PDA

View Full Version : Obvious Infection - requesting help



livinglifewell
2011-12-21, 21:44
I'm in possession of my brother's laptop which has been suffering browser redirects, popups, slow browsing, and spoof-programs. I am attempting to clean the problems for him.

As a preface I attempted to scan and "fix" the issues with Ad-Aware Free, Norton, Malwarebyte's Anti-Malware, and WinPatrol. I'm mentioning this because the FAQ recommended listing any attempts to clean before posting here.

I backed up my registry with ERUNT.

DDS Log:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Brook at 12:50:41 on 2011-12-21
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.5611.4203 [GMT -6:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k WbioSvcGroup
C:\Program Files\IDT\WDM\AESTSr64.exe
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\SysWOW64\ezSharedSvcHost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe
C:\Windows\system32\Dwm.exe
C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Users\Brook\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Brook\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Brook\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Brook\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Brook\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.iminent.com/?appId=BD461244-FBB9-48B6-AA2B-9A9D36311D6F
uInternet Settings,ProxyServer = http=127.0.0.1:58404
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\adawaretb\adawareDx.dll
BHO: TrueSuite Website Log On: {8590886e-ec8c-43c1-a32c-e4c2b0b6395b} - C:\Program Files (x86)\HP SimplePass 2011\IEBHO.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\adawaretb\adawareDx.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {977AE9CC-AF83-45E8-9E03-E2798216E2D5} - No File
uRun: [Google Update] "C:\Users\Brook\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
StartupFolder: C:\Users\Brook\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ERUNTA~1.LNK - C:\Program Files (x86)\ERUNT\AUTOBACK.EXE
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
mPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: DhcpNameServer = 192.168.137.13
TCP: Interfaces\{6B840670-1293-4244-B948-6537F25A11EE} : DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{B633A733-BA5F-4F7B-9C8F-3C4444F8AA94} : DhcpNameServer = 192.168.137.13
TCP: Interfaces\{B633A733-BA5F-4F7B-9C8F-3C4444F8AA94}\8686F6E6F62737 : DhcpNameServer = 4.2.2.2 12.127.16.68 12.127.16.67
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\adawaretb\adawareDx.dll
BHO-X64: Ad-Aware Security Toolbar - No File
BHO-X64: TrueSuite Website Log On: {8590886E-EC8C-43C1-A32C-E4C2B0B6395B} - C:\Program Files (x86)\HP SimplePass 2011\IEBHO.dll
BHO-X64: TSBHO Class - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\adawaretb\adawareDx.dll
TB-X64: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB-X64: {977AE9CC-AF83-45E8-9E03-E2798216E2D5} - No File
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
.
============= SERVICES / DRIVERS ===============
.
R0 amd_sata;amd_sata;C:\Windows\system32\DRIVERS\amd_sata.sys --> C:\Windows\system32\DRIVERS\amd_sata.sys [?]
R0 amd_xata;amd_xata;C:\Windows\system32\DRIVERS\amd_xata.sys --> C:\Windows\system32\DRIVERS\amd_xata.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2011-11-20 89600]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-4-2 365568]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
R2 ezSharedSvc;Easybits Services for Windows;C:\Windows\System32\ezSharedSvcHost.exe [2011-4-28 514232]
R2 FPLService;TrueSuiteService;C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe [2011-2-17 265544]
R2 HPAuto;HP Auto;C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe [2011-2-16 682040]
