Jump to content

Google Redirect Trojan.BHO


joeyangel

Recommended Posts

Hello, I am having the same Google redirect issue described in other topics here regarding the Trojan.BHO. I am running Windows 7 and using IE9 as well as Firefox, and have experienced redirect issues with both browsers.

MBAM detects and removes the appropriate registry key (fsharproj) but, when I run either MBAM flash scan or quick scan, the Trojan.BHO reappears within seconds along with an identical registry key to the one which was deleted previously.

As well, a hidden .tmp file (frqksodobw) consistently reappears on my desktop during this, despite repeated deletions.

After reading the other Trojan.BHO-related topics here, I attempted the fix recommended by moderator LDTate using a combination of the ATF Cleaner, GooredFix and TDSSKiller. This failed to detecet the Trojan.BHO, which then reappeared immedaitely when I ran a MBAM flash scan or quick scan.

In addition, after restaring my PC this morning, I am now receiving a "No such interface supported" when I try to access any of my files, vua shortcut or directly.

Finally, after reviewing one Google redirecting thread, I downloaded the ComboFix application and ran it after the user's example in that thread.

After this, MBAM flash scan or quick scan have not detected the Trojan.BHO. The hidden .tmp file (frqksodobw) still appears on my desktop; is this actually related to the Trojan.BHO?

I have not tried a Google search to see whether the Trojan.BHO reappears; should I try this?

Finally, I am still experiencing the "No such interface supported"; is this related to the ATF Cleaner/GooredFix/TDSSKiller operations I undertook? If so, is there a fix I can attempt to rectify this?

I will be happy to attach log files if that will help; thank you in advance for any clarification you may be able to provide.

Link to post
Share on other sites

  • Replies 102
  • Created
  • Last Reply

Top Posters In This Topic

post-32477-1261866970.gif

Logs will be closed if you haven't replied within 3 days

Please do not attach the scan results from Combofx. Use copy/paste.

DO NOT use any TOOLS such as Combofix, or HijackThis fixes without supervision.

Doing so could make your pc inoperatible and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable. (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

Please run a new combofix scan and post the resuts.

Link to post
Share on other sites

Hello, LDTate, thank you for your assistance. I am including the ComboFix results below.

Since I originally posted this thread, I have partially resolved some of the issues (NSIS) but am unable to resolve others.

As well, my AV (Symantec Endpoint Protection) seems to be unable to complete a full scan; I don't know whether this is a result of latent TrojanBHO elements.

Please let me know if there are any additional details I can provide to assist you in helping me - thank you once again.

ComboFix 11-09-20.04 - caparo 09/23/2011 10:27:14.2.2 - x64

Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.3054.1622 [GMT -4:00]

Running from: c:\users\caparo\Desktop\ComboFix.exe

AV: Symantec Endpoint Protection *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}

SP: Symantec Endpoint Protection *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\caparo\AppData\Local\Mozilla\MozillaUpdate\Mozillaupdt32.dll

c:\users\caparo\Taskmgr.exe

c:\users\caparodesktop\EULA.txt

c:\windows\SysWow64\comct332.ocx

c:\windows\Temp\tmp3.tmp

.

.

((((((((((((((((((((((((( Files Created from 2011-08-23 to 2011-09-23 )))))))))))))))))))))))))))))))

.

.

2011-09-23 14:44 . 2011-09-23 14:44 -------- d-----w- c:\users\UNC Support\AppData\Local\temp

2011-09-23 14:44 . 2011-09-23 14:44 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-09-20 18:19 . 2011-08-16 12:48 8862544 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{6813238C-071B-4706-A014-49A9DAEDC4B6}\mpengine.dll

2011-09-20 17:20 . 2011-09-20 17:20 -------- d-----w- c:\windows\desktop

2011-09-20 17:20 . 2011-09-23 14:43 -------- d-----w- c:\users\caparodesktop

2011-09-19 01:30 . 2011-09-19 01:30 97792 ----a-w- c:\windows\SysWow64\srrstr.dll

2011-09-07 19:49 . 2011-09-07 22:43 -------- d-----w- c:\users\caparo\AppData\Roaming\IrfanView

2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\nppdf32.dll

2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll

2011-08-30 03:55 . 2011-08-30 03:55 -------- d-----w- c:\users\caparo\AppData\Roaming\Garmin

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-08-31 21:00 . 2010-10-30 16:49 25416 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-18 22:12 . 2011-05-17 03:43 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2011-07-22 05:42 . 2011-08-10 06:20 2303488 ----a-w- c:\windows\system32\jscript9.dll

2011-07-22 05:36 . 2011-08-10 06:20 1389056 ----a-w- c:\windows\system32\wininet.dll

2011-07-22 05:32 . 2011-08-10 06:20 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2011-07-22 02:54 . 2011-08-10 06:20 1797632 ----a-w- c:\windows\SysWow64\jscript9.dll

