Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

SearchProtection.exe pop-up, Cmd pop-up, and Win32.downloader.gen malware


  • This topic is locked This topic is locked
44 replies to this topic

#1 fixcompsafe

fixcompsafe

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:07:59 AM

Posted 24 July 2013 - 09:27 PM

Hi all. Since yesterday all my browsers have been loading very slowly. I ran Spybot and it found
the  win32.downloader.gen malware and Spybot removed it but was not able to remove SelectionLinks registry keys. After a computer restart, all of my desktop programs, task bar, start menu were not there. Only my wallpaper was visible. And then out of nowhere  the cmd box popped up a few times.  So I restarted again and this time everything was back but the cmd popped up again and my shortcuts from the task bar disappeared. I then ran SuperantiSpyware which found nothing. While Malwarebytes was scanning I got another pop-up which said "SearchProtection.exe - Fatal Application Exit" and under it "Unhandled Exception! Please report the log file: C:\ documents and Settiongs\ All Users\ Application Date\ SearchProtection\log1.txt".


(Just an fyi I have  AVG, Spybot  Search and Destroy, SuperAntiSpyware, Ad-Aware Antivirus,
Malwarebites Anti-Malware. I don't know if having all these will cause conflict. Let me know if I
should uninstall or disable any of these softwares.)

And please recommend me a better firewall than the default Windows XP one. Thanks in advance.

 

 

 

 

 

 

 

