Register a free account to unlock additional features at BleepingComputer.com

FBI Hijack


  • This topic is locked
103 replies to this topic

#1 oxblood

oxblood

  • Members
  • 181 posts
  • OFFLINE
  • Local time:04:24 AM

Posted 06 November 2012 - 12:34 PM

Greetings All - I awoke this morning to discover I had acquired what apparently is an imposter FBI page that will not allow me to proceed to Windows without paying $200. My system is XP. I am currently running AVG in safe mode but I don't have much hope of a solution from that source. Can any of you good people help, as this desktop is where I do most of my business and I'm virtually computer illiterate.

Many Thanks

Oxblood



#2 Clairvoyant

Clairvoyant

  • Malware Response Team
  • 1,482 posts
  • OFFLINE
  • Gender:Male
  • Location:somewhere in time
  • Local time:10:24 AM

Posted 06 November 2012 - 01:58 PM

Hello oxblood :).

I will be helping with your computer problems.

Before we start, please note the following:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know
  • Do not make any changes on your own to the computer (installing/uninstalling programs, deleting files, modifying the registry, running scanners or other tools, etc.) without instructions to do so
  • Please read every post completely and perform all steps in the specified order. If you can't understand something or you encounter problems please stop and let me know
  • Do not attach logs, use code or quote boxes. Just copy and paste the text unless directed otherwise
  • Even if things appear to be better, it does not mean we have finished. Follow my instructions and reply back until I tell you that your computer is clean.
  • Please reply using the Add Reply button in the lower right hand corner of your screen
  • Please track this topic by clicking on the Watch Topic button on the top right of this thread => select Immediate Email Notification => click on the Proceed button
Now please try to follow these steps using Safe Mode (F8 method) and post the required logs as described in that topic. :)


Regards

Edited by Clairvoyant, 06 November 2012 - 02:06 PM.


#3 oxblood

oxblood
  • Topic Starter

  • Members
  • 181 posts
  • OFFLINE
  • Local time:04:24 AM

Posted 06 November 2012 - 04:23 PM

Clairvoyant - Thank you so much for your kind assistance with my problem. Before we begin allow me to ask a few questions if I may.

1 Currently I am on my laptop which is uninfected. Should I go to my desktop which is infected and open in safe mode to perform these functions, since you instructed me to use copy and paste? I attempted this once in safe mode and it would not allow access to the internet.

2 Reply using add reply only?

3 In the top right corner of the preceding forum page where you instructed me to enter watch topic - immediate email notify - proceed, did you mean watch forum instead? I don't see watch topic anywhere.

Kind regards
Oxblood

PS Unfortunately I had run an AVG scan and approx 50% Super Anti Spyware before I got your reply. Sorry.

#4 Clairvoyant

Clairvoyant

  • Malware Response Team
  • 1,482 posts
  • OFFLINE
  • Gender:Male
  • Location:somewhere in time
  • Local time:10:24 AM

Posted 06 November 2012 - 07:08 PM

Hello oxblood,

The scans you performed with AVG and SuperAntispyware are probably not dangerous here, but they are almost surely a waste of time. :)

2 Reply using add reply only?

Yes, and you already did it to reply here. :thumbup2:
I mention it because someone may click on the Start New Topic button instead.

3 In the top right corner of the preceding forum page where you instructed me to enter watch topic - immediate email notify - proceed, did you mean watch forum instead? I don't see watch topic anywhere.

That button is in the top right corner of this topic, just above your first post. :wink:

1 Currently I am on my laptop which is uninfected. Should I go to my desktop which is infected and open in safe mode to perform these functions, since you instructed me to use copy and paste? I attempted this once in safe mode and it would not allow access to the internet.

Sorry, I was in a rush and I was unclear. :)
The download of the programs mentioned should be done using your uninfected laptop; then you have to save these files on a USB drive and finally use them on your sick computer.

Please try to follow the instructions below.

1- Download using your clean computer

and then copy them on a USB Drive

2- Boot the sick computer in Safe Mode and plug the USB drive into it

3- Run RKill
  • Put Rkill on your desktop
  • Double-click on RKill icon to run the tool
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully
  • If not, delete the file, then download and use the one from this link
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs
  • When finished, click on the Ok button of the prompt that appears
4- Run DDS
  • Put DDS on your desktop
  • Double-click on DDS icon and Click on the Run button to start DDS
  • Click on Start button of the tool to run it
  • When finished, click on the Ok button of the prompt
  • Close the two logs that will be displayed automatically
Finally copy the RKill.txt, DDS.txt and Attach.txt files from the desktop of the sick computer to the USB drive, plug the USB drive into your clean computer, post the contents of the first two logs and attach the Attach.txt file in your next reply.


Regards
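For readers who want a first pass over the DDS log these steps produce, here is an added triage helper. It is example code written for this page, not code from the thread, from BleepingComputer or from the DDS tool. It parses the autostart lines DDS prints in its "Pseudo HJT Report" (the uRun:, mRun: and StartupFolder: prefixes, which appear in DDS output) and flags entries whose executable runs from outside the Windows or Program Files trees, or whose file name imitates a core Windows process. SAMPLE_REPORT is a constructed sample modelled on the DDS line format, not a real capture; SYSTEM_PROCESS_NAMES, TRUSTED_ROOTS and the function names are this example's own choices.

```python
"""Triage helper for the autostart lines in a DDS 'Pseudo HJT Report'.

Added example; not code from this thread, from BleepingComputer or from
the DDS tool.  It parses the uRun:/mRun:/StartupFolder: lines that DDS
prints and flags entries whose executable runs from outside the Windows
or Program Files trees, or which borrow the name of a core Windows
process.  SAMPLE_REPORT is constructed for this example, modelled on the
DDS line format; the rule sets and function names are this example's own.
"""
import re
from typing import Dict, List, Optional

# Constructed sample report (not a real capture), in DDS's line format.
SAMPLE_REPORT = r"""
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\user\startm~1\programs\startup\ctfmon.lnk - c:\documents and settings\all users\application data\lsass.exe
StartupFolder: c:\docume~1\user\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
uRun: [Updater] "c:\documents and settings\user\local settings\application data\vendor\update.exe" /c
""".strip()

# Core Windows process names that malware often imitates; a binary with one
# of these names outside %SystemRoot% deserves a closer look.
SYSTEM_PROCESS_NAMES = {
    "lsass.exe", "csrss.exe", "smss.exe", "services.exe",
    "winlogon.exe", "svchost.exe", "explorer.exe", "ctfmon.exe",
}
WINDOWS_ROOT = "c:\\windows\\"
# Where an autostart binary is normally expected to live (32-bit XP layout).
TRUSTED_ROOTS = (WINDOWS_ROOT, "c:\\program files\\")

RUN_RE = re.compile(r"^(?P<kind>[um]Run): \[(?P<name>[^\]]*)\] (?P<rest>.*)$", re.I)
STARTUP_RE = re.compile(r"^StartupFolder: (?P<lnk>.+?\.lnk) - (?P<target>.*)$", re.I)


def extract_exe(command: str) -> str:
    """Return the executable path from a command line, with arguments removed."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted paths may contain spaces: take everything up to the first
    # '.exe' that is followed by whitespace or the end of the line.
    m = re.match(r"(.*?\.exe)(?:\s|$)", command, re.I)
    return m.group(1) if m else (command.split() or [command])[0]


def parse_entry(line: str) -> Optional[Dict[str, str]]:
    """Parse one DDS autostart line into kind/name/path, or None for other lines."""
    m = RUN_RE.match(line)
    if m:
        return {"kind": m["kind"], "name": m["name"], "path": extract_exe(m["rest"])}
    m = STARTUP_RE.match(line)
    if m:
        lnk_name = m["lnk"].rsplit("\\", 1)[-1]
        return {"kind": "StartupFolder", "name": lnk_name, "path": extract_exe(m["target"])}
    return None


def assess(entry: Dict[str, str]) -> List[str]:
    """Apply the heuristics to one entry and return the reasons it looks suspicious."""
    path = entry["path"].lower()
    base = path.rsplit("\\", 1)[-1]
    reasons: List[str] = []
    if base in SYSTEM_PROCESS_NAMES and not path.startswith(WINDOWS_ROOT):
        reasons.append(f"{base} is a core Windows process name but runs from outside c:\\windows")
    if not path.startswith(TRUSTED_ROOTS):
        reasons.append("binary lives outside the Windows/Program Files trees (user-writable location)")
    if entry["kind"] == "StartupFolder":
        # A shortcut named after a Windows component that launches something else.
        name = entry["name"].lower()
        stem = name[:-4] if name.endswith(".lnk") else name
        if f"{stem}.exe" in SYSTEM_PROCESS_NAMES and base != f"{stem}.exe":
            reasons.append(f"shortcut is named {stem}.lnk but launches {base}")
    return reasons


def triage(report: str) -> List[Dict[str, object]]:
    """Return the autostart entries in a report that trigger at least one heuristic."""
    findings: List[Dict[str, object]] = []
    for line in report.splitlines():
        entry = parse_entry(line.strip())
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f['kind']}] {f['name']} -> {f['path']}")
        for reason in f["reasons"]:
            print("    -", reason)
```

The flags are heuristics to direct a reader's attention, not a verdict: legitimate updaters (Google, Akamai and similar) also start from Local Settings\Application Data and will be listed with a single reason, while a system-process name launched from a data directory by a shortcut named after a different component stacks several reasons and is the kind of entry a helper would ask about first. On a 64-bit system, TRUSTED_ROOTS would also need the Program Files (x86) tree.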

#5 oxblood

oxblood
  • Topic Starter

  • Members
  • 181 posts
  • OFFLINE
  • Local time:04:24 AM

Posted 06 November 2012 - 10:00 PM

Clairvoyant - I currently have a couple of rkill desktop icons on my infected computer plus other bleeping computer icons from an earlier session a year or so ago. I attempted to remove these just now unsuccessfully. Should I reattempt removal on the infected desktop or just overwrite with the new rkill & DDS downloads?

Thanks
Oxblood

#6 oxblood

oxblood
  • Topic Starter

  • Members
  • 181 posts
  • OFFLINE
  • Local time:04:24 AM

Posted 07 November 2012 - 11:39 AM

Clairvoyant - I was able to download and run both rkill & dds programs on the infected computer. However I cannot seem to be able to copy and paste these files back to either the flash drive or a CD to load on the clean laptop and upload to you. Can you provide a procedure to instruct me how to accomplish this or do you have any other suggestions?

I will continue to try and figure out how to copy and paste the requested files to my laptop
and if successful will upload to you unless I hear from you first.

Thanks & Sorry
Oxblood

#7 oxblood

oxblood
  • Topic Starter

  • Members
  • 181 posts
  • OFFLINE
  • Local time:04:24 AM

Posted 07 November 2012 - 02:30 PM

Clairvoyant - I hope this is what you need. I await your reply.

Thanks Much
Oxblood






UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-05.02)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 11/10/2005 1:59:34 PM
System Uptime: 11/7/2012 10:48:10 AM (1 hours ago)
.
Motherboard: Dell Computer Corp. | | 0C2425
Processor: Intel® Pentium® 4 CPU 2.66GHz | Microprocessor | 2657/533mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 37 GiB total, 16.993 GiB free.
D: is CDROM ()
F: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP888: 8/31/2012 11:49:34 AM - System Checkpoint
RP889: 9/1/2012 1:01:25 PM - System Checkpoint
RP890: 9/2/2012 1:16:32 PM - System Checkpoint
RP891: 9/3/2012 2:21:31 PM - System Checkpoint
RP892: 9/4/2012 3:22:15 PM - System Checkpoint
RP893: 9/5/2012 3:26:39 PM - System Checkpoint
RP894: 9/6/2012 4:29:53 PM - System Checkpoint
RP895: 9/7/2012 4:43:41 PM - System Checkpoint
RP896: 9/8/2012 5:26:38 PM - System Checkpoint
RP897: 9/9/2012 5:27:43 PM - System Checkpoint
RP898: 9/10/2012 5:29:04 PM - System Checkpoint
RP899: 9/11/2012 6:26:20 PM - System Checkpoint
RP900: 9/12/2012 7:26:18 PM - System Checkpoint
RP901: 9/13/2012 8:40:22 PM - System Checkpoint
RP902: 9/14/2012 10:27:28 PM - System Checkpoint
RP903: 9/15/2012 11:26:20 PM - System Checkpoint
RP904: 9/17/2012 12:26:19 AM - System Checkpoint
RP905: 9/18/2012 1:25:18 AM - System Checkpoint
RP906: 9/19/2012 2:30:02 AM - System Checkpoint
RP907: 9/20/2012 2:57:09 AM - System Checkpoint
RP908: 9/20/2012 9:56:59 AM - Avg Update
RP909: 9/21/2012 10:22:08 AM - System Checkpoint
RP910: 9/22/2012 10:57:08 AM - System Checkpoint
RP911: 9/23/2012 11:57:08 AM - System Checkpoint
RP912: 9/24/2012 12:03:03 PM - System Checkpoint
RP913: 9/25/2012 12:13:53 PM - System Checkpoint
RP914: 9/26/2012 1:13:53 PM - System Checkpoint
RP915: 9/27/2012 1:16:33 PM - System Checkpoint
RP916: 9/28/2012 2:20:43 PM - System Checkpoint
RP917: 9/29/2012 3:13:53 PM - System Checkpoint
RP918: 9/30/2012 4:13:21 PM - System Checkpoint
RP919: 10/1/2012 6:03:35 PM - System Checkpoint
RP920: 10/2/2012 6:13:22 PM - System Checkpoint
RP921: 10/3/2012 8:31:33 PM - System Checkpoint
RP922: 10/4/2012 9:12:10 PM - System Checkpoint
RP923: 10/5/2012 9:46:46 PM - System Checkpoint
RP924: 10/6/2012 10:31:39 PM - System Checkpoint
RP925: 10/8/2012 12:42:20 AM - System Checkpoint
RP926: 10/9/2012 12:53:11 AM - System Checkpoint
RP927: 10/10/2012 2:44:03 AM - System Checkpoint
RP928: 10/11/2012 2:53:11 AM - System Checkpoint
RP929: 10/12/2012 3:53:11 AM - System Checkpoint
RP930: 10/13/2012 4:53:11 AM - System Checkpoint
RP931: 10/14/2012 2:37:32 PM - System Checkpoint
RP932: 10/15/2012 2:45:57 PM - System Checkpoint
RP933: 10/16/2012 3:16:58 PM - System Checkpoint
RP934: 10/17/2012 3:45:56 PM - System Checkpoint
RP935: 10/18/2012 5:58:44 PM - System Checkpoint
RP936: 10/19/2012 6:45:58 PM - System Checkpoint
RP937: 10/20/2012 1:54:14 PM - Installed MozyHome
RP938: 10/21/2012 2:13:54 PM - System Checkpoint
RP939: 10/22/2012 3:13:53 PM - System Checkpoint
RP940: 10/23/2012 4:26:51 PM - System Checkpoint
RP941: 10/24/2012 5:09:42 PM - System Checkpoint
RP942: 10/25/2012 11:09:30 PM - System Checkpoint
RP943: 10/26/2012 11:33:25 PM - System Checkpoint
RP944: 10/27/2012 11:53:57 PM - System Checkpoint
RP945: 10/29/2012 12:55:01 AM - System Checkpoint
RP946: 10/30/2012 1:37:48 AM - System Checkpoint
RP947: 10/31/2012 2:25:27 AM - System Checkpoint
RP948: 11/1/2012 2:37:47 AM - System Checkpoint
RP949: 11/2/2012 3:37:47 AM - System Checkpoint
RP950: 11/3/2012 3:47:06 AM - System Checkpoint
RP951: 11/4/2012 3:37:47 AM - System Checkpoint
RP952: 11/5/2012 4:37:51 AM - System Checkpoint
.
==== Installed Programs ======================
.
Active Disk
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader X (10.1.4)
Akamai NetSession Interface
Akamai NetSession Interface Service
America Online (Choose which version to remove)
AudibleManager
AVG Free 9.0
Banctec Service Agreement
Broadcom Management Programs
Canon Camera Access Library
Canon DIGITAL CAMERA Solution Disk Software Guide
CANON iMAGE GATEWAY Task for ZoomBrowser EX
Canon Internet Library for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon Personal Printing Guide
Canon PowerShot A3100 IS and PowerShot A3000 IS Camera User Guide
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC 8
Canon Utilities Movie Uploader for YouTube
Canon Utilities MyCamera
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
Conexant D850 56K V.9x DFVc Modem
Corel Applications
Creative MediaSource 5
Creative Removable Disk Manager
Creative System Information
Critical Update for Windows Media Player 11 (KB959772)
DAO 3.5
Dell Digital Jukebox Driver
Dell Networking Guide
Dell Solution Center
Dell Support 5.0.0 (766)
Digital Line Detect
DigitPower
Google Chrome
GoToAssist 8.0.0.514
GoToMeeting 4.8.0.723
Help and Support Customization
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Format SDK (KB910998)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
iLinc Client
Inbox Toolbar
Intel® Extreme Graphics Driver
Internet Explorer Default Page
Java Auto Updater
Java™ 6 Update 3
Java™ 6 Update 33
Java™ 6 Update 5
Java™ 6 Update 7
Learn2 Player (Uninstall Only)
LiveUpdate
Malwarebytes Anti-Malware version 1.65.0.1400
MGI PhotoSuite 8.06 (Remove Only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard 2004
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft Office 2000 SR-1 Disc 2
Microsoft Office 2000 SR-1 Professional
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft XML Parser
MID Converter 3.2
Mozilla Firefox (3.0.17)
MozyHome
MREP Custom Review Builder
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB925673)
Musicmatch® Jukebox
OpenOffice.org 3.3
Options 360™
Palm Desktop
PDFlib 4.0.1
Qualxserve Service Agreement
Quicken Deluxe 2000
QuickTime
Real Estate Success System
RealPlayer
Rhapsody Player Engine
Scan Manager 5.2
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Shockwave
Skype™ 4.2
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
SUPERAntiSpyware Free Edition
TechConnect
Trust Associates Buying, Selling and Holding 2005.3
Trust Associates MAS Auto-Fill Bonus Disk 2008.1
Trust Associates MPI Bonus Disk 2008.2
Trust Associates Short Sale Profits 2008.1
Trust Associates Street Smart Asset Protection - TRUSTS 2007.3
Trust Associates Work For Equity Program 2007.3
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebEx
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix - KB895316
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0
ZENcast Organizer
.
==== Event Viewer Messages From Past Week ========
.
11/7/2012 10:50:31 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
11/6/2012 3:48:03 PM, error: Service Control Manager [7000] - The SAVRoam service failed to start due to the following error: The system cannot find the path specified.
11/6/2012 3:48:03 PM, error: Service Control Manager [7000] - The NAVAPEL service failed to start due to the following error: The system cannot find the path specified.
11/6/2012 3:46:06 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
11/6/2012 3:23:16 AM, error: Print [23] - Printer Lexmark Z23-Z33,0 failed to initialize because a suitable Lexmark Z23-Z33 driver could not be found.
11/6/2012 10:17:04 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX Fips intelppm IPSec mozyFilter MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip
11/6/2012 10:17:04 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
11/6/2012 10:17:04 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/6/2012 10:17:04 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/6/2012 10:17:04 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
11/6/2012 10:16:52 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
11/1/2012 12:01:18 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Akamai service.
.
==== End Of File ===========================





DDS (Ver_2012-11-05.02) - NTFS_x86 MINIMAL
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_33
Run by Elvis at 11:19:12 on 2012-11-07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.556 [GMT -5:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ================
.
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.comcast.net/a/
uProxyOverride = 127.0.0.1:9421;<local>
uURLSearchHooks: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg9\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Inbox Toolbar: {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - c:\program files\inbox toolbar\Inbox.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Inbox Toolbar: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - c:\program files\inbox toolbar\Inbox.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Akamai NetSession Interface] "c:\documents and settings\elvis\local settings\application data\akamai\netsession_win.exe"
uRun: [Google Update] "c:\documents and settings\elvis\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\elvis\startm~1\programs\startup\ctfmon.lnk - c:\documents and settings\all users\application data\lsass.exe
StartupFolder: c:\docume~1\elvis\startm~1\programs\startup\hotsyn~1.lnk - c:\palm\HOTSYNC.EXE
StartupFolder: c:\docume~1\elvis\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
Trusted Zone: musicmatch.com
DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - hxxp://housecall60.trendmicro.com/housecall/xscan60.cab
DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} - hxxp://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://www.tscmaps.com/shared/viewer/mgaxctrl.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://mandtuniversity.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{23CC36FF-C537-46C3-BAE6-8D6207EBB691} : DHCPNameServer = 192.168.1.254
Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - c:\program files\inbox toolbar\Inbox.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\progra~1\outlook express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
mASetup: {7790769C-0471-11d2-AF11-00C04FA35D02} - "c:\progra~1\outlook express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\elvis\applic~1\mozilla\firefox\profiles\gd1mtlel.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\elvis\application data\mozilla\firefox\profiles\gd1mtlel.default\extensions\[email protected]\components\plugins.dll
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\elvis\application data\real\rhapsodyplayerengine\nprhapengine.dll
FF - plugin: c:\documents and settings\elvis\local settings\application data\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\program files\real\realplayer\browserrecord\firefox\ext
FF - Ext: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg9\Firefox
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Inbox Toolbar: inboxcomt[email protected] - %profile%\extensions\[email protected]
.
---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.02.12
============= SERVICES / DRIVERS ===============
.
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-1-17 216400]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-1-17 29712]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-1-17 243152]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
S2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2003-7-16 14336]
S2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
S2 mrtRate;mrtRate;c:\windows\system32\drivers\MrtRate.sys [2004-5-19 36404]
S2 NAVAPEL;NAVAPEL;\??\c:\program files\navnt\navapel.sys --> c:\program files\navnt\NAVAPEL.SYS [?]
S2 ppsio2;PPDevice;c:\windows\system32\drivers\PPSIO2.SYS [2004-6-2 22400]
S2 SAVRoam;SAVRoam;c:\progra~1\navnt\savroam.exe --> c:\progra~1\navnt\SavRoam.exe [?]
S3 NAVAP;NAVAP;\??\c:\progra~1\navnt\navap.sys --> c:\progra~1\navnt\NAVAP.sys [?]
S3 palmusb;USB Comm driver (WDM);c:\windows\system32\drivers\palmusb.sys [2001-12-20 72800]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
.
=============== Created Last 30 ================
.
2012-11-07 15:51:23 -------- d--h--w- c:\windows\PIF
2012-11-06 08:02:40 33280 ----a-w- c:\docume~1\alluse~1\application data\lsass.exe
2012-10-20 17:51:15 12639208 ----a-w- c:\docume~1\alluse~1\Tempmozy-manualupdate-4a89cedd164c5f5e19189bfd5deb26c7.exe
.
==================== Find3M ====================
.
2012-09-19 21:09:55 1409 ----a-w- c:\windows\QTFont.for
2012-09-07 21:04:46 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-18 08:53:32 2994688 ----a-w- c:\program files\openofficeorg33.msi
2011-01-18 08:52:10 475016 ----a-w- c:\program files\setup.exe
2004-06-02 14:52:01 3696336 ----a-w- c:\program files\dgt.exe
2001-09-28 23:00:28 164864 ----a-w- c:\program files\UNWISE.EXE
.
============= FINISH: 11:19:25.50 ===============



Rkill 2.4.4 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 11/07/2012 10:55:07 AM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Firewall Disabled

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = dword:00000000

Checking Windows Service Integrity:

* AFD Networking Support Environment (AFD) is not Running.
Startup Type set to: System

* DHCP Client (Dhcp) is not Running.
Startup Type set to: Automatic

* DNS Client (Dnscache) is not Running.
Startup Type set to: Automatic

* COM+ Event System (EventSystem) is not Running.
Startup Type set to: Manual

* Network Connections (Netman) is not Running.
Startup Type set to: Manual

* Security Center (wscsvc) is not Running.
Startup Type set to: Automatic

* AFD Networking Support Environment (AFD) is not Running.
Startup Type set to: System

* IPSEC driver (IPSec) is not Running.
Startup Type set to: System

* NetBios over Tcpip (NetBT) is not Running.
Startup Type set to: System

* TCP/IP Protocol Driver (Tcpip) is not Running.
Startup Type set to: System

* wuauserv [Missing Service]

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* HOSTS file entries found:

127.0.0.1 localhost

Program finished at: 11/07/2012 10:56:20 AM
Execution time: 0 hours(s), 1 minute(s), and 13 seconds(s)
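A triage check a responder can run over DDS-style autostart lines like the ones in the log above. It flags the pattern that log shows: a Startup-folder ctfmon.lnk that launches an lsass.exe from All Users\Application Data rather than from the Windows directory. This is an added example written for this page, not DDS, Rkill or ComboFix code; the sample lines are constructed from the log above, and the process-name and directory lists are my own assumptions.

```python
"""Flag autostart entries that masquerade as Windows system processes.

Parses the uRun / mRun / StartupFolder lines of a DDS log and reports
binaries that use a core system process name outside the Windows tree,
shortcuts whose name does not match what they launch, and autostarts
that run from user-writable profile directories.
"""
import re
from dataclasses import dataclass

# Core Windows processes that belong only under the Windows directory tree.
# Assumed list for this example; extend as needed.
SYSTEM_PROCESS_NAMES = {
    "lsass.exe", "csrss.exe", "svchost.exe", "winlogon.exe", "smss.exe",
    "services.exe", "ctfmon.exe", "explorer.exe", "spoolsv.exe",
}
# Lower-cased directory prefixes where those binaries legitimately live.
TRUSTED_SYSTEM_DIRS = ("c:\\windows\\", "%windir%\\", "%systemroot%\\")
# Markers of user-writable data directories that malware commonly drops into.
PROFILE_DIRS = ("\\application data\\", "\\local settings\\", "\\appdata\\", "\\temp\\")

RUN_RE = re.compile(r"^(?P<hive>[um]Run): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^StartupFolder: (?P<lnk>.*?\.lnk) - (?P<cmd>.*)$", re.I)
# Executable path at the start of a command line, quoted or not, args ignored.
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|scr|com|bat|cmd|pif))"?(?:\s|$)', re.I)

# Constructed sample modelled on the DDS log above (not the actual log).
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Akamai NetSession Interface] "c:\documents and settings\elvis\local settings\application data\akamai\netsession_win.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\elvis\startm~1\programs\startup\ctfmon.lnk - c:\documents and settings\all users\application data\lsass.exe
StartupFolder: c:\docume~1\elvis\startm~1\programs\startup\hotsyn~1.lnk - c:\palm\HOTSYNC.EXE
"""


@dataclass
class Finding:
    line: str
    reason: str
    severity: str  # "high" = likely malicious, "review" = worth a look


def extract_target(cmd):
    """Return the lower-cased executable path from a Run value or shortcut target."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path").lower() if m else None


def split_path(path):
    """Split a lower-cased Windows path into (directory with trailing '\\', basename)."""
    idx = path.rfind("\\")
    return path[:idx + 1], path[idx + 1:]


def triage_line(line):
    """Apply the three checks to one DDS autostart line; return a list of Findings."""
    findings = []
    m = RUN_RE.match(line) or STARTUP_RE.match(line)
    if not m:
        return findings
    target = extract_target(m.group("cmd"))
    if target is None:
        return findings
    directory, basename = split_path(target)

    # 1. A core system process name running from outside the Windows tree.
    if basename in SYSTEM_PROCESS_NAMES and not directory.startswith(TRUSTED_SYSTEM_DIRS):
        findings.append(Finding(line, f"{basename} masquerade: runs from {directory}", "high"))

    # 2. A Startup-folder shortcut named after a system tool but launching something else.
    if "lnk" in m.groupdict():
        lnk_name = m.group("lnk").lower().rsplit("\\", 1)[-1]
        expected = lnk_name[: -len(".lnk")] + ".exe"
        if expected in SYSTEM_PROCESS_NAMES and basename != expected:
            findings.append(Finding(line, f"{lnk_name} launches {basename}, not {expected}", "high"))

    # 3. Any autostart binary that lives in a user-writable profile directory.
    if any(marker in directory for marker in PROFILE_DIRS):
        findings.append(Finding(line, f"autostart from user-writable location {directory}", "review"))
    return findings


def triage_log(text):
    """Run triage_line over every line of a DDS log."""
    return [f for line in text.splitlines() for f in triage_line(line)]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

On the constructed sample, only the lsass.exe shortcut produces high-severity findings; the Akamai entry is reported for review because it runs from Local Settings\Application Data.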

#8 Clairvoyant

Clairvoyant

  • Malware Response Team
  • 1,482 posts
  • Gender:Male
  • Location:somewhere in time
  • Local time:10:24 AM

Posted 08 November 2012 - 06:48 AM

Hello oxblood,

Yes, that is just what I asked. :thumbup2:

Now, from your clean computer, please download ComboFix (more info about the program here) and then copy it onto a USB drive.

Then

  • Boot the sick computer in Safe Mode and plug the USB drive into it
  • Put ComboFix.exe on your desktop
  • Close/disable all anti-virus and anti-malware programs. Refer to this page if you are not sure how
  • Close any open windows
  • Double click on ComboFix.exe and follow the prompts
  • When ComboFix asks for installing the Recovery Console, click on the No button to start the scan
  • During the scan, leave your sick computer alone and do not mouse-click ComboFix's window; it may cause it to stall
  • If ComboFix asks to restart your computer, allow it to do so.
  • When finished, it will produce and display a report. Close it.
When done, copy the C:\ComboFix.txt file from the sick computer to the USB drive, plug the USB drive into your clean computer and post its contents in your next reply.

Note: if after the scan with ComboFix the desktop is shown, please refrain from connecting the sick computer to the internet.


Regards

#9 oxblood

oxblood
  • Topic Starter

  • Members
  • 181 posts
  • Local time:04:24 AM

Posted 08 November 2012 - 02:32 PM

Clairvoyant, I have downloaded ComboFix to USB on my laptop. I also accessed the link concerning disabling all malware & virus programs on the infected desktop, of which there are three: AVG, Malwarebytes and SUPERAntiSpyware.

Unfortunately, I cannot access the system tray in Safe Mode, nor were there any options to disable when I opened each of the three in Safe Mode. I will await your advice on the disablement issue before proceeding to install ComboFix, for fear of doing damage. I await your reply.

Many Thanks

#10 Clairvoyant

Clairvoyant

  • Malware Response Team
  • 1,482 posts
  • Gender:Male
  • Location:somewhere in time
  • Local time:10:24 AM

Posted 08 November 2012 - 03:43 PM

Hello oxblood :),

please try to run ComboFix using these instructions.

  • On your clean computer open notepad
  • Copy the red bolded instruction

    KILLALL::
  • Paste it into the notepad file
  • Save the file as CFScript.txt and close it
  • Copy CFScript.txt onto your USB drive
  • Boot your sick computer in Safe Mode
  • Plug the USB drive into it
  • Copy the CFScript.txt file onto your desktop
  • Drag CFScript.txt and drop it on the ComboFix icon

  • When ComboFix asks for installing the Recovery Console, click on the No button to start the scan
  • During the scan, leave your sick computer alone and do not mouse-click ComboFix's window; it may cause it to stall
  • If ComboFix asks to restart your computer, allow it to do so.
  • When finished, it will produce and display a report. Close it.
When done, copy the C:\ComboFix.txt file from the sick computer to the USB drive, and from your clean computer post its contents in your next reply.


Regards

#11 oxblood

oxblood
  • Topic Starter

  • Members
  • 181 posts
  • Local time:04:24 AM

Posted 08 November 2012 - 06:19 PM

Clairvoyant - Hope this works

Thanks


ComboFix 12-11-08.01 - Elvis 11/08/2012 16:26:57.2.1 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.591 [GMT -5:00]
Running from: F:\ComboFix.exe
Command switches used :: c:\documents and settings\Elvis\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\lsass.exe
c:\documents and settings\All Users\Application Data\netdislw.pad
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\AVG\avgmfapx.exe
c:\documents and settings\All Users\Application Data\TEMP\AVG\avgmfarx.dll
c:\documents and settings\All Users\Application Data\TEMP\AVG\avgntdumpx.exe
c:\documents and settings\All Users\Application Data\TEMP\AVG\avgrunasx.exe
c:\documents and settings\All Users\Application Data\TEMP\AVG\avi7.avg
c:\documents and settings\All Users\Application Data\TEMP\AVG\compat.ini
c:\documents and settings\All Users\Application Data\TEMP\AVG\htmlayout.dll
c:\documents and settings\All Users\Application Data\TEMP\AVG\incavi.avm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_cz.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_da.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_es.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_fr.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ge.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_hu.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_id.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_in.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_it.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_jp.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ko.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ms.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_nl.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pb.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pl.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pt.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ru.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sc.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sk.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sp.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_tr.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_us.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_zh.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_zt.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaconf.txt
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfacz.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfada.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaes.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfafr.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfage.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfahu.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaid.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfain.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfait.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfajp.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfako.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfams.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfanl.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfapb.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfapl.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfapt.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaru.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfasc.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfask.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfasp.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfatr.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaus.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfavera.txt
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaverx.txt
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfazh.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfazt.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\microavi.avg
c:\documents and settings\All Users\Application Data\TEMP\AVG\miniavi.avg
c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.exe
c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.ini
c:\documents and settings\All Users\Tempmozy-manualupdate-4a89cedd164c5f5e19189bfd5deb26c7.exe
c:\documents and settings\Elvis\g2mdlhlpx.exe
c:\documents and settings\Elvis\GoToAssistDownloadHelper.exe
c:\documents and settings\Elvis\Local Settings\Application Data\flxm.exe
c:\documents and settings\Elvis\Local Settings\Application Data\ivpo.exe
c:\documents and settings\Elvis\Local Settings\Application Data\smli.exe
c:\documents and settings\Elvis\Local Settings\Application Data\vxlj.exe
c:\documents and settings\Elvis\My Documents\~WRL1972.tmp
c:\documents and settings\Elvis\WINDOWS
c:\program files\Setup.exe
c:\windows\EventSystem.log
c:\windows\system32\dllcache\wmpvis.dll
c:\windows\system32\regobj.dll
c:\windows\system32\spool\prtprocs\w32x86\LXAIPP5C.DLL
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-10-08 to 2012-11-08 )))))))))))))))))))))))))))))))
.
.
2012-11-08 21:44 . 2012-11-08 21:44 -------- d-----w- c:\windows\LastGood
2012-11-07 15:51 . 2012-11-07 15:51 -------- d--h--w- c:\windows\PIF
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-19 21:09 . 2012-09-19 21:09 1409 ----a-w- c:\windows\QTFont.for
2012-09-07 21:04 . 2010-03-23 22:46 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-18 08:53 . 2011-01-18 08:53 2994688 ----a-w- c:\program files\openofficeorg33.msi
2004-06-02 14:52 . 2004-06-02 14:51 3696336 ----a-w- c:\program files\dgt.exe
2001-09-28 23:00 . 2007-10-03 00:18 164864 ----a-w- c:\program files\UNWISE.EXE
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2012-09-18 18:51 4756880 ----a-w- c:\program files\MozyHome\mozyshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2012-09-18 18:51 4756880 ----a-w- c:\program files\MozyHome\mozyshell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-09-02 13351304]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-09-29 700416]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-03-29 2012912]
"Akamai NetSession Interface"="c:\documents and settings\Elvis\Local Settings\Application Data\Akamai\netsession_win.exe" [2012-10-09 4441920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-05-06 77824]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-13 198160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
c:\documents and settings\Elvis\Start Menu\Programs\Startup\
ctfmon.lnk - c:\qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\lsass.exe.vir [2012-11-6 33280]
HotSync Manager.lnk - c:\palm\HOTSYNC.EXE [2004-4-13 299008]
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2012-9-18 4533648]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-03-02 20:00 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ SDEarlyDelete\0autocheck autochk *
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk
backup=c:\windows\pss\Event Reminder.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADUserMon]
2002-09-24 21:39 147456 ----a-w- c:\program files\Iomega\AutoDisk\ADUserMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2004-07-19 13:51 306688 ----a-w- c:\program files\Dell Support\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2003-08-06 06:04 114741 ----a-w- c:\windows\SYSTEM32\dla\tfswctrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-10-19 13:59 126976 ----a-w- c:\windows\SYSTEM32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-10-19 13:59 155648 ----a-w- c:\windows\SYSTEM32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2004-10-08 14:49 53248 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2004-05-06 23:23 77824 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-09-13 19:59 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2003-08-19 07:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1081:TCP"= 1081:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [7/16/2003 3:47 PM 14336]
R2 mrtRate;mrtRate;c:\windows\SYSTEM32\DRIVERS\MrtRate.sys [5/19/2004 2:50 PM 36404]
R2 ppsio2;PPDevice;c:\windows\SYSTEM32\DRIVERS\PPSIO2.SYS [6/2/2004 9:38 AM 22400]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S2 SAVRoam;SAVRoam;c:\progra~1\navnt\SavRoam.exe --> c:\progra~1\navnt\SavRoam.exe [?]
S3 palmusb;USB Comm driver (WDM);c:\windows\SYSTEM32\DRIVERS\palmusb.sys [12/20/2001 9:21 PM 72800]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WUAUSERV
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2970542626-3849000294-3366335923-1007Core.job
- c:\documents and settings\Elvis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-01-15 15:55]
.
2012-11-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2970542626-3849000294-3366335923-1007UA.job
- c:\documents and settings\Elvis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-01-15 15:55]
.
2012-11-05 c:\windows\Tasks\ReclaimerUpdateFiles_Elvis.job
- c:\documents and settings\Elvis\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.20\agent\rnupgagent.exe [2012-09-25 01:07]
.
2012-11-06 c:\windows\Tasks\ReclaimerUpdateXML_Elvis.job
- c:\documents and settings\Elvis\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.20\agent\rnupgagent.exe [2012-09-25 01:07]
.
2012-11-08 c:\windows\Tasks\RNUpgradeHelperLogonPrompt_Elvis.job
- c:\documents and settings\Elvis\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.20\agent\rnupgagent.exe [2012-09-25 01:07]
.
2012-11-08 c:\windows\Tasks\User_Feed_Synchronization-{8CBC8DDE-230E-42EC-8D41-D65D20391EB5}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/a/
uInternet Settings,ProxyOverride = 127.0.0.1:9421;<local>
Trusted Zone: musicmatch.com
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Elvis\Application Data\Mozilla\Firefox\Profiles\gd1mtlel.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.02.12
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-11-08 16:49
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_b5e8a4c.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\SERVICES\mirror\***ublicRestricted1*MK*(]
"Attach.ToDesktop"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(628)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
- - - - - - - > 'explorer.exe'(3772)
c:\windows\system32\WININET.dll
c:\program files\MozyHome\mozyshell.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
c:\windows\system32\CTsvcCDA.exe
c:\progra~1\Iomega\System32\AppServices.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\MozyHome\mozybackup.exe
c:\windows\wanmpsvc.exe
c:\program files\Iomega\AutoDisk\ADService.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\System32\vssvc.exe
c:\windows\System32\dllhost.exe
c:\windows\system32\dllhost.exe
c:\windows\System32\msdtc.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\windows\system32\rundll32.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
.
**************************************************************************
.
Completion time: 2012-11-08 17:00:26 - machine was rebooted
ComboFix-quarantined-files.txt 2012-11-08 22:00
.
Pre-Run: 18,413,350,912 bytes free
Post-Run: 18,361,311,232 bytes free
.
- - End Of File - - 6414B310FC5301BC6B96C95FBABFFA3C

#12 oxblood

oxblood
  • Topic Starter

  • Members
  • 181 posts
  • Local time:04:24 AM

Posted 09 November 2012 - 06:38 PM

Clairvoyant - Are you out there?

OB

#13 Clairvoyant

Clairvoyant

  • Malware Response Team
  • 1,482 posts
  • OFFLINE
  • Gender:Male
  • Location:somewhere in time
  • Local time:10:24 AM

Posted 09 November 2012 - 06:53 PM

Hi oxblood,

Sorry for the delay, but because I'm a trainee my replies need to be checked by an instructor first. Your topic will not be overlooked.
You have posted the right log; my next reply will come ASAP. :)

Thanks for your patience.


Regards

#14 oxblood

oxblood
  • Topic Starter

  • Members
  • 181 posts
  • OFFLINE
  • Local time:04:24 AM

Posted 09 November 2012 - 07:56 PM

Clairvoyant - Thank you very much for your kind attention & quick reply. As this is my third attempt to post a cogent response, please bear with me! I hope the ComboFix log was sufficient for your and your supervisor's perusal & determination. I hope I can be advised as to how to check our individual posts within our thread without scrolling through each additional post (time consuming).

Bless You.

Oxblood

#15 Clairvoyant

Clairvoyant

  • Malware Response Team
  • 1,482 posts
  • OFFLINE
  • Gender:Male
  • Location:somewhere in time
  • Local time:10:24 AM

Posted 10 November 2012 - 12:47 PM

Hello oxblood :)

From your clean computer please download AdwCleaner, MBAM and MBAMrules, then copy them onto a USB drive.

Then

  • On your clean computer open notepad
  • Copy these instructions

    DDS:
    uInternet Settings,ProxyOverride = 127.0.0.1:9421;<local>
    StartupFolder: c:\docume~1\elvis\startm~1\programs\startup\ctfmon.lnk - c:\qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\lsass.exe.vir
    
    Regnull:: 
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\SERVICES\mirror\***ublicRestricted1*MK*(]
    
    FileLook:: 
    c:\program files\dgt.exe
    c:\program files\UNWISE.EXE
  • Paste them into the notepad file
  • Save the file as CFScript.txt and close it
  • Copy CFScript.txt onto your USB drive
Now please boot your sick computer in Normal Mode, plug the USB drive into it and copy the AdwCleaner, MBAM, MBAMrules and CFScript files onto your desktop, then

1- Run ComboFix
  • Run ComboFix by dragging and dropping the new CFScript file onto the ComboFix icon, as you have already done the last time
  • When ComboFix asks to install the Recovery Console, click on the No button to start the scan
  • During the scan leave your sick computer alone and do not mouse-click ComboFix's window, as it may cause it to stall
  • If ComboFix asks to restart your computer, allow it to do so
  • When finished, it will produce and display a report. Close it.
2- Run AdwCleaner
  • Close all open programs and internet browsers
  • Double click on AdwCleaner icon to run the tool
  • Click on Delete
  • Confirm each time with Ok
  • You will be prompted to restart your computer. A text file will open after the restart
  • Close it and quit AdwCleaner
3- Run MBAM
  • Double-click on the MBAM file to install it
  • When the installation begins, follow the prompts and do not make any changes to default settings
  • When the installation process finishes, close MBAM
  • Double-click on the MBAMrules file and follow the prompts
  • Once MBAMrules has finished, close it
  • Double-click on the MBAM icon to start the program
  • Under the Scanner tab select Perform Full Scan
  • Click on the Scan button
  • When the scan is complete, click OK, then click the Show Results button to see a list of any malware that was found
  • Make sure that everything is checked and then click Remove Selected
  • If MBAM asks to restart your computer, allow it to do so
  • When removal is completed, a log report will open in Notepad. Save it on your desktop
  • Exit Malwarebytes when done
From your clean computer please copy and paste in your next reply the log contents of:

ComboFix => it is C:\ComboFix.txt
AdwCleaner => it is C:\AdwCleaner[S1].txt
MBAM => it is mbam-log-2012-11-date. Be sure to post the complete log to include the top portion which shows the database version and your operating system.


Regards
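An added triage example, not part of this thread, of ComboFix, or of any tool the helper uses: it parses ComboFix-style report lines in the format posted above and flags the two items the CFScript targets (a loopback host:port in the ProxyOverride bypass list, and a startup shortcut whose target carries a system-process name outside the Windows directory or is a quarantined .vir file). The sample lines are constructed, and the system-name list and the `<local>` default are this example's assumptions.

```python
import re
# Constructed sample lines in ComboFix report style, modelled on the format
# of the log posted in this thread (hypothetical values, not a real report).
SAMPLE_LOG = r"""
uInternet Settings,ProxyOverride = 127.0.0.1:9421;<local>
StartupFolder: c:\docume~1\elvis\startm~1\programs\startup\ctfmon.lnk - c:\qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\lsass.exe.vir
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\reader.lnk - c:\program files\Adobe\Reader\reader_sl.exe
"""

# Assumption: system-process names malware likes to borrow; outside c:\windows they deserve a look.
SYSTEM_NAMES = {"lsass.exe", "csrss.exe", "svchost.exe", "winlogon.exe", "ctfmon.exe"}
WINDOWS_DIR = "c:\\windows\\"
STARTUP_RE = re.compile(r"^StartupFolder:\s+(?P<lnk>.+?\.lnk)\s+-\s+(?P<target>.+)$", re.I)
PROXY_RE = re.compile(r"^uInternet Settings,ProxyOverride\s*=\s*(?P<value>.+)$", re.I)
LOOPBACK_RE = re.compile(r"^(127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost)(:\d+)?$", re.I)

def check_startup(target):
    """Return reasons a startup-shortcut target looks wrong (empty list if none)."""
    reasons = []
    t = target.strip().lower()
    base = t.rsplit("\\", 1)[-1]
    quarantined = base.endswith(".vir")  # ComboFix renames quarantined files to *.vir
    name = base[:-4] if quarantined else base
    if name in SYSTEM_NAMES and not t.startswith(WINDOWS_DIR):
        reasons.append(f"system-process name {name!r} outside {WINDOWS_DIR}")
    if quarantined:
        reasons.append("shortcut still points at a quarantined (.vir) file")
    return reasons

def check_proxy_override(value):
    """Return loopback host:port entries in the ProxyOverride bypass list
    (assumption: an untouched Windows install carries only '<local>' here)."""
    entries = [e.strip() for e in value.split(";") if e.strip()]
    return [e for e in entries if LOOPBACK_RE.match(e)]

def triage(log_text):
    """Walk ComboFix-style lines and collect (kind, item, reasons) findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := STARTUP_RE.match(line):
            if reasons := check_startup(m["target"]):
                findings.append(("startup", m["lnk"], reasons))
        elif m := PROXY_RE.match(line):
            if odd := check_proxy_override(m["value"]):
                findings.append(("proxy_override", m["value"].strip(), odd))
    return findings

if __name__ == "__main__":
    for kind, item, reasons in triage(SAMPLE_LOG):
        print(kind, item, "->", "; ".join(reasons))
```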