2011-07-22 02:48 . 2011-08-10 06:20 1126912 ----a-w- c:\windows\SysWow64\wininet.dll

2011-07-22 02:44 . 2011-08-10 06:20 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb

2011-07-16 05:41 . 2011-08-10 06:18 362496 ----a-w- c:\windows\system32\wow64win.dll

2011-07-16 05:41 . 2011-08-10 06:18 243200 ----a-w- c:\windows\system32\wow64.dll

2011-07-16 05:41 . 2011-08-10 06:18 13312 ----a-w- c:\windows\system32\wow64cpu.dll

2011-07-16 05:39 . 2011-08-10 06:18 16384 ----a-w- c:\windows\system32\ntvdm64.dll

2011-07-16 05:37 . 2011-08-10 06:18 421888 ----a-w- c:\windows\system32\KernelBase.dll

2011-07-16 05:21 . 2011-08-10 06:18 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 4096 ---ha-w- c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 4096 ---ha-w- c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3584 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\system32\api-ms-win-core-string-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 4608 ---ha-w- c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3584 ---ha-w- c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3584 ---ha-w- c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3584 ---ha-w- c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3584 ---ha-w- c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3584 ---ha-w- c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\system32\api-ms-win-core-io-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 5120 ---ha-w- c:\windows\system32\api-ms-win-core-file-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3584 ---ha-w- c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\system32\api-ms-win-core-console-l1-1-0.dll

2011-07-16 04:29 . 2011-08-10 06:18 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll

2011-07-16 04:26 . 2011-08-10 06:18 44032 ----a-w- c:\windows\apppatch\acwow64.dll

2011-07-16 04:25 . 2011-08-10 06:18 25600 ----a-w- c:\windows\SysWow64\setup16.exe

2011-07-16 04:24 . 2011-08-10 06:18 5120 ----a-w- c:\windows\SysWow64\wow32.dll

2011-07-16 04:24 . 2011-08-10 06:18 272384 ----a-w- c:\windows\SysWow64\KernelBase.dll

2011-07-16 04:15 . 2011-08-10 06:18 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-synch-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-string-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 5120 ---ha-w- c:\windows\SysWow64\api-ms-win-core-file-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 4608 ---ha-w- c:\windows\SysWow64\api-ms-win-core-processthreads-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-misc-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-localregistry-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-rtlsupport-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-profile-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-delayload-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-processenvironment-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-memory-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-libraryloader-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-interlocked-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-heap-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-io-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-handle-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-fibers-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-errorhandling-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-debug-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-datetime-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-namedpipe-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-localization-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-console-l1-1-0.dll

2011-07-16 02:21 . 2011-08-10 06:18 7680 ----a-w- c:\windows\SysWow64\instnm.exe

2011-07-16 02:21 . 2011-08-10 06:18 2048 ----a-w- c:\windows\SysWow64\user.exe

2011-07-16 02:17 . 2011-08-10 06:18 4608 ---ha-w- c:\windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll

2011-07-16 02:17 . 2011-08-10 06:18 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll

2011-07-16 02:17 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-util-l1-1-0.dll

2011-07-16 02:17 . 2011-08-10 06:18 6144 ---ha-w- c:\windows\SysWow64\api-ms-win-security-base-l1-1-0.dll

2011-07-09 05:26 . 2011-08-24 13:06 2048 ----a-w- c:\windows\system32\tzres.dll

2011-07-09 04:29 . 2011-08-24 13:06 2048 ----a-w- c:\windows\SysWow64\tzres.dll

2011-07-09 02:46 . 2011-08-10 06:18 288768 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys

.

.

((((((((((((((((((((((((((((( SnapShot@2011-09-20_20.21.24 )))))))))))))))))))))))))))))))))))))))))

.

- 2009-07-14 04:54 . 2011-09-20 13:28 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

+ 2009-07-14 04:54 . 2011-09-23 13:51 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

+ 2009-07-14 04:54 . 2011-09-23 13:51 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

- 2009-07-14 04:54 . 2011-09-20 13:28 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

+ 2009-07-14 04:54 . 2011-09-23 13:51 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

- 2009-07-14 04:54 . 2011-09-20 13:28 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

+ 2010-01-07 02:43 . 2011-09-23 05:38 44996 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin

+ 2009-07-14 05:10 . 2011-09-23 05:38 51474 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin

+ 2010-10-29 19:18 . 2011-09-23 05:38 13768 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1967798008-3269264677-1605733285-1001_UserData.bin

- 2011-08-31 00:50 . 2011-08-30 20:42 67584 c:\windows\system32\LogFiles\Srt\bootstat.dat

+ 2011-08-31 00:50 . 2011-09-22 20:18 67584 c:\windows\system32\LogFiles\Srt\bootstat.dat

- 2010-07-26 16:14 . 2011-09-20 20:14 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

