TechSpot

Malwarebytes blocking websites, computer stalling and can't do system restore

Solved
By dblads
Sep 28, 2012
  1. Have Symantec antivirus protection - updated. Have tried Malwarebytes software and SuperSpyware software... both have found trojans. On reboot, laptop stalls. Have tried unsuccessfully to do system restore from safe boot prior to finding this site. Can usually do one task in normal mode before computer locks up. Any help would be greatly appreciated. Logs to follow.
     
  2. dblads

    dblads TS Rookie Topic Starter

    MBAM Quickscan log

    Malwarebytes Anti-Malware (PRO) 1.65.0.1400
    www.malwarebytes.org
    Database version: v2012.09.27.10
    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    DBLeblan :: RFSHRL202 [administrator]
    Protection: Enabled
    9/27/2012 10:18:06 PM
    mbam-log-2012-09-27 (22-18-06).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 307492
    Time elapsed: 23 minute(s), 29 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    (end)
     
  3. dblads

    dblads TS Rookie Topic Starter

    GMER

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-09-27 22:51:06
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 FUJITSU_ rev.8909
    Running: i9f8kc5h.exe; Driver: C:\DOCUME~1\dbleblan\LOCALS~1\Temp\kwdyipob.sys

    ---- Disk sectors - GMER 1.0.15 ----
    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
    ---- Devices - GMER 1.0.15 ----
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp tcpipBM.SYS (Bytemobile Kernel Network Provider/Bytemobile, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    ---- EOF - GMER 1.0.15 ----
     
  4. dblads

    dblads TS Rookie Topic Starter

    DDS

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by DBLeblan at 22:57:09 on 2012-09-27
    .
    ============== Running Processes ===============
    .
    C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    c:\Program Files\ActivIdentity\ActivClient\acevents.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\SCardSvr.exe
    C:\WINDOWS\system32\msdtc.exe
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    c:\Program Files\ActivIdentity\ActivClient\accoca.exe
    C:\WINDOWS\system32\agrsmsvc.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Motorola Media Link\Lite\NServiceEntry.exe
    C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe
    C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
    C:\Program Files\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe
    C:\Program Files\Cisco\Cisco NAC Agent\NACAgent.exe
    C:\Program Files\Common Files\Motive\pcCMService.exe
    C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    C:\Program Files\TightVNC\tvnserver.exe
    C:\Program Files\UltraVNC\WinVNC.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\system32\mqsvc.exe
    C:\WINDOWS\system32\mqtgsvc.exe
    C:\Program Files\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\TightVNC\tvnserver.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\Epson Software\Event Manager\EEventManager.exe
    C:\Program Files\Cisco\Cisco NAC Agent\NACAgentUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\RingCentral\RingCentral Call Controller\RCHotKey.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIHQA.EXE
    C:\Documents and Settings\dbleblan\Desktop\dds.com
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
    C:\WINDOWS\system32\svchost.exe -k HPService
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.att.net
    uInternet Settings,ProxyOverride = *.local;192.168.*.*
    mSearchAssistant = hxxp://www.google.com/ie
    uURLSearchHooks: H - No File
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [RCHotKey] "c:\program files\ringcentral\ringcentral call controller\RCHotKey.exe"
    uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
    uRun: [Artisan 730(Network)] c:\windows\system32\spool\drivers\w32x86\3\e_fatihqa.exe /fu "c:\docume~1\dbleblan\locals~1\temp\E_S30E.tmp" /EF "HKCU"
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [tvncontrol] "c:\program files\tightvnc\tvnserver.exe" -controlservice -slave
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [EEventManager] "c:\program files\epson software\event manager\EEventManager.exe"
    mRun: [NACAgentUI] c:\program files\cisco\cisco nac agent\NACAgentUI.exe
    uPolicies-explorer: NoSimpleStartMenu = 1 (0x1)
    uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
    uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
    uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    uPolicies-explorer: NoThemesTab = 1 (0x1)
    uPolicies-system: NoVisualStyleChoice = 1 (0x1)
    uPolicies-system: NoSizeChoice = 1 (0x1)
    uPolicies-system: NoColorChoice = 1 (0x1)
    uPolicies-system: Wallpaper = \\rfslafs1\users\rfsbackground.bmp
    uPolicies-system: WallpaperStyle = 0
    uPolicies-system: SetVisualStyle = \\rfslafs1\users\rfsbackground.bmp
    IE: Add to Evernote 4.0 - c:\program files\evernote\evernote\EvernoteIE.dll/204
    IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://c:\program files\evernote\evernote\EvernoteIE.dll/204
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    LSP: bmnet.dll
    Trusted Zone: clonewarsadventures.com
    Trusted Zone: freerealms.com
    Trusted Zone: soe.com
    Trusted Zone: sony.com
    DPF: {000F1EA4-5E08-4564-A29B-29076F63A37A} - hxxp://launch.soe.com/plugin/web/SOEWebInstaller.cab
    DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://echat.bellsouth.net/sdccommon/download/tgctlcm.cab
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab
    DPF: {0D221D00-A6ED-477C-8A91-41F3B660A832} - hxxp://klmenuweb/MenugisticsTCH/Reserved.ReportViewerWebControl.axd?ReportSession=wz3dfa45lyjp1w552mv21tjg&ControlID=20a8ba774d6042cd8280e9b8a4e339de&Culture=1033&UICulture=1033&ReportStack=1&OpType=PrintCab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} - hxxp://www.pcpitstop.com/internet/pcpConnCheck.cab
    DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.1.cab
    DPF: {4D2D3A17-9B46-483C-A5F4-1DC471080009} - hxxps://rfsvpn1.rfsdelivers.com/auth/taweb.cab
    DPF: {57AF0810-BDA7-47A5-B02D-FDA1073C04B0} - hxxps://www.mydlink.com/8D/activeX//TunnelX.ocx
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1342995031359
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1342995024609
    DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl.sun.com/webapps/download/AutoDL?BundleId=29223
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {9B57C630-AA6E-440D-8D44-D34542E5531A} - hxxps://www150.livemeeting.com/etc/static/TRIrapid2/2011-07-14-21-08-21/MailObjects.cab
    DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://itradenetwork.webex.com/client/T27LB/webex/ieatgpc.cab
    DPF: {E0FEE963-BB53-4215-81AD-B28C77384644} - hxxps://pattcw.att.motive.com/wizlet/DSLActivation/static/installer/ATTInternetInstaller.cab
    TCP: DhcpNameServer = 205.152.132.23 205.152.37.23 192.168.1.1
    TCP: Interfaces\{9771BF21-EBAC-481A-81AD-8DE1D4326245} : DhcpNameServer = 205.152.132.23 205.152.37.23 192.168.1.1
    Notify: ackpbsc - c:\windows\system32\ackpbsc.dll
    Notify: acunlock - c:\program files\actividentity\activclient\acunlock.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    .
    ============= SERVICES / DRIVERS ===============
    .
    R? ATSwpWDF;AuthenTec TruePrint USB WDF Driver
    R? ATTRcAppSvc;AT&T RcAppSvc
    R? BTCFilterService;USB Networking Driver Filter Service
    R? COH_Mon;COH_Mon
    R? Com4QLBEx;Com4QLBEx
    R? HTCAND32;HTC Device Driver
    R? MBAMProtector;MBAMProtector
    R? MBAMService;MBAMService
    R? motccgp;Motorola USB Composite Device Driver
    R? motccgpfl;MotCcgpFlService
    R? Motousbnet;Motorola USB Networking Driver Service
    R? motusbdevice;Motorola USB Dev Driver
    R? PulseUsb;Livescribe Smartpen USB Driver
    R? vsdatant;vsdatant
    R? WsAudio_DeviceS(1);WsAudio_DeviceS(1)
    S? !SASCORE;SAS Core Service
    S? accoca;ActivClient Middleware Service
    S? ccEvtMgr;Symantec Event Manager
    S? ccSetMgr;Symantec Settings Manager
    S? DeviceMonitorService;DeviceMonitorService
    S? EpsonCustomerParticipation;EpsonCustomerParticipation
    S? EraserUtilRebootDrv;EraserUtilRebootDrv
    S? FreeAgentGoNext Service;Seagate Service
    S? IFXTPM;IFXTPM
    S? MBAMScheduler;MBAMScheduler
    S? Motorola Device Manager;Motorola Device Manager Service
    S? NACAgent;Cisco NAC Agent
    S? NAVENG;NAVENG
    S? NAVEX15;NAVEX15
    S? pcCMService;pcCMService
    S? PenCommService;Livescribe Pulse Smartpen Service
    S? SASDIFSV;SASDIFSV
    S? SASKUTIL;SASKUTIL
    S? SFAUDIO;Sonic Focus DSP Driver
    S? Symantec AntiVirus;Symantec Endpoint Protection
    S? TomTomHOMEService;TomTomHOMEService
    S? tvnserver;TightVNC Server
    .
    =============== Created Last 30 ================
    .
    2012-09-28 02:16:50 5658 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2012-09-28 01:09:00 14080 ----a-w- c:\windows\system32\drivers\TrueSight.sys
    2012-09-27 17:28:02 -------- d-----w- c:\documents and settings\dbleblan\application data\SUPERAntiSpyware.com
    2012-09-27 17:27:30 -------- d-----w- c:\program files\SUPERAntiSpyware
    2012-09-27 17:27:29 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
    2012-09-26 22:02:01 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-09-26 21:34:12 451072 ----a-w- c:\documents and settings\dbleblan\application data\psevc.dll
    2012-09-26 21:33:17 -------- d-----w- c:\documents and settings\all users\application data\F139BF267F3771D00029F139955EE3A0
    2012-09-18 21:45:40 -------- d-----w- c:\documents and settings\dbleblan\local settings\application data\TechSmith
    2012-09-18 18:59:56 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2012-09-18 18:59:56 -------- d-----w- c:\windows\system32\wbem\Repository
    2012-09-17 21:53:08 -------- d-----w- c:\documents and settings\dbleblan\application data\Malwarebytes
    2012-09-17 21:53:02 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2012-09-17 21:53:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-09-17 21:40:02 -------- d-----w- c:\documents and settings\dbleblan\application data\Remote
    2012-09-17 19:56:52 -------- d-----w- c:\program files\Enigma Software Group
    2012-09-14 21:28:07 -------- d-----w- c:\documents and settings\all users\application data\Cisco Systems
    2012-09-14 13:59:47 -------- d-----w- c:\program files\ATT
    2012-09-13 18:47:45 -------- d-----w- c:\program files\Yahoo!
    2012-09-13 18:46:48 -------- d-----w- c:\program files\ATT-HSI
    2012-09-13 18:46:37 -------- d-----w- c:\program files\common files\Motive
    2012-08-30 03:27:22 -------- d-----w- c:\program files\common files\Cisco
    .
    ==================== Find3M ====================
    .
    2012-09-11 17:26:44 60304 ----a-w- c:\documents and settings\dbleblan\g2mdlhlpx.exe
    2012-09-08 10:10:26 167936 ----a-w- c:\windows\system32\drivers\wpshelper.sys
    2012-08-03 17:22:55 5 ----a-w- c:\windows\system32\lMMLDeleteUserData42107612FX.tmp
    2012-07-06 13:58:51 78336 ----a-w- c:\windows\system32\browser.dll
    2012-07-04 14:05:18 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-07-03 13:40:15 1866112 ----a-w- c:\windows\system32\win32k.sys
    2012-07-02 17:49:33 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-07-02 17:49:32 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2012-07-02 17:49:32 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2012-07-02 12:05:43 385024 ----a-w- c:\windows\system32\html.iec
    .
    ============= FINISH: 23:02:52.95 ===============
     
  5. dblads

    dblads TS Rookie Topic Starter

    DDS Attach Log

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    .
    ==== Installed Programs ======================
    .
    2007 Microsoft Office system
    32 Bit HP CIO Components Installer
    8000A809
    8000A809_eDocs
    8000A809_Help
    Activation Assistant for the 2007 Microsoft Office suites
    ActivClient 6.1 x86
    Adobe Acrobat 9 Pro - English, Français, Deutsch
    Adobe Acrobat 9.5.2 - CPSID_83708
    Adobe AIR
    Adobe Digital Editions
    Adobe Flash Player 11 ActiveX
    Adobe Reader 9.5.1
    Adobe Shockwave Player 11.5
    Agere Systems HDA Modem
    AiO_Scan_CDA
    Amazon Kindle
    Amazon MP3 Downloader 1.0.15
    Amazon MP3 Uploader
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    AT&T Communication Manager
    AT&T Connect Participant
    AudibleManager
    BlackBerry App World Browser Plugin
    BlackBerry Desktop Software 6.0.1
    BlackBerry Desktop Software 6.1
    Bonjour
    BPDSoftware
    BPDSoftware_Ini
    BufferChm
    Calendar Printing Assistant for Microsoft Office Outlook 2007
    Camtasia Studio 7
    CCleaner
    Cisco Connect
    Cisco NAC Agent
    Cisco Systems VPN Client 5.0.05.0290
    Cisco WebEx Meetings
    Cognos 8 BI Analysis for Microsoft Excel
    Cognos 8 Go! Office
    Content Transfer
    CutePDF Writer 2.7
    DeviceDiscovery
    Driver Installer
    EC Software TNT Screen Capture 2.1
    EPSON Artisan 730 Series Printer Uninstall
    Epson Connect
    Epson Customer Participation
    Epson Download Navigator
    Epson Event Manager
    Epson Print CD
    EPSON Scan
    EpsonNet Print
    Evernote v. 4.5.6
    Gold Medal - Make More With Less
    GoToMeeting 5.2.0.952
    GPBaseService2
    GPL Ghostscript 8.54
    GPL Ghostscript Fonts
    Help & Manual 5
    Help & Manual 6
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB954550-v5)
    HP 3D DriveGuard
    HP BatteryCheck 1.00 A7
    HP Customer Participation Program 12.0
    HP Doc Viewer
    HP Help and Support
    HP Imaging Device Functions 12.0
    HP Officejet Pro 8000 A809 Series
    HP Photosmart, Officejet and Deskjet 7.0.A
    HP Quick Launch Buttons 6.40 D3
    HP QuickLook 2
    HP Smart Web Printing
    HP Software Setup 5.00.A.5
    HP Solution Center 12.0
    HP Update
    HP User Guide Bluetooth Addendum 0062
    HP User Guides 0097
    HP Wireless Assistant
    HPProductAssistant
    HPSSupply
    HTC BMP USB Driver
    ICE.TCP Pro
    InstallMgr
    Intel(R) Graphics Media Accelerator Driver
    Intel® Matrix Storage Manager
    ISO Recorder
    Java(TM) 6 Update 13
    Lexmark Software Uninstall
    Livescribe Connect
    Livescribe Desktop
    LiveUpdate 3.3 (Symantec Corporation)
    Malwarebytes Anti-Malware version 1.65.0.1400
    MarketResearch
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2656353)
    Microsoft .NET Framework 1.1 Security Update (KB2656370)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Default Manager
    Microsoft IntelliPoint 7.1
    Microsoft IntelliType Pro 7.1
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
    Microsoft Office 2007 Service Pack 3 (SP3)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Live Meeting 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional Hybrid 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Search Enhancement Pack
    Microsoft Software Update for Web Folders (English) 12
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    MotoCast
    MotoHelper MergeModules
    Motorola Device Manager
    Motorola Device Software Update
    MOTOROLA MEDIA LINK
    Motorola Mobile Drivers Installation 5.9.0
    MSN Toolbar
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP3 Parser
    MSXML 4.0 SP3 Parser (KB2721691)
    MSXML 4.0 SP3 Parser (KB973685)
    MSXML 6 Service Pack 2 (KB973686)
    myPrintMileage (Officejet Pro 8000 A809)
    Network
    NowPDF
    NWZ-S540 WALKMAN Guide
    pdfsam 0.7sr1
    ProductContext
    QFolder
    QuickTime
    RingCentral Call Controller
    Scan
    Seagate Manager Installer
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596856) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2687441) 32-Bit Edition
    Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition
    Security Update for Microsoft Office InfoPath 2007 (KB2596786) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
    Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB2699988)
    Security Update for Windows Internet Explorer 8 (KB2722913)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows XP (KB2705219)
    Security Update for Windows XP (KB2712808)
    Security Update for Windows XP (KB2723135)
    Security Update for Windows XP (KB2731847)
    Shop for HP Supplies
    SmartWebPrinting
    SolutionCenter
    SoundMAX
    Spelling Dictionaries Support For Adobe Reader 9
    Status
    SUPERAntiSpyware
    Symantec Endpoint Protection
    The Markon Fresh Produce Wizard
    TightVNC 2.0.2
    TomTom HOME 2.8.2.2264
    TomTom HOME Visual Studio Merge Modules
    Toolbox
    TrayApp
    Unity Web Player
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office Outlook 2007 (KB2596598) 32-Bit Edition
    Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2687400) 32-Bit Edition
    Update for Windows Internet Explorer 8 (KB971180)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    WebFldrs XP
    WebReg
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Imaging Component
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Search 4.0
    Windows XP Service Pack 3
    WinZip
    XEROX DocuMate 510
    .
    ==== End Of File ===========================
     
  6. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot.


    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic where you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply within two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

    Also, include this scan:

    Download AdwCleaner by Xplode onto your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Delete.
    • A logfile will automatically open after the scan has finished.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.
     
  7. dblads

    dblads TS Rookie Topic Starter

    Here is the R1 txt file... Also will post the S1 file that opened after it rebooted the computer.

    # AdwCleaner v2.003 - Logfile created 09/28/2012 at 11:17:00
    # Updated 23/09/2012 by Xplode
    # Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
    # User : DBLeblan - RFSHRL202
    # Boot Mode : Normal
    # Running from : C:\Documents and Settings\dbleblan\Desktop\adwcleaner.exe
    # Option [Search]

    ***** [Services] *****

    ***** [Files / Folders] *****

    ***** [Registry] *****
    Key Found : HKLM\SOFTWARE\Classes\Interface\{BCFF5F55-6F44-11D2-86F8-00104B265ED5}
    Value Found : HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel [Homepage]
    ***** [Internet Browsers] *****
    -\\ Internet Explorer v8.0.6001.18702
    [OK] Registry is clean.
    *************************
    AdwCleaner[R1].txt - [712 octets] - [28/09/2012 11:17:00]
    ########## EOF - C:\AdwCleaner[R1].txt - [771 octets] ##########
     
  8. dblads

    dblads TS Rookie Topic Starter

    # AdwCleaner v2.003 - Logfile created 09/28/2012 at 11:18:34
    # Updated 23/09/2012 by Xplode
    # Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
    # User : DBLeblan - RFSHRL202
    # Boot Mode : Normal
    # Running from : C:\Documents and Settings\dbleblan\Desktop\adwcleaner.exe
    # Option [Delete]

    ***** [Services] *****

    ***** [Files / Folders] *****

    ***** [Registry] *****
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BCFF5F55-6F44-11D2-86F8-00104B265ED5}
    Value Deleted : HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel [Homepage]
    ***** [Internet Browsers] *****
    -\\ Internet Explorer v8.0.6001.18702
    Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    *************************
    AdwCleaner[R1].txt - [839 octets] - [28/09/2012 11:17:00]
    AdwCleaner[S1].txt - [1194 octets] - [28/09/2012 11:18:34]
    ########## EOF - C:\AdwCleaner[S1].txt - [1254 octets] ##########
     
  9. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Good job! (y)

    Scan for malware

    Please download and run TDSSKiller to your desktop as outlined below:

    Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

    For Windows XP, double-click to start.
    For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.


    -------------------------

    Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.


    ------------------------

    Click the Start Scan button.


    -----------------------

    If a suspicious object is detected, the default action will be Skip; click on Continue.
    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.



    ----------------------

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.




    --------------------

    A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents in your next reply.
    Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

    -------------------

    Here's a summary of what to do if you would like to print it out:

    If a suspicious object is detected, the default action will be Skip; click on Continue.
    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.



    Please download Malwarebytes Anti-Malware from HERE.


    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this will leave the infection active on the computer.
    • Please save the log to a location you will remember.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
    • Copy and paste the entire report in your next reply.
     
  10. dblads

    dblads TS Rookie Topic Starter

    TDSSKiller file attached.

    MBAM log below:
    Malwarebytes Anti-Malware (PRO) 1.65.0.1400
    www.malwarebytes.org
    Database version: v2012.09.28.07
    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    DBLeblan :: RFSHRL202 [administrator]
    Protection: Enabled
    9/28/2012 2:48:49 PM
    mbam-log-2012-09-28 (14-48-49).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 311212
    Time elapsed: 24 minute(s), 28 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    (end)
     

  11. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    That killed the biggest underlying problem, good job!

    avast! aswMBR

    Please download aswMBR from here
    • Save aswMBR.exe to your Desktop
    • Double click aswMBR.exe to run it
    • Click the Scan button to start the scan as illustrated below
    Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives.
    • Once the scan finishes click Save log to save the log to your Desktop
    • Copy and paste the contents of aswMBR.txt back here for review
    • Please also find MBR.dat on your Desktop, and rename it to MBR.txt. Upload that as well.

    ComboFix

    Please download ComboFix by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console.
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
    logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (above method), but try to download it again, except name
    ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

    NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
     
     
  12. dblads

    dblads TS Rookie Topic Starter

    Please find the logs from aswMBR. As for ComboFix, I am not able to disable Symantec Endpoint Protection...one of the only things my employer blocks. I tried going to safe boot (w/ networking is my only option) and Symantec is still partly enabled. I did not want to proceed with running ComboFix without your advice first.

    aswMBR.txt
    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-09-29 12:12:46
    -----------------------------
    12:12:46.890 OS Version: Windows 5.1.2600 Service Pack 3
    12:12:46.890 Number of processors: 2 586 0x1706
    12:12:46.890 ComputerName: RFSHRL202 UserName: DBLeblan
    12:12:47.140 Initialze error 0
    12:12:49.828 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
    12:12:49.843 Disk 0 Vendor: FUJITSU_ 8909 Size: 152627MB BusType: 3
    12:12:49.875 Disk 0 MBR read successfully
    12:12:49.890 Disk 0 MBR scan
    12:12:49.906 Disk 0 unknown MBR code
    12:12:49.906 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 151589 MB offset 63
    12:12:49.953 Disk 0 Partition 2 00 0C FAT32 LBA MSDOS5.0 1027 MB offset 310472190
    12:12:49.968 Disk 0 scanning sectors +312576705
    12:12:50.046 Disk 0 scanning C:\WINDOWS\system32\drivers
    12:12:50.062 Service scanning
    12:12:51.390 Modules scanning
    12:12:52.734 Disk 0 trace - called modules:
    12:12:52.765 ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll ACPI.sys iaStor.sys
    12:12:52.781 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b0b2030]
    12:12:52.781 3 CLASSPNP.SYS[f74e7fd7] -> nt!IofCallDriver -> [0x8b0648b8]
    12:12:52.796 5 hpdskflt.sys[f771833d] -> nt!IofCallDriver -> \Device\000000e7[0x8b0b4670]
    12:12:52.812 7 ACPI.sys[f7330620] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8b0b3030]
    12:12:52.812 Scan finished successfully
    12:12:56.703 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\dbleblan\Desktop\logs\MBR.dat"
    12:12:56.734 The log file has been saved successfully to "C:\Documents and Settings\dbleblan\Desktop\logs\aswMBR.txt"

    MBR.dat changed to MBR.txt
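The aswMBR log above prints the partition table and reports "unknown MBR code". The following added example (not from the thread, and not aswMBR's own code) parses a 512-byte MBR into the same kind of summary and runs the sanity checks a helper would want before deciding whether the MBR needs fixing. The sector is constructed: partition starts and types mirror the log, the partition lengths are assumed (chosen so the sizes come out to the MB figures aswMBR printed), and the disk size is the sector count from the log's "scanning sectors" line.

```python
"""Parse and sanity-check a 512-byte MBR, mirroring what aswMBR summarises.

Added example; not part of the TechSpot thread or of aswMBR. SAMPLE_MBR is
constructed: partition starts/types follow the thread's log, the lengths are
assumed (chosen so the MB figures match the log), and the opening boot-code
bytes are the standard XP MBR prologue (cli; xor ax,ax; mov ss,ax; mov sp,7C00h).
"""
import struct

SECTOR = 512
PART_TABLE_OFFSET = 0x1BE        # four 16-byte partition entries start here
ENTRY_FMT = "<B3xB3xII"          # status, CHS start, type, CHS end, LBA start, LBA count
BOOT_SIGNATURE = b"\x55\xAA"     # last two bytes of every valid MBR

PARTITION_TYPES = {0x07: "HPFS/NTFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
                   0x0F: "Extended LBA", 0x82: "Linux swap", 0x83: "Linux"}

# Messages the stock Windows XP MBR code carries (also visible in the thread's
# MBR.txt dump). Their presence does not prove the code is untouched, which is
# why aswMBR compares the code itself; their absence is still worth a look.
XP_MBR_STRINGS = (b"Invalid partition table",
                  b"Error loading operating system",
                  b"Missing operating system")


def build_mbr(boot_code, entries):
    """Assemble an MBR from boot code and (status, type, lba_start, lba_count) tuples."""
    if len(boot_code) > PART_TABLE_OFFSET or len(entries) > 4:
        raise ValueError("boot code too long or too many partitions")
    sector = bytearray(boot_code.ljust(PART_TABLE_OFFSET, b"\x00"))
    for status, ptype, start, count in entries:
        sector += struct.pack(ENTRY_FMT, status, ptype, start, count)
    sector += b"\x00" * 16 * (4 - len(entries))   # unused slots are all zero
    sector += BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector):
    """Return the boot-code string check and the non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    boot_code = sector[:PART_TABLE_OFFSET]
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, ptype, start, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:                 # empty slot
            continue
        partitions.append({"index": i + 1, "bootable": status == 0x80,
                           "type": ptype,
                           "type_name": PARTITION_TYPES.get(ptype, "unknown"),
                           "lba_start": start, "lba_count": count,
                           "size_mb": count * SECTOR // (1024 * 1024)})
    return {"has_xp_strings": all(s in boot_code for s in XP_MBR_STRINGS),
            "partitions": partitions}


def summarize(parsed):
    """One line per partition, in roughly the shape aswMBR prints."""
    return ["Partition %d %02X %02X %s %d MB offset %d" % (
                p["index"], 0x80 if p["bootable"] else 0x00, p["type"],
                p["type_name"], p["size_mb"], p["lba_start"])
            for p in parsed["partitions"]]


def check_mbr(parsed, disk_sectors):
    """Return findings worth a reviewer's attention; an empty list means none."""
    findings = []
    if not parsed["has_xp_strings"]:
        findings.append("boot code lacks the standard Windows MBR messages")
    parts = parsed["partitions"]
    bootable = [p for p in parts if p["bootable"]]
    if len(bootable) != 1:
        findings.append("expected one bootable partition, found %d" % len(bootable))
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["lba_count"] > b["lba_start"]:
            findings.append("partition %d overlaps partition %d" % (a["index"], b["index"]))
    for p in parts:
        if p["lba_start"] + p["lba_count"] > disk_sectors:
            findings.append("partition %d extends past the end of the disk" % p["index"])
    return findings


# Constructed sample. 312576705 sectors is the figure from the thread's
# "scanning sectors" line; the partition lengths are assumed.
SAMPLE_DISK_SECTORS = 312576705
SAMPLE_MBR = build_mbr(
    b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 300
    + b"\x00".join(XP_MBR_STRINGS) + b"\x00",
    [(0x80, 0x07, 63, 151589 * 2048),           # bootable NTFS, as in the log
     (0x00, 0x0C, 310472190, 1027 * 2048)])     # FAT32 LBA, second entry in the log

if __name__ == "__main__":
    parsed = parse_mbr(SAMPLE_MBR)
    print("\n".join(summarize(parsed)))
    print(check_mbr(parsed, SAMPLE_DISK_SECTORS) or ["no anomalies found"])
```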
     
  13. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Go ahead and run ComboFix anyway. I'll be back in the morning (ET).

    Also, run the following scan, please:

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so and install it.
    • Click Start or wait for the scanner to load.
    • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, there are a couple of things to keep in mind:
    • 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
    • 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
    • Open the logfile from wherever you saved it
    • Copy and paste the contents in your next reply.
     
  14. dblads

    dblads TS Rookie Topic Starter

    ComboFix

    ComboFix 12-09-27.03 - DBLeblan 09/29/2012 13:10:44.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3001.2259 [GMT -5:00]
    Running from: c:\documents and settings\dbleblan\Desktop\ComboFix.exe
    AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\dbleblan\Application Data\psevc.dll
    c:\documents and settings\dbleblan\Application Data\Remote
    c:\documents and settings\dbleblan\Application Data\Remote\kkjt
    c:\documents and settings\dbleblan\g2mdlhlpx.exe
    c:\documents and settings\dleblan\g2mdlhlpx.exe
    c:\documents and settings\dleblan\WINDOWS
    c:\windows\system32\drivers\etc\hosts.ics
    c:\windows\system32\URTTemp
    c:\windows\system32\URTTemp\fusion.dll
    c:\windows\system32\URTTemp\mscoree.dll
    c:\windows\system32\URTTemp\mscoree.dll.local
    c:\windows\system32\URTTemp\mscorsn.dll
    c:\windows\system32\URTTemp\mscorwks.dll
    c:\windows\system32\URTTemp\msvcr71.dll
    c:\windows\system32\URTTemp\regtlib.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-08-28 to 2012-09-29 )))))))))))))))))))))))))))))))
    .
    .
    2012-09-28 19:41 . 2012-09-28 19:41 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-09-28 01:09 . 2012-09-28 01:09 14080 ----a-w- c:\windows\system32\drivers\TrueSight.sys
    2012-09-27 17:28 . 2012-09-27 17:28 -------- d-----w- c:\documents and settings\dbleblan\Application Data\SUPERAntiSpyware.com
    2012-09-27 17:27 . 2012-09-28 01:03 -------- d-----w- c:\program files\SUPERAntiSpyware
    2012-09-27 17:27 . 2012-09-27 17:27 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2012-09-26 22:02 . 2012-09-07 22:04 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-09-26 21:33 . 2012-09-26 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\F139BF267F3771D00029F139955EE3A0
    2012-09-18 21:45 . 2012-09-18 21:45 -------- d-----w- c:\documents and settings\dbleblan\Local Settings\Application Data\TechSmith
    2012-09-18 18:59 . 2012-09-18 18:59 -------- d-----w- c:\windows\system32\wbem\Repository
    2012-09-17 21:53 . 2012-09-17 21:53 -------- d-----w- c:\documents and settings\dbleblan\Application Data\Malwarebytes
    2012-09-17 21:53 . 2012-09-17 21:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-09-17 21:53 . 2012-09-28 01:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-09-17 19:56 . 2012-09-17 19:56 -------- d-----w- c:\program files\Enigma Software Group
    2012-09-14 21:28 . 2012-09-14 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Cisco Systems
    2012-09-14 14:01 . 2012-09-14 14:01 -------- d-----w- c:\documents and settings\dbleblan\Application Data\Motive
    2012-09-14 13:59 . 2012-09-14 13:59 -------- d-----w- c:\program files\ATT
    2012-09-13 18:47 . 2012-09-14 15:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
    2012-09-13 18:47 . 2012-09-13 18:47 -------- d-----w- c:\documents and settings\dbleblan\Application Data\Yahoo!
    2012-09-13 18:47 . 2012-09-14 15:05 -------- d-----w- c:\program files\Yahoo!
    2012-09-13 18:46 . 2012-09-13 18:46 -------- d-----w- c:\program files\ATT-HSI
    2012-09-13 18:46 . 2012-09-14 14:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
    2012-09-13 18:46 . 2012-09-14 15:47 -------- d-----w- c:\program files\Common Files\Motive
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-09-08 10:10 . 2011-05-19 20:53 167936 ----a-w- c:\windows\system32\drivers\wpshelper.sys
    2012-08-03 17:22 . 2012-06-15 16:55 5 ----a-w- c:\windows\system32\lMMLDeleteUserData42107612FX.tmp
    2012-07-06 13:58 . 2004-08-04 08:00 78336 ----a-w- c:\windows\system32\browser.dll
    2012-07-04 14:05 . 2004-08-04 08:00 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-07-03 13:40 . 2004-08-04 08:00 1866112 ----a-w- c:\windows\system32\win32k.sys
    2012-07-02 17:49 . 2004-08-04 08:00 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-07-02 17:49 . 2004-08-04 08:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2012-07-02 17:49 . 2004-08-04 08:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2012-07-02 12:05 . 2004-08-04 08:00 385024 ----a-w- c:\windows\system32\html.iec
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RCHotKey"="c:\program files\RingCentral\RingCentral Call Controller\RCHotKey.exe" [2010-09-22 38144]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-09-27 4780928]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-04 148888]
    "tvncontrol"="c:\program files\TightVNC\tvnserver.exe" [2010-07-08 815704]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2011-03-24 115560]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]
    "EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2010-10-12 979328]
    "NACAgentUI"="c:\program files\Cisco\Cisco NAC Agent\NACAgentUI.exe" [2011-01-27 483552]
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSimpleStartMenu"= 1 (0x1)
    "NoSMConfigurePrograms"= 1 (0x1)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
    2007-05-15 23:08 112640 ----a-w- c:\windows\system32\ackpbsc.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
    2007-05-15 23:08 281088 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Firewall Client Connectivity Monitor.LNK]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Firewall Client Connectivity Monitor.LNK
    backup=c:\windows\pss\Firewall Client Connectivity Monitor.LNKCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
    backup=c:\windows\pss\VPN Client.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^dbleblan^Start Menu^Programs^Startup^EvernoteClipper.lnk]
    path=c:\documents and settings\dbleblan\Start Menu\Programs\Startup\EvernoteClipper.lnk
    backup=c:\windows\pss\EvernoteClipper.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    c:\windows\system32\dumprep 0 -k [X]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
    2012-07-30 20:02 640480 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
    2012-07-31 09:19 41944 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2012-07-11 17:00 919008 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2012-03-27 12:41 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T Communication Manager]
    2010-03-10 23:10 883272 ----a-w- c:\program files\AT&T\Communication Manager\ATTCM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ContentTransferWMDetector.exe]
    2009-11-20 00:15 583016 ----a-w- c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2007-05-08 21:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
    2009-11-05 20:35 1468256 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
    2009-11-05 20:45 1505144 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
    2009-09-26 05:31 185640 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Default Manager]
    2009-02-03 18:05 233304 ----a-w- c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MotoCast]
    2012-08-03 17:24 1704 ----a-w- c:\program files\Motorola Mobility\MotoCast\MotoLauncher.lnk
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-11-29 23:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rim.DesktopHelper.exe]
    2011-06-07 13:06 744280 ----a-w- c:\program files\Research In Motion\BlackBerry Desktop\Rim.DesktopHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
    2008-04-14 00:12 143360 ----a-w- c:\windows\system32\mobsync.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
    2011-04-22 12:21 247728 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC]
    2004-06-21 01:45 630854 ----a-w- c:\program files\UltraVNC\winvnc.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [3/28/2008 5:14 AM 24064]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [8/11/2011 6:38 PM 116608]
    R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [5/15/2007 6:08 PM 182576]
    R2 DeviceMonitorService;DeviceMonitorService;c:\program files\Motorola Media Link\Lite\NServiceEntry.exe [6/5/2012 11:48 AM 87400]
    R2 EpsonCustomerParticipation;EpsonCustomerParticipation;c:\program files\epson\EpsonCustomerParticipation\EPCP.exe [6/9/2011 1:01 PM 521600]
    R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/26/2009 12:32 AM 189736]
    R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [9/26/2012 5:02 PM 399432]
    R2 Motorola Device Manager;Motorola Device Manager Service;c:\program files\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe [7/17/2012 3:31 PM 116632]
    R2 NACAgent;Cisco NAC Agent;c:\program files\Cisco\Cisco NAC Agent\NACAgent.exe [1/26/2011 10:09 PM 827616]
    R2 pcCMService;pcCMService;c:\program files\Common Files\Motive\pcCMService.exe [9/14/2012 8:59 AM 361472]
    R2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\Common Files\Livescribe\PenComm\PenCommService.exe [10/27/2011 6:56 PM 470528]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [4/22/2011 7:21 AM 92592]
    R2 tvnserver;TightVNC Server;c:\program files\TightVNC\tvnserver.exe [7/8/2010 8:28 AM 815704]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/9/2012 6:30 AM 106656]
    R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [4/4/2007 2:16 PM 41216]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/26/2012 5:02 PM 676936]
    S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [5/13/2008 10:30 AM 475520]
    S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [3/10/2010 6:12 PM 121416]
    S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys [8/3/2012 12:22 PM 6016]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [3/24/2011 4:54 PM 23888]
    S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [7/8/2008 7:18 AM 193840]
    S3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys --> c:\windows\system32\Drivers\ANDROIDUSB.sys [?]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/26/2012 5:02 PM 22856]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/3/2012 12:22 PM 20864]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/3/2012 12:22 PM 8448]
    S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\Motousbnet.sys [8/3/2012 12:22 PM 23808]
    S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\drivers\motusbdevice.sys [8/3/2012 12:22 PM 11008]
    S3 PulseUsb;Livescribe Smartpen USB Driver;c:\windows\system32\drivers\PulseUsb.sys [12/25/2011 11:25 PM 20480]
    S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [9/28/2010 9:38 AM 16640]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - BMLoad
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-09-29 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 17:34]
    .
    2010-09-01 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
    - c:\program files\Microsoft IntelliPoint\ipoint.exe [2009-11-05 20:35]
    .
    2010-09-01 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
    - c:\program files\Microsoft IntelliType Pro\itype.exe [2009-11-05 20:45]
    .
    2012-09-24 c:\windows\Tasks\MotoCast Update.job
    - c:\program files\Motorola Mobility\MotoCast\LiveUpdate\MotoCastUpdate.exe [2012-05-26 14:35]
    .
    2012-09-24 c:\windows\Tasks\Motorola Device Manager Engine.job
    - c:\program files\Motorola Mobility\Motorola Device Manager\MotorolaDeviceManagerUpdate.exe [2012-07-17 20:31]
    .
    2012-09-02 c:\windows\Tasks\Motorola Device Manager Update.job
    - c:\program files\Motorola Mobility\Motorola Device Manager\MotorolaDeviceManagerUpdate.exe [2012-07-17 20:31]
    .
    2012-09-29 c:\windows\Tasks\User_Feed_Synchronization-{9359E281-F91B-4048-96B0-B033EEF225AA}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.att.net
    uInternet Settings,ProxyOverride = *.local;192.168.*.*
    IE: Add to Evernote 4.0 - c:\program files\Evernote\Evernote\EvernoteIE.dll/204
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    LSP: bmnet.dll
    Trusted Zone: clonewarsadventures.com
    Trusted Zone: freerealms.com
    Trusted Zone: soe.com
    Trusted Zone: sony.com
    TCP: DhcpNameServer = 205.152.132.23 205.152.37.23 192.168.1.1
    DPF: {0D221D00-A6ED-477C-8A91-41F3B660A832} - hxxp://klmenuweb/MenugisticsTCH/Reserved.ReportViewerWebControl.axd?ReportSession=wz3dfa45lyjp1w552mv21tjg&ControlID=20a8ba774d6042cd8280e9b8a4e339de&Culture=1033&UICulture=1033&ReportStack=1&OpType=PrintCab
    DPF: {4D2D3A17-9B46-483C-A5F4-1DC471080009} - hxxps://rfsvpn1.rfsdelivers.com/auth/taweb.cab
    DPF: {57AF0810-BDA7-47A5-B02D-FDA1073C04B0} - hxxps://www.mydlink.com/8D/activeX//TunnelX.ocx
    DPF: {9B57C630-AA6E-440D-8D44-D34542E5531A} - hxxps://www150.livemeeting.com/etc/static/TRIrapid2/2011-07-14-21-08-21/MailObjects.cab
    .
    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
    Toolbar-Locked - (no file)
    SafeBoot-64328469.sys
    SafeBoot-Symantec Antvirus
    MSConfigStartUp-HTC Sync Loader - c:\program files\HTC\HTC Sync 3.0\htcUPCTLoader.exe
    MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
    AddRemove-Agere Systems Soft Modem - c:\windows\agrsmdel
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-09-29 13:22
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1044)
    c:\windows\system32\ackpbsc.dll
    c:\windows\system32\aclog.dll
    c:\windows\system32\ACLIBEAY.dll
    c:\windows\system32\acevtsub.dll
    c:\windows\system32\asphat32.dll
    c:\windows\system32\acerrmes.dll
    c:\windows\system32\aspcom.dll
    c:\program files\ActivIdentity\ActivClient\Resources\Merged\acerrmrc.dll
    c:\program files\ActivIdentity\ActivClient\Resources\Merged\asphatrc.dll
    c:\program files\ActivIdentity\ActivClient\acunlock.dll
    c:\windows\system32\aipingui.dll
    c:\program files\ActivIdentity\ActivClient\Resources\Merged\aipinguirc.dll
    c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll
    c:\program files\ActivIdentity\ActivClient\Resources\Merged\acunlockrc.dll
    .
    - - - - - - - > 'lsass.exe'(1148)
    c:\windows\system32\bmnet.dll
    .
    Completion time: 2012-09-29 13:23:57
    ComboFix-quarantined-files.txt 2012-09-29 18:23
    .
    Pre-Run: 87,075,966,976 bytes free
    Post-Run: 88,241,623,040 bytes free
    .
    - - End Of File - - AFB02E53C4FDE2D7054209CB6F514C43

    ESET Online Scan
    C:\Qoobox\Quarantine\C\Documents and Settings\dbleblan\Application Data\psevc.dll.vir a variant of Win32/Medfos.DY trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP1170\A0154063.exe Win32/Simda.P trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP1178\A0155619.dll a variant of Win32/Kryptik.ALZT trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP1185\A0156469.dll a variant of Win32/Medfos.DX trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP1190\A0181418.dll a variant of Win32/Medfos.DY trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\28.09.2012_14.38.38\mbr0000\tdlfs0000\tsk0001.dta a variant of Win32/Rootkit.Kryptik.NP trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\28.09.2012_14.38.38\mbr0000\tdlfs0000\tsk0005.dta Win32/Olmarik.AFK trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\28.09.2012_14.38.38\mbr0000\tdlfs0000\tsk0006.dta Win64/Olmarik.AK trojan cleaned by deleting - quarantined
     
  15. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Any more issues?

    We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

    Many of the things to note for us would be:

    • Slow computer
    • Error messages
    • Fake antivirus alerts or the icon in the system tray
    • svchost.exe running at 100%
    • System crashes or blue screen of death
     
  16. dblads

    dblads TS Rookie Topic Starter

    Computer appears to be running much faster and I haven't received any error messages since yesterday morning.
     
  17. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Okay, let's finish up.

    Run OTC to remove our tools

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    Purge old temporary files

    Download CCleaner Slim and save it to your Desktop - Alternate download link

    When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
    Follow the prompts to install the program.

    * Double-click the CCleaner shortcut on the desktop to start the program.
    * Click on the Options block on the left, then choose Cookies.
    * Under Cookies to Delete, highlight any cookies you would like to retain permanently
    * Click the right arrow > to move them to the Cookies to Keep window.
    * Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
    * Click Cleaner on the left then Run Cleaner on the right to run the program.
    * Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

    Caution: Only use the Registry feature if you are very familiar with the registry.
    Always back up your registry before making any changes. Exit CCleaner after it has completed its process.

    Security Check

    Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
     
  18. dblads

    dblads TS Rookie Topic Starter

    Results of screen317's Security Check version 0.99.51
    Windows XP Service Pack 3 x86
    Internet Explorer 8
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Security Center service is not running! This report may not be accurate!
    Windows Firewall Disabled!
    Symantec Endpoint Protection
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Malwarebytes Anti-Malware version 1.65.0.1400
    CCleaner
    Java(TM) 6 Update 13
    Java version out of Date!
    Adobe Reader 9 Adobe Reader out of Date!
    ````````Process Check: objlist.exe by Laurent````````
    Norton ccSvcHst.exe
    Malwarebytes Anti-Malware mbamservice.exe
    Malwarebytes Anti-Malware mbamgui.exe
    Malwarebytes' Anti-Malware mbamscheduler.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C:: 10%
    ````````````````````End of Log``````````````````````
     
  19. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Adobe Reader Update!

    Please download the newest version of Adobe Acrobat Reader from Adobe.com

    Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
    Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
    Search in the list for all previously installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

    Once old versions are gone, please install the newest version.


    Java Update!

    Please download the newest version of Java from Java.com.

    Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
    Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
    Search in the list for all previously installed versions of Java (J2SE Runtime Environment). Please uninstall/remove each of them.

    Once old versions are gone, please install the newest version.

    Read more about Java exploit problems




    Personal Tips on Preventing Malware

    See this page for more info about malware and prevention.

    Any other questions before I mark this topic solved?
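A quick way to confirm that the old Adobe Reader and Java versions from the two steps above are really gone before installing the new ones, as an added example that is not part of the thread or of any tool used in it; it assumes PowerShell 2.0 or later is installed (Windows XP does not ship it) and reads the same Add or Remove Programs entries the Control Panel shows:

```powershell
# Added example (not from the thread): enumerate Add/Remove Programs entries for Java
# and Adobe Reader so leftover old versions can be confirmed gone before installing
# the newest release. Assumes PowerShell 2.0 or later; registry paths are the standard ones.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'   # 64-bit Windows only
)

# Display-name fragments mapped to the product family they belong to.
$productPatterns = @{
    'Java'           = 'Java'
    'J2SE Runtime'   = 'Java'
    'Adobe Reader'   = 'Adobe Reader'
    'Acrobat Reader' = 'Adobe Reader'
}

function Get-RuntimeInstalls {
    foreach ($key in $uninstallKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem $key) {
            $p = Get-ItemProperty -Path $sub.PSPath
            if (-not $p.DisplayName) { continue }
            foreach ($fragment in $productPatterns.Keys) {
                if ($p.DisplayName -like "*$fragment*") {
                    New-Object PSObject -Property @{
                        Product   = $productPatterns[$fragment]
                        Name      = $p.DisplayName
                        Version   = $p.DisplayVersion
                        Uninstall = $p.UninstallString
                    }
                    break
                }
            }
        }
    }
}

$installs = Get-RuntimeInstalls | Sort-Object Product, Name
$installs | Format-Table Product, Name, Version -AutoSize

# The case the helper warns about: several copies of one product side by side,
# because neither installer removes its predecessors.
$installs | Group-Object Product | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    Write-Warning ("{0}: {1} entries still installed ({2})" -f $_.Name, $_.Count,
        (($_.Group | ForEach-Object { $_.Name }) -join '; '))
}
```

Run it again after the Control Panel removals; when it lists at most one entry per product, the new version can be installed without an old copy remaining alongside it.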
     
  20. dblads

    dblads TS Rookie Topic Starter

    Will do...Thanks so much for your help!
     
  21. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Great! And you're welcome. :)
     
Topic Status:
Not open for further replies.

