journo (Honorary Members), 25 posts
  1. Furthermore, I manually disabled the fake Calculator app prior to running the Malwarebytes scan, only to discover that it somehow re-enabled itself.
  2. Ok, so this is disturbing. I'm getting exactly the same popups from Calculator, Lockapp etc., identified as trojan.fadeb.j by Malwarebytes. But the really disturbing thing is that I'm also using a BLU device! This is a device that I hardly use. It sits on my desk and hosts my old SIM card in case I receive a text. No way I accidentally installed malware, so it's highly worrying that this device/manufacturer may have a security flaw.
  3. Ok, I've disabled Kaspersky but the browsers still don't work. Other programs seem fine, like Outlook. But browsers and the Malwarebytes updater don't work. P.S. I updated Malwarebytes in Safe Mode successfully.
  4. Hi, I think I've got some malware because my browsers are only working in Safe Mode. However, Malwarebytes didn't pick up anything. It's fully updated. How should I proceed? Here are the DDS files. Thanks, Dan
  5. Hi, I'm unable to access some https files and I've noticed that my hosts file keeps being added to. I remove the entries, but they come back a few minutes later. Malwarebytes shows nothing. ESET online scanner shows nothing. Symantec shows nothing. Any ideas? Here are the items from the hosts file if needed.
  6. Thank you. However, since it was taking quite a while to remove, the user decided to wipe the PC and use the Restore Disks. Hopefully that resolves the problem. Thanks for your help with this. Dan
  7. Yes, I ran the script (with both spellings to make sure). Both times it said that the service couldn't be found. The script finished successfully.
  8. Hi, here are the results from the DDS program.
2012-07-17 09:37:29 -------- d-----w- c:\documents and settings\administrator.seedmanchester\local settings\application data\pytmlmix 2012-07-16 21:07:03 -------- d-----w- c:\program files\stinger 2012-07-16 18:16:21 -------- d-sha-r- C:\cmdcons 2012-07-16 14:03:10 98816 ----a-w- c:\windows\sed.exe 2012-07-16 14:03:10 518144 ----a-w- c:\windows\SWREG.exe 2012-07-16 14:03:10 256000 ----a-w- c:\windows\PEV.exe 2012-07-16 14:03:10 208896 ----a-w- c:\windows\MBR.exe 2012-07-16 14:01:02 -------- d-----w- C:\TDSSKiller_Quarantine 2012-07-16 05:56:59 9216 ----a-w- c:\windows\system32\dllcache\wamps51.dll 2012-07-16 05:55:58 94720 ----a-w- c:\windows\system32\dllcache\umaxud32.dll 2012-07-16 05:54:58 230912 ----a-w- c:\windows\system32\dllcache\tosdvd03.sys 2012-07-16 05:53:57 53248 ----a-w- c:\windows\system32\dllcache\stlncoin.dll 2012-07-16 05:52:59 6912 ----a-w- c:\windows\system32\dllcache\smbclass.sys 2012-07-16 05:51:59 26112 ----a-w- c:\windows\system32\dllcache\EXCH_seos.dll 2012-07-16 05:50:58 19017 ----a-w- c:\windows\system32\dllcache\rtl8029.sys 2012-07-16 05:49:59 8832 ----a-w- c:\windows\system32\dllcache\powerfil.sys 2012-07-16 05:48:58 31872 ----a-w- c:\windows\system32\dllcache\ovce.sys 2012-07-16 05:48:56 28032 ----a-w- c:\windows\system32\dllcache\ovcd.sys 2012-07-16 05:48:53 48000 ----a-w- c:\windows\system32\dllcache\ovcam2.sys 2012-07-16 05:48:51 25088 ----a-w- c:\windows\system32\dllcache\ovca.sys 2012-07-16 05:48:49 54186 ----a-w- c:\windows\system32\dllcache\otcsercb.sys 2012-07-16 05:48:46 43689 ----a-w- c:\windows\system32\dllcache\otceth5.sys 2012-07-16 05:48:43 27209 ----a-w- c:\windows\system32\dllcache\otc06x5.sys 2012-07-16 05:48:38 54528 ----a-w- c:\windows\system32\dllcache\opl3sax.sys 2012-07-16 05:48:29 61696 ----a-w- c:\windows\system32\dllcache\ohci1394.sys 2012-07-16 05:48:11 198144 ----a-w- c:\windows\system32\dllcache\nv3.sys 2012-07-16 05:48:09 123776 ----a-w- c:\windows\system32\dllcache\nv3.dll 2012-07-16 05:46:58 91488 ----a-w- 