+ 2010-07-26 16:14 . 2011-09-23 05:34 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

- 2010-07-26 16:14 . 2011-09-20 20:14 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

+ 2010-07-26 16:14 . 2011-09-23 05:34 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

- 2009-07-14 04:54 . 2011-09-20 20:14 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

+ 2009-07-14 04:54 . 2011-09-23 05:34 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

+ 2009-07-14 04:46 . 2011-09-23 01:28 84568 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat

- 2010-07-26 17:53 . 2011-09-16 03:16 34144 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\oisicon.exe

+ 2010-07-26 17:53 . 2011-09-23 13:44 34144 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\oisicon.exe

- 2010-07-26 17:53 . 2011-09-16 03:16 42848 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\msouc.exe

+ 2010-07-26 17:53 . 2011-09-23 13:44 42848 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\msouc.exe

- 2010-07-26 17:53 . 2011-09-16 03:16 19296 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\cagicon.exe

+ 2010-07-26 17:53 . 2011-09-23 13:44 19296 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\cagicon.exe

- 2011-09-20 19:40 . 2011-09-20 19:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

+ 2011-09-23 05:34 . 2011-09-23 05:34 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

- 2011-09-20 19:40 . 2011-09-20 19:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

+ 2011-09-23 05:34 . 2011-09-23 05:34 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

+ 2011-03-20 09:49 . 2011-09-21 19:13 263572 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_FastS4.bin

+ 2009-07-14 05:01 . 2011-09-23 05:32 494676 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat

- 2009-07-14 05:01 . 2011-09-20 19:37 494676 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat

+ 2010-07-26 17:53 . 2011-09-23 13:44 415584 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\pubs.exe

- 2010-07-26 17:53 . 2011-09-16 03:16 415584 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\pubs.exe

+ 2010-07-26 17:53 . 2011-09-23 13:44 303456 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\outicon.exe

- 2010-07-26 17:53 . 2011-09-16 03:16 303456 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\outicon.exe

+ 2010-07-26 17:53 . 2011-09-23 13:44 571232 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\misc.exe

- 2010-07-26 17:53 . 2011-09-16 03:16 571232 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\misc.exe

+ 2010-07-26 17:53 . 2011-09-23 13:44 326496 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\joticon.exe

- 2010-07-26 17:53 . 2011-09-16 03:16 326496 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\joticon.exe

+ 2010-07-26 17:53 . 2011-09-23 13:44 469856 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\inficon.exe

- 2010-07-26 17:53 . 2011-09-16 03:16 469856 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\inficon.exe

+ 2010-07-26 17:53 . 2011-09-23 13:44 178528 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\grvicons.exe

- 2010-07-26 17:53 . 2011-09-16 03:16 178528 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\grvicons.exe

+ 2011-09-20 20:38 . 2011-09-23 14:22 4145152 c:\windows\Temporary Internet Files\Content.IE5\index.dat

+ 2011-08-26 15:26 . 2011-09-23 05:32 2625264 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat

- 2011-08-26 15:26 . 2011-09-20 19:38 2625264 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat

+ 2011-04-29 05:26 . 2011-09-23 03:53 9221816 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1967798008-3269264677-1605733285-1001-12288.dat

- 2010-07-26 17:53 . 2011-09-16 03:16 1479520 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\xlicons.exe

+ 2010-07-26 17:53 . 2011-09-23 13:44 1479520 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\xlicons.exe

- 2010-07-26 17:53 . 2011-09-16 03:16 1858400 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\wordicon.exe

+ 2010-07-26 17:53 . 2011-09-23 13:44 1858400 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\wordicon.exe

+ 2010-07-26 17:53 . 2011-09-23 13:44 3792736 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\pptico.exe

- 2010-07-26 17:53 . 2011-09-16 03:16 3792736 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\pptico.exe

- 2010-07-26 17:53 . 2011-09-16 03:16 1449312 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\accicons.exe

+ 2010-07-26 17:53 . 2011-09-23 13:44 1449312 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\accicons.exe

+ 2011-03-09 06:40 . 2011-09-23 05:32 12429248 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1967798008-3269264677-1605733285-1001-8192.dat

- 2011-04-26 18:04 . 2011-09-20 19:38 24852460 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1967798008-3269264677-1605733285-1001-4096.dat

+ 2011-04-26 18:04 . 2011-09-23 05:32 24852460 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1967798008-3269264677-1605733285-1001-4096.dat

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"PWMTRV"="c:\progra~2\ThinkPad\UTILIT~1\PWMTR64V.DLL" [2010-08-25 1129832]

"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]

"ccApp"="c:\program files (x86)\Common Files\Symantec Shared\ccApp.exe" [2011-02-14 115560]

"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]

"SoundMAXPnP"="c:\program files (x86)\Analog Devices\Core\smax4pnp.exe" [2009-05-18 1314816]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"RestrictWelcomeCenter"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"mixer1"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