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Account at 19:09:28 on 2013-07-24
#Option MBR scan  is disabled.
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1022.315 [GMT -4:00]
.
AV: PC Cleaner Pro *Disabled/Updated* {737A8864-C2D9-4337-B49A-B5E35815B9BB}
AV: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Aware *Disabled/Updated* {964FCE60-0B18-4D30-ADD6-EB178909041C}
FW: AVG Internet Security 2013 *Enabled*
FW: Lavasoft Ad-Aware *Disabled*
FW: AVG Firewall *Disabled*
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Ad-Aware Antivirus\AdAwareService.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe
C:\Documents and Settings\All Users\Application Data\Search Protection\SearchProtection.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Sama\Local Settings\Apps\F.lux\flux.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://securedsearch2.lavasoft.com/index.php?pr=vmn&id=adawaretb&v=3_1&ent=hp&u=861F09909F9CA521166E6E51EFEA9765
uURLSearchHooks: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - <orphaned>
uURLSearchHooks: Ad-Aware Security Add-on: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Canon Easy-WebPrint EX BHO: {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
BHO: Ad-Aware Security Add-on: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
TB: Canon Easy-WebPrint EX: {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: Canon Easy-WebPrint EX: {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: Ad-Aware Security Add-on: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
EB: Canon Easy-WebPrint EX: {21347690-EC41-4F9A-8887-1F4AEE672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [F.lux] "c:\documents and settings\sama\local settings\apps\f.lux\flux.exe" /noshow
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [VX1000] c:\windows\vVX1000.exe
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [AVG_UI] "c:\program files\avg\avg2013\avgui.exe" /TRAYONLY
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Ad-Aware Browsing Protection] "c:\documents and settings\all users\application data\ad-aware browsing protection\adawarebp.exe"
mRun: [Search Protection] c:\documents and settings\all users\application data\search protection\SearchProtection.exe
mRun: [Ad-Aware Antivirus] "c:\program files\ad-aware antivirus\AdAwareLauncher" --windows-run
uPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1323900258406
TCP: NameServer = 167.206.254.1 167.206.254.2
TCP: Interfaces\{7A57D42E-3592-4DBB-8EB7-AD0D427D35FE} : DHCPNameServer = 167.206.254.1 167.206.254.2
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - <orphaned>
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\sama\application data\mozilla\firefox\profiles\ugdtyl2h.default-1374698606859\
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_8_800_94.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - ExtSQL: 2013-07-24 16:47; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\documents and settings\sama\application data\mozilla\firefox\profiles\ugdtyl2h.default-1374698606859\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2013-07-24 16:57; {d40f5e7b-d2cf-4856-b441-cc613eeffbe3}; c:\documents and settings\sama\application data\mozilla\firefox\profiles\ugdtyl2h.default-1374698606859\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}.xpi
FF - ExtSQL: 2013-07-24 16:57; {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}; c:\documents and settings\sama\application data\mozilla\firefox\profiles\ugdtyl2h.default-1374698606859\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - ExtSQL: 2013-07-24 16:57; {45d8ff86-d909-11db-9705-005056c00008}; c:\documents and settings\sama\application data\mozilla\firefox\profiles\ugdtyl2h.default-1374698606859\extensions\{45d8ff86-d909-11db-9705-005056c00008}.xpi
FF - ExtSQL: 2013-07-24 16:57; {1018e4d6-728f-4b20-ad56-37578a4de76b}; c:\documents and settings\sama\application data\mozilla\firefox\profiles\ugdtyl2h.default-1374698606859\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}
FF - ExtSQL: 2013-07-24 16:57; [email protected]; c:\documents and settings\sama\application data\mozilla\firefox\profiles\ugdtyl2h.default-1374698606859\extensions\[email protected]
FF - ExtSQL: 2013-07-24 16:58; [email protected]; c:\documents and settings\sama\application data\mozilla\firefox\profiles\ugdtyl2h.default-1374698606859\extensions\[email protected]
FF - ExtSQL: 2013-07-24 17:09; {b9db16a4-6edc-47ec-a1f4-b86292ed211d}; c:\documents and settings\sama\application data\mozilla\firefox\profiles\ugdtyl2h.default-1374698606859\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - ExtSQL: 2013-07-24 17:09; {73a6fe31-595d-460b-a920-fcc0f8843232}; c:\documents and settings\sama\application data\mozilla\firefox\profiles\ugdtyl2h.default-1374698606859\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
FF - ExtSQL: 2013-07-24 17:13; [email protected]; c:\documents and settings\sama\application data\mozilla\firefox\profiles\ugdtyl2h.default-1374698606859\extensions\[email protected]
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-10-15 60216]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2012-9-21 245048]
R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2012-10-5 96568]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2012-9-14 39224]
R0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2013-7-24 13560]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2012-10-22 208184]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2012-9-21 22328]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2012-10-2 170808]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2012-9-21 182072]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2013-5-23 119056]
R2 Ad-Aware Service;Ad-Aware Service;c:\program files\ad-aware antivirus\AdAwareService.exe [2013-6-13 1236336]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2013\avgidsagent.exe [2013-5-14 4937264]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2013\avgwdsvc.exe [2013-4-18 283136]
S0 cerc6;cerc6; [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-7-23 418376]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-7-23 701512]
S2 SBAMSvc;Ad-Aware;c:\program files\ad-aware antivirus\SBAMSvc.exe [2012-9-20 3677000]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2011-6-13 267568]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-7-23 22856]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [2012-8-16 13024]
.
=============== Created Last 30 ================
.
2013-07-24 22:07:31    --------    d-----w-    c:\documents and settings\sama\application data\SUPERAntiSpyware.com
2013-07-24 22:07:13    --------    d-----w-    c:\program files\SUPERAntiSpyware
2013-07-24 22:07:13    --------    d-----w-    c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2013-07-24 20:06:45    --------    d-----w-    c:\program files\Spybot - Search & Destroy
2013-07-24 20:06:45    --------    d-----w-    c:\documents and settings\all users\application data\Spybot - Search & Destroy
2013-07-24 18:38:11    --------    d-----w-    c:\documents and settings\all users\application data\Malwarebytes' Anti-Malware (portable)
2013-07-24 15:03:18    --------    d-----w-    c:\documents and settings\sama\application data\LavasoftStatistics
2013-07-24 15:00:10    --------    d-----w-    c:\documents and settings\all users\application data\Ad-Aware Antivirus
2013-07-24 14:55:56    --------    d-----w-    c:\program files\Ad-Aware Antivirus
2013-07-24 14:55:14    --------    d-----w-    c:\documents and settings\all users\application data\Downloaded Installations
2013-07-24 14:55:11    --------    d-----w-    c:\documents and settings\sama\local settings\application data\adawarebp
2013-07-24 14:55:11    --------    d-----w-    c:\documents and settings\all users\application data\Search Protection
2013-07-24 14:55:10    --------    d-----w-    c:\documents and settings\all users\application data\blekko toolbars
2013-07-24 14:55:09    --------    d-----w-    c:\documents and settings\all users\application data\Ad-Aware Browsing Protection
2013-07-24 14:55:01    --------    d-----w-    c:\program files\Toolbar Cleaner
2013-07-24 14:54:17    --------    d-----w-    c:\documents and settings\sama\application data\adawaretb
2013-07-24 14:54:16    --------    d-----w-    c:\program files\adawaretb
2013-07-24 14:52:38    44424    ----a-w-    c:\windows\system32\sbbd.exe
2013-07-24 14:52:38    13560    ----a-w-    c:\windows\system32\drivers\gfibto.sys
2013-07-24 14:52:33    --------    d-----w-    c:\documents and settings\sama\application data\Ad-Aware Antivirus
2013-07-24 03:30:19    --------    d-----w-    c:\documents and settings\sama\application data\Malwarebytes
2013-07-24 03:29:41    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-07-24 03:29:41    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
.
==================== Find3M  ====================
.
2013-07-24 03:26:56    692104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-07-24 03:26:55    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-08 03:55:44    385024    ------w-    c:\windows\system32\html.iec
2013-06-07 21:56:06    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-06-07 21:56:06    43520    ------w-    c:\windows\system32\licmgr10.dll
2013-06-07 21:56:05    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-06-04 07:23:02    562688    ----a-w-    c:\windows\system32\qedit.dll
2013-06-04 01:40:45    1876736    ----a-w-    c:\windows\system32\win32k.sys
2013-05-09 04:28:02    1543680    ------w-    c:\windows\system32\wmvdecod.dll
2013-05-03 01:26:26    2193536    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38:18    2070144    ----a-w-    c:\windows\system32\ntkrnlpa.exe
.
============= FINISH: 19:09:49.29 ===============
 

Attached Files


Edited by fixcompsafe, 24 July 2013 - 09:33 PM.


