
eset.com resolves to 127.0.0.1



Hi,

I've got a PC that's been having issues. Last time I had an issue, I was asked to run an online virus scan at www.eset.com; however, I'm now unable to access the site.

ping www.eset.com sends a ping to 127.0.0.1.

I've checked the hosts file and it's empty, so no issue there.

Any idea how I can diagnose this?

Also can't seem to open malwarebytes.

This only seems to happen when one specific user is logged in.

Other users can run the online eset scanner and malwarebytes without any problems.

The computer is on a domain.

Thanks

Dan

Just noticed that I'm unable to get onto the Malwarebytes website too.

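Where the 127.0.0.1 answer actually comes from can be narrowed down before anything is overwritten. The PowerShell script below is an added triage example and is not part of this thread; it assumes PowerShell 2.0 is installed on the XP machine, that www.eset.com is the name under test (the $Name parameter), and that the short list of Microsoft default Winsock provider DLLs in the last step is complete enough for this system. Run it from a prompt opened as the affected account, because the symptom is per-user.

```powershell
# Added triage script, not from the thread. Run as the affected user.
# Assumptions: PowerShell 2.0 on XP; $Name is the site under test.
param([string]$Name = 'www.eset.com')

function Show($label, $value) { Write-Output ('{0,-26} {1}' -f $label, $value) }

# 1. The resolver reads the hosts file from the directory named in DataBasePath,
#    so check the file at *that* path rather than assuming \drivers\etc.
$tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$dbPath = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty $tcpip).DataBasePath)
Show 'DataBasePath' $dbPath
$hostsFile = Join-Path $dbPath 'hosts'
$item = Get-Item -Force -LiteralPath $hostsFile -ErrorAction SilentlyContinue
if ($item) {
    Show 'hosts attributes' $item.Attributes
    Get-Content -Force -LiteralPath $hostsFile |
        Where-Object { $_ -match '^\s*[^#\s]' } |
        ForEach-Object { Show 'hosts entry' $_ }
} else {
    Show 'hosts file' 'MISSING'
}
Get-ChildItem -Force -LiteralPath $dbPath | Where-Object { -not $_.PSIsContainer } |
    ForEach-Object { Show 'file in etc' ('{0} ({1} bytes)' -f $_.Name, $_.Length) }

# 2. Resolver cache: a cached 127.0.0.1 outlives a hosts-file fix until flushed.
if ((ipconfig /displaydns | Out-String) -match [regex]::Escape($Name)) {
    Show 'DNS cache' "has an entry for $Name (ipconfig /flushdns clears it)"
}

# 3. Local resolver (hosts + cache + Winsock providers) versus the DNS server itself:
#    nslookup queries the server directly and ignores the hosts file.
$local = @([System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString })
Show 'GetHostAddresses' ($local -join ', ')
$server = nslookup $Name 2>$null | Select-String 'Address' | Select-Object -Skip 1 |
    ForEach-Object { ($_.ToString() -replace '^.*:\s*', '') }
Show 'nslookup (server)' ($server -join ', ')
if (($local -contains '127.0.0.1') -and -not ($server -contains '127.0.0.1')) {
    Show 'verdict' 'redirect is local to this host/user, not the DNS server'
}

# 4. Per-user proxy / PAC (HKCU): set for one account, it explains a per-user symptom
#    and is what the IE "LAN Settings" step later in the thread clears.
$ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Show 'ProxyEnable'   $ie.ProxyEnable
Show 'ProxyServer'   $ie.ProxyServer
Show 'AutoConfigURL' $ie.AutoConfigURL

# 5. Winsock service providers: a layered provider (LSP) sees every socket call.
#    Anything outside the Microsoft defaults listed here deserves a look (assumed list).
$defaults = 'mswsock\.dll|rsvpsp\.dll|winrnr\.dll|nwprovau\.dll'
netsh winsock show catalog | Select-String 'Provider Path' |
    ForEach-Object { ($_.ToString() -replace '^.*:\s*', '') } | Sort-Object -Unique |
    Where-Object { $_ -notmatch $defaults } |
    ForEach-Object { Show 'non-default provider' $_ }
```

The useful contrast is step 3: nslookup talks to the DNS server directly and ignores both the hosts file and the resolver cache, so if it returns the real address while GetHostAddresses returns 127.0.0.1, the redirect is happening on the host (the hosts file at the real DataBasePath, the cache, a Winsock provider, or a per-user proxy/PAC), which fits a problem that only one account sees.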

Hello Dan,

Is this the same PC as in your previous topic ---> http://forums.malwarebytes.org/index.php?showtopic=110150&hl=&fromsearch=1

Please copy/paste the lines below into Notepad:

@echo on
REM Rewrite the hosts file with only the default localhost entry
REM (attributes are removed so the file can be written, then restored)
pushd %SystemRoot%\system32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
REM Renew the DHCP lease and clear the resolver cache
ipconfig /release
ipconfig /renew
ipconfig /flushdns
REM Reset the Winsock catalog and the TCP/IP stack; on XP the last
REM argument of "netsh int ip reset" is the name of its log file
netsh winsock reset all
netsh int ip reset all
REM Reboot in one second, then delete this batch file
shutdown -r -t 1
del %0

Save as flush.bat to your desktop.

Double-click flush.bat file to run it. Your computer will reboot.

Download DDS and save it to your desktop from one of these links:
http://www.techsupportforum.com/sectools/sUBs/dds
http://download.bleepingcomputer.com/sUBs/dds.scr
http://www.forospyware.com/sUBs/dds

Disable any script blocker if your antivirus/antimalware has it.

Then double click dds.scr to run the tool.

DDS will run in a command prompt window and will take 3 to 4 minutes or so.

  • When done, DDS will open two (2) logs:
  • DDS.txt
  • Attach.txt
  • Save both reports to your desktop.

Please Copy & Paste contents of the following logs in your next reply:

DDS.txt

Attach.txt

Which specific-user-account is having the problem?

Is this your personal computer, or someone else's, a friend's, or is this in an organization or company?


Looks as if TDSSKILLER & Combofix have been used and run very recently. Who's been running them?

Are you getting help elsewhere? and if so, tell me where?

You should never get help from more than 1 forum. IF you are being helped elsewhere, STOP and do not do anything here !!

If you are not being helped elsewhere, then you are self-medicating and need to stop running tools on your own.

The PC owner is apparently very negligent in security maintenance; for example, the Java runtime is severely out of date, hence no surprise as to the problem issues.

Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 2

Set Windows to show all files and all folders.

On your Desktop, double click My Computer; from the menu options, select Tools, then Folder Options, then the View tab, and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

Step 3

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

If you have a prior copy of Combofix, delete it now !

Have infinite patience during the run & scan by Combofix. It has many phases: some 50+ stages

It will display its "stage" within the Command prompt window. Do NOT panic if it seems slow to change! It has lots of work.

You may notice the desktop icons disappear. Do NOT panic, as that is expected behavior.

Combofix may take as little as 10 minutes and perhaps as much as 30-40 minutes. Time taken will depend on the speed of your system, how much there is to scan and how much it needs to clean.

If this is on a notebook system, make sure first the notebook is connected to wall-power (AC power)

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

[screenshots: CF_download_FF.gif, CF_download_rename.gif]

* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

Open notepad and copy/paste the text in the quotebox below into it:

forums.malwarebytes.org/index.php?showtopic=112560
KILLALL::

Suspect::[4]
c:\documents and settings\shaya.seedmanchester.000\local settings\application data\pytmlmix\xflyvmro.exe

File::
c:\documents and settings\shaya.seedmanchester.000\local settings\application data\pytmlmix\xflyvmro.exe

Folder::
c:\documents and settings\shaya.seedmanchester.000\local settings\application data\pytmlmix

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Userinit="c:\windows\system32\userinit.exe,"

Save this as CFScript.txt, in the same location as ComboFix.exe

Close any (all) open browsers.

[screenshot: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe.

When CF finishes running, it pops out with the CF log and this message box:

[screenshot: autosubmit.png]

Clicking OK will begin the auto-upload of the zipped file.

[screenshot: CF_UploadSuccessful.gif]

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Next:

Re-enable the antivirus program.

Now, Logoff and Restart the system fresh.

Download Security Check by screen317 and save it to your Desktop: here or here

  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

If one of your security applications (e.g., a third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.

Copy and paste Checkup.txt in a reply.


I was following the previous topic instructions so thats where ComboFix came from.

I've deleted it now.

In the process of trying to delete the malware, I removed Symantec Endpoint Protection. It was blocking access to the malware files but the malware was causing SEP to repeatedly crash and therefore I was unable to Disable the AV.

After performing the CF steps, I'm still unable to access www.Malwarebytes.org, www.eset.com etc.

Please find the attachments requested.

Thanks for your help.

Dan

Results of screen317's Security Check version 0.99.42

Windows XP Service Pack 3 x86 (UAC is disabled!)

Internet Explorer 8

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

Please wait while WMIC is being installed.

WMI entry may not exist for antivirus; attempting automatic update.

`````````Anti-malware/Other Utilities Check:`````````

Windows Defender

Malwarebytes Anti-Malware version 1.62.0.1300

Java 6 Update 5

Java version out of Date!

Adobe Reader 9 Adobe Reader out of Date!

Mozilla Firefox (for.)

````````Process Check: objlist.exe by Laurent````````

`````````````````System Health check`````````````````

Total Fragmentation on Drive C:: 27% Defragment your hard drive soon!

````````````````````End of Log``````````````````````

ComboFix 12-07-16.01 - Administrator 17/07/2012 10:24:31.2.2 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1687 [GMT 1:00]

Running from: \\MANCHESTERSERVE\Users\Administrator\Desktop\ComboFix.exe

Command switches used :: \\MANCHESTERSERVE\Users\Administrator\Desktop\CFScript.txt

FW: Symantec Endpoint Protection *Enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

.

FILE ::

"c:\documents and settings\shaya.seedmanchester.000\local settings\application data\pytmlmix\xflyvmro.exe"

.

file zipped: c:\documents and settings\shaya.SEEDMANCHESTER.000\Local Settings\Application Data\pytmlmix\xflyvmro.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Administrator.SEEDMANCHESTER\Local Settings\Application Data\awseslek.log

c:\documents and settings\Administrator.SEEDMANCHESTER\Local Settings\Application Data\bwitqshb.log

c:\documents and settings\Administrator.SEEDMANCHESTER\Local Settings\Application Data\dgmbomnp.log

c:\documents and settings\Administrator.SEEDMANCHESTER\Local Settings\Application Data\epjlyeqf.log

c:\documents and settings\Administrator.SEEDMANCHESTER\Local Settings\Application Data\lymuqbib.log

c:\documents and settings\Administrator.SEEDMANCHESTER\Local Settings\Application Data\nrcdbcgr.log

c:\documents and settings\Administrator.SEEDMANCHESTER\Local Settings\Application Data\rgveijmc.log

c:\documents and settings\Administrator.SEEDMANCHESTER\Local Settings\Application Data\ygoqwlak.log

c:\documents and settings\shaya.seedmanchester.000\local settings\application data\pytmlmix

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_MICORSOFT_WINDOWS_SERVICE

.

.

((((((((((((((((((((((((( Files Created from 2012-06-17 to 2012-07-17 )))))))))))))))))))))))))))))))

.

.

2012-07-17 09:37 . 2012-07-17 09:37 -------- d-----w- c:\documents and settings\Administrator.SEEDMANCHESTER\Local Settings\Application Data\pytmlmix

2012-07-17 09:14 . 2012-07-17 09:15 -------- d-----w- c:\program files\ERUNT

2012-07-16 21:07 . 2012-07-16 21:08 -------- d-----w- c:\program files\stinger

2012-07-16 14:01 . 2012-07-16 21:05 -------- d-----w- C:\TDSSKiller_Quarantine

2012-07-16 05:54 . 2001-08-17 21:36 10240 ----a-w- c:\windows\system32\dllcache\swpdflt2.dll

2012-07-16 05:54 . 2001-08-17 21:36 155648 ----a-w- c:\windows\system32\dllcache\stlnprop.dll

2012-07-16 05:52 . 2008-04-13 18:36 6912 ----a-w- c:\windows\system32\dllcache\smbclass.sys

2012-07-16 05:51 . 2001-08-17 21:36 26112 ----a-w- c:\windows\system32\dllcache\EXCH_seos.dll

2012-07-16 05:50 . 2001-08-17 11:12 19017 ----a-w- c:\windows\system32\dllcache\rtl8029.sys

2012-07-16 05:49 . 2008-04-13 18:40 8832 ----a-w- c:\windows\system32\dllcache\powerfil.sys

2012-07-16 05:48 . 2001-08-17 13:05 31872 ----a-w- c:\windows\system32\dllcache\ovce.sys

2012-07-16 05:48 . 2001-08-17 13:05 28032 ----a-w- c:\windows\system32\dllcache\ovcd.sys

2012-07-16 05:48 . 2001-08-17 13:05 48000 ----a-w- c:\windows\system32\dllcache\ovcam2.sys

2012-07-16 05:48 . 2001-08-17 13:05 25088 ----a-w- c:\windows\system32\dllcache\ovca.sys

2012-07-16 05:48 . 2001-08-17 12:28 54186 ----a-w- c:\windows\system32\dllcache\otcsercb.sys

2012-07-16 05:48 . 2001-08-17 11:12 43689 ----a-w- c:\windows\system32\dllcache\otceth5.sys

2012-07-16 05:48 . 2001-08-17 11:12 27209 ----a-w- c:\windows\system32\dllcache\otc06x5.sys

2012-07-16 05:48 . 2001-08-17 11:20 54528 ----a-w- c:\windows\system32\dllcache\opl3sax.sys

2012-07-16 05:48 . 2008-04-13 18:46 61696 ----a-w- c:\windows\system32\dllcache\ohci1394.sys

2012-07-16 05:48 . 2001-08-17 11:50 198144 ----a-w- c:\windows\system32\dllcache\nv3.sys

2012-07-16 05:48 . 2001-08-17 21:36 123776 ----a-w- c:\windows\system32\dllcache\nv3.dll

2012-07-16 05:46 . 2001-08-17 13:56 91488 ----a-w- c:\windows\system32\dllcache\n9i3disp.dll

2012-07-16 05:45 . 2001-08-17 13:00 2944 ----a-w- c:\windows\system32\dllcache\msmpu401.sys

2012-07-16 05:45 . 2008-04-13 18:54 22016 ----a-w- c:\windows\system32\dllcache\msircomm.sys

2012-07-16 05:45 . 2004-08-04 05:00 98304 ----a-w- c:\windows\system32\dllcache\msir3jp.dll

2012-07-16 05:45 . 2001-08-17 13:02 35200 ----a-w- c:\windows\system32\dllcache\msgame.sys

2012-07-16 05:45 . 2001-08-17 12:48 6016 ----a-w- c:\windows\system32\dllcache\msfsio.sys

2012-07-16 05:44 . 2008-04-13 18:46 51200 ----a-w- c:\windows\system32\dllcache\msdv.sys

2012-07-16 05:44 . 2008-04-13 18:46 15232 ----a-w- c:\windows\system32\dllcache\mpe.sys

2012-07-16 05:44 . 2001-08-17 12:57 16128 ----a-w- c:\windows\system32\dllcache\modemcsa.sys

2012-07-16 05:42 . 2001-08-17 11:12 70730 ----a-w- c:\windows\system32\dllcache\lne100tx.sys

2012-07-16 05:41 . 2004-08-04 05:00 59904 ----a-w- c:\windows\system32\dllcache\imkrinst.exe

2012-07-16 05:40 . 2001-08-17 12:28 391199 ----a-w- c:\windows\system32\dllcache\hsf_k56k.sys

2012-07-16 05:39 . 2001-08-17 11:49 320384 ----a-w- c:\windows\system32\dllcache\g200m.sys

2012-07-16 05:38 . 2001-08-17 11:19 174464 ----a-w- c:\windows\system32\dllcache\es198x.sys

2012-07-16 05:37 . 2001-08-17 21:36 6729 ----a-w- c:\windows\system32\dllcache\disrvci.dll

2012-07-16 05:36 . 2001-08-17 13:02 272640 ----a-w- c:\windows\system32\dllcache\cinemclc.sys

2012-07-16 05:35 . 2001-08-17 11:49 75136 ----a-w- c:\windows\system32\dllcache\atimpae.sys

2012-07-16 05:28 . 2012-07-16 21:01 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2012-07-16 05:10 . 2012-07-16 05:10 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-07-15 18:16 . 2012-07-15 18:16 -------- d-----w- c:\program files\ESET

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-07-16 05:10 . 2012-02-21 20:59 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-07-03 12:46 . 2012-02-02 14:01 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-13 13:19 . 2004-08-11 17:00 1866112 ----a-w- c:\windows\system32\win32k.sys

2012-06-05 15:50 . 2007-05-15 15:43 1372672 ----a-w- c:\windows\system32\msxml6.dll

2012-06-05 15:50 . 2004-08-11 17:00 1172480 ----a-w- c:\windows\system32\msxml3.dll

2012-06-04 04:32 . 2004-08-11 17:00 152576 ----a-w- c:\windows\system32\schannel.dll

2012-06-02 14:19 . 2007-04-16 22:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui

2012-06-02 14:19 . 2007-04-16 22:46 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui

2012-06-02 14:19 . 2004-08-11 17:12 329240 ----a-w- c:\windows\system32\wucltui.dll

2012-06-02 14:19 . 2004-08-11 17:12 219160 ----a-w- c:\windows\system32\wuaucpl.cpl

2012-06-02 14:19 . 2004-08-11 17:12 210968 ----a-w- c:\windows\system32\wuweb.dll

2012-06-02 14:19 . 2007-04-16 22:46 15384 ----a-w- c:\windows\system32\wuapi.dll.mui

2012-06-02 14:19 . 2007-04-16 22:45 45080 ----a-w- c:\windows\system32\wups2.dll

2012-06-02 14:19 . 2004-08-11 17:12 53784 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-02 14:19 . 2004-08-11 17:12 35864 ----a-w- c:\windows\system32\wups.dll

2012-06-02 14:19 . 2004-08-11 17:00 97304 ----a-w- c:\windows\system32\cdm.dll

2012-06-02 14:19 . 2007-04-16 22:45 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui

2012-06-02 14:19 . 2004-08-11 17:12 577048 ----a-w- c:\windows\system32\wuapi.dll

2012-06-02 14:19 . 2004-08-11 17:12 1933848 ----a-w- c:\windows\system32\wuaueng.dll

2012-05-31 13:22 . 2004-08-11 17:00 599040 ----a-w- c:\windows\system32\crypt32.dll

2012-05-16 15:08 . 2004-08-11 17:00 916992 ----a-w- c:\windows\system32\wininet.dll

2012-05-11 14:42 . 2004-08-11 17:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2012-05-11 14:42 . 2004-08-11 17:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-05-11 11:38 . 2004-08-11 17:00 385024 ----a-w- c:\windows\system32\html.iec

2012-05-04 13:16 . 2004-08-11 17:00 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-05-04 12:32 . 2004-08-03 22:59 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe

2012-05-02 13:46 . 2004-08-11 17:11 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

.

.

((((((((((((((((((((((((((((( SnapShot@2012-07-16_20.04.25 )))))))))))))))))))))))))))))))))))))))))

.

+ 2012-07-17 01:30 . 2012-07-17 01:30 22016 c:\windows\Installer\fbd1a7.msi

+ 2012-07-17 09:37 . 2012-07-17 09:37 65536 c:\windows\Installer\{5ACE69F0-A3E8-44EB-88C1-0A841E700180}\NewShortcut1.A6CC6977_F7B4_4C0B_9510_BCD847D4BDB2.exe

- 2008-09-09 11:48 . 2008-09-09 11:48 65536 c:\windows\Installer\{5ACE69F0-A3E8-44eb-88C1-0A841E700180}\NewShortcut1.A6CC6977_F7B4_4C0B_9510_BCD847D4BDB2.exe

+ 2012-07-17 09:15 . 2012-07-17 09:15 12288 c:\windows\erdnt\17-07-2012\Users\00000004\UsrClass.dat

+ 2012-07-17 09:15 . 2012-07-17 09:15 12288 c:\windows\erdnt\17-07-2012\Users\00000002\UsrClass.dat

+ 2009-11-11 23:28 . 2009-10-01 09:29 195440 c:\windows\system32\MpSigStub.exe

+ 2012-07-17 09:15 . 2012-07-17 09:15 151552 c:\windows\erdnt\17-07-2012\Users\00000006\UsrClass.dat

+ 2012-07-17 09:15 . 2012-07-17 09:15 241664 c:\windows\erdnt\17-07-2012\Users\00000003\NTUSER.DAT

+ 2012-07-17 09:15 . 2012-07-17 09:15 237568 c:\windows\erdnt\17-07-2012\Users\00000001\NTUSER.DAT

+ 2012-07-17 09:15 . 2005-10-20 11:02 163328 c:\windows\erdnt\17-07-2012\ERDNT.EXE

+ 2012-07-17 09:15 . 2012-07-17 09:15 3440640 c:\windows\erdnt\17-07-2012\Users\00000005\NTUSER.DAT

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7f4290b4-b183-4623-bba2-28f48d9bbd23}]

2011-05-09 09:49 176936 ----a-w- c:\program files\Project_seed\prxtbPro0.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{7f4290b4-b183-4623-bba2-28f48d9bbd23}"= "c:\program files\Project_seed\prxtbPro0.dll" [2011-05-09 176936]

.

[HKEY_CLASSES_ROOT\clsid\{7f4290b4-b183-4623-bba2-28f48d9bbd23}]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{7F4290B4-B183-4623-BBA2-28F48D9BBD23}"= "c:\program files\Project_seed\prxtbPro0.dll" [2011-05-09 176936]

.

[HKEY_CLASSES_ROOT\clsid\{7f4290b4-b183-4623-bba2-28f48d9bbd23}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-13 68856]

"XflYvmro"="c:\documents and settings\Administrator.SEEDMANCHESTER\Local Settings\Application Data\pytmlmix\xflyvmro.exe" [bU]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]

"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]

"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-09-20 132624]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]

"\\PC2\EPSON Stylus D68 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE" [2005-01-25 98304]

"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2008-05-27 53248]

"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-08 198160]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

"Google Updater"="c:\program files\Google\Google Updater\GoogleUpdater.exe" [2011-09-12 161336]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-13 68856]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]

"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-18 2247]

.

c:\documents and settings\ilan\Start Menu\Programs\Startup\

eFax 4.4.lnk - c:\program files\eFax Messenger 4.4\J2GTray.exe [N/A]

Microsoft Office Outlook.lnk - c:\program files\Microsoft Office\Office12\OUTLOOK.EXE [2012-5-3 13006952]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

Printer Status Monitor.lnk - c:\program files\SHARP\Printer Status Monitor\Smon.exe [2011-1-6 180313]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-8-23 967960]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoWelcomeScreen"= 1 (0x1)

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"DisablePersonalDirChange"= 1 (0x1)

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\Administrator.SEEDMANCHESTER\Local Settings\Application Data\pytmlmix\xflyvmro.exe"

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2010-12-14 14:32 87424 ----a-w- c:\windows\system32\LMIinit.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMX Daemon]

2010-04-22 10:55 49152 ----a-w- c:\windows\system32\ico.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SN0XRCV]

2006-10-23 10:11 102400 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\SN0XRCV.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SN52IPRW]

2005-02-15 10:02 135168 ----a-w- c:\windows\system32\SN52SELC.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XflYvmro]

c:\documents and settings\shaya.SEEDMANCHESTER.000\Local Settings\Application Data\pytmlmix\xflyvmro.exe [bU]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"stllssvr"=3 (0x3)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AllAlertsDisabled"=dword:00000001

"TermService"=dword:00000001

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\temp\\HP_WebRelease\\Setup\\HPZnet01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

.

R2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [30/07/2008 06:51 277736]

R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [06/01/2011 16:45 374152]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [24/07/2008 18:46 12856]

R2 QuickBooksDB17;QuickBooksDB17;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB17 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB17 [?]

R2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [21/05/2010 12:27 173352]

R2 TeamViewer7;TeamViewer 7;c:\program files\TeamViewer\Version7\TeamViewer_Service.exe [19/03/2012 12:38 2666880]

R2 XobniService;XobniService;c:\program files\Xobni\XobniService.exe [11/08/2009 23:31 46824]

R3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [20/02/2008 15:08 18432]

R3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [20/02/2008 15:08 14336]

R4 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\ADMINI~1.SEE\LOCALS~1\Temp\ftmgyjnb.sys --> c:\docume~1\ADMINI~1.SEE\LOCALS~1\Temp\ftmgyjnb.sys [?]

S0 00677621;00677621;c:\windows\system32\drivers\68236726.sys --> c:\windows\system32\drivers\68236726.sys [?]

S2 ASFIPmon;Broadcom ASF IP Monitor;"c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe" -service --> c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [08/04/2010 15:30 135664]

S2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" --> c:\program files\Windows Defender\MsMpEng.exe [?]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [16/07/2012 06:10 250056]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [08/04/2010 15:30 135664]

S3 MBAMCatchMe;MBAMCatchMe;c:\program files\Malwarebytes' Anti-Malware\catchme.sys [26/03/2008 11:58 27136]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [16/07/2012 06:28 40776]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - MICORSOFT_WINDOWS_SERVICE

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

.

2012-07-17 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-16 05:10]

.

2012-07-06 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]

.

2012-07-12 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-02-13 13:30]

.

2012-07-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-08 14:30]

.

2012-07-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-08 14:30]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

TCP: DhcpNameServer = 192.168.11.254

FF - ProfilePath - \\Manchesterserve\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\kxdjx1ig.default\

.

- - - - ORPHANS REMOVED - - - -

.

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

HKCU-Run-PC Suite Tray - c:\program files\Nokia\Nokia PC Suite 6\PCSuite.exe

SafeBoot-00677621.sys

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-07-17 10:36

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1918387015-3744224925-1604920466-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,24,fe,f0,cf,ca,89,ea,46,92,30,9d,\

"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,24,fe,f0,cf,ca,89,ea,46,92,30,9d,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,24,fe,f0,cf,ca,89,ea,46,92,30,9d,\

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,24,fe,f0,cf,ca,89,ea,46,92,30,9d,\

"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,24,fe,f0,cf,ca,89,ea,46,92,30,9d,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(664)

c:\windows\system32\LMIinit.dll

c:\program files\LogMeIn\x86\LMIhook.000.dll

c:\windows\system32\wininet.dll

c:\windows\system32\LMIRfsClientNP.dll

.

- - - - - - - > 'lsass.exe'(720)

c:\windows\system32\LMIRfsClientNP.dll

.

- - - - - - - > 'explorer.exe'(5844)

c:\windows\system32\WININET.dll

c:\program files\LogMeIn\x86\LMIhook.000.dll

c:\windows\system32\LMIRfsClientNP.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll

c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll

c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr

c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr

c:\program files\Roxio\Drag-to-Disc\Shellex.dll

c:\windows\system32\DLAAPI_W.DLL

c:\windows\system32\CDRTC.DLL

c:\program files\Roxio\Drag-to-Disc\ShellRes.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\LogMeIn\x86\RaMaint.exe

c:\program files\LogMeIn\x86\LogMeIn.exe

c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe

c:\windows\system32\msiexec.exe

c:\program files\LogMeIn\x86\LogMeIn.exe

c:\program files\TeamViewer\Version7\TeamViewer.exe

c:\windows\system32\wscntfy.exe

c:\program files\TeamViewer\Version7\tv_w32.exe

c:\progra~1\MI3AA1~1\rapimgr.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2012-07-17 10:42:06 - machine was rebooted

ComboFix-quarantined-files.txt 2012-07-17 09:42

ComboFix2.txt 2012-07-16 20:09

.

Pre-Run: 109,024,645,120 bytes free

Post-Run: 106,894,229,504 bytes free

.

- - End Of File - - 8F83AFB3399AAB5FBA40AB97F69828FA

Upload was successful


Reminders: Do NOT use any other topic's "fixes" nor do any changes/additions/tweaks/fixes on your own.

Tools used by other topics do not apply to your case. Please follow my guidance and only do what I outline.

Secondly, do NOT attach the log/reports. Copy and Paste contents into main-body of reply box.

These steps are for journo only. If you are a casual viewer, do NOT try this on your system!

If you are not journo and have a similar problem, do NOT post here; start your own topic

The fixes in this Topic are for this system only! Do not apply the fix-instructions from this topic to any other system!

You will want to print out or copy these instructions to Notepad for Safe offline reference!

Do not do any websurfing on this system. Only go to this forum and the sites I guide you to for tools or online scans.

Please follow my guidance

If you are a casual viewer, do NOT try this on your system!

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

Close any of your open programs while you run these tools.

Step 1

For Internet Explorer settings

do this:

1. Open Internet Explorer.

2. Click "Tools," and then click "Internet Options."

3. Click "Connections," and then click "LAN Settings."

4. Make sure the check boxes for "Automatically detect settings" and "Use automatic configuration script" are not selected.

5. Make sure Proxy servers block is not selected (not checkmarked).

6. Apply changes & OK

Step 2

We Need to Run a Batch Script

We need to make sure the WMI service and the Windows Firewall service are properly set. This batch should execute very quickly.

  1. Press the Windows-key on keyboard.
  2. Then select RUN, type notepad and press Enter.
  3. Highlight the contents of the following codebox, and copy and paste that text into NOTEPAD.
    REM DDS reports the rogue service key as "Micorsoft Windows Service" (R4 line); sc needs the quoted name with spaces,
    REM so try that form as well as the underscore form
    sc delete "Micorsoft Windows Service"
    sc delete MICORSOFT_WINDOWS_SERVICE
    REM The path contains spaces, so it must be quoted or del would look for "c:\documents"
    del /f /q "c:\documents and settings\Administrator.SEEDMANCHESTER\Local Settings\Temp\ftmgyjnb.sys"
    REM Re-enable WMI and the firewall service (mpssvc on Vista and later; the XP firewall service is SharedAccess)
    sc config winmgmt start= auto
    sc start winmgmt
    sc config mpssvc start= auto
    sc start mpssvc
    sc config SharedAccess start= auto
    sc start SharedAccess
    REM Reset the network stack and flush cached DNS answers
    ipconfig /release
    ipconfig /renew
    ipconfig /flushdns
    netsh winsock reset all
    netsh int ip reset all
    REM Remove this batch file once it has run
    del /f /q "%~f0"


  4. Select File -> Save AS.
  5. Press the Desktop button on the left side of the save dialog.
  6. In the File name box, type in Fix.bat.
  7. Press Save.
  8. Close Notepad.
  9. Double click fix.bat on your desktop to start.
  10. A command prompt window will open & run thru very quickly.

Step 3

Download TFC by OldTimer and SAVE it to your desktop

  • Double-click TFC.exe to run it. (Note: If you are running on Vista or Windows 7, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Step 4

Download DDS and save it to your desktop from http://www.techsupportforum.com/sectools/sUBs/dds here or http://download.bleepingcomputer.com/sUBs/dds.scr or

http://www.forospyware.com/sUBs/dds

Disable any script blocker if your antivirus/antimalware has it.

Then double click dds.scr to run the tool.

DDS will run in a command prompt window and will take 3 to 4 minutes or so.

  • When done, DDS will open two (2) logs:
  • DDS.txt
  • Attach.txt
  • Save both reports to your desktop.

Please Copy & Paste contents of the following logs in your next reply:

DDS.txt

Attach.txt


Hi,

Here are the results from the DDS program.

DDS.txt

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Administrator at 23:15:47 on 2012-07-17

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1410 [GMT 1:00]

.

FW: Symantec Endpoint Protection *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

C:\WINDOWS\system32\svchost.exe -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe

C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe

C:\Program Files\Xobni\XobniService.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\userinit.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\TeamViewer\Version7\TeamViewer.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\TeamViewer\Version7\tv_w32.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\SHARP\Printer Status Monitor\Smon.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

mURLSearchHooks: H - No File

mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\documents and settings\administrator.seedmanchester\local settings\application data\pytmlmix\xflyvmro.exe

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll

BHO: Project seed Toolbar: {7f4290b4-b183-4623-bba2-28f48d9bbd23} - c:\program files\project_seed\prxtbPro0.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll

TB: Project seed Toolbar: {7f4290b4-b183-4623-bba2-28f48d9bbd23} - c:\program files\project_seed\prxtbPro0.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [XflYvmro] c:\documents and settings\administrator.seedmanchester\local settings\application data\pytmlmix\xflyvmro.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"

mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"

mRun: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

mRun: [sMSTray] c:\program files\samsung\samsung media studio 5\SMSTray.exe

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [\\PC2\EPSON Stylus D68 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiaae.exe /p29 "\\pc2\EPSON Stylus D68 Series" /O6 "USB001" /M "Stylus D68"

mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /fl:on /fr:on /appData:on /tmcp:on

mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [Google Updater] "c:\program files\google\google updater\GoogleUpdater.exe" -check_deprecation

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe

dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\printe~1.lnk - c:\program files\sharp\printer status monitor\Smon.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe

uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)

mPolicies-explorer: NoWelcomeScreen = 1 (0x1)

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-system: EnableLUA = 0 (0x0)

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll

IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll

IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab

DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} - hxxp://manchesterserve/connectcomputer/nshelp.dll

DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100

TCP: DhcpNameServer = 192.168.11.254

TCP: Interfaces\{BC9C58A2-60A2-4E71-A074-F19F6A930625} : DhcpNameServer = 192.168.11.254

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: LMIinit - LMIinit.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: ShellHook Class: {88485281-8b4b-4f8d-9ede-82e29a064277} - c:\progra~1\markany\conten~1\MACSMA~1.DLL

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - \\Manchesterserve\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\kxdjx1ig.default\

.

============= SERVICES / DRIVERS ===============

.

R2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [2008-7-30 277736]

R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2011-1-6 374152]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-5-18 47640]

R2 QuickBooksDB17;QuickBooksDB17;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb17 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB17 [?]

R2 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-5-21 173352]

R2 TeamViewer7;TeamViewer 7;c:\program files\teamviewer\version7\TeamViewer_Service.exe [2012-3-19 2666880]

R2 XobniService;XobniService;c:\program files\xobni\XobniService.exe [2009-8-11 46824]

R3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [2008-2-20 18432]

R3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [2008-2-20 14336]

R4 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\admini~1.see\locals~1\temp\ftmgyjnb.sys --> c:\docume~1\admini~1.see\locals~1\temp\ftmgyjnb.sys [?]

S0 00677621;00677621;c:\windows\system32\drivers\68236726.sys --> c:\windows\system32\drivers\68236726.sys [?]

S2 ASFIPmon;Broadcom ASF IP Monitor;"c:\program files\broadcom\asfipmon\asfipmon.exe" -service --> c:\program files\broadcom\asfipmon\AsfIpMon.exe [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-8 135664]

S2 WinDefend;Windows Defender;"c:\program files\windows defender\msmpeng.exe" --> c:\program files\windows defender\MsMpEng.exe [?]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-7-16 250056]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-4-8 135664]

S3 MBAMCatchMe;MBAMCatchMe;c:\program files\malwarebytes' anti-malware\catchme.sys [2008-3-26 27136]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-7-16 40776]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-11 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S4 LMIRfsClientNP;LMIRfsClientNP; [x]

.

=============== Created Last 30 ================

.

2012-07-17 09:37:29 -------- d-----w- c:\documents and settings\administrator.seedmanchester\local settings\application data\pytmlmix

2012-07-16 21:07:03 -------- d-----w- c:\program files\stinger

2012-07-16 18:16:21 -------- d-sha-r- C:\cmdcons

2012-07-16 14:03:10 98816 ----a-w- c:\windows\sed.exe

2012-07-16 14:03:10 518144 ----a-w- c:\windows\SWREG.exe

2012-07-16 14:03:10 256000 ----a-w- c:\windows\PEV.exe

2012-07-16 14:03:10 208896 ----a-w- c:\windows\MBR.exe

2012-07-16 14:01:02 -------- d-----w- C:\TDSSKiller_Quarantine

2012-07-16 05:56:59 9216 ----a-w- c:\windows\system32\dllcache\wamps51.dll

2012-07-16 05:55:58 94720 ----a-w- c:\windows\system32\dllcache\umaxud32.dll

2012-07-16 05:54:58 230912 ----a-w- c:\windows\system32\dllcache\tosdvd03.sys

2012-07-16 05:53:57 53248 ----a-w- c:\windows\system32\dllcache\stlncoin.dll

2012-07-16 05:52:59 6912 ----a-w- c:\windows\system32\dllcache\smbclass.sys

2012-07-16 05:51:59 26112 ----a-w- c:\windows\system32\dllcache\EXCH_seos.dll

2012-07-16 05:50:58 19017 ----a-w- c:\windows\system32\dllcache\rtl8029.sys

2012-07-16 05:49:59 8832 ----a-w- c:\windows\system32\dllcache\powerfil.sys

2012-07-16 05:48:58 31872 ----a-w- c:\windows\system32\dllcache\ovce.sys

2012-07-16 05:48:56 28032 ----a-w- c:\windows\system32\dllcache\ovcd.sys

2012-07-16 05:48:53 48000 ----a-w- c:\windows\system32\dllcache\ovcam2.sys

2012-07-16 05:48:51 25088 ----a-w- c:\windows\system32\dllcache\ovca.sys

2012-07-16 05:48:49 54186 ----a-w- c:\windows\system32\dllcache\otcsercb.sys

2012-07-16 05:48:46 43689 ----a-w- c:\windows\system32\dllcache\otceth5.sys

2012-07-16 05:48:43 27209 ----a-w- c:\windows\system32\dllcache\otc06x5.sys

2012-07-16 05:48:38 54528 ----a-w- c:\windows\system32\dllcache\opl3sax.sys

2012-07-16 05:48:29 61696 ----a-w- c:\windows\system32\dllcache\ohci1394.sys

2012-07-16 05:48:11 198144 ----a-w- c:\windows\system32\dllcache\nv3.sys

2012-07-16 05:48:09 123776 ----a-w- c:\windows\system32\dllcache\nv3.dll

2012-07-16 05:46:58 91488 ----a-w- c:\windows\system32\dllcache\n9i3disp.dll

2012-07-16 05:45:41 2944 ----a-w- c:\windows\system32\dllcache\msmpu401.sys

2012-07-16 05:45:36 98304 ----a-w- c:\windows\system32\dllcache\msir3jp.dll

2012-07-16 05:45:36 22016 ----a-w- c:\windows\system32\dllcache\msircomm.sys

2012-07-16 05:45:04 35200 ----a-w- c:\windows\system32\dllcache\msgame.sys

2012-07-16 05:45:00 6016 ----a-w- c:\windows\system32\dllcache\msfsio.sys

2012-07-16 05:44:59 51200 ----a-w- c:\windows\system32\dllcache\msdv.sys

2012-07-16 05:44:20 15232 ----a-w- c:\windows\system32\dllcache\mpe.sys

2012-07-16 05:44:09 16128 ----a-w- c:\windows\system32\dllcache\modemcsa.sys

2012-07-16 05:42:58 70730 ----a-w- c:\windows\system32\dllcache\lne100tx.sys

2012-07-16 05:41:58 59904 ----a-w- c:\windows\system32\dllcache\imkrinst.exe

2012-07-16 05:40:58 391199 ----a-w- c:\windows\system32\dllcache\hsf_k56k.sys

2012-07-16 05:39:59 320384 ----a-w- c:\windows\system32\dllcache\g200m.sys

2012-07-16 05:38:58 174464 ----a-w- c:\windows\system32\dllcache\es198x.sys

2012-07-16 05:37:59 6729 ----a-w- c:\windows\system32\dllcache\disrvci.dll

2012-07-16 05:36:59 272640 ----a-w- c:\windows\system32\dllcache\cinemclc.sys

2012-07-16 05:35:59 75136 ----a-w- c:\windows\system32\dllcache\atimpae.sys

2012-07-16 05:28:47 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2012-07-16 05:10:35 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-07-15 18:16:26 -------- d-----w- c:\program files\ESET

2012-06-26 20:58:04 -------- d-----w- \\Manchesterserve\Users\Administrator\Application Data\ElevatedDiagnostics

.

==================== Find3M ====================

.

2012-07-16 05:10:35 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-07-03 12:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-13 13:19:59 1866112 ----a-w- c:\windows\system32\win32k.sys

2012-06-05 15:50:25 1372672 ----a-w- c:\windows\system32\msxml6.dll

2012-06-05 15:50:25 1172480 ----a-w- c:\windows\system32\msxml3.dll

2012-06-04 04:32:08 152576 ----a-w- c:\windows\system32\schannel.dll

2012-06-02 14:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui

2012-06-02 14:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl

2012-06-02 14:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui

2012-06-02 14:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui

2012-06-02 14:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui

2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll

2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll

2012-05-11 14:42:33 43520 ----a-w- c:\windows\system32\licmgr10.dll

2012-05-11 14:42:33 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-05-11 11:38:02 385024 ----a-w- c:\windows\system32\html.iec

2012-05-04 13:16:13 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-05-04 12:32:19 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe

2012-05-02 13:46:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

.

============= FINISH: 23:17:29.23 ===============

I couldn't copy and paste the attach.txt file because it was too large to post, so I've attached it instead.

Thanks

Dan

Attach.txt

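The DDS report above carries the indicators the next reply acts on: a second executable appended to the Winlogon Userinit value, a startup entry and a disabled service whose images live under a user profile's Local Settings directory, and a service whose name misspells Microsoft. The following triage script is an added example (not from the post or from the DDS tool) that scans DDS-style report lines for exactly those patterns; the suspect-directory list and the edit-distance typosquat check are heuristics assumed for this example, and the sample lines are copied from the log posted above.

```python
"""Flag the hijack indicators a DDS 'Pseudo HJT Report' / 'SERVICES / DRIVERS'
listing can show.  Added example; the heuristics are assumptions, not DDS logic."""
import re
from typing import List, Tuple

# Profile-local directories that a logon hook, startup entry or driver image
# should not be loading from (assumed heuristic list; lower-case, 8.3 form included).
SUSPECT_DIRS = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\locals~1\\temp\\",
)

USERINIT_RE = re.compile(r"^mWinlogon:\s*Userinit=(.*)$", re.IGNORECASE)
RUN_RE = re.compile(r"^([umd]Run(?:Once)?):\s*\[([^\]]*)\]\s*(.*)$")
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")  # state key;display;image


def userinit_entries(value: str) -> List[str]:
    """Split a Userinit value on commas and drop the empty fields (",,")."""
    return [p.strip() for p in value.split(",") if p.strip()]


def in_suspect_dir(path: str) -> bool:
    return any(d in path.lower() for d in SUSPECT_DIRS)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; a transposition such as micorsoft/microsoft costs 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_typosquat(name: str, legit: str = "microsoft") -> bool:
    """True when some word in name is one or two edits away from legit without being it."""
    return any(0 < edit_distance(w, legit) <= 2 for w in re.findall(r"[a-z]+", name.lower()))


def triage(lines) -> List[Tuple[str, str]]:
    """Return (finding-kind, detail) pairs for the DDS lines given."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = USERINIT_RE.match(line)
        if m:
            # Only the system userinit.exe belongs here; anything else runs at every logon.
            for entry in userinit_entries(m.group(1)):
                if not entry.lower().endswith("\\userinit.exe"):
                    findings.append(("userinit-extra", entry))
            continue
        m = RUN_RE.match(line)
        if m and in_suspect_dir(m.group(3)):
            findings.append(("run-from-profile", f"{m.group(1)} [{m.group(2)}]"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            _state, key, display, image = m.groups()
            if in_suspect_dir(image):
                findings.append(("service-from-profile", key))
            if looks_like_typosquat(display):
                findings.append(("service-typosquat", display))
    return findings


# Lines copied from the DDS report posted above (two benign ones included for contrast).
SAMPLE_LINES = [
    r"mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\documents and settings\administrator.seedmanchester\local settings\application data\pytmlmix\xflyvmro.exe",
    r"uRun: [XflYvmro] c:\documents and settings\administrator.seedmanchester\local settings\application data\pytmlmix\xflyvmro.exe",
    r"uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe",
    r"R2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [2008-7-30 277736]",
    r"R4 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\admini~1.see\locals~1\temp\ftmgyjnb.sys --> c:\docume~1\admini~1.see\locals~1\temp\ftmgyjnb.sys [?]",
]

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LINES):
        print(f"{kind:22} {detail}")
```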

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

If you have a prior copy of Combofix, delete it now !

Have infinite patience during the run & scan by Combofix. It has many phases: some 50+ stages

It will display its "stage" within the Command prompt window. Do NOT panic if it seems slow to change! It has lots of work.

You may notice the desktop icons disappear. Do NOT panic, as that is expected behavior.

Combofix may take as little as 10 minutes and perhaps as much as 30-40 minutes. Time taken will depend on the speed of your system, how much there is to scan, and how much it needs to clean.

If this is on a notebook system, make sure first the notebook is connected to wall-power (AC power)

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

Open notepad and copy/paste the text in the quotebox below into it:

forums.malwarebytes.org/index.php?showtopic=112560
KILLALL::

Collect::[4]
c:\documents and settings\shaya.seedmanchester.000\local settings\application data\pytmlmix\xflyvmro.exe

File::
c:\documents and settings\shaya.seedmanchester.000\local settings\application data\pytmlmix\xflyvmro.exe

Folder::
c:\documents and settings\shaya.seedmanchester.000\local settings\application data\pytmlmix

Driver::
Legacy_MICORSOFT_WINDOWS_SERVICE
MICORSOFT_WINDOWS_SERVICE

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="c:\windows\system32\userinit.exe,"

Save this as CFScript.txt, in the same location as ComboFix.exe

Close any (all) open browsers.

Drag CFScript into ComboFix.exe

When CF finishes running, it pops out with the CF log and a message box.

Clicking OK will begin the auto-upload of the zipped file.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Re-Enable your antivirus app.