R2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2010-04-07 45496]

R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]

R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\Drivers\nx6000.sys [x]

R3 PCDSRVC{127174DC-C366ED8B-06020101}_0;PCDSRVC{127174DC-C366ED8B-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor\pcdsrvc_x64.pkms [2010-12-13 25072]

R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE [2010-08-25 75112]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]

R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]

R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]

R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]

R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]

R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]

R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

R4 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R4 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R4 DozeSvc;Lenovo Doze Mode Service;c:\program files (x86)\ThinkPad\Utilities\DZSVC64.EXE [2010-08-25 164200]

R4 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-29 136176]

R4 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-29 136176]

R4 RoxMediaDB10;RoxMediaDB10;c:\program files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2009-08-05 1124848]

S0 DzHDD64;DzHDD64;c:\windows\System32\DRIVERS\DzHDD64.sys [x]

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]

S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM64.sys [x]

S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiifx64.sys [x]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]

S2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\LENOVO\VIRTSCRL\lvvsst.exe [2010-04-07 93032]

S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]

S2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [2009-07-20 4908576]

S2 smihlp2;SMI Helper Driver (smihlp2);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [2009-03-13 13840]

S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2010-04-07 63928]

S3 CAXHWAZL;CAXHWAZL;c:\windows\system32\DRIVERS\CAXHWAZL.sys [x]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-07-27 136824]

S3 LenovoRd;LenovoRd;c:\windows\system32\Drivers\LenovoRd.sys [x]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]

S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]

S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [x]

.

.

Contents of the 'Scheduled Tasks' folder

.

2011-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-29 20:58]

.

2011-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-29 20:58]

.

2011-09-07 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job

- c:\program files\PC-Doctor\uaclauncher.exe [2010-12-13 21:55]

.

2011-09-22 c:\windows\Tasks\SystemToolsDailyTest.job

- c:\program files\PC-Doctor\pcdrcui.exe [2010-12-13 21:55]

.

.

--------- x86-64 -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TpShocks"="TpShocks.exe" [2010-07-01 380776]

"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2010-07-27 69560]

"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [bU]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-05 16336488]

"LENOVO.TPFNF6R"="c:\program files\Lenovo\HOTKEY\TPFNF6R.exe" [2009-08-20 62752]

"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2009-10-19 5894968]

"nwiz"="nwiz.exe" [2009-08-27 1712672]

"Logitech Download Assistant"="c:\windows\system32\rundll32.exe" [2009-07-14 45568]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://webmail.earthlink.net/wam/index.jsp?x=1045303802

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyServer = http=127.0.0.1:60646

uInternet Settings,ProxyOverride = <local>

Trusted Zone: earthlink.net\webmail

Trusted Zone: yougov.com\today

TCP: DhcpNameServer = 207.69.188.186 207.69.188.187

TCP: Interfaces\{10D4270F-F0E7-4997-90C0-A0ACD10F54AF}\478656028696A7A797: DhcpNameServer = 207.69.188.186 207.69.188.187

TCP: Interfaces\{10D4270F-F0E7-4997-90C0-A0ACD10F54AF}\55E434D213: DhcpNameServer = 152.19.240.8 152.2.253.100

TCP: Interfaces\{10D4270F-F0E7-4997-90C0-A0ACD10F54AF}\55E434D2355636572756: DhcpNameServer = 152.19.240.8 152.2.253.100

TCP: Interfaces\{10D4270F-F0E7-4997-90C0-A0ACD10F54AF}\D41484D41484: DhcpNameServer = 192.168.0.1

DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/3.0.1.0/GarminAxControl.CAB

FF - ProfilePath - c:\users\caparo\AppData\Roaming\Mozilla\Firefox\Profiles\dwv589ee.default\

FF - prefs.js: browser.search.selectedEngine - Bing

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: keyword.URL - hxxp://www.google.com/webhp?ie=UTF-8&oe=UTF-8

FF - prefs.js: network.proxy.gopher - 127.0.0.1

FF - prefs.js: network.proxy.gopher_port - 60646

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 60646

FF - prefs.js: network.proxy.type - 0

.

- - - - ORPHANS REMOVED - - - -

.

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

.

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{127174DC-C366ED8B-06020101}_0]

"ImagePath"="\??\c:\program files\pc-doctor\pcdsrvc_x64.pkms"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1967798008-3269264677-1605733285-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*j*p*g* \OpenWithList]

@Class="Shell"

"a"="mspaint.exe"

"MRUList"="a"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10v_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10v_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.10"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2011-09-23 10:51:33

ComboFix-quarantined-files.txt 2011-09-23 14:51

ComboFix2.txt 2011-09-20 20:25

.

Pre-Run: 42,324,815,872 bytes free

Post-Run: 42,041,741,312 bytes free

.

