JMo

MalwareBytes freezes on a file path of gibberish characters

43 posts in this topic

Apparently, I am hit with some sort of spyware or rootkit. After only 2 minutes of scanning my laptop freezes/locks up. I am a System Engineer and I have a ton of admin utilities installed and configured. I can rebuild if necessary, but I would prefer to go through a little pain if we can clean this versus a total rebuild. If you have some suggestions I would be happy to try them. I have attached my last MalwareBytes log file that is several months old. I can't scan long enough now to generate a newer log. I will try to scan in Safe Mode too to see if that helps at all. Yesterday I ran the RootKit remover on your forum but it did not seem to resolve anything. Again, any help is much appreciated!

Thanks!

Malware.JPG

Attach.txt

DDS.txt

Welcome to the forum.

Please be patient......there's a lot of people who need help and few of us to give it....we do the best we can.

I see you have used ComboFix, can you post the log.

What RootKit remover did you use, can you post the log.

------------------------------

Please do this:

Please download and run RogueKiller.

Click Scan to scan the system (don't run any other options)

Post back the report.

-------------------------------

Please download Listparts

Run the tool, click Scan and post the log (Result.txt) it makes

MrC

Here are both the ComboFix log and the TDSSKiller log:

ComboFix 12-01-29.02 - Username 01/29/2012 17:09:26.1.4 - x86

Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.3241.1944 [GMT -5:00]

Running from: c:\users\Username\Desktop\ComboFix.exe

AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}

SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\Username\AppData\Roaming\Microsoft\Windows\Recent\SAP Citrix Logon.url

c:\windows\system32\instsrv.exe

c:\windows\system32\SETC4E0.tmp

.

.

((((((((((((((((((((((((( Files Created from 2011-12-28 to 2012-01-29 )))))))))))))))))))))))))))))))

.

.

2012-01-29 22:15 . 2012-01-29 22:15 -------- d-----w- c:\users\suUsername\AppData\Local\temp

2012-01-29 22:15 . 2012-01-29 22:15 -------- d-----w- c:\users\Username\AppData\Local\temp

2012-01-29 22:15 . 2012-01-29 22:15 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-01-29 21:22 . 2012-01-29 21:22 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2012-01-24 19:35 . 2012-01-24 19:35 -------- d-----w- c:\program files\iPod

2012-01-24 19:35 . 2012-01-24 19:35 -------- d-----w- c:\program files\iTunes

2012-01-17 17:26 . 2012-01-17 17:26 -------- d-----w- C:\.cisco_mds9000

2012-01-17 17:25 . 2012-01-17 21:07 -------- d-----w- c:\users\Username\.cisco_mds9000

2012-01-17 17:13 . 2012-01-17 17:24 -------- d-----w- c:\program files\Common Files\Java

2012-01-17 17:13 . 2012-01-17 17:12 637848 ----a-w- c:\windows\system32\npdeployJava1.dll

2012-01-16 21:24 . 2012-01-16 21:24 -------- d-----w- c:\program files\WebEx

2012-01-16 16:32 . 2012-01-16 16:32 215864 ----a-w- c:\windows\system32\atsckernel.exe

2012-01-16 16:32 . 2012-01-16 16:32 133944 ----a-w- c:\windows\system32\atashost.exe

2012-01-11 08:01 . 2011-11-17 05:38 1288472 ----a-w- c:\windows\system32\ntdll.dll

2012-01-11 08:01 . 2011-11-19 14:01 67072 ----a-w- c:\windows\system32\packager.dll

2012-01-11 08:01 . 2011-10-26 04:32 514560 ----a-w- c:\windows\system32\qdvd.dll

2012-01-11 08:01 . 2011-10-26 04:32 1328128 ----a-w- c:\windows\system32\quartz.dll

2012-01-11 08:00 . 2011-11-17 05:29 22528 ----a-w- c:\windows\system32\lsass.exe

2012-01-11 08:00 . 2011-11-17 05:34 15872 ----a-w- c:\windows\system32\sspisrv.dll

2012-01-11 08:00 . 2011-11-17 05:34 100352 ----a-w- c:\windows\system32\sspicli.dll

2012-01-11 08:00 . 2011-11-17 05:34 224768 ----a-w- c:\windows\system32\schannel.dll

2012-01-11 08:00 . 2011-11-17 05:34 22016 ----a-w- c:\windows\system32\secur32.dll

2012-01-11 08:00 . 2011-11-17 05:41 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2012-01-11 08:00 . 2011-11-17 05:41 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys

2012-01-11 08:00 . 2011-11-17 05:35 314880 ----a-w- c:\windows\system32\webio.dll

2012-01-11 08:00 . 2011-11-17 05:32 1038848 ----a-w- c:\windows\system32\lsasrv.dll

2012-01-11 08:00 . 2011-11-17 05:39 369352 ----a-w- c:\windows\system32\drivers\cng.sys

2012-01-09 12:26 . 2011-10-26 04:28 38912 ----a-w- c:\windows\system32\csrsrv.dll

2012-01-09 12:26 . 2011-10-15 05:38 534528 ----a-w- c:\windows\system32\EncDec.dll

2012-01-09 12:26 . 2011-10-26 04:47 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe

2012-01-09 12:26 . 2011-10-26 04:47 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-01-05 22:44 . 2012-01-05 22:44 -------- d-----w- c:\users\Username\AppData\Roaming\TeamViewer

2012-01-04 21:10 . 2012-01-04 22:02 -------- d-----w- C:\IBM_Support

2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-01-17 17:12 . 2011-11-28 05:20 567184 ----a-w- c:\windows\system32\deployJava1.dll

2011-12-10 20:24 . 2011-11-28 05:32 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-30 17:04 . 2011-11-30 17:05 627712 ----a-w- c:\windows\system32\gpprefbr.dll

2011-11-30 17:04 . 2011-11-30 17:05 2548736 ----a-w- c:\windows\system32\propshts.dll

2011-11-30 17:04 . 2011-11-30 17:05 225280 ----a-w- c:\windows\system32\gpregistrybrowser.dll

2011-11-30 17:04 . 2011-11-30 17:05 166400 ----a-w- c:\windows\system32\gpprefcn.dll

2011-11-30 17:04 . 2011-11-30 17:05 4342784 ----a-w- c:\windows\system32\gppref.dll

2011-11-28 17:46 . 2011-11-28 17:46 39936 ----a-r- c:\users\Username\AppData\Roaming\Microsoft\Installer\{B6CEAC47-E909-4AC2-A077-0EFCFECBD6D5}\IconCFC105E3.exe

2011-11-28 17:46 . 2011-11-28 17:46 27136 ----a-r- c:\users\Username\AppData\Roaming\Microsoft\Installer\{B6CEAC47-E909-4AC2-A077-0EFCFECBD6D5}\Icon0FF7A68B.exe

2011-11-28 05:31 . 2011-11-28 05:31 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-11-28 04:50 . 2011-11-28 04:50 45056 ----a-w- c:\windows\GETSIDSV.EXE

2011-11-28 01:40 . 2011-11-28 01:40 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2011-11-27 23:16 . 2011-11-27 22:48 97140568 ----a-w- c:\users\Username\AppData\Roaming\NIC_DRVR_WIN_A01_R294111.EXE

2011-11-27 22:21 . 2011-11-27 22:25 20008 ----a-w- c:\windows\system32\btwcoins.dll

2007-12-11 13:55 . 2011-11-28 21:20 3125248 ----a-w- c:\program files\Common Files\sapxlhelper.dll

2007-12-11 13:55 . 2011-11-28 21:20 192512 ----a-w- c:\program files\Common Files\sapconsr3.dll

2007-12-11 13:55 . 2011-11-28 21:20 626688 ----a-w- c:\program files\Common Files\sapconsaccess.dll

2007-12-11 13:55 . 2011-11-28 21:20 40960 ----a-w- c:\program files\Common Files\DigitalSignature.ocx

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2010-02-04 21:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

.

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

.

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\users\Username\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\users\Username\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\users\Username\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\users\Username\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]

"Cisco Unified Personal Communicator"="c:\progra~1\CISCOS~1\CISCOU~1\CUPCK9.exe" [2011-02-10 10571776]

"OfficeSyncProcess"="c:\program files\Microsoft Office\Office14\MSOSYNC.EXE" [2011-07-22 718720]

"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2009-07-14 354304]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2011-01-25 536668]

"IMSS"="c:\program files\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [2011-08-09 112408]

"NUSB3MON"="c:\program files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-11-17 113288]

"FreeFallProtection"="c:\program files\STMicroelectronics\AccelerometerP11\FF_Protection.exe" [2011-07-25 686704]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-09-01 142616]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-09-01 177432]

"Persistence"="c:\windows\system32\igfxpers.exe" [2011-09-01 176408]

"IntelPROSet"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2010-12-23 1210640]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-01-09 115560]

"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2011-04-25 305088]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-05-28 570664]

"KeePass 2 PreLoad"="c:\program files\KeePass Password Safe 2\KeePass.exe" [2011-10-19 1807360]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]

"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-09-30 252296]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]

.

c:\users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dropbox.lnk - c:\users\Username\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-8-22 24182896]

MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2011-11-28 576000]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Dell System Manager.lnk - c:\program files\Dell\Dell System Manager\DCPSysMgr.exe [2011-1-20 1459056]

Online plug-in.lnk - c:\windows\Installer\{E7C5763F-948D-453B-9138-4A8F552B3CE3}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe [2011-11-27 77824]

VPN Client.lnk - c:\windows\Installer\{F3C1DE9E-5E16-4BA9-B854-7B53A45E3579}\Icon3E5562ED7.ico [2011-11-27 6144]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoMSAppLogo5ChannelNotify"= 1 (0x1)

"NoPublishingWizard"= 1 (0x1)

"NoWebServices"= 1 (0x1)

"NoWelcomeScreen"= 1 (0x1)

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceStartMenuLogOff"= 1 (0x1)

"NoWelcomeScreen"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-678534749-3701800566-368163579-9197\Scripts\Logon\0\0]

"Script"=CreateIntranetLink.vbs

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-678534749-3701800566-368163579-9197\Scripts\Logon\1\0]

"Script"=\\jle\netlogon\softwareaudit.vbs

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-678534749-3701800566-368163579-9197\Scripts\Logon\2\0]

"Script"=\\jle\netlogon\LogConnection.vbs

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-678534749-3701800566-368163579-9197\Scripts\Logon\3\0]

"Script"=\\jle\netlogon\OrgLogon.vbs

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

R2 FMPersist;Cisco MDS Database Server;c:\program files\Cisco Systems\MDS 9000\bin\Wrapper.exe [2012-01-17 110592]

R2 FMServer;Cisco MDS Fabric Manager;c:\program files\Cisco Systems\MDS 9000\bin\Wrapper.exe [2012-01-17 110592]

R2 O2SDIOAssist;O2SDIOAssist;c:\windows\system32\srvany.exe [2003-04-18 8192]

R3 bmdrvr;Modified Clusters Tracking Driver;c:\windows\system32\drivers\bmdrvr.sys [2009-11-05 34096]

R3 bpenum;Intel® Centrino® WiMAX Enumerator;c:\windows\system32\DRIVERS\bpenum.sys [2010-10-26 60416]

R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]

R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-01-29 40776]

R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl.sys [2011-08-02 18432]

R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]

R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [2010-11-20 77184]

R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-20 25600]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]

R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-20 112640]

R3 USA19H;USA19H;c:\windows\system32\DRIVERS\USA19H2k.sys [2007-10-30 704000]

R3 USA19H2KP;Keyspan USB Serial Port Driver;c:\windows\system32\DRIVERS\USA19H2kp.SYS [2007-05-30 24192]

R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-11-28 1343400]

R3 ZcfgSvc7;Intel® PROSet/Wireless ZeroConfig Service;c:\program files\Intel\WiFi\bin\ZCfgSvc7.exe [2010-12-23 577536]

S0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdcfltn.sys [2011-07-16 17904]

S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [2011-04-25 65584]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]

S2 ADAM_instance1;instance1;c:\windows\System32\dsamain.exe [2010-02-05 9216]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]

S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\aestsrv.exe [2009-03-03 81920]

S2 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [2012-01-16 133944]

S2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [2011-01-26 826272]

S2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [2011-01-26 32160]

S2 dcpsysmgrsvc;Dell System Manager Service;c:\program files\Dell\Dell System Manager\DCPSysMgrSvc.exe [2011-01-20 388464]

S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35088]

S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-08-09 2656536]

S2 vmware-converter-agent;VMware vCenter Converter Standalone Agent;c:\program files\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe [2010-08-24 444976]

S2 vmware-converter-server;VMware vCenter Converter Standalone Server;c:\program files\VMware\VMware vCenter Converter Standalone\vmware-converter.exe [2010-08-24 444976]

S2 vmware-converter-worker;VMware vCenter Converter Standalone Worker;c:\program files\VMware\VMware vCenter Converter Standalone\vmware-converter.exe [2010-08-24 444976]

S2 vstor2-mntapi10-shared;Vstor2 MntApi 1.0 Driver (shared);c:\windows\system32\drivers\vstor2-mntapi10-shared.sys [2009-11-05 22704]

S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\accelern.sys [2011-07-22 44144]

S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys [2010-08-24 33832]

S3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;c:\windows\system32\DRIVERS\e1c6232.sys [2011-07-20 268968]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-11-15 106104]

S3 MEI;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [2010-10-19 41088]

S3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [2010-12-21 7434240]

S3 O2MDFRDR;O2MDFRDR;c:\windows\system32\DRIVERS\O2MDFw7.sys [2011-01-04 60904]

S3 O2SDJRDR;O2SDJRDR;c:\windows\system32\DRIVERS\o2sdjw7.sys [2011-03-23 63976]

S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

.

2012-01-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-678534749-3701800566-368163579-9197Core.job

- c:\users\Username\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-28 16:28]

.

2012-01-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-678534749-3701800566-368163579-9197UA.job

- c:\users\Username\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-28 16:28]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105

Trusted Zone: box.net

Trusted Zone: excite.com

Trusted Zone: excite.com\my

Trusted Zone: microsoft.com

Trusted Zone: thecuso.info

Trusted Zone: box.net

Trusted Zone: excite.com

Trusted Zone: excite.com\my

Trusted Zone: microsoft.com

Trusted Zone: thecuso.info

TCP: DhcpNameServer = 192.168.1.100 192.168.1.121 4.2.2.2

DPF: {74233DB3-F72F-44EA-94DC-258A624037E6} - hxxp://coleaexhd.coleman.com/aspnet_client/Altiris_AppWeaver/6_0_sp3/lib/VSFlex8.CAB

DPF: {9F1C0B35-8230-4176-8B99-5C2485121A4E} - hxxp://172.29.180.78/program/SNCActiveXViewer.cab

DPF: {FDF527BA-DDDA-11D3-AA82-006094EB09CB} - hxxp://coleaexhd.coleman.com/aspnet_client/Altiris_AppWeaver/6_0_sp3/lib/AeXClipboard.CAB

.

- - - - ORPHANS REMOVED - - - -

.

SafeBoot-Symantec Antvirus

AddRemove-Cisco Unified Presenter Add-in 6x5 - c:\users\Username\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\ciscounifiedaddin6x5\ciscounifiedaddin6x5 -uninstall

.

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ADAM_instance1]

"ImagePath"="%SystemRoot%\System32\dsamain.exe -sn:instance1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2012-01-29 17:17:38

ComboFix-quarantined-files.txt 2012-01-29 22:17

.

Pre-Run: 189,453,918,208 bytes free

Post-Run: 191,540,797,440 bytes free

.

- - End Of File - - C22B623651FA363C84FE923469CC64F7

ComboFix2.txt

TDSSKiller.txt
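The ComboFix log above is a plain text dump that a helper reads by eye. As an added example (my own code, not ComboFix's, Malwarebytes' or the poster's), here is a small Python parser for three of its line formats (file entries, service entries, policy values) plus a triage pass that flags what a helper looks at first. The regexes and the sample lines are my construction modelled on the format in the log; the flags are heuristics, not ComboFix's own verdicts.

```python
"""Parse ComboFix log lines into records and flag items worth a second look.

Added example: the line formats are modelled on the log posted above
(file rows: "created . modified size attrs path"; service rows:
"R3 name;display;path [date size]" or "[x]" when the binary is missing;
policy rows: '"Key"= 0 (0x0)'). The regexes and sample are constructed here.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-{8}|\d+) (?P<attrs>\S{8}) (?P<path>.+)$"
)
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) "
    r"\[(?P<info>[^\]]*)\]$"
)
POLICY_RE = re.compile(r'^"(?P<key>[^"]+)"= (?P<value>\d+) \(0x[0-9a-fA-F]+\)$')


@dataclass
class FileEntry:
    created: str
    modified: str
    size: Optional[int]   # None for directories, which ComboFix prints as "--------"
    attrs: str
    path: str
    is_dir: bool


@dataclass
class ServiceEntry:
    state: str            # R = running, S = stopped, digit = start type
    name: str
    display: str
    path: str
    file_present: bool    # ComboFix prints "[x]" when the service binary is missing


Entry = Union[FileEntry, ServiceEntry, Tuple[str, int]]


def parse_line(line: str) -> Optional[Entry]:
    """Return a FileEntry, ServiceEntry or (policy_key, value) tuple, else None."""
    m = FILE_RE.match(line)
    if m:
        size = None if m["size"].startswith("-") else int(m["size"])
        return FileEntry(m["created"], m["modified"], size, m["attrs"],
                         m["path"], m["attrs"].startswith("d"))
    m = SERVICE_RE.match(line)
    if m:
        return ServiceEntry(m["state"], m["name"], m["display"], m["path"],
                            m["info"] != "x")
    m = POLICY_RE.match(line)
    if m:
        return (m["key"], int(m["value"]))
    return None


def parse_log(text: str) -> List[Entry]:
    """Parse every recognised line; headers, dots and blanks are skipped."""
    return [e for e in (parse_line(l.strip()) for l in text.splitlines()) if e is not None]


def triage(text: str) -> List[str]:
    """Heuristic flags: missing service binaries, UAC off, new top-level directories."""
    findings = []
    for e in parse_log(text):
        if isinstance(e, ServiceEntry) and not e.file_present:
            findings.append(f"service {e.name}: binary missing at {e.path}")
        elif isinstance(e, FileEntry) and e.is_dir and e.path.count("\\") == 1:
            findings.append(f"new top-level directory {e.path}")
        elif isinstance(e, tuple) and e == ("EnableLUA", 0):
            findings.append("UAC disabled (EnableLUA=0)")
    return findings


# Constructed sample in the log's own format (a handful of rows, not the full log).
SAMPLE = r"""
2012-01-29 21:22 . 2012-01-29 21:22 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-01-17 17:26 . 2012-01-17 17:26 -------- d-----w- C:\.cisco_mds9000
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-01-29 40776]
"EnableLUA"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Run it against a saved ComboFix.txt by passing the file contents to `triage()`; a missing-binary flag on an orphaned driver entry is common and benign, so the output is a reading list, not a verdict.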

I really appreciate the help! I understand having tons of people to support with limited resources, I do it everyday :-) I just have domain admin rights and don't want to be infecting our network if I have something that can propagate. I haven't really seen anything abnormal yet like browser hijacks, redirects, or popups, but that does not mean that I don't have something. It's just odd that I can't get through MalwareBytes scan like I use too.

My home network had the System Check virus/malware on an old XP machine. I couldn't totally clean it, so I copied off my files and rebuilt it as a Ubuntu box. My Windows 2003 server seems fine though. So it might be possible that I have some remnants of that infection on my work laptop. I am running Windows 7 fully patched with SEP v11 MR5.

Again, thanks for all that you guys do; it's a valuable service that you provide. Keep up the great work!

Things look pretty good so far.

Can you find any trace of that file that MB gets hung up on?

-------------------------

Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com (<---renamed version)

Run OTL (the computer will reboot)

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    :Commands
    [emptytemp]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

--------------------------

Run this scanner: SUPERAntiSpyware Portable Scanner

http://www.superanti...blescanner.html

You can just download it to your computer and run it, no need to put it on an usb drive.

Let me know, MrC

Yes SAS targets cookies and MB doesn't.

Did you run OTL to clean out temp files?

Were you able to locate that file?

Have you tried running MB again?

Let me know, MrC

MrC,

I have an HR video that is two hours long and I am 3/4 of the way done. I read that OTL restarts your computer automatically, so I haven't run that one yet because I don't want to blow away my place in the HR video. I should be finished up within an hour, then I will run the other util and post.

Thanks!

If you do find that file, we could try to delete it or put it in MB Ignore List.

Make sure you have show hidden files enabled.

MrC

I tried Malwarebytes again and it hung after about 6 minutes. Same bogus gibberish file path as in the screenshot above. I ensured that my folders were unhidden in Explorer, and that folder does not exist. Obviously it's pulling that from the registry somewhere.

02022012_162503.log

OTL.Txt

I wonder if this is the problem??

[2012/01/17 19:33:34 | 000,017,070 | ---- | M] () -- C:\Johns_JLEPass.kdbx

also this;

C:\.cisco_mds9000

MrC

No, the JLEPass.kdbx is a KeePass encrypted database for passwords. The other program is to manage my fiber fabric. If you are running out of utils then I may just have to rebuild it. Let me know your thoughts.

Thanks!

Did you remove them or move them and see if MB still hangs?? MrC

Please try this:

Open up MB and click on the Ignore List > Add > Navigate to these two files and add them to the Ignore List.

C:\.cisco_mds9000

C:\Johns_JLEPass.kdbx

Now try to run a scan with MBAM

Let me know, MrC

I excluded the database and the Cisco folder, to no avail. My machine froze after about 2 mins of MB scan.

I am wondering if it's because of drive encryption (Win 7 BitLocker). I am going to install on another BitLocked laptop with a fresh build. I will keep ya posted.

No, it was able to scan the other BitLocked machine. So I have no clue.

Let me ask the developers of MB and see if they have an answer.

I'll get back to you asap, MrC

OK, two things to start with.

Do you have all live-monitor security apps turned off before starting MBAM scan? (Symantec)

and.....

Wait at least 10 minutes as a minimum before considering MB is freezing.

Let me know, MrC

MrC,

I disabled my Symantec Endpoint Protection in the system tray and went into Services and stopped all the Symantec services. I then ran MB again and did not touch it for 45 minutes.

8 minutes into the scan the file counter quit incrementing, but I left everything alone and just moved the mouse occasionally so the screensaver wouldn't pop on.

Around the 30-40 minute mark the files still hadn't incremented and the time scanning still said 8 minutes; that's when the machine totally locked up. I had to hard power cycle it. So there is definitely something hidden in those gibberish folders that is hanging when MB runs.

OK, I'll pass the info on, will get back to you asap.

Thanks....MrC

Please confirm that you get the same results in safe mode.

also......

Get to a Command Prompt

Copy and paste this in and hit enter.

DIR C:\ >C:\LIST.TXT

It will create LIST.TXT in C:\

Copy and paste or attach it in your next post.

MrC

This topic is now closed to further replies.