R2 HPClientSvc;HP Client Services;C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-10-11 346168]
R2 hpsrv;HP Service;C:\Windows\system32\Hpservice.exe --> C:\Windows\system32\Hpservice.exe [?]
R2 IconMan_R;IconMan_R;C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2011-6-8 2375168]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-9-14 508264]
R3 amdhub30;AMD USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\amdhub30.sys --> C:\Windows\system32\DRIVERS\amdhub30.sys [?]
R3 amdiox64;AMD IO Driver;C:\Windows\system32\DRIVERS\amdiox64.sys --> C:\Windows\system32\DRIVERS\amdiox64.sys [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 amdxhc;AMD USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\amdxhc.sys --> C:\Windows\system32\DRIVERS\amdxhc.sys [?]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
R3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\system32\DRIVERS\netr28x.sys --> C:\Windows\system32\DRIVERS\netr28x.sys [?]
R3 RSPCIESTOR;Realtek PCIE CardReader Driver;C:\Windows\system32\DRIVERS\RtsPStor.sys --> C:\Windows\system32\DRIVERS\RtsPStor.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys --> C:\Windows\system32\DRIVERS\Sftfslh.sys [?]
R3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys --> C:\Windows\system32\DRIVERS\Sftplaylh.sys [?]
R3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys --> C:\Windows\system32\DRIVERS\Sftredirlh.sys [?]
R3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys --> C:\Windows\system32\DRIVERS\Sftvollh.sys [?]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-9-14 219496]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys --> C:\Windows\system32\DRIVERS\usbfilter.sys [?]
RUnknown SymIRON;SymIRON; [x]
RUnknown SymNetS;SymNetS; [x]
S2 AdvancedSystemCareService5;Advanced SystemCare Service 5;C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCService.exe [2011-12-17 494424]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;C:\Program Files (x86)\Lavasoft\Ad-Aware\kernexplorer64.sys [2011-12-17 17152]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
SUnknown EraserUtilRebootDrv;EraserUtilRebootDrv; [x]
.
=============== Created Last 30 ================
.
2011-12-19 03:46:47 -------- d-----w- C:\ProgramData\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
2011-12-19 03:01:35 -------- d-sh--w- C:\Windows\SysWow64\AI_RecycleBin
2011-12-19 03:01:32 -------- d-----w- C:\Program Files (x86)\Fliptoast
2011-12-19 03:01:24 -------- d-----w- C:\Users\Brook\AppData\Local\Adobe
2011-12-19 03:00:51 -------- d-----w- C:\Users\Brook\Tracing
2011-12-19 02:59:49 -------- d-----w- C:\Users\Brook\AppData\Local\PackageAware
2011-12-19 02:59:22 -------- d-----w- C:\Users\Brook\AppData\Local\WeatherBug
2011-12-19 02:59:21 -------- d-----w- C:\Users\Brook\AppData\Roaming\WeatherBug
2011-12-19 02:59:19 18944 ----a-r- C:\Users\Brook\AppData\Roaming\Microsoft\Installer\{8F018A9E-56DE-4A79-A5EF-25F413F1D538}\IconBB6A16301.exe
2011-12-19 02:53:58 -------- d-----w- C:\Program Files (x86)\Shop To Win
2011-12-19 01:01:24 -------- d-----w- C:\Users\Brook\AppData\Roaming\Tific
2011-12-19 01:01:23 -------- d-----w- C:\Users\Brook\AppData\Local\Symantec
2011-12-19 01:00:35 -------- d-----w- C:\Program Files (x86)\Norton AntiVirus
2011-12-18 21:33:15 -------- d-----w- C:\ProgramData\WeCareReminder
2011-12-18 21:16:45 -------- d-----w- C:\Program Files\Microsoft Security Client
2011-12-18 20:29:21 -------- d-----w- C:\Program Files (x86)\PC Tools
2011-12-18 20:25:23 -------- d-----w- C:\Users\Brook\AppData\Roaming\TestApp
2011-12-18 20:25:23 -------- d-----w- C:\ProgramData\PC Tools
2011-12-17 19:45:40 -------- d-----w- C:\Users\Brook\AppData\Local\ElevatedDiagnostics
2011-12-17 19:30:47 22872 ----a-w- C:\Windows\System32\RegistryDefragBootTime.exe
2011-12-17 19:23:16 -------- d-----w- C:\ProgramData\IObit
2011-12-17 19:02:09 -------- d-----w- C:\Users\Brook\AppData\Roaming\IObit
2011-12-17 19:02:02 -------- d-----w- C:\Program Files (x86)\IObit
2011-12-17 18:53:29 -------- d-----w- C:\Users\Brook\AppData\Roaming\WinPatrol
2011-12-17 18:53:26 -------- d-----w- C:\Program Files (x86)\BillP Studios
2011-12-17 18:53:25 -------- d-----w- C:\ProgramData\InstallMate
2011-12-17 18:14:23 -------- d-----w- C:\Users\Brook\AppData\Roaming\Malwarebytes
2011-12-17 18:14:17 -------- d-----w- C:\ProgramData\Malwarebytes
2011-12-17 18:14:14 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-12-17 18:14:14 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-12-17 17:00:14 333908 ---ha-w- C:\aaw7boot.cmd
2011-12-17 16:45:16 55384 ----a-w- C:\Windows\System32\drivers\SBREDrv.sys
2011-12-17 16:43:05 -------- d-----w- C:\Program Files\CCleaner
2011-12-17 16:34:34 -------- d-----w- C:\Program Files (x86)\Toolbar Cleaner
2011-12-17 16:34:16 -------- d-----w- C:\Program Files (x86)\Lavasoft
2011-12-16 02:56:09 -------- d-----w- C:\Program Files\Microsoft Xbox 360 Accessories
2011-12-16 01:55:05 -------- d-----w- C:\Program Files (x86)\Common Files\Steam
2011-12-16 01:55:04 -------- d-----w- C:\Program Files (x86)\Steam
2011-12-16 00:59:59 -------- d-----w- C:\Users\Brook\AppData\Local\AresXZ
2011-12-16 00:57:05 -------- d-----w- C:\Users\Brook\AppData\Roaming\LimeRunner
2011-12-16 00:55:47 43520 ----a-w- C:\Windows\System32\csrsrv.dll
2011-12-16 00:55:46 3145216 ----a-w- C:\Windows\System32\win32k.sys
2011-12-16 00:55:44 723456 ----a-w- C:\Windows\System32\EncDec.dll
2011-12-16 00:55:44 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll
2011-12-16 00:55:42 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2011-12-16 00:55:42 2048 ----a-w- C:\Windows\System32\tzres.dll
2011-12-14 03:17:02 127 ----a-w- C:\Users\Brook\AppData\Roaming\Microsoft\CC81\bl404151_64.bat
2011-12-11 01:51:42 -------- d-----w- C:\Users\Brook\AppData\Local\Facebook
2011-12-09 05:07:35 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-12-09 03:51:23 -------- d-----w- C:\Program Files (x86)\LP
2011-12-07 05:22:17 -------- d-sh--w- C:\Windows\System32\%APPDATA%
2011-12-07 01:23:49 -------- d-----w- C:\Users\Brook\AppData\Roaming\D45A0
2011-12-07 01:23:49 -------- d-----w- C:\Users\Brook\AppData\Roaming\101D4
2011-12-07 01:23:18 -------- d-----w- C:\Users\Brook\AppData\Roaming\CF715
2011-12-07 01:22:47 -------- d-----w- C:\Users\Brook\AppData\Roaming\459CF
2011-12-07 01:22:37 -------- d-sh--w- C:\Users\Brook\AppData\Local\784b8e91
2011-12-06 11:51:04 8822856 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{07A44B09-CB55-473A-BD04-3B27DA102EE0}\mpengine.dll
.
==================== Find3M ====================
.
2011-12-16 20:01:13 280904 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2011-12-16 20:01:13 280904 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2011-12-12 04:26:46 280904 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2011-11-11 05:08:10 75136 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
2011-11-04 01:53:39 2309120 ----a-w- C:\Windows\System32\jscript9.dll
2011-11-04 01:44:47 1390080 ----a-w- C:\Windows\System32\wininet.dll
2011-11-04 01:44:21 1493504 ----a-w- C:\Windows\System32\inetcpl.cpl
2011-11-04 01:34:43 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2011-11-03 22:47:42 1798144 ----a-w- C:\Windows\SysWow64\jscript9.dll
2011-11-03 22:40:21 1427456 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2011-11-03 22:39:47 1127424 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-11-03 22:31:57 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-10-03 11:06:03 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-09-29 16:29:28 1923952 ----a-w- C:\Windows\System32\drivers\tcpip.sys
.
============= FINISH: 12:51:25.96 ===============