BC AdBot (Login to Remove)

 


#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 5,614 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:12:59 PM

Posted 25 July 2013 - 06:57 AM

Hi there,
my name is Marius and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are follow my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

 

 

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 fixcompsafe

fixcompsafe
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:07:59 AM

Posted 25 July 2013 - 08:04 AM

Hi TB-Psychotic. Thank you so much for the prompt reply!

 

Before I proceed I want to let you know that before your reply to my topic I downloaded additional protection softwares: Keyscrambler, SpyShelter Personal, and did a Malwarebytes Rootkit scan which found nsb14.tmp\nsProcess.dll (Trojan.FakeAlert) and did a cleanup. Should I post updated dds and attach files?

 

And when you say "Close all other running programs as well as your Browser.", do I have to also disable and close processes running in the background like f.lux.exe, Keyscrambler.exe, SpyShelter.exe, avgemcx.exe, SASCore.exe?



#4 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 5,614 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:12:59 PM

Posted 25 July 2013 - 08:13 AM

Skip Gmer - post up the logfile of Malwarebytes Antirootkit


Edited by TB-Psychotic, 25 July 2013 - 08:13 AM.

Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#5 fixcompsafe

fixcompsafe
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:07:59 AM

Posted 25 July 2013 - 08:22 AM

Malwarebytes Anti-Rootkit BETA 1.06.0.1004
www.malwarebytes.org

Database version: v2013.07.25.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Account :: D1100 [administrator]

7/25/2013 1:43:57 AM
mbar-log-2013-07-25 (01-43-57).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: PUP
Objects scanned: 261852
Time elapsed: 1 hour(s), 51 minute(s), 46 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
c:\Documents and Settings\Account\Local Settings\Temp\nsb14.tmp\nsProcess.dll (Trojan.FakeAlert) -> Delete on reboot.

Physical Sectors Detected: 0
(No malicious items detected)

(end)
 



#6 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 5,614 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:12:59 PM

