

Connection issues with Vista, possible malware?


Re: Connection issues with Vista, possible malware?

Unread postby tequesta » September 25th, 2010, 2:41 pm

Please post the log, and we will go from there.
tequesta
Regular Member
 
Posts: 893
Joined: October 25th, 2008, 12:29 pm

Re: Connection issues with Vista, possible malware?

Unread postby Transien » September 25th, 2010, 8:15 pm

Never mind the last post. Could not find the file. Here is the entirety of the SystemLook logfile:

SystemLook 04.09.10 by jpshortstuff

Log created at 11:39 on 25/09/2010 by Tiffany

Administrator - Elevation successful



========== filefind ==========



Searching for "*dmlj.sys*"

No files found.



-= EOF =-

So, somehow the file disappeared. Just to be sure I scanned again with RKUnhooker and checked the new log. I couldn't find C:\Windows\System32\drivers\dmlj.sys on the new scan, nor any other, differently named file that used the same memory address (0x80544000). If you want to see the new log, let me know.

As for the state of my computer, I am sorry that I was too vague. I had, until a few days ago, partial connectivity with the computer through Internet Explorer, though Firefox wouldn't work at all. Sometimes IE would get hits, in which case it would work throughout the entire browsing session, and sometimes it would give me page load errors.

Then, a few days ago, even IE's spotty behavior quit. I cannot browse the internet through my laptop at all. I can run Windows Update, Apple Software Update, HP Update, or Adobe Update, but cannot update my antivirus software or programs such as Spywareblaster or Adaware. The connection issues coincided with me removing MyWebSearch from the computer, so I assumed that was the problem. However, now that you have me thinking, I realized that Windows Update ran around the same time I removed the offending program. Looking back at my update logs, I noticed that Vista SP2 was one of the updates installed. I know XP SP2 had a tendency to break a system if installed over malware. Does Vista SP2 have the same problem? Could that be our culprit?

If so, or if we run out of other options, I do have a system restore point for pre-SP2 on this computer. That is the earliest I have, though. I inherited it from my family and they, for some crazy reason, didn't have system restore enabled.

Anyway, I hope that clears things up for you. Again, sorry for the confusion. I sometimes skip vital steps when explaining things. Let me know if you have any more questions.

Still working on contacting my ISP about router issues. Will post as soon as I have an answer for you.

Darrel
Transien
Active Member
 
Posts: 14
Joined: September 17th, 2010, 9:27 pm

Re: Connection issues with Vista, possible malware?

Unread postby tequesta » September 26th, 2010, 7:56 am

Hello Darrel,

Let's try a few things before we go to the restore point.

Back Up registry with ERUNT

  • Please use the following link and download ERUNT to your desktop. HERE
  • Click on the erunt-setup.exe
  • Follow the prompts to install ERUNT
  • Choose language
  • A setup window will pop up. It will ask whether to create an ERUNT entry in the Startup folder; answer NO

    Image
  • Backup your registry to the default location

Note: To restore your registry (if needed), go to the folder and start ERDNT.exe


Next

Disable Avast

  • Right click on the avast! icon in system tray (looks like this: Image) and choose (Stop On-Access Protection)
  • Note: Don't forget to re-enable it after the fix.


Download and Run ComboFix

  • Please download ComboFix from one of the following links.

    Link 1.

    Link 2.

    **IMPORTANT !!! Save ComboFix.exe to your Desktop**
  • Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
  • Double click on ComboFix.exe & follow the prompts
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
Image
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Image

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Please post the ComboFix.txt

Thank you,

Tequesta
tequesta
Regular Member
 
Posts: 893
Joined: October 25th, 2008, 12:29 pm

Re: Connection issues with Vista, possible malware?

Unread postby Transien » September 26th, 2010, 3:14 pm

ComboFix 10-09-25.07 - Tiffany 09/26/2010 10:13:36.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2814.1635 [GMT -7:00]
Running from: c:\users\Tiffany\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\Uninstall
c:\program files\Common Files\Uninstall\PAV\Uninstall.lnk

.
((((((((((((((((((((((((( Files Created from 2010-08-26 to 2010-09-26 )))))))))))))))))))))))))))))))
.

2010-09-26 17:22 . 2010-09-26 17:22 -------- d-----w- c:\users\Tiffany\AppData\Local\temp
2010-09-26 17:22 . 2010-09-26 17:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-26 17:09 . 2010-09-26 17:09 -------- d-----w- c:\program files\ERUNT
2010-09-25 18:31 . 2010-09-25 18:32 -------- d-----w- c:\program files\Common Files\Adobe
2010-09-22 19:06 . 2010-09-22 19:06 -------- d-----w- c:\users\Tiffany\AppData\Local\Apple
2010-09-22 19:05 . 2010-09-25 18:31 -------- d-----w- c:\users\Tiffany\AppData\Local\Adobe
2010-09-22 17:57 . 2010-09-22 17:57 -------- d-----w- c:\program files\trend micro
2010-09-22 17:57 . 2010-09-22 17:57 -------- d-----w- C:\rsit
2010-09-22 17:48 . 2010-09-22 19:12 -------- d-----w- c:\users\Tiffany\AppData\Local\Apple Computer
2010-09-22 17:30 . 2010-09-22 17:30 -------- d-----w- c:\users\Tiffany\AppData\Roaming\Malwarebytes
2010-09-22 17:29 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-22 17:29 . 2010-09-22 17:29 -------- d-----w- c:\programdata\Malwarebytes
2010-09-22 17:29 . 2010-09-22 17:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-22 17:29 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-18 10:22 . 2010-09-18 10:22 -------- d-----w- c:\program files\Windows Portable Devices
2010-09-18 10:05 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2010-09-18 10:05 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2010-09-18 10:05 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2010-09-18 10:03 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-09-18 10:03 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-09-18 10:03 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-09-17 06:04 . 2010-09-07 14:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-17 06:04 . 2010-09-07 14:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-17 06:04 . 2010-09-07 14:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-17 06:04 . 2010-09-07 14:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-17 06:04 . 2010-09-07 14:47 50768 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-09-17 06:03 . 2010-09-07 15:12 38848 ----a-w- c:\windows\avastSS.scr
2010-09-17 06:03 . 2010-09-07 15:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-17 06:02 . 2010-09-17 06:02 -------- d-----w- c:\programdata\Alwil Software
2010-09-17 06:02 . 2010-09-17 06:02 -------- d-----w- c:\program files\Alwil Software
2010-09-17 03:01 . 2010-09-17 03:03 -------- d-----w- c:\windows\system32\ca-ES
2010-09-17 03:01 . 2010-09-17 03:02 -------- d-----w- c:\windows\system32\eu-ES
2010-09-17 03:01 . 2010-09-17 03:02 -------- d-----w- c:\windows\system32\vi-VN
2010-09-17 00:17 . 2010-09-17 00:17 -------- d-----w- c:\windows\system32\EventProviders
2010-09-16 23:28 . 2009-10-09 21:56 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2010-09-16 23:12 . 2009-10-16 23:06 1069056 ----a-w- c:\windows\system32\lxduserv.dll
2010-09-16 23:11 . 2009-10-16 23:06 651264 ----a-w- c:\windows\system32\lxdupmui.dll
2010-09-16 23:11 . 2009-10-16 23:06 376832 ----a-w- c:\windows\system32\lxducomm.dll
2010-09-16 23:11 . 2009-10-16 23:06 364544 ----a-w- c:\windows\system32\lxduinpa.dll
2010-09-16 23:11 . 2009-10-16 23:06 339968 ----a-w- c:\windows\system32\lxduiesc.dll
2010-09-16 23:11 . 2009-10-16 23:06 860160 ----a-w- c:\windows\system32\lxduusb1.dll
2010-09-16 23:11 . 2009-10-16 23:06 684032 ----a-w- c:\windows\system32\lxduhbn3.dll
2010-09-16 23:11 . 2009-10-16 23:06 364544 ----a-w- c:\windows\system32\lxducfg.exe
2010-09-16 23:11 . 2009-10-16 22:56 208896 ----a-w- c:\windows\system32\lxdugrd.dll
2010-09-16 23:11 . 2009-10-16 23:06 323584 ----a-w- c:\windows\system32\lxduih.exe
2010-09-16 23:05 . 2008-06-12 10:09 33088 ----a-w- c:\users\Tiffany\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-09-16 19:09 . 2010-09-16 19:09 -------- d-----w- c:\program files\QuickTime
2010-09-16 19:00 . 2009-05-18 20:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-09-16 19:00 . 2008-04-17 19:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-09-16 18:57 . 2010-09-16 18:57 -------- d-----w- c:\program files\iPod
2010-09-16 18:57 . 2010-09-16 18:59 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-09-16 18:57 . 2010-09-16 18:59 -------- d-----w- c:\program files\iTunes
2010-09-16 18:46 . 2010-09-16 18:46 -------- d-----w- c:\program files\Bonjour
2010-09-16 18:44 . 2010-09-16 18:44 -------- d-----w- c:\programdata\WindowsSearch
2010-09-16 18:35 . 2010-04-16 16:46 502272 ----a-w- c:\windows\system32\usp10.dll
2010-09-16 18:35 . 2010-08-17 14:11 128000 ----a-w- c:\windows\system32\spoolsv.exe
2010-09-16 18:35 . 2010-04-05 17:02 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
2010-09-16 18:34 . 2010-05-27 20:08 739328 ----a-w- c:\windows\system32\inetcomm.dll
2010-09-16 18:33 . 2010-09-16 18:33 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe
2010-09-16 18:05 . 2010-09-16 18:05 -------- d-----w- c:\users\Tiffany\AppData\Local\Mozilla
2010-09-16 17:52 . 2010-09-21 23:30 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-09-16 17:52 . 2010-09-16 17:52 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-09-16 17:51 . 2010-09-16 17:51 -------- d-----w- c:\program files\SpywareBlaster
2010-09-16 17:48 . 2010-09-16 17:48 -------- d-----w- c:\program files\CCleaner
2010-09-16 17:47 . 2010-08-12 12:15 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-09-16 17:47 . 2010-09-17 06:00 -------- dc-h--w- c:\programdata\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-09-16 17:47 . 2010-08-12 12:16 2979848 -c--a-w- c:\programdata\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.exe
2010-09-16 17:46 . 2010-09-16 17:48 -------- d-----w- c:\programdata\Lavasoft
2010-09-16 17:46 . 2010-09-16 17:46 -------- d-----w- c:\program files\Lavasoft
2010-09-10 22:36 . 2010-09-10 22:36 58760 ----a-w- C:\symlcsv1.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-26 17:10 . 2008-11-02 01:46 48461 ----a-w- c:\programdata\nvModes.dat
2010-09-22 17:48 . 2008-10-24 00:10 75832 ----a-w- c:\users\Tiffany\AppData\Local\GDIPFONTCACHEV1.DAT
2010-09-22 17:46 . 2010-07-01 03:33 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-18 10:22 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-09-18 10:22 . 2010-09-18 10:22 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2010-09-18 10:21 . 2010-09-18 10:21 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-09-17 06:07 . 2008-08-04 16:43 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-09-17 05:55 . 2008-08-04 16:43 -------- d-----w- c:\programdata\Symantec
2010-09-17 03:18 . 2008-12-19 01:45 -------- d-----w- c:\users\Tiffany\AppData\Roaming\Apple Computer
2010-09-17 03:03 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-09-17 03:03 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-09-17 03:03 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-09-17 03:03 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-09-17 03:03 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-09-17 03:03 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-09-17 03:03 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-09-17 02:49 . 2008-09-09 01:48 -------- d-----w- c:\programdata\NVIDIA
2010-09-17 00:11 . 2008-08-04 16:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-16 23:59 . 2008-08-04 16:27 -------- d-----w- c:\program files\Hewlett-Packard
2010-09-16 23:44 . 2008-11-16 02:19 -------- d-----w- c:\program files\Google
2010-09-16 23:26 . 2008-08-04 18:13 -------- d-----w- c:\programdata\Microsoft Help
2010-09-16 23:10 . 2008-10-24 00:03 -------- d-----w- c:\programdata\Viewpoint
2010-09-16 22:56 . 2008-08-04 18:37 -------- d-----w- c:\program files\Yahoo!
2010-09-16 19:21 . 2008-08-04 18:49 -------- d-----w- c:\program files\Java
2010-09-16 19:12 . 2010-07-01 03:32 -------- d-----w- c:\program files\Bing Bar Installer
2010-09-16 18:57 . 2008-12-19 01:41 -------- d-----w- c:\program files\Common Files\Apple
2010-09-07 22:40 . 2010-04-29 01:30 1819504 ----a-w- c:\programdata\Norton\NUA.exe
2010-08-31 01:06 . 2009-06-15 13:01 7808 ----a-w- c:\users\Tiffany\AppData\Local\d3d9caps.dat
2010-08-28 01:08 . 2010-04-29 01:30 -------- d-----w- c:\programdata\Norton
2010-08-24 02:54 . 2008-12-27 02:35 -------- d-----w- c:\program files\Symantec
2010-08-24 02:54 . 2008-12-27 02:35 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-08-24 02:54 . 2008-08-04 16:44 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-08-24 02:54 . 2008-08-04 16:44 10635 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-08-21 19:30 . 2010-08-21 19:30 226650 ----a-w- c:\programdata\SPL99FE.tmp
2010-08-21 18:58 . 2010-08-21 18:58 226650 ----a-w- c:\programdata\SPLCF9E.tmp
2010-08-21 15:47 . 2010-08-21 15:47 268945 ----a-w- c:\programdata\SPL12F3.tmp
2010-08-21 03:21 . 2010-08-21 03:21 268945 ----a-w- c:\programdata\SPL7625.tmp
2010-08-14 04:00 . 2008-08-04 17:50 -------- d-----w- c:\program files\Microsoft Works
2010-07-28 01:44 . 2010-07-28 01:44 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-28 01:44 . 2010-07-28 01:44 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-07-28 01:44 . 2010-07-28 01:44 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-07-16 02:30 . 2010-07-16 02:30 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2010-07-16 01:53 . 2010-07-16 01:52 23089 ----a-w- c:\windows\hpqins15.dat
2010-07-16 01:27 . 2010-07-16 01:27 118906 ----a-w- c:\programdata\SPL5918.tmp
2010-07-15 01:05 . 2010-07-15 01:05 118906 ----a-w- c:\programdata\SPL5DCD.tmp
2008-08-04 15:03 . 2008-08-04 15:03 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-12-24 222504]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-06-12 468264]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-09 47904]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-08-28 122368]
"Norton Online Backup"="c:\program files\Symantec\Norton Online Backup\NOBuClient.exe" [2010-06-08 968536]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Auto Detect.lnk - c:\program files\iConcepts Music Express\MEAutoDetect.exe [2010-2-7 374104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 135664]
R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-01-15 204800]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-08-12 1355416]
R3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\DRIVERS\PTDUBus.sys [2008-03-11 29824]
R3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\DRIVERS\PTDUMdm.sys [2008-03-11 41344]
R3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\DRIVERS\PTDUVsp.sys [2008-03-11 39936]
R3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\DRIVERS\PTDUWWAN.sys [2008-03-11 59776]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-08-12 64288]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]
S2 lxdu_device;lxdu_device;c:\windows\system32\lxducoms.exe [2009-10-16 589824]
S2 lxduCATSCustConnectService;lxduCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxduserv.exe [2009-10-16 94208]
S2 NOBU;Norton Online Backup;c:\program files\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe [2008-04-26 361808]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-05-09 43040]
S3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\SYMNDISV.SYS [2009-02-19 41008]


--- Other Services/Drivers In Memory ---

*Deregistered* - Normandy

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-02-26 21:06 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-09-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 03:29]

2010-09-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 03:29]

2010-09-25 c:\windows\Tasks\User_Feed_Synchronization-{FACDD4D7-6EBC-471A-A725-DA0B4DB147F9}.job
- c:\windows\system32\msfeedssync.exe [2010-08-12 04:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... on&pf=cnnb
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\users\Tiffany\AppData\Roaming\Mozilla\Firefox\Profiles\hw7xbn9f.default\
FF - prefs.js: browser.search.selectedEngine - My Web Search
FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsear ... searchfor=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-hpqSRMon - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-26 10:22
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e9,d3,e2,30,40,42,15,46,a3,79,02,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e9,d3,e2,30,40,42,15,46,a3,79,02,\

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-09-26 10:26:51
ComboFix-quarantined-files.txt 2010-09-26 17:26

Pre-Run: 221,997,453,312 bytes free
Post-Run: 221,934,870,528 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 5E9DB3A9467BADA9E3715347E6C3F55A
Transien
Active Member
 
Posts: 14
Joined: September 17th, 2010, 9:27 pm
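The ComboFix log above mixes several record types (the "Files Created" lines, the Run-key loading points, and the service/driver list) that a helper reads by eye. As an added example, not part of the thread and not ComboFix's own code, the Python below parses those three line formats and applies the same first-pass triage a helper does: recently created kernel drivers, Run entries pointing outside Program Files or Windows, and services whose file is missing (the `[x]` marker). The sample text is a constructed excerpt of the log posted in the thread plus one made-up Run entry (`Updater`) so the second check has something to flag; the reference time and seven-day window are assumptions.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix's own code).

Record formats handled, as they appear in the posted log:
  Files Created:  <created> . <modified> <size|--------> <attrs> <path>
  Run key:        "<name>"="<path>" [<date> <size>]
  Service/driver: <R|S><n> <name>;<display>;<path> [<date> <size>]   or   [x]
"""
import re
from collections import namedtuple
from datetime import datetime

FileEntry = namedtuple("FileEntry", "created modified size attrs path")
RunEntry = namedtuple("RunEntry", "name path")
ServiceEntry = namedtuple("ServiceEntry", "state name path missing")

FILE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(\d+|-{8}) ([-a-z]{8}) (.+)$")
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)" \[(\d{4}-\d\d-\d\d) (\d+)\]$')
SVC_RE = re.compile(
    r"^([RS]\d) ([^;]+);([^;]*);(.*?)\s*(\[x\]|\[\d{4}-\d\d-\d\d \d+\])$")

# Constructed excerpt: first seven lines are copied from the thread's log, the
# "Updater" Run entry is invented to exercise the path check.
SAMPLE_LOG = r"""
2010-09-22 17:29 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-22 17:29 . 2010-09-22 17:29 -------- d-----w- c:\programdata\Malwarebytes
2010-09-17 06:04 . 2010-09-07 14:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
S1 aswSP;aswSP; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]
S2 NOBU;Norton Online Backup;c:\program files\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]
"Updater"="c:\users\Tiffany\AppData\Roaming\updater.exe" [2010-09-20 12345]
"""

# Assumed reference time: the log's own completion stamp (UTC, per the GMT -7 header).
LOG_TIME = datetime(2010, 9, 26, 17, 26)
TRUSTED_RUN_PREFIXES = ("c:\\program files", "c:\\windows")


def parse_combofix(text):
    """Split log text into file, run-key and service records; other lines are ignored."""
    files, runs, services = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            created, modified, size, attrs, path = m.groups()
            files.append(FileEntry(
                datetime.strptime(created, "%Y-%m-%d %H:%M"),
                datetime.strptime(modified, "%Y-%m-%d %H:%M"),
                None if size.startswith("-") else int(size),  # directories carry no size
                attrs, path))
            continue
        m = RUN_RE.match(line)
        if m:
            runs.append(RunEntry(m.group(1), m.group(2)))
            continue
        m = SVC_RE.match(line)
        if m:
            state, name, _display, path, tail = m.groups()
            services.append(ServiceEntry(state, name, path or None, tail == "[x]"))
    return files, runs, services


def triage(files, runs, services, log_time=LOG_TIME, recent_days=7):
    """Return (category, detail) findings a helper would look at first."""
    findings = []
    for f in files:
        # A .sys file created within the window is a new kernel driver; worth a look.
        if f.size is not None and f.path.lower().endswith(".sys") \
                and (log_time - f.created).days <= recent_days:
            findings.append(("new-driver", f.path))
    for r in runs:
        # Autostart entries living under a user profile are unusual for legitimate software.
        if not r.path.lower().startswith(TRUSTED_RUN_PREFIXES):
            findings.append(("run-outside-program-files", r.path))
    for s in services:
        if s.missing:  # registered service whose binary ComboFix could not find
            findings.append(("service-file-missing", s.name))
    return findings


def triage_log(text, log_time=LOG_TIME):
    return triage(*parse_combofix(text), log_time=log_time)


if __name__ == "__main__":
    for category, detail in triage_log(SAMPLE_LOG):
        print(f"{category:28} {detail}")
```

A flagged entry is a prompt to check the file's signature and origin, not a verdict: in the thread's own log both flagged drivers (`mbamswissarmy.sys`, `aswSP.sys`) belong to Malwarebytes and avast!, and the `[x]` on `aswSP` is the expected result of the helper's earlier instruction to stop avast!'s on-access protection.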

Re: Connection issues with Vista, possible malware?

Unread postby tequesta » September 27th, 2010, 2:49 pm

Hello Darrel,

ComboFix - CFScript
This script is for this user and computer ONLY! Using this tool incorrectly could cause problems with your operating system... preventing it from ever starting again!
You will not have Internet access when you execute ComboFix. All open windows will need to be closed!
  1. Please open Notepad and copy/paste all the text below... into the window:
    Folder::
    C:\Program Files\oovootb
    C:\Program Files\PlaySushi
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000000
    
    RegLock::
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    
    
  2. Save it to your desktop as CFScript.txt
  3. Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
    *Only* when the 2 items above (Step 3) have been taken care of...
  4. Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:
    Image
    This will cause ComboFix to run again.
    Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
    Do Not touch your computer when ComboFix is running!
  5. When finished ComboFix will create a log file... you can save this file to a convenient place.
Please copy/paste the ComboFix log file in your next reply.

Now please try to go online and

ESET NOD32 Online Scan
Vista - W7 users: You will need to right-click on the IE or FF icons on the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.
Note: If using Mozilla Firefox you will need to download "esetsmartinstaller_enu.exe" when prompted... then double click on it to install.
Please temporarily disable your Anti-virus real-time protection. If active, it could impact the online scan.
Please go to ESET Online Scanner - © ESET All Rights Reserved... to run an online scan.
** Make sure you are using an account that has Administrative privileges **
    Press the "ESET Online Scanner" button.
  1. Check the box next to "YES, I accept the Terms of Use."
  2. Click "Start"... a window will open... it may appear nothing is happening... please be patient.
  3. Click Yes... at the run ActiveX prompt. Click Install... at the install ActiveX prompt.
    Once installed, the scanner will be initialized.
  4. Click "Start". Make sure that the options:
    • Remove found threats is UNCHECKED
    • Leave the "default" settings under Advanced as they are; if not set, please check:
      • Scan for potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth Technology
  5. Click "Start"... ESET scanner will begin to download the virus signatures database.
    When the signatures have been downloaded, the scan will start automatically.
  6. Wait for the scan to finish... it may take a while... please be patient. When the scan is finished...
  7. Use Notepad to open the log file located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  8. Copy and paste the contents of log.txt in your next reply.
Remember to enable your Anti-virus protection... before continuing!

Please post the combofix log and the eset log.

Thanks

Tequesta
tequesta
Regular Member
 
Posts: 893
Joined: October 25th, 2008, 12:29 pm
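The CFScript in the post above is a plain-text file of directive blocks: a line ending in `::` names a directive (`Folder::`, `Registry::`, `RegLock::`) and the lines beneath it, up to the next directive, are its arguments. As an added example that is not ComboFix's own parser, the Python below reads such a script and reports what it would do before anyone drags it onto ComboFix.exe: the folders it deletes, the registry values it sets, and the keys it unlocks, with a warning for any `Folder::` target under a system location or at a drive root. The directive grammar beyond the three directives used in the post, the protected-prefix list, and the second "bad" script are assumptions; the first sample script is the one posted in the thread.

```python
"""Pre-flight reader for a ComboFix CFScript (added example; not ComboFix's own code).

Assumed grammar: a line matching '<Name>::' opens a directive; non-blank lines
below it belong to that directive until the next one.  Registry:: arguments
use REGEDIT syntax ([key] then "name"=value); Folder:: and RegLock:: take one
path or key per line.
"""
import re

DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)::$")
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')
KNOWN = {"Folder", "Registry", "RegLock"}

# Assumed list of locations a Folder:: deletion should never point into.
PROTECTED_PREFIXES = (r"c:\windows", r"c:\users", r"c:\program files\common files")

# The script posted in the thread.
SAMPLE_SCRIPT = r"""
Folder::
C:\Program Files\oovootb
C:\Program Files\PlaySushi

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
"""

# Constructed script with a target the reviewer should refuse; not from the thread.
BAD_SCRIPT = r"""
Folder::
C:\Windows\System32
"""


def parse_cfscript(text):
    """Return {directive: [argument lines]} in order of first appearance."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"argument before any directive: {line!r}")
        else:
            sections[current].append(line)
    return sections


def registry_edits(lines):
    """Turn Registry:: lines into (key, value name, value data) triples."""
    edits, key = [], None
    for line in lines:
        m = REG_KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = REG_VALUE_RE.match(line)
        if m and key:
            edits.append((key, m.group(1), m.group(2)))
    return edits


def review(text):
    """Summarise the script's effects and flag Folder:: targets that look dangerous."""
    s = parse_cfscript(text)
    folders = s.get("Folder", [])
    unlocks = [REG_KEY_RE.match(l).group(1) for l in s.get("RegLock", []) if REG_KEY_RE.match(l)]
    warnings = [f for f in folders
                if f.lower().startswith(PROTECTED_PREFIXES) or len(f.rstrip("\\")) <= 3]
    return {
        "folders": folders,
        "registry": registry_edits(s.get("Registry", [])),
        "reglock": unlocks,
        "warnings": warnings,
        "unknown": sorted(set(s) - KNOWN),  # directives this reader does not understand
    }


if __name__ == "__main__":
    for name, script in (("posted script", SAMPLE_SCRIPT), ("constructed bad script", BAD_SCRIPT)):
        r = review(script)
        print(name, "-> delete:", r["folders"], "| set:", r["registry"],
              "| unlock:", len(r["reglock"]), "keys | WARNINGS:", r["warnings"])
```

The `Registry::` line in the posted script restores `DisableMonitoring` to 0 under the Security Center `Monitoring` key, reversing the value the first ComboFix log showed set to 1; the `RegLock::` entries are exactly the keys that log listed under LOCKED REGISTRY KEYS, which is the kind of correspondence this review step lets a reader confirm before running the script.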

Re: Connection issues with Vista, possible malware?

Unread postby Transien » September 27th, 2010, 5:34 pm

Okay, still no dice with internet access. I ran the CFScript you gave me, but cannot access ESET to do an online scan. Here is my ComboFix log.

ComboFix 10-09-25.07 - Tiffany 09/27/2010 13:20:08.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2814.1628 [GMT -7:00]
Running from: c:\users\Tiffany\Desktop\ComboFix.exe
Command switches used :: c:\users\Tiffany\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-08-27 to 2010-09-27 )))))))))))))))))))))))))))))))
.

2010-09-27 20:28 . 2010-09-27 20:28 -------- d-----w- c:\users\Tiffany\AppData\Local\temp
2010-09-27 20:28 . 2010-09-27 20:28 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-09-27 20:28 . 2010-09-27 20:28 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-26 17:09 . 2010-09-26 17:09 -------- d-----w- c:\program files\ERUNT
2010-09-25 18:31 . 2010-09-25 18:32 -------- d-----w- c:\program files\Common Files\Adobe
2010-09-22 19:06 . 2010-09-22 19:06 -------- d-----w- c:\users\Tiffany\AppData\Local\Apple
2010-09-22 19:05 . 2010-09-25 18:31 -------- d-----w- c:\users\Tiffany\AppData\Local\Adobe
2010-09-22 17:57 . 2010-09-22 17:57 -------- d-----w- c:\program files\trend micro
2010-09-22 17:57 . 2010-09-22 17:57 -------- d-----w- C:\rsit
2010-09-22 17:48 . 2010-09-22 19:12 -------- d-----w- c:\users\Tiffany\AppData\Local\Apple Computer
2010-09-22 17:30 . 2010-09-22 17:30 -------- d-----w- c:\users\Tiffany\AppData\Roaming\Malwarebytes
2010-09-22 17:29 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-22 17:29 . 2010-09-22 17:29 -------- d-----w- c:\programdata\Malwarebytes
2010-09-22 17:29 . 2010-09-22 17:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-22 17:29 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-18 10:22 . 2010-09-18 10:22 -------- d-----w- c:\program files\Windows Portable Devices
2010-09-18 10:05 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2010-09-18 10:05 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2010-09-18 10:05 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2010-09-18 10:03 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-09-18 10:03 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-09-18 10:03 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-09-17 06:04 . 2010-09-07 14:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-17 06:04 . 2010-09-07 14:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-17 06:04 . 2010-09-07 14:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-17 06:04 . 2010-09-07 14:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-17 06:04 . 2010-09-07 14:47 50768 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-09-17 06:03 . 2010-09-07 15:12 38848 ----a-w- c:\windows\avastSS.scr
2010-09-17 06:03 . 2010-09-07 15:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-17 06:02 . 2010-09-17 06:02 -------- d-----w- c:\programdata\Alwil Software
2010-09-17 06:02 . 2010-09-17 06:02 -------- d-----w- c:\program files\Alwil Software
2010-09-17 03:01 . 2010-09-17 03:03 -------- d-----w- c:\windows\system32\ca-ES
2010-09-17 03:01 . 2010-09-17 03:02 -------- d-----w- c:\windows\system32\eu-ES
2010-09-17 03:01 . 2010-09-17 03:02 -------- d-----w- c:\windows\system32\vi-VN
2010-09-17 00:17 . 2010-09-17 00:17 -------- d-----w- c:\windows\system32\EventProviders
2010-09-16 23:28 . 2009-10-09 21:56 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2010-09-16 23:12 . 2009-10-16 23:06 1069056 ----a-w- c:\windows\system32\lxduserv.dll
2010-09-16 23:11 . 2009-10-16 23:06 651264 ----a-w- c:\windows\system32\lxdupmui.dll
2010-09-16 23:11 . 2009-10-16 23:06 376832 ----a-w- c:\windows\system32\lxducomm.dll
2010-09-16 23:11 . 2009-10-16 23:06 364544 ----a-w- c:\windows\system32\lxduinpa.dll
2010-09-16 23:11 . 2009-10-16 23:06 339968 ----a-w- c:\windows\system32\lxduiesc.dll
2010-09-16 23:11 . 2009-10-16 23:06 860160 ----a-w- c:\windows\system32\lxduusb1.dll
2010-09-16 23:11 . 2009-10-16 23:06 684032 ----a-w- c:\windows\system32\lxduhbn3.dll
2010-09-16 23:11 . 2009-10-16 23:06 364544 ----a-w- c:\windows\system32\lxducfg.exe
2010-09-16 23:11 . 2009-10-16 22:56 208896 ----a-w- c:\windows\system32\lxdugrd.dll
2010-09-16 23:11 . 2009-10-16 23:06 323584 ----a-w- c:\windows\system32\lxduih.exe
2010-09-16 23:05 . 2008-06-12 10:09 33088 ----a-w- c:\users\Tiffany\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-09-16 19:09 . 2010-09-16 19:09 -------- d-----w- c:\program files\QuickTime
2010-09-16 19:00 . 2009-05-18 20:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-09-16 19:00 . 2008-04-17 19:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-09-16 18:57 . 2010-09-16 18:57 -------- d-----w- c:\program files\iPod
2010-09-16 18:57 . 2010-09-16 18:59 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-09-16 18:57 . 2010-09-16 18:59 -------- d-----w- c:\program files\iTunes
2010-09-16 18:46 . 2010-09-16 18:46 -------- d-----w- c:\program files\Bonjour
2010-09-16 18:44 . 2010-09-16 18:44 -------- d-----w- c:\programdata\WindowsSearch
2010-09-16 18:35 . 2010-04-16 16:46 502272 ----a-w- c:\windows\system32\usp10.dll
2010-09-16 18:35 . 2010-08-17 14:11 128000 ----a-w- c:\windows\system32\spoolsv.exe
2010-09-16 18:35 . 2010-04-05 17:02 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
2010-09-16 18:34 . 2010-05-27 20:08 739328 ----a-w- c:\windows\system32\inetcomm.dll
2010-09-16 18:33 . 2010-09-16 18:33 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe
2010-09-16 18:05 . 2010-09-16 18:05 -------- d-----w- c:\users\Tiffany\AppData\Local\Mozilla
2010-09-16 17:52 . 2010-09-21 23:30 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-09-16 17:52 . 2010-09-16 17:52 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-09-16 17:51 . 2010-09-16 17:51 -------- d-----w- c:\program files\SpywareBlaster
2010-09-16 17:48 . 2010-09-16 17:48 -------- d-----w- c:\program files\CCleaner
2010-09-16 17:47 . 2010-08-12 12:15 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-09-16 17:47 . 2010-09-17 06:00 -------- dc-h--w- c:\programdata\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-09-16 17:47 . 2010-08-12 12:16 2979848 -c--a-w- c:\programdata\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.exe
2010-09-16 17:46 . 2010-09-16 17:48 -------- d-----w- c:\programdata\Lavasoft
2010-09-16 17:46 . 2010-09-16 17:46 -------- d-----w- c:\program files\Lavasoft
2010-09-10 22:36 . 2010-09-10 22:36 58760 ----a-w- C:\symlcsv1.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-27 20:17 . 2008-11-02 01:46 48461 ----a-w- c:\programdata\nvModes.dat
2010-09-22 17:48 . 2008-10-24 00:10 75832 ----a-w- c:\users\Tiffany\AppData\Local\GDIPFONTCACHEV1.DAT
2010-09-22 17:46 . 2010-07-01 03:33 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-18 10:22 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-09-18 10:22 . 2010-09-18 10:22 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2010-09-18 10:21 . 2010-09-18 10:21 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-09-17 06:07 . 2008-08-04 16:43 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-09-17 05:55 . 2008-08-04 16:43 -------- d-----w- c:\programdata\Symantec
2010-09-17 03:18 . 2008-12-19 01:45 -------- d-----w- c:\users\Tiffany\AppData\Roaming\Apple Computer
2010-09-17 03:03 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-09-17 03:03 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-09-17 03:03 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-09-17 03:03 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-09-17 03:03 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-09-17 03:03 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-09-17 03:03 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-09-17 02:49 . 2008-09-09 01:48 -------- d-----w- c:\programdata\NVIDIA
2010-09-17 00:11 . 2008-08-04 16:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-16 23:59 . 2008-08-04 16:27 -------- d-----w- c:\program files\Hewlett-Packard
2010-09-16 23:44 . 2008-11-16 02:19 -------- d-----w- c:\program files\Google
2010-09-16 23:26 . 2008-08-04 18:13 -------- d-----w- c:\programdata\Microsoft Help
2010-09-16 23:10 . 2008-10-24 00:03 -------- d-----w- c:\programdata\Viewpoint
2010-09-16 22:56 . 2008-08-04 18:37 -------- d-----w- c:\program files\Yahoo!
2010-09-16 19:21 . 2008-08-04 18:49 -------- d-----w- c:\program files\Java
2010-09-16 19:12 . 2010-07-01 03:32 -------- d-----w- c:\program files\Bing Bar Installer
2010-09-16 18:57 . 2008-12-19 01:41 -------- d-----w- c:\program files\Common Files\Apple
2010-09-07 22:40 . 2010-04-29 01:30 1819504 ----a-w- c:\programdata\Norton\NUA.exe
2010-08-31 01:06 . 2009-06-15 13:01 7808 ----a-w- c:\users\Tiffany\AppData\Local\d3d9caps.dat
2010-08-28 01:08 . 2010-04-29 01:30 -------- d-----w- c:\programdata\Norton
2010-08-24 02:54 . 2008-12-27 02:35 -------- d-----w- c:\program files\Symantec
2010-08-24 02:54 . 2008-12-27 02:35 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-08-24 02:54 . 2008-08-04 16:44 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-08-24 02:54 . 2008-08-04 16:44 10635 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-08-21 19:30 . 2010-08-21 19:30 226650 ----a-w- c:\programdata\SPL99FE.tmp
2010-08-21 18:58 . 2010-08-21 18:58 226650 ----a-w- c:\programdata\SPLCF9E.tmp
2010-08-21 15:47 . 2010-08-21 15:47 268945 ----a-w- c:\programdata\SPL12F3.tmp
2010-08-21 03:21 . 2010-08-21 03:21 268945 ----a-w- c:\programdata\SPL7625.tmp
2010-08-14 04:00 . 2008-08-04 17:50 -------- d-----w- c:\program files\Microsoft Works
2010-07-28 01:44 . 2010-07-28 01:44 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-28 01:44 . 2010-07-28 01:44 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-07-28 01:44 . 2010-07-28 01:44 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-07-16 02:30 . 2010-07-16 02:30 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2010-07-16 01:53 . 2010-07-16 01:52 23089 ----a-w- c:\windows\hpqins15.dat
2010-07-16 01:27 . 2010-07-16 01:27 118906 ----a-w- c:\programdata\SPL5918.tmp
2010-07-15 01:05 . 2010-07-15 01:05 118906 ----a-w- c:\programdata\SPL5DCD.tmp
2008-08-04 15:03 . 2008-08-04 15:03 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-12-24 222504]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-06-12 468264]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-09 47904]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-08-28 122368]
"Norton Online Backup"="c:\program files\Symantec\Norton Online Backup\NOBuClient.exe" [2010-06-08 968536]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Auto Detect.lnk - c:\program files\iConcepts Music Express\MEAutoDetect.exe [2010-2-7 374104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 135664]
R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-01-15 204800]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-08-12 1355416]
R3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\DRIVERS\PTDUBus.sys [2008-03-11 29824]
R3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\DRIVERS\PTDUMdm.sys [2008-03-11 41344]
R3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\DRIVERS\PTDUVsp.sys [2008-03-11 39936]
R3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\DRIVERS\PTDUWWAN.sys [2008-03-11 59776]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-08-12 64288]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]
S2 lxdu_device;lxdu_device;c:\windows\system32\lxducoms.exe [2009-10-16 589824]
S2 lxduCATSCustConnectService;lxduCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxduserv.exe [2009-10-16 94208]
S2 NOBU;Norton Online Backup;c:\program files\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe [2008-04-26 361808]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-05-09 43040]
S3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\SYMNDISV.SYS [2009-02-19 41008]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-02-26 21:06 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-09-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 03:29]

2010-09-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 03:29]

2010-09-27 c:\windows\Tasks\User_Feed_Synchronization-{FACDD4D7-6EBC-471A-A725-DA0B4DB147F9}.job
- c:\windows\system32\msfeedssync.exe [2010-08-12 04:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... on&pf=cnnb
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\users\Tiffany\AppData\Roaming\Mozilla\Firefox\Profiles\hw7xbn9f.default\
FF - prefs.js: browser.search.selectedEngine - My Web Search
FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsear ... searchfor=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-27 13:28
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-09-27 13:33:48
ComboFix-quarantined-files.txt 2010-09-27 20:33
ComboFix2.txt 2010-09-26 17:26

Pre-Run: 222,053,126,144 bytes free
Post-Run: 222,002,417,664 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - CB123791CBB797F7E5713AF9E3F39705
Transien
Active Member
 
Posts: 14
Joined: September 17th, 2010, 9:27 pm

Re: Connection issues with Vista, possible malware?

Unread postby tequesta » September 28th, 2010, 10:59 am

Hello Darrel,

Please delete the Combofix Qoobox folders and the Combofix.txt file from C:\
Now delete Combofix.exe from your desktop.

OTC

Download OTC by Old Timer and save it to your Desktop. This tool will remove all the tools we used to clean your pc.

  • Right click OTC.exe and select "Run as administrator" to run it.
  • Click the CleanUp! button
  • Select Yes when the "Begin cleanup Process?" prompt appears
  • If you are prompted to Reboot during the cleanup, select Yes
  • The tool will delete itself once it finishes; if not, delete it yourself

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    Please delete any tools we downloaded and used that still remain on your Desktop.

The problems you are still experiencing are not caused by malware, as all of your latest logs have come back clean.
Malware Removal is a dedicated Malware Removal site, and I think your issues are best left to experts elsewhere.
Here are some excellent Tech sites (in no particular order) that may be able to help with your problems:


So as I said above your logs are clean, I hope you can resolve your other problem with the links that I provided.

Thank you,

Tequesta
tequesta
Regular Member
 
Posts: 893
Joined: October 25th, 2008, 12:29 pm

Re: Connection issues with Vista, possible malware?

Unread postby Transien » September 28th, 2010, 4:19 pm

Thanks for the help! It is too bad we couldn't fix the system here, but I'll manage it somehow.

You were awesome though :cheers:
Transien
Active Member
 
Posts: 14
Joined: September 17th, 2010, 9:27 pm

Re: Connection issues with Vista, possible malware?

Unread postby Gary R » September 29th, 2010, 7:58 am

This topic is now closed.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire