42 replies to this topic

[JMo]

Apparently, I am hit with some sort of spyware or rootkit. After only 2 minutes of scanning my laptop freezes/locks up. I am a System Engineer and I have a ton of admin utilities installed and configured. I can rebuild if necessary, but I would prefer to go through a little pain if we can clean this versus a total rebuild. If you have some suggestions I would be happy to try them. I have attached my last MalwareBytes log file that is several months old. I can't scan long enough now to generate a newer log. I will try to scan in Safe Mode too to see if that helps at all. Yesterday I ran the RootKit remover on your forumn but did not seem to resolve anything. Again any help is much appreciated!
Thanks!

Attached Files

•  Attach.txt   11.6K   16 downloads
•  DDS.txt   24.01K   19 downloads

[JMo]

Bummer no love yet :-(

[MrCharlie]

Welcome to the forum.

Please be patient......there's a lot of people who need help and few of us to give it....we do the best we can.

I see you have used ComboFix, can you post the log.

What RootKit remover did you use, can you post the log.

------------------------------

Please do this:

Please download and run RogueKiller.
Click Scan to scan the system (don't run any other options)
Post back the report.

-------------------------------

Please download Listparts
Run the tool, click Scan and post the log (Result.txt) it makes

MrC

[JMo]

Here is the Roguekiller report.

Attached Files

•  RKreport1.txt   1.28K   14 downloads

[JMo]

Here is the Listparts report.

Attached Files

•  Result.txt   1.66K   13 downloads

[JMo]

Here is both the Combofix log and the TDSSKiller log


ComboFix 12-01-29.02 - Username 01/29/2012 17:09:26.1.4 - x86
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.3241.1944 [GMT -5:00]
Running from: c:\users\Username\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Username\AppData\Roaming\Microsoft\Windows\Recent\SAP Citrix Logon.url
c:\windows\system32\instsrv.exe
c:\windows\system32\SETC4E0.tmp
.
.
((((((((((((((((((((((((( Files Created from 2011-12-28 to 2012-01-29 )))))))))))))))))))))))))))))))
.
.
2012-01-29 22:15 . 2012-01-29 22:15 -------- d-----w- c:\users\suUsername\AppData\Local\temp
2012-01-29 22:15 . 2012-01-29 22:15 -------- d-----w- c:\users\Username\AppData\Local\temp
2012-01-29 22:15 . 2012-01-29 22:15 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-29 21:22 . 2012-01-29 21:22 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-01-24 19:35 . 2012-01-24 19:35 -------- d-----w- c:\program files\iPod
2012-01-24 19:35 . 2012-01-24 19:35 -------- d-----w- c:\program files\iTunes
2012-01-17 17:26 . 2012-01-17 17:26 -------- d-----w- C:\.cisco_mds9000
2012-01-17 17:25 . 2012-01-17 21:07 -------- d-----w- c:\users\Username\.cisco_mds9000
2012-01-17 17:13 . 2012-01-17 17:24 -------- d-----w- c:\program files\Common Files\Java
2012-01-17 17:13 . 2012-01-17 17:12 637848 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-01-16 21:24 . 2012-01-16 21:24 -------- d-----w- c:\program files\WebEx
2012-01-16 16:32 . 2012-01-16 16:32 215864 ----a-w- c:\windows\system32\atsckernel.exe
2012-01-16 16:32 . 2012-01-16 16:32 133944 ----a-w- c:\windows\system32\atashost.exe
2012-01-11 08:01 . 2011-11-17 05:38 1288472 ----a-w- c:\windows\system32\ntdll.dll
2012-01-11 08:01 . 2011-11-19 14:01 67072 ----a-w- c:\windows\system32\packager.dll
2012-01-11 08:01 . 2011-10-26 04:32 514560 ----a-w- c:\windows\system32\qdvd.dll
2012-01-11 08:01 . 2011-10-26 04:32 1328128 ----a-w- c:\windows\system32\quartz.dll
2012-01-11 08:00 . 2011-11-17 05:29 22528 ----a-w- c:\windows\system32\lsass.exe
2012-01-11 08:00 . 2011-11-17 05:34 15872 ----a-w- c:\windows\system32\sspisrv.dll
2012-01-11 08:00 . 2011-11-17 05:34 100352 ----a-w- c:\windows\system32\sspicli.dll
2012-01-11 08:00 . 2011-11-17 05:34 224768 ----a-w- c:\windows\system32\schannel.dll
2012-01-11 08:00 . 2011-11-17 05:34 22016 ----a-w- c:\windows\system32\secur32.dll
2012-01-11 08:00 . 2011-11-17 05:41 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-11 08:00 . 2011-11-17 05:41 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-01-11 08:00 . 2011-11-17 05:35 314880 ----a-w- c:\windows\system32\webio.dll
2012-01-11 08:00 . 2011-11-17 05:32 1038848 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-11 08:00 . 2011-11-17 05:39 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-01-09 12:26 . 2011-10-26 04:28 38912 ----a-w- c:\windows\system32\csrsrv.dll
2012-01-09 12:26 . 2011-10-15 05:38 534528 ----a-w- c:\windows\system32\EncDec.dll
2012-01-09 12:26 . 2011-10-26 04:47 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-01-09 12:26 . 2011-10-26 04:47 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-01-05 22:44 . 2012-01-05 22:44 -------- d-----w- c:\users\Username\AppData\Roaming\TeamViewer
2012-01-04 21:10 . 2012-01-04 22:02 -------- d-----w- C:\IBM_Support
2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-17 17:12 . 2011-11-28 05:20 567184 ----a-w- c:\windows\system32\deployJava1.dll
2011-12-10 20:24 . 2011-11-28 05:32 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-30 17:04 . 2011-11-30 17:05 627712 ----a-w- c:\windows\system32\gpprefbr.dll
2011-11-30 17:04 . 2011-11-30 17:05 2548736 ----a-w- c:\windows\system32\propshts.dll
2011-11-30 17:04 . 2011-11-30 17:05 225280 ----a-w- c:\windows\system32\gpregistrybrowser.dll
2011-11-30 17:04 . 2011-11-30 17:05 166400 ----a-w- c:\windows\system32\gpprefcn.dll
2011-11-30 17:04 . 2011-11-30 17:05 4342784 ----a-w- c:\windows\system32\gppref.dll
2011-11-28 17:46 . 2011-11-28 17:46 39936 ----a-r- c:\users\Username\AppData\Roaming\Microsoft\Installer\{B6CEAC47-E909-4AC2-A077-0EFCFECBD6D5}\IconCFC105E3.exe
2011-11-28 17:46 . 2011-11-28 17:46 27136 ----a-r- c:\users\Username\AppData\Roaming\Microsoft\Installer\{B6CEAC47-E909-4AC2-A077-0EFCFECBD6D5}\Icon0FF7A68B.exe
2011-11-28 05:31 . 2011-11-28 05:31 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-28 04:50 . 2011-11-28 04:50 45056 ----a-w- c:\windows\GETSIDSV.EXE
