Help with FBI lockout screen virus, please

pjoseph

Member
Yesterday I got that screen looking for money to unlock my computer. I was able to reboot into safe mode and run Malwarebytes, which removed some things.

It worked well for the rest of the day, and now this morning it came back. How do I get rid of this thing?!


I keep noticing a pop-up at the bottom from Malwarebytes saying
"successfully blocked access to a potentially malicious website: 95.211.194.79
Type: Outgoing
Port:60277, Process:svhost.exe"

Here is my log:
malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.05.31.05

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 8.0.7601.17514
pamato :: ENPUSREML0278 [administrator]

Protection: Enabled

5/31/2013 8:23:04 AM
mbam-log-2013-05-31 (08-23-04).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 273230
Time elapsed: 9 minute(s), 36 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Users\pamato\rundll32.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Users\pamato\winlogon.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

(end)


Thanks
 

pjoseph

Member
Ran AdwCleaner, but when I try to delete it freezes up my computer every time, so it never finishes.

# AdwCleaner v2.301 - Logfile created 05/31/2013 at 09:26:36
# Updated 16/05/2013 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (32 bits)
# User : pamato - ENPUSREML0278
# Boot Mode : Normal
# Running from : C:\Users\pamato\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

Folder Found : C:\Program Files\adawaretb
Folder Found : C:\ProgramData\adawaretb
Folder Found : C:\ProgramData\blekko toolbars

***** [Registry] *****

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\Software\adawaretb
Key Found : HKLM\Software\Freeze.com
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{6C97A91E-4524-4019-86AF-2AA2D567BF5C}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7601.17514

[OK] Registry is clean.

-\\ Google Chrome v27.0.1453.94

File : C:\Users\pamato\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [2229 octets] - [31/05/2013 08:54:19]
AdwCleaner[R2].txt - [2275 octets] - [31/05/2013 09:10:33]
AdwCleaner[R3].txt - [2147 octets] - [31/05/2013 09:26:36]
AdwCleaner[S1].txt - [398 octets] - [31/05/2013 08:55:42]
AdwCleaner[S2].txt - [325 octets] - [31/05/2013 09:11:59]
AdwCleaner[S3].txt - [325 octets] - [31/05/2013 09:26:26]

########## EOF - C:\AdwCleaner[R3].txt - [2384 octets] ##########
 

Punk

Moderator
Staff member
Hello!


Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
  • Download this file here:

    Combofix

  • When the page loads click on the blue combofix download link next to the BleepingComputer Mirror.
  • Save the file to your Windows desktop. The ComboFix icon will look like this when it has downloaded to your desktop.

    cf-icon.jpg
  • We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:

  • Close all open Windows including this one.
  • Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found here.
    Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.
  • Please click on I agree on the disclaimer window.
  • ComboFix will now install itself on to your computer. When it is done, a blue screen will appear as shown below.

    cf-preparing.jpg

  • ComboFix is now preparing to run. When it has finished ComboFix will automatically attempt to create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then backup your Windows Registry as shown in the image below.

    erunt.jpg

  • Once the Windows Registry has finished being backed up, ComboFix will attempt to detect if you have the Windows Recovery Console installed. If you already have it installed, you can skip to this section and continue reading. Otherwise you will see the following message as shown below:

    recovery-console-prompt.jpg

  • At the above message box, please click on the Yes button in order for ComboFix to continue. Please follow the steps and instructions given by ComboFix in order to finish the installation of the Recovery Console.
  • Please click on Yes in the next window to continue scanning for malware.
  • ComboFix will now disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.
  • ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.
  • While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan. An example of this can be seen below.

    still-scanning-clockchanges.jpg

  • When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
  • This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and tells you the program's log file, or report, will be located at C:\ComboFix.txt.
  • When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically for you.
  • Now you just click on the Edit menu and click on Select All, then click on the Edit menu again and click on Copy. Then come to the forum, and in your reply right-click with your mouse and click on Paste.


In your next reply please post:
  • The ComboFix log
  • A fresh HiJackThis log
  • An update on how your computer is running
 

johnb35

Administrator
Staff member
Yes, please follow what Punk has suggested to do. It seems you may have a service that is still infecting you.

I would also suggest running TDSSKiller, as sometimes the ZeroAccess rootkit is involved with the ransomware infection.

Please download and run TDSSKiller.

When the program opens, click on the start scan button.

tdssstartscan_zps32a151cd.jpg


TDSSKiller will now scan your computer for the TDSS infection. When the scan has finished it will display a result screen stating whether or not the infection was found on your computer. If it was found it will display a screen similar to the one below.

2663-2-eng.png


To remove the infections simply click on the Continue button and TDSSKiller will attempt to clean them or remove them.

After trying to clean them it will pop up with the results of the scan and its actions.

2663_3_en.png


Please reboot the system if asked to do so.

After running, there will be a log located at the root of your C:\ drive labeled TDSSKiller with a series of numbers after it, for example C:\TDSSKiller.2.4.7_23.07.2010_15.31.43_log.txt

Please open the log and copy and paste it back here.
 

pjoseph

Member
Well, I ran ComboFix and now I cannot open any program or file or get on the internet, etc.

Anything I try to open says "illegal operation attempted on a registry key that has been marked for deletion".
 

voyagerfan99

Master of Turning Things Off and Back On Again
Staff member
Hey John, you should edit your instructions so they say to reboot the computer ;)
 

pjoseph

Member
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3241.1674 [GMT -7:00]
Running from: c:\users\pamato\Desktop\ComboFix.exe
AV: Lavasoft Ad-Aware *Disabled/Updated* {E0D97DD4-42BA-B3F2-A5A7-22E9ACE81FC7}
AV: Symantec Endpoint Protection *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Lavasoft Ad-Aware *Disabled* {D8E2FCF1-08D5-B2AA-8EF8-8BDC523B58BC}
FW: Symantec Endpoint Protection *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Lavasoft Ad-Aware *Disabled/Updated* {5BB89C30-6480-BC7C-9F17-199BD76F557A}
SP: Symantec Endpoint Protection *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\MS
c:\programdata\Roaming
c:\users\pamato\acrobatreader.exe
c:\users\pamato\alg.exe
c:\users\pamato\AppData\Local\d6a229c4-3b65-43a8-ab14-a6e1f19addf4ad
c:\users\pamato\AppData\Local\d6a229c4-3b65-43a8-ab14-a6e1f19addf4ad\dacbaabaefaddfad.exe
c:\users\pamato\chrome.exe
c:\users\pamato\flashplayer.exe
c:\users\pamato\googleupdate.exe
c:\users\pamato\GoToAssistDownloadHelper.exe
c:\users\pamato\icq.exe
c:\users\pamato\java.exe
c:\users\pamato\jucheck.exe
c:\users\pamato\msconfig.exe
c:\users\pamato\mstsc.exe
c:\users\pamato\opera.exe
c:\users\pamato\skype.exe
c:\users\pamato\teamviewer.exe
c:\users\pamato\windowsupdate.exe
.
.
((((((((((((((((((((((((( Files Created from 2013-04-28 to 2013-05-31 )))))))))))))))))))))))))))))))
.
.
2013-05-31 19:02 . 2013-05-31 19:02 -------- d-----w- c:\users\tcyberey\AppData\Local\temp
2013-05-31 16:02 . 2013-05-31 16:02 -------- d-----w- C:\found.001
2013-05-31 15:21 . 2013-05-31 15:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-05-31 15:21 . 2013-04-04 21:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-05-31 14:55 . 2013-05-31 14:55 -------- d-----w- C:\found.000
2013-05-31 00:57 . 2013-05-31 01:00 -------- d-----w- c:\programdata\Ad-Aware Antivirus
2013-05-31 00:51 . 2013-05-31 00:51 -------- d-----w- c:\programdata\Lavasoft
2013-05-31 00:51 . 2013-05-31 00:57 -------- d-----w- c:\program files\Ad-Aware Antivirus
2013-05-31 00:50 . 2013-05-31 00:50 -------- d-----w- c:\users\pamato\AppData\Local\adawarebp
2013-05-31 00:50 . 2013-05-31 00:50 -------- d-----w- c:\programdata\adawaretb
2013-05-31 00:50 . 2013-05-31 00:50 -------- d-----w- c:\programdata\Ad-Aware Browsing Protection
2013-05-31 00:49 . 2013-05-31 05:57 -------- d-----w- c:\users\pamato\AppData\Roaming\Ad-Aware Antivirus
2013-05-31 00:17 . 2013-05-31 00:17 30464 ----a-w- c:\windows\system32\drivers\hitmanpro37.sys
2013-05-31 00:07 . 2013-05-31 00:15 -------- d-----w- c:\programdata\HitmanPro
2013-05-30 23:46 . 2013-05-30 23:46 -------- d-----w- c:\users\pamato\AppData\Roaming\Malwarebytes
2013-05-30 23:46 . 2013-05-30 23:46 -------- d-----w- c:\programdata\Malwarebytes
2013-05-30 23:46 . 2013-05-30 23:46 -------- d-----w- c:\users\pamato\AppData\Local\Programs
2013-05-30 23:37 . 2013-05-30 23:37 -------- d-----w- c:\programdata\Anvisoft
2013-05-30 23:37 . 2013-05-30 23:37 -------- d-----w- c:\program files\Anvisoft
2013-05-30 21:13 . 2013-05-30 21:13 -------- d-----w- c:\users\pamato\AppData\Roaming\wabEventSupport16
2013-05-24 03:47 . 2013-05-24 03:47 -------- d-----w- c:\programdata\Downloaded Installations
2013-05-22 06:03 . 2013-05-31 15:12 -------- d-----w- c:\users\pamato\AppData\Local\Widcomm
2013-05-13 14:17 . 2013-05-13 14:17 -------- d-----w- c:\users\Default\AppData\Local\Symantec
2013-05-11 10:37 . 2013-05-11 10:37 209472 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
2013-05-10 07:57 . 2013-05-10 07:57 49728 ----a-w- c:\windows\system32\AdobePDF.dll
2013-05-10 07:57 . 2013-05-10 07:57 25160 ----a-w- c:\windows\system32\AdobePDFUI.dll
2013-05-06 07:00 . 2013-05-06 07:00 -------- d-----w- c:\program files\Common Files\Intel Corporation
2013-05-05 07:30 . 2013-05-05 07:30 -------- d-----w- c:\users\pamato\AppData\Roaming\Intel Corporation
2013-05-04 11:06 . 2011-04-16 14:00 53248 ----a-w- c:\windows\system32\CSVer.dll
2013-05-04 11:05 . 2013-05-04 11:05 -------- d-----w- c:\users\pamato\AppData\Roaming\InstallShield
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-31 00:49 . 2013-01-17 07:24 44424 ----a-w- c:\windows\system32\sbbd.exe
2013-05-31 00:49 . 2013-01-17 07:24 13560 ----a-w- c:\windows\system32\drivers\gfibto.sys
2013-05-24 15:19 . 2012-04-18 15:58 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-24 15:19 . 2011-10-19 15:22 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-04-13 19:53 . 2013-03-20 22:20 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2013-03-20 22:20 . 2013-03-20 22:20 53248 ----a-r- c:\users\pamato\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2013-03-19 05:04 . 2013-04-17 19:42 3968856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-19 05:04 . 2013-04-17 19:42 3913560 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-19 04:48 . 2013-04-17 19:42 38912 ----a-w- c:\windows\system32\csrsrv.dll
2013-03-19 02:49 . 2013-04-17 19:42 69632 ----a-w- c:\windows\system32\smss.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\programdata\FLEXnet\Connect\11\ISUSPM.exe" [2010-05-21 324976]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2009-07-14 354304]
"Widcomm"="c:\users\pamato\AppData\Local\Widcomm\vwhsfohz.dll" [2013-05-31 821248]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ad-Aware Antivirus"="c:\program files\Ad-Aware Antivirus\AdAwareLauncher --windows-run" [X]
"Check Point Endpoint Tray Application"="c:\program files\Common Files\Check Point\UIFramework\cptray.exe" [2010-06-02 70144]
"Pointsec Tray"="c:\program files\Pointsec\Pointsec for PC\P95Tray.exe" [2010-11-17 858792]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2012-07-16 115624]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]
"Cisco AnyConnect Secure Mobility Agent for Windows"="c:\program files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" [2011-09-09 523216]
"Nuance PDF Converter Professional 7-reminder"="c:\program files\Nuance\PDF Professional 7\Ereg\Ereg.exe" [2011-09-06 333672]
"ISUSPM"="c:\programdata\FLEXnet\Connect\11\\isuspm.exe" [2010-05-21 324976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2013-05-10 38984]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2013-05-10 840768]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2011-07-20 505720]
"IntelPROSet"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2012-03-29 3421456]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2013-02-21 2238704]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-11-07 145464]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-11-07 180792]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-11-07 189496]
"IAStorIcon"="c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2010-11-06 283160]
"Ad-Aware Browsing Protection"="c:\programdata\Ad-Aware Browsing Protection\adawarebp.exe" [2013-05-15 554408]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2011-10-27 840992]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableInstallerDetection"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
"DefaultLogonDomain"= EMRSN
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2011-10-17 17:43 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2013-02-08 18:30 66800 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ad-Aware Service]
@="Ad-Aware Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-08-28 04:32 59280 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R280 Series]
2007-04-13 14:00 182272 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\E_FATICKA.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-09-10 06:30 421776 ----a-w- E:\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nuance PDF Converter Professional 7-reminder]
2011-09-06 21:47 333672 ----a-w- c:\program files\Nuance\PDF Professional 7\Ereg\Ereg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDF7 Registry Controller]
2012-02-17 20:01 141160 ----a-w- c:\program files\Nuance\PDF Professional 7\RegistryController.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDFProHook]
2012-02-17 20:02 1828712 ----a-w- c:\program files\Nuance\PDF Professional 7\PdfPro7Hook.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-11-08 01:21 421888 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wabEventSupport16]
2013-05-30 21:13 30208 ----a-w- c:\users\pamato\AppData\Roaming\wabEventSupport16\wabEventSupport16.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R0 xwxn;xwxn;c:\windows\System32\drivers\ihpjs.sys [x]
R3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [x]
R3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [x]
R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
R3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\DRIVERS\ldblank.sys [x]
R3 NETwNx32;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\DRIVERS\NETwNx32.sys [x]
R3 NewMisc;Panasonic Misc Driver;c:\windows\system32\drivers\newmisc.sys [x]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [x]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Ser2plx86;Prolific Serial port WDF driver;c:\windows\system32\DRIVERS\ser2pl.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [x]
S0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [x]
S0 prot_2k;prot_2k; [x]
S1 Teefer3;Symantec Endpoint Protection Firewall;c:\windows\system32\DRIVERS\Teefer3.sys [x]
S2 Ad-Aware Service;Ad-Aware Service;c:\program files\Ad-Aware Antivirus\AdAwareService.exe [x]
S2 Autodesk Content Service;Autodesk Content Service;c:\program files\Autodesk\Content Service\Connect.Service.ContentService.exe [x]
S2 CBA8;LANDesk(R) Management Agent;c:\program files\LANDesk\Shared Files\residentagent.exe [x]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 IRA;IRA;c:\program files\MANDIANT\MANDIANT Intelligent Response Agent\miragent.exe [x]
S2 LANDesk Policy Invoker;LANDesk Policy Invoker;c:\program files\LANDesk\LDClient\policy.client.invoker.exe [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S2 PDFProFiltSrv;PDFProFiltSrv;c:\program files\Nuance\PDF Professional 7\PDFProFiltSrv.exe [x]
S2 Pointsec;Pointsec;c:\windows\system32\Prot_srv.exe [x]
S2 Pointsec_start;Pointsec Service Start;c:\windows\system32\pstartSr.exe [x]
S2 SBAMSvc;Ad-Aware;c:\program files\Ad-Aware Antivirus\SBAMSvc.exe [x]
S2 Softmon;LANDesk(R) Software Monitoring Service;c:\program files\LANDesk\LDCLient\softmon.exe [x]
S2 vpnagent;Cisco AnyConnect Secure Mobility Agent;c:\program files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe [x]
S2 ZeroConfigService;Intel(R) PROSet/Wireless Zero Configuration Service;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe [x]
S3 acsock;acsock;c:\windows\system32\DRIVERS\acsock.sys [x]
S3 BTWAMPFL;btwampfl Bluetooth filter driver;c:\windows\system32\drivers\btwampfl.sys [x]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
S3 ldmirror;ldmirror;c:\windows\system32\DRIVERS\ldmirror.sys [x]
S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\Drivers\LEqdUsb.Sys [x]
S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\Drivers\LHidEqd.Sys [x]
S3 Mandiant_Tools;Mandiant_Tools;c:\program files\MANDIANT\MANDIANT Intelligent Response Agent\mktools.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 MEI;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [x]
S3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\DRIVERS\mirrorflt.sys [x]
S3 NETwNs32;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\Netwsn00.sys [x]
S3 O2MDRRDR;O2MDRRDR;c:\windows\system32\DRIVERS\O2MDRw7.sys [x]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [x]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [x]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS fdrespub AppIDSvc QWAVE wcncsvc Mcx2Svc SensrSvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
GPSvcGroup REG_MULTI_SZ GPSvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
FontCache
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-31 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-18 15:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyServer = enpusfpkinf01:8080
uInternet Settings,ProxyOverride = 169.254.1.1;*.ascopower.*;*.ascoswitch.com;*.enps.com;*.liebert.com;*.emrsn.org;*.learninglogin.com;155.104.*;10.*;192.168.*;*.emerson.*;*.msftncsi.com;*.careermap.net;<local>
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append the content of the link to existing PDF file - c:\program files\Nuance\PDF Professional 7\Bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Append the content of the selected links to existing PDF file - c:\program files\Nuance\PDF Professional 7\Bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Append to existing PDF file - c:\program files\Nuance\PDF Professional 7\Bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Create PDF file - c:\program files\Nuance\PDF Professional 7\Bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF file from the content of the link - c:\program files\Nuance\PDF Professional 7\Bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF files from the selected links - c:\program files\Nuance\PDF Professional 7\Bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Open with Nuance PDF Converter 7 - c:\program files\Nuance\PDF Professional 7\cnvres_eng.dll /100
IE: Open with PDF Professional 7 - c:\program files\Nuance\PDF Professional 7\Bin\PlusIEContextMenu.dll/PlusIEContextMenu.htm
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 71.9.127.107 68.190.192.35 24.205.224.36
TCP: Interfaces: NameServer = 10.16.64.11,10.20.64.11
.
.
------- File Associations -------
.
.scr=AutoCADLTScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{6c97a91e-4524-4019-86af-2aa2d567bf5c} - (no file)
HKCU-Run-Adobe CSS5.1 Manager - c:\users\pamato\AppData\Local\d6a229c4-3b65-43a8-ab14-a6e1f19addf4ad\dacbaabaefaddfad.exe
SafeBoot-Wdf01000.sys
SafeBoot-Symantec Antvirus
MSConfigStartUp-ADBlocker - c:\program files\Anvisoft\Anvi Smart Defender\toolbox\adblocker\ADBlockerTray.exe
MSConfigStartUp-ATI Remote Control - c:\program files\ATI Multimedia\RemCtrl\ATIRW.EXE
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2420)
c:\programdata\Ad-Aware Browsing Protection\adawarebp.dll
c:\users\pamato\AppData\Local\Widcomm\vwhsfohz.dll
c:\program files\WIDCOMM\Bluetooth Software\btmmhook.dll
c:\program files\WallData\dba\dbashlex.dll
c:\program files\WallData\system\Nls32.DLL
c:\program files\WallData\dba\MRI2924\NLSDBSHL.Dll
c:\program files\WIDCOMM\Bluetooth Software\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Symantec\Symantec Endpoint Protection\SNAC.EXE
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\system32\WLANExt.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\btwdins.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\LANDesk\LDClient\LocalSch.EXE
c:\windows\system32\CBA\pds.exe
c:\program files\LANDesk\LDCLient\tmcsvc.exe
c:\progra~1\LANDesk\LDCLient\issuser.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\DRIVERS\o2flash.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\progra~1\LANDesk\LDClient\collector.exe
c:\windows\system32\conhost.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\System32\WUDFHost.exe
c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
c:\windows\system32\taskhost.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\system32\conhost.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\windows\System32\regsvr32.exe
c:\program files\DellTPad\HidFind.exe
c:\progra~1\AD-AWA~1\AdAware.exe
c:\program files\DellTPad\Apntex.exe
c:\program files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\conhost.exe
c:\program files\WIDCOMM\Bluetooth Software\BtStackServer.exe
c:\windows\system32\sppsvc.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2013-05-31 12:10:46 - machine was rebooted
ComboFix-quarantined-files.txt 2013-05-31 19:10
.
Pre-Run: 55,911,739,392 bytes free
Post-Run: 56,035,725,312 bytes free
.
- - End Of File - - B6E63C4838B3C90C880C311648337152
 

pjoseph

Member
Still getting the Malwarebytes message
"successfully blocked access to a potentially malicious website 109.236.82.107
type outgoing
port:49294, process iexlore.exe"

and regarding TDssKiller

When i click on the link i have the following options "do you want to save this file or find a program to open online"

If i save it i cant open it.

not sure what the issue is
 

johnb35

Administrator
Staff member
You are downloading the exe file, correct? You are still somewhat infected. Can you try booting into safe mode and try running TDSSKiller for me and see if it will run?

I also need you to post a log that combofix produces but doesn't show you. Looks like we need to uninstall some software as well. Please navigate to c:\Qoobox and in that folder will be a file named add-remove programs.txt. Open the notepad file and copy and paste the contents back here. Meanwhile I will go through the combofix log you posted.
 

pjoseph

Member
I am clicking on the link you provided, which automatically goes to file download.

Name tdsskiller
Type Unknown file type
from support.kaspersky.com


2007 Microsoft Office Suite Service Pack 3 (SP3)
32 Bit HP CIO Components Installer
Active Models
Ad-Aware Antivirus
Ad-Aware Browsing Protection
Adobe Acrobat X Standard
Adobe AIR
Adobe Digital Editions
Adobe Flash Player 11 ActiveX
Adobe Reader XI (11.0.03)
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Audacity 2.0
AutoCAD LT 2012 - English
AutoCAD LT 2012 Language Pack - English
Autodesk Content Service
Autodesk Material Library 2012
Autodesk Material Library Base Resolution Image Library 2012
Bonjour
Canon DIGITAL CAMERA Solution Disk Software Guide
CANON iMAGE GATEWAY MyCamera Download Plugin
CANON iMAGE GATEWAY Task for ZoomBrowser EX
Canon MOV Decoder
Canon MOV Encoder
Canon MovieEdit Task for ZoomBrowser EX
Canon PowerShot ELPH 100 HS_IXUS 115 HS Camera User Guide
Canon Utilities CameraWindow DC 8
Canon Utilities CameraWindow Launcher
Canon Utilities Movie Uploader for YouTube
Canon Utilities MyCamera
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
CCleaner
Check Point Endpoint Security - Full Disk Encryption
Cisco AnyConnect Diagnostics and Reporting Tool
Cisco AnyConnect Secure Mobility Client
Cisco AnyConnect Secure Mobility Client
Compatibility Pack for the 2007 Office system
Dell Client System Update
Dell Touchpad
DWG TrueView 2008
ENP messaging screen saver
EPSON Printer Software
eReg
foobar2000 v1.1.15
Google SketchUp 8
GoToAssist Corporate
Intel PROSet Wireless
Intel(R) Network Connections Drivers
Intel(R) Processor Graphics
Intel(R) Rapid Storage Technology
Intel(R) SDK for OpenCL - CPU Only Runtime Package
Intel® PROSet/Wireless WiFi Software
IrfanView (remove only)
iTunes
Java Auto Updater
Java(TM) 7 Update 4
JavaFX 2.1.0
LAME v3.99.3 (for Windows)
LANDesk Advance Agent
LANDesk(R) Common Base Agent 8
LiveUpdate 3.3 (Symantec Corporation)
Logitech SetPoint 6.52
Malwarebytes Anti-Malware version 1.75.0.1300
MANDIANT Intelligent Response Agent
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft AntiXSS v4.2.1
Microsoft Application Error Reporting
Microsoft IntelliPoint 8.2
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Meeting 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visio Professional 2002 [English]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Modem Diagnostic Tool
Multi-Targeting Pack for Microsoft .NET Framework 4 Platform Update 1 (KB2495638)
Multi-Targeting Pack for the Microsoft .NET Framework 4.0.2
Multi-Targeting Pack for the Microsoft .NET Framework 4.0.2 (KB2544526)
Nuance PDF Converter Professional 7
QuickTime
RUMBA 2000
Scansoft PDF Professional
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687311) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687439) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687441) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687499) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760416) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2687307) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2760421) 32-Bit Edition
Security Update for Microsoft Visual Basic for Applications 6.5 (KB2688865)
Symantec Endpoint Protection
System Requirements Lab for Intel
Update 4.0.2 for Microsoft .NET Framework 4 Client Profile (KB2544514)
Update 4.0.2 for Microsoft .NET Framework 4 Extended (KB2544514)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
VLC media player 1.1.11
WIDCOMM Bluetooth Software
WinZip 15.0
X10 Hardware(TM)
 

pjoseph

Member
OK, I was able to run TDSSKiller with the new link, and it found 0 threats.

I removed all of the programs you listed except Java Auto Updater,
because I am not finding it in the list.
 

johnb35

Administrator
Staff member
Ok, then give me a while to go through your log and I'll give you your next procedure.
 

johnb35

Administrator
Staff member
OK, next step.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box

Code:
Driver::

xwxn

File::

c:\windows\System32\drivers\ihpjs.sys 

Reglock::

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!


[Screenshot: CFScript-1.gif]


ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Then finally please run an online scan using Eset.

Please download and run the ESET Online Scanner
Disable any antivirus/security programs.
IMPORTANT! UN-check Remove found threats
Accept any security warnings from your browser.
Check Scan archives
Click Start
ESET will then download updates, install and then start scanning your system.
When the scan is done, push list of found threats
Click on Export to text file , and save the file to your desktop using a file name, such as ESETlog. Include the contents of this report in your next reply.
If no threats are found then it won't produce a log.
 

pjoseph

Member
I am unable to disable Symantec Endpoint Protection since this is a company laptop. Should I proceed anyway? ComboFix is giving me a warning.

thanks again
 

pjoseph

Member
Really appreciate the help so far, here is the log

ComboFix 13-05-31.02 - pamato 05/31/2013 17:19:34.2.4 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3241.1280 [GMT -7:00]
Running from: c:\users\pamato\Desktop\ComboFix.exe
Command switches used :: c:\users\pamato\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Symantec Endpoint Protection *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Symantec Endpoint Protection *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\windows\System32\drivers\ihpjs.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\ntuser.dat
c:\users\pamato\AppData\Roaming\skype.ini
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_xwxn
.
.
((((((((((((((((((((((((( Files Created from 2013-05-01 to 2013-06-01 )))))))))))))))))))))))))))))))
.
.
2013-06-01 00:29 . 2013-06-01 00:29 -------- d-----w- c:\users\tcyberey\AppData\Local\temp
2013-06-01 00:29 . 2013-06-01 00:29 -------- d-----w- c:\users\tcyberey.EMRSN\AppData\Local\temp
2013-06-01 00:29 . 2013-06-01 00:29 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-05-31 20:46 . 2013-06-01 00:32 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3545A5C2-324F-408F-AC97-05397BD0C750}\offreg.dll
2013-05-31 16:02 . 2013-05-31 16:02 -------- d-----w- C:\found.001
2013-05-31 15:21 . 2013-05-31 15:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-05-31 15:21 . 2013-04-04 21:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-05-31 14:55 . 2013-05-31 14:55 -------- d-----w- C:\found.000
2013-05-31 00:50 . 2013-05-31 00:50 -------- d-----w- c:\users\pamato\AppData\Local\adawarebp
2013-05-31 00:50 . 2013-05-31 00:50 -------- d-----w- c:\programdata\adawaretb
2013-05-31 00:50 . 2013-05-31 00:50 -------- d-----w- c:\programdata\Ad-Aware Browsing Protection
2013-05-31 00:17 . 2013-05-31 00:17 30464 ----a-w- c:\windows\system32\drivers\hitmanpro37.sys
2013-05-31 00:07 . 2013-05-31 00:15 -------- d-----w- c:\programdata\HitmanPro
2013-05-30 23:46 . 2013-05-30 23:46 -------- d-----w- c:\users\pamato\AppData\Roaming\Malwarebytes
2013-05-30 23:46 . 2013-05-30 23:46 -------- d-----w- c:\programdata\Malwarebytes
2013-05-30 23:46 . 2013-05-30 23:46 -------- d-----w- c:\users\pamato\AppData\Local\Programs
2013-05-30 23:37 . 2013-05-30 23:37 -------- d-----w- c:\programdata\Anvisoft
2013-05-30 23:37 . 2013-05-30 23:37 -------- d-----w- c:\program files\Anvisoft
2013-05-30 21:13 . 2013-05-30 21:13 -------- d-----w- c:\users\pamato\AppData\Roaming\wabEventSupport16
2013-05-24 03:47 . 2013-05-24 03:47 -------- d-----w- c:\programdata\Downloaded Installations
2013-05-22 06:03 . 2013-05-31 15:12 -------- d-----w- c:\users\pamato\AppData\Local\Widcomm
2013-05-13 14:17 . 2013-05-13 14:17 -------- d-----w- c:\users\Default\AppData\Local\Symantec
2013-05-11 10:37 . 2013-05-11 10:37 209472 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
2013-05-10 07:57 . 2013-05-10 07:57 49728 ----a-w- c:\windows\system32\AdobePDF.dll
2013-05-10 07:57 . 2013-05-10 07:57 25160 ----a-w- c:\windows\system32\AdobePDFUI.dll
2013-05-06 07:00 . 2013-05-06 07:00 -------- d-----w- c:\program files\Common Files\Intel Corporation
2013-05-05 07:30 . 2013-05-05 07:30 -------- d-----w- c:\users\pamato\AppData\Roaming\Intel Corporation
2013-05-04 11:06 . 2011-04-16 14:00 53248 ----a-w- c:\windows\system32\CSVer.dll
2013-05-04 11:05 . 2013-05-04 11:05 -------- d-----w- c:\users\pamato\AppData\Roaming\InstallShield
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-31 00:49 . 2013-01-17 07:24 44424 ----a-w- c:\windows\system32\sbbd.exe
2013-05-31 00:49 . 2013-01-17 07:24 13560 ----a-w- c:\windows\system32\drivers\gfibto.sys
2013-05-24 15:19 . 2012-04-18 15:58 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-24 15:19 . 2011-10-19 15:22 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-04-13 19:53 . 2013-03-20 22:20 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2013-03-20 22:20 . 2013-03-20 22:20 53248 ----a-r- c:\users\pamato\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2013-03-19 05:04 . 2013-04-17 19:42 3968856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-19 05:04 . 2013-04-17 19:42 3913560 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-19 04:48 . 2013-04-17 19:42 38912 ----a-w- c:\windows\system32\csrsrv.dll
2013-03-19 02:49 . 2013-04-17 19:42 69632 ----a-w- c:\windows\system32\smss.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\programdata\FLEXnet\Connect\11\ISUSPM.exe" [2010-05-21 324976]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2009-07-14 354304]
"Widcomm"="c:\users\pamato\AppData\Local\Widcomm\vwhsfohz.dll" [2013-05-31 821248]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Check Point Endpoint Tray Application"="c:\program files\Common Files\Check Point\UIFramework\cptray.exe" [2010-06-02 70144]
"Pointsec Tray"="c:\program files\Pointsec\Pointsec for PC\P95Tray.exe" [2010-11-17 858792]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2012-07-16 115624]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]
"Cisco AnyConnect Secure Mobility Agent for Windows"="c:\program files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" [2011-09-09 523216]
"Nuance PDF Converter Professional 7-reminder"="c:\program files\Nuance\PDF Professional 7\Ereg\Ereg.exe" [2011-09-06 333672]
"ISUSPM"="c:\programdata\FLEXnet\Connect\11\\isuspm.exe" [2010-05-21 324976]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2013-05-10 38984]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2013-05-10 840768]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2011-07-20 505720]
"IntelPROSet"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2012-03-29 3421456]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2013-02-21 2238704]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-11-07 145464]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-11-07 180792]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-11-07 189496]
"IAStorIcon"="c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2010-11-06 283160]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2011-10-27 840992]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableInstallerDetection"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
"DefaultLogonDomain"= EMRSN
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2011-10-17 17:43 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2013-02-08 18:30 66800 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-08-28 04:32 59280 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R280 Series]
2007-04-13 14:00 182272 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\E_FATICKA.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-09-10 06:30 421776 ----a-w- E:\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nuance PDF Converter Professional 7-reminder]
2011-09-06 21:47 333672 ----a-w- c:\program files\Nuance\PDF Professional 7\Ereg\Ereg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDF7 Registry Controller]
2012-02-17 20:01 141160 ----a-w- c:\program files\Nuance\PDF Professional 7\RegistryController.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDFProHook]
2012-02-17 20:02 1828712 ----a-w- c:\program files\Nuance\PDF Professional 7\PdfPro7Hook.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-11-08 01:21 421888 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wabEventSupport16]
2013-05-30 21:13 30208 ----a-w- c:\users\pamato\AppData\Roaming\wabEventSupport16\wabEventSupport16.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [x]
R3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [x]
R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
R3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\DRIVERS\ldblank.sys [x]
R3 NETwNx32;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\DRIVERS\NETwNx32.sys [x]
R3 NewMisc;Panasonic Misc Driver;c:\windows\system32\drivers\newmisc.sys [x]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [x]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Ser2plx86;Prolific Serial port WDF driver;c:\windows\system32\DRIVERS\ser2pl.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [x]
S0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [x]
S0 prot_2k;prot_2k; [x]
S1 Teefer3;Symantec Endpoint Protection Firewall;c:\windows\system32\DRIVERS\Teefer3.sys [x]
S2 Autodesk Content Service;Autodesk Content Service;c:\program files\Autodesk\Content Service\Connect.Service.ContentService.exe [x]
S2 CBA8;LANDesk(R) Management Agent;c:\program files\LANDesk\Shared Files\residentagent.exe [x]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 IRA;IRA;c:\program files\MANDIANT\MANDIANT Intelligent Response Agent\miragent.exe [x]
S2 LANDesk Policy Invoker;LANDesk Policy Invoker;c:\program files\LANDesk\LDClient\policy.client.invoker.exe [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S2 PDFProFiltSrv;PDFProFiltSrv;c:\program files\Nuance\PDF Professional 7\PDFProFiltSrv.exe [x]
S2 Pointsec;Pointsec;c:\windows\system32\Prot_srv.exe [x]
S2 Pointsec_start;Pointsec Service Start;c:\windows\system32\pstartSr.exe [x]
S2 Softmon;LANDesk(R) Software Monitoring Service;c:\program files\LANDesk\LDCLient\softmon.exe [x]
S2 vpnagent;Cisco AnyConnect Secure Mobility Agent;c:\program files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe [x]
S2 ZeroConfigService;Intel(R) PROSet/Wireless Zero Configuration Service;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe [x]
S3 acsock;acsock;c:\windows\system32\DRIVERS\acsock.sys [x]
S3 BTWAMPFL;btwampfl Bluetooth filter driver;c:\windows\system32\drivers\btwampfl.sys [x]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
S3 ldmirror;ldmirror;c:\windows\system32\DRIVERS\ldmirror.sys [x]
S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\Drivers\LEqdUsb.Sys [x]
S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\Drivers\LHidEqd.Sys [x]
S3 Mandiant_Tools;Mandiant_Tools;c:\program files\MANDIANT\MANDIANT Intelligent Response Agent\mktools.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 MEI;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [x]
S3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\DRIVERS\mirrorflt.sys [x]
S3 NETwNs32;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\Netwsn00.sys [x]
S3 O2MDRRDR;O2MDRRDR;c:\windows\system32\DRIVERS\O2MDRw7.sys [x]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [x]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [x]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS fdrespub AppIDSvc QWAVE wcncsvc Mcx2Svc SensrSvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
GPSvcGroup REG_MULTI_SZ GPSvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
FontCache
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-01 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-18 15:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyServer = enpusfpkinf01:8080
uInternet Settings,ProxyOverride = 169.254.1.1;*.ascopower.*;*.ascoswitch.com;*.enps.com;*.liebert.com;*.emrsn.org;*.learninglogin.com;155.104.*;10.*;192.168.*;*.emerson.*;*.msftncsi.com;*.careermap.net;<local>
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append the content of the link to existing PDF file - c:\program files\Nuance\PDF Professional 7\Bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Append the content of the selected links to existing PDF file - c:\program files\Nuance\PDF Professional 7\Bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Append to existing PDF file - c:\program files\Nuance\PDF Professional 7\Bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Create PDF file - c:\program files\Nuance\PDF Professional 7\Bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF file from the content of the link - c:\program files\Nuance\PDF Professional 7\Bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF files from the selected links - c:\program files\Nuance\PDF Professional 7\Bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Open with Nuance PDF Converter 7 - c:\program files\Nuance\PDF Professional 7\cnvres_eng.dll /100
IE: Open with PDF Professional 7 - c:\program files\Nuance\PDF Professional 7\Bin\PlusIEContextMenu.dll/PlusIEContextMenu.htm
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 71.9.127.107 68.190.192.35 24.205.224.36
TCP: Interfaces: NameServer = 10.16.64.11,10.20.64.11
TCP: Interfaces\{F39B21CE-17BD-4563-BC8F-26C93DDA032C}: NameServer = 10.16.64.11,10.20.64.11
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(5080)
c:\users\pamato\AppData\Local\Widcomm\vwhsfohz.dll
c:\program files\WIDCOMM\Bluetooth Software\btmmhook.dll
c:\program files\WallData\dba\dbashlex.dll
c:\program files\WallData\system\Nls32.DLL
c:\program files\WallData\dba\MRI2924\NLSDBSHL.Dll
c:\program files\WIDCOMM\Bluetooth Software\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Symantec\Symantec Endpoint Protection\SNAC.EXE
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\system32\WLANExt.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\btwdins.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\LANDesk\LDClient\LocalSch.EXE
c:\windows\system32\CBA\pds.exe
c:\program files\LANDesk\LDCLient\tmcsvc.exe
c:\progra~1\LANDesk\LDCLient\issuser.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\DRIVERS\o2flash.exe
c:\progra~1\LANDesk\LDClient\collector.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\windows\system32\conhost.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\System32\WUDFHost.exe
c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
c:\windows\system32\taskhost.exe
c:\progra~1\LANDesk\LDCLient\rcgui.exe
c:\windows\system32\conhost.exe
c:\windows\System32\regsvr32.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\windows\system32\conhost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\WIDCOMM\Bluetooth Software\BtStackServer.exe
.
**************************************************************************
.
Completion time: 2013-05-31 17:50:29 - machine was rebooted
ComboFix-quarantined-files.txt 2013-06-01 00:50
ComboFix2.txt 2013-05-31 19:10
.
Pre-Run: 56,917,889,024 bytes free
Post-Run: 56,722,034,688 bytes free
.
- - End Of File - - F5AE29F1CE28DE3822D84AF320223281
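An added triage example, not part of this thread and not code from ComboFix: a small Python script that reads the "Reg Loading Points" section of a ComboFix log like the one posted above and flags what a responder would look at first: autoruns that point into user-writable paths (the user profile, AppData, Temp), Run values that load a DLL rather than an EXE, random-looking file names, and policy values that weaken the machine (UAC turned off, automatic updates disabled, Security Center monitoring of the AV disabled). The embedded sample is copied from the posted log; the category names, the list of "weak" policy values and the vowel-ratio heuristic for random names are assumptions of this example, not ComboFix conventions.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the "Reg Loading Points" section of
# the ComboFix log posted above, so the script runs offline.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\programdata\FLEXnet\Connect\11\ISUSPM.exe" [2010-05-21 324976]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2009-07-14 354304]
"Widcomm"="c:\users\pamato\AppData\Local\Widcomm\vwhsfohz.dll" [2013-05-31 821248]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2012-07-16 115624]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wabEventSupport16]
2013-05-30 21:13 30208 ----a-w- c:\users\pamato\AppData\Roaming\wabEventSupport16\wabEventSupport16.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "Name"="target" [date size]   |   "Name"= 0 (0x0)   |   "Name"=dword:00000001
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"\s*=\s*(?:"(?P<path>[^"]*)"|dword:(?P<dword>[0-9a-fA-F]{8})|(?P<num>-?\d+))'
)
# msconfig\startupreg entries: date time size attrs path
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} +\d+ +\S+ +(?P<path>\S.*)$")
# Locations a standard user can write to: profile root, AppData, any Temp dir
USER_WRITABLE_RE = re.compile(r"\\users\\[^\\]+\\(?:appdata\\|[^\\]+$)|\\temp\\", re.IGNORECASE)

# (lower-case key suffix, lower-case value name) -> value that weakens the system.
# This list is an assumption of the example, chosen from what the log above shows.
WEAK_POLICY = {
    ("policies\\system", "enablelua"): 0,
    ("policies\\system", "consentpromptbehavioradmin"): 0,
    ("policies\\system", "promptonsecuredesktop"): 0,
    ("windowsupdate\\au", "noautoupdate"): 1,
    ("security center\\monitoring\\symantecantivirus", "disablemonitoring"): 1,
}


@dataclass
class Finding:
    category: str
    key: str
    name: str
    detail: str


def looks_random(stem: str) -> bool:
    """Heuristic (assumption): a long, all-lowercase, letters-only name with
    few vowels, e.g. 'vwhsfohz'. Real product names rarely look like that."""
    if len(stem) < 6 or not stem.isalpha() or not stem.islower():
        return False
    vowels = sum(ch in "aeiou" for ch in stem)
    return vowels / len(stem) < 0.25


def check_weak_policy(key, name, value, findings):
    for (suffix, vname), weak in WEAK_POLICY.items():
        if key.lower().endswith(suffix) and name.lower() == vname and value == weak:
            findings.append(Finding("weak_policy", key, name, f"{name}={value}"))


def check_autorun_target(key, name, path, findings):
    low = path.lower()
    if USER_WRITABLE_RE.search(low):
        findings.append(Finding("user_writable_autorun", key, name, path))
    if low.endswith(".dll") and "\\run" in key.lower():
        # A Run value can only launch an EXE directly; a bare DLL here is odd.
        findings.append(Finding("dll_in_run_key", key, name, path))
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if looks_random(stem):
        findings.append(Finding("random_filename", key, name, stem))


def triage(log_text: str) -> list:
    """Walk the log, remembering the current [key], and collect findings."""
    findings, key = [], ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = FILE_RE.match(line)
        if m:
            # startupreg entries list the target on its own line; the value
            # name is the last component of the key
            check_autorun_target(key, key.rsplit("\\", 1)[-1], m.group("path"), findings)
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        if m.group("path") is not None:
            check_autorun_target(key, m.group("name"), m.group("path"), findings)
        else:
            value = int(m.group("dword"), 16) if m.group("dword") else int(m.group("num"))
            check_weak_policy(key, m.group("name"), value, findings)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:22} {f.name:28} {f.detail}")
```

Run it as-is to see the sample triaged, or call `triage(open("ComboFix.txt").read())` on a saved log. On the sample it singles out the `Widcomm` Run value (a DLL with a random-looking name under AppData\Local, the same DLL the log shows loaded into Explorer.exe), the `wabEventSupport16` entry under AppData\Roaming, and the five weakened policy values, while leaving the legitimate Program Files, System32 and ProgramData entries alone. The heuristics are deliberately simple and will need tuning on other logs; they are a starting point for reading, not a verdict.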
 

johnb35

Administrator
Staff member
Go ahead and run the eset scan and post the results.

How is the system acting now?
 

pjoseph

Member
I am at 50% on the ESET scan.

So far it has found 2 infected files:

Threats found
Win32/TrojanDownloader.Tracur.V trojan
a variant of Win32/Injector.AHJT trojan

I am still getting that popup that I mentioned in post #9, but Malwarebytes keeps blocking it; it happens at least once a minute. Any idea what it is?

thanks again
 