W3i.IQ5.fraud: [SBI $5ADC6E84] Program directory (Directory, nothing done)
C:\Windows\System32\AI_RecycleBin\

WebTrends live: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)


DoubleClick: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)


DoubleClick: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)


FastClick: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)


Zedo: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)


Zedo: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)


Zedo: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)


Zedo: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)


MediaPlex: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)


MediaPlex: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)


FastClick: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)


BurstMedia: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-01-26 TeaTimer.exe (1.6.4.26)
2011-12-21 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2011-03-18 Includes\Adware.sbi (*)
2011-12-13 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2011-11-29 Includes\DialerC.sbi (*)
2011-02-24 Includes\HeavyDuty.sbi (*)
2011-03-29 Includes\Hijackers.sbi (*)
2011-10-04 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2010-12-14 Includes\Keyloggers.sbi (*)
2011-09-27 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2011-12-07 Includes\Malware.sbi (*)
2011-12-20 Includes\MalwareC.sbi (*)
2011-02-24 Includes\PUPS.sbi (*)
2011-10-11 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2011-02-24 Includes\Security.sbi (*)
2011-12-13 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2011-10-18 Includes\Spyware.sbi (*)
2011-10-18 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2011-09-28 Includes\Trojans.sbi (*)
2011-12-12 Includes\TrojansC-02.sbi (*)
2011-12-19 Includes\TrojansC-03.sbi (*)
2011-12-20 Includes\TrojansC-04.sbi (*)
2011-12-20 Includes\TrojansC-05.sbi (*)
2011-12-12 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

ken545
2011-12-23, 15:54
:snwelcome:


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.



Your brothers laptop is infected with the Zero Access Rootkit, this infection is fairly new and very nasty, sometimes damaging your internet connection, I would recommend doing a format of the hard drive and a clean install of windows but if you want to proceed trying to clean it we can.

Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan
http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan click save log, save it to your desktop and post in your next reply
http://public.avast.com/~gmerek/aswMBR2.png

livinglifewell
2011-12-26, 19:14
i will post the log later today.

livinglifewell
2011-12-27, 00:25
aswMBR version 0.9.9.1120 Copyright(c) 2011 AVAST Software
Run date: 2011-12-25 08:15:17
-----------------------------
08:15:17.825 OS Version: Windows x64 6.1.7601 Service Pack 1
08:15:17.825 Number of processors: 4 586 0x100
08:15:17.825 ComputerName: BROOK-HP UserName: Brook
08:15:21.538 Initialize success
08:16:22.348 AVAST engine defs: 11122500
08:16:27.699 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000066
08:16:27.699 Disk 0 Vendor: ST964032 0002 Size: 610480MB BusType: 11
08:16:29.727 Disk 0 MBR read successfully
08:16:29.743 Disk 0 MBR scan
08:16:29.743 Disk 0 Windows 7 default MBR code
08:16:29.758 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 199 MB offset 2048
08:16:29.774 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 595243 MB offset 409600
08:16:29.821 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 14933 MB offset 1219467264
08:16:29.883 Disk 0 Partition 4 00 0C FAT32 LBA MSDOS5.0 103 MB offset 1250050048
08:16:29.899 Service scanning
08:16:33.478 Modules scanning
08:16:33.478 Disk 0 trace - called modules:
08:16:33.587 ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys amd_xata.sys storport.sys hal.dll amd_sata.sys
08:16:34.102 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80062b5060]
08:16:34.118 3 CLASSPNP.SYS[fffff8800160143f] -> nt!IofCallDriver -> [0xfffffa800611eb10]
08:16:34.118 5 hpdskflt.sys[fffff88001999361] -> nt!IofCallDriver -> [0xfffffa8005d3f940]
08:16:34.133 7 amd_xata.sys[fffff880010918f7] -> nt!IofCallDriver -> \Device\00000066[0xfffffa8006024060]
08:16:40.950 AVAST engine scan C:\Windows
08:17:11.651 AVAST engine scan C:\Windows\system32
08:17:31.463 File: C:\Windows\system32\consrv.dll **INFECTED** Win32:Malware-gen
08:20:25.528 AVAST engine scan C:\Windows\system32\drivers
08:20:57.945 AVAST engine scan C:\Users\Brook
08:20:58.148 File: C:\Users\Brook\AppData\Local\784b8e91\U\800000cb.@ **INFECTED** Win32:Malware-gen
08:22:39.891 AVAST engine scan C:\ProgramData
08:23:18.704 Scan finished successfully
16:23:46.627 Disk 0 MBR has been saved successfully to "C:\Users\Brook\Desktop\MBR.dat"
16:23:46.627 The log file has been saved successfully to "C:\Users\Brook\Desktop\aswMBRlog.txt"

ken545
2011-12-27, 01:22
Yep, Zero Access it is :sad:


Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

livinglifewell
2011-12-27, 04:04
ComboFix 11-12-26.03 - Brook 12/26/2011 19:52:30.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.5611.4158 [GMT -6:00]
Running from: c:\users\Brook\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\LP
c:\program files (x86)\Shop to Win
c:\program files (x86)\Shop to Win\Test.htm
c:\users\Brook\AppData\Local\784b8e91\U
c:\users\Brook\AppData\Local\784b8e91\U\80000000.@
c:\users\Brook\AppData\Local\784b8e91\U\800000cb.@
c:\users\Brook\AppData\Local\784b8e91\U\800000cf.@
c:\windows\assembly\tmp\U
c:\windows\assembly\tmp\U\00000001.@
c:\windows\assembly\tmp\U\000000c0.@
c:\windows\assembly\tmp\U\000000cb.@
c:\windows\assembly\tmp\U\000000cf.@
c:\windows\assembly\tmp\U\80000000.@
c:\windows\assembly\tmp\U\800000c0.@
c:\windows\assembly\tmp\U\800000cb.@
c:\windows\assembly\tmp\U\800000cf.@
c:\windows\system32\consrv.dll
c:\windows\system32\java.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-11-27 to 2011-12-27 )))))))))))))))))))))))))))))))
.
.
2011-12-27 01:56 . 2011-12-27 01:56 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-21 18:59 . 2011-12-21 20:04 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2011-12-21 18:59 . 2011-12-21 19:13 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-12-21 18:47 . 2011-12-21 18:47 -------- d-----w- c:\program files (x86)\ERUNT
2011-12-19 03:46 . 2011-12-19 03:46 -------- d-----w- c:\programdata\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
2011-12-19 03:01 . 2011-12-19 03:41 -------- d-----w- c:\program files (x86)\Fliptoast
2011-12-19 03:01 . 2011-12-19 03:01 -------- d-----w- c:\users\Brook\AppData\Local\Adobe
2011-12-19 03:00 . 2011-12-19 03:00 -------- d-----w- c:\users\Brook\Tracing
2011-12-19 02:59 . 2011-12-19 02:59 -------- d-----w- c:\users\Brook\AppData\Local\PackageAware
2011-12-19 02:59 . 2011-12-19 02:59 -------- d-----w- c:\users\Brook\AppData\Local\WeatherBug
2011-12-19 02:59 . 2011-12-19 02:59 -------- d-----w- c:\users\Brook\AppData\Roaming\WeatherBug
2011-12-19 02:59 . 2011-12-19 02:59 18944 ----a-r- c:\users\Brook\AppData\Roaming\Microsoft\Installer\{8F018A9E-56DE-4A79-A5EF-25F413F1D538}\IconBB6A16301.exe
2011-12-19 01:01 . 2011-12-19 01:01 -------- d-----w- c:\users\Brook\AppData\Roaming\Tific
2011-12-19 01:01 . 2011-12-19 01:01 -------- d-----w- c:\users\Brook\AppData\Local\Symantec
2011-12-18 21:33 . 2011-12-18 23:44 -------- d-----w- c:\programdata\WeCareReminder
2011-12-18 21:16 . 2011-12-18 23:44 -------- d-----w- c:\program files\Microsoft Security Client
2011-12-18 20:29 . 2011-12-18 21:34 -------- d-----w- c:\program files (x86)\PC Tools
2011-12-18 20:25 . 2011-12-18 21:24 -------- d-----w- c:\programdata\PC Tools
2011-12-18 20:25 . 2011-12-18 20:25 -------- d-----w- c:\users\Brook\AppData\Roaming\TestApp
2011-12-17 19:45 . 2011-12-17 19:45 -------- d-----w- c:\users\Brook\AppData\Local\ElevatedDiagnostics
2011-12-17 19:30 . 2011-10-20 05:10 22872 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe
2011-12-17 19:23 . 2011-12-17 19:23 -------- d-----w- c:\programdata\IObit
2011-12-17 19:02 . 2011-12-17 19:40 -------- d-----w- c:\users\Brook\AppData\Roaming\IObit
2011-12-17 19:02 . 2011-12-17 19:02 -------- d-----w- c:\program files (x86)\IObit
2011-12-17 18:53 . 2011-12-17 18:53 -------- d-----w- c:\users\Brook\AppData\Roaming\WinPatrol
2011-12-17 18:53 . 2011-12-17 18:53 -------- d-----w- c:\program files (x86)\BillP Studios
2011-12-17 18:53 . 2011-12-17 18:53 -------- d-----w- c:\programdata\InstallMate
2011-12-17 18:14 . 2011-12-17 18:14 -------- d-----w- c:\users\Brook\AppData\Roaming\Malwarebytes
2011-12-17 18:14 . 2011-12-17 18:14 -------- d-----w- c:\programdata\Malwarebytes
2011-12-17 18:14 . 2011-12-17 18:14 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-12-17 18:14 . 2011-08-31 23:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-17 17:00 . 2011-12-17 18:17 333908 ---ha-w- C:\aaw7boot.cmd
2011-12-17 16:45 . 2011-12-17 16:45 55384 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-12-17 16:43 . 2011-12-17 16:43 -------- d-----w- c:\program files\CCleaner
2011-12-17 16:34 . 2011-12-17 16:34 -------- d-----w- c:\program files (x86)\Toolbar Cleaner
2011-12-17 16:34 . 2011-12-17 18:21 -------- d-----w- c:\programdata\Lavasoft
2011-12-17 16:34 . 2011-12-17 16:34 -------- d-----w- c:\program files (x86)\Lavasoft
2011-12-16 02:56 . 2011-12-16 02:56 -------- d-----w- c:\program files\Microsoft Xbox 360 Accessories
2011-12-16 01:55 . 2011-12-16 02:59 -------- d-----w- c:\program files (x86)\Common Files\Steam
2011-12-16 01:55 . 2011-12-19 20:09 -------- d-----w- c:\program files (x86)\Steam
2011-12-16 00:59 . 2011-12-16 00:59 -------- d-----w- c:\users\Brook\AppData\Local\AresXZ
2011-12-16 00:57 . 2011-12-17 00:49 -------- d-----w- c:\users\Brook\AppData\Roaming\LimeRunner
2011-12-16 00:55 . 2011-10-26 05:21 43520 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-16 00:55 . 2011-11-24 04:52 3145216 ----a-w- c:\windows\system32\win32k.sys
2011-12-16 00:55 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll
2011-12-16 00:55 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