2011-11-28 01:40 . 2011-11-28 01:40 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-11-27 23:16 . 2011-11-27 22:48 97140568 ----a-w- c:\users\Username\AppData\Roaming\NIC_DRVR_WIN_A01_R294111.EXE
2011-11-27 22:21 . 2011-11-27 22:25 20008 ----a-w- c:\windows\system32\btwcoins.dll
2007-12-11 13:55 . 2011-11-28 21:20 3125248 ----a-w- c:\program files\Common Files\sapxlhelper.dll
2007-12-11 13:55 . 2011-11-28 21:20 192512 ----a-w- c:\program files\Common Files\sapconsr3.dll
2007-12-11 13:55 . 2011-11-28 21:20 626688 ----a-w- c:\program files\Common Files\sapconsaccess.dll
2007-12-11 13:55 . 2011-11-28 21:20 40960 ----a-w- c:\program files\Common Files\DigitalSignature.ocx
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 21:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Username\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Username\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Username\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Username\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]
"Cisco Unified Personal Communicator"="c:\progra~1\CISCOS~1\CISCOU~1\CUPCK9.exe" [2011-02-10 10571776]
"OfficeSyncProcess"="c:\program files\Microsoft Office\Office14\MSOSYNC.EXE" [2011-07-22 718720]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2009-07-14 354304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2011-01-25 536668]
"IMSS"="c:\program files\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [2011-08-09 112408]
"NUSB3MON"="c:\program files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-11-17 113288]
"FreeFallProtection"="c:\program files\STMicroelectronics\AccelerometerP11\FF_Protection.exe" [2011-07-25 686704]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-09-01 142616]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-09-01 177432]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-09-01 176408]
"IntelPROSet"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2010-12-23 1210640]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-01-09 115560]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2011-04-25 305088]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-05-28 570664]
"KeePass 2 PreLoad"="c:\program files\KeePass Password Safe 2\KeePass.exe" [2011-10-19 1807360]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-09-30 252296]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
.
c:\users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Username\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-8-22 24182896]
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2011-11-28 576000]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Dell System Manager.lnk - c:\program files\Dell\Dell System Manager\DCPSysMgr.exe [2011-1-20 1459056]
Online plug-in.lnk - c:\windows\Installer\{E7C5763F-948D-453B-9138-4A8F552B3CE3}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe [2011-11-27 77824]
VPN Client.lnk - c:\windows\Installer\{F3C1DE9E-5E16-4BA9-B854-7B53A45E3579}\Icon3E5562ED7.ico [2011-11-27 6144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 1 (0x1)
"NoPublishingWizard"= 1 (0x1)
"NoWebServices"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-678534749-3701800566-368163579-9197\Scripts\Logon\0\0]
"Script"=CreateIntranetLink.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-678534749-3701800566-368163579-9197\Scripts\Logon\1\0]
"Script"=\\jle\netlogon\softwareaudit.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-678534749-3701800566-368163579-9197\Scripts\Logon\2\0]
"Script"=\\jle\netlogon\LogConnection.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-678534749-3701800566-368163579-9197\Scripts\Logon\3\0]
"Script"=\\jle\netlogon\OrgLogon.vbs
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 FMPersist;Cisco MDS Database Server;c:\program files\Cisco Systems\MDS 9000\bin\Wrapper.exe [2012-01-17 110592]
R2 FMServer;Cisco MDS Fabric Manager;c:\program files\Cisco Systems\MDS 9000\bin\Wrapper.exe [2012-01-17 110592]
R2 O2SDIOAssist;O2SDIOAssist;c:\windows\system32\srvany.exe [2003-04-18 8192]
R3 bmdrvr;Modified Clusters Tracking Driver;c:\windows\system32\drivers\bmdrvr.sys [2009-11-05 34096]
R3 bpenum;Intel® Centrino® WiMAX Enumerator;c:\windows\system32\DRIVERS\bpenum.sys [2010-10-26 60416]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-01-29 40776]
R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl.sys [2011-08-02 18432]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [2010-11-20 77184]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-20 25600]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-20 112640]
R3 USA19H;USA19H;c:\windows\system32\DRIVERS\USA19H2k.sys [2007-10-30 704000]
R3 USA19H2KP;Keyspan USB Serial Port Driver;c:\windows\system32\DRIVERS\USA19H2kp.SYS [2007-05-30 24192]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-11-28 1343400]
R3 ZcfgSvc7;Intel® PROSet/Wireless ZeroConfig Service;c:\program files\Intel\WiFi\bin\ZCfgSvc7.exe [2010-12-23 577536]
S0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdcfltn.sys [2011-07-16 17904]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [2011-04-25 65584]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 ADAM_instance1;instance1;c:\windows\System32\dsamain.exe [2010-02-05 9216]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\aestsrv.exe [2009-03-03 81920]
S2 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [2012-01-16 133944]
S2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [2011-01-26 826272]
S2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [2011-01-26 32160]
S2 dcpsysmgrsvc;Dell System Manager Service;c:\program files\Dell\Dell System Manager\DCPSysMgrSvc.exe [2011-01-20 388464]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35088]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-08-09 2656536]
S2 vmware-converter-agent;VMware vCenter Converter Standalone Agent;c:\program files\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe [2010-08-24 444976]
S2 vmware-converter-server;VMware vCenter Converter Standalone Server;c:\program files\VMware\VMware vCenter Converter Standalone\vmware-converter.exe [2010-08-24 444976]
S2 vmware-converter-worker;VMware vCenter Converter Standalone Worker;c:\program files\VMware\VMware vCenter Converter Standalone\vmware-converter.exe [2010-08-24 444976]
S2 vstor2-mntapi10-shared;Vstor2 MntApi 1.0 Driver (shared);c:\windows\system32\drivers\vstor2-mntapi10-shared.sys [2009-11-05 22704]
S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\accelern.sys [2011-07-22 44144]
S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys [2010-08-24 33832]
S3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;c:\windows\system32\DRIVERS\e1c6232.sys [2011-07-20 268968]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-11-15 106104]
S3 MEI;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [2010-10-19 41088]
S3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [2010-12-21 7434240]
S3 O2MDFRDR;O2MDFRDR;c:\windows\system32\DRIVERS\O2MDFw7.sys [2011-01-04 60904]
S3 O2SDJRDR;O2SDJRDR;c:\windows\system32\DRIVERS\o2sdjw7.sys [2011-03-23 63976]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-678534749-3701800566-368163579-9197Core.job
- c:\users\Username\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-28 16:28]
.
2012-01-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-678534749-3701800566-368163579-9197UA.job
- c:\users\Username\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-28 16:28]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
Trusted Zone: box.net
Trusted Zone: excite.com
Trusted Zone: excite.com\my
Trusted Zone: microsoft.com
Trusted Zone: thecuso.info
Trusted Zone: box.net
Trusted Zone: excite.com
Trusted Zone: excite.com\my
Trusted Zone: microsoft.com
Trusted Zone: thecuso.info
TCP: DhcpNameServer = 192.168.1.100 192.168.1.121 4.2.2.2
DPF: {74233DB3-F72F-44EA-94DC-258A624037E6} - hxxp://coleaexhd.coleman.com/aspnet_client/Altiris_AppWeaver/6_0_sp3/lib/VSFlex8.CAB
DPF: {9F1C0B35-8230-4176-8B99-5C2485121A4E} - hxxp://172.29.180.78/program/SNCActiveXViewer.cab
DPF: {FDF527BA-DDDA-11D3-AA82-006094EB09CB} - hxxp://coleaexhd.coleman.com/aspnet_client/Altiris_AppWeaver/6_0_sp3/lib/AeXClipboard.CAB
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-Symantec Antvirus
AddRemove-Cisco Unified Presenter Add-in 6x5 - c:\users\Username\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\ciscounifiedaddin6x5\ciscounifiedaddin6x5 -uninstall
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ADAM_instance1]
"ImagePath"="%SystemRoot%\System32\dsamain.exe -sn:instance1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-01-29 17:17:38
ComboFix-quarantined-files.txt 2012-01-29 22:17
.
Pre-Run: 189,453,918,208 bytes free
Post-Run: 191,540,797,440 bytes free
.
- - End Of File - - C22B623651FA363C84FE923469CC64F7

