
Thread: Obvious Infection - requesting help

  1. #1
    Junior Member
    Join Date
    Dec 2011
    Posts
    7

    Obvious Infection - requesting help

    I'm in possession of my brother's laptop which has been suffering browser redirects, popups, slow browsing, and spoof-programs. I am attempting to clean the problems for him.

    As a preface I attempted to scan and "fix" the issues with Ad-Aware Free, Norton, Malwarebytes' Anti-Malware, and WinPatrol. I'm mentioning this because the FAQ recommended listing any attempts to clean before posting here.

    I backed up my registry with ERUNT.

    DDS Log:

    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 9.0.8112.16421
    Run by Brook at 12:50:41 on 2011-12-21
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.5611.4203 [GMT -6:00]
    .
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Program Files\IDT\WDM\STacSV64.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\atieclxx.exe
    C:\Windows\system32\Hpservice.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k WbioSvcGroup
    C:\Program Files\IDT\WDM\AESTSr64.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\SysWOW64\ezSharedSvcHost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
    C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
    C:\Windows\SysWOW64\PnkBstrA.exe
    C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe
    C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
    C:\Windows\system32\taskhost.exe
    C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\IDT\WDM\sttray64.exe
    C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
    C:\Users\Brook\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Brook\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Brook\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Brook\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Brook\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://search.iminent.com/?appId=BD461244-FBB9-48B6-AA2B-9A9D36311D6F
    uInternet Settings,ProxyServer = http=127.0.0.1:58404
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\adawaretb\adawareDx.dll
    BHO: TrueSuite Website Log On: {8590886e-ec8c-43c1-a32c-e4c2b0b6395b} - C:\Program Files (x86)\HP SimplePass 2011\IEBHO.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\adawaretb\adawareDx.dll
    TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
    TB: {977AE9CC-AF83-45E8-9E03-E2798216E2D5} - No File
    uRun: [Google Update] "C:\Users\Brook\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    StartupFolder: C:\Users\Brook\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ERUNTA~1.LNK - C:\Program Files (x86)\ERUNT\AUTOBACK.EXE
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
    mPolicies-explorer: HideSCAHealth = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    LSP: mswsock.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    TCP: DhcpNameServer = 192.168.137.13
    TCP: Interfaces\{6B840670-1293-4244-B948-6537F25A11EE} : DhcpNameServer = 209.18.47.61 209.18.47.62
    TCP: Interfaces\{B633A733-BA5F-4F7B-9C8F-3C4444F8AA94} : DhcpNameServer = 192.168.137.13
    TCP: Interfaces\{B633A733-BA5F-4F7B-9C8F-3C4444F8AA94}\8686F6E6F62737 : DhcpNameServer = 4.2.2.2 12.127.16.68 12.127.16.67
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\adawaretb\adawareDx.dll
    BHO-X64: Ad-Aware Security Toolbar - No File
    BHO-X64: TrueSuite Website Log On: {8590886E-EC8C-43C1-A32C-E4C2B0B6395B} - C:\Program Files (x86)\HP SimplePass 2011\IEBHO.dll
    BHO-X64: TSBHO Class - No File
    BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB-X64: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\adawaretb\adawareDx.dll
    TB-X64: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
    TB-X64: {977AE9CC-AF83-45E8-9E03-E2798216E2D5} - No File
    mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 amd_sata;amd_sata;C:\Windows\system32\DRIVERS\amd_sata.sys --> C:\Windows\system32\DRIVERS\amd_sata.sys [?]
    R0 amd_xata;amd_xata;C:\Windows\system32\DRIVERS\amd_xata.sys --> C:\Windows\system32\DRIVERS\amd_xata.sys [?]
    R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
    R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2011-11-20 89600]
    R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
    R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-4-2 365568]
    R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
    R2 ezSharedSvc;Easybits Services for Windows;C:\Windows\System32\ezSharedSvcHost.exe [2011-4-28 514232]
    R2 FPLService;TrueSuiteService;C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe [2011-2-17 265544]
    R2 HPAuto;HP Auto;C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe [2011-2-16 682040]
    R2 HPClientSvc;HP Client Services;C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-10-11 346168]
    R2 hpsrv;HP Service;C:\Windows\system32\Hpservice.exe --> C:\Windows\system32\Hpservice.exe [?]
    R2 IconMan_R;IconMan_R;C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2011-6-8 2375168]
    R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-9-14 508264]
    R3 amdhub30;AMD USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\amdhub30.sys --> C:\Windows\system32\DRIVERS\amdhub30.sys [?]
    R3 amdiox64;AMD IO Driver;C:\Windows\system32\DRIVERS\amdiox64.sys --> C:\Windows\system32\DRIVERS\amdiox64.sys [?]
    R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
    R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
    R3 amdxhc;AMD USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\amdxhc.sys --> C:\Windows\system32\DRIVERS\amdxhc.sys [?]
    R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
    R3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\system32\DRIVERS\netr28x.sys --> C:\Windows\system32\DRIVERS\netr28x.sys [?]
    R3 RSPCIESTOR;Realtek PCIE CardReader Driver;C:\Windows\system32\DRIVERS\RtsPStor.sys --> C:\Windows\system32\DRIVERS\RtsPStor.sys [?]
    R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
    R3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys --> C:\Windows\system32\DRIVERS\Sftfslh.sys [?]
    R3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys --> C:\Windows\system32\DRIVERS\Sftplaylh.sys [?]
    R3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys --> C:\Windows\system32\DRIVERS\Sftredirlh.sys [?]
    R3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys --> C:\Windows\system32\DRIVERS\Sftvollh.sys [?]
    R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-9-14 219496]
    R3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys --> C:\Windows\system32\DRIVERS\usbfilter.sys [?]
    RUnknown SymIRON;SymIRON; [x]
    RUnknown SymNetS;SymNetS; [x]
    S2 AdvancedSystemCareService5;Advanced SystemCare Service 5;C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCService.exe [2011-12-17 494424]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;C:\Program Files (x86)\Lavasoft\Ad-Aware\kernexplorer64.sys [2011-12-17 17152]
    S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
    S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]
    S3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
    S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
    S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
    SUnknown EraserUtilRebootDrv;EraserUtilRebootDrv; [x]
    .
    =============== Created Last 30 ================
    .
    2011-12-19 03:46:47 -------- d-----w- C:\ProgramData\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
    2011-12-19 03:01:35 -------- d-sh--w- C:\Windows\SysWow64\AI_RecycleBin
    2011-12-19 03:01:32 -------- d-----w- C:\Program Files (x86)\Fliptoast
    2011-12-19 03:01:24 -------- d-----w- C:\Users\Brook\AppData\Local\Adobe
    2011-12-19 03:00:51 -------- d-----w- C:\Users\Brook\Tracing
    2011-12-19 02:59:49 -------- d-----w- C:\Users\Brook\AppData\Local\PackageAware
    2011-12-19 02:59:22 -------- d-----w- C:\Users\Brook\AppData\Local\WeatherBug
    2011-12-19 02:59:21 -------- d-----w- C:\Users\Brook\AppData\Roaming\WeatherBug
    2011-12-19 02:59:19 18944 ----a-r- C:\Users\Brook\AppData\Roaming\Microsoft\Installer\{8F018A9E-56DE-4A79-A5EF-25F413F1D538}\IconBB6A16301.exe
    2011-12-19 02:53:58 -------- d-----w- C:\Program Files (x86)\Shop To Win
    2011-12-19 01:01:24 -------- d-----w- C:\Users\Brook\AppData\Roaming\Tific
    2011-12-19 01:01:23 -------- d-----w- C:\Users\Brook\AppData\Local\Symantec
    2011-12-19 01:00:35 -------- d-----w- C:\Program Files (x86)\Norton AntiVirus
    2011-12-18 21:33:15 -------- d-----w- C:\ProgramData\WeCareReminder
    2011-12-18 21:16:45 -------- d-----w- C:\Program Files\Microsoft Security Client
    2011-12-18 20:29:21 -------- d-----w- C:\Program Files (x86)\PC Tools
    2011-12-18 20:25:23 -------- d-----w- C:\Users\Brook\AppData\Roaming\TestApp
    2011-12-18 20:25:23 -------- d-----w- C:\ProgramData\PC Tools
    2011-12-17 19:45:40 -------- d-----w- C:\Users\Brook\AppData\Local\ElevatedDiagnostics
    2011-12-17 19:30:47 22872 ----a-w- C:\Windows\System32\RegistryDefragBootTime.exe
    2011-12-17 19:23:16 -------- d-----w- C:\ProgramData\IObit
    2011-12-17 19:02:09 -------- d-----w- C:\Users\Brook\AppData\Roaming\IObit
    2011-12-17 19:02:02 -------- d-----w- C:\Program Files (x86)\IObit
    2011-12-17 18:53:29 -------- d-----w- C:\Users\Brook\AppData\Roaming\WinPatrol
    2011-12-17 18:53:26 -------- d-----w- C:\Program Files (x86)\BillP Studios
    2011-12-17 18:53:25 -------- d-----w- C:\ProgramData\InstallMate
    2011-12-17 18:14:23 -------- d-----w- C:\Users\Brook\AppData\Roaming\Malwarebytes
    2011-12-17 18:14:17 -------- d-----w- C:\ProgramData\Malwarebytes
    2011-12-17 18:14:14 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2011-12-17 18:14:14 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2011-12-17 17:00:14 333908 ---ha-w- C:\aaw7boot.cmd
    2011-12-17 16:45:16 55384 ----a-w- C:\Windows\System32\drivers\SBREDrv.sys
    2011-12-17 16:43:05 -------- d-----w- C:\Program Files\CCleaner
    2011-12-17 16:34:34 -------- d-----w- C:\Program Files (x86)\Toolbar Cleaner
    2011-12-17 16:34:16 -------- d-----w- C:\Program Files (x86)\Lavasoft
    2011-12-16 02:56:09 -------- d-----w- C:\Program Files\Microsoft Xbox 360 Accessories
    2011-12-16 01:55:05 -------- d-----w- C:\Program Files (x86)\Common Files\Steam
    2011-12-16 01:55:04 -------- d-----w- C:\Program Files (x86)\Steam
    2011-12-16 00:59:59 -------- d-----w- C:\Users\Brook\AppData\Local\AresXZ
    2011-12-16 00:57:05 -------- d-----w- C:\Users\Brook\AppData\Roaming\LimeRunner
    2011-12-16 00:55:47 43520 ----a-w- C:\Windows\System32\csrsrv.dll
    2011-12-16 00:55:46 3145216 ----a-w- C:\Windows\System32\win32k.sys
    2011-12-16 00:55:44 723456 ----a-w- C:\Windows\System32\EncDec.dll
    2011-12-16 00:55:44 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll
    2011-12-16 00:55:42 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
    2011-12-16 00:55:42 2048 ----a-w- C:\Windows\System32\tzres.dll
    2011-12-14 03:17:02 127 ----a-w- C:\Users\Brook\AppData\Roaming\Microsoft\CC81\bl404151_64.bat
    2011-12-11 01:51:42 -------- d-----w- C:\Users\Brook\AppData\Local\Facebook
    2011-12-09 05:07:35 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-12-09 03:51:23 -------- d-----w- C:\Program Files (x86)\LP
    2011-12-07 05:22:17 -------- d-sh--w- C:\Windows\System32\%APPDATA%
    2011-12-07 01:23:49 -------- d-----w- C:\Users\Brook\AppData\Roaming\D45A0
    2011-12-07 01:23:49 -------- d-----w- C:\Users\Brook\AppData\Roaming\101D4
    2011-12-07 01:23:18 -------- d-----w- C:\Users\Brook\AppData\Roaming\CF715
    2011-12-07 01:22:47 -------- d-----w- C:\Users\Brook\AppData\Roaming\459CF
    2011-12-07 01:22:37 -------- d-sh--w- C:\Users\Brook\AppData\Local\784b8e91
    2011-12-06 11:51:04 8822856 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{07A44B09-CB55-473A-BD04-3B27DA102EE0}\mpengine.dll
    .
    ==================== Find3M ====================
    .
    2011-12-16 20:01:13 280904 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
    2011-12-16 20:01:13 280904 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
    2011-12-12 04:26:46 280904 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
    2011-11-11 05:08:10 75136 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
    2011-11-04 01:53:39 2309120 ----a-w- C:\Windows\System32\jscript9.dll
    2011-11-04 01:44:47 1390080 ----a-w- C:\Windows\System32\wininet.dll
    2011-11-04 01:44:21 1493504 ----a-w- C:\Windows\System32\inetcpl.cpl
    2011-11-04 01:34:43 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
    2011-11-03 22:47:42 1798144 ----a-w- C:\Windows\SysWow64\jscript9.dll
    2011-11-03 22:40:21 1427456 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
    2011-11-03 22:39:47 1127424 ----a-w- C:\Windows\SysWow64\wininet.dll
    2011-11-03 22:31:57 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2011-10-03 11:06:03 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
    2011-09-29 16:29:28 1923952 ----a-w- C:\Windows\System32\drivers\tcpip.sys
    .
    ============= FINISH: 12:51:25.96 ===============

    W3i.IQ5.fraud: [SBI $5ADC6E84] Program directory (Directory, nothing done)
    C:\Windows\System32\AI_RecycleBin\

    WebTrends live: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
    DoubleClick: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
    DoubleClick: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
    FastClick: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
    Zedo: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
    Zedo: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
    Zedo: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
    Zedo: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
    MediaPlex: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
    MediaPlex: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
    FastClick: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
    BurstMedia: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)


    --- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

    2009-01-26 blindman.exe (1.0.0.8)
    2009-01-26 SDFiles.exe (1.6.1.7)
    2009-01-26 SDMain.exe (1.0.0.6)
    2009-01-26 SDUpdate.exe (1.6.0.12)
    2009-01-26 SpybotSD.exe (1.6.2.46)
    2009-01-26 TeaTimer.exe (1.6.4.26)
    2011-12-21 unins000.exe (51.49.0.0)
    2009-01-26 Update.exe (1.6.0.7)
    2009-01-26 advcheck.dll (1.6.2.15)
    2007-04-02 aports.dll (2.1.0.0)
    2008-06-14 DelZip179.dll (1.79.11.1)
    2009-01-26 SDHelper.dll (1.6.2.14)
    2008-06-19 sqlite3.dll
    2009-01-26 Tools.dll (2.1.6.10)
    2009-01-16 UninsSrv.dll (1.0.0.0)
    2011-03-18 Includes\Adware.sbi (*)
    2011-12-13 Includes\AdwareC.sbi (*)
    2010-08-13 Includes\Cookies.sbi (*)
    2010-12-14 Includes\Dialer.sbi (*)
    2011-11-29 Includes\DialerC.sbi (*)
    2011-02-24 Includes\HeavyDuty.sbi (*)
    2011-03-29 Includes\Hijackers.sbi (*)
    2011-10-04 Includes\HijackersC.sbi (*)
    2010-09-15 Includes\iPhone.sbi (*)
    2010-12-14 Includes\Keyloggers.sbi (*)
    2011-09-27 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2011-12-07 Includes\Malware.sbi (*)
    2011-12-20 Includes\MalwareC.sbi (*)
    2011-02-24 Includes\PUPS.sbi (*)
    2011-10-11 Includes\PUPSC.sbi (*)
    2010-01-25 Includes\Revision.sbi (*)
    2011-02-24 Includes\Security.sbi (*)
    2011-12-13 Includes\SecurityC.sbi (*)
    2008-06-03 Includes\Spybots.sbi (*)
    2008-06-03 Includes\SpybotsC.sbi (*)
    2011-10-18 Includes\Spyware.sbi (*)
    2011-10-18 Includes\SpywareC.sbi (*)
    2010-03-08 Includes\Tracks.uti
    2011-09-28 Includes\Trojans.sbi (*)
    2011-12-12 Includes\TrojansC-02.sbi (*)
    2011-12-19 Includes\TrojansC-03.sbi (*)
    2011-12-20 Includes\TrojansC-04.sbi (*)
    2011-12-20 Includes\TrojansC-05.sbi (*)
    2011-12-12 Includes\TrojansC.sbi (*)
    2008-03-04 Plugins\Chai.dll
    2008-03-05 Plugins\Fennel.dll
    2008-02-26 Plugins\Mate.dll
    2007-12-24 Plugins\TCPIPAddress.dll

  2. #2
    Security Expert ken545
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208





    Please read Before You Post
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

    Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.



    Your brother's laptop is infected with the Zero Access Rootkit. This infection is fairly new and very nasty, sometimes damaging your internet connection. I would recommend doing a format of the hard drive and a clean install of Windows, but if you want to proceed trying to clean it we can.

    Download aswMBR.exe ( 511KB ) to your desktop.

    Double click the aswMBR.exe to run it

    Click the "Scan" button to start scan


    On completion of the scan click save log, save it to your desktop and post in your next reply
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #3
    Junior Member
    Join Date
    Dec 2011
    Posts
    7


    I will post the log later today.

  4. #4
    Junior Member
    Join Date
    Dec 2011
    Posts
    7


    aswMBR version 0.9.9.1120 Copyright(c) 2011 AVAST Software
    Run date: 2011-12-25 08:15:17
    -----------------------------
    08:15:17.825 OS Version: Windows x64 6.1.7601 Service Pack 1
    08:15:17.825 Number of processors: 4 586 0x100
    08:15:17.825 ComputerName: BROOK-HP UserName: Brook
    08:15:21.538 Initialize success
    08:16:22.348 AVAST engine defs: 11122500
    08:16:27.699 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000066
    08:16:27.699 Disk 0 Vendor: ST964032 0002 Size: 610480MB BusType: 11
    08:16:29.727 Disk 0 MBR read successfully
    08:16:29.743 Disk 0 MBR scan
    08:16:29.743 Disk 0 Windows 7 default MBR code
    08:16:29.758 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 199 MB offset 2048
    08:16:29.774 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 595243 MB offset 409600
    08:16:29.821 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 14933 MB offset 1219467264
    08:16:29.883 Disk 0 Partition 4 00 0C FAT32 LBA MSDOS5.0 103 MB offset 1250050048
    08:16:29.899 Service scanning
    08:16:33.478 Modules scanning
    08:16:33.478 Disk 0 trace - called modules:
    08:16:33.587 ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys amd_xata.sys storport.sys hal.dll amd_sata.sys
    08:16:34.102 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80062b5060]
    08:16:34.118 3 CLASSPNP.SYS[fffff8800160143f] -> nt!IofCallDriver -> [0xfffffa800611eb10]
    08:16:34.118 5 hpdskflt.sys[fffff88001999361] -> nt!IofCallDriver -> [0xfffffa8005d3f940]
    08:16:34.133 7 amd_xata.sys[fffff880010918f7] -> nt!IofCallDriver -> \Device\00000066[0xfffffa8006024060]
    08:16:40.950 AVAST engine scan C:\Windows
    08:17:11.651 AVAST engine scan C:\Windows\system32
    08:17:31.463 File: C:\Windows\system32\consrv.dll **INFECTED** Win32:Malware-gen
    08:20:25.528 AVAST engine scan C:\Windows\system32\drivers
    08:20:57.945 AVAST engine scan C:\Users\Brook
    08:20:58.148 File: C:\Users\Brook\AppData\Local\784b8e91\U\800000cb.@ **INFECTED** Win32:Malware-gen
    08:22:39.891 AVAST engine scan C:\ProgramData
    08:23:18.704 Scan finished successfully
    16:23:46.627 Disk 0 MBR has been saved successfully to "C:\Users\Brook\Desktop\MBR.dat"
    16:23:46.627 The log file has been saved successfully to "C:\Users\Brook\Desktop\aswMBRlog.txt"

  5. #5
    Security Expert ken545
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Yep, Zero Access it is


    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    • See this Link for programs that need to be disabled and instruction on how to disable them.
    • Remember to re-enable them when we're done.

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    *If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
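As a defender-side illustration of what the analyst is reading in these logs, here is an added Python triage script (not from this thread and not part of DDS, aswMBR or ComboFix) that scans pasted log lines for the x64 ZeroAccess artefacts visible above: the consrv entry in the csrss SubSystems value, consrv.dll in system32, the system+hidden 8-hex-character folder under AppData\Local with its U\XXXXXXXX.@ files, the directory literally named %APPDATA% under System32, and the 127.0.0.1 proxy. The sample lines are copied from the logs posted in this thread; the "clean" lines are constructed, and the assumption that a stock Windows 7 SubSystems value names winsrv rather than consrv for ConServerDllInitialization is mine.

```python
"""Added example: triage DDS / aswMBR / ComboFix log lines for the ZeroAccess
artefacts seen in this thread. Not part of any of those tools."""
import re
from typing import Dict, List

# Rules whose hit means "a payload store location was found".
PAYLOAD_RULES = {"u-folder-payload", "hidden-hex-dir-in-local-appdata",
                 "appdata-dir-in-system32"}
# Rules whose hit means "the csrss subsystem hook is present".
HOOK_RULES = {"consrv-subsystem", "consrv-dll-file"}

# (rule name, regex applied to one log line, what a hit means)
RULES = [
    ("localhost-proxy",
     re.compile(r"ProxyServer\s*=\s*\S*127\.0\.0\.1:\d+", re.I),
     "IE proxy points at 127.0.0.1, so all browsing is routed through a local process"),
    ("consrv-subsystem",
     re.compile(r"SubSystems:.*\bconsrv:ConServerDllInitialization", re.I),
     "csrss loads consrv.dll for the console server; assumption: stock Windows 7 "
     "names winsrv:ConServerDllInitialization here"),
    ("consrv-dll-file",
     re.compile(r"\\system32\\consrv\.dll(?=\s|$)", re.I),
     "consrv.dll present in system32 (the file aswMBR flagged above)"),
    ("appdata-dir-in-system32",
     re.compile(r"d-sh--w-\s+\S*\\System32\\%APPDATA%\s*$", re.I),
     "system+hidden directory literally named %APPDATA% under System32"),
    ("hidden-hex-dir-in-local-appdata",
     re.compile(r"d-sh--w-\s+\S*\\AppData\\Local\\[0-9a-f]{8}\s*$", re.I),
     "system+hidden 8-hex-character directory under AppData\\Local"),
    ("u-folder-payload",
     re.compile(r"\\U\\[0-9a-f]{8}\.@(?=\s|$)", re.I),
     "file named U\\XXXXXXXX.@, the ZeroAccess plugin naming scheme"),
    ("scanner-verdict",
     re.compile(r"\*\*INFECTED\*\*\s+\S+"),
     "the scanner itself flagged the file"),
]


def parse_log(text: str) -> List[str]:
    """Split pasted log text into non-empty, stripped lines."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per (line, rule) hit; a line may trip several rules."""
    findings: List[Dict[str, object]] = []
    for number, line in enumerate(lines, start=1):
        for name, pattern, meaning in RULES:
            if pattern.search(line):
                findings.append({"line": number, "rule": name,
                                 "text": line, "meaning": meaning})
    return findings


def verdict(findings: List[Dict[str, object]]) -> str:
    """The csrss hook together with a payload store is the x64 ZeroAccess pattern;
    a lone hit is worth a look but is not a diagnosis on its own."""
    hits = {f["rule"] for f in findings}
    if hits & HOOK_RULES and hits & PAYLOAD_RULES:
        return "zeroaccess-x64-pattern"
    if hits:
        return "suspicious"
    return "no-indicators"


def report(text: str) -> str:
    """Human-readable summary: one line per finding, then the verdict."""
    findings = triage(parse_log(text))
    out = [f"{f['rule']:32} line {f['line']:>2}: {f['text']}" for f in findings]
    out.append(f"verdict: {verdict(findings)}")
    return "\n".join(out)


# Sample input: lines copied from the DDS, aswMBR and ComboFix logs posted in this
# thread, interleaved with benign lines from the same logs.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:58404
uRun: [Google Update] "C:\Users\Brook\AppData\Local\Google\Update\GoogleUpdate.exe" /c
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
2011-12-07 05:22:17 -------- d-sh--w- C:\Windows\System32\%APPDATA%
2011-12-07 01:22:37 -------- d-sh--w- C:\Users\Brook\AppData\Local\784b8e91
2011-12-17 16:43:05 -------- d-----w- C:\Program Files\CCleaner
08:17:31.463 File: C:\Windows\system32\consrv.dll **INFECTED** Win32:Malware-gen
08:20:58.148 File: C:\Users\Brook\AppData\Local\784b8e91\U\800000cb.@ **INFECTED** Win32:Malware-gen
c:\windows\assembly\tmp\U\800000cf.@
C:\Windows\system32\conhost.exe
"""

# Constructed clean counterpart; the SubSystems line is the assumed stock value.
CLEAN_LOG = r"""
uInternet Settings,ProxyServer = http=proxy.corp.example:8080
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 winsrv:ConServerDllInitialization,2 sxssrv,4
2011-12-17 16:43:05 -------- d-----w- C:\Program Files\CCleaner
C:\Windows\system32\conhost.exe
"""

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
    print()
    print(report(CLEAN_LOG))
```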

  6. #6
    Junior Member
    Join Date
    Dec 2011
    Posts
    7


    ComboFix 11-12-26.03 - Brook 12/26/2011 19:52:30.1.4 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.5611.4158 [GMT -6:00]
    Running from: c:\users\Brook\Desktop\ComboFix.exe
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files (x86)\LP
    c:\program files (x86)\Shop to Win
    c:\program files (x86)\Shop to Win\Test.htm
    c:\users\Brook\AppData\Local\784b8e91\U
    c:\users\Brook\AppData\Local\784b8e91\U\80000000.@
    c:\users\Brook\AppData\Local\784b8e91\U\800000cb.@
    c:\users\Brook\AppData\Local\784b8e91\U\800000cf.@
    c:\windows\assembly\tmp\U
    c:\windows\assembly\tmp\U\00000001.@
    c:\windows\assembly\tmp\U\000000c0.@
    c:\windows\assembly\tmp\U\000000cb.@
    c:\windows\assembly\tmp\U\000000cf.@
    c:\windows\assembly\tmp\U\80000000.@
    c:\windows\assembly\tmp\U\800000c0.@
    c:\windows\assembly\tmp\U\800000cb.@
    c:\windows\assembly\tmp\U\800000cf.@
    c:\windows\system32\consrv.dll
    c:\windows\system32\java.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-27 to 2011-12-27 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-27 01:56 . 2011-12-27 01:56 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-12-21 18:59 . 2011-12-21 20:04 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
    2011-12-21 18:59 . 2011-12-21 19:13 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2011-12-21 18:47 . 2011-12-21 18:47 -------- d-----w- c:\program files (x86)\ERUNT
    2011-12-19 03:46 . 2011-12-19 03:46 -------- d-----w- c:\programdata\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
    2011-12-19 03:01 . 2011-12-19 03:41 -------- d-----w- c:\program files (x86)\Fliptoast
    2011-12-19 03:01 . 2011-12-19 03:01 -------- d-----w- c:\users\Brook\AppData\Local\Adobe
    2011-12-19 03:00 . 2011-12-19 03:00 -------- d-----w- c:\users\Brook\Tracing
    2011-12-19 02:59 . 2011-12-19 02:59 -------- d-----w- c:\users\Brook\AppData\Local\PackageAware
    2011-12-19 02:59 . 2011-12-19 02:59 -------- d-----w- c:\users\Brook\AppData\Local\WeatherBug
    2011-12-19 02:59 . 2011-12-19 02:59 -------- d-----w- c:\users\Brook\AppData\Roaming\WeatherBug
    2011-12-19 02:59 . 2011-12-19 02:59 18944 ----a-r- c:\users\Brook\AppData\Roaming\Microsoft\Installer\{8F018A9E-56DE-4A79-A5EF-25F413F1D538}\IconBB6A16301.exe
    2011-12-19 01:01 . 2011-12-19 01:01 -------- d-----w- c:\users\Brook\AppData\Roaming\Tific
    2011-12-19 01:01 . 2011-12-19 01:01 -------- d-----w- c:\users\Brook\AppData\Local\Symantec
    2011-12-18 21:33 . 2011-12-18 23:44 -------- d-----w- c:\programdata\WeCareReminder
    2011-12-18 21:16 . 2011-12-18 23:44 -------- d-----w- c:\program files\Microsoft Security Client
    2011-12-18 20:29 . 2011-12-18 21:34 -------- d-----w- c:\program files (x86)\PC Tools
    2011-12-18 20:25 . 2011-12-18 21:24 -------- d-----w- c:\programdata\PC Tools
    2011-12-18 20:25 . 2011-12-18 20:25 -------- d-----w- c:\users\Brook\AppData\Roaming\TestApp
    2011-12-17 19:45 . 2011-12-17 19:45 -------- d-----w- c:\users\Brook\AppData\Local\ElevatedDiagnostics
    2011-12-17 19:30 . 2011-10-20 05:10 22872 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe
    2011-12-17 19:23 . 2011-12-17 19:23 -------- d-----w- c:\programdata\IObit
    2011-12-17 19:02 . 2011-12-17 19:40 -------- d-----w- c:\users\Brook\AppData\Roaming\IObit
    2011-12-17 19:02 . 2011-12-17 19:02 -------- d-----w- c:\program files (x86)\IObit
    2011-12-17 18:53 . 2011-12-17 18:53 -------- d-----w- c:\users\Brook\AppData\Roaming\WinPatrol
    2011-12-17 18:53 . 2011-12-17 18:53 -------- d-----w- c:\program files (x86)\BillP Studios
    2011-12-17 18:53 . 2011-12-17 18:53 -------- d-----w- c:\programdata\InstallMate
    2011-12-17 18:14 . 2011-12-17 18:14 -------- d-----w- c:\users\Brook\AppData\Roaming\Malwarebytes
    2011-12-17 18:14 . 2011-12-17 18:14 -------- d-----w- c:\programdata\Malwarebytes
    2011-12-17 18:14 . 2011-12-17 18:14 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2011-12-17 18:14 . 2011-08-31 23:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-12-17 17:00 . 2011-12-17 18:17 333908 ---ha-w- C:\aaw7boot.cmd
    2011-12-17 16:45 . 2011-12-17 16:45 55384 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-12-17 16:43 . 2011-12-17 16:43 -------- d-----w- c:\program files\CCleaner
    2011-12-17 16:34 . 2011-12-17 16:34 -------- d-----w- c:\program files (x86)\Toolbar Cleaner
    2011-12-17 16:34 . 2011-12-17 18:21 -------- d-----w- c:\programdata\Lavasoft
    2011-12-17 16:34 . 2011-12-17 16:34 -------- d-----w- c:\program files (x86)\Lavasoft
    2011-12-16 02:56 . 2011-12-16 02:56 -------- d-----w- c:\program files\Microsoft Xbox 360 Accessories
    2011-12-16 01:55 . 2011-12-16 02:59 -------- d-----w- c:\program files (x86)\Common Files\Steam
    2011-12-16 01:55 . 2011-12-19 20:09 -------- d-----w- c:\program files (x86)\Steam
    2011-12-16 00:59 . 2011-12-16 00:59 -------- d-----w- c:\users\Brook\AppData\Local\AresXZ
    2011-12-16 00:57 . 2011-12-17 00:49 -------- d-----w- c:\users\Brook\AppData\Roaming\LimeRunner
    2011-12-16 00:55 . 2011-10-26 05:21 43520 ----a-w- c:\windows\system32\csrsrv.dll
    2011-12-16 00:55 . 2011-11-24 04:52 3145216 ----a-w- c:\windows\system32\win32k.sys
    2011-12-16 00:55 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll
    2011-12-16 00:55 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
    2011-12-16 00:55 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-12-16 00:55 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll
    2011-12-14 03:17 . 2011-12-14 03:17 127 ----a-w- c:\users\Brook\AppData\Roaming\Microsoft\CC81\bl404151_64.bat
    2011-12-11 01:51 . 2011-12-11 01:52 -------- d-----w- c:\users\Brook\AppData\Local\Facebook
    2011-12-09 05:07 . 2011-12-09 05:07 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-12-09 03:39 . 2011-12-09 03:39 -------- d-----w- c:\program files (x86)\Common Files\Java
    2011-12-07 05:24 . 2011-12-07 05:24 -------- d-----w- c:\windows\system32\Macromed
    2011-12-07 05:22 . 2011-12-07 05:22 -------- d-sh--w- c:\windows\system32\%APPDATA%
    2011-12-07 01:23 . 2011-12-19 03:32 -------- d-----w- c:\users\Brook\AppData\Roaming\D45A0
    2011-12-07 01:23 . 2011-12-19 03:32 -------- d-----w- c:\users\Brook\AppData\Roaming\101D4
    2011-12-07 01:23 . 2011-12-17 17:00 -------- d-----w- c:\users\Brook\AppData\Roaming\CF715
    2011-12-07 01:22 . 2011-12-07 01:22 -------- d-----w- c:\users\Brook\AppData\Roaming\459CF
    2011-12-07 01:22 . 2011-12-27 01:56 -------- d-sh--w- c:\users\Brook\AppData\Local\784b8e91
    2011-12-06 11:51 . 2011-11-21 11:40 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{07A44B09-CB55-473A-BD04-3B27DA102EE0}\mpengine.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-16 20:01 . 2011-11-11 05:11 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
    2011-12-16 20:01 . 2011-11-11 04:57 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
    2011-12-12 04:26 . 2011-11-11 04:57 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
    2011-11-11 05:08 . 2011-11-11 04:57 75136 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
    2011-11-10 20:22 . 2010-06-24 18:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2011-10-03 11:06 . 2011-04-29 00:39 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2011-09-29 16:29 . 2011-11-11 03:15 1923952 ----a-w- c:\windows\system32\drivers\tcpip.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-04-02 336384]
    .
    c:\users\Brook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files (x86)\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "EnableShellExecuteHooks"= 1 (0x1)
    "HideSCAHealth"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files (x86)\IObit\Advanced SystemCare 5\ASCService.exe [2011-12-17 494424]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys [x]
    R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [2011-12-17 17152]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
    R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys [x]
    S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
    S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2009-03-03 89600]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
    S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-04-02 365568]
    S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
    S2 FPLService;TrueSuiteService;c:\program files (x86)\HP SimplePass 2011\TrueSuiteService.exe [2011-02-18 265544]
    S2 HPAuto;HP Auto;c:\program files\Hewlett-Packard\HP Auto\HPAuto.exe [2011-02-17 682040]
    S2 HPClientSvc;HP Client Services;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-10-11 346168]
    S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [x]
    S2 IconMan_R;IconMan_R;c:\program files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2011-03-08 2375168]
    S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-09-14 508264]
    S3 amdhub30;AMD USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\amdhub30.sys [x]
    S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [x]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
    S3 amdxhc;AMD USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\amdxhc.sys [x]
    S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
    S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys [x]
    S3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
    S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
    S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
    S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
    S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
    S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-09-14 219496]
    S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [x]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-12-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3139890736-3921819157-3585904417-1001Core.job
    - c:\users\Brook\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-21 18:18]
    .
    2011-12-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3139890736-3921819157-3585904417-1001UA.job
    - c:\users\Brook\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-21 18:18]
    .
    2011-12-27 c:\windows\Tasks\HPCeeScheduleForBrook.job
    - c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-03-11 1128448]
    "XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2009-10-01 825184]
    "combofix"="c:\combofix\CF11976.3XE" [2010-11-21 345088]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://search.iminent.com/?appId=BD461244-FBB9-48B6-AA2B-9A9D36311D6F
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyServer = http=127.0.0.1:58404
    TCP: DhcpNameServer = 192.168.2.1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files (x86)\adawaretb\adawareDx.dll
    Toolbar-{6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files (x86)\adawaretb\adawareDx.dll
    WebBrowser-{977AE9CC-AF83-45E8-9E03-E2798216E2D5} - (no file)
    HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
    AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
    AddRemove-{09FF4DB8-7DE9-4D47-B7DB-915DB7D9A8CA} - c:\programdata\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}\bm_installer.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\SysWOW64\ezSharedSvcHost.exe
    c:\windows\SysWOW64\PnkBstrA.exe
    .
    **************************************************************************
    .
    Completion time: 2011-12-26 20:03:06 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-12-27 02:03
    .
    Pre-Run: 552,053,542,912 bytes free
    Post-Run: 551,750,029,312 bytes free
    .
    - - End Of File - - D3B1F2DE5A7DA17B79DA5DD96247462E
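The ComboFix log above contains the entries that the rest of the thread turns on: a hidden+system directory with a hex-style name under AppData\Local (whose contents ESET later reports as Sirefef), a literal "%APPDATA%" directory under system32, and a browser proxy pointing at 127.0.0.1. The following is an added example, not part of this thread, of ComboFix or of any poster's work: a small Python triage script that parses the "Files Created" line format shown in the log and applies exactly those heuristics, so a responder can skim a long log for the same pattern. The attribute-flag layout (`d`, `s`, `h`, `a`, `w`/`r`) is inferred from the sample lines and is an assumption; the sample lines embedded below are copied from the log above.

```python
"""Triage helper for ComboFix 'Files Created' / 'Supplementary Scan' lines.

Added example for this thread; not ComboFix code. Heuristics mirror what the
responder acted on: hidden+system hex-named directories under AppData\\Local,
unexpanded environment-variable names under system32, and a loopback proxy.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One "Files Created" line (copied from the log above) looks like:
#   2011-12-07 01:22 . 2011-12-27 01:56 -------- d-sh--w- c:\users\Brook\AppData\Local\784b8e91
#   created . modified  size-or-dashes  attribute-flags  path
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-{8}|\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]   # None for directories (shown as --------)
    attrs: str
    path: str

    # Assumed flag layout, inferred from lines such as 'd-sh--w-', '---ha-w-', '----a-r-':
    # 'd' directory, 's' system, 'h' hidden, 'a' archive, 'w'/'r' writable/read-only.
    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; return None for section headers, '.' spacer lines and noise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return Entry(m["created"], m["modified"], size, m["attrs"], m["path"])


HEX_NAME = re.compile(r"^[0-9a-f]{6,}$", re.IGNORECASE)
USER_LOCAL = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\", re.IGNORECASE)


def triage(entry: Entry) -> List[str]:
    """Return reasons the entry deserves a second look; an empty list means nothing odd."""
    reasons: List[str] = []
    low = entry.path.lower()
    if entry.is_dir and entry.hidden and entry.system:
        if USER_LOCAL.match(low) and HEX_NAME.match(entry.name):
            reasons.append("hidden+system directory with hex-style name under AppData\\Local")
        if low.startswith("c:\\windows\\system32\\"):
            reasons.append("hidden+system directory created under system32")
    if "%" in entry.name:
        reasons.append("name contains an unexpanded environment variable")
    return reasons


LOOPBACK = ("127.", "localhost", "[::1]")


def proxy_is_local(line: str) -> bool:
    """True when a 'ProxyServer' line sends browser traffic to the local host."""
    m = re.search(r"ProxyServer\s*=\s*(?P<value>\S+)", line)
    if not m:
        return False
    for part in m["value"].split(";"):
        host = part.split("=", 1)[-1]   # drop a leading 'http=' scheme prefix
        host = host.rsplit(":", 1)[0]   # drop the port
        if host.startswith(LOOPBACK):
            return True
    return False


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map each suspicious path (or the ProxyServer setting) to its reasons."""
    findings: Dict[str, List[str]] = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry:
            reasons = triage(entry)
            if reasons:
                findings[entry.path] = reasons
        elif proxy_is_local(line):
            findings["ProxyServer"] = ["proxy points at the local host"]
    return findings


# Sample lines copied from the ComboFix log in this thread (two benign, three suspicious).
SAMPLE_LOG = r"""
2011-12-17 16:43 . 2011-12-17 16:43 -------- d-----w- c:\program files\CCleaner
2011-12-19 02:59 . 2011-12-19 02:59 18944 ----a-r- c:\users\Brook\AppData\Roaming\Microsoft\Installer\{8F018A9E-56DE-4A79-A5EF-25F413F1D538}\IconBB6A16301.exe
2011-12-07 05:22 . 2011-12-07 05:22 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-12-07 01:22 . 2011-12-27 01:56 -------- d-sh--w- c:\users\Brook\AppData\Local\784b8e91
uInternet Settings,ProxyServer = http=127.0.0.1:58404
"""

if __name__ == "__main__":
    for path, reasons in triage_log(SAMPLE_LOG).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Run it on a whole ComboFix log by passing the file's text to `triage_log`; the three suspicious entries above are reported and the CCleaner and installer-icon lines are not. The rules are deliberately narrow (hidden+system is rarely set on user-created directories, and a loopback proxy that nobody configured is worth explaining) so the output stays short enough to read alongside the log.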

  7. #7
    Security Expert ken545
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Good Morning,

    It looks like Combofix removed the rootkit, how is your system behaving now, any more redirects?

    Run aswMBR again and post the NEW log.



    ESET Online Scanner
    I'd like us to scan your machine with ESET OnlineScan

    *Note
    It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



    1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    2. Click the button.
    3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      1. Click on to download the ESET Smart Installer. Save it to your desktop.
      2. Double click on the icon on your desktop.
    4. Check
    5. Click the button.
    6. Accept any security warnings from your browser.
    7. Check
    8. Make sure that the option "Remove found threats" is Unchecked
    9. Push the Start button.
    10. ESET will then download updates for itself, install itself, and begin
      scanning your computer. Please be patient as this can take some time.
    11. When the scan completes, push
    12. Push , and save the file to your desktop using a unique name, such as
      ESETScan. Include the contents of this report in your next reply.
    13. Push the button.
    14. Push
    Please make sure you include the following items in your next post:
    The log that was produced after running ESET Online Scanner.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  8. #8
    Junior Member
    Join Date
    Dec 2011
    Posts
    7

    Default

    First, it does seem to be gone. I'm not getting redirects anymore, and browsing was fast, responsive, and nice.

    When I downloaded the aswMBR.exe to my desktop and tried to open it I got the following message:

    "C:\Users\Brook\Desktop\aswMBR(1).exe

    Illegal operation attempted on a registry key that has been marked for deletion."

    In fact nearly every program I try to open comes up with that error.

    In addition, I checked to see if my Windows Firewall was enabled and/or working and the window for it was highlighted in red and said:

    "Windows Firewall is not using the recommended settings to protect your computer."

    When I tried clicking the button that says Use Recommended Settings, an error message pops up that reads: "Windows Firewall can't change some of your settings. Error code 0x80070424."

    I right clicked the asw EXE file and ran it as an Admin. Only by doing this was I able to run it. Log attached.

    ESET Scan resulted in finding 5 threats.


    aswMBR version 0.9.9.1120 Copyright(c) 2011 AVAST Software
    Run date: 2011-12-27 20:12:44
    -----------------------------
    20:12:44.416 OS Version: Windows x64 6.1.7601 Service Pack 1
    20:12:44.417 Number of processors: 4 586 0x100
    20:12:44.418 ComputerName: BROOK-HP UserName: Brook
    20:12:49.526 Initialize success
    20:21:49.021 AVAST engine defs: 11122702
    20:22:44.417 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000063
    20:22:44.417 Disk 0 Vendor: ST964032 0002 Size: 610480MB BusType: 11
    20:22:46.492 Disk 0 MBR read successfully
    20:22:46.492 Disk 0 MBR scan
    20:22:46.508 Disk 0 Windows 7 default MBR code
    20:22:46.523 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 199 MB offset 2048
    20:22:46.539 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 595243 MB offset 409600
    20:22:46.586 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 14933 MB offset 1219467264
    20:22:46.601 Disk 0 Partition 4 00 0C FAT32 LBA MSDOS5.0 103 MB offset 1250050048
    20:22:46.617 Service scanning
    20:22:47.693 Modules scanning
    20:22:47.693 Disk 0 trace - called modules:
    20:22:47.756 ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys amd_xata.sys storport.sys hal.dll amd_sata.sys
    20:22:47.756 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80060be060]
    20:22:47.771 3 CLASSPNP.SYS[fffff8800199c43f] -> nt!IofCallDriver -> [0xfffffa8005deeb10]
    20:22:47.771 5 hpdskflt.sys[fffff88001943361] -> nt!IofCallDriver -> [0xfffffa8005c71040]
    20:22:47.787 7 amd_xata.sys[fffff8800112e8f7] -> nt!IofCallDriver -> \Device\00000063[0xfffffa8005c75060]
    20:22:52.560 AVAST engine scan C:\Windows
    20:22:57.022 AVAST engine scan C:\Windows\system32
    20:24:56.971 AVAST engine scan C:\Windows\system32\drivers
    20:25:11.104 AVAST engine scan C:\Users\Brook
    20:26:29.026 AVAST engine scan C:\ProgramData
    20:26:59.634 Scan finished successfully
    20:28:06.979 Disk 0 MBR has been saved successfully to "C:\Users\Brook\Desktop\MBR.dat"
    20:28:06.994 The log file has been saved successfully to "C:\Users\Brook\Desktop\aswMBRlog2.txt"




    C:\Qoobox\Quarantine\C\Users\Brook\AppData\Local\784b8e91\U\80000000.@.vir Win64/Sirefef.P trojan cleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\Users\Brook\AppData\Local\784b8e91\U\800000cb.@.vir Win64/Sirefef.M trojan cleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\Users\Brook\AppData\Local\784b8e91\U\800000cf.@.vir Win64/Sirefef.O trojan cleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\Windows\System32\consrv.dll.vir Win64/Sirefef.G trojan cleaned by deleting - quarantined
    C:\Users\Brook\Downloads\asc-setup.exe a variant of Win32/Toolbar.Widgi application deleted - quarantined
    Last edited by ken545; 2011-12-28 at 11:02.

  9. #9
    Security Expert ken545
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Good Morning,

    Just copy and paste any logs we ask for into this thread, it's easier for us to analyse.

    You already had aswMBR on your desktop and you redownloaded it and it named it aswMBR(1).exe, that's why you got that error. The new log looks fine.


    ESET, line number 8

    8. Make sure that the option "Remove found threats" is Unchecked
    We put this in purposely in case it removes something legit by mistake, but you squeaked by on this one.

    All those files in Qoobox are just backups of what Combofix removed, we clean all that out as a final cleaning. Advanced System Care was removed and not needed.


    Any problems?

  10. #10
    Junior Member
    Join Date
    Dec 2011
    Posts
    7

    Default

    I don't seem to be experiencing those problems anymore, and everything works perfectly as far as I can tell.