2011-12-16 00:55 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-16 00:55 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2011-12-14 03:17 . 2011-12-14 03:17 127 ----a-w- c:\users\Brook\AppData\Roaming\Microsoft\CC81\bl404151_64.bat
2011-12-11 01:51 . 2011-12-11 01:52 -------- d-----w- c:\users\Brook\AppData\Local\Facebook
2011-12-09 05:07 . 2011-12-09 05:07 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-12-09 03:39 . 2011-12-09 03:39 -------- d-----w- c:\program files (x86)\Common Files\Java
2011-12-07 05:24 . 2011-12-07 05:24 -------- d-----w- c:\windows\system32\Macromed
2011-12-07 05:22 . 2011-12-07 05:22 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-12-07 01:23 . 2011-12-19 03:32 -------- d-----w- c:\users\Brook\AppData\Roaming\D45A0
2011-12-07 01:23 . 2011-12-19 03:32 -------- d-----w- c:\users\Brook\AppData\Roaming\101D4
2011-12-07 01:23 . 2011-12-17 17:00 -------- d-----w- c:\users\Brook\AppData\Roaming\CF715
2011-12-07 01:22 . 2011-12-07 01:22 -------- d-----w- c:\users\Brook\AppData\Roaming\459CF
2011-12-07 01:22 . 2011-12-27 01:56 -------- d-sh--w- c:\users\Brook\AppData\Local\784b8e91
2011-12-06 11:51 . 2011-11-21 11:40 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{07A44B09-CB55-473A-BD04-3B27DA102EE0}\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-16 20:01 . 2011-11-11 05:11 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2011-12-16 20:01 . 2011-11-11 04:57 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2011-12-12 04:26 . 2011-11-11 04:57 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2011-11-11 05:08 . 2011-11-11 04:57 75136 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
2011-11-10 20:22 . 2010-06-24 18:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-10-03 11:06 . 2011-04-29 00:39 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-09-29 16:29 . 2011-11-11 03:15 1923952 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-04-02 336384]
.
c:\users\Brook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files (x86)\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files (x86)\IObit\Advanced SystemCare 5\ASCService.exe [2011-12-17 494424]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys [x]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [2011-12-17 17152]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys [x]
S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2009-03-03 89600]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-04-02 365568]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
S2 FPLService;TrueSuiteService;c:\program files (x86)\HP SimplePass 2011\TrueSuiteService.exe [2011-02-18 265544]
S2 HPAuto;HP Auto;c:\program files\Hewlett-Packard\HP Auto\HPAuto.exe [2011-02-17 682040]
S2 HPClientSvc;HP Client Services;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-10-11 346168]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [x]
S2 IconMan_R;IconMan_R;c:\program files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2011-03-08 2375168]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-09-14 508264]
S3 amdhub30;AMD USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\amdhub30.sys [x]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 amdxhc;AMD USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\amdxhc.sys [x]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys [x]
S3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-09-14 219496]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3139890736-3921819157-3585904417-1001Core.job
- c:\users\Brook\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-21 18:18]
.
2011-12-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3139890736-3921819157-3585904417-1001UA.job
- c:\users\Brook\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-21 18:18]
.
2011-12-27 c:\windows\Tasks\HPCeeScheduleForBrook.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-03-11 1128448]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2009-10-01 825184]
"combofix"="c:\combofix\CF11976.3XE" [2010-11-21 345088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.iminent.com/?appId=BD461244-FBB9-48B6-AA2B-9A9D36311D6F
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyServer = http=127.0.0.1:58404
TCP: DhcpNameServer = 192.168.2.1
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files (x86)\adawaretb\adawareDx.dll
Toolbar-{6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files (x86)\adawaretb\adawareDx.dll
WebBrowser-{977AE9CC-AF83-45E8-9E03-E2798216E2D5} - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-{09FF4DB8-7DE9-4D47-B7DB-915DB7D9A8CA} - c:\programdata\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}\bm_installer.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SysWOW64\ezSharedSvcHost.exe
c:\windows\SysWOW64\PnkBstrA.exe
.
**************************************************************************
.
Completion time: 2011-12-26 20:03:06 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-27 02:03
.
Pre-Run: 552,053,542,912 bytes free
Post-Run: 551,750,029,312 bytes free
.
- - End Of File - - D3B1F2DE5A7DA17B79DA5DD96247462E

