
Google Redirect - IE shutting down - Ads in the corner of IE pages

Discussion in 'Virus & Other Malware Removal' started by Big Boz, Feb 1, 2013.

  1. Big Boz

    Big Boz Thread Starter

    Joined:
    Dec 5, 2007
    Messages:
    86
    For the last couple of weeks, I have been having multiple issues.

    1. Google Redirect - Not always in Google, and it will happen on some pages that aren't Google search pages.
    2. IE will stop working, and I have to either restore my last session, which seems to cause it to stop working sooner, or close IE and start all over.
    3. If I open up a second IE window, I get what I think are ad pop-ups in the lower right and lower left corners of my window.

    Running
    Windows 7 Professional Service Pack 1 32 bit OS

    The things that I have tried are running my VIPRE antivirus software and Malwarebytes. Neither seems to find anything.
     
  2. Glaswegian

    Glaswegian Malware Specialist

    Joined:
    Dec 5, 2004
    Messages:
    3,823
  3. Big Boz

    Big Boz Thread Starter

    Joined:
    Dec 5, 2007
    Messages:
    86
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 11:07:33 AM, on 2/5/2013
    Platform: Windows 7 SP1 (WinNT 6.00.3505)
    MSIE: Internet Explorer v8.00 (8.00.7601.17514)
    Boot mode: Normal

    Running processes:
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\DellTPad\Apoint.exe
    C:\Program Files\IDT\WDM\sttray.exe
    C:\Program Files\DellTPad\ApMsgFwd.exe
    C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
    C:\Program Files\DellTPad\HidFind.exe
    C:\Program Files\DellTPad\Apntex.exe
    C:\Windows\system32\conhost.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\HP\HP Software Update\hpwuschd2.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Java\jre6\bin\java.exe
    C:\Windows\system32\conhost.exe
    C:\Program Files\Java\jre6\bin\rmiregistry.exe
    C:\Windows\system32\conhost.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Real\RealPlayer\update\realsched.exe
    C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\dbosquez\Desktop\HijackThis.exe
    c:\program files\real\realplayer\RealPlay.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2K0.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MIF5BA~1\Office14\URLREDIR.DLL
    O2 - BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files\Microsoft\BingBar\BingExt.dll" (file missing)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files\Microsoft\BingBar\BingExt.dll" (file missing)
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
    O4 - HKLM\..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe
    O4 - HKLM\..\Run: [IAStorIcon] C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
    O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [NVC] "C:\Program Files\Nortel\Nortel VPN Client\Nvc.exe" -autostart
    O4 - HKLM\..\Run: [RIMBBLaunchAgent.exe] C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SBAMTray] "C:\Program Files\Sunbelt Software\SBEAgent\SBAMTray.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Real\RealPlayer\update\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: VPN Client.lnk = ?
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MIF5BA~1\Office14\EXCEL.EXE/3000
    O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MIF5BA~1\Office14\ONBttnIE.dll/105
    O8 - Extra context menu item: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
    O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    O9 - Extra button: @c:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @c:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} (SysInfo Class) - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.5.3.0.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://zk.webex.com/client/T27LB/webex/ieatgpc1.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = solarus.local
    O17 - HKLM\Software\..\Telephony: DomainName = solarus.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = solarus.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = solarus.local
    O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
    O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_d511891fb5bff1e2\aestsrv.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Intel(R) Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
    O23 - Service: FF Install Filter Service (InstallFilterService) - Unknown owner - C:\Program Files\STMicroelectronics\AccelerometerP11\InstallFilterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: National Instruments LXI Discovery Service (niLXIDiscovery) - National Instruments Corporation - C:\Program Files\IVI Foundation\VISA\WinNT\NIvisa\niLxiDiscovery.exe
    O23 - Service: National Instruments mDNS Responder Service (nimDNSResponder) - National Instruments Corporation - C:\Program Files\National Instruments\Shared\mDNS Responder\nimdnsResponder.exe
    O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corporation - C:\Windows\system32\nisvcloc.exe
    O23 - Service: Nortel VPN Client (NvcSvcMgr) - Nortel Networks - C:\Program Files\Nortel\Nortel VPN Client\NvcSvcMgr.exe
    O23 - Service: NovaCore SDK Service (NvtlService) - Unknown owner - C:\Program Files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe
    O23 - Service: Novatel Wireless Device Helper (NWHelper) - Novatel Wireless Inc. - C:\Program Files\Novatel Wireless\Drivers\NWHelper.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    O23 - Service: VIPRE Business (SBAMSvc) - GFI Software - C:\Program Files\Sunbelt Software\SBEAgent\SBAMSvc.exe
    O23 - Service: SB Recovery Service (SBPIMSvc) - GFI Software - C:\Program Files\Sunbelt Software\SBEAgent\SBPIMSvc.exe
    O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_d511891fb5bff1e2\STacSV.exe

    --
    End of file - 11877 bytes


    When I try to run DDS.exe, I get an error stating "PEV.DAT has stopped working. A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available." It has a "Close program" button, but it does not stop this error from popping up. I looked up the PEV.DAT verbiage and found that my antivirus software may be causing it. I turned my antivirus off, rebooted and ran DDS.exe again, but I get the same error.

    I wasn't sure if I was supposed to stop there or continue to run GMER.exe, but here is that file too.

    GMER 2.0.18454 - http://www.gmer.net
    Rootkit scan 2013-02-05 11:53:34
    Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.VBM2 119.24GB
    Running: 11i7bzf6.exe; Driver: C:\Users\dbosquez\AppData\Local\Temp\afeoifod.sys


    ---- Kernel code sections - GMER 2.0 ----

    .text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 832863C9 1 Byte [06]
    .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 832BFD52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
    PAGE ntkrnlpa.exe!ZwResumeThread 834B9572 1 Byte [CC] {INT 3 }
    .text iaStor.sys 8C865060 1 Byte [CC] {INT 3 }

    ---- User code sections - GMER 2.0 ----

    .text C:\Program Files\Real\RealPlayer\Update\realsched.exe[4988] kernel32.dll!SetUnhandledExceptionFilter 758BF4FB 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}

    ---- User IAT/EAT - GMER 2.0 ----

    IAT C:\Users\dbosquez\Desktop\11i7bzf6.exe[348] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [0050F4D5] C:\Windows\system32\clipgMgr.dll
    IAT C:\Program Files\STMicroelectronics\AccelerometerP11\InstallFilterService.exe[564] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [754BFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\STMicroelectronics\AccelerometerP11\InstallFilterService.exe[564] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [754BFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\STMicroelectronics\AccelerometerP11\InstallFilterService.exe[564] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [754BFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\STMicroelectronics\AccelerometerP11\InstallFilterService.exe[564] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [754BFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\STMicroelectronics\AccelerometerP11\InstallFilterService.exe[564] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [754BFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\STMicroelectronics\AccelerometerP11\InstallFilterService.exe[564] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [754BFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\IDT\WDM\sttray.exe[2340] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [003AF4D5] C:\Windows\system32\clipgMgr.dll
    IAT C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3088] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [00F5F4D5] C:\Windows\system32\clipgMgr.dll
    IAT C:\Program Files\DellTPad\HidFind.exe[3292] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [0164F4D5] C:\Windows\system32\clipgMgr.dll
    IAT C:\Program Files\DellTPad\Apntex.exe[3488] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [0122F4D5] C:\Windows\system32\clipgMgr.dll
    IAT C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3676] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [0036F4D5] C:\Windows\system32\clipgMgr.dll
    IAT C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3676] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [754BFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3676] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [754BFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3676] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [754BFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3676] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [754BFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3920] @ C:\Windows\Explorer.EXE [KERNEL32.dll!CreateProcessW] [03DEF4D5] C:\Windows\system32\clipgMgr.dll
    IAT C:\Windows\Explorer.EXE[3920] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [740024CB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3920] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73FE562E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3920] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73FE56EC] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3920] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74002546] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3920] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73FF85AA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3920] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73FF4D5E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3920] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73FF5105] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3920] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73FF51DA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3920] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73FF6707] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3920] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73FF8301] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3920] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73FF8850] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3920] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73FF90B1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3920] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73FFE254] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3920] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73FF4C90] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3920] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [03DEF4D5] C:\Windows\system32\clipgMgr.dll
    IAT C:\Windows\Explorer.EXE[3920] @ C:\Windows\system32\WININET.dll [ADVAPI32.dll!CreateProcessAsUserA] [03DEF41C] C:\Windows\system32\clipgMgr.dll
    IAT C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe[3940] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [0182F4D5] C:\Windows\system32\clipgMgr.dll
    IAT C:\Program Files\DellTPad\Apoint.exe[4076] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [0255F4D5] C:\Windows\system32\clipgMgr.dll
    IAT C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[4628] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [754BFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[4628] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [754BFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[4628] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [0065F4D5] C:\Windows\system32\clipgMgr.dll
    IAT C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[4628] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [754BFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[4628] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [754BFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[4628] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [754BFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\iTunes\iTunesHelper.exe[4692] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [0037F4D5] C:\Windows\system32\clipgMgr.dll
    IAT C:\Program Files\HP\HP Software Update\hpwuschd2.exe[4732] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [0025F4D5] C:\Windows\system32\clipgMgr.dll
    IAT C:\Windows\System32\hkcmd.exe[4860] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [0032F4D5] C:\Windows\system32\clipgMgr.dll
    IAT C:\Windows\System32\igfxpers.exe[4932] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [0157F4D5] C:\Windows\system32\clipgMgr.dll
    IAT C:\Program Files\Real\RealPlayer\Update\realsched.exe[4988] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [0041F4D5] C:\Windows\system32\clipgMgr.dll
    IAT C:\Program Files\Common Files\Java\Java Update\jusched.exe[5036] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [0057F4D5] C:\Windows\system32\clipgMgr.dll
    IAT C:\Program Files\Common Files\Java\Java Update\jusched.exe[5036] @ C:\Windows\system32\WININET.dll [ADVAPI32.dll!CreateProcessAsUserA] [0057F41C] C:\Windows\system32\clipgMgr.dll
    IAT C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[5168] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [01E3F4D5] C:\Windows\system32\clipgMgr.dll
    IAT c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[5296] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [0535F4D5] C:\Windows\system32\clipgMgr.dll
    IAT C:\Program Files\WinZip\WZQKPICK.EXE[5308] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [0053F4D5] C:\Windows\system32\clipgMgr.dll
    IAT C:\Program Files\Franklin\Franklin Access Manager\Franklin Access Manager.exe[6036] @ C:\Windows\system32\kernel32.dll [ntdll.dll!RtlReAllocateHeap] [64059832] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
    IAT C:\Program Files\Franklin\Franklin Access Manager\Franklin Access Manager.exe[6036] @ C:\Windows\system32\kernel32.dll [ntdll.dll!RtlSizeHeap] [6405A27D] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
    IAT C:\Program Files\Franklin\Franklin Access Manager\Franklin Access Manager.exe[6036] @ C:\Windows\system32\kernel32.dll [ntdll.dll!RtlLockHeap] [640594D8] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
    IAT C:\Program Files\Franklin\Franklin Access Manager\Franklin Access Manager.exe[6036] @ C:\Windows\system32\kernel32.dll [ntdll.dll!RtlUnlockHeap] [640594E8] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
    IAT C:\Program Files\Franklin\Franklin Access Manager\Franklin Access Manager.exe[6036] @ C:\Windows\system32\kernel32.dll [ntdll.dll!RtlAllocateHeap] [640592CD] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
    IAT C:\Program Files\Franklin\Franklin Access Manager\Franklin Access Manager.exe[6036] @ C:\Windows\system32\kernel32.dll [ntdll.dll!RtlFreeHeap] [64059E78] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
    IAT C:\Program Files\Franklin\Franklin Access Manager\Franklin Access Manager.exe[6036] @ C:\Windows\system32\kernel32.dll [ntdll.dll!RtlDestroyHeap] [640594B8] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
    IAT C:\Program Files\Franklin\Franklin Access Manager\Franklin Access Manager.exe[6036] @ C:\Windows\system32\kernel32.dll [ntdll.dll!RtlCreateHeap] [640594A8] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
    IAT C:\Program Files\Franklin\Franklin Access Manager\Franklin Access Manager.exe[6036] @ C:\Windows\system32\kernel32.dll [ntdll.dll!RtlExitUserProcess] [6405AA9E] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
    IAT C:\Program Files\Franklin\Franklin Access Manager\Franklin Access Manager.exe[6036] @ C:\Windows\system32\GDI32.dll [ntdll.dll!RtlAllocateHeap] [640592CD] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
    IAT C:\Program Files\Franklin\Franklin Access Manager\Franklin Access Manager.exe[6036] @ C:\Windows\system32\GDI32.dll [ntdll.dll!RtlFreeHeap] [64059E78] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
    IAT C:\Program Files\Franklin\Franklin Access Manager\Franklin Access Manager.exe[6036] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [754BFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Franklin\Franklin Access Manager\Franklin Access Manager.exe[6036] @ C:\Windows\system32\USER32.dll [ntdll.dll!RtlSizeHeap] [6405A27D] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
    IAT C:\Program Files\Franklin\Franklin Access Manager\Franklin Access Manager.exe[6036] @ C:\Windows\system32\USER32.dll [ntdll.dll!RtlReAllocateHeap] [64059832] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
    IAT C:\Program Files\Franklin\Franklin Access Manager\Franklin Access Manager.exe[6036] @ C:\Windows\system32\USER32.dll [ntdll.dll!RtlAllocateHeap] [640592CD] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
    IAT C:\Program Files\Franklin\Franklin Access Manager\Franklin Access Manager.exe[6036] @ C:\Windows\system32\USER32.dll [ntdll.dll!RtlFreeHeap] [64059E78] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
    IAT C:\Program Files\Franklin\Franklin Access Manager\Franklin Access Manager.exe[6036] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [75938000] C:\Windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\Program Files\Franklin\Franklin Access Manager\Franklin Access Manager.exe[6036] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [754BFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Franklin\Franklin Access Manager\Franklin Access Manager.exe[6036] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [754BFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Franklin\Franklin Access Manager\Franklin Access Manager.exe[6036] @ C:\Windows\system32\SHELL32.dll [ntdll.dll!RtlFreeHeap] [64059E78] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
    IAT C:\Program Files\Franklin\Franklin Access Manager\Franklin Access Manager.exe[6036] @ C:\Windows\system32\OLE32.dll [ntdll.dll!RtlFreeHeap] [64059E78] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
    IAT C:\Program Files\Franklin\Franklin Access Manager\Franklin Access Manager.exe[6036] @ C:\Windows\system32\OLE32.dll [ntdll.dll!RtlAllocateHeap] [640592CD] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
    IAT C:\Program Files\Franklin\Franklin Access Manager\Franklin Access Manager.exe[6036] @ C:\Windows\system32\OLE32.dll [ntdll.dll!RtlReAllocateHeap] [64059832] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
    IAT C:\Program Files\Franklin\Franklin Access Manager\Franklin Access Manager.exe[6036] @ C:\Windows\system32\RPCRT4.dll [ntdll.dll!RtlFreeHeap] [64059E78] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
    IAT C:\Program Files\Franklin\Franklin Access Manager\Franklin Access Manager.exe[6036] @ C:\Windows\system32\RPCRT4.dll [ntdll.dll!RtlAllocateHeap] [640592CD] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
    IAT C:\Program Files\Franklin\Franklin Access Manager\Franklin Access Manager.exe[6036] @ C:\Windows\system32\ADVAPI32.DLL [ntdll.dll!RtlFreeHeap] [64059E78] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
    IAT C:\Program Files\Franklin\Franklin Access Manager\Franklin Access Manager.exe[6036] @ C:\Windows\system32\ADVAPI32.DLL [ntdll.dll!RtlAllocateHeap] [640592CD] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
    IAT C:\Program Files\Franklin\Franklin Access Manager\Franklin Access Manager.exe[6036] @ C:\Windows\system32\ADVAPI32.DLL [ntdll.dll!RtlReAllocateHeap] [64059832] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
    IAT C:\Program Files\Franklin\Franklin Access Manager\Franklin Access Manager.exe[6036] @ C:\Windows\system32\ADVAPI32.DLL [KERNEL32.dll!GetProcAddress] [754BFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Franklin\Franklin Access Manager\Franklin Access Manager.exe[6036] @ C:\Windows\system32\WS2_32.dll [ntdll.dll!RtlFreeHeap] [64059E78] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
    IAT C:\Program Files\Franklin\Franklin Access Manager\Franklin Access Manager.exe[6036] @ C:\Windows\system32\WS2_32.dll [ntdll.dll!RtlAllocateHeap] [640592CD] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
    IAT C:\Program Files\Franklin\Franklin Access Manager\Franklin Access Manager.exe[6036] @ C:\Windows\system32\WININET.dll [ADVAPI32.dll!CreateProcessAsUserA] [765A2E05] C:\Windows\system32\ADVAPI32.DLL (Advanced Windows 32 Base API/Microsoft Corporation)
    IAT C:\Program Files\Franklin\Franklin Access Manager\Franklin Access Manager.exe[6036] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [754BFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Franklin\Franklin Access Manager\Franklin Access Manager.exe[6036] @ C:\Windows\system32\CRYPT32.dll [ntdll.dll!RtlFreeHeap] [64059E78] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
    IAT C:\Program Files\Franklin\Franklin Access Manager\Franklin Access Manager.exe[6036] @ C:\Windows\system32\CRYPT32.dll [ntdll.dll!RtlAllocateHeap] [640592CD] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
    IAT C:\Program Files\Franklin\Franklin Access Manager\Franklin Access Manager.exe[6036] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [754BFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

    ---- Threads - GMER 2.0 ----

    Thread System [4:708] 8A2E60F4

    ---- Registry - GMER 2.0 ----

    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\5cac4cf429f6
    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\[email protected] 0x9F 0xA9 0x41 0x8E ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\[email protected] 0xFF 0xFB 0x45 0x01 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\[email protected] 0x60 0x79 0xC2 0x97 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\[email protected] 0xBD 0xF5 0x0E 0xA3 ...
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\5cac4cf429f6 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\[email protected] 0x9F 0xA9 0x41 0x8E ...
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\[email protected] 0xFF 0xFB 0x45 0x01 ...
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\[email protected] 0x60 0x79 0xC2 0x97 ...
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\[email protected] 0xBD 0xF5 0x0E 0xA3 ...

    ---- EOF - GMER 2.0 ----
     
  4. Glaswegian

    Glaswegian Malware Specialist

    Joined:
    Dec 5, 2004
    Messages:
    3,823
    Hi again

    My name is Iain and I will be helping you clean your system.

    You may wish to Subscribe to this thread (bottom left corner of this thread) so that you are notified when you receive a reply.

    Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.

    Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your logs are clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.

    If there is anything you don't understand, please ask BEFORE proceeding with the fixes.

    Please ensure that you follow the instructions in the order I have them listed. Note that if you do not respond within 3 days I shall no longer check this thread for replies.

    Please do not install or uninstall any programmes, or run any other scanners or software, unless I specifically ask you to do so. Also please copy and paste logs into the thread, rather than add them as attachments.


    IMPORTANT - for Windows Vista and Windows 7 start all tools by using right click > Run as Administrator.




    Combofix
    We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please read all the information carefully! If using Windows XP you should ensure you install the Recovery Console.

    You MUST disable your AntiVirus and AntiSpyware applications - please read this thread as a guide. They may otherwise interfere with our tools and interrupt the cleansing process.

    Please include the log C:\ComboFix.txt in your next reply for further review.
     
  5. Big Boz

    Big Boz Thread Starter

    Joined:
    Dec 5, 2007
    Messages:
    86
    ComboFix 13-02-03.03 - dbosquez 02/05/2013 16:29:14.1.4 - x86
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3510.2446 [GMT -6:00]
    Running from: c:\users\dbosquez\Desktop\ComboFix.exe
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\Install.exe
    c:\users\dbosquez\AppData\Local\assembly\tmp
    c:\windows\Fonts\usps4cb.ttf
    c:\windows\system32\test
    .
    .
    ((((((((((((((((((((((((( Files Created from 2013-01-05 to 2013-02-05 )))))))))))))))))))))))))))))))
    .
    .
    2013-02-05 18:36 . 2013-02-05 18:36 -------- d-----w- c:\users\dbosquez\AppData\Local\Adobe
    2013-02-01 11:58 . 2013-01-08 04:57 6991832 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2CF949E2-E636-4A0C-A73A-C1B9A43A57F1}\mpengine.dll
    2013-01-30 15:10 . 2013-01-30 15:10 99328 ----a-w- c:\windows\system32\clipgMgr.dll
    2013-01-20 16:20 . 2012-11-09 04:42 2048 ----a-w- c:\windows\system32\tzres.dll
    2013-01-17 19:19 . 2013-01-17 19:19 -------- d-----w- c:\program files\Silabs
    2013-01-14 00:53 . 2013-01-14 15:09 -------- d-----w- c:\program files\RealNetworks
    2013-01-14 00:53 . 2013-01-14 00:53 -------- d-----w- c:\programdata\RealNetworks
    2013-01-11 00:03 . 2010-02-26 02:12 164568 ----a-w- c:\windows\system32\drivers\DIFMVsp.sys
    2013-01-11 00:03 . 2010-02-26 02:12 164568 ----a-w- c:\windows\system32\drivers\DIFMNVsp.sys
    2013-01-11 00:03 . 2010-02-25 17:04 164568 ----a-w- c:\windows\system32\drivers\DIFMMdm.sys
    2013-01-11 00:03 . 2010-02-25 17:04 112728 ----a-w- c:\windows\system32\drivers\DIFMNET.sys
    2013-01-11 00:03 . 2010-02-25 17:04 56408 ----a-w- c:\windows\system32\drivers\DIFMBUS.sys
    2013-01-11 00:03 . 2010-02-25 17:04 29400 ----a-w- c:\windows\system32\drivers\DIFMCDF.sys
    2013-01-11 00:03 . 2010-02-25 17:04 164568 ----a-w- c:\windows\system32\drivers\DIFMCVsp.sys
    2013-01-11 00:03 . 2013-01-11 00:03 -------- d-----w- c:\program files\Franklin
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-01-17 07:28 . 2010-08-02 13:32 232336 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-05-13 288112]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-04-05 495708]
    "IAStorIcon"="c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-12-29 140520]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "NVC"="c:\program files\Nortel\Nortel VPN Client\Nvc.exe" [2010-03-01 1717600]
    "RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
    "SBAMTray"="c:\program files\Sunbelt Software\SBEAgent\SBAMTray.exe" [2011-10-12 1627504]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-12-19 41208]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-01-23 142616]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-01-23 177432]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2012-01-23 177944]
    "TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2012-10-12 296096]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2010-1-8 828704]
    VPN Client.lnk - c:\windows\Installer\{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}\Icon3E5562ED7.ico [2010-8-3 6144]
    WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-9-28 106560]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    R1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [x]
    R2 5727;5727;c:\users\dbosquez\AppData\Local\Temp\5727.sys [x]
    R2 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [x]
    R2 InstallFilterService;FF Install Filter Service;c:\program files\STMicroelectronics\AccelerometerP11\InstallFilterService.exe [x]
    R3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [x]
    R3 CT_AD_U_CEFE_SERM;AD CEFE service for ports and modem;c:\windows\system32\DRIVERS\CT_AD_U_CEFE_drv.sys [x]
    R3 CT_CDROM_AD;AD EVDO Filter Driver;c:\windows\system32\DRIVERS\CT_CDROM_AD.sys [x]
    R3 DIFMBUS;Franklin EVDO USB Modem Composite Device Driver;c:\windows\system32\DRIVERS\DIFMBUS.sys [x]
    R3 DIFMCDF;Franklin EVDO USB Modem Installation CD;c:\windows\system32\DRIVERS\DIFMCDF.sys [x]
    R3 DIFMCVsp;Franklin EVDO USB Modem CM Port;c:\windows\system32\DRIVERS\DIFMCVsp.sys [x]
    R3 DIFMMdm;Franklin EVDO USB Modem;c:\windows\system32\DRIVERS\DIFMMdm.sys [x]
    R3 DIFMNET;Franklin EVDO USB Modem Network Adapter;c:\windows\system32\DRIVERS\DIFMNET.sys [x]
    R3 DIFMNVsp;Franklin EVDO USB Modem NMEA Port Serial Port;c:\windows\system32\DRIVERS\DIFMNVsp.sys [x]
    R3 DIFMVsp;Franklin EVDO USB Modem Diagnostics Port;c:\windows\system32\DRIVERS\DIFMVsp.sys [x]
    R3 nipalfwedl;nipalfwedl;c:\windows\system32\drivers\nipalfwedl.sys [x]
    R3 nipalusbedl;nipalusbedl;c:\windows\system32\drivers\nipalusbedl.sys [x]
    R3 NWUSBModem_000;Novatel Wireless USB Modem Driver (vGEN);c:\windows\system32\DRIVERS\nwusbmdm_000.sys [x]
    R3 NWUSBPort_000;Novatel Wireless USB Status Port Driver (vGEN);c:\windows\system32\DRIVERS\nwusbser_000.sys [x]
    R3 NWUSBPort2_000;Novatel Wireless USB Status2 Port Driver (vGEN);c:\windows\system32\DRIVERS\nwusbser2_000.sys [x]
    R3 NWVNDIS;Novatel Wireless Virtual Network Adapter;c:\windows\system32\DRIVERS\NWVNdis.sys [x]
    R3 PTUMWBus;PANTECH USB Modem V2 Composite Device Driver;c:\windows\system32\DRIVERS\PTUMWBus.sys [x]
    R3 PTUMWCDF;PANTECH USB Modem V2 Installation CD;c:\windows\system32\DRIVERS\PTUMWCDF.sys [x]
    R3 PTUMWFLT;PTUMWNET Filter Driver;c:\windows\system32\DRIVERS\PTUMWFLT.sys [x]
    R3 PTUMWMdm;PANTECH USB Modem V2 Modem Driver;c:\windows\system32\DRIVERS\PTUMWMdm.sys [x]
    R3 PTUMWNET;PANTECH USB Modem V2 WWAN Driver;c:\windows\system32\DRIVERS\PTUMWNET.sys [x]
    R3 PTUMWVsp;PANTECH USB Modem V2 Diagnostic Port;c:\windows\system32\DRIVERS\PTUMWVsp.sys [x]
    R3 qcusbser;QC USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\qcusbser.sys [x]
    R3 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe86.sys [x]
    R3 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe86.sys [x]
    R3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows\system32\DRIVERS\silabenm.sys [x]
    R3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows\system32\DRIVERS\silabser.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R4 SBAMSvc;VIPRE Business;c:\program files\Sunbelt Software\SBEAgent\SBAMSvc.exe [x]
    S0 nipbcfk;National Instruments Class Upper Filter Driver;c:\windows\System32\drivers\nipbcfk.sys [x]
    S0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdfltn.sys [x]
    S1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [x]
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_d511891fb5bff1e2\aestsrv.exe [x]
    S2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [x]
    S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
    S2 niLXIDiscovery;National Instruments LXI Discovery Service;c:\program files\IVI Foundation\VISA\WinNT\NIvisa\niLxiDiscovery.exe [x]
    S2 nimDNSResponder;National Instruments mDNS Responder Service;c:\program files\National Instruments\Shared\mDNS Responder\nimdnsResponder.exe [x]
    S2 NvcSvcMgr;Nortel VPN Client;c:\program files\Nortel\Nortel VPN Client\NvcSvcMgr.exe [x]
    S2 nvcwfpco;nvcwfpco;c:\windows\system32\DRIVERS\nvcwfpco.sys [x]
    S2 NvtlService;NovaCore SDK Service;c:\program files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe [x]
    S2 NWHelper;Novatel Wireless Device Helper ;c:\program files\Novatel Wireless\Drivers\NWHelper.exe [x]
    S2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe86.sys [x]
    S2 sbapifs;sbapifs;c:\windows\system32\DRIVERS\sbapifs.sys [x]
    S2 SBPIMSvc;SB Recovery Service;c:\program files\Sunbelt Software\SBEAgent\SBPIMSvc.exe [x]
    S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [x]
    S3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [x]
    S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
    S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys [x]
    S3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [x]
    S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
    S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
    S3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [x]
    S3 NT_NvcA;Nortel VPN Adapter;c:\windows\system32\DRIVERS\ntnvca.sys [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2DF770F4-E9A4-4D0B-A014-82E1A42C7B69}]
    2009-09-23 06:21 99176 ------w- c:\program files\Hummingbird\Connectivity\14.00\Accessories\HumSettings.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-02-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-06 11:59]
    .
    2013-02-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-06 11:59]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\MIF5BA~1\Office14\ONBttnIE.dll/105
    IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    TCP: DhcpNameServer = 192.168.0.1 72.1.0.2
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    HKCU-Run-Mobilink3 - (no file)
    AddRemove-SLABCOMM&10C4&EA60 - c:\program files\Silabs\MCU\CP210x\DriverUninstaller.exe VCP CP210x Cardinal\SLABCOMM&10C4&EA60
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0009\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0010\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2013-02-05 16:33:50
    ComboFix-quarantined-files.txt 2013-02-05 22:33
    .
    Pre-Run: 55,677,419,520 bytes free
    Post-Run: 56,653,545,472 bytes free
    .
    - - End Of File - - CF706A55A4FDE5A19D152803C62E20A2
     
  6. Glaswegian

    Glaswegian Malware Specialist

    Joined:
    Dec 5, 2004
    Messages:
    3,823
    Hi again

    Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.


    Combofix

    • Close any open browsers.
    • Open notepad and copy/paste the text in the box below into it:

    Code:
    ClearJavaCache::
    
    File::
    c:\users\dbosquez\AppData\Local\Temp\5727.sys
    
    Driver::
    5727
    
    Looking at the image below as an example

    [IMG]

    Save this as CFScript.txt, in the same location as ComboFix.exe


    [IMG]

    Referring to the picture above, drag CFScript onto ComboFix.exe.

    If you receive a prompt saying there is an updated version of ComboFix available, please allow it to update.

    When finished, it will produce a log for you at "C:\ComboFix.txt"

    Do not mouseclick combofix's window whilst it's running. This may cause it to stall.

    CAUTION! Anyone else thinking of using the above script does so at their own risk - you may end up having to re-install Windows!


    Please post the log C:\ComboFix.txt for further review.



    I’d like to have a closer look at one file.

    Please go to: VirusTotal

    • Make sure the 'Upload a file' tab is selected.
    • To the right of the page you'll find a "Choose File" button.

      [IMG]

      Click the "Choose File" button and browse to this file in RED:

      c:\windows\system32\clipgMgr.dll

    • Then click the blue "Scan it!" button in the middle of the VirusTotal page.
    • If you receive a message saying the File has already been analyzed click Reanalyze file now.
    • This will scan the file. Please be patient.
    • Once scanned, copy and paste the results in your next reply.




    Download Malwarebytes' Anti-Malware to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to the following:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform Quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Save it to your desktop.
    Note: Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.



    How is your system running now?
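The CFScript in this post removes a driver whose .sys image lives under a user Temp directory (the 5727 entry in the ComboFix log), and the same log shows the UAC policy values zeroed out (EnableLUA = 0, ConsentPromptBehaviorAdmin = 0, PromptOnSecureDesktop = 0). As an added example that is not part of this thread and not a ComboFix, GMER or Tech Support Guy tool, the Python script below parses ComboFix-style R*/S* service lines and the policies\system block and flags both conditions; the sample log embedded in it is constructed, modelled on the one posted above, and the numeric-service-name check is a heuristic of my own.

```python
"""Triage helper for ComboFix-style log excerpts.

Added example for this thread; it is not a ComboFix, GMER or Tech Support Guy
tool.  It parses the R*/S* driver and service lines and the UAC policy block
that ComboFix prints, and flags what a malware-removal helper looks at first:
a driver whose image lives in a user-writable directory (the 5727.sys entry
the CFScript above targets) and UAC policy values that have been zeroed out.
The sample log below is constructed from the shape of the log posted here.
"""
import re

# "<StartType> <Name>;<DisplayName>;<ImagePath> [x]"
SERVICE_RE = re.compile(r'^([RS][0-4])\s+([^;]+);([^;]*);(.+?)\s*(\[x\])?$')

# '"Name"= 0 (0x0)' inside the policies\system block
POLICY_RE = re.compile(r'^"([A-Za-z]+)"=\s*(\d+)\s*\(0x[0-9A-Fa-f]+\)$')

# Locations a driver or service binary has no business loading from.
# Plain (non-raw) strings so each entry ends in a single backslash.
USER_WRITABLE_DIRS = (
    '\\appdata\\local\\temp\\',
    '\\appdata\\roaming\\',
    '\\users\\public\\',
    '\\windows\\temp\\',
)

# Documented UAC values under HKLM\...\Policies\System; 0 is the weak setting
# for each of these three (UAC off, silent elevation, no secure desktop).
UAC_WEAK = {
    'EnableLUA': 0,
    'ConsentPromptBehaviorAdmin': 0,
    'PromptOnSecureDesktop': 0,
}


def parse_services(lines):
    """Return one dict per R*/S* entry: start type, name, display, path."""
    entries = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if m:
            start, name, display, path, _ = m.groups()
            entries.append({'start': start, 'name': name,
                            'display': display.strip(), 'path': path.strip()})
    return entries


def parse_uac_policy(lines):
    """Return {value_name: int} from the [...\\policies\\system] block only."""
    values, in_block = {}, False
    for line in lines:
        s = line.strip()
        if s.startswith('['):
            in_block = s.lower().endswith('\\policies\\system]')
            continue
        if in_block:
            m = POLICY_RE.match(s)
            if m:
                values[m.group(1)] = int(m.group(2))
    return values


def triage(log_text):
    """Return (finding, subject, detail) tuples for the suspicious items."""
    lines = log_text.splitlines()
    findings = []
    for e in parse_services(lines):
        low = e['path'].lower()
        if any(d in low for d in USER_WRITABLE_DIRS):
            findings.append(('DRIVER_IN_USER_DIR', e['name'], e['path']))
        elif e['name'].isdigit():
            # Heuristic (my own): a service named only by a number, no vendor name
            findings.append(('NUMERIC_SERVICE_NAME', e['name'], e['path']))
    uac = parse_uac_policy(lines)
    for key, weak in UAC_WEAK.items():
        if uac.get(key) == weak:
            findings.append(('UAC_WEAKENED', key, str(weak)))
    return findings


# Constructed sample, modelled on the ComboFix log in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [x]
R2 5727;5727;c:\users\dbosquez\AppData\Local\Temp\5727.sys [x]
R2 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [x]
R3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [x]
S2 SBPIMSvc;SB Recovery Service;c:\program files\Sunbelt Software\SBEAgent\SBPIMSvc.exe [x]
"""

if __name__ == '__main__':
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```

Run against the sample it reports the 5727 driver once (the path check wins over the numeric-name heuristic) and the three weakened UAC values; every other entry in the sample loads from Program Files or system32 and is left alone. To use it on a real log, pass the full ComboFix.txt contents to `triage()`.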
     
  7. Big Boz

    Big Boz Thread Starter

    Joined:
    Dec 5, 2007
    Messages:
    86
    ComboFix 13-02-03.03 - dbosquez 02/06/2013 17:13:09.2.4 - x86
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3510.1847 [GMT -6:00]
    Running from: c:\users\dbosquez\Desktop\ComboFix.exe
    Command switches used :: c:\users\dbosquez\Desktop\CFScript.txt
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    FILE ::
    "c:\users\dbosquez\AppData\Local\Temp\5727.sys"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_5727
    -------\Service_5727
    .
    .
    ((((((((((((((((((((((((( Files Created from 2013-01-06 to 2013-02-06 )))))))))))))))))))))))))))))))
    .
    .
    2013-02-06 23:16 . 2013-02-06 23:16 -------- d-----w- c:\users\wctcAdmin\AppData\Local\temp
    2013-02-06 23:16 . 2013-02-06 23:16 -------- d-----w- c:\users\user\AppData\Local\temp
    2013-02-06 23:16 . 2013-02-06 23:16 -------- d-----w- c:\users\Default\AppData\Local\temp
    2013-02-06 11:04 . 2013-01-08 04:57 6991832 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E5E7C1AD-6077-4B7B-BA7A-6727B8306810}\mpengine.dll
    2013-02-05 22:33 . 2013-02-06 23:18 -------- d-----w- c:\users\dbosquez\AppData\Local\temp
    2013-02-05 18:36 . 2013-02-05 18:36 -------- d-----w- c:\users\dbosquez\AppData\Local\Adobe
    2013-01-30 15:10 . 2013-01-30 15:10 99328 ----a-w- c:\windows\system32\clipgMgr.dll
    2013-01-20 16:20 . 2012-11-09 04:42 2048 ----a-w- c:\windows\system32\tzres.dll
    2013-01-17 19:19 . 2013-01-17 19:19 -------- d-----w- c:\program files\Silabs
    2013-01-14 00:53 . 2013-01-14 15:09 -------- d-----w- c:\program files\RealNetworks
    2013-01-14 00:53 . 2013-01-14 00:53 -------- d-----w- c:\programdata\RealNetworks
    2013-01-11 00:03 . 2010-02-26 02:12 164568 ----a-w- c:\windows\system32\drivers\DIFMVsp.sys
    2013-01-11 00:03 . 2010-02-26 02:12 164568 ----a-w- c:\windows\system32\drivers\DIFMNVsp.sys
    2013-01-11 00:03 . 2010-02-25 17:04 164568 ----a-w- c:\windows\system32\drivers\DIFMMdm.sys
    2013-01-11 00:03 . 2010-02-25 17:04 112728 ----a-w- c:\windows\system32\drivers\DIFMNET.sys
    2013-01-11 00:03 . 2010-02-25 17:04 56408 ----a-w- c:\windows\system32\drivers\DIFMBUS.sys
    2013-01-11 00:03 . 2010-02-25 17:04 29400 ----a-w- c:\windows\system32\drivers\DIFMCDF.sys
    2013-01-11 00:03 . 2010-02-25 17:04 164568 ----a-w- c:\windows\system32\drivers\DIFMCVsp.sys
    2013-01-11 00:03 . 2013-01-11 00:03 -------- d-----w- c:\program files\Franklin
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-01-17 07:28 . 2010-08-02 13:32 232336 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-05-13 288112]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-04-05 495708]
    "IAStorIcon"="c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-12-29 140520]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "NVC"="c:\program files\Nortel\Nortel VPN Client\Nvc.exe" [2010-03-01 1717600]
    "RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
    "SBAMTray"="c:\program files\Sunbelt Software\SBEAgent\SBAMTray.exe" [2011-10-12 1627504]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-12-19 41208]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-01-23 142616]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-01-23 177432]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2012-01-23 177944]
    "TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2012-10-12 296096]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2010-1-8 828704]
    VPN Client.lnk - c:\windows\Installer\{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}\Icon3E5562ED7.ico [2010-8-3 6144]
    WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-9-28 106560]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
    R3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [x]
    R3 CT_AD_U_CEFE_SERM;AD CEFE service for ports and modem;c:\windows\system32\DRIVERS\CT_AD_U_CEFE_drv.sys [x]
    R3 CT_CDROM_AD;AD EVDO Filter Driver;c:\windows\system32\DRIVERS\CT_CDROM_AD.sys [x]
    R3 DIFMBUS;Franklin EVDO USB Modem Composite Device Driver;c:\windows\system32\DRIVERS\DIFMBUS.sys [x]
    R3 DIFMCDF;Franklin EVDO USB Modem Installation CD;c:\windows\system32\DRIVERS\DIFMCDF.sys [x]
    R3 DIFMCVsp;Franklin EVDO USB Modem CM Port;c:\windows\system32\DRIVERS\DIFMCVsp.sys [x]
    R3 DIFMMdm;Franklin EVDO USB Modem;c:\windows\system32\DRIVERS\DIFMMdm.sys [x]
    R3 DIFMNET;Franklin EVDO USB Modem Network Adapter;c:\windows\system32\DRIVERS\DIFMNET.sys [x]
    R3 DIFMNVsp;Franklin EVDO USB Modem NMEA Port Serial Port;c:\windows\system32\DRIVERS\DIFMNVsp.sys [x]
    R3 DIFMVsp;Franklin EVDO USB Modem Diagnostics Port;c:\windows\system32\DRIVERS\DIFMVsp.sys [x]
    R3 nipalfwedl;nipalfwedl;c:\windows\system32\drivers\nipalfwedl.sys [x]
    R3 nipalusbedl;nipalusbedl;c:\windows\system32\drivers\nipalusbedl.sys [x]
    R3 NWUSBModem_000;Novatel Wireless USB Modem Driver (vGEN);c:\windows\system32\DRIVERS\nwusbmdm_000.sys [x]
    R3 NWUSBPort_000;Novatel Wireless USB Status Port Driver (vGEN);c:\windows\system32\DRIVERS\nwusbser_000.sys [x]
    R3 NWUSBPort2_000;Novatel Wireless USB Status2 Port Driver (vGEN);c:\windows\system32\DRIVERS\nwusbser2_000.sys [x]
    R3 NWVNDIS;Novatel Wireless Virtual Network Adapter;c:\windows\system32\DRIVERS\NWVNdis.sys [x]
    R3 PTUMWBus;PANTECH USB Modem V2 Composite Device Driver;c:\windows\system32\DRIVERS\PTUMWBus.sys [x]
    R3 PTUMWCDF;PANTECH USB Modem V2 Installation CD;c:\windows\system32\DRIVERS\PTUMWCDF.sys [x]
    R3 PTUMWFLT;PTUMWNET Filter Driver;c:\windows\system32\DRIVERS\PTUMWFLT.sys [x]
    R3 PTUMWMdm;PANTECH USB Modem V2 Modem Driver;c:\windows\system32\DRIVERS\PTUMWMdm.sys [x]
    R3 PTUMWNET;PANTECH USB Modem V2 WWAN Driver;c:\windows\system32\DRIVERS\PTUMWNET.sys [x]
    R3 PTUMWVsp;PANTECH USB Modem V2 Diagnostic Port;c:\windows\system32\DRIVERS\PTUMWVsp.sys [x]
    R3 qcusbser;QC USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\qcusbser.sys [x]
    R3 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe86.sys [x]
    R3 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe86.sys [x]
    R3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows\system32\DRIVERS\silabenm.sys [x]
    R3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows\system32\DRIVERS\silabser.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R4 SBAMSvc;VIPRE Business;c:\program files\Sunbelt Software\SBEAgent\SBAMSvc.exe [x]
    S0 nipbcfk;National Instruments Class Upper Filter Driver;c:\windows\System32\drivers\nipbcfk.sys [x]
    S0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdfltn.sys [x]
    S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [x]
    S1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [x]
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_d511891fb5bff1e2\aestsrv.exe [x]
    S2 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [x]
    S2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [x]
    S2 InstallFilterService;FF Install Filter Service;c:\program files\STMicroelectronics\AccelerometerP11\InstallFilterService.exe [x]
    S2 niLXIDiscovery;National Instruments LXI Discovery Service;c:\program files\IVI Foundation\VISA\WinNT\NIvisa\niLxiDiscovery.exe [x]
    S2 nimDNSResponder;National Instruments mDNS Responder Service;c:\program files\National Instruments\Shared\mDNS Responder\nimdnsResponder.exe [x]
    S2 NvcSvcMgr;Nortel VPN Client;c:\program files\Nortel\Nortel VPN Client\NvcSvcMgr.exe [x]
    S2 nvcwfpco;nvcwfpco;c:\windows\system32\DRIVERS\nvcwfpco.sys [x]
    S2 NvtlService;NovaCore SDK Service;c:\program files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe [x]
    S2 NWHelper;Novatel Wireless Device Helper ;c:\program files\Novatel Wireless\Drivers\NWHelper.exe [x]
    S2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe86.sys [x]
    S2 sbapifs;sbapifs;c:\windows\system32\DRIVERS\sbapifs.sys [x]
    S2 SBPIMSvc;SB Recovery Service;c:\program files\Sunbelt Software\SBEAgent\SBPIMSvc.exe [x]
    S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [x]
    S3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [x]
    S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
    S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys [x]
    S3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [x]
    S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
    S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
    S3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [x]
    S3 NT_NvcA;Nortel VPN Adapter;c:\windows\system32\DRIVERS\ntnvca.sys [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2DF770F4-E9A4-4D0B-A014-82E1A42C7B69}]
    2009-09-23 06:21 99176 ------w- c:\program files\Hummingbird\Connectivity\14.00\Accessories\HumSettings.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-02-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-06 11:59]
    .
    2013-02-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-06 11:59]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\MIF5BA~1\Office14\ONBttnIE.dll/105
    IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    TCP: DhcpNameServer = 192.168.0.1 72.1.0.2
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0009\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0010\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'Explorer.exe'(4352)
    c:\program files\WIDCOMM\Bluetooth Software\btmmhook.dll
    c:\program files\Hummingbird\Connectivity\14.00\Hummingbird Neighborhood\heshell.dll
    c:\program files\WIDCOMM\Bluetooth Software\btncopy.dll
    c:\program files\WS_FTP Pro\nsftpch.dll
    c:\program files\hummingbird\connectivity\14.00\accessories\humsettings.eng.nls
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_d511891fb5bff1e2\STacSV.exe
    c:\windows\system32\WUDFHost.exe
    c:\windows\system32\WLANExt.exe
    c:\windows\system32\conhost.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\WIDCOMM\Bluetooth Software\btwdins.exe
    c:\program files\Cisco Systems\VPN Client\cvpnd.exe
    c:\program files\Intel\WiFi\bin\EvtEng.exe
    c:\windows\system32\nisvcloc.exe
    c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\windows\system32\WUDFHost.exe
    c:\windows\system32\taskhost.exe
    c:\windows\system32\conhost.exe
    c:\program files\DellTPad\ApMsgFwd.exe
    c:\program files\DellTPad\HidFind.exe
    c:\program files\DellTPad\Apntex.exe
    c:\windows\system32\conhost.exe
    c:\program files\WIDCOMM\Bluetooth Software\BtStackServer.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\system32\sppsvc.exe
    .
    **************************************************************************
    .
    Completion time: 2013-02-06 17:19:56 - machine was rebooted
    ComboFix-quarantined-files.txt 2013-02-06 23:19
    ComboFix2.txt 2013-02-05 22:33
    .
    Pre-Run: 56,308,355,072 bytes free
    Post-Run: 55,596,814,336 bytes free
    .
    - - End Of File - - FED6FCCBAD1C42E6C78C08E424972D95


    I didn't see a log file when the VirusTotal scan finished, so I just did a CTRL-A CTRL-C and pasted it into Notepad.



    Analysis completed.
    SHA256: 4a1b322c2aac586bf72d5117149756213f98ff53621361cd84fe2439f0d5497e
    SHA1: 9ed3a3c218a781693c2007024905f27dd756ec0c
    MD5: ee0caa2cf24834669802a611f0e3904f
    File size: 97.0 KB ( 99328 bytes )
    File name: hole.dll
    File type: Win32 DLL
    Detection ratio: 23 / 46
    Analysis date: 2013-02-06 23:38:23 UTC ( 1 minute ago )


    Antivirus Result Update
    Agnitum - 20130206
    AhnLab-V3 Backdoor/Win32.Papras 20130206
    AntiVir TR/Spy.Ursnif.296 20130206
    Antiy-AVL - 20130206
    Avast Win32:Malware-gen 20130207
    AVG PSW.Generic10.BNBV 20130206
    BitDefender Trojan.Generic.KDV.842130 20130207
    ByteHero - 20130204
    CAT-QuickHeal - 20130206
    ClamAV - 20130206
    Commtouch - 20130206
    Comodo UnclassifiedMalware 20130206
    DrWeb - 20130207
    Emsisoft - 20130207
    eSafe - 20130206
    ESET-NOD32 Win32/PSW.Papras.CD 20130206
    F-Prot - 20130201
    F-Secure Trojan.Generic.KDV.842130 20130206
    Fortinet W32/Papras.CD!tr.pws 20130206
    GData Trojan.Generic.KDV.842130 20130206
    Ikarus Trojan-Spy.Win32.Ursnif 20130206
    Jiangmin - 20121221
    K7AntiVirus - 20130206
    Kaspersky Backdoor.Win32.Papras.pgk 20130206
    Kingsoft - 20130204
    Malwarebytes - 20130206
    McAfee RDN/Generic PWS.y!l 20130206
    McAfee-GW-Edition RDN/Generic PWS.y!l 20130206
    Microsoft TrojanSpy:Win32/Ursnif 20130206
    MicroWorld-eScan Trojan.Generic.KDV.842130 20130207
    NANO-Antivirus - 20130206
    Norman Suspicious_Gen4.CFXJA 20130206
    nProtect Trojan.Generic.KDV.842130 20130206
    Panda Trj/CI.A 20130206
    PCTools Backdoor.Snifula 20130206
    Rising - 20130205
    Sophos - 20130206
    SUPERAntiSpyware - 20130206
    Symantec Backdoor.Snifula.D 20130206
    TheHacker - 20130206
    TotalDefense - 20130206
    TrendMicro - 20130207
    TrendMicro-HouseCall TROJ_GEN.RCBH1AU 20130207
    VBA32 - 20130206
    VIPRE Trojan.Win32.Generic!BT 20130206
    ViRobot - 20130206





    When Malwarebytes completed, it showed that there were no malicious objects found. There were no results shown and no objects to remove.

    Malwarebytes Anti-Malware 1.70.0.1100
    www.malwarebytes.org

    Database version: v2013.02.06.11

    Windows 7 Service Pack 1 x86 NTFS
    Internet Explorer 8.0.7601.17514
    dbosquez :: ELEMENTTECH-LT2 [administrator]

    2/6/2013 5:53:18 PM
    mbam-log-2013-02-06 (17-53-18).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 264903
    Time elapsed: 1 minute(s), 55 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
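    Both ComboFix logs in this thread record the UAC policy values under policies\system, and in this log EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop are all 0. As an added example that is not part of the thread or of ComboFix, the Python below pulls that block out of a ComboFix log and flags the values that weaken UAC; the sample input is copied from the log above, and the "default" values it compares against are the Windows 7 defaults.

```python
"""Pull the UAC policy block out of a ComboFix log and flag weak values.

Added example, not part of the thread or of ComboFix itself. The sample
lines below are copied from the "Reg Loading Points" section of the log
posted above; the comparison values are the Windows 7 defaults.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: a Reg Loading Points fragment exactly as ComboFix prints
# it (a lone "." line separates blocks). Backslashes are doubled only because
# this is a Python string literal, not a raw string.
SAMPLE_LOG = """\
c:\\programdata\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\
Bluetooth.lnk - c:\\program files\\WIDCOMM\\Bluetooth Software\\BTTray.exe [2010-1-8 828704]
.
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\policies\\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\SBAMSvc]
@="Service"
"""

# Constructed counter-example: the same block with UAC at Windows 7 defaults.
HARDENED_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\policies\\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 1 (0x1)
"PromptOnSecureDesktop"= 1 (0x1)
.
"""

HEADER_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<dec>-?\d+)\s*\(0x[0-9a-fA-F]+\)')


def parse_uac_block(log_text: str) -> Dict[str, int]:
    """Return name -> value for the ...\\policies\\system block, or {} if absent."""
    values: Dict[str, int] = {}
    in_block = False
    for raw in log_text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            # Any key header either opens the block we want or closes it.
            in_block = header.group("key").lower().endswith(r"\policies\system")
            continue
        if not in_block:
            continue
        if line == ".":  # ComboFix's block separator
            in_block = False
            continue
        value = VALUE_RE.match(line)
        if value:
            values[value.group("name")] = int(value.group("dec"))
    return values


# (name, weak value, Windows 7 default, what the weak value means)
WEAK_SETTINGS: List[Tuple[str, int, int, str]] = [
    ("EnableLUA", 0, 1, "UAC is switched off; admin logons run with a full token"),
    ("ConsentPromptBehaviorAdmin", 0, 5, "admins elevate silently, no prompt"),
    ("PromptOnSecureDesktop", 0, 1, "elevation prompts are not on the secure desktop"),
    ("EnableUIADesktopToggle", 1, 0, "UIAccess apps may bypass the secure desktop"),
]


def audit_uac(values: Dict[str, int]) -> List[Tuple[str, int, str]]:
    """Return (name, value, reason) for every UAC policy set to a weak value."""
    findings: List[Tuple[str, int, str]] = []
    for name, weak, _default, reason in WEAK_SETTINGS:
        if values.get(name) == weak:
            findings.append((name, weak, reason))
    return findings


def audit_log(log_text: str) -> List[str]:
    """One report line per finding; an empty list means no weak UAC policy."""
    return [f"{name}={value}: {reason}"
            for name, value, reason in audit_uac(parse_uac_block(log_text))]


if __name__ == "__main__":
    for label, text in (("posted log", SAMPLE_LOG), ("default policy", HARDENED_LOG)):
        report = audit_log(text)
        print(f"{label}: {len(report)} weak UAC setting(s)")
        for line in report:
            print("  " + line)
```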
     
  8. Big Boz

    Big Boz Thread Starter

    Joined:
    Dec 5, 2007
    Messages:
    86
    This is how the system is running now.

    Internet Explorer seems more stable and I haven't had the "IE has stopped working" error yet.

    The redirect is still there. It happens so fast that all I can read is "redirecting www.2beinhome............." or "www2.findbest....."

    There are still the ad windows in the lower corners of my browser. If I right click on one under properties it shows http//content.yieldmanager.edgesuite.net and then a long address. The 2nd one occasionally shows Chitka ad choices on the bottom of it.

    Another thing that is now happening is if I perform a Google search and click on the results links, it takes me to the search page of Google Romania.
     
  9. Glaswegian

    Glaswegian Malware Specialist

    Joined:
    Dec 5, 2004
    Messages:
    3,823
    Hi again

    We can now remove that file.

    Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.


    Combofix

    • Close any open browsers.
    • Open notepad and copy/paste the text in the box below into it:

    Code:
    ClearJavaCache::
    
    File::
    c:\windows\system32\clipgMgr.dll

    Look at the image below as an example.

    [image]

    Save this as CFScript.txt, in the same location as ComboFix.exe


    [image]

    Referring to the picture above, drag CFScript onto ComboFix.exe.

    If you receive a prompt saying there is an updated version of ComboFix available, please allow it to update.

    When finished, it will produce a log for you at "C:\ComboFix.txt"

    Do not mouse-click ComboFix's window whilst it's running. This may cause it to stall.

    CAUTION! Anyone else thinking of using the above script does so at their own risk - you may end up having to re-install Windows!
     
  10. Big Boz

    Big Boz Thread Starter

    Joined:
    Dec 5, 2007
    Messages:
    86
    When I drag the CFScript file onto ComboFix, I get a message stating the date and that, if I want to continue, ComboFix will run with reduced functionality.

    I'm not sure what I should do at this point.
     
  11. Glaswegian

    Glaswegian Malware Specialist

    Joined:
    Dec 5, 2004
    Messages:
    3,823
    Hi again

    CF has an expiry date - however, you can still run the script and we'll get a log. If CF wants to update itself then please allow it to do so.
     
  12. Big Boz

    Big Boz Thread Starter

    Joined:
    Dec 5, 2007
    Messages:
    86
    ComboFix 13-02-03.03 - dbosquez 02/09/2013 12:51:15.3.4 - x86
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3510.2244 [GMT -6:00]
    Running from: c:\users\dbosquez\Desktop\ComboFix.exe
    Command switches used :: c:\users\dbosquez\Desktop\CFScript.txt
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    - REDUCED FUNCTIONALITY MODE -
    .
    FILE ::
    "c:\windows\system32\clipgMgr.dll"
    .
    .
    ((((((((((((((((((((((((( Files Created from 2013-01-09 to 2013-02-09 )))))))))))))))))))))))))))))))
    .
    .
    2013-02-09 18:53 . 2013-02-09 18:53 -------- d-----w- c:\users\wctcAdmin\AppData\Local\temp
    2013-02-09 18:53 . 2013-02-09 18:53 -------- d-----w- c:\users\user\AppData\Local\temp
    2013-02-09 18:53 . 2013-02-09 18:53 -------- d-----w- c:\users\Default\AppData\Local\temp
    2013-02-09 16:10 . 2013-02-09 16:10 -------- d-----w- c:\users\dbosquez\AppData\Local\Apple
    2013-02-09 16:10 . 2013-02-09 16:10 -------- d-----w- c:\users\dbosquez\AppData\Local\Apple Computer
    2013-02-08 19:32 . 2013-02-08 19:32 -------- d-----w- c:\users\dbosquez\AppData\Local\Adobe
    2013-02-08 09:32 . 2013-01-08 04:57 6991832 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{973A2BAD-1C88-4CC0-A609-C80F06D29B53}\mpengine.dll
    2013-02-06 23:52 . 2013-02-06 23:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2013-02-06 23:52 . 2012-12-14 22:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
    2013-02-05 22:33 . 2013-02-09 18:53 -------- d-----w- c:\users\dbosquez\AppData\Local\temp
    2013-01-20 16:20 . 2012-11-09 04:42 2048 ----a-w- c:\windows\system32\tzres.dll
    2013-01-17 19:19 . 2013-01-17 19:19 -------- d-----w- c:\program files\Silabs
    2013-01-14 00:53 . 2013-01-14 15:09 -------- d-----w- c:\program files\RealNetworks
    2013-01-14 00:53 . 2013-01-14 00:53 -------- d-----w- c:\programdata\RealNetworks
    2013-01-11 00:03 . 2010-02-26 02:12 164568 ----a-w- c:\windows\system32\drivers\DIFMVsp.sys
    2013-01-11 00:03 . 2010-02-26 02:12 164568 ----a-w- c:\windows\system32\drivers\DIFMNVsp.sys
    2013-01-11 00:03 . 2010-02-25 17:04 164568 ----a-w- c:\windows\system32\drivers\DIFMMdm.sys
    2013-01-11 00:03 . 2010-02-25 17:04 112728 ----a-w- c:\windows\system32\drivers\DIFMNET.sys
    2013-01-11 00:03 . 2010-02-25 17:04 56408 ----a-w- c:\windows\system32\drivers\DIFMBUS.sys
    2013-01-11 00:03 . 2010-02-25 17:04 29400 ----a-w- c:\windows\system32\drivers\DIFMCDF.sys
    2013-01-11 00:03 . 2010-02-25 17:04 164568 ----a-w- c:\windows\system32\drivers\DIFMCVsp.sys
    2013-01-11 00:03 . 2013-01-11 00:03 -------- d-----w- c:\program files\Franklin
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-01-17 07:28 . 2010-08-02 13:32 232336 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-05-13 288112]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-04-05 495708]
    "IAStorIcon"="c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-12-29 140520]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "NVC"="c:\program files\Nortel\Nortel VPN Client\Nvc.exe" [2010-03-01 1717600]
    "RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
    "SBAMTray"="c:\program files\Sunbelt Software\SBEAgent\SBAMTray.exe" [2011-10-12 1627504]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-12-19 41208]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-01-23 142616]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-01-23 177432]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2012-01-23 177944]
    "TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2012-10-12 296096]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2010-1-8 828704]
    VPN Client.lnk - c:\windows\Installer\{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}\Icon3E5562ED7.ico [2010-8-3 6144]
    WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-9-28 106560]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    R1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [x]
    R2 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [x]
    R2 InstallFilterService;FF Install Filter Service;c:\program files\STMicroelectronics\AccelerometerP11\InstallFilterService.exe [x]
    R3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [x]
    R3 CT_AD_U_CEFE_SERM;AD CEFE service for ports and modem;c:\windows\system32\DRIVERS\CT_AD_U_CEFE_drv.sys [x]
    R3 CT_CDROM_AD;AD EVDO Filter Driver;c:\windows\system32\DRIVERS\CT_CDROM_AD.sys [x]
    R3 DIFMBUS;Franklin EVDO USB Modem Composite Device Driver;c:\windows\system32\DRIVERS\DIFMBUS.sys [x]
    R3 DIFMCDF;Franklin EVDO USB Modem Installation CD;c:\windows\system32\DRIVERS\DIFMCDF.sys [x]
    R3 DIFMCVsp;Franklin EVDO USB Modem CM Port;c:\windows\system32\DRIVERS\DIFMCVsp.sys [x]
    R3 DIFMMdm;Franklin EVDO USB Modem;c:\windows\system32\DRIVERS\DIFMMdm.sys [x]
    R3 DIFMNET;Franklin EVDO USB Modem Network Adapter;c:\windows\system32\DRIVERS\DIFMNET.sys [x]
    R3 DIFMNVsp;Franklin EVDO USB Modem NMEA Port Serial Port;c:\windows\system32\DRIVERS\DIFMNVsp.sys [x]
    R3 DIFMVsp;Franklin EVDO USB Modem Diagnostics Port;c:\windows\system32\DRIVERS\DIFMVsp.sys [x]
    R3 nipalfwedl;nipalfwedl;c:\windows\system32\drivers\nipalfwedl.sys [x]
    R3 nipalusbedl;nipalusbedl;c:\windows\system32\drivers\nipalusbedl.sys [x]
    R3 NWUSBModem_000;Novatel Wireless USB Modem Driver (vGEN);c:\windows\system32\DRIVERS\nwusbmdm_000.sys [x]
    R3 NWUSBPort_000;Novatel Wireless USB Status Port Driver (vGEN);c:\windows\system32\DRIVERS\nwusbser_000.sys [x]
    R3 NWUSBPort2_000;Novatel Wireless USB Status2 Port Driver (vGEN);c:\windows\system32\DRIVERS\nwusbser2_000.sys [x]
    R3 NWVNDIS;Novatel Wireless Virtual Network Adapter;c:\windows\system32\DRIVERS\NWVNdis.sys [x]
    R3 PTUMWBus;PANTECH USB Modem V2 Composite Device Driver;c:\windows\system32\DRIVERS\PTUMWBus.sys [x]
    R3 PTUMWCDF;PANTECH USB Modem V2 Installation CD;c:\windows\system32\DRIVERS\PTUMWCDF.sys [x]
    R3 PTUMWFLT;PTUMWNET Filter Driver;c:\windows\system32\DRIVERS\PTUMWFLT.sys [x]
    R3 PTUMWMdm;PANTECH USB Modem V2 Modem Driver;c:\windows\system32\DRIVERS\PTUMWMdm.sys [x]
    R3 PTUMWNET;PANTECH USB Modem V2 WWAN Driver;c:\windows\system32\DRIVERS\PTUMWNET.sys [x]
    R3 PTUMWVsp;PANTECH USB Modem V2 Diagnostic Port;c:\windows\system32\DRIVERS\PTUMWVsp.sys [x]
    R3 qcusbser;QC USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\qcusbser.sys [x]
    R3 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe86.sys [x]
    R3 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe86.sys [x]
    R3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows\system32\DRIVERS\silabenm.sys [x]
    R3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows\system32\DRIVERS\silabser.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R4 SBAMSvc;VIPRE Business;c:\program files\Sunbelt Software\SBEAgent\SBAMSvc.exe [x]
    S0 nipbcfk;National Instruments Class Upper Filter Driver;c:\windows\System32\drivers\nipbcfk.sys [x]
    S0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdfltn.sys [x]
    S1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [x]
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_d511891fb5bff1e2\aestsrv.exe [x]
    S2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [x]
    S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
    S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
    S2 niLXIDiscovery;National Instruments LXI Discovery Service;c:\program files\IVI Foundation\VISA\WinNT\NIvisa\niLxiDiscovery.exe [x]
    S2 nimDNSResponder;National Instruments mDNS Responder Service;c:\program files\National Instruments\Shared\mDNS Responder\nimdnsResponder.exe [x]
    S2 NvcSvcMgr;Nortel VPN Client;c:\program files\Nortel\Nortel VPN Client\NvcSvcMgr.exe [x]
    S2 nvcwfpco;nvcwfpco;c:\windows\system32\DRIVERS\nvcwfpco.sys [x]
    S2 NvtlService;NovaCore SDK Service;c:\program files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe [x]
    S2 NWHelper;Novatel Wireless Device Helper ;c:\program files\Novatel Wireless\Drivers\NWHelper.exe [x]
    S2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe86.sys [x]
    S2 sbapifs;sbapifs;c:\windows\system32\DRIVERS\sbapifs.sys [x]
    S2 SBPIMSvc;SB Recovery Service;c:\program files\Sunbelt Software\SBEAgent\SBPIMSvc.exe [x]
    S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [x]
    S3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [x]
    S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
    S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys [x]
    S3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [x]
    S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
    S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
    S3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [x]
    S3 NT_NvcA;Nortel VPN Adapter;c:\windows\system32\DRIVERS\ntnvca.sys [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2DF770F4-E9A4-4D0B-A014-82E1A42C7B69}]
    2009-09-23 06:21 99176 ------w- c:\program files\Hummingbird\Connectivity\14.00\Accessories\HumSettings.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-02-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-06 11:59]
    .
    2013-02-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-06 11:59]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\MIF5BA~1\Office14\ONBttnIE.dll/105
    IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    TCP: DhcpNameServer = 192.168.0.1 72.1.0.2
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0009\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0010\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'Explorer.exe'(6752)
    c:\program files\WIDCOMM\Bluetooth Software\btmmhook.dll
    c:\program files\Hummingbird\Connectivity\14.00\Hummingbird Neighborhood\heshell.dll
    .
    Completion time: 2013-02-09 12:58:18
    ComboFix-quarantined-files.txt 2013-02-09 18:58
    ComboFix2.txt 2013-02-06 23:19
    ComboFix3.txt 2013-02-05 22:33
    .
    Pre-Run: 57,097,965,568 bytes free
    Post-Run: 56,975,392,768 bytes free
    .
    - - End Of File - - 8A646627DDF6FEB9AB89A97006F14337
     
  13. Big Boz

    Big Boz Thread Starter

    Joined:
    Dec 5, 2007
    Messages:
    86
    Seems to be working very well now.

    I haven't had a redirection on a search through google.
    I have not had the corner ads pop up, even with multiple windows open.
    IE seems to be stabilized. I haven't had the "IE has stopped working" come up.
     
  14. Glaswegian

    Glaswegian Malware Specialist

    Joined:
    Dec 5, 2004
    Messages:
    3,823
    Hi again

    Looks like that one file was the main source.

    We’ll run an online scan to check for remnants.

    Go here to run an online scanner from ESET. Vista and Windows 7 users - run as Administrator.
    • Note: You will need to use Internet Explorer for this scan. For browsers other than Internet Explorer, you will need to download and install esetsmartinstaller_enu.exe. Click on it and save the file to a convenient location. Double-click on it to install and a new window will open.
    • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start.
    • When asked, allow the ActiveX control to install.
    • Click Start.
    • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
    • Click on Advanced Settings and ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
    • Click Scan.
    • Wait for the scan to finish.
    • Use Notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
    • Copy and paste that log as a reply to this topic and also let me know how things are now.
     
  15. Big Boz

    Big Boz Thread Starter

    Joined:
    Dec 5, 2007
    Messages:
    86
    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=8
    # iexplore.exe=8.00.7600.16385 (win7_rtm.090713-1255)
    # OnlineScanner.ocx=1.0.0.6920
    # api_version=3.0.2
    # EOSSerial=b68d184237d83846b15633079c26d80b
    # engine=13093
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2013-02-11 12:07:54
    # local_time=2013-02-10 06:07:54 (-0600, Central Standard Time)
    # country="United States"
    # lang=1033
    # osver=6.1.7601 NT Service Pack 1
    # compatibility_mode=5893 16776574 100 94 0 112086065 0 0
    # scanned=172499
    # found=19
    # cleaned=0
    # scan_time=3745
    sh=60517A91CE32C56FF20A7B4AE5487880DDECF6EB ft=0 fh=0000000000000000 vn="Win32/Toolbar.Widgi application" ac=I fn="C:\Windows\Installer\13418713.msi"
    sh=296B7BD959FD561D759C6D5AB12586284B86B652 ft=0 fh=0000000000000000 vn="Win32/Toolbar.Widgi application" ac=I fn="C:\Windows\Installer\1498df15.msi"
    sh=A2BE04DA43058B3F8AAF54D9ED371D566061EA83 ft=0 fh=0000000000000000 vn="Win32/Toolbar.Widgi application" ac=I fn="C:\Windows\Installer\3372ebe.msi"
    sh=14D5D56F63735107455B8AA062BA9431BA6016F1 ft=0 fh=0000000000000000 vn="Win32/Toolbar.Widgi application" ac=I fn="C:\Windows\Installer\4d5db75.msi"
    sh=3D146F466B075144A0726E1EC19BFF223541ED6C ft=0 fh=0000000000000000 vn="Win32/Toolbar.Widgi application" ac=I fn="C:\Windows\Installer\4d5db79.msi"
    sh=0D6AC74FD0EE9E6E995EE389FE73CC939B691698 ft=1 fh=e998fa0db83509a7 vn="Win32/Toolbar.Widgi application" ac=I fn="C:\Windows\Installer\{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}\ARPPRODUCTICON.exe"
    sh=0D6AC74FD0EE9E6E995EE389FE73CC939B691698 ft=1 fh=e998fa0db83509a7 vn="Win32/Toolbar.Widgi application" ac=I fn="C:\Windows\Installer\{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}\googleearth.exe1_F6A848FB884248E6A4CDCBDCF41F6A74.exe"
    sh=0D6AC74FD0EE9E6E995EE389FE73CC939B691698 ft=1 fh=e998fa0db83509a7 vn="Win32/Toolbar.Widgi application" ac=I fn="C:\Windows\Installer\{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}\googleearth.exe_F6A848FB884248E6A4CDCBDCF41F6A74.exe"
    sh=0D6AC74FD0EE9E6E995EE389FE73CC939B691698 ft=1 fh=e998fa0db83509a7 vn="Win32/Toolbar.Widgi application" ac=I fn="C:\Windows\Installer\{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}\ShortcutDX_EB071909B9884F8CBF3D6115D4ADEE5E.exe"
    sh=0D6AC74FD0EE9E6E995EE389FE73CC939B691698 ft=1 fh=e998fa0db83509a7 vn="Win32/Toolbar.Widgi application" ac=I fn="C:\Windows\Installer\{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}\ShortcutOGL_EB071909B9884F8CBF3D6115D4ADEE5E.exe"
    sh=7E31CD1178F08E384A2587548CF7B1F2F68D825A ft=1 fh=0b129a11b83509a7 vn="Win32/Toolbar.Widgi application" ac=I fn="C:\Windows\Installer\{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74.exe"
    sh=7E31CD1178F08E384A2587548CF7B1F2F68D825A ft=1 fh=0b129a11b83509a7 vn="Win32/Toolbar.Widgi application" ac=I fn="C:\Windows\Installer\{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74_1.exe"
    sh=954F4AD3F1262AC20ACA2FF47D8C7BFD41DEF50B ft=1 fh=9e3ec0f9b83509a7 vn="Win32/Toolbar.Widgi application" ac=I fn="C:\Windows\Installer\{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}\_7EA1FFEF_B7AE_43A5_8841_DBB045C2D037"
    sh=301D37DE77FDAE20356F55747E9978A2C6DB8276 ft=1 fh=15d3ad48b83509a7 vn="Win32/Toolbar.Widgi application" ac=I fn="C:\Windows\Installer\{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}\_A86D6FCA_B61A_4DF3_A911_587A28753A8E"
    sh=28B7C70645A8C3E92C4A1BB5A4815DF6BB5241E7 ft=1 fh=1dca43a0b4bde6d1 vn="Win32/Toolbar.Widgi application" ac=I fn="C:\Windows\Installer\{75694B4F-EAE0-4323-8E04-65C431C0ADE8}\ARPPRODUCTICON.exe"
    sh=829AE28B65AECD9E1F6ACBF27F6C6022C0C9539B ft=1 fh=e2ebbce231fc3ea1 vn="Win32/Toolbar.Widgi application" ac=I fn="C:\Windows\Installer\{75694B4F-EAE0-4323-8E04-65C431C0ADE8}\NewShortcut1_F8F057F9B34C42BAAB4294B8D90803D8.exe"
    sh=AFE03F78D18DE658B4CDCDC49235811869B2BB90 ft=1 fh=67e37109e246c396 vn="Win32/Toolbar.Widgi application" ac=I fn="C:\Windows\Installer\{8641DC22-298A-4F46-8E3F-BCDA6B83862F}\ARPPRODUCTICON.exe"
    sh=28B7C70645A8C3E92C4A1BB5A4815DF6BB5241E7 ft=1 fh=1dca43a0b4bde6d1 vn="Win32/Toolbar.Widgi application" ac=I fn="C:\Windows\Installer\{9D544611-F437-4153-913E-91CE036583CC}\ARPPRODUCTICON.exe"
    sh=7E31CD1178F08E384A2587548CF7B1F2F68D825A ft=1 fh=0b129a11b83509a7 vn="Win32/Toolbar.Widgi application" ac=I fn="C:\Windows\Installer\{B3FED300-806C-11E0-A0D0-B8AC6F97B88E}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74_1.exe"


    IE still seems to be working pretty well and is stable.
    No redirects have occurred and there are no ads in the corners.
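The ESET Online Scanner log above has a simple line format: `# key=value` header lines followed by one `sh=... vn=... fn=...` record per detection. The helper below is an added example for triaging such a log offline; it is not ESET's code and not something from this thread. It assumes only what the posted log shows: `sh` is a 40-hex SHA-1, `vn` is the detection name, `fn` is the flagged path, and `ft`, `fh` and `ac` are kept as raw strings. The sample is a constructed three-record excerpt of the posted log, with the header's `found` count adjusted to match the excerpt.

```python
import re
from collections import Counter

# Constructed excerpt in the format of the ESET Online Scanner log posted above:
# three real detection lines from the post, header counts adjusted to the excerpt.
SAMPLE_LOG = r"""
# version=8
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# scanned=172499
# found=3
# cleaned=0
sh=60517A91CE32C56FF20A7B4AE5487880DDECF6EB ft=0 fh=0000000000000000 vn="Win32/Toolbar.Widgi application" ac=I fn="C:\Windows\Installer\13418713.msi"
sh=0D6AC74FD0EE9E6E995EE389FE73CC939B691698 ft=1 fh=e998fa0db83509a7 vn="Win32/Toolbar.Widgi application" ac=I fn="C:\Windows\Installer\{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}\ARPPRODUCTICON.exe"
sh=0D6AC74FD0EE9E6E995EE389FE73CC939B691698 ft=1 fh=e998fa0db83509a7 vn="Win32/Toolbar.Widgi application" ac=I fn="C:\Windows\Installer\{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}\googleearth.exe_F6A848FB884248E6A4CDCBDCF41F6A74.exe"
"""

HEADER_RE = re.compile(r"^#\s*(\w+)=(.*)$")
# key=value pairs on a detection line: values are either double-quoted
# (and may contain spaces) or bare tokens without whitespace.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Assumption: the sh= field is a SHA-1 hex digest (40 hex characters).
SHA1_RE = re.compile(r"^[0-9A-Fa-f]{40}$")


def parse_eset_log(text):
    """Split an ESET Online Scanner log into its '# key=value' header
    and a list of detection records (one dict per sh= line)."""
    header, detections = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            header[m.group(1)] = m.group(2).strip()
            continue
        if line.startswith("sh="):
            # findall returns (key, quoted_value, bare_value); one of the two is ''.
            rec = {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}
            detections.append(rec)
        # Any other line (installer banner, 'registred OK', ...) is ignored.
    return {"header": header, "detections": detections}


def summarize(parsed):
    """Triage summary: what was flagged, how many distinct hashes and paths,
    whether the header's own 'found' count agrees with the number of detection
    lines (a cheap check for a truncated paste), and whether the run was
    scan-only (Remove found threats unticked, nothing cleaned)."""
    hdr, dets = parsed["header"], parsed["detections"]
    names = Counter(d.get("vn", "?") for d in dets)
    hashes = {d["sh"] for d in dets if SHA1_RE.match(d.get("sh", ""))}
    paths = {d.get("fn", "") for d in dets}
    found = int(hdr.get("found", "0"))
    return {
        "found_in_header": found,
        "detection_lines": len(dets),
        "complete": found == len(dets),
        "unique_sha1": len(hashes),
        "unique_paths": len(paths),
        "by_name": dict(names),
        "scan_only": hdr.get("remove_checked") == "false" and hdr.get("cleaned") == "0",
    }


if __name__ == "__main__":
    result = summarize(parse_eset_log(SAMPLE_LOG))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Grouping by `sh` rather than by path is the useful view here: the posted log lists 19 paths but far fewer distinct hashes, since the same flagged binary is cached under several Windows Installer names. The `complete` flag guards against acting on a log that was pasted only partially, and `scan_only` confirms the run matched the instructions given (nothing removed, so the files are still in place for review).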
     
Short URL to this thread: https://techguy.org/1087866