- - End Of File - - 9D3332FC9A024654150A37A48F1EAD68

Link to post
Share on other sites

Did you setup these proxy ports?

uInternet Settings,ProxyServer = http=127.0.0.1:60646

FF - prefs.js: network.proxy.gopher - 127.0.0.1

FF - prefs.js: network.proxy.gopher_port - 60646

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 60646

FF - prefs.js: network.proxy.type - 0

Link to post
Share on other sites

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:60646

FireFox::
FF - ProfilePath - c:\users\caparo\AppData\Roaming\Mozilla\Firefox\Profiles\dwv589ee.default\
FF - prefs.js: network.proxy.gopher - 127.0.0.1
FF - prefs.js: network.proxy.gopher_port - 60646
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 60646
FF - prefs.js: network.proxy.type - 0

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;

2.Click Save As... Change the directory to your desktop;

3.Change the Save as type to "All Files";

4.Type in the file name: CFScript

5.Click Save ...

CFScriptB-4.gif

Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.

Link to post
Share on other sites

Hello, LDTate, thank you once again for your assistance; the most recent ComboFix results are included below.

After running ComboFix again, I was unable to access any of my regular applications or functions; I restarted in safe mode with networking to send this. Hopefully this was the appropriate action.

ComboFix 11-09-20.04 - caparo 09/23/2011 12:05:18.3.2 - x64

Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.3054.1840 [GMT -4:00]

Running from: c:\users\caparo\Desktop\ComboFix.exe

Command switches used :: c:\users\caparo\Desktop\CFScript.txt

AV: Symantec Endpoint Protection *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}

SP: Symantec Endpoint Protection *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((( Files Created from 2011-08-23 to 2011-09-23 )))))))))))))))))))))))))))))))

.

.

2011-09-23 16:14 . 2011-09-23 16:14 -------- d-----w- c:\users\UNC Support\AppData\Local\temp

2011-09-23 16:14 . 2011-09-23 16:14 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-09-20 18:19 . 2011-08-16 12:48 8862544 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{6813238C-071B-4706-A014-49A9DAEDC4B6}\mpengine.dll

2011-09-20 17:20 . 2011-09-20 17:20 -------- d-----w- c:\windows\desktop

2011-09-20 17:20 . 2011-09-23 14:43 -------- d-----w- c:\users\caparodesktop

2011-09-19 01:30 . 2011-09-19 01:30 97792 ----a-w- c:\windows\SysWow64\srrstr.dll

2011-09-07 19:49 . 2011-09-07 22:43 -------- d-----w- c:\users\caparo\AppData\Roaming\IrfanView

2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\nppdf32.dll

2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll

2011-08-30 03:55 . 2011-08-30 03:55 -------- d-----w- c:\users\caparo\AppData\Roaming\Garmin

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-08-31 21:00 . 2010-10-30 16:49 25416 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-18 22:12 . 2011-05-17 03:43 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2011-07-22 05:42 . 2011-08-10 06:20 2303488 ----a-w- c:\windows\system32\jscript9.dll

2011-07-22 05:36 . 2011-08-10 06:20 1389056 ----a-w- c:\windows\system32\wininet.dll

2011-07-22 05:32 . 2011-08-10 06:20 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2011-07-22 02:54 . 2011-08-10 06:20 1797632 ----a-w- c:\windows\SysWow64\jscript9.dll

2011-07-22 02:48 . 2011-08-10 06:20 1126912 ----a-w- c:\windows\SysWow64\wininet.dll

2011-07-22 02:44 . 2011-08-10 06:20 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb

2011-07-16 05:41 . 2011-08-10 06:18 362496 ----a-w- c:\windows\system32\wow64win.dll

2011-07-16 05:41 . 2011-08-10 06:18 243200 ----a-w- c:\windows\system32\wow64.dll

2011-07-16 05:41 . 2011-08-10 06:18 13312 ----a-w- c:\windows\system32\wow64cpu.dll

2011-07-16 05:39 . 2011-08-10 06:18 16384 ----a-w- c:\windows\system32\ntvdm64.dll

2011-07-16 05:37 . 2011-08-10 06:18 421888 ----a-w- c:\windows\system32\KernelBase.dll

2011-07-16 05:21 . 2011-08-10 06:18 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 4096 ---ha-w- c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 4096 ---ha-w- c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3584 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\system32\api-ms-win-core-string-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 4608 ---ha-w- c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3584 ---ha-w- c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3584 ---ha-w- c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3584 ---ha-w- c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3584 ---ha-w- c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3584 ---ha-w- c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\system32\api-ms-win-core-io-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 5120 ---ha-w- c:\windows\system32\api-ms-win-core-file-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3584 ---ha-w- c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\system32\api-ms-win-core-console-l1-1-0.dll

2011-07-16 04:29 . 2011-08-10 06:18 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll

2011-07-16 04:26 . 2011-08-10 06:18 44032 ----a-w- c:\windows\apppatch\acwow64.dll