ken545
2011-12-27, 11:14
Good Morning,

It looks like Combofix removed the rootkit, how is your system behaving now, any more redirects >

Run aswMBR again and post the NEW log.



ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.

Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Make sure that the option "Remove found threats" is Unchecked
Push the Start button.
ESET will then download updates for itself, install itself, and begin
scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as
ESETScan. Include the contents of this report in your next reply.
Push the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png
Please make sure you include the following items in your next post:
The log that was produced after running ESET Online Scanner.

livinglifewell
2011-12-28, 05:07
First, it does seem to be gone. I'm not getting redirects anymore, and browsing was fast, responsive, and nice.

When I downloaded the aswMBR.exe to my desktop and tried to open it I got the following message:

"C:\Users\Brook\Desktop\aswMBR(1).exe

Illegal operation attempted on a registry key that has been marked for deletion."

In fact nearly every program I try to open comes up with that error.

In addition, I checked to see if my Windows Firewall was enabled and/or working and the window for it was highlighted in red and said:

"Windows Firewall is not using the recommended settings to protect your computer."

When I tried clicking the button that says Use Recommended Settings, an error message pops up that reads: "Windows Firewall can't change some of your settings. Error code 0x80070424."

I right clicked the asw EXE file as ran it as an Admin. Only by doing this was I able to run it. Log attached.

