System Restore malware reappearing on computer after removal


24 replies to this topic

#1 cloudeleven


Posted 05 November 2011 - 12:41 AM

For a couple of months I've been having problems with malware on my computer that Malwarebytes, Hitman Pro 3.5, and every other spyware/malware and virus scan program I've tried haven't been able to remove. I might get rid of the malware for a few days, but then it reappears. In September I had a Google redirecting malware or rootkit (not sure which one exactly, possibly Alureon, TDL3, or TDSS), but I thought I had gotten rid of that. Five days ago, the System Restore malware suddenly appeared on my computer. I tried the Bleeping Computer instructions here to remove it:

http://www.bleepingcomputer.com/virus-removal/remove-system-restore

including running the program to remove Google-redirecting malware (TDSSKiller), and System Restore was removed for a few days. But now System Restore has reappeared on my computer, and I'm not sure how to completely get rid of this malware so it won't reappear.

I don't have any Google-redirecting problems; I haven't had that problem in over a month.

Also, I'm not sure GMER was able to scan to completion, because after it had been scanning a few hours a pop-up box appeared in GMER that said rootkit activity had been detected, and the GMER scan stopped. I was still able to save my GMER text file.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_16
Run by Justin Carroll at 13:43:41 on 2011-11-03
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1526.845 [GMT -5:00]
.
FW: ZoneAlarm Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Replay Media Catcher\FLVSrvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\GammaAdjuster\GammaAdjuster.exe
C:\Documents and Settings\All Users\Application Data\KpLRDMpSNRdCe.exe
C:\Program Files\ScreenshotCaptor\ScreenshotCaptor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Justin Carroll\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Documents and Settings\All Users\Application Data\1kAlMiG2Kb7FzP.exe
C:\WINDOWS\system32\attrib.exe
C:\WINDOWS\system32\attrib.exe
C:\WINDOWS\system32\attrib.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.bing.com/?pc=AVBR
uSearch Bar = hxxp://www.google.com/ie
uWindow Title = Microsoft Internet Explorer presented by Comcast
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Microsoft Internet Explorer presented by Comcast
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: vshare.tv Bar Toolbar: {7aeb3efd-e564-43f1-b658-5058a7c5743b} - c:\program files\vshare.tv_bar\prxtbvsha.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: vshare.tv Bar Toolbar: {7aeb3efd-e564-43f1-b658-5058a7c5743b} - c:\program files\vshare.tv_bar\prxtbvsha.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: vshare.tv Bar Toolbar: {7aeb3efd-e564-43f1-b658-5058a7c5743b} - c:\program files\vshare.tv_bar\prxtbvsha.dll
TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
TB: {9377C91E-EB13-4AF4-9B45-42BE835BB548} - No File
TB: {4A360645-F363-416A-A7A3-54E4804F90ED} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [Screenshot Captor] "c:\program files\screenshotcaptor\ScreenshotCaptor.exe" /autorun
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\justin carroll\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Ask and Record FLV Service] "c:\program files\replay media catcher\FLVSrvc.exe" /run
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [Conime] %windir%\system32\conime.exe
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
mRun: [KpLRDMpSNRdCe.exe] c:\documents and settings\all users\application data\KpLRDMpSNRdCe.exe
mRun: [GammaAdjuster] c:\program files\gammaadjuster\GammaAdjuster.exe
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVXV1UtV0JEWEMtVllGTjMtUURKTUgtNDJBT0EtSzZIVTk"&"inst=NzctNzI5NDc4NzQ4LVNUMTJGT0krMS1ERFQrMC1FVUxBKzEtU1QxMkZBUFArMQ"&"prod=90"&"ver=2012.0.1808"&"mid=08e265eed46b47d198e3d15857710216-0c10fdb33029cccac1e82bc66ff1e53f2b8aff8b
uPolicies-explorer: NoDesktop = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: DisableTaskMgr = 1 (0x1)
IE: + Offline &Explorer: Download the link - file://c:\program files\offline explorer pro\Add_UrlO.htm
IE: + Offline E&xplorer: Download the current page - file://c:\program files\offline explorer pro\Add_AllO.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Save video on Savevid.com - c:\program files\savevid\redirect.htm
IE: {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/
IE: {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/
IE: {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: aol.com\free
Trusted Zone: microsoft.com\codecs
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1106446161968
DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37680.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {94B82441-A413-4E43-8422-D49930E69764} - hxxps://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
DPF: {B49C4597-8721-4789-9250-315DFBD9F525} - hxxp://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} - hxxp://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
TCP: DhcpNameServer = 68.87.68.166 68.87.74.166
TCP: Interfaces\{E33B789D-FCA7-4C9E-A054-82B57FC3959A} : DhcpNameServer = 68.87.68.166 68.87.74.166
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli
mASetup: {28681820-917D-11d5-8177-005056FDDA4B} - rundll32.exe c:\windows\system32\shellext\dafitech\cpy2clip\cpy2clip.dll,CreateUserSettings
.
============= SERVICES / DRIVERS ===============
.
R0 HFXP2;HFXP2;c:\windows\system32\drivers\hfxp2.sys [2010-11-22 17264]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-8-29 532224]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
S1 jbpfumea;jbpfumea;\??\c:\windows\system32\drivers\jbpfumea.sys --> c:\windows\system32\drivers\jbpfumea.sys [?]
S1 walzpykr;walzpykr;\??\c:\windows\system32\drivers\walzpykr.sys --> c:\windows\system32\drivers\walzpykr.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-9-6 136176]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 ati2mpad;ati2mpad;c:\windows\system32\drivers\ati2mpad.sys [2002-2-18 303360]
S3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\system32\drivers\aticxcap.sys [2005-4-22 188506]
S3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);c:\windows\system32\drivers\aticxtun.sys [2005-4-22 31003]
S3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;c:\windows\system32\drivers\aticxxbr.sys [2005-4-22 9882]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-9-6 136176]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-4 14336]
.
=============== Created Last 30 ================
.
2011-11-03 17:15:22 378880 ---ha-w- c:\documents and settings\all users\application data\1kAlMiG2Kb7FzP.exe
2011-11-03 17:14:40 493568 ---ha-w- c:\documents and settings\all users\application data\KpLRDMpSNRdCe.exe
2011-10-31 18:40:34 -------- d--h--w- c:\windows\system32\scripting
2011-10-31 18:40:31 -------- d--h--w- c:\windows\l2schemas
2011-10-31 18:40:28 -------- d--h--w- c:\windows\system32\en
2011-10-31 18:40:27 -------- d--h--w- c:\windows\system32\bits
2011-10-31 18:25:49 -------- d--h--w- c:\windows\EHome
2011-10-26 03:37:13 -------- d-sh--w- C:\found.000
2011-10-11 21:06:41 -------- d-sh--w- c:\documents and settings\justin carroll\local settings\application data\20fbb412
.
==================== Find3M ====================
.
2011-10-12 20:25:54 23624 ---ha-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-10-03 00:58:12 134464 ---ha-w- c:\windows\system32\LnkProtect.dll
2011-10-01 00:50:36 0 ---ha-w- c:\windows\system32\ConduitEngine.tmp
2011-09-03 02:10:47 404640 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-31 22:00:50 22216 ---ha-w- c:\windows\system32\drivers\mbam.sys
2004-08-24 01:13:16 222208 ---ha-w- c:\program files\mp3Trim.exe
2006-05-03 10:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
.
============= FINISH: 13:45:59.15 ===============
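As an added example (not code from this thread, from DDS or from OTL): a small Python triage script run over lines copied from the DDS log above. It flags the three kinds of indicators a responder would act on in this log: a Run entry launched from a user-writable data directory under a random-looking name, lockdown policies such as DisableTaskMgr and NoDesktop, and services or drivers whose file DDS could not read (the trailing [?]). The regexes, the directory hints and the vowel-ratio heuristic are this example's own assumptions, not DDS rules.

```python
"""Triage of DDS 'Pseudo HJT Report' and 'SERVICES / DRIVERS' lines.

Added example for this thread; the parsing rules and the random-name
heuristic are this example's own assumptions, not DDS or OTL logic.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS log posted above.
SAMPLE_DDS = r'''
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\justin carroll\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [KpLRDMpSNRdCe.exe] c:\documents and settings\all users\application data\KpLRDMpSNRdCe.exe
uPolicies-explorer: NoDesktop = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: DisableTaskMgr = 1 (0x1)
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-8-29 532224]
S1 jbpfumea;jbpfumea;\??\c:\windows\system32\drivers\jbpfumea.sys --> c:\windows\system32\drivers\jbpfumea.sys [?]
S1 walzpykr;walzpykr;\??\c:\windows\system32\drivers\walzpykr.sys --> c:\windows\system32\drivers\walzpykr.sys [?]
'''

# DDS line shapes this example understands (inferred from the log, not a DDS spec).
RUN_RE = re.compile(r'^[um]Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
POLICY_RE = re.compile(r'^[um]Policies-(?P<hive>\w+): (?P<key>\w+) = (?P<val>\d+)')
SERVICE_RE = re.compile(r'^(?P<state>[RS][0-4]) (?P<svc>[^;]+);(?P<desc>[^;]*);(?P<rest>.*)$')

# Locations a rogue typically drops into because any user can write there.
DATA_DIR_HINTS = ('application data', 'programdata', '\\temp\\', 'local settings')
# Policy values the rogue in this thread set to hide the desktop and block Task Manager.
LOCKDOWN_KEYS = {'DisableTaskMgr', 'NoDesktop', 'DisableRegistryTools'}
VOWELS = set('aeiouAEIOU')


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def exe_path(cmd: str) -> str:
    """Pull the executable path out of a Run value, dropping quotes and arguments."""
    m = re.search(r'"?(?P<path>[^"]*?\.exe)', cmd, re.IGNORECASE)
    return m['path'] if m else cmd.split()[0].strip('"')


def looks_random(stem: str) -> bool:
    """Heuristic: a long alphanumeric name with almost no vowels (KpLRDMpSNRdCe, 1kAlMiG2Kb7FzP)."""
    if len(stem) < 10 or not stem.isalnum():
        return False
    return sum(c in VOWELS for c in stem) / len(stem) < 0.2


def triage(report: str) -> list:
    """Return one Finding per suspicious indicator in the report text."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            path = exe_path(m['cmd'])
            stem = path.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
            # Legitimate updaters also live under Application Data, so this hit
            # alone is only a prompt to look closer; the name heuristic adds weight.
            if any(h in path.lower() for h in DATA_DIR_HINTS):
                findings.append(Finding(line, 'autorun from user-writable data directory'))
            if looks_random(stem):
                findings.append(Finding(line, 'random-looking executable name'))
        elif m := POLICY_RE.match(line):
            if m['key'] in LOCKDOWN_KEYS and m['val'] != '0':
                findings.append(Finding(line, f"lockdown policy {m['key']} set"))
        elif m := SERVICE_RE.match(line):
            # DDS prints [?] when it cannot stat the driver file: missing, or hidden from it.
            if m['rest'].rstrip().endswith('[?]'):
                findings.append(Finding(line, f"{m['state']} service with unreadable file: {m['svc']}"))
    return findings


def by_reason(findings) -> dict:
    """Group findings by reason so the noisy 'data directory' hits can be reviewed together."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.reason, []).append(f.line)
    return grouped


if __name__ == '__main__':
    for reason, lines in by_reason(triage(SAMPLE_DDS)).items():
        print(f'== {reason} ==')
        for entry in lines:
            print('  ', entry)
```

On the sample above the script singles out the KpLRDMpSNRdCe.exe Run entry on both counts, all three policy lines, and the two S1 drivers with [?], while ctfmon, ZoneAlarm and the ZoneAlarm driver produce nothing; Google Update trips only the directory rule, which is the point of keeping the two rules separate.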


#2 gringo_pr

Malware Response Team

Posted 09 November 2011 - 12:27 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you get notified faster when I have replied and make the cleaning process faster.


The first thing I would like you to do is run this for me: http://download.bleepingcomputer.com/grinler/unhide.exe. After it is complete, restart the computer and continue with these steps.


Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Under the Custom Scan box paste this in

    %TEMP%\smtmp\*.* /s

  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and is the one that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTListIt.txt in your next reply.


Information and logs:

  • In your next post I need the following:
    • logs from OTL
    • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:03 PM

Posted 12 November 2011 - 01:55 PM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#4 cloudeleven


Posted 12 November 2011 - 04:52 PM

Hi, sorry for the delay. I'm trying to copy and paste my OTL log file into my post, but I'm getting the message "Your post was too long. Please go back and shorten it a little." What should I do?

#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:03 PM

Posted 12 November 2011 - 05:07 PM

Upload it to mediafire.com and send me the link here.

#6 cloudeleven

cloudeleven
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:03 PM

Posted 12 November 2011 - 06:30 PM

Here's the link to my OTL log file:

http://www.mediafire.com/?74uhaod944gezx2

#7 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:03 PM

Posted 13 November 2011 - 04:59 AM

Hello

I want you to run this custom OTL script for me and then let me know how things are after you finish.

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and paste the following code into the textbox. Do not include the word Code.
    :otl
    FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=:  File not found
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=8: C:\Documents and Settings\Justin Carroll\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll File not found
    O3 - HKLM\..\Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - No CLSID value found.
    O3 - HKU\S-1-5-21-3094084607-98206127-3707447253-1006\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O4 - HKLM..\Run: [KpLRDMpSNRdCe.exe] C:\Documents and Settings\All Users\Application Data\KpLRDMpSNRdCe.exe File not found
    O9 - Extra Button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ File not found
    O9 - Extra Button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ File not found
    O9 - Extra Button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
    O16 - DPF: {00000075-9980-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/voxacm.CAB (Reg Error: Key error.)
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB (Reg Error: Key error.)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
    O20 - Winlogon\Notify\dimsntfy: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
    O33 - MountPoints2\{6e3fbc1e-3052-11de-9427-00111195ebe5}\Shell - "" = AutoRun
    O33 - MountPoints2\{6e3fbc1e-3052-11de-9427-00111195ebe5}\Shell\AutoRun - "" = Auto&Play
    O2 - BHO: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll (Conduit Ltd.)
    O2 - BHO: (vshare.tv Bar Toolbar) - {7aeb3efd-e564-43f1-b658-5058a7c5743b} - C:\Program Files\vshare.tv_Bar\prxtbvsha.dll (Conduit Ltd.)
    O3 - HKLM\..\Toolbar: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll (Conduit Ltd.)
    O3 - HKLM\..\Toolbar: (vshare.tv Bar Toolbar) - {7aeb3efd-e564-43f1-b658-5058a7c5743b} - C:\Program Files\vshare.tv_Bar\prxtbvsha.dll (Conduit Ltd.)
    O3 - HKU\S-1-5-21-3094084607-98206127-3707447253-1006\..\Toolbar\WebBrowser: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll (Conduit Ltd.)
    O3 - HKU\S-1-5-21-3094084607-98206127-3707447253-1006\..\Toolbar\WebBrowser: (vshare.tv Bar Toolbar) - {7AEB3EFD-E564-43F1-B658-5058A7C5743B} - C:\Program Files\vshare.tv_Bar\prxtbvsha.dll (Conduit Ltd.)
    O32 - AutoRun File - [2011/03/31 12:12:08 | 000,083,635 | ---- | M] () - G:\AutoAdmit_com - our college admissions system is so bleeped up.htm -- [ FAT32 ]
    O32 - AutoRun File - [2011/09/08 09:48:52 | 000,272,106 | ---- | M] () - G:\AutoAdmit_com - Consulting sort of sucks as well.htm -- [ FAT32 ]
    O32 - AutoRun File - [2011/04/05 09:45:34 | 000,018,023 | ---- | M] () - G:\AutoAdmit_com - History of LSAT.htm -- [ FAT32 ]
    O32 - AutoRun File - [2011/09/08 09:48:50 | 000,000,000 | ---D | M] - G:\AutoAdmit_com - Consulting sort of sucks as well_files -- [ FAT32 ]
    :Files
    ipconfig /flushdns /c
    :Commands
    [PURITY]
    [EMPTYTEMP]
    [emptyjava]
    [EMPTYFLASH]
    [RESETHOSTS]
    
  • Then click the Run Fix button at the top.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and paste that report in your next reply.


#8 cloudeleven

cloudeleven
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:03 PM

Posted 15 November 2011 - 07:27 PM

The fix killed the Internet connection on the infected computer for some reason. I'm posting this on another computer in my house. Also, when I restart the infected computer now, the Dell screen and Windows XP splash screen appear and I'm able to input my password to log on to the computer, but after that I get a black screen for 5 minutes before my desktop will appear. After my desktop appears, the Internet doesn't work. I didn't have these issues before I ran the fix.

See log below:

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\MozillaPlugins\@tools.google.com/Google Update;version=8\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{BA52B914-B692-46c4-B683-905236F6F655} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BA52B914-B692-46c4-B683-905236F6F655}\ not found.
Registry value HKEY_USERS\S-1-5-21-3094084607-98206127-3707447253-1006\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\KpLRDMpSNRdCe.exe deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{669B269B-0D4E-41FB-A3D8-FD67CA94F646}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{669B269B-0D4E-41FB-A3D8-FD67CA94F646}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{8828075D-D097-4055-AA02-2DBFA9D85E8A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8828075D-D097-4055-AA02-2DBFA9D85E8A}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{97809617-3937-4F84-B335-9BB05EF1A8D4}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{97809617-3937-4F84-B335-9BB05EF1A8D4}\ not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017\ deleted successfully.
Starting removal of ActiveX control {00000075-9980-0010-8000-00AA00389B71}
C:\WINDOWS\Downloaded Program Files\voxacm.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{00000075-9980-0010-8000-00AA00389B71}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000075-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000075-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000075-9980-0010-8000-00AA00389B71}\ not found.
Starting removal of ActiveX control {33564D57-0000-0010-8000-00AA00389B71}
C:\WINDOWS\Downloaded Program Files\WMV9VCM.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{33564D57-0000-0010-8000-00AA00389B71}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{33564D57-0000-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{33564D57-0000-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{33564D57-0000-0010-8000-00AA00389B71}\ not found.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6e3fbc1e-3052-11de-9427-00111195ebe5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6e3fbc1e-3052-11de-9427-00111195ebe5}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6e3fbc1e-3052-11de-9427-00111195ebe5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6e3fbc1e-3052-11de-9427-00111195ebe5}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{30F9B915-B755-4826-820B-08FBA6BD249D}\ deleted successfully.
C:\Program Files\ConduitEngine\prxConduitEngine.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7aeb3efd-e564-43f1-b658-5058a7c5743b}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7aeb3efd-e564-43f1-b658-5058a7c5743b}\ deleted successfully.
C:\Program Files\vshare.tv_Bar\prxtbvsha.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{30F9B915-B755-4826-820B-08FBA6BD249D} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{30F9B915-B755-4826-820B-08FBA6BD249D}\ not found.
File C:\Program Files\ConduitEngine\prxConduitEngine.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{7aeb3efd-e564-43f1-b658-5058a7c5743b} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7aeb3efd-e564-43f1-b658-5058a7c5743b}\ not found.
File C:\Program Files\vshare.tv_Bar\prxtbvsha.dll not found.
Registry value HKEY_USERS\S-1-5-21-3094084607-98206127-3707447253-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{30F9B915-B755-4826-820B-08FBA6BD249D} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{30F9B915-B755-4826-820B-08FBA6BD249D}\ not found.
File C:\Program Files\ConduitEngine\prxConduitEngine.dll not found.
Registry value HKEY_USERS\S-1-5-21-3094084607-98206127-3707447253-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7AEB3EFD-E564-43F1-B658-5058A7C5743B} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7AEB3EFD-E564-43F1-B658-5058A7C5743B}\ not found.
File C:\Program Files\vshare.tv_Bar\prxtbvsha.dll not found.
File G:\AutoAdmit_com - our college admissions system is so bleeped up.htm not found.
File G:\AutoAdmit_com - Consulting sort of sucks as well.htm not found.
File G:\AutoAdmit_com - History of LSAT.htm not found.
File not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Justin Carroll\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Justin Carroll\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 56502 bytes

User: Justin Carroll
->Temp folder emptied: 588740784 bytes
->Temporary Internet Files folder emptied: 330368252 bytes
->Java cache emptied: 72330846 bytes
->FireFox cache emptied: 136134049 bytes
->Google Chrome cache emptied: 41690939 bytes
->Apple Safari cache emptied: 18138112 bytes
->Flash cache emptied: 6481567 bytes

User: LocalService
->Temp folder emptied: 70232 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 348 bytes

User: NetworkService
->Temp folder emptied: 4216 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Sharron Carroll
->Temp folder emptied: 501344706 bytes
->Temporary Internet Files folder emptied: 4152270 bytes
->Java cache emptied: 16504367 bytes
->FireFox cache emptied: 33532487 bytes
->Flash cache emptied: 386134 bytes

%systemdrive% .tmp files removed: 6597 bytes
%systemroot% .tmp files removed: 1053321 bytes
%systemroot%\System32 .tmp files removed: 59446865 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 13800465 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 210948200 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 72986357 bytes

Total Files Cleaned = 2,011.00 mb


[EMPTYJAVA]

User: Administrator

User: All Users

User: Default User

User: Justin Carroll
->Java cache emptied: 0 bytes

User: LocalService

User: NetworkService

User: Sharron Carroll
->Java cache emptied: 0 bytes

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: Justin Carroll
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService

User: Sharron Carroll
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.31.0 log created on 11152011_161235

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Edited by cloudeleven, 15 November 2011 - 07:34 PM.


#9 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,772 posts
  • Location: Puerto Rico

Posted 16 November 2011 - 08:55 AM

Hello

I Would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


Let's try this to get you back online; let me know if it works.

Download and run WinSockFix. This is a two-step process that will back up the registry and reset the Winsock stack.
  • Double click on WinsockXPFix.exe to open.
  • On the Winsock and TCP Repair Utility screen, click "ReG-Backup"
  • On the ERDNT Welcome screen, click "OK".
  • On the Backup to: screen, click "OK".
  • On the Folder does not exist question screen click "Yes".
  • You will see a status screen as your registry is being backed up.
  • On the Registry backup is complete! screen, click "OK" and you will go back to the main window.
  • On the Winsock and TCP Repair Utility screen, click "Fix".
  • On the Apply the VB_Winsock fix? screen click "Yes".
  • The screen will display a status message "repair completed please reboot."
  • On the Repair Completed screen click "OK" to reboot your computer.
  • If your computer was not using DHCP, you will need to reconfigure TCP/IP.
  • You should have connectivity restored.
If you have internet back, come back and let me know; if not, go to the next step.

Download LSPFix and save to your desktop.
alternate download site
alternate download site
  • Disconnect from the Internet, go to the LSPfix file and extract (unzip) LSP-Fix into its own folder such as C:\lspfix. (Click here for information on how to do this if not sure; Win 9x/2000 users click here.)
  • Open the lspfix folder and double-click on LSPFix.exe to start the program.
  • Check the "I know what I am doing" checkbox.
  • Click "Finish" and LSPfix will restore the chain numbers.
  • restart the computer


Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
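
The two posts around this point are easier to read with a small triage script. The OTL log above deleted every Winsock Protocol_Catalog9 catalog entry, which is what broke networking and why the reply starts with a Winsock reset; the ComboFix log that follows lists boot-start drivers whose files are missing, the fake hotfix-uninstall directory and U\ payload folders that ComboFix removed and attributed to ZeroAccess, an infected winlogon.exe, two winlogon.exe copies with different hashes in the Sigcheck table, and Security Center overrides. The Python below is an added example, not code from OTL, ComboFix or BleepingComputer. SAMPLE_LOG is constructed from lines posted in this thread; the line-format assumptions (for instance that a trailing "[?]" marks a missing service file) and the hidden-store path heuristics are the example author's own, not documented output specifications of either tool.

```python
"""Triage of OTL / ComboFix log excerpts: an added example, not code from
either tool. SAMPLE_LOG is constructed from lines posted in this thread; the
line-format assumptions and hidden-store heuristics are the author's."""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{30F9B915-B755-4826-820B-08FBA6BD249D}\ deleted successfully.
c:\documents and settings\Justin Carroll\Local Settings\Application Data\20fbb412\U\80000000.@
c:\windows\$NtUninstallKB27414$\553366546\@
c:\windows\$NtUninstallKB27414$\553366546\click.tlb
c:\windows\$NtUninstallKB27414$\553366546\L\odetmngk
c:\windows\$NtUninstallKB27414$\553366546\U\@80000000
c:\windows\iun6002.exe
c:\windows\system32\winlogon.exe . . . is infected!!
[-] 2010-12-05 . E87C49F5B660865CBFE5500F42BDDE20 . 502272 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\winlogon.exe
[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
"AntiVirusOverride"=dword:00000001
"DisableMonitoring"=dword:00000001
"EnableFirewall"= 0 (0x0)
R0 HFXP2;HFXP2;c:\windows\SYSTEM32\DRIVERS\hfxp2.sys [11/22/2010 6:37 PM 17264]
S1 jbpfumea;jbpfumea;\??\c:\windows\system32\drivers\jbpfumea.sys --> c:\windows\system32\drivers\jbpfumea.sys [?]
S1 walzpykr;walzpykr;\??\c:\windows\system32\drivers\walzpykr.sys --> c:\windows\system32\drivers\walzpykr.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/6/2010 11:01 AM 136176]
"""

# OTL: a removed Winsock catalog entry breaks the LSP chain; networking stays
# down until the catalog is rebuilt (WinsockFix / netsh winsock reset).
WINSOCK_RE = re.compile(r"Protocol_Catalog9\\Catalog_Entries\\(\d+)\\ deleted successfully", re.I)
# ComboFix service list: assumed that "[?]" after the image path = file missing.
ORPHAN_SVC_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;.*\s\[\?\]\s*$")
INFECTED_RE = re.compile(r"^(.+?)\s+\.\s+\.\s+\.\s+is infected!!$", re.I)
# ComboFix Sigcheck row: [-] date . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[-\]\s+(\d{4}-\d{2}-\d{2})\s+\.\s+([0-9A-Fa-f]{32})\s+\.\s+(\d+)"
    r"\s+\.\s+\.\s+\[([\d.]+)\]\s+\.\s+\.\s+(.+?)\s*$")
# Assumed hidden-store markers seen in the deletions: a fake hotfix-uninstall
# directory with a numeric subfolder, and U\ directories holding @-named files.
HIDDEN_STORE_RES = [
    re.compile(r"\\\$NtUninstallKB\d+\$\\\d+\\", re.I),
    re.compile(r"\\U\\@?[0-9a-f]{8}(?:\.@)?\s*$", re.I),
]
# Security Center / firewall values that hide a missing AV or disabled firewall.
OVERRIDE_RE = re.compile(r'^"(AntiVirusOverride|DisableMonitoring)"=dword:0*1$|^"(EnableFirewall)"=\s*0\b')


def _hits(regex, lines):
    for ln in lines:
        m = regex.search(ln)
        if m:
            yield m

def winsock_entries_deleted(lines):
    return [int(m.group(1)) for m in _hits(WINSOCK_RE, lines)]

def orphan_drivers(lines):
    return [m.group(1) for m in _hits(ORPHAN_SVC_RE, lines)]

def infected_files(lines):
    return [m.group(1) for m in _hits(INFECTED_RE, lines)]

def hidden_store_paths(lines):
    return [ln for ln in lines if any(r.search(ln) for r in HIDDEN_STORE_RES)]

def security_overrides(lines):
    return [m.group(1) or m.group(2) for m in _hits(OVERRIDE_RE, lines)]

def parse_sigcheck(lines):
    return [dict(zip(("date", "md5", "size", "version", "path"), m.groups()))
            for m in _hits(SIGCHECK_RE, lines)]

def sigcheck_conflicts(entries):
    """Same file name with different hashes: the pair needs a hash lookup."""
    by_name = defaultdict(set)
    for e in entries:
        by_name[e["path"].rsplit("\\", 1)[-1].lower()].add(e["md5"].upper())
    return sorted(n for n, hashes in by_name.items() if len(hashes) > 1)

def triage(log_text):
    lines = log_text.splitlines()
    return {
        "winsock_entries_deleted": winsock_entries_deleted(lines),
        "orphan_drivers": orphan_drivers(lines),
        "infected_files": infected_files(lines),
        "hidden_store_paths": hidden_store_paths(lines),
        "security_overrides": security_overrides(lines),
        "sigcheck_conflicts": sigcheck_conflicts(parse_sigcheck(lines)),
    }

if __name__ == "__main__":
    for key, val in triage(SAMPLE_LOG).items():
        print(f"{key}: {val}")
```

Run against the sample it reports catalog entries 2 and 3 removed, the two eight-letter S1 drivers with no file on disk, five hidden-store paths, the three overrides, and winlogon.exe as a Sigcheck conflict. A conflict is not proof by itself (the SoftwareDistribution copy is a downloaded update), so the script only pairs the two for comparison; on this machine the system32 copy carries an SP2 version string with a 2010 timestamp, and ComboFix itself declared it infected. The EnableFirewall=0 hit is expected where ZoneAlarm replaces the Windows firewall, which is why it is reported rather than treated as malicious.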

#10 cloudeleven (Topic Starter)
  • Members
  • 10 posts

Posted 16 November 2011 - 02:48 PM

I was able to connect back to the Internet with the WinsockxpFix program. I ran ComboFix as instructed. I did encounter this message with ComboFix:

"System file is infected! Attempting to restore:

C:\WINDOWS\system32\winlogon.exe

A readily available replacement was not found. An intensive search may take a while"

(not sure exactly what that last sentence said. Something like that)

Not sure if ComboFix fixed winlogon.exe. Hopefully it did.

Also, ComboFix told me I was infected with Rootkit.ZeroAccess, and that it had inserted itself into the TCP/IP stack. Hopefully ComboFix fixed that.

I don't seem to be having any problems with my computer right now.

Here's the ComboFix log:

ComboFix 11-11-16.01 - Justin Carroll 11/16/2011 12:56:10.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1526.1155 [GMT -6:00]
Running from: c:\documents and settings\Justin Carroll\Desktop\ComboFix.exe
FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\data
c:\data\070531nwo_spellwinner.flv (wmr).ini
c:\data\070531nwo_spellwinner.flv (wmr).txt
c:\documents and settings\All Users\Application Data\1kAlMiG2Kb7FzP.exe
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Justin Carroll\Application Data\inst.exe
c:\documents and settings\Justin Carroll\Local Settings\Application Data\20fbb412\U
c:\documents and settings\Justin Carroll\Local Settings\Application Data\20fbb412\U\80000000.@
c:\documents and settings\Justin Carroll\Start Menu\Programs\System Restore
c:\documents and settings\Justin Carroll\Start Menu\Programs\System Restore\System Restore.lnk
c:\documents and settings\Justin Carroll\Start Menu\Programs\System Restore\Uninstall System Restore.lnk
c:\documents and settings\Justin Carroll\WINDOWS
c:\windows\$NtUninstallKB27414$
c:\windows\$NtUninstallKB27414$\4286062378
c:\windows\$NtUninstallKB27414$\553366546\@
c:\windows\$NtUninstallKB27414$\553366546\click.tlb
c:\windows\$NtUninstallKB27414$\553366546\L\odetmngk
c:\windows\$NtUninstallKB27414$\553366546\loader.tlb
c:\windows\$NtUninstallKB27414$\553366546\U\@00000001
c:\windows\$NtUninstallKB27414$\553366546\U\@000000c0
c:\windows\$NtUninstallKB27414$\553366546\U\@000000cb
c:\windows\$NtUninstallKB27414$\553366546\U\@000000cf
c:\windows\$NtUninstallKB27414$\553366546\U\@80000000
c:\windows\$NtUninstallKB27414$\553366546\U\@800000c0
c:\windows\$NtUninstallKB27414$\553366546\U\@800000cb
c:\windows\$NtUninstallKB27414$\553366546\U\@800000cf
c:\windows\{2521BB91-29B1-4d7e-9137-AC9875D77735}
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\iun6002.exe
c:\windows\system32\
c:\windows\system32\_003397_.tmp.dll
c:\windows\system32\_003398_.tmp.dll
c:\windows\system32\_003399_.tmp.dll
c:\windows\system32\_003400_.tmp.dll
c:\windows\system32\_003407_.tmp.dll
c:\windows\system32\_003408_.tmp.dll
c:\windows\system32\_003409_.tmp.dll
c:\windows\system32\_003410_.tmp.dll
c:\windows\system32\_003412_.tmp.dll
c:\windows\system32\_003413_.tmp.dll
c:\windows\system32\_003416_.tmp.dll
c:\windows\system32\_003417_.tmp.dll
c:\windows\system32\_003419_.tmp.dll
c:\windows\system32\_003420_.tmp.dll
c:\windows\system32\_003421_.tmp.dll
c:\windows\system32\_003423_.tmp.dll
c:\windows\system32\_003426_.tmp.dll
c:\windows\system32\_003427_.tmp.dll
c:\windows\system32\_003431_.tmp.dll
c:\windows\system32\_003432_.tmp.dll
c:\windows\system32\_003434_.tmp.dll
c:\windows\system32\_003436_.tmp.dll
c:\windows\system32\_003437_.tmp.dll
c:\windows\system32\_003439_.tmp.dll
c:\windows\system32\_003440_.tmp.dll
c:\windows\system32\_003441_.tmp.dll
c:\windows\system32\_003442_.tmp.dll
c:\windows\system32\_003443_.tmp.dll
c:\windows\system32\_003446_.tmp.dll
c:\windows\system32\_003447_.tmp.dll
c:\windows\system32\_003448_.tmp.dll
c:\windows\system32\_003449_.tmp.dll
c:\windows\system32\_003450_.tmp.dll
c:\windows\system32\_003455_.tmp.dll
c:\windows\system32\_003457_.tmp.dll
c:\windows\system32\_003458_.tmp.dll
c:\windows\system32\AutoRun.inf
c:\windows\system32\Temp
c:\windows\system32\Temp\DE99B447R3
F:\install.exe
.
c:\windows\system32\winlogon.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2011-10-16 to 2011-11-16 )))))))))))))))))))))))))))))))
.
.
2011-10-31 18:40 . 2011-10-31 18:46 -------- d-----w- c:\windows\system32\scripting
2011-10-31 18:40 . 2011-10-31 18:46 -------- d-----w- c:\windows\l2schemas
2011-10-31 18:40 . 2011-10-31 18:46 -------- d-----w- c:\windows\system32\en
2011-10-31 18:40 . 2011-10-31 18:46 -------- d-----w- c:\windows\system32\bits
2011-10-31 18:25 . 2011-10-31 18:25 -------- d-----w- c:\windows\EHome
2011-10-26 03:37 . 2011-10-26 03:37 -------- d-----w- C:\found.000
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-12 20:25 . 2011-10-03 01:00 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-10-03 00:58 . 2011-10-03 00:58 134464 ----a-w- c:\windows\system32\LnkProtect.dll
2011-09-03 02:10 . 2011-09-03 02:10 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-31 22:00 . 2010-08-29 17:15 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2004-08-24 01:13 . 2005-05-28 21:03 222208 ----a-w- c:\program files\mp3Trim.exe
2006-05-03 10:06 163328 --sh--r- c:\windows\SYSTEM32\flvDX.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2010-12-05 . E87C49F5B660865CBFE5500F42BDDE20 . 502272 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\winlogon.exe
[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Screenshot Captor"="c:\program files\ScreenshotCaptor\ScreenshotCaptor.exe" [2005-08-27 1372672]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2010-10-29 1652736]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Ask and Record FLV Service"="c:\program files\Replay Media Catcher\FLVSrvc.exe" [2009-09-22 156672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-24 149280]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
"Conime"="c:\windows\system32\conime.exe" [2004-08-04 27648]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-05-07 1638400]
"GammaAdjuster"="c:\program files\GammaAdjuster\GammaAdjuster.exe" [2009-02-12 191488]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVXV1UtV0JEWEMtVllGTjMtUURKTUgtNDJBT0EtSzZIVTk&inst=NzctNzI5NDc4NzQ4LVNUMTJGT0krMS1ERFQrMC1FVUxBKzEtU1QxMkZBUFArMQ&prod=90&ver=2012.0.1808&mid=08e265eed46b47d198e3d15857710216-0c10fdb33029cccac1e82bc66ff1e53f2b8aff8b" [?]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lexmark X125 Settings Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Lexmark X125 Settings Utility.lnk
backup=c:\windows\pss\Lexmark X125 Settings Utility.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Justin Carroll^Start Menu^Programs^Startup^HotSync Manager.LNK]
path=c:\documents and settings\Justin Carroll\Start Menu\Programs\Startup\HotSync Manager.LNK
backup=c:\windows\pss\HotSync Manager.LNKStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Justin Carroll^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=c:\documents and settings\Justin Carroll\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=c:\windows\pss\PowerReg Scheduler.exeStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-03-12 03:34 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-10-14 19:46 77824 ----a-w- c:\windows\SYSTEM32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-10-14 19:49 94208 ----a-w- c:\windows\SYSTEM32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-03-29 04:37 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2004-01-07 07:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"c:\\WINDOWS\\kdx\\khost.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\WINDOWS\\SYSTEM32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\Kodak Printer\\AiO\\Center\\AiOHomeCenter.exe"=
"c:\\Program Files\\Kodak Printer\\AiO\\Center\\Kodak.Statistics.exe"=
"c:\\Program Files\\Kodak Printer\\AiO\\Center\\NetworkPrinterDiscovery.exe"=
"c:\\Program Files\\Kodak Printer\\AiO\\Firmware\\KodakAiOUpdater.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kodak\\Installer\\Setup.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9322:TCP"= 9322:TCP:EKDiscovery
"9323:TCP"= 9323:TCP:EKDiscovery
.
R0 HFXP2;HFXP2;c:\windows\SYSTEM32\DRIVERS\hfxp2.sys [11/22/2010 6:37 PM 17264]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 12:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 12:41 PM 67656]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\SYSTEM32\DRIVERS\npf.sys [10/20/2009 12:19 PM 50704]
R3 pcouffin;VSO Software pcouffin;c:\windows\SYSTEM32\DRIVERS\pcouffin.sys [12/18/2006 4:41 AM 47360]
S1 jbpfumea;jbpfumea;\??\c:\windows\system32\drivers\jbpfumea.sys --> c:\windows\system32\drivers\jbpfumea.sys [?]
S1 walzpykr;walzpykr;\??\c:\windows\system32\drivers\walzpykr.sys --> c:\windows\system32\drivers\walzpykr.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/6/2010 11:01 AM 136176]
S3 ati2mpad;ati2mpad;c:\windows\SYSTEM32\DRIVERS\ati2mpad.sys [2/18/2002 2:19 PM 303360]
S3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\SYSTEM32\DRIVERS\aticxcap.sys [4/22/2005 10:58 PM 188506]
S3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);c:\windows\SYSTEM32\DRIVERS\aticxtun.sys [4/22/2005 10:58 PM 31003]
S3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;c:\windows\SYSTEM32\DRIVERS\aticxxbr.sys [4/22/2005 10:58 PM 9882]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/6/2010 11:01 AM 136176]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 5:00 AM 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28681820-917D-11d5-8177-005056FDDA4B}]
2002-11-18 13:20 86016 ----a-w- c:\windows\SYSTEM32\ShellExt\DafiTech\Cpy2Clip\cpy2clip.dll
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-06 17:01]
.
2011-11-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-06 17:01]
.
2011-11-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3094084607-98206127-3707447253-1006Core.job
- c:\documents and settings\Justin Carroll\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-28 17:21]
.
2011-11-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3094084607-98206127-3707447253-1006UA.job
- c:\documents and settings\Justin Carroll\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-28 17:21]
.
2010-12-25 c:\windows\Tasks\Phatsoft TMR Task 1.job
- c:\program files\TMR\TMR.exe [2003-11-27 20:35]
.
2011-11-15 c:\windows\Tasks\Phatsoft TMR Task 10.job
- c:\program files\TMR\TMR.exe [2003-11-27 20:35]
.
2011-11-16 c:\windows\Tasks\Phatsoft TMR Task 11.job
- c:\program files\TMR\TMR.exe [2003-11-27 20:35]
.
2011-11-11 c:\windows\Tasks\Phatsoft TMR Task 12.job
- c:\program files\TMR\TMR.exe [2003-11-27 20:35]
.
2011-10-09 c:\windows\Tasks\Phatsoft TMR Task 13.job
- c:\program files\TMR\TMR.exe [2003-11-27 20:35]
.
2011-11-10 c:\windows\Tasks\Phatsoft TMR Task 14.job
- c:\program files\TMR\TMR.exe [2003-11-27 20:35]
.
2011-11-13 c:\windows\Tasks\Phatsoft TMR Task 15.job
- c:\program files\TMR\TMR.exe [2003-11-27 20:35]
.
2011-11-16 c:\windows\Tasks\Phatsoft TMR Task 16.job
- c:\program files\TMR\TMR.exe [2003-11-27 20:35]
.
2010-12-31 c:\windows\Tasks\Phatsoft TMR Task 17.job
- c:\program files\TMR\TMR.exe [2003-11-27 20:35]
.
2011-07-09 c:\windows\Tasks\Phatsoft TMR Task 18.job
- c:\program files\TMR\TMR.exe [2003-11-27 20:35]
.
2011-10-01 c:\windows\Tasks\Phatsoft TMR Task 19.job
- c:\program files\TMR\TMR.exe [2003-11-27 20:35]
.
2011-10-09 c:\windows\Tasks\Phatsoft TMR Task 2.job
- c:\program files\TMR\TMR.exe [2003-11-27 20:35]
.
2011-11-14 c:\windows\Tasks\Phatsoft TMR Task 20.job
- c:\program files\TMR\TMR.exe [2003-11-27 20:35]
.
2011-11-06 c:\windows\Tasks\Phatsoft TMR Task 21.job
- c:\program files\TMR\TMR.exe [2003-11-27 20:35]
.
2011-04-09 c:\windows\Tasks\Phatsoft TMR Task 22.job
- c:\program files\TMR\TMR.exe [2003-11-27 20:35]
.
2011-11-13 c:\windows\Tasks\Phatsoft TMR Task 23.job
- c:\program files\TMR\TMR.exe [2003-11-27 20:35]
.
2011-09-17 c:\windows\Tasks\Phatsoft TMR Task 24.job
- c:\program files\TMR\TMR.exe [2003-11-27 20:35]
.
2011-01-24 c:\windows\Tasks\Phatsoft TMR Task 25.job
- c:\program files\TMR\TMR.exe [2003-11-27 20:35]
.
2011-09-17 c:\windows\Tasks\Phatsoft TMR Task 26.job
- c:\program files\TMR\TMR.exe [2003-11-27 20:35]
.
2011-02-01 c:\windows\Tasks\Phatsoft TMR Task 27.job
- c:\program files\TMR\TMR.exe [2003-11-27 20:35]
.
2011-04-06 c:\windows\Tasks\Phatsoft TMR Task 29.job
- c:\program files\TMR\TMR.exe [2003-11-27 20:35]
.
2011-10-24 c:\windows\Tasks\Phatsoft TMR Task 3.job
- c:\program files\TMR\TMR.exe [2003-11-27 20:35]
.
2011-10-19 c:\windows\Tasks\Phatsoft TMR Task 30.job
- c:\program files\TMR\TMR.exe [2003-11-27 20:35]
.
2011-05-25 c:\windows\Tasks\Phatsoft TMR Task 31.job
- c:\program files\TMR\TMR.exe [2003-11-27 20:35]
.
2011-10-19 c:\windows\Tasks\Phatsoft TMR Task 32.job
- c:\program files\TMR\TMR.exe [2003-11-27 20:35]
.
2011-02-01 c:\windows\Tasks\Phatsoft TMR Task 33.job
- c:\program files\TMR\TMR.exe [2003-11-27 20:35]
.
2011-02-01 c:\windows\Tasks\Phatsoft TMR Task 34.job
- c:\program files\TMR\TMR.exe [2003-11-27 20:35]
.
2011-02-12 c:\windows\Tasks\Phatsoft TMR Task 35.job
- c:\program files\TMR\TMR.exe [2003-11-27 20:35]
.
2011-05-03 c:\windows\Tasks\Phatsoft TMR Task 36.job
- c:\program files\TMR\TMR.exe [2003-11-27 20:35]
.
2011-09-18 c:\windows\Tasks\Phatsoft TMR Task 38.job
- c:\program files\TMR\TMR.exe [2003-11-27 20:35]
.
2011-09-03 c:\windows\Tasks\Phatsoft TMR Task 4.job
- c:\program files\TMR\TMR.exe [2003-11-27 20:35]
.
2011-11-10 c:\windows\Tasks\Phatsoft TMR Task 40.job
- c:\program files\TMR\TMR.exe [2003-11-27 20:35]
.
2011-11-16 c:\windows\Tasks\Phatsoft TMR Task 42.job
- c:\program files\TMR\TMR.exe [2003-11-27 20:35]
.
2011-03-06 c:\windows\Tasks\Phatsoft TMR Task 44.job
- c:\program files\TMR\TMR.exe [2003-11-27 20:35]
.
2011-03-06 c:\windows\Tasks\Phatsoft TMR Task 45.job
- c:\program files\TMR\TMR.exe [2003-11-27 20:35]
.
2011-03-06 c:\windows\Tasks\Phatsoft TMR Task 46.job
- c:\program files\TMR\TMR.exe [2003-11-27 20:35]
.
2011-03-06 c:\windows\Tasks\Phatsoft TMR Task 47.job
- c:\program files\TMR\TMR.exe [2003-11-27 20:35]
.
2011-11-15 c:\windows\Tasks\Phatsoft TMR Task 49.job
- c:\program files\TMR\TMR.exe [2003-11-27 20:35]
.
2011-11-13 c:\windows\Tasks\Phatsoft TMR Task 5.job
- c:\program files\TMR\TMR.exe [2003-11-27 20:35]
.
2011-06-22 c:\windows\Tasks\Phatsoft TMR Task 56.job
- c:\program files\TMR\TMR.exe [2003-11-27 20:35]
.
2010-06-23 c:\windows\Tasks\Phatsoft TMR Task 8.job
- c:\program files\TMR\TMR.exe [2003-11-27 20:35]
.
2011-10-09 c:\windows\Tasks\Phatsoft TMR Task 9.job
- c:\program files\TMR\TMR.exe [2003-11-27 20:35]
.
2009-04-19 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2007-01-06 19:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Microsoft Internet Explorer presented by Comcast
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: + Offline &Explorer: Download the link - file://c:\program files\Offline Explorer Pro\Add_UrlO.htm
IE: + Offline E&xplorer: Download the current page - file://c:\program files\Offline Explorer Pro\Add_AllO.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Save video on Savevid.com - c:\program files\Savevid\redirect.htm
Trusted Zone: aol.com\free
Trusted Zone: microsoft.com\codecs
TCP: DhcpNameServer = 68.87.68.166 68.87.74.166
DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37680.cab
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{7aeb3efd-e564-43f1-b658-5058a7c5743b} - (no file)
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
MSConfigStartUp-AdaptecDirectCD - c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
MSConfigStartUp-ares - c:\program files\Ares\Ares.exe
MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
MSConfigStartUp-NeroFilterCheck - c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
MSConfigStartUp-PureText - c:\program files\PureText 2\PureText.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
MSConfigStartUp-ViewMgr - c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
AddRemove-AvantBrowser - g:\avant\Avant Browser\uninst.exe
AddRemove-clrmamepro - d:\money manager\Arcade\CLRMamePro\uninstall.exe
AddRemove-Cool's_Codec_pack_4.12 - c:\windows\iun6002.exe
AddRemove-HijackThis - c:\docume~1\JUSTIN~1\LOCALS~1\Temp\Rar$EX00.516\HijackThis.exe
AddRemove-IrfanView - g:\irfanview\iv_uninstall.exe
AddRemove-Macromedia Shockwave Player - c:\windows\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE
AddRemove-Mozilla Firefox (3.6.10) - g:\firefox\uninstall\helper.exe
AddRemove-Netscape Navigator (9.0.0.6) - g:\netscape\uninstall\helper.exe
AddRemove-SlimBrowser - g:\slimbroser\SlimBrowser\uninst.exe
AddRemove-WM_Recorder_102 - c:\windows\iun6002.exe
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\Justin Carroll\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
AddRemove-{59366175-55F2-411B-9911-3D71D46CD073} - c:\documents and settings\Justin Carroll\Local Settings\Application Data\{773E7240-B347-4DFF-A6EF-6E829EDD59DF}\Anonymizer_Software.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-16 13:13
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3094084607-98206127-3707447253-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*"j*ä*]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-3094084607-98206127-3707447253-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*"j*ä*\OpenWithList]
@Class="Shell"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(452)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3304)
c:\windows\system32\WININET.dll
c:\documents and settings\Justin Carroll\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
c:\windows\system32\LnkProtect.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\SmartFTP\smarthook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-11-16 13:20:18 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-16 19:20
.
Pre-Run: 2,495,594,496 bytes free
Post-Run: 2,830,528,512 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 12FDEAD9B0D1D993BF945928597EB5D0

Edited by cloudeleven, 16 November 2011 - 02:54 PM.
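As an added example, not code from the thread or from ComboFix itself, a small Python triage helper for the "DLLs Loaded Under Running Processes" section of a ComboFix log like the one above: it lists, per process, every module loaded from outside the Windows and Program Files trees, which is the first place a reviewer looks for modules injected into winlogon.exe or explorer.exe. The sample input is constructed from lines copied out of the log above.

```python
# Added example, not part of the thread: a triage helper for the "DLLs Loaded
# Under Running Processes" section of a ComboFix log like the one posted above.
# SAMPLE_LOG is a constructed sample built from lines copied out of that log.
import re

SAMPLE_LOG = r"""
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(452)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3304)
c:\windows\system32\WININET.dll
c:\documents and settings\Justin Carroll\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
c:\program files\SmartFTP\smarthook.dll
.
Completion time: 2011-11-16 13:20:18 - machine was rebooted
"""

# ComboFix writes each process block as a header line followed by one path per line.
PROCESS_HEADER = re.compile(r"^- - - - - - - > '([^']+)'\((\d+)\)$")
# Modules loaded from anywhere else (user profile, temp, removable drives) get flagged.
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")

def parse_loaded_dlls(log_text):
    """Return {'name(pid)': [dll path, ...]} from the DLLs section of a ComboFix log."""
    result, current, in_section = {}, None, False
    for line in (ln.strip() for ln in log_text.splitlines()):
        if "DLLs Loaded Under Running Processes" in line:
            in_section = True
        elif not in_section or not line:
            continue
        elif (m := PROCESS_HEADER.match(line)):
            current = f"{m[1]}({m[2]})"
            result[current] = []
        elif line == ".":
            current = None          # a lone dot closes the current process block
        elif current is None:
            break                   # any other text after a block ends the section
        else:
            result[current].append(line)
    return result

def unexpected_dlls(log_text):
    """Per process, the DLLs loaded from outside the expected install roots."""
    by_proc = parse_loaded_dlls(log_text)
    odd = {p: [d for d in dlls if not d.lower().startswith(EXPECTED_ROOTS)]
           for p, dlls in by_proc.items()}
    return {p: dlls for p, dlls in odd.items() if dlls}
```

Calling unexpected_dlls(SAMPLE_LOG) returns only the explorer.exe entry with the module under the user's Application Data folder; a flagged path is a lead to verify (publisher, hash, install date), not a verdict on its own.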


#11 gringo_pr

Bleepin Gringo, Malware Response Team

Posted 16 November 2011 - 02:51 PM

Blitzblank.

Download BlitzBlank and save it to your desktop. Open Blitzblank.exe

  • Click OK at the warning (and take note of it, this is a VERY powerful tool!).
  • Click the Script tab and copy/paste the following text there:
CopyFile:
c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe c:\windows\SYSTEM32\winlogon.exe
  • Click Execute Now. Your computer will need to reboot in order to replace the files.
  • When done, post me the report created by Blitzblank. You can find it at the root of the drive, normally C:\

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#12 cloudeleven


Posted 16 November 2011 - 03:13 PM

I ran Blitzblank and the report is below. Not sure if you saw my edit above, but ComboFix also told me I was infected with Rootkit.ZeroAccess, and it had inserted itself into the tcp/ip stack. Hopefully ComboFix fixed that.



BlitzBlank 1.0.0.32

File/Registry Modification Engine native application
CopyFileOnReboot: sourceFile = "\??\c:\windows\softwaredistribution\download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe", destinationFile = "\??\c:\windows\system32\winlogon.exe"

#13 gringo_pr


Posted 16 November 2011 - 03:55 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#14 cloudeleven


Posted 17 November 2011 - 02:13 AM

I didn't have any problems running the script. My computer seems OK.

Bleeping Computer says my ComboFix log is too long to post, so I uploaded it to Mediafire here:

http://www.mediafire.com/?wnw3n1irsmpc32a

#15 gringo_pr


Posted 17 November 2011 - 02:46 AM

Hello

:P2P Warning!:

IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add/remove programs
click on the following programs

Adobe Reader 9
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.1_02
Java 2 Runtime Environment, SE v1.4.2_03
Java 2 Runtime Environment, SE v1.4.2_06
Java Web Start


and click on remove

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.

Your Java is out of date.

It can be updated by the Java control panel
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts


TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

If you have problems running HijackThis:

Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe (located at C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe) and select Run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