2011-07-16 04:25 . 2011-08-10 06:18 25600 ----a-w- c:\windows\SysWow64\setup16.exe

2011-07-16 04:24 . 2011-08-10 06:18 5120 ----a-w- c:\windows\SysWow64\wow32.dll

2011-07-16 04:24 . 2011-08-10 06:18 272384 ----a-w- c:\windows\SysWow64\KernelBase.dll

2011-07-16 04:15 . 2011-08-10 06:18 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-synch-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-string-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 5120 ---ha-w- c:\windows\SysWow64\api-ms-win-core-file-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 4608 ---ha-w- c:\windows\SysWow64\api-ms-win-core-processthreads-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-misc-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-localregistry-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-rtlsupport-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-profile-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-delayload-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-processenvironment-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-memory-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-libraryloader-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-interlocked-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-heap-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-io-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-handle-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-fibers-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-errorhandling-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-debug-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-datetime-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-namedpipe-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-localization-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-console-l1-1-0.dll

2011-07-16 02:21 . 2011-08-10 06:18 7680 ----a-w- c:\windows\SysWow64\instnm.exe

2011-07-16 02:21 . 2011-08-10 06:18 2048 ----a-w- c:\windows\SysWow64\user.exe

2011-07-16 02:17 . 2011-08-10 06:18 4608 ---ha-w- c:\windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll

2011-07-16 02:17 . 2011-08-10 06:18 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll

2011-07-16 02:17 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-util-l1-1-0.dll

2011-07-16 02:17 . 2011-08-10 06:18 6144 ---ha-w- c:\windows\SysWow64\api-ms-win-security-base-l1-1-0.dll

2011-07-09 05:26 . 2011-08-24 13:06 2048 ----a-w- c:\windows\system32\tzres.dll

2011-07-09 04:29 . 2011-08-24 13:06 2048 ----a-w- c:\windows\SysWow64\tzres.dll

2011-07-09 02:46 . 2011-08-10 06:18 288768 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys

.

.

((((((((((((((((((((((((((((( SnapShot_2011-09-23_14.45.28 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-01-07 02:43 . 2011-09-23 16:20 45262 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin

- 2009-07-14 05:10 . 2011-09-23 05:38 51474 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin

+ 2009-07-14 05:10 . 2011-09-23 16:20 51474 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin

+ 2010-10-29 19:18 . 2011-09-23 16:20 13910 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1967798008-3269264677-1605733285-1001_UserData.bin

+ 2010-07-26 16:14 . 2011-09-23 16:17 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

- 2010-07-26 16:14 . 2011-09-23 05:34 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

+ 2010-07-26 16:14 . 2011-09-23 16:17 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

- 2010-07-26 16:14 . 2011-09-23 05:34 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

- 2009-07-14 04:54 . 2011-09-23 05:34 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

+ 2009-07-14 04:54 . 2011-09-23 16:17 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

- 2010-11-11 16:26 . 2011-09-19 04:38 3444 c:\windows\system32\wdi\ERCQueuedResolutions.dat

+ 2010-11-11 16:26 . 2011-09-23 16:14 3444 c:\windows\system32\wdi\ERCQueuedResolutions.dat

- 2011-09-23 05:34 . 2011-09-23 05:34 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

+ 2011-09-23 16:16 . 2011-09-23 16:16 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

- 2011-09-23 05:34 . 2011-09-23 05:34 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

+ 2011-09-23 16:16 . 2011-09-23 16:16 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

+ 2009-07-14 05:01 . 2011-09-23 16:14 494676 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat

- 2009-07-14 05:01 . 2011-09-23 05:32 494676 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat

+ 2011-09-20 20:38 . 2011-09-23 16:02 4145152 c:\windows\Temporary Internet Files\Content.IE5\index.dat

- 2011-09-20 20:38 . 2011-09-23 14:22 4145152 c:\windows\Temporary Internet Files\Content.IE5\index.dat

+ 2011-08-26 15:26 . 2011-09-23 16:14 2625264 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat

- 2011-08-26 15:26 . 2011-09-23 05:32 2625264 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat

+ 2011-04-29 05:26 . 2011-09-23 16:14 9668756 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1967798008-3269264677-1605733285-1001-12288.dat

+ 2011-03-09 06:40 . 2011-09-23 14:59 12558860 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1967798008-3269264677-1605733285-1001-8192.dat

+ 2011-04-26 18:04 . 2011-09-23 14:59 24864300 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1967798008-3269264677-1605733285-1001-4096.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"PWMTRV"="c:\progra~2\ThinkPad\UTILIT~1\PWMTR64V.DLL" [2010-08-25 1129832]

"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]

"ccApp"="c:\program files (x86)\Common Files\Symantec Shared\ccApp.exe" [2011-02-14 115560]

"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]

