TechSpot

Malware stopping Windows Updates!

By MazanSM
Aug 6, 2012
  1. Hey friends. I am sorry I don't really have any specific details about what is happening, but here is what I think. One of our users had a fake antivirus problem, so I ran Malwarebytes and it found around 400 infected files, which I removed. Everything seemed good.

    He then began complaining about Windows updates. They download, install, reboot, and say Reverting, Failed. I worked on this for 3 hours today thinking about Windows etc...

    I then remembered the malware and think it still may be an issue.

    Is there anything you can do to help me with this situation, please?

    Thanks so much for any help that can be provided, I really appreciate it.

    Thanks again!

    - S
  2. Jay Pfoutz (Malware Helper)

    Hi!

    Information about malware removal forum
    • From this point on, please do not make any more changes to your computer, such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc., unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (on this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic where you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.
    Please review the 5-Step removal instructions and post the logs back here for my review.
  3. MazanSM (Topic Starter)

    Thanks so much for the reply!

    Here are the log files.

    MalwareBytes:

    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org
    Database version: v2012.08.06.12
    Windows Vista Service Pack 2 x86 NTFS
    Internet Explorer 9.0.8112.16421
    fredr :: TM1012 [administrator]
    8/6/2012 4:52:40 PM
    mbam-log-2012-08-06 (16-52-40).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 255248
    Time elapsed: 16 minute(s), 53 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    (end)

    GMER:

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-08-06 17:18:03
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST925041 rev.0002
    Running: qu4ud658.exe; Driver: C:\Users\FredR\AppData\Local\Temp\pfldipog.sys

    ---- Disk sectors - GMER 1.0.15 ----
    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
    ---- Devices - GMER 1.0.15 ----
    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\tdx \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    ---- EOF - GMER 1.0.15 ----
  4. MazanSM (Topic Starter)

    DDS.txt

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_33
    Run by fredr at 17:18:39 on 2012-08-06
    Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.3535.1928 [GMT -4:00]
    .
    AV: Symantec Endpoint Protection *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Symantec Endpoint Protection *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
    FW: Symantec Endpoint Protection *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Windows\system32\WLANExt.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Sophos\SafeGuard Enterprise\Client\SGNAuthServicen.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\atashost.exe
    C:\Windows\system32\BEDevCtl.exe
    C:\Windows\system32\BEFCSvcn.exe
    C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    C:\Windows\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe
    c:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    C:\Windows\system32\SGN_MasterServicen.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\Program Files\UltraVNC\WinVNC.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
    C:\Windows\system32\igfxext.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Program Files\UltraVNC\WinVNC.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
    C:\Program Files\DellTPad\Apoint.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Sophos\SafeGuard Enterprise\Client\SGNMaster.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Bryan Equipment Sales\BES Support Application\BES Support Application.exe
    C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\DellTPad\ApMsgFwd.exe
    C:\Windows\system32\igfxext.exe
    C:\Program Files\DellTPad\HidFind.exe
    C:\Program Files\DellTPad\Apntex.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Windows\winsxs\x86_microsoft-windows-I..etexplorer-optional_31bf3856ad364e35_9.1.8112.16421_none_58a99749ebaa0de6\iexplore.exe
    C:\Windows\winsxs\x86_microsoft-windows-I..etexplorer-optional_31bf3856ad364e35_9.1.8112.16421_none_58a99749ebaa0de6\iexplore.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Windows\winsxs\x86_microsoft-windows-I..etexplorer-optional_31bf3856ad364e35_9.1.8112.16421_none_58a99749ebaa0de6\iexplore.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.yahoo.com/?ilc=1
    uSearch Bar = Preserve
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: Playfin: {d30bc29f-19f6-40b3-a91f-d4707048ade6} - c:\program files\playfin_1t\bar\1.bin\1tbar.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: MapsGalaxy: {364ea597-e728-4ce4-bb4a-ed846ef47970} - c:\program files\mapsgalaxy_39\bar\1.bin\39bar.dll
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
    mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"
    mRun: [Apoint] c:\program files\delltpad\Apoint.exe
    mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [SGNMasterApplication] c:\program files\sophos\safeguard enterprise\client\SGNMaster.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\bessup~1.lnk - c:\windows\installer\{c8c580d7-ea83-45e5-9f4b-89e3466812b8}\_CC0A4E5930FC4E7D8FFDEDEA7606DDDE.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\dellco~1.lnk - c:\program files\dell\dell controlpoint\system manager\DCPSysMgr.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\sqlser~1.lnk - c:\program files\microsoft sql server\80\tools\binn\scm.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL
    DPF: {16F67783-7E72-4C39-99C4-4780A8335484} - hxxp://www.syncmyride.com/Own/Modules/UploadDownload/applets/sync.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 192.168.1.1 71.89.148.129 71.89.132.13
    TCP: Interfaces\{14312104-AC27-49E2-8A92-02E5E20B1103} : DhcpNameServer = 192.168.1.1 71.89.148.129 71.89.132.13
    TCP: Interfaces\{CBA228D1-C88A-4AB2-B2F4-7D06F3621BE0} : NameServer = 10.1.1.5 10.1.1.15
    TCP: Interfaces\{F8BAB74F-C6E3-4B46-815C-909F5E4156DE} : DhcpNameServer = 192.168.1.1 71.89.139.1 71.89.132.13
    Notify: igfxcui - igfxdev.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\fredr\appdata\roaming\mozilla\firefox\profiles\8zhofijn.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: extensions.autoDisableScopes - 14
    .
    FF - user.js: extensions.autoDisableScopes - 14
    .
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 BE_FLTI;be_flti;c:\windows\system32\drivers\be_fltim.sys [2010-10-15 50944]
    R0 BeFlt;BeFlt;c:\windows\system32\drivers\BEFLT.SYS [2010-10-15 97536]
    R0 CEAES2M;CEAES2M;c:\windows\system32\drivers\cegaes2m.sys [2010-10-15 63232]
    R0 CEAESM;CEAESM;c:\windows\system32\drivers\cegaesm.sys [2010-10-15 62720]
    R0 CEDES3M;CEDES3M;c:\windows\system32\drivers\cedes3m.sys [2010-10-14 20224]
    R0 CEDESM;CEDESM;c:\windows\system32\drivers\cedesm.sys [2010-10-14 19712]
    R0 CEEIDEM;CEEIDEM;c:\windows\system32\drivers\ceeidem.sys [2010-10-14 16128]
    R0 CEHMACM;CEHMACM;c:\windows\system32\drivers\cehmacm.sys [2010-10-14 25344]
    R0 CEIDEM;CEIDEM;c:\windows\system32\drivers\ceidem.sys [2010-10-14 17664]
    R0 CERNDM;CERNDM;c:\windows\system32\drivers\cerndm.sys [2010-10-14 15616]
    R0 CESHAM;CESHAM;c:\windows\system32\drivers\cesham.sys [2010-10-14 24832]
    R0 SGSTDRVM;SGMKeyStore Driver;c:\windows\system32\drivers\SGStDrvm.sys [2010-10-14 51968]
    R2 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [2011-2-4 119608]
    R2 BEDevCtl;SafeGuard(R) Device Encryption Controller;c:\windows\system32\BEDevCtl.exe [2010-10-15 905216]
    R2 BEFCSvcn;SafeGuard(R) Kernel Feature Client;c:\windows\system32\BEFCSvcn.exe [2010-10-15 20480]
    R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2008-12-29 320800]
    R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2009-4-9 447264]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
    R2 MotoHelper;MotoHelper Service;c:\program files\motorola\motohelper\MotoHelperService.exe [2011-4-26 223088]
    R2 SGN_BEService;SafeGuard(R) Base Encryption Service;c:\windows\system32\SGN_MasterServicen.exe [2010-10-15 49152]
    R2 SGN_LogSystem;SafeGuard(R) Log Service;c:\windows\system32\SGN_MasterServicen.exe [2010-10-15 49152]
    R2 SGN_Sem;SafeGuard(R) System Event Manager;c:\windows\system32\SGN_MasterServicen.exe [2010-10-15 49152]
    R2 SGNAuthService;SGNAuthService;c:\program files\sophos\safeguard enterprise\client\SGNAuthServicen.exe [2010-10-15 647168]
    R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2011-4-28 1839888]
    R2 uvnc_service;uvnc_service;c:\program files\ultravnc\winvnc.exe [2009-8-21 1589704]
    R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6032.sys [2009-8-18 224384]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-5-31 106656]
    R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-8-21 112128]
    R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-6-26 3662848]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-1-6 136176]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-3 250056]
    S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys [2009-1-29 6016]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-8-25 23888]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-1-6 136176]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2011-4-4 20480]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2009-1-29 8320]
    S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\Motousbnet.sys [2010-4-1 23424]
    S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\drivers\motusbdevice.sys [2010-1-25 9472]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2010-4-3 44896]
    S4 RsFx0150;RsFx0150 Driver;c:\windows\system32\drivers\RsFx0150.sys [2010-4-3 240608]
    S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10_50.sqlexpress\mssql\binn\SQLAGENT.EXE [2010-4-3 367456]
    .
    =============== Created Last 30 ================
    .
    2012-08-06 16:47:23 2047488 ----a-w- c:\windows\system32\win32k.sys
    2012-08-06 15:28:04 -------- d-----w- c:\users\fredr\appdata\local\ElevatedDiagnostics
    2012-08-06 15:15:56 -------- d-----w- c:\users\fredr\appdata\local\join.me
    2012-08-06 14:59:34 -------- d-----w- c:\windows\system32\catroot2
    2012-08-06 14:44:55 476976 ----a-w- c:\windows\system32\npdeployJava1.dll
    2012-08-06 13:12:50 -------- d-----w- c:\windows\pss
    2012-07-27 13:49:47 -------- d-----w- c:\users\fredr\appdata\roaming\Malwarebytes
    2012-07-27 13:49:37 -------- d-----w- c:\programdata\Malwarebytes
    2012-07-27 13:49:36 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-07-27 13:49:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-07-10 20:01:36 708608 ----a-w- c:\program files\common files\system\ado\msado15.dll
    2012-07-10 20:01:34 1401856 ----a-w- c:\windows\system32\msxml6.dll
    2012-07-10 20:01:34 1248768 ----a-w- c:\windows\system32\msxml3.dll
    2012-07-09 01:09:06 -------- d-----w- c:\program files\MapsGalaxy_39
    .
    ==================== Find3M ====================
    .
    2012-08-06 14:44:34 472880 ----a-w- c:\windows\system32\deployJava1.dll
    2012-08-03 11:51:12 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-08-03 11:51:12 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-07-28 02:37:58 167936 ----a-w- c:\windows\system32\drivers\wpshelper.sys
    2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 19:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 19:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 6.0.6002 Disk: ST925041 rev.0002 -> Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
    c:\windows\system32\drivers\iaStor.sys Intel Corporation Intel Matrix Storage Manager driver
    1 ntkrnlpa!IofCallDriver[0x82044936] -> \Device\Harddisk0\DR0[0x8663E030]
    3 CLASSPNP[0x8BBAA8B3] -> ntkrnlpa!IofCallDriver[0x82044936] -> \Device\Ide\IAAStorageDevice-0[0x85936028]
    kernel: MBR read successfully
    _asm { CLI ; JMP 0x64; }
    user != kernel MBR !!!
    .
    ============= FINISH: 17:20:03.95 ===============
  5. MazanSM (Topic Starter)

    Attach.txt

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft® Windows Vista™ Business
    Boot Device: \Device\HarddiskVolume2
    Install Date: 8/18/2009 12:06:21 PM
    System Uptime: 8/6/2012 1:06:33 PM (4 hours ago)
    .
    Motherboard: Dell Inc. | | 0W612R
    Processor: Intel(R) Core(TM)2 Duo CPU T9550 @ 2.66GHz | Microprocessor | 2668/266mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 233 GiB total, 142.817 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID:
    Description: Broadcom USH
    Device ID: USB\VID_0A5C&PID_5800&MI_00\6&66DE6C9&0&0000
    Manufacturer:
    Name: Broadcom USH
    PNP Device ID: USB\VID_0A5C&PID_5800&MI_00\6&66DE6C9&0&0000
    Service:
    .
    ==== System Restore Points ===================
    .
    RP1119: 7/19/2012 7:27:58 AM - Windows Update
    RP1120: 7/20/2012 12:10:10 PM - Windows Update
    RP1121: 7/23/2012 8:51:40 AM - Windows Update
    RP1122: 7/23/2012 10:10:24 PM - Scheduled Checkpoint
    RP1123: 7/24/2012 3:00:14 AM - Windows Update
    RP1124: 7/24/2012 6:33:21 PM - Scheduled Checkpoint
    RP1125: 7/24/2012 8:23:57 PM - Windows Update
    RP1126: 7/25/2012 5:40:43 AM - Windows Update
    RP1127: 7/25/2012 8:08:45 PM - Scheduled Checkpoint
    RP1128: 7/26/2012 7:24:54 AM - Windows Update
    RP1129: 7/26/2012 9:16:03 PM - Windows Update
    RP1130: 7/27/2012 8:14:33 AM - Windows Update
    RP1131: 7/27/2012 9:28:17 AM - Windows Update
    RP1132: 7/27/2012 11:31:09 AM - Removed WeatherBug
    RP1133: 7/27/2012 11:43:05 AM - Windows Update
    RP1134: 7/28/2012 9:29:47 AM - Windows Update
    RP1135: 7/29/2012 12:00:03 AM - Scheduled Checkpoint
    RP1136: 7/29/2012 3:00:13 AM - Windows Update
    RP1137: 7/30/2012 1:53:45 PM - Installed Motorola Mobile Drivers Installation 4.7.1
    RP1138: 7/30/2012 8:38:09 PM - Windows Update
    RP1139: 7/31/2012 11:27:48 AM - Windows Update
    RP1140: 7/31/2012 1:04:06 PM - Windows Update
    RP1141: 8/1/2012 7:39:30 AM - Windows Update
    RP1142: 8/2/2012 7:50:42 AM - Windows Update
    RP1143: 8/3/2012 7:19:27 AM - Windows Update
    RP1144: 8/5/2012 8:24:20 AM - Windows Update
    RP1145: 8/6/2012 9:11:28 AM - Windows Modules Installer
    RP1146: 8/6/2012 10:42:38 AM - Installed Java(TM) 6 Update 33
    RP1147: 8/6/2012 12:29:00 PM - Installed Microsoft Fix it 50123
    RP1148: 8/6/2012 12:40:41 PM - Installed Microsoft Fix it 50123
    RP1149: 8/6/2012 12:46:48 PM - Windows Update
    RP1150: 8/6/2012 1:03:30 PM - Windows Update
    .
    ==== Installed Programs ======================
    .
    32 Bit HP CIO Components Installer
    5700_Help
    Acrobat.com
    Adobe Flash Player 11 ActiveX
    Adobe Reader 9.5.1
    BES Planning Advantage
    BES Support Application
    BPD_Scan
    BPDSoftware
    BPDSoftware_Ini
    BufferChm
    Compatibility Pack for the 2007 Office system
    Dell ControlPoint System Manager
    Dell Resource CD
    Dell Touchpad
    Destination Component
    DeviceDiscovery
    DeviceManagementQFolder
    DocProc
    DocProcQFolder
    eSupportQFolder
    Fax
    Google Earth
    Google Toolbar for Internet Explorer
    Google Update Helper
    GoToMeeting 5.1.0.880
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Imaging Device Functions 8.0
    HP OCR Software 8.0
    HP Officejet All-In-One Series
    HP Photosmart Essential
    HP Product Assistant
    HP Solution Center 8.0
    HP Update
    HPProductAssistant
    Intel PROSet Wireless
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) Network Connections Drivers
    Intel(R) PROSet/Wireless WiFi Software
    Intel(R) TV Wizard
    Intel® Matrix Storage Manager
    J5700
    Java Auto Updater
    Java(TM) 6 Update 33
    Java(TM) 6 Update 5
    join.me
    LanFax Client
    LiveUpdate 3.3 (Symantec Corporation)
    Malwarebytes Anti-Malware version 1.62.0.1300
    mediaCAT
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Office File Validation Add-In
    Microsoft Office Professional Edition 2003
    Microsoft Silverlight
    Microsoft SQL Server 2005 Backward compatibility
    Microsoft SQL Server 2008 R2
    Microsoft SQL Server 2008 R2 Native Client
    Microsoft SQL Server 2008 R2 RsFx Driver
    Microsoft SQL Server 2008 R2 Setup (English)
    Microsoft SQL Server 2008 Setup Support Files
    Microsoft SQL Server Browser
    Microsoft SQL Server Native Client
    Microsoft SQL Server VSS Writer
    Microsoft Visual C++ 2005 Redistributable
    MotoHelper 2.0.51 Driver 5.1.0
    MotoHelper MergeModules
    Motorola Mobile Drivers Installation 5.1.0
    Mozilla Firefox 5.0 (x86 en-US)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    OGA Notifier 2.0.0048.0
    Playfin
    PowerDVD DX
    ProductContext
    Roxio Activation Module
    Roxio Creator Audio
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Drag-to-Disc
    Roxio Express Labeler 3
    Roxio Update Manager
    Scan
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
    SolutionCenter
    Sonic CinePlayer Decoder Pack
    Sophos SafeGuard 5.50.8 Client
    Sophos SafeGuard 5.50.8 Client Configuration
    Sophos SafeGuard Preinstall 5.50.8
    SQL Server 2008 R2 Common Files
    SQL Server 2008 R2 Database Engine Services
    SQL Server 2008 R2 Database Engine Shared
    Sql Server Customer Experience Improvement Program
    Status
    Symantec Endpoint Protection
    Toolbox
    Tour de Force
    Tour de Force Platinum Client - 4.2.035
    TrayApp
    UltraVNC 1.0.6.5
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    WebEx
    WebReg
    .
    ==== Event Viewer Messages From Past Week ========
    .
    8/6/2012 9:36:15 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service sdrsvc with arguments "" in order to run the server: {47135EEA-06B6-4452-8787-4A187C64A47E}
    8/6/2012 8:25:37 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80071aa7: Update for Windows Vista (KB2677070).
    8/6/2012 8:25:37 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80071aa7: Security Update for Windows Vista (KB2719985).
    8/6/2012 8:25:37 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80071aa7: Security Update for Windows Vista (KB2718523).
    8/6/2012 8:25:37 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80071aa7: Security Update for Windows Vista (KB2698365).
    8/6/2012 8:25:37 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80071aa7: Security Update for Windows Vista (KB2691442).
    8/6/2012 8:25:37 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80071aa7: Security Update for Windows Vista (KB2685939).
    8/6/2012 8:25:37 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80071aa7: Security Update for Microsoft .NET Framework 2.0 SP2 on Windows Vista SP2 and Windows Server 2008 SP2 x86 (KB2686833).
    8/6/2012 8:25:37 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80071aa7: Security Update for Microsoft .NET Framework 2.0 SP2 on Windows Vista SP2 and Windows Server 2008 SP2 x86 (KB2656374).
    8/6/2012 8:22:41 AM, Error: Service Control Manager [7022] - The KtmRm for Distributed Transaction Coordinator service hung on starting.
    8/6/2012 8:19:21 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_for_KB2719985_client~31bf3856ad364e35~x86~~6.0.1.0 () into Resolved(Resolved) state
    8/6/2012 8:19:21 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_for_KB2719985_client_2~31bf3856ad364e35~x86~~6.0.1.0 () into Resolved(Resolved) state
    8/6/2012 8:19:21 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_for_KB2718523_client~31bf3856ad364e35~x86~~6.0.1.2 () into Absent(Absent) state
    8/6/2012 8:19:21 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_for_KB2718523_client_2~31bf3856ad364e35~x86~~6.0.1.2 () into Absent(Absent) state
    8/6/2012 8:19:21 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_for_KB2698365_client~31bf3856ad364e35~x86~~6.0.1.2 () into Resolved(Resolved) state
    8/6/2012 8:19:21 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_for_KB2698365_client_2~31bf3856ad364e35~x86~~6.0.1.2 () into Resolved(Resolved) state
    8/6/2012 8:19:21 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_for_KB2691442_client~31bf3856ad364e35~x86~~6.0.1.2 () into Resolved(Resolved) state
    8/6/2012 8:19:21 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_for_KB2691442_client_2~31bf3856ad364e35~x86~~6.0.1.2 () into Resolved(Resolved) state
    8/6/2012 8:19:21 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_for_KB2686833_client~31bf3856ad364e35~x86~~6.0.1.0 () into Resolved(Resolved) state
    8/6/2012 8:19:21 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_for_KB2686833_client_2~31bf3856ad364e35~x86~~6.0.1.0 () into Resolved(Resolved) state
    8/6/2012 8:19:21 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_for_KB2685939_client~31bf3856ad364e35~x86~~6.0.1.1 () into Resolved(Resolved) state
    8/6/2012 8:19:21 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_for_KB2685939_client_2~31bf3856ad364e35~x86~~6.0.1.1 () into Resolved(Resolved) state
    8/6/2012 8:19:21 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_for_KB2677070~31bf3856ad364e35~x86~~6.0.1.1 () into Resolved(Resolved) state
    8/6/2012 8:19:21 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_for_KB2677070_client~31bf3856ad364e35~x86~~6.0.1.1 () into Resolved(Resolved) state
    8/6/2012 8:19:21 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_for_KB2677070_client_2~31bf3856ad364e35~x86~~6.0.1.1 () into Resolved(Resolved) state
    8/6/2012 8:19:21 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_for_KB2656374_client~31bf3856ad364e35~x86~~6.0.2.0 () into Resolved(Resolved) state
    8/6/2012 8:19:21 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_for_KB2656374_client_2~31bf3856ad364e35~x86~~6.0.2.0 () into Resolved(Resolved) state
    8/6/2012 8:19:21 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_9_for_KB2677070~31bf3856ad364e35~x86~~6.0.1.1 () into Resolved(Resolved) state
    8/6/2012 8:19:21 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_7_for_KB2686833~31bf3856ad364e35~x86~~6.0.1.0 () into Resolved(Resolved) state
    8/6/2012 8:19:21 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_7_for_KB2656374~31bf3856ad364e35~x86~~6.0.2.0 () into Resolved(Resolved) state
    8/6/2012 8:19:21 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_5_for_KB2698365~31bf3856ad364e35~x86~~6.0.1.2 () into Resolved(Resolved) state
    8/6/2012 8:19:21 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_4_for_KB2698365~31bf3856ad364e35~x86~~6.0.1.2 () into Resolved(Resolved) state
    8/6/2012 8:19:21 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_3_for_KB2698365~31bf3856ad364e35~x86~~6.0.1.2 () into Resolved(Resolved) state
    8/6/2012 8:19:21 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_2_for_KB2698365~31bf3856ad364e35~x86~~6.0.1.2 () into Resolved(Resolved) state
    8/6/2012 8:19:21 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_2_for_KB2677070~31bf3856ad364e35~x86~~6.0.1.1 () into Resolved(Resolved) state
    8/6/2012 8:19:21 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_1_for_KB2719985~31bf3856ad364e35~x86~~6.0.1.0 () into Resolved(Resolved) state
    8/6/2012 8:19:21 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_1_for_KB2718523~31bf3856ad364e35~x86~~6.0.1.2 () into Absent(Absent) state
    8/6/2012 8:19:21 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_1_for_KB2698365~31bf3856ad364e35~x86~~6.0.1.2 () into Resolved(Resolved) state
    8/6/2012 8:19:21 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_1_for_KB2691442~31bf3856ad364e35~x86~~6.0.1.2 () into Resolved(Resolved) state
    8/6/2012 8:19:21 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_1_for_KB2686833~31bf3856ad364e35~x86~~6.0.1.0 () into Resolved(Resolved) state
    8/6/2012 8:19:21 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_1_for_KB2685939~31bf3856ad364e35~x86~~6.0.1.1 () into Resolved(Resolved) state
    8/6/2012 8:19:21 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_1_for_KB2677070~31bf3856ad364e35~x86~~6.0.1.1 () into Resolved(Resolved) state
    8/6/2012 8:19:21 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_1_for_KB2656374~31bf3856ad364e35~x86~~6.0.2.0 () into Resolved(Resolved) state
    8/6/2012 8:19:12 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_for_KB2691442~31bf3856ad364e35~x86~~6.0.1.2 () into Resolved(Resolved) state
    8/6/2012 8:19:02 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_for_KB2686833~31bf3856ad364e35~x86~~6.0.1.0 () into Resolved(Resolved) state
    8/6/2012 8:18:47 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_for_KB2718523~31bf3856ad364e35~x86~~6.0.1.2 () into Absent(Absent) state
    8/6/2012 8:18:29 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_for_KB2719985~31bf3856ad364e35~x86~~6.0.1.0 () into Resolved(Resolved) state
    8/6/2012 8:18:29 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_for_KB2698365~31bf3856ad364e35~x86~~6.0.1.2 () into Resolved(Resolved) state
    8/6/2012 8:18:29 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_for_KB2656374~31bf3856ad364e35~x86~~6.0.2.0 () into Resolved(Resolved) state
    8/6/2012 8:18:28 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_for_KB2685939~31bf3856ad364e35~x86~~6.0.1.1 () into Resolved(Resolved) state
    8/6/2012 11:53:53 AM, Error: Microsoft-Windows-TerminalServices-RemoteConnectionManager [1067] - The terminal server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted. .
    8/6/2012 10:18:30 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl SPBBCDrv spldr SRTSP SRTSPX SYMTDI Wanarpv6
    8/6/2012 10:18:30 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    8/6/2012 10:18:09 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    8/6/2012 10:18:02 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    8/6/2012 10:17:42 AM, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\System32\IWMSSvc.dll Error Code: 21
    8/6/2012 10:17:35 AM, Error: Microsoft-Windows-TerminalServices-LocalSessionManager [1048] - Terminal Service start failed. The relevant status code was This service cannot be started in Safe Mode .
    8/6/2012 10:17:35 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service TermService with arguments "" in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}
    8/6/2012 10:01:13 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wcncsvc with arguments "" in order to run the server: {375FF000-DD27-11D9-8F9C-0002B3988E81}
    8/6/2012 10:01:13 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {D3DCB472-7261-43CE-924B-0704BD730D5F}
    8/6/2012 10:01:13 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
    8/6/2012 1:16:21 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80071aa7: Security Update for Windows Vista (KB2655992).
    8/6/2012 1:16:21 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80071aa7: Cumulative Security Update for Internet Explorer 9 for Windows Vista (KB2719177).
    8/6/2012 1:12:32 PM, Error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{CBA228D1-C88A-4AB2-B2F4-7D06F3621BE0} because another computer on the network has the same name. The server could not start.
    8/6/2012 1:10:54 PM, Error: Microsoft-Windows-GroupPolicy [1129] - The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
    8/6/2012 1:10:32 PM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_for_KB2719177~31bf3856ad364e35~x86~~9.1.1.0 () into Absent(Absent) state
    8/6/2012 1:10:32 PM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_for_KB2719177_RTM~31bf3856ad364e35~x86~~9.1.1.0 () into Absent(Absent) state
    8/6/2012 1:10:32 PM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_for_KB2655992~31bf3856ad364e35~x86~~6.0.1.2 () into Staged(Staged) state
    8/6/2012 1:10:32 PM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_for_KB2655992_client~31bf3856ad364e35~x86~~6.0.1.2 () into Staged(Staged) state
    8/6/2012 1:10:32 PM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_for_KB2655992_client_2~31bf3856ad364e35~x86~~6.0.1.2 () into Staged(Staged) state
    8/6/2012 1:10:32 PM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_6_for_KB975467~31bf3856ad364e35~x86~~6.0.1.0 () into Installed(Installed) state
    8/6/2012 1:10:32 PM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_6_for_KB968389~31bf3856ad364e35~x86~~6.0.1.3 () into Installed(Installed) state
    8/6/2012 1:10:32 PM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_5_for_KB975467~31bf3856ad364e35~x86~~6.0.1.0 () into Installed(Installed) state
    8/6/2012 1:10:32 PM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_5_for_KB968389~31bf3856ad364e35~x86~~6.0.1.3 () into Installed(Installed) state
    8/6/2012 1:10:32 PM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_2_for_KB2655992~31bf3856ad364e35~x86~~6.0.1.2 () into Staged(Staged) state
    8/6/2012 1:10:32 PM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_2_for_KB2585542~31bf3856ad364e35~x86~~6.0.1.2 () into Installed(Installed) state
    8/6/2012 1:10:32 PM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_1_for_KB2719177~31bf3856ad364e35~x86~~9.1.1.0 () into Absent(Absent) state
    8/6/2012 1:10:32 PM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_1_for_KB2655992~31bf3856ad364e35~x86~~6.0.1.2 () into Staged(Staged) state
    8/6/2012 1:10:32 PM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_1_for_KB2585542~31bf3856ad364e35~x86~~6.0.1.2 () into Installed(Installed) state
    8/6/2012 1:09:51 PM, Error: Service Control Manager [7022] - The HP CUE DeviceDiscovery Service service hung on starting.
    8/6/2012 1:08:29 PM, Error: NETLOGON [5719] - This computer was not able to set up a secure session with a domain controller in domain BRYAN_SERVER_2 due to the following: There are currently no logon servers available to service the logon request. This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
    8/6/2012 1:05:17 PM, Error: Service Control Manager [7023] - The Windows Modules Installer service terminated with the following error: The file cannot be opened transactionally, because its identity depends on the outcome of an unresolved transaction.
    8/2/2012 4:59:52 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Microsoft .NET Framework NGEN v4.0.30319_X86 service to connect.
    7/31/2012 9:07:30 PM, Error: iaStor [9] - The device, \Device\Ide\iaStor0, did not respond within the timeout period.
    7/31/2012 1:10:50 PM, Error: Microsoft-Windows-GroupPolicy [1055] - The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following: a) Name Resolution failure on the current domain controller. b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
    7/30/2012 8:32:07 AM, Error: Microsoft-Windows-GroupPolicy [1058] - The processing of Group Policy failed. Windows attempted to read the file \\bryan.local\sysvol\bryan.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: a) Name Resolution/Network Connectivity to the current domain controller. b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). c) The Distributed File System (DFS) client has been disabled.
    7/30/2012 11:29:04 AM, Error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{14312104-AC27-49E2-8A92-02E5E20B1103} because another computer on the network has the same name. The server could not start.
    7/30/2012 11:29:04 AM, Error: netbt [4321] - The name "TM1012 :20" could not be registered on the interface with IP address 0.0.0.0. The computer with the IP address 192.168.1.105 did not allow the name to be claimed by this computer.
    7/30/2012 1:36:46 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.105 for the Network Card with network address 0024E8BC98D1 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    .
    ==== End Of File ===========================
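Read together, the entries above carry a correlation the thread never spells out: every Windows Update failure reports the same HRESULT, 0x80071aa7, whose low 16 bits are Win32 error 6823 (ERROR_FILE_IDENTITY_NOT_PERSISTENT in winerror.h), and the text of that error is exactly what the Windows Modules Installer terminated with in the Service Control Manager 7023 entry, alongside the KtmRm 7022 hang. The triage script below is an added example by the editor, not part of the original post or of any tool used in this thread. It parses a handful of lines copied verbatim from the log above (embedded as a constructed sample), reduces the Windows Update failures to their shared Win32 code, and pulls out the boot-start drivers that did not load. The regexes assume the `date, Level: Source [ID] - message` layout these entries use; the error-code mapping is the editor's, from winerror.h.

```python
"""Triage of the event-log dump above (added example, see lead-in)."""
import re
from collections import Counter, defaultdict

# Constructed sample: five entries copied verbatim from the log posted above.
SAMPLE_LOG = """\
8/6/2012 8:25:37 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80071aa7: Security Update for Microsoft .NET Framework 2.0 SP2 on Windows Vista SP2 and Windows Server 2008 SP2 x86 (KB2686833).
8/6/2012 8:19:21 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package Package_for_KB2686833_client~31bf3856ad364e35~x86~~6.0.1.0 () into Resolved(Resolved) state
8/6/2012 10:18:30 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl SPBBCDrv spldr SRTSP SRTSPX SYMTDI Wanarpv6
8/6/2012 1:16:21 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80071aa7: Security Update for Windows Vista (KB2655992).
8/6/2012 1:05:17 PM, Error: Service Control Manager [7023] - The Windows Modules Installer service terminated with the following error: The file cannot be opened transactionally, because its identity depends on the outcome of an unresolved transaction.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>[^\[]+?) \[(?P<event_id>\d+)\] - (?P<msg>.*)$"
)
HRESULT_RE = re.compile(r"\berror (0x[0-9a-fA-F]{8})\b")
KB_RE = re.compile(r"\(KB(\d+)\)")

# Win32 code seen in this thread, from winerror.h (editor's mapping).
WIN32_NAMES = {6823: "ERROR_FILE_IDENTITY_NOT_PERSISTENT"}


def parse_events(text):
    """Return one dict per well-formed line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def hresult_to_win32(hresult):
    """HRESULTs of the form 0x8007xxxx wrap a Win32 error in the low 16 bits."""
    value = int(hresult, 16)
    if value >> 16 != 0x8007:
        return None
    return value & 0xFFFF


def update_failures(events):
    """Map each HRESULT to the set of KB numbers that failed with it."""
    failed = defaultdict(set)
    for e in events:
        if e["source"] == "Microsoft-Windows-WindowsUpdateClient" and e["event_id"] == "20":
            hr, kb = HRESULT_RE.search(e["msg"]), KB_RE.search(e["msg"])
            if hr and kb:
                failed[hr.group(1).lower()].add(int(kb.group(1)))
    return dict(failed)


def diagnose(events):
    """Reduce the dump to the facts a responder wants before touching the box."""
    failed = update_failures(events)
    counts = Counter((e["source"], e["event_id"]) for e in events)
    findings = {
        "update_hresults": {hr: sorted(kbs) for hr, kbs in failed.items()},
        "win32_codes": {hr: hresult_to_win32(hr) for hr in failed},
        "servicing_failures": counts[("Microsoft-Windows-Servicing", "4375")],
        "failed_drivers": [],
        "txf_wedged": False,
    }
    # TrustedInstaller (Windows Modules Installer) dying with the TxF identity message,
    # while every update fails with the HRESULT wrapping that same Win32 code, means the
    # servicing stack itself is wedged; the individual KBs are not the problem.
    ti_txf = any(e["event_id"] == "7023" and "Windows Modules Installer" in e["msg"]
                 and "transactionally" in e["msg"] for e in events)
    findings["txf_wedged"] = ti_txf and set(findings["win32_codes"].values()) == {6823}
    for e in events:
        if e["source"] == "Service Control Manager" and e["event_id"] == "7026":
            findings["failed_drivers"] = e["msg"].split("failed to load:", 1)[1].split()
    return findings


if __name__ == "__main__":
    result = diagnose(parse_events(SAMPLE_LOG))
    for hr, code in result["win32_codes"].items():
        print(f"{hr} -> Win32 {code} {WIN32_NAMES.get(code, '?')}: KBs {result['update_hresults'][hr]}")
    print("servicing stack wedged on TxF:", result["txf_wedged"])
    print("boot-start drivers not loaded:", result["failed_drivers"])
```

Run over the full dump, every 0x80071aa7 entry on the page collapses to the same Win32 code, so the actionable lead for the "Reverting, Failed" symptom is the state of the Windows Modules Installer and KtmRm, not any one KB; whether malware is still present is a separate question, and it is the one the rest of the thread pursues. The 7026 list is worth keeping too: several of the drivers that failed to load (SRTSP, SRTSPX, SYMTDI, eeCtrl, SPBBCDrv) belong to the Symantec product the ComboFix header later shows as disabled.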
  6. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    ComboFix

    Please download ComboFix by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console.
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear; select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method as above, but download it again, this time naming ComboFix.exe iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system-important processes such as iexplore.exe, explorer.exe, and winlogon.exe.
  7. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello. Are you still with us?

    Your thread has been marked as "Inactive" because of your lack of reply. Please let us know how your computer is running, or if you want to continue in this topic.

    Thanks.
  8. MazanSM

    MazanSM TS Rookie Topic Starter

    Hey! Very sorry! Thanks for the follow-up. This is for one of our out-of-town managers. It has taken a little time to get connected with him again. Running ComboFix right now.
    Thanks!
  9. MazanSM

    MazanSM TS Rookie Topic Starter

    Here is the ComboFix.
    Let me know what's next.
    Thanks again for all of your help!

    ComboFix 12-08-10.02 - fredr 08/13/2012 9:39.1.2 - x86
    Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.3535.2020 [GMT -4:00]
    Running from: c:\users\FredR\Desktop\ComboFix.exe
    AV: Symantec Endpoint Protection *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
    FW: Symantec Endpoint Protection *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
    SP: Symantec Endpoint Protection *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\ntuser.dat
    c:\programdata\Roaming
    c:\programdata\Roaming\Intel\Wireless\Settings\Settings.ini
    c:\users\FredR\AppData\Local\assembly\tmp
    c:\users\FredR\Documents\~WRL2522.tmp
    c:\users\FredR\Documents\ShopToWin
    c:\users\FredR\g2mdlhlpx.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-13 to 2012-08-13 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-13 13:49 . 2012-08-13 13:49 -------- d-----w- c:\users\besAdmin\AppData\Local\temp
    2012-08-13 13:49 . 2012-08-13 13:49 -------- d-----w- c:\users\admin\AppData\Local\temp
    2012-08-06 16:47 . 2012-06-13 13:40 2047488 ----a-w- c:\windows\system32\win32k.sys
    2012-08-06 15:28 . 2012-08-06 15:28 -------- d-----w- c:\users\FredR\AppData\Local\ElevatedDiagnostics
    2012-08-06 15:15 . 2012-08-06 15:15 -------- d-----w- c:\users\FredR\AppData\Local\join.me
    2012-08-06 14:59 . 2012-08-06 16:46 -------- d-----w- c:\windows\system32\catroot2
    2012-08-06 14:44 . 2012-08-06 14:44 476976 ----a-w- c:\windows\system32\npdeployJava1.dll
    2012-08-06 14:25 . 2012-08-06 14:25 -------- d-----w- c:\users\besAdmin\AppData\Roaming\Malwarebytes
    2012-08-06 13:40 . 2012-08-06 14:19 -------- d-----w- c:\users\besAdmin\AppData\Local\Deployment
    2012-08-06 13:40 . 2012-08-06 13:40 -------- d-----w- c:\users\besAdmin\AppData\Local\Apps
    2012-07-27 13:49 . 2012-07-27 13:49 -------- d-----w- c:\users\FredR\AppData\Roaming\Malwarebytes
    2012-07-27 13:49 . 2012-07-27 13:49 -------- d-----w- c:\programdata\Malwarebytes
    2012-07-27 13:49 . 2012-07-27 13:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-07-27 13:49 . 2012-07-03 17:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-06 14:44 . 2010-04-19 11:33 472880 ----a-w- c:\windows\system32\deployJava1.dll
    2012-08-03 11:51 . 2012-04-03 12:11 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-08-03 11:51 . 2011-05-18 01:48 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-06-05 16:47 . 2012-07-10 20:01 1401856 ----a-w- c:\windows\system32\msxml6.dll
    2012-06-05 16:47 . 2012-07-10 20:01 1248768 ----a-w- c:\windows\system32\msxml3.dll
    2012-06-02 22:19 . 2012-06-25 00:30 53784 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-25 00:30 45080 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-25 00:30 35864 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-25 00:30 577048 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 22:19 . 2012-06-25 00:30 1933848 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 22:12 . 2012-06-25 00:30 2422272 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:12 . 2012-06-25 00:30 88576 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 19:19 . 2012-06-25 00:30 171904 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 19:12 . 2012-06-25 00:30 33792 ----a-w- c:\windows\system32\wuapp.exe
    2011-06-16 04:17 . 2011-06-29 20:57 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SgnIconOvln1]
    @="{93c136f0-91dc-4456-a586-98f72aff8d89}"
    [HKEY_CLASSES_ROOT\CLSID\{93c136f0-91dc-4456-a586-98f72aff8d89}]
    2010-10-15 20:03 303104 ----a-w- c:\windows\System32\sgn_beshellextn.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SgnIconOvln2]
    @="{93c136f0-91dc-4457-a586-98f72aff8d89}"
    [HKEY_CLASSES_ROOT\CLSID\{93c136f0-91dc-4457-a586-98f72aff8d89}]
    2010-10-15 20:03 303104 ----a-w- c:\windows\System32\sgn_beshellextn.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SgnIconOvln3]
    @="{93c136f0-91dc-4458-a586-98f72aff8d89}"
    [HKEY_CLASSES_ROOT\CLSID\{93c136f0-91dc-4458-a586-98f72aff8d89}]
    2010-10-15 20:03 303104 ----a-w- c:\windows\System32\sgn_beshellextn.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-16 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-16 173592]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-16 150552]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-02-11 186904]
    "DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-03-19 667648]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-12-21 200704]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-04-02 128232]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2011-04-28 115624]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
    "SGNMasterApplication"="c:\program files\Sophos\SafeGuard Enterprise\Client\SGNMaster.exe" [2010-10-15 94208]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    BES Support Application.lnk - c:\windows\Installer\{C8C580D7-EA83-45E5-9F4B-89E3466812B8}\_CC0A4E5930FC4E7D8FFDEDEA7606DDDE.exe [2010-9-16 45056]
    Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2009-4-9 1094944]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
    SQL Server.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\scm.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SGNAuthService]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-08-13 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 11:51]
    .
    2012-08-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-01-06 19:23]
    .
    2012-08-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-01-06 19:23]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/?ilc=1
    TCP: DhcpNameServer = 192.168.1.1 71.89.148.129 71.89.132.13
    TCP: Interfaces\{CBA228D1-C88A-4AB2-B2F4-7D06F3621BE0}: NameServer = 10.1.1.5 10.1.1.15
    DPF: {16F67783-7E72-4C39-99C4-4780A8335484} - hxxp://www.syncmyride.com/Own/Modules/UploadDownload/applets/sync.cab
    FF - ProfilePath -
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    SafeBoot-Symantec Antvirus
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-08-13 09:51
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 6.0.6002 Disk: ST925041 rev.0002 -> Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
    .
    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user != kernel MBR !!!
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vsdatant]
    "ImagePath"="a"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2012-08-13 09:58:00
    ComboFix-quarantined-files.txt 2012-08-13 13:57
    .
    Pre-Run: 154,631,770,112 bytes free
    Post-Run: 156,694,728,704 bytes free
    .
    - - End Of File - - AE89C1D51B96A1C32B64D27643E6C651
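The Gmer MBR check in the ComboFix log reports `user != kernel MBR !!!`, meaning the 512-byte sector 0 obtained through the normal user-mode read path did not match what the kernel-level read returned. Before treating that as a Mebroot/TDL4-style bootkit, a responder wants to know which region differs: a disk-encryption filter driver that presents a virtualized sector 0 to user mode can produce the same mismatch, and the Sophos SafeGuard Enterprise client listed under the Run key above is a candidate to rule out first, whereas a rewritten partition table or signature is a much stronger sign of tampering. The script below is an added example by the editor, not part of ComboFix, Gmer or the original post. It parses an MBR (boot code, the four 16-byte partition entries, the 0x55AA signature) and classifies where two views of the sector diverge. Both sector images are constructed inline: the "user" view opens with the usual Windows boot-sector prologue, and the "kernel" view carries different boot code purely so the comparison has something to find. Neither is a dump from the machine in this thread.

```python
"""Locate where two reads of sector 0 disagree (added example, see lead-in)."""
import struct

MBR_SIZE = 512
PT_OFFSET = 446            # partition table: 4 entries x 16 bytes
SIG_OFFSET = 510
SIGNATURE = b"\x55\xaa"


def parse_partition_entry(entry):
    """Decode one 16-byte entry: status, CHS start, type, CHS end, LBA start, sector count."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", entry)
    return {"bootable": status == 0x80, "type": ptype, "lba_start": lba_start, "sectors": sectors}


def parse_mbr(data):
    """Split a 512-byte MBR into boot code, non-empty partition entries and a signature check."""
    if len(data) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = [parse_partition_entry(data[PT_OFFSET + 16 * i:PT_OFFSET + 16 * (i + 1)])
               for i in range(4)]
    return {
        "boot_code": data[:PT_OFFSET],
        "partitions": [p for p in entries if p["type"] != 0],
        "signature_ok": data[SIG_OFFSET:] == SIGNATURE,
    }


def compare_mbrs(user_view, kernel_view):
    """Report which region of sector 0 differs between two reads of the same disk."""
    if len(user_view) != MBR_SIZE or len(kernel_view) != MBR_SIZE:
        raise ValueError("both views must be 512 bytes")
    diffs = [i for i, (a, b) in enumerate(zip(user_view, kernel_view)) if a != b]
    return {
        "identical": not diffs,
        "boot_code_differs": any(i < PT_OFFSET for i in diffs),
        "partition_table_differs": any(PT_OFFSET <= i < SIG_OFFSET for i in diffs),
        "signature_differs": any(i >= SIG_OFFSET for i in diffs),
        "first_diff_offset": diffs[0] if diffs else None,
        "diff_bytes": len(diffs),
    }


def classify(result):
    """Turn the comparison into the next step a responder would take."""
    if result["identical"]:
        return "views agree"
    if result["partition_table_differs"] or result["signature_differs"]:
        return "partition table or signature differs: strong sign of tampering, dump both sectors offline"
    return "only boot code differs: bootkit hook or pre-boot software such as disk encryption; inspect the boot code"


def build_sample_mbr(boot_code):
    """Constructed sample: given boot code, one bootable NTFS partition at LBA 2048, valid signature."""
    boot = boot_code.ljust(PT_OFFSET, b"\x00")
    ntfs = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 488_000_000)
    return boot + ntfs + b"\x00" * 48 + SIGNATURE


# Constructed views. The "user" prologue (xor ax,ax / mov ss,ax / mov sp,0x7c00) is the
# usual Windows MBR opening; the "kernel" view just carries different boot code so the
# comparison has something to find. Neither is a dump from the machine in the thread.
USER_VIEW = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
KERNEL_VIEW = build_sample_mbr(b"\xeb\xfe")

if __name__ == "__main__":
    layout = parse_mbr(USER_VIEW)
    print("partitions:", layout["partitions"], "signature ok:", layout["signature_ok"])
    verdict = compare_mbrs(USER_VIEW, KERNEL_VIEW)
    print(verdict)
    print(classify(verdict))
```

The comparison deliberately says nothing about which view is the "true" one; a rootkit can filter either path. What it does give you is the question to answer next: when only the boot code differs, check whether a pre-boot product legitimately owns sector 0 before assuming a bootkit, and when the partition table moves, capture both sectors from an offline boot and compare them against the volume layout you can see from a clean system.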
  10. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Thanks for getting back.

    Kaspersky Security Scan (KSS)

    The Kaspersky Security Scan is a scanning only tool, that searches for active infections such as rootkits, trojans, viruses, etc.

    Please download the Kaspersky Security Scan from Kaspersky's Official Link and save it to your Desktop.

    • Double-click on the downloaded item. It will quickly download the latest version of KSS and then launch the installer. Please navigate through the installer.
    • After it finishes install, it will place an icon on your Desktop and launch itself.
    • In the Kaspersky Security Scan interface, choose full scan at the bottom:
    • Once it finishes, it will show the report. Click on the Details button, and it will launch an HTML page.
    • You have two options - either A. Upload the HTML report here, file located at { C:/ProgramData/Kaspersky%20Lab/KSS2/DataRoot/HtmlReport/index.html } (Copy and paste the file path into the Address box in the Upload window), or B. Copy and paste all of the results in your next reply.
  11. MazanSM

    MazanSM TS Rookie Topic Starter

    Got it, thanks a lot for your help. I will have to get in touch with the user, as he is an out-of-town manager for us. I will post back ASAP though.

    Thanks again!
     
  12. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Okay. Will wait here.
  13. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello. Are you still with us?

    Your thread has been marked as "Inactive" because of your lack of reply. Please let us know how your computer is running, or if you want to continue in this topic.

    Thanks.
  14. MazanSM

    MazanSM TS Rookie Topic Starter

    Hey. Sorry, I was out of town. So I downloaded this tool, but it won't run. I installed it, but when I try to run the program it doesn't open. Sometimes it says "not responding", and it showed a message from Kaspersky: "Failed to open program: Send or Don't Send". What do you think I should do now?

    Thanks a lot. - Sorry this case is slow moving sometimes. I just want these silly Windows updates to work!
  15. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    That's okay. We shall continue.

    New log from ComboFix

    We would like to see a ☆new log☆ from ComboFix. Please find the ComboFix icon on your Desktop, and double-click on it. Once it finishes running, post the new log.
  16. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Any chance to keep up here?
  17. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Your thread has been marked as "Inactive" because of your lack of reply. Please let us know how your computer is running, or if you want to continue in this topic.

    Thanks.