Attached Files

•  ComboFix2.txt   20.31K   14 downloads
•  TDSSKiller.txt   11.88K   8 downloads

[JMo]

 MrCharlie, on 01 February 2012 - 02:36 PM, said:

Welcome to the forum.

Please be patient......there's a lot of people who need help and few of us to give it....we do the best we can.

I see you have used ComboFix, can you post the log.

What RootKit remover did you use, can you post the log.

------------------------------

Please do this:

Please download and run RogueKiller.
Click Scan to scan the system (don't run any other options)
Post back the report.

-------------------------------

Please download Listparts
Run the tool, click Scan and post the log (Result.txt) it makes

MrC

I really appreciate the help! I understand having tons of people to support with limited resources, I do it everyday :-) I just have domain admin rights and don't want to be infecting our network if I have something that can propagate. I haven't really seen anything abnormal yet like browser hijacks, redirects, or popups, but that does not mean that I don't have something. It's just odd that I can't get through MalwareBytes scan like I use too.

My home network had the System Check virus/Malware on an old XP machine. I couldn't totally clean it, so I copied off my files and rebuilt it as a Ubuntu box. My Windows 2003 server seems fine though. So it might be possible that I have some reminents of that infection on my work laptop. I am running Windows 7 fully patched with SEP v11 MR5.

Again thanks for all that you guys do it's a valuable service that you provide. Keep up the great work!

[MrCharlie]

Things look pretty good some far.

Can you find any trace of that file that MB gets hung up on?

-------------------------


Please download OTL from one of the links below:
http://oldtimer.geekstogo.com/OTL.exe
http://oldtimer.geekstogo.com/OTL.com (<---renamed version)


Run OTL (the computer will reboot)

• Under the Custom Scans/Fixes box at the bottom, paste in the following

  :OTL
  :Commands
  [emptytemp]

  
  
• Then click the Run Fix button at the top
  
• Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  
• Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

--------------------------

Run this scanner: SUPERAntiSpyware Portable Scanner

http://www.superanti...blescanner.html

You can just download it to your computer and run it, no need to put it on an usb drive.

Let me know, MrC

[JMo]

This one found 123 infections mostly tracking cookies.

Attached Files

•  SUPERAntiSpyware Scan Log - 02-02-2012 - 13-32-21.log   12.74K   8 downloads

[MrCharlie]

Yes SAS targets cookies and MB doesn't.

Did you run OTL to clean out temp files?

Were you able to locate that file?

Have you tried running MB again?

Let me know, MrC

[JMo]

MrC,
I have a HR video that is two hours long and I have 3/4 of the way done. I read the OL restarts your computer automatically so I haven't ran that one yet because I don't want to blow away my place in the HR video. Should be finished up within an hour then I will run the other util and post.
Thanks!

[MrCharlie]

If you do find that file, we could try to delete it or put it in MB Ignore List.

Make sure you have show hidden files enabled.

MrC

[JMo]

I tried Malwarebytes again and it hung after about 6 minutes. Same bogus jiberish file path as the screenshot above. I ensured that my folders were unhidden in explorer and that folder does not exist. Obviously it's pulling that from the registry somewhere.

Attached Files

•  02022012_162503.log   2.91K   11 downloads
•  OTL.Txt   117.66K   12 downloads

[MrCharlie]

I wonder if this is the problem??

[2012/01/17 19:33:34 | 000,017,070 | ---- | M] () -- C:\Johns_JLEPass.kdbx

also this;

C:\.cisco_mds9000

MrC

[JMo]

No the JLEPass.kdbx is KeePass encrypted database for password. The other program is to manage my fiber fabric. If you are running out of utils then I may just have to rebuild it. Let me know your thoughts.
Thanks!

[MrCharlie]

Did you remove them or move them and see if MB still hangs?? MrC

[MrCharlie]

Please try this:

Open up MB and click on the Ignore List > Add > Navigate to these two files and add them to the Ignore List.

C:\.cisco_mds9000

C:\Johns_JLEPass.kdbx

Now try to run a scan with MBAM

Let me know, MrC

[JMo]

I exclude the database and the Cisco folder with no avail. My machine froze after about 2 mins of MB scan.

[JMo]

I am wondering if it's because of drive encryption (Win 7 Bitlocker) I am going to install on another Bitlocked laptop with a fresh build. I will keep ya posted.

[JMo]

No it was able to scan the other Bitlocked machine. So I have no clue.