"SoundMAXPnP"="c:\program files (x86)\Analog Devices\Core\smax4pnp.exe" [2009-05-18 1314816]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"RestrictWelcomeCenter"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"mixer1"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2010-04-07 45496]

R3 DozeSvc;Lenovo Doze Mode Service;c:\program files (x86)\ThinkPad\Utilities\DZSVC64.EXE [2010-08-25 164200]

R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]

R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\Drivers\nx6000.sys [x]

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]

R3 PCDSRVC{127174DC-C366ED8B-06020101}_0;PCDSRVC{127174DC-C366ED8B-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor\pcdsrvc_x64.pkms [2010-12-13 25072]

R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE [2010-08-25 75112]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]

R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]

R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]

R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]

R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]

R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

R4 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-29 136176]

R4 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-29 136176]

R4 RoxMediaDB10;RoxMediaDB10;c:\program files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2009-08-05 1124848]

S0 DzHDD64;DzHDD64;c:\windows\System32\DRIVERS\DzHDD64.sys [x]

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]

S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM64.sys [x]

S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiifx64.sys [x]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]

S2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\LENOVO\VIRTSCRL\lvvsst.exe [2010-04-07 93032]

S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]

S2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [2009-07-20 4908576]

S2 smihlp2;SMI Helper Driver (smihlp2);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [2009-03-13 13840]

S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2010-04-07 63928]

S3 CAXHWAZL;CAXHWAZL;c:\windows\system32\DRIVERS\CAXHWAZL.sys [x]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-07-27 136824]

S3 LenovoRd;LenovoRd;c:\windows\system32\Drivers\LenovoRd.sys [x]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]

S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [x]

S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]

.

.

Contents of the 'Scheduled Tasks' folder

.

2011-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-29 20:58]

.

2011-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-29 20:58]

.

2011-09-07 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job

- c:\program files\PC-Doctor\uaclauncher.exe [2010-12-13 21:55]

.

2011-09-22 c:\windows\Tasks\SystemToolsDailyTest.job

- c:\program files\PC-Doctor\pcdrcui.exe [2010-12-13 21:55]

.

.

--------- x86-64 -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TpShocks"="TpShocks.exe" [2010-07-01 380776]

"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2010-07-27 69560]

"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [bU]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-05 16336488]

"LENOVO.TPFNF6R"="c:\program files\Lenovo\HOTKEY\TPFNF6R.exe" [2009-08-20 62752]

"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2009-10-19 5894968]

"nwiz"="nwiz.exe" [2009-08-27 1712672]

"Logitech Download Assistant"="c:\windows\system32\rundll32.exe" [2009-07-14 45568]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://webmail.earthlink.net/wam/index.jsp?x=1045303802

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyServer = http=127.0.0.1:60646

uInternet Settings,ProxyOverride = <local>

Trusted Zone: earthlink.net\webmail

Trusted Zone: yougov.com\today

TCP: DhcpNameServer = 207.69.188.186 207.69.188.187

TCP: Interfaces\{10D4270F-F0E7-4997-90C0-A0ACD10F54AF}\478656028696A7A797: DhcpNameServer = 207.69.188.186 207.69.188.187

TCP: Interfaces\{10D4270F-F0E7-4997-90C0-A0ACD10F54AF}\55E434D213: DhcpNameServer = 152.19.240.8 152.2.253.100

TCP: Interfaces\{10D4270F-F0E7-4997-90C0-A0ACD10F54AF}\55E434D2355636572756: DhcpNameServer = 152.19.240.8 152.2.253.100

TCP: Interfaces\{10D4270F-F0E7-4997-90C0-A0ACD10F54AF}\D41484D41484: DhcpNameServer = 192.168.0.1

DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/3.0.1.0/GarminAxControl.CAB

FF - ProfilePath - c:\users\caparo\AppData\Roaming\Mozilla\Firefox\Profiles\dwv589ee.default\

FF - prefs.js: browser.search.selectedEngine - Bing

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: keyword.URL - hxxp://www.google.com/webhp?ie=UTF-8&oe=UTF-8

FF - prefs.js: network.proxy.gopher - 127.0.0.1

FF - prefs.js: network.proxy.gopher_port - 60646

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 60646

FF - prefs.js: network.proxy.type - 0

.

- - - - ORPHANS REMOVED - - - -

.

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

.

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{127174DC-C366ED8B-06020101}_0]

"ImagePath"="\??\c:\program files\pc-doctor\pcdsrvc_x64.pkms"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1967798008-3269264677-1605733285-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*j*p*g* \OpenWithList]

@Class="Shell"

"a"="mspaint.exe"

"MRUList"="a"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10v_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10v_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.10"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Common Files\Symantec Shared\ccSvcHst.exe

c:\program files (x86)\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe

c:\program files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe

c:\program files (x86)\Lenovo\Client Security Solution\tvttcsd.exe

c:\progra~1\LENOVO\VIRTSCRL\virtscrl.exe

c:\program files (x86)\Lenovo\System Update\SUService.exe

c:\program files (x86)\Common Files\Lenovo\tvt_reg_monitor_svc.exe

.