Posted 25 July 2013 - 08:32 AM

Combofix

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications


====================================================


Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


RC_update.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


cfRC_screen_2.png


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#7 fixcompsafe

fixcompsafe
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:07:59 AM

Posted 25 July 2013 - 10:38 AM

ComboFix 13-07-24.03 - Account 07/25/2013  11:18:40.2.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1022.690 [GMT -4:00]
Running from: c:\documents and settings\Sama\Desktop\ComboFix.exe
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
FW: AVG Internet Security 2013 *Enabled* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
C:\install.exe
c:\windows\system32\Cache
c:\windows\system32\Cache\049d48bf4d8b30f2.fb
c:\windows\system32\Cache\083332b34f04fefe.fb
c:\windows\system32\Cache\1431043590fc3b52.fb
c:\windows\system32\Cache\15fb190aec40df78.fb
c:\windows\system32\Cache\2314e1ec8d4eaebd.fb
c:\windows\system32\Cache\268f5511ffb99873.fb
c:\windows\system32\Cache\26c630d098e22dd5.fb
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\2c53092c95605355.fb
c:\windows\system32\Cache\31a0997e9a5b5eb3.fb
c:\windows\system32\Cache\32c84fe32bb74d60.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\425fbb50bee0f454.fb
c:\windows\system32\Cache\4d4759793e4ac406.fb
c:\windows\system32\Cache\576cba7f036f9046.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\6d03dad1035885d3.fb
c:\windows\system32\Cache\95f567698be8a182.fb
c:\windows\system32\Cache\a8556537add6dfc5.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\c1fa887b03019701.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\e0de16f883bea794.fb
c:\windows\system32\Cache\f80f6e91c42885fb.fb
c:\windows\system32\Cache\f998975c9cc711ee.fb
c:\windows\system32\Cache\fd05a99678b22d9a.fb
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-25 to 2013-07-25  )))))))))))))))))))))))))))))))
.
.
2013-07-25 13:53 . 2013-07-25 13:53    --------    d-----w-    c:\documents and settings\Sama\Application Data\TuneUp Software
2013-07-25 05:21 . 2013-05-23 01:03    33080    ----a-w-    c:\windows\system32\SpyShelterShellExt.dll
2013-07-25 05:21 . 2012-10-22 23:21    54784    ----a-w-    c:\windows\system32\inject_logon_dll.dll
2013-07-25 05:21 . 2012-10-22 23:21    1740800    ----a-w-    c:\windows\system32\Osklauncher.exe
2013-07-25 05:21 . 2013-07-25 05:37    --------    d-----w-    c:\documents and settings\Sama\Application Data\SpyShelter
2013-07-25 05:21 . 2013-07-25 05:21    --------    d-----w-    c:\program files\SpyShelter Personal Free
2013-07-25 05:20 . 2013-05-31 14:53    209016    ----a-w-    c:\windows\system32\drivers\keyscrambler.sys
2013-07-25 05:20 . 2013-07-25 05:20    --------    d-----w-    c:\program files\KeyScrambler
2013-07-25 04:54 . 2013-07-25 04:54    --------    d-----w-    c:\documents and settings\Sama\Application Data\LavasoftStatistics
2013-07-25 04:53 . 2013-07-25 04:53    --------    d-----w-    c:\documents and settings\Sama\Application Data\QFX Software
2013-07-25 04:53 . 2013-07-25 04:53    --------    d-----w-    c:\documents and settings\All Users\Application Data\QFX Software
2013-07-25 04:52 . 2013-07-25 04:52    --------    d-----w-    c:\documents and settings\All Users\Application Data\blekko toolbars
2013-07-25 04:52 . 2013-07-25 04:52    --------    d-----w-    c:\program files\adawaretb
2013-07-25 04:52 . 2013-07-25 04:52    --------    d-----w-    c:\documents and settings\Sama\Application Data\adawaretb
2013-07-25 04:52 . 2013-07-25 04:52    --------    d-----w-    c:\program files\Toolbar Cleaner
2013-07-25 04:41 . 2013-07-25 04:41    --------    d-----w-    c:\documents and settings\All Users\Application Data\Licenses
2013-07-25 04:07 . 2013-07-25 04:07    1060864    ----a-w-    c:\windows\system32\mfc71.dll
2013-07-25 04:07 . 2013-07-25 04:07    1700352    ----a-w-    c:\windows\system32\gdiplus.dll
2013-07-25 04:05 . 2013-07-25 04:40    --------    d-----w-    c:\documents and settings\All Users\Application Data\COMODO
2013-07-24 20:06 . 2013-07-24 20:26    --------    d-----w-    c:\documents and settings\All Users\Application Data\Spybot - Search &amp;amp; Destroy
2013-07-24 20:06 . 2013-07-24 20:10    --------    d-----w-    c:\program files\Spybot - Search &amp;amp; Destroy
2013-07-24 14:55 . 2013-07-24 14:55    --------    d-----w-    c:\documents and settings\All Users\Application Data\Downloaded Installations
2013-07-24 14:52 . 2013-07-25 05:04    44424    ----a-w-    c:\windows\system32\sbbd.exe
2013-07-24 14:52 . 2013-07-25 05:04    13560    ----a-w-    c:\windows\system32\drivers\gfibto.sys
2013-07-24 03:30 . 2013-07-24 03:30    --------    d-----w-    c:\documents and settings\Sama\Application Data\Malwarebytes
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-24 03:26 . 2012-04-03 14:14    692104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-07-24 03:26 . 2011-12-16 17:47    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-08 03:55 . 2008-04-14 12:00    385024    ------w-    c:\windows\system32\html.iec