c:\windows\system32\dllcache\n9i3disp.dll 2012-07-16 05:45:41 2944 ----a-w- c:\windows\system32\dllcache\msmpu401.sys 2012-07-16 05:45:36 98304 ----a-w- c:\windows\system32\dllcache\msir3jp.dll 2012-07-16 05:45:36 22016 ----a-w- c:\windows\system32\dllcache\msircomm.sys 2012-07-16 05:45:04 35200 ----a-w- c:\windows\system32\dllcache\msgame.sys 2012-07-16 05:45:00 6016 ----a-w- c:\windows\system32\dllcache\msfsio.sys 2012-07-16 05:44:59 51200 ----a-w- c:\windows\system32\dllcache\msdv.sys 2012-07-16 05:44:20 15232 ----a-w- c:\windows\system32\dllcache\mpe.sys 2012-07-16 05:44:09 16128 ----a-w- c:\windows\system32\dllcache\modemcsa.sys 2012-07-16 05:42:58 70730 ----a-w- c:\windows\system32\dllcache\lne100tx.sys 2012-07-16 05:41:58 59904 ----a-w- c:\windows\system32\dllcache\imkrinst.exe 2012-07-16 05:40:58 391199 ----a-w- c:\windows\system32\dllcache\hsf_k56k.sys 2012-07-16 05:39:59 320384 ----a-w- c:\windows\system32\dllcache\g200m.sys 2012-07-16 05:38:58 174464 ----a-w- c:\windows\system32\dllcache\es198x.sys 2012-07-16 05:37:59 6729 ----a-w- c:\windows\system32\dllcache\disrvci.dll 2012-07-16 05:36:59 272640 ----a-w- c:\windows\system32\dllcache\cinemclc.sys 2012-07-16 05:35:59 75136 ----a-w- c:\windows\system32\dllcache\atimpae.sys 2012-07-16 05:28:47 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2012-07-16 05:10:35 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe 2012-07-15 18:16:26 -------- d-----w- c:\program files\ESET 2012-06-26 20:58:04 -------- d-----w- \\Manchesterserve\Users\Administrator\Application Data\ElevatedDiagnostics . ==================== Find3M ==================== . 
I couldn't copy and paste the attach.txt file because it was too large to post, so I've attached it instead. Thanks Dan Attach.txt
  9. Hi Maurice, Is this a typo? sc delete MICORSOFT_WINDOWS_SERVICE Thanks Dan
  10. I was following the previous topic instructions, so that's where ComboFix came from. I've deleted it now. In the process of trying to delete the malware, I removed Symantec Endpoint Protection. It was blocking access to the malware files, but the malware was causing SEP to repeatedly crash and therefore I was unable to disable the AV. After performing the CF steps, I'm still unable to access www.Malwarebytes.org, www.eset.com etc. Please find the attachments requested. Thanks for your help. Dan
  11. Correction. It's happening to all users on the computer.
  12. Hi, Thanks. I ran the flush.bat file but still can't access Malwarebytes and other security sites. Please find the attached DDS results. It's a friend's PC. It's part of a domain. His login is called DOMAIN/shaya Thanks Dan Attach.txt DDS (2).txt
  13. Post Merged We look for posts with 0 replies, so when you reply to your own topic, we assume you were being helped. Please be patient, someone will assist you as soon as possible. Hi, I've got a PC that's been having issues. Last time I had an issue, I was asked to run an online virus scan at www.eset.com; however, I'm now unable to access the site. ping www.eset.com sends a ping to 127.0.0.1. I've checked the hosts file and it's empty, so no issue there. Any idea how I can diagnose this? Also can't seem to open Malwarebytes. This only seems to happen when one specific user is logged in. Other users can run the online ESET scanner and Malwarebytes without any problems. The computer is on a domain. Thanks Dan Just noticed that I'm unable to get onto the Malwarebytes website too.
  14. Thanks for all your hard work. Hopefully after the reinstall, all will be fine! I'll be sure to run a scan disk to check it for errors.
  15. Hi, I just wanted to update you that the user was using it today, installed Google Drive, which asked him to perform a reboot. Then there were a series of messages that mentioned the words 'deleting files' and indexes. Then the PC stopped booting and continuously showed the blue screen, even in safe mode and last known good config. Running Recuva on it to rescue the data, then I'll reinstall Windows. Not sure what the cause was. Could it have been the viruses? Thanks Dan