
trojans, sirefef, small, rootkit.0access



New here, so forgive me if this is incorrect. I recently had some virus issues. I run MSE, but it had been disabled; once I got it back up, the system started shutting down every minute. After light research I restored to a previous date and was able to get Malwarebytes on, ran it, and it found some threats. I cleaned them with MB, but they still re-gen.

logs attached

Attach.txt

DDS.txt

mbam-log-2012-06-18 (13-36-16).txt

mbam-log-2012-06-18 (16-23-15).txt


Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system (don't run any other options, they're not all bad!)

Post back the report.

MrC


OK, run RogueKiller again and click Scan

When the scan completes > click on the Processes tab

Put a check next to all of these and uncheck the rest:

¤¤¤ Bad processes: 1 ¤¤¤

[sUSP PATH] syshost.exe -- C:\Users\PBSLLaptop8\AppData\Local\{07FD7DE2-21C0-74E1-29D4-B26E08B4A542}\syshost.exe -> KILLED [TermProc]

Now click Delete on the right hand column.

Repeat the process for these:

Click on the Registry > put a check next to these and uncheck the rest:

¤¤¤ Registry Entries: 5 ¤¤¤

[sUSP PATH] HKCU\[...]\Run : syshost32 (C:\Users\PBSLLaptop8\AppData\Local\{07FD7DE2-21C0-74E1-29D4-B26E08B4A542}\syshost.exe) -> FOUND

[sUSP PATH] HKUS\S-1-5-21-34789903-4041923258-2902432038-1000[...]\Run : syshost32 (C:\Users\PBSLLaptop8\AppData\Local\{07FD7DE2-21C0-74E1-29D4-B26E08B4A542}\syshost.exe) -> FOUND

Click on Delete

-----------------------------------------------

Next......

Please make sure system restore is running and create a new restore point before continuing.

XP <===> Vista & W7

XP users > please back up the registry using ERUNT.

-----------------------------------------

Please download and run TDSSKiller to your desktop as outlined below:

Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.


-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.


------------------------

Click the Start Scan button.


-----------------------

If a suspicious object is detected, the default action will be Skip; click on Continue.

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose delete.


----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.


--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip; click on Continue.

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose delete.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC


That scan was clean. Please do this:

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review. (Post It!)

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix, please reboot the computer; this should resolve the problem. You may have to do this several times if needed.

MrC


OK, thanks for your prompt and helpful replies on this. It's appreciated.

Log below from ComboFix:

ComboFix 12-06-19.03 - PBSLLaptop8 20/06/2012 7:35.1.4 - x86

Microsoft Windows 7 Professional 6.1.7601.1.1252.2.1033.18.3241.2174 [GMT -4:00]

Running from: c:\users\PBSLLaptop8\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}

SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\Install.exe

c:\users\PBSLLA~1\AppData\Local\Temp\{FBAFD646-00BF-44C6-A92F-70E6C4B4DD2F}\fpb.tmp

c:\users\PBSLLaptop8\AppData\Local\{4b7be691-b268-e7b2-db99-7940a39a8df9}\@

c:\users\PBSLLaptop8\AppData\Local\{4b7be691-b268-e7b2-db99-7940a39a8df9}\n

c:\users\PBSLLaptop8\AppData\Local\Temp\{FBAFD646-00BF-44C6-A92F-70E6C4B4DD2F}\fpb.tmp

c:\users\PBSLLaptop8\AppData\Local\uztigowwm.exe

c:\windows\Installer\{4b7be691-b268-e7b2-db99-7940a39a8df9}\@

c:\windows\Installer\{4b7be691-b268-e7b2-db99-7940a39a8df9}\U\00000001.@

c:\windows\Installer\{4b7be691-b268-e7b2-db99-7940a39a8df9}\U\80000000.@

c:\windows\Installer\{4b7be691-b268-e7b2-db99-7940a39a8df9}\U\800000cb.@

c:\windows\system32\drivers\npf.sys

c:\windows\system32\instsrv.exe

.

Infected copy of c:\windows\system32\services.exe was found and disinfected

Restored copy from - c:\32788r22fwjfw\HarddiskVolumeShadowCopy9_!Windows!System32!services.exe

.

.

((((((((((((((((((((((((( Files Created from 2012-05-20 to 2012-06-20 )))))))))))))))))))))))))))))))

.

.

2012-06-20 11:40 . 2012-06-20 11:41 -------- d-----w- c:\users\PBSLLaptop8\AppData\Local\temp

2012-06-20 11:40 . 2012-06-20 11:40 -------- d-----w- c:\users\Guest\AppData\Local\temp

2012-06-20 11:40 . 2012-06-20 11:40 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-06-18 17:36 . 2012-05-15 01:05 2343936 ----a-w- c:\windows\system32\win32k.sys

2012-06-18 17:36 . 2012-04-28 03:17 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-06-18 17:36 . 2012-04-07 11:26 2342400 ----a-w- c:\windows\system32\msi.dll

2012-06-18 17:36 . 2012-04-26 04:45 58880 ----a-w- c:\windows\system32\rdpwsx.dll

2012-06-18 17:36 . 2012-04-26 04:45 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll

2012-06-18 17:36 . 2012-04-26 04:41 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe

2012-06-18 17:36 . 2012-05-01 04:44 164352 ----a-w- c:\windows\system32\profsvc.dll

2012-06-18 17:36 . 2012-04-24 04:36 140288 ----a-w- c:\windows\system32\cryptsvc.dll

2012-06-18 17:36 . 2012-04-24 04:36 1158656 ----a-w- c:\windows\system32\crypt32.dll

2012-06-18 17:36 . 2012-04-24 04:36 103936 ----a-w- c:\windows\system32\cryptnet.dll

2012-06-18 17:34 . 2012-06-18 17:34 -------- d-----w- c:\users\PBSLLaptop8\AppData\Roaming\Malwarebytes

2012-06-18 17:34 . 2012-06-18 17:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-06-18 17:34 . 2012-06-18 17:34 -------- d-----w- c:\programdata\Malwarebytes

2012-06-18 17:34 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-17 22:32 . 2012-06-18 21:30 -------- d-sh--w- c:\windows\system32\%APPDATA%

2012-06-17 21:22 . 2012-06-18 21:30 -------- d-----w- c:\users\PBSLLaptop8\AppData\Local\{07FD7DE2-21C0-74E1-29D4-B26E08B4A542}

2012-06-17 12:49 . 2012-05-08 16:40 6737808 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5BFC5903-4B89-4D1C-80EA-4378CFDDE435}\mpengine.dll

2012-06-16 10:43 . 2012-05-08 16:40 6737808 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2012-06-12 22:41 . 2012-02-11 10:44 713784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6209A929-BB0E-4E0E-9447-EDB82AC1FE58}\gapaengine.dll

2012-06-03 15:28 . 2012-06-03 16:01 -------- d-----w- c:\users\PBSLLaptop8\AppData\Roaming\SmartDraw

2012-06-03 15:27 . 2012-06-03 15:28 -------- d-----w- c:\program files\SmartDraw 2012

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-06-17 22:30 . 2012-03-28 23:53 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-06-17 22:30 . 2011-11-17 02:17 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-03-31 04:39 . 2012-05-09 22:29 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe

2012-03-31 04:39 . 2012-05-09 22:29 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-03-30 10:23 . 2012-05-09 22:29 1291632 ----a-w- c:\windows\system32\drivers\tcpip.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]

@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"

[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]

2011-05-27 23:38 120184 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]

@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"

[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]

2011-05-27 23:38 120184 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\DellTPad\Apoint.exe" [2011-07-20 505720]

"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2011-01-25 536668]

"Broadcom Wireless Manager UI"="c:\program files\Dell\DW WLAN Card\WLTRAY.exe" [2011-01-18 5955072]

"FreeFallProtection"="c:\program files\STMicroelectronics\AccelerometerP11\FF_Protection.exe" [2011-07-25 686704]

"DFEPApplication"="c:\program files\Dell\Feature Enhancement Pack\DFEPApplication.exe" [2011-08-24 6306712]

"TdmNotify"="c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmNotify.exe" [2011-05-27 214384]

"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2010-03-12 462993]

"RemoteControl9"="c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe" [2010-10-01 87336]

"PDVD9LanguageShortcut"="c:\program files\CyberLink\PowerDVD9\Language\Language.exe" [2010-09-18 50472]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [2010-11-25 240112]

"Desktop Disc Tool"="c:\program files\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [2010-11-17 514544]

"ToolboxFX"="c:\program files\HP\ToolboxFX\bin\HPTLBXFX.exe" [2010-10-25 58936]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-06-28 142616]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-06-28 177432]

"Persistence"="c:\windows\system32\igfxpers.exe" [2011-06-28 176408]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]

"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-09-01 90448]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]

.

c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Smart Settings.lnk - c:\program files\Dell\Feature Enhancement Pack\SmartSettings.exe [2011-8-24 494488]

.

c:\users\PBSLLaptop8\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]

Smart Settings.lnk - c:\program files\Dell\Feature Enhancement Pack\SmartSettings.exe [2011-8-24 494488]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2011-11-16 50688]

.

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Smart Settings.lnk - c:\program files\Dell\Feature Enhancement Pack\SmartSettings.exe [2011-8-24 494488]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

"DisableCAD"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\spba]

2010-09-15 17:11 1971536 ----a-w- c:\program files\Common Files\SPBA\homefus2.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

Authentication Packages REG_MULTI_SZ msv1_0 wvauth

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

2;2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]

R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-12-03 2656280]

R3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\Drivers\CtAudDrv.sys [2009-05-28 134144]

R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]

R3 HPFXBULKLEDM;HPFXBULKLEDM;c:\windows\system32\drivers\hppcbulkio.sys [2010-10-03 20504]

R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-02-27 132480]

R3 libusb0;libusb-win32 - Kernel Driver, Version 1.2.4.0;c:\windows\system32\drivers\libusb0.sys [2011-12-20 21504]

R3 netvsc;netvsc;c:\windows\system32\DRIVERS\netvsc60.sys [2010-11-20 126464]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 74112]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 214952]

R3 O2MDFRDR;O2MDFRDR;c:\windows\system32\drivers\O2MDFw7.sys [2011-01-04 60904]

R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]

R3 SynthVid;SynthVid;c:\windows\system32\DRIVERS\VMBusVideoM.sys [2010-11-20 19456]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-11-25 1343400]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]

S0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdcfltn.sys [2011-07-16 17904]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]

S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\aestsrv.exe [2009-03-03 81920]

S2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [2010-05-10 1803584]

S2 BrcmMgmtAgent;Broadcom Management Agent;c:\program files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe [2010-06-29 127488]

S2 DFEPService;Dell Feature Enhancement Pack Service;c:\program files\Dell\Feature Enhancement Pack\DFEPService.exe [2011-08-24 1568664]

S2 HP LaserJet Service;HP LaserJet Service;c:\program files\HP\HPLaserJetService\HPLaserJetService.exe [2010-10-25 145920]

S2 jhi_service;Intel® Identity Protection Technology Host Interface Service;c:\program files\Intel\Services\IPT\jhi_service.exe [2011-02-24 212944]

S2 O2SDIOAssist;O2SDIOAssist;c:\windows\system32\srvany.exe [2003-04-19 8192]

S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2009-02-03 427192]

S2 Wave Authentication Manager Service;Wave Authentication Manager Service;c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe [2011-07-01 1131520]

S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\accelern.sys [2011-07-22 44144]

S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2009-09-16 144576]

S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-15 269824]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-04-04 22344]

S3 MEI;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [2010-10-20 41088]

S3 O2MDRRDR;O2MDRRDR;c:\windows\system32\DRIVERS\O2MDRw7.sys [2011-01-04 62440]

S3 O2SDJRDR;O2SDJRDR;c:\windows\system32\DRIVERS\o2sdjw7.sys [2011-03-23 63976]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

.

2012-06-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-34789903-4041923258-2902432038-1000Core.job

- c:\users\PBSLLaptop8\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-14 16:48]

.

2012-06-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-34789903-4041923258-2902432038-1000UA.job

- c:\users\PBSLLaptop8\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-14 16:48]

.

2012-06-20 c:\windows\Tasks\SDMsgUpdate (TE).job

- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2012-06-03 18:22]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.ca/

uInternet Settings,ProxyOverride = *.local

Trusted Zone: patene.com\vpn

TCP: DhcpNameServer = 192.168.0.1

DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://vpn.patene.com/CACHE/stc/1/binaries/vpnweb.cab

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

SafeBoot-MsMpSvc

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'lsass.exe'(568)

c:\windows\system32\wvauth.DLL

.

- - - - - - - > 'Explorer.exe'(5048)

c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\IDT\WDM\STacSV.exe

c:\program files\Common Files\SPBA\upeksvr.exe

c:\program files\Dell\DW WLAN Card\WLTRYSVC.EXE

c:\windows\system32\WLANExt.exe

c:\windows\system32\conhost.exe

c:\program files\Dell\DW WLAN Card\bcmwltry.exe

c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\DRIVERS\o2flash.exe

c:\windows\system32\SDIOAssist.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\windows\system32\taskhost.exe

c:\windows\system32\conhost.exe

c:\windows\system32\wbem\unsecapp.exe

c:\windows\system32\DllHost.exe

c:\program files\Intel\Intel® Management Engine Components\LMS\LMS.exe

c:\windows\system32\sppsvc.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\program files\Common Files\Java\Java Update\jusched.exe

.

**************************************************************************

.

Completion time: 2012-06-20 07:43:44 - machine was rebooted

ComboFix-quarantined-files.txt 2012-06-20 11:43

.

Pre-Run: 214,120,140,800 bytes free

Post-Run: 214,746,390,528 bytes free

.

- - End Of File - - 3D1CDF4853FEFFC201E688F9FED21A30

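The RogueKiller findings and the ComboFix "Other Deletions" above show the persistence pattern this infection used: a Run value named syshost32 pointing at an .exe in a {GUID} folder under AppData\Local, {GUID} folders under AppData\Local and Windows\Installer holding files named "@", "n" and "U\*.@", and a hidden folder literally named %APPDATA% inside System32. The following read-only check is an added example, not something posted in this thread or part of any of the tools mentioned; it only reports matching artifacts and deletes nothing, and the function name Find-ZeroAccessArtifacts is my own.

```powershell
# Added example: report ZeroAccess/Sirefef-style persistence artifacts of the
# kind shown in the RogueKiller and ComboFix output above. Read-only.
function Find-ZeroAccessArtifacts {
    $findings = New-Object System.Collections.Generic.List[string]
    $guidDir  = '^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$'
    # Provider metadata that Get-ItemProperty adds to every key; not real Run values.
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    # 1. Run values whose target is an .exe inside a {GUID} folder under
    #    %LOCALAPPDATA% (the log showed syshost32 -> ...\AppData\Local\{GUID}\syshost.exe).
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }
            $value = [string]$p.Value
            if ($value -match '\\AppData\\Local\\\{[0-9a-f-]{36}\}\\[^\\]+\.exe') {
                $findings.Add("Run value '$($p.Name)' in $key -> $value")
            }
        }
    }

    # 2. {GUID} folders under %LOCALAPPDATA% and %SystemRoot%\Installer that hold
    #    the '@' and 'n' files or a 'U' subfolder of *.@ files (ComboFix's deletions).
    $roots = @($env:LOCALAPPDATA, (Join-Path $env:SystemRoot 'Installer'))
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Directory -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $guidDir } |
            ForEach-Object {
                $dir = $_.FullName
                $markers = @(@('@', 'n') | Where-Object { Test-Path -LiteralPath (Join-Path $dir $_) })
                $uDir = Join-Path $dir 'U'
                $uFiles = @()
                if (Test-Path -LiteralPath $uDir) {
                    $uFiles = @(Get-ChildItem -Path $uDir -Filter '*.@' -Force -ErrorAction SilentlyContinue |
                                ForEach-Object { Join-Path 'U' $_.Name })
                }
                if ($markers.Count -gt 0 -or $uFiles.Count -gt 0) {
                    $findings.Add("GUID folder $dir holds: $(($markers + $uFiles) -join ', ')")
                }
            }
    }

    # 3. A hidden folder literally named '%APPDATA%' inside System32, as listed
    #    in the ComboFix 'Files Created' section with attributes d-sh--w-.
    $fakeAppData = Join-Path $env:SystemRoot 'System32\%APPDATA%'
    if (Test-Path -LiteralPath $fakeAppData) {
        $findings.Add("Hidden folder present: $fakeAppData")
    }

    return $findings
}

$results = Find-ZeroAccessArtifacts
if ($results.Count -eq 0) {
    Write-Output 'No ZeroAccess-style persistence artifacts found.'
} else {
    Write-Output "Found $($results.Count) indicator(s):"
    $results | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated PowerShell prompt so the Installer folder and HKLM Run key are readable; any hit is a reason to run the removal tools described in the thread, not a verdict on its own.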

Showing clean. Log:

Malwarebytes Anti-Malware (Trial) 1.61.0.1400

www.malwarebytes.org

Database version: v2012.06.20.07

Windows 7 Service Pack 1 x86 NTFS

Internet Explorer 9.0.8112.16421

PBSLLaptop8 :: DWTLAPTOP [administrator]

Protection: Enabled

20/06/2012 7:06:54 PM

mbam-log-2012-06-20 (19-06-54).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 227348

Time elapsed: 2 minute(s), 29 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


Not getting the popups saying malware detected and quarantined Trojan.Small etc. However, on a full scan there are items in a quarantine folder; should 'remove selected' be done on these?

Malwarebytes Anti-Malware (Trial) 1.61.0.1400

www.malwarebytes.org

Database version: v2012.06.20.07

Windows 7 Service Pack 1 x86 NTFS

Internet Explorer 9.0.8112.16421

PBSLLaptop8 :: DWTLAPTOP [administrator]

Protection: Enabled

20/06/2012 8:24:10 PM

mbam-log-2012-06-20 (21-00-56).txt

Scan type: Full scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 335961

Time elapsed: 30 minute(s), 35 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 6

C:\Qoobox\Quarantine\C\Users\PBSLLaptop8\AppData\Local\uztigowwm.exe.vir (Trojan.Agent.P3Xgen) -> No action taken.

C:\Qoobox\Quarantine\C\Users\PBSLLaptop8\AppData\Local\{4b7be691-b268-e7b2-db99-7940a39a8df9}\n.vir (Trojan.Dropper.PE4) -> No action taken.

C:\Qoobox\Quarantine\C\Windows\Installer\{4b7be691-b268-e7b2-db99-7940a39a8df9}\U\00000001.@.vir (Trojan.Small) -> No action taken.

C:\Qoobox\Quarantine\C\Windows\Installer\{4b7be691-b268-e7b2-db99-7940a39a8df9}\U\80000000.@.vir (Trojan.Sirefef) -> No action taken.

C:\Qoobox\Quarantine\C\Windows\Installer\{4b7be691-b268-e7b2-db99-7940a39a8df9}\U\800000cb.@.vir (Rootkit.0Access) -> No action taken.

C:\Users\PBSLLaptop8\Desktop\RK_Quarantine\uztigowwm.exe.vir (Trojan.Agent.P3Xgen) -> No action taken.

(end)


No, they're all in "Quarantine".

If everything is OK, a little cleanup to do.

Important!!

Please delete your copy of ComboFix and download a fresh one to your desktop.

Now......

Please Uninstall ComboFix:

Press the Windows logo key + R to bring up the "run box"

Copy and paste the next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

---------------------------------

Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

-----------------------------------

Any questions, please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