2013-06-07 21:56 . 2008-04-14 12:00    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-06-07 21:56 . 2008-04-14 12:00    43520    ------w-    c:\windows\system32\licmgr10.dll
2013-06-07 21:56 . 2008-04-14 12:00    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-06-04 07:23 . 2008-04-14 12:00    562688    ----a-w-    c:\windows\system32\qedit.dll
2013-06-04 01:40 . 2008-04-14 12:00    1876736    ----a-w-    c:\windows\system32\win32k.sys
2013-05-09 04:28 . 2006-10-19 02:47    1543680    ------w-    c:\windows\system32\wmvdecod.dll
2013-05-03 01:26 . 2008-04-14 12:00    2193536    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38 . 2008-04-14 00:01    2070144    ----a-w-    c:\windows\system32\ntkrnlpa.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries &amp;amp; legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"F.lux"="c:\documents and settings\Sama\Local Settings\Apps\F.lux\flux.exe" [2009-08-29 966656]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"VX1000"="c:\windows\vVX1000.exe" [2009-06-26 757248]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-11-02 2508104]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"KeyScrambler"="c:\program files\KeyScrambler\keyscrambler.exe" [2013-07-14 508048]
"SpyShelter"="c:\program files\SpyShelter Personal Free\SpyShelter.exe" [2013-07-08 4047160]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
.
R0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [7/24/2013 10:52 AM 13560]
R1 Spyshelter;Spyshelter;c:\program files\SpyShelter Personal Free\SpyShelter.sys [7/25/2013 1:21 AM 354104]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [7/25/2013 1:20 AM 209016]
S0 cerc6;cerc6; [x]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [6/13/2011 10:09 PM 267568]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [8/16/2012 12:35 PM 13024]
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 03:26]
.
2013-07-25 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2012-01-30 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://securedsearch2.lavasoft.com/index.php?pr=vmn&amp;amp;id=adawaretb&amp;amp;v=3_1&amp;amp;ent=hp&amp;amp;u=861F09909F9CA521166E6E51EFEA9765
IE: E&amp;amp;xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 167.206.254.1 167.206.254.2
FF - ProfilePath - c:\documents and settings\Sama\Application Data\Mozilla\Firefox\Profiles\ugdtyl2h.default-1374698606859\
FF - ExtSQL: 2013-07-24 16:47; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\documents and settings\Sama\Application Data\Mozilla\Firefox\Profiles\ugdtyl2h.default-1374698606859\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2013-07-24 16:57; {d40f5e7b-d2cf-4856-b441-cc613eeffbe3}; c:\documents and settings\Sama\Application Data\Mozilla\Firefox\Profiles\ugdtyl2h.default-1374698606859\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}.xpi
FF - ExtSQL: 2013-07-24 16:57; {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}; c:\documents and settings\Sama\Application Data\Mozilla\Firefox\Profiles\ugdtyl2h.default-1374698606859\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - ExtSQL: 2013-07-24 16:57; {45d8ff86-d909-11db-9705-005056c00008}; c:\documents and settings\Sama\Application Data\Mozilla\Firefox\Profiles\ugdtyl2h.default-1374698606859\extensions\{45d8ff86-d909-11db-9705-005056c00008}.xpi
FF - ExtSQL: 2013-07-24 16:57; {1018e4d6-728f-4b20-ad56-37578a4de76b}; c:\documents and settings\Sama\Application Data\Mozilla\Firefox\Profiles\ugdtyl2h.default-1374698606859\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}
FF - ExtSQL: 2013-07-24 16:57; [email protected]; c:\documents and settings\Sama\Application Data\Mozilla\Firefox\Profiles\ugdtyl2h.default-1374698606859\extensions\[email protected]
FF - ExtSQL: 2013-07-24 16:58; [email protected]; c:\documents and settings\Sama\Application Data\Mozilla\Firefox\Profiles\ugdtyl2h.default-1374698606859\extensions\[email protected]
FF - ExtSQL: 2013-07-24 17:09; {b9db16a4-6edc-47ec-a1f4-b86292ed211d}; c:\documents and settings\Sama\Application Data\Mozilla\Firefox\Profiles\ugdtyl2h.default-1374698606859\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - ExtSQL: 2013-07-24 17:09; {73a6fe31-595d-460b-a920-fcc0f8843232}; c:\documents and settings\Sama\Application Data\Mozilla\Firefox\Profiles\ugdtyl2h.default-1374698606859\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
FF - ExtSQL: 2013-07-24 17:13; [email protected]; c:\documents and settings\Sama\Application Data\Mozilla\Firefox\Profiles\ugdtyl2h.default-1374698606859\extensions\[email protected]
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{6c97a91e-4524-4019-86af-2aa2d567bf5c} - (no file)
HKLM-Run-Search Protection - c:\documents and settings\All Users\Application Data\Search Protection\SearchProtection.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-07-25 11:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
c:\combofix\Catchme.tmp [24484] 0x85318020
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
Completion time: 2013-07-25  11:31:43
ComboFix-quarantined-files.txt  2013-07-25 15:31
.
Pre-Run: 12,155,928,576 bytes free
Post-Run: 12,354,953,216 bytes free
.
- - End Of File - - EF1715AE7F54B8548198A1B65272EFCA
8F558EB6672622401DA993E1E865C861
 