**************************************************************************

.

Completion time: 2011-09-23 12:25:29 - machine was rebooted

ComboFix-quarantined-files.txt 2011-09-23 16:25

ComboFix2.txt 2011-09-23 14:51

ComboFix3.txt 2011-09-20 20:25

.

Pre-Run: 42,237,509,632 bytes free

Post-Run: 42,217,832,448 bytes free

.

- - End Of File - - 655D0999E53944F28CAA2F74478845C7

Link to post
Share on other sites

Thank you; everything generally seems to be working, but I am still unable to utilize the full functionality of my folder items (all of which are .exe?).

Despite re-setting the overall folder options to open in the same window, all folders open in new windows. I am aware that this is a registry issue, as well; initially, I received an NSIS error message until I opened a command prompt and used regSvr32 to register actxprxy.dll. I attempted to register shdocvw.dll but received another error message ("the module shdocvw.dll was loaded but the DllRegisterServer entry point was not found").

Is this the result of an earlier running of TDKKiller (after which this issue appeared) or is it another vestige of the TrojanBHO?

Also - and I hesitate ask this - is it unsafe to reinstall Google toolbar?

Link to post
Share on other sites

1. Use the System File Checker tool (SFC.exe) to determine which file is causing the issue, and then replace the file. To do this, follow these steps:

Open an elevated command prompt. To do this, click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. If you are prompted for an administrator password or for a confirmation, type the password, or click Allow.

2. Type the following command, and then press ENTER:

sfc /scannow <--Note the space, it needs to be there

The sfc /scannow command scans all protected system files and replaces incorrect versions with correct Microsoft versions.

Link to post
Share on other sites

Thank you for the insight regarding SFC; I'll try that presently.

The OS was pre-installed, I'm afraid.

As an afterthought, I noted that - in other threads regarding this issue - you've recommended uninstalling ComboFix after everything is again secure. Is this simply because of the potentially hazardous nature of the app, or are there other considerations I should take into account?

Thank you once again for your invaluable assistance.

Link to post
Share on other sites

As an afterthought, I noted that - in other threads regarding this issue - you've recommended uninstalling ComboFix after everything is again secure. Is this simply because of the potentially hazardous nature of the app, or are there other considerations I should take into account?
Yes. Once CF is no longer needed it is best to uninstall it.

Your issues might have been caused by an infection and I'm hoping sfc will repair it.

Link to post
Share on other sites

Thanks; I'm afraid that SFC didn't rectify the issues ("Windows Resource Protection did not find any integrity violations").

I note also that saved file locations are no longer following their original defaults, seeming rather to be random locations which were recently accessed.

Is this part of the same issue?

Link to post
Share on other sites

Thanks for your help with this; I appreciate it whenever you're able to offer it.

I haven't noticed any other issues beyond those described above (folder commands ignored, default save locations inconsistent).

If you come up with anything you feel I should review, please don't hesitate to direct me toward any potential conflicts I might not otherwise take note of.

Thanks once again - have a great evening.

Link to post
Share on other sites

Sorry, I was mistaken in this; the files did download, albeit not to the specified location (they appeared in My Pictures rather than on the Desktop).

I ran MicrosoftFixit.WinSecurity and attempted to run MicrosoftFixit-portable; the former came up with one anti-phishing recommendation, while the latter seemed to tall before opening entirely.

Is there a specific aspect of the FixIt suite that you feel would be most applicable to my situation?

Thanks as always.

Link to post
Share on other sites

Thank you; I succeeded after several attempts to download the file (the system seems to want to rename the file using the names of the other FixIt downloads I attempted, as well as saving it to unassigned locations).

FixIt detected the folder issues I noted and applied a 'successful fix'; however, the issues remain unchanged.

Is there a secondary remedy I might try?

Link to post
Share on other sites

http://windows.microsoft.com/en-us/windows7/What-are-the-system-recovery-options-in-Windows-7

System Restore Win7

System Restore

Restores your computer's system files to an earlier point in time without affecting your files, such as e-mail, documents, or photos.

If you use System Restore from the System Recovery Options menu, you cannot undo the restore operation. However, you can run System Restore again and choose a different restore point, if one exists.

If your computer has a single operating system installed, press and hold the F8 key as your computer restarts. You need to press F8 before the Windows logo appears. If the Windows logo appears, you need to try again by waiting until the Windows logon prompt appears, and then shutting down and restarting your computer.

On the Advanced Boot Options screen, use the arrow keys to highlight Repair your computer, and then press Enter. (If Repair your computer isn't listed as an option, then your computer doesn't include preinstalled recovery options, or your network administrator has turned them off.)

Select a keyboard layout, and then click Next.

On the System Recovery Options menu, click a tool to open it.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.