ESET Scan resulted in finding 5 threats.


aswMBR version 0.9.9.1120 Copyright(c) 2011 AVAST Software
Run date: 2011-12-27 20:12:44
-----------------------------
20:12:44.416 OS Version: Windows x64 6.1.7601 Service Pack 1
20:12:44.417 Number of processors: 4 586 0x100
20:12:44.418 ComputerName: BROOK-HP UserName: Brook
20:12:49.526 Initialize success
20:21:49.021 AVAST engine defs: 11122702
20:22:44.417 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000063
20:22:44.417 Disk 0 Vendor: ST964032 0002 Size: 610480MB BusType: 11
20:22:46.492 Disk 0 MBR read successfully
20:22:46.492 Disk 0 MBR scan
20:22:46.508 Disk 0 Windows 7 default MBR code
20:22:46.523 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 199 MB offset 2048
20:22:46.539 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 595243 MB offset 409600
20:22:46.586 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 14933 MB offset 1219467264
20:22:46.601 Disk 0 Partition 4 00 0C FAT32 LBA MSDOS5.0 103 MB offset 1250050048
20:22:46.617 Service scanning
20:22:47.693 Modules scanning
20:22:47.693 Disk 0 trace - called modules:
20:22:47.756 ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys amd_xata.sys storport.sys hal.dll amd_sata.sys
20:22:47.756 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80060be060]
20:22:47.771 3 CLASSPNP.SYS[fffff8800199c43f] -> nt!IofCallDriver -> [0xfffffa8005deeb10]
20:22:47.771 5 hpdskflt.sys[fffff88001943361] -> nt!IofCallDriver -> [0xfffffa8005c71040]
20:22:47.787 7 amd_xata.sys[fffff8800112e8f7] -> nt!IofCallDriver -> \Device\00000063[0xfffffa8005c75060]
20:22:52.560 AVAST engine scan C:\Windows
20:22:57.022 AVAST engine scan C:\Windows\system32
20:24:56.971 AVAST engine scan C:\Windows\system32\drivers
20:25:11.104 AVAST engine scan C:\Users\Brook
20:26:29.026 AVAST engine scan C:\ProgramData
20:26:59.634 Scan finished successfully
20:28:06.979 Disk 0 MBR has been saved successfully to "C:\Users\Brook\Desktop\MBR.dat"
20:28:06.994 The log file has been saved successfully to "C:\Users\Brook\Desktop\aswMBRlog2.txt"




C:\Qoobox\Quarantine\C\Users\Brook\AppData\Local\784b8e91\U\80000000.@.vir Win64/Sirefef.P trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\Brook\AppData\Local\784b8e91\U\800000cb.@.vir Win64/Sirefef.M trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\Brook\AppData\Local\784b8e91\U\800000cf.@.vir Win64/Sirefef.O trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\System32\consrv.dll.vir Win64/Sirefef.G trojan cleaned by deleting - quarantined
C:\Users\Brook\Downloads\asc-setup.exe a variant of Win32/Toolbar.Widgi application deleted - quarantined

ken545
2011-12-28, 11:11
Good Morning,

Just copy and paste any logs we ask for into this thread , its easier for us to analyse .

You already had aswMBR on your desktop and you redownloaded it and it named it aswMBR(1).exe, thats why you got that error. The new log looks fine,


ESET, line number 8

8. Make sure that the option "Remove found threats" is Unchecked
We put this in purposely in case it removes something legit by mistake, but you squeaked by on this one.

All those files in Qoobox are just back ups of what Combofix removed , we clean all that out as a final cleaning. Advanced System Care was removed and not needed.


Any problems ?

livinglifewell
2011-12-28, 20:37
I don't seem to be experiencing those problems anymore, and everything works perfect as far as I can tell. :D:

livinglifewell
2011-12-28, 20:43
However, I am still unable to turn on my Windows Firewall. Do you have any ideas why that may be?

ken545
2011-12-28, 23:39
First, you have Windows Defender installed but you need a good Anti Virus program, download and install one of these free ones (But Just One ) more than one is overkill and can severely hamper system performance.

I have had good luck with Microsoft Essentials, but your call which one to install



Microsoft Security Essentials (http://www.microsoft.com/nz/digitallife/security/microsoft-security-essentials.mspx)
Free Avast 4 Home Edition (http://www.avast.com/eng/avast_4_home.html)
Avira AntiVirŪ Personal Edition Classic (http://www.free-av.com/)
AVG Free (http://free.grisoft.com/doc/avg-anti-virus-free/lng/us/tpl/v5)






Then run this scanner and let me take a look


OTL by OldTimer

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Click the "Scan All Users" checkbox.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note:These logs can be located in the OTL. folder on you C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.

ken545
2012-01-03, 23:28
Due to inactivity, this thread will now be closed.

If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a new DDS log with a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.