Edited by fixcompsafe, 25 July 2013 - 12:38 PM.


#8 fixcompsafe

fixcompsafe
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:07:59 AM

Posted 25 July 2013 - 10:52 PM

ComboFix really messed up my computer and made me lose my volume control and sound. So I did a system restore  to a point from March and my computer's volume control was back but my browsers are still being slow.  Should I close this thread and make a new one? I'm still afraid I have spyware/adware/malware, or maybe even rootkits.



#9 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 5,614 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:12:59 PM

Posted 26 July 2013 - 01:05 AM

Of course your browsers are slow - why do you restore your system without giving me the chance to solve that issue?

Now we can start again.

 

 

Scan with DDS

Download DDS and save it to your desktop from here or here or
here.

Disable any script blocker, and then double click dds.scr to run the tool.

When done, DDS will open two (2) logs

DDS.txt: save to your desktop then post its contents in your topic
Attach.txt: save to your desktop then attach it to your next reply

 

 

 

Scan with Malwarebytes Anti-Rootkit

Please download Malwarebytes Anti-Rootkit from here Malwarebytes : Malwarebytes Anti-Rootkit and save it to your desktop.

Be sure to print out and follow the instructions provided on that same page.

Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.

  • Double click the mbar.zip file to open it, then 'Extract all files'.
  • Double click the mbar folder to open it, then double click mbar.exe to start the tool.

Check for Updates, then Scan your system for malware

If malware is found, do NOT press the Cleanup button yet. Click EXIT.

I'd like to see the log first so I can see what it sees. You'll find the log in that mbar folder as MBAR-log-[date and time]***.txt . Please attach that to your next reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#10 fixcompsafe

fixcompsafe
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:07:59 AM

Posted 26 July 2013 - 12:34 PM

I kind of panicked when I lost my sound. Sorry for doing the system restore without consulting you first. .

 

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Sama at 11:24:50 on 2013-07-26
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1022.491 [GMT -4:00]
.
AV: PC Cleaner Pro *Disabled/Updated* {737A8864-C2D9-4337-B49A-B5E35815B9BB}
FW: AVG Firewall *Disabled*
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Sama\Local Settings\Apps\F.lux\flux.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uURLSearchHooks: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - <orphaned>
uURLSearchHooks: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - <orphaned>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Canon Easy-WebPrint EX BHO: {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
TB: Canon Easy-WebPrint EX: {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: Canon Easy-WebPrint EX: {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
EB: Canon Easy-WebPrint EX: {21347690-EC41-4F9A-8887-1F4AEE672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [F.lux] "c:\documents and settings\sama\local settings\apps\f.lux\flux.exe" /noshow
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [VX1000] c:\windows\vVX1000.exe
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SDTray] "c:\program files\spybot - search & destroy 2\SDTray.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1323900258406
TCP: NameServer = 167.206.254.1 167.206.254.2
TCP: Interfaces\{7A57D42E-3592-4DBB-8EB7-AD0D427D35FE} : DHCPNameServer = 167.206.254.1 167.206.254.2
Notify: igfxcui - igfxdev.dll
Notify: SDWinLogon - SDWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\sama\application data\mozilla\firefox\profiles\f6n06fej.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid={5A4D1317-D654-4E90-8508-8FF3D30234FE}&mid=9cfd93121e1547d1aa6cd15a6639eb8c-679665c9b57f99a1cbe3b1b5746f8d34d676503f&lang=en&ds=avgab0&pr=sa&d=2012-12-06 14:27:19&v=13.2.0.4&sap=ku&q=
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_8_800_94.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
.
---- FIREFOX POLICIES ----
user_pref('extensions.autoDisableScopes', 0);user_pref('security.csp.enable', false);user_pref('security.OCSP.enabled', 0);
============= SERVICES / DRIVERS ===============
.
R0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2013-7-25 13560]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\spybot - search & destroy 2\SDFSSvc.exe [2013-7-25 1817560]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\spybot - search & destroy 2\SDUpdSvc.exe [2013-7-25 1033688]
S0 cerc6;cerc6; [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-7-25 418376]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-7-25 701512]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\spybot - search & destroy 2\SDWSCSvc.exe [2013-7-25 171928]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2011-6-13 267568]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-7-25 22856]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [2012-8-16 13024]
.
=============== Created Last 30 ================
.
2013-07-26 15:18:53    --------    d-----w-    c:\documents and settings\sama\local settings\application data\Avg2013
2013-07-26 03:34:36    --------    d-----w-    c:\documents and settings\sama\application data\Malwarebytes
2013-07-26 03:34:21    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-07-26 03:34:21    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-07-26 03:26:27    --------    d-----w-    c:\documents and settings\sama\application data\LavasoftStatistics
2013-07-26 03:20:46    --------    d-----w-    c:\documents and settings\all users\application data\Downloaded Installations
2013-07-26 03:20:44    --------    d-----w-    c:\documents and settings\all users\application data\blekko toolbars
2013-07-26 03:20:31    --------    d-----w-    c:\program files\adawaretb
2013-07-26 03:20:31    --------    d-----w-    c:\documents and settings\sama\application data\adawaretb
2013-07-26 03:20:30    --------    d-----w-    c:\program files\Toolbar Cleaner
2013-07-26 03:18:52    13560    ----a-w-    c:\windows\system32\drivers\gfibto.sys
2013-07-26 03:18:51    44424    ----a-w-    c:\windows\system32\sbbd.exe
2013-07-26 00:16:43    15224    ----a-w-    c:\windows\system32\sdnclean.exe
2013-07-26 00:16:31    --------    d-----w-    c:\program files\Spybot - Search & Destroy 2
2013-07-25 23:54:37    --------    d-----w-    c:\documents and settings\sama\application data\TuneUp Software
2013-07-25 23:41:44    --------    d-----w-    c:\documents and settings\sama\local settings\application data\MFAData
2013-07-25 23:41:44    --------    d-----w-    c:\documents and settings\all users\application data\MFAData
2013-07-25 21:29:51    --------    d-----w-    c:\documents and settings\sama\local settings\application data\PCHealth
2013-07-25 21:25:19    --------    d-----w-    C:\c6f996a4799bdb71e872adfa300acc
2013-07-25 20:28:16    --------    d-----w-    c:\windows\system32\wbem\repository\FS
2013-07-25 20:28:16    --------    d-----w-    c:\windows\system32\wbem\Repository
2013-07-25 20:16:48    --------    d-----w-    c:\documents and settings\sama\local settings\application data\Sun
2013-07-25 20:16:41    --------    d-----w-    c:\program files\Jyotish Tools
2013-07-25 20:13:42    --------    d-----w-    c:\windows\system32\cache
2013-07-25 19:47:07    --------    d-----w-    c:\program files\Microsoft(2).NET
2013-07-25 19:44:40    771424    ----a-w-    c:\windows\system32\TBD101.tmp
2013-07-25 19:43:33    --------    d-----w-    C:\e9528cba87a374aa7902
2013-07-25 18:00:25    --------    d-----w-    c:\documents and settings\all users\application data\AVAST Software
2013-07-25 17:09:22    --------    d-----w-    C:\RECYCLER(2)
2013-07-25 16:46:51    --------    d-----w-    c:\windows\system32\ReinstallBackups
2013-07-25 15:17:03    --------    d-----w-    C:\ComboFix(2)
2013-07-25 14:09:02    --------    d-----w-    C:\cmdcons
2013-07-25 13:35:31    --------    d-----w-    c:\windows\pss
2013-07-25 04:52:29    --------    d-----w-    c:\documents and settings\all users\application data\blekko toolbars(2)
2013-07-24 20:06:45    --------    d-----w-    c:\documents and settings\all users\application data\Spybot - Search & Destroy
.
==================== Find3M  ====================
.
2013-07-25 21:48:10    692104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-07-25 21:48:09    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-08 03:55:44    385024    ------w-    c:\windows\system32\html.iec
2013-06-07 21:56:06    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-06-07 21:56:06    43520    ------w-    c:\windows\system32\licmgr10.dll
2013-06-07 21:56:05    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-06-07 21:56:05    11112960    ----a-w-    c:\windows\system32\ieframe(2).dll
2013-06-04 07:23:02    562688    ----a-w-    c:\windows\system32\qedit.dll
2013-06-04 01:40:45    1876736    ----a-w-    c:\windows\system32\win32k.sys
2013-05-09 04:28:02    1543680    ------w-    c:\windows\system32\wmvdecod.dll
2013-05-07 22:30:06    920064    ----a-w-    c:\windows\system32\wininet(3).dll
2013-05-07 22:30:06    1215488    ----a-w-    c:\windows\system32\urlmon(3).dll
2013-05-07 22:30:05    105984    ----a-w-    c:\windows\system32\url(3).dll
2013-05-03 01:26:26    2193536    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38:18    2070144    ----a-w-    c:\windows\system32\ntkrnlpa.exe
.
============= FINISH: 11:26:02.62 ===============
 

 

Attached Files



#11 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 5,614 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:12:59 PM

Posted 27 July 2013 - 07:57 AM

Run Combofix - If your sound disappears or aliens make a landing next to your computer, don´t panic!

 

Combofix

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications


====================================================


Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


RC_update.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


cfRC_screen_2.png


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#12 fixcompsafe

fixcompsafe
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:07:59 AM

Posted 27 July 2013 - 09:03 AM

Lol thankfully there was no volume control loss or alien landing this time.

 

ComboFix was saved inside a folder on my desktop. Is it a problem that ComboFix was not saved directly on the desktop? Just want to make sure.

 

 

 

 

 

 

 

 

ComboFix 13-07-25.02 - Sama 07/27/2013   9:22.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1022.542 [GMT -4:00]
Running from: c:\documents and settings\Sama\Desktop\Folder1\ComboFix.exe
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
C:\install.exe
C:\RECYCLER(2)
c:\recycler(2)\S-1-5-21-854245398-492894223-1801674531-1003(2)\INFO2
c:\windows\system32\Cache
c:\windows\system32\TBD101.tmp
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-27 to 2013-07-27  )))))))))))))))))))))))))))))))
.
.
2013-07-27 13:14 . 2013-07-27 13:14    40776    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2013-07-27 13:09 . 2013-07-27 13:10    --------    d-----w-    c:\documents and settings\Sama\Local Settings\Application Data\Avg2013
2013-07-27 13:07 . 2013-07-27 13:07    --------    d-----w-    c:\documents and settings\Sama\Application Data\TuneUp Software
2013-07-26 15:37 . 2013-07-26 17:26    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-07-26 03:34 . 2013-07-26 03:34    --------    d-----w-    c:\documents and settings\Sama\Application Data\Malwarebytes
2013-07-26 03:34 . 2013-07-26 03:34    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-07-26 03:34 . 2013-04-04 18:50    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-07-26 03:20 . 2013-07-26 03:20    --------    d-----w-    c:\documents and settings\All Users\Application Data\Downloaded Installations
2013-07-26 03:20 . 2013-07-26 03:20    --------    d-----w-    c:\documents and settings\All Users\Application Data\blekko toolbars
2013-07-26 03:18 . 2013-07-26 03:18    13560    ----a-w-    c:\windows\system32\drivers\gfibto.sys
2013-07-26 03:18 . 2013-07-26 03:18    44424    ----a-w-    c:\windows\system32\sbbd.exe
2013-07-26 00:16 . 2013-07-27 13:12    --------    d-----w-    c:\program files\Spybot - Search & Destroy 2
2013-07-25 23:41 . 2013-07-27 13:10    --------    d-----w-    c:\documents and settings\All Users\Application Data\MFAData
2013-07-25 23:41 . 2013-07-25 23:41    --------    d-----w-    c:\documents and settings\Sama\Local Settings\Application Data\MFAData
2013-07-25 21:29 . 2013-07-25 21:29    --------    d-----w-    c:\documents and settings\Sama\Local Settings\Application Data\PCHealth
2013-07-25 21:25 . 2013-07-25 21:32    --------    d-----w-    C:\c6f996a4799bdb71e872adfa300acc
2013-07-25 20:28 . 2013-07-25 20:28    --------    d-----w-    c:\windows\system32\wbem\Repository
2013-07-25 20:16 . 2013-07-25 20:16    --------    d-----w-    c:\documents and settings\Sama\Local Settings\Application Data\Sun
2013-07-25 20:16 . 2013-07-25 20:16    --------    d-----w-    c:\program files\Java
2013-07-25 19:47 . 2013-07-25 20:10    --------    d-----w-    c:\program files\Microsoft(2).NET
2013-07-25 19:43 . 2013-07-25 20:10    --------    d-----w-    C:\e9528cba87a374aa7902
2013-07-25 18:00 . 2013-07-25 18:00    --------    d-----w-    c:\documents and settings\All Users\Application Data\AVAST Software
2013-07-25 16:52 . 2013-07-25 16:52    --------    d-----w-    c:\program files\Intel
2013-07-24 20:06 . 2013-07-26 00:39    --------    d-----w-    c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-25 21:48 . 2012-04-03 14:14    692104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-07-25 21:48 . 2011-12-16 17:47    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-08 03:55 . 2008-04-14 12:00    385024    ------w-    c:\windows\system32\html.iec
2013-06-07 21:56 . 2008-04-14 12:00    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-06-07 21:56 . 2008-04-14 12:00    43520    ------w-    c:\windows\system32\licmgr10.dll
2013-06-07 21:56 . 2009-03-08 09:39    11112960    ----a-w-    c:\windows\system32\ieframe(2).dll
2013-06-07 21:56 . 2008-04-14 12:00    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-06-04 07:23 . 2008-04-14 12:00    562688    ----a-w-    c:\windows\system32\qedit.dll
2013-06-04 01:40 . 2008-04-14 12:00    1876736    ----a-w-    c:\windows\system32\win32k.sys
2013-05-09 04:28 . 2006-10-19 02:47    1543680    ------w-    c:\windows\system32\wmvdecod.dll
2013-05-07 22:30 . 2008-04-14 12:00    920064    ----a-w-    c:\windows\system32\wininet(3).dll
2013-05-07 22:30 . 2008-04-14 12:00    1215488    ----a-w-    c:\windows\system32\urlmon(3).dll
2013-05-07 22:30 . 2008-04-14 12:00    105984    ----a-w-    c:\windows\system32\url(3).dll
2013-05-03 01:26 . 2008-04-14 12:00    2193536    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38 . 2008-04-14 00:01    2070144    ----a-w-    c:\windows\system32\ntkrnlpa.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"F.lux"="c:\documents and settings\Sama\Local Settings\Apps\F.lux\flux.exe" [2009-08-29 966656]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"VX1000"="c:\windows\vVX1000.exe" [2009-06-26 757248]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-11-02 2508104]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0\0sdnclean.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
.
R0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [7/25/2013 11:18 PM 13560]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [7/27/2013 9:14 AM 40776]
S0 cerc6;cerc6; [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [7/25/2013 11:34 PM 418376]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/25/2013 11:34 PM 701512]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [6/13/2011 10:09 PM 267568]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/25/2013 11:34 PM 22856]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [8/16/2012 12:35 PM 13024]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMSWISSARMY
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 21:48]
.
2013-07-27 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2012-01-30 03:18]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = localhost:8080
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 167.206.254.1 167.206.254.2
FF - ProfilePath - c:\documents and settings\Sama\Application Data\Mozilla\Firefox\Profiles\f6n06fej.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid={5A4D1317-D654-4E90-8508-8FF3D30234FE}&mid=9cfd93121e1547d1aa6cd15a6639eb8c-679665c9b57f99a1cbe3b1b5746f8d34d676503f&lang=en&ds=avgab0&pr=sa&d=2012-12-06 14:27&v=13.2.0.4&sap=ku&q=
user_pref('extensions.autoDisableScopes', 0);user_pref('security.csp.enable', false);user_pref('security.OCSP.enabled', 0);
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
URLSearchHooks-{6c97a91e-4524-4019-86af-2aa2d567bf5c} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-07-27 09:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
Completion time: 2013-07-27  09:30:36
ComboFix-quarantined-files.txt  2013-07-27 13:30
ComboFix2.txt  2013-07-25 15:31
.
Pre-Run: 11,164,168,192 bytes free
Post-Run: 11,159,445,504 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
[spybotsd]
timeout.old=30
.
- - End Of File - - 117C8DBD843E4B9C9FBEED158CEA67A5
8F558EB6672622401DA993E1E865C861
 


Edited by fixcompsafe, 27 July 2013 - 09:18 AM.


#13 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 5,614 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:12:59 PM

Posted 29 July 2013 - 12:32 AM

Scan with ESET Online Scan

Please go to here to run the online scannner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats' , then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#14 fixcompsafe

fixcompsafe
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:07:59 AM

Posted 29 July 2013 - 11:40 AM

C:\AI_RecycleBin\{A25122F4-ECA1-4733-9756-1342EEFA97E2}\3\Strongvault\StrongVaultApp.exe    MSIL/Adware.StrongVault.A application
 



#15 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 5,614 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:12:59 PM

Posted 30 July 2013 - 02:52 AM

Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with adwCleaner


Please download AdwCleaner to your desktop.


  • Run adwcleaner.exe.
  • Hit delete.
  • When the run is finished, it will open up a text file.
  • Please post its contents within your next reply.
  • You´ll find the log file at C:\AdwCleaner[S1].txt also.


SecurityCheck

Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan finished the (checkup.txt) will open. Copy its content to your thread.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users