Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

win 32 malware gen threat & "blue screen of death"


  • This topic is locked This topic is locked
29 replies to this topic

#1 angicx

angicx

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:beaumont, tx
  • Local time:04:45 AM

Posted 04 December 2011 - 10:28 PM

***EDIT as of 12/5- I tried to run ESET again right before I went to bed last night and it finally updated and ran. I saw the results the morning... it found 2 threats and deleted them. I closed it without saving the file. I'm sorry about that, I just wasn't thinking. I wanted to let you guys know so you wouldn't waste your time with this new post if it wasn't necessary. I will await your advice before I do anything further.***

My computer has been sluggish and quits responding at times. Some keyboard keys stop working from time to time but I'm not sure if that's just a keyboard problem. I don't think it is though because the problem seems so random.

I originally ran a full scan with Avast and it detected a generic threat. I think I've seen this or something similar on my machine before semi-recently. I deleted it last time but thought I might need help for more thorough removal in case it's the same one popping back up. I've gone through malware and virus removal before on this machine and the last fix I made was a few years ago in which I had to reformat and wipe the restore files to get rid of a bug hiding there. Haven't had anything serious since.

I have Windows XP on an Acer laptop.

NEW NOTE: Since having originally posted the above info in the "am I infected" forum and received some assistance there trying to get it removed, my laptop is now going to the "blue screen of death" after the windows start up screen. I am scanning and posting in safe mode now.

Also, I tried to run the gmer program once before but my system froze up before it competed, so I'm not sure if it actually completed the first time, but this is the second run.

Link to original thread:
http://www.bleepingcomputer.com/forums/topic427904.html/page__pid__2475235#entry2475235

Thanks again in advance.
Angi C.


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Angi at 22:04:42 on 2011-11-29
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.49 [GMT -6:00]
.
.
============== Running Processes ===============
.
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\3DO\update_check.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Angi\My Documents\Downloads\Defogger.exe
C:\Documents and Settings\Angi\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: StumbleUpon Launcher: {145b29f4-a56b-4b90-bbac-45784ebebbb7} - c:\program files\stumbleupon\StumbleUponIEBar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: StumbleUpon Toolbar: {5093eb4c-3e93-40ab-9266-b607ba87bdc8} - c:\program files\stumbleupon\StumbleUponIEBar.dll
uRun: [<NO NAME>]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Upgrade_Client] c:\program files\3do\update_check.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [IMJPMIG8.1] c:\windows\ime\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
dRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
dRun: [LClock] c:\program files\lclock\LClock.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
dRunOnce: [RunNarrator] Narrator.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{75A2B0D9-5143-4D47-B030-29E6EC025DDF} : DhcpNameServer = 209.18.47.61 209.18.47.62
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {D58F39FF-953E-4F45-898F-59F243B9A523} - RUNDLL32 advpack.dll,LaunchINFSection Sidebar.inf,Register
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\angi\application data\mozilla\firefox\profiles\esatl8mj.default\
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R? FlyUsb;FLY Fusion
R? gupdate;Google Update Service (gupdate)
R? gupdatem;Google Update Service (gupdatem)
R? MpFilter;Microsoft Malware Protection Driver
R? StumbleUponUpdateService;StumbleUponUpdateService
R? WDC_SAM;WD SCSI Pass Thru driver
R? XDva390;XDva390
S? !SASCORE;SAS Core Service
S? aswFsBlk;aswFsBlk
S? aswSnx;aswSnx
S? aswSP;aswSP
S? avast! Antivirus;avast! Antivirus
S? MBAMProtector;MBAMProtector
S? MBAMService;MBAMService
S? SASDIFSV;SASDIFSV
S? SASKUTIL;SASKUTIL
.
=============== Created Last 30 ================
.
2011-11-20 05:11:25 -------- d-----w- c:\documents and settings\angi\application data\SUPERAntiSpyware.com
2011-11-20 05:10:11 -------- d-----w- c:\documents and settings\all users.windows\application data\!SASCORE
2011-11-20 05:10:00 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-11-19 18:42:57 -------- d-----w- c:\documents and settings\angi\application data\Malwarebytes
2011-11-19 18:42:46 -------- d-----w- c:\documents and settings\all users.windows\application data\Malwarebytes
2011-11-19 18:42:40 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-19 18:42:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-18 00:18:07 -------- d-----w- c:\program files\ESET
2011-11-13 11:55:47 -------- d-sh--w- c:\documents and settings\angi\PrivacIE
2011-11-05 02:20:14 -------- d-----w- C:\3590F75ABA9E485486C100C1A9D4FF06ZZZZZZZ....ZZ.ZZ
.
==================== Find3M ====================
.
2011-11-05 02:15:58 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 17:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 17:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 17:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-06 20:45:29 41184 ----a-w- c:\windows\avastSS.scr
2011-09-06 20:38:05 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 22:09:08.34 ===============

Attached Files


Edited by angicx, 05 December 2011 - 08:12 AM.


BC AdBot (Login to Remove)

 


#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,760 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:45 AM

Posted 09 December 2011 - 10:30 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Posted Image In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/430797 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Posted Image If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 nasdaq

nasdaq

  • Malware Response Team
  • 40,464 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:45 AM

Posted 10 December 2011 - 02:21 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Close any open browsers, and all other programs working. Make sure you save your file if working on a document.
  • Do not install any other programs until this if fixed.[/b]
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some Rookit infection may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall
===

Third party programs if not up to date can be the cause of infiltration an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please post the logs and let me know if the problem persists.

Post the logs for my review.

#4 angicx

angicx
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:beaumont, tx
  • Local time:04:45 AM

Posted 10 December 2011 - 05:44 PM

Hello. I'm having all the same problems as before.

I have run eset, superantispy and malwarebytes. All found issues and deleted them, but the problems remain. I also deleted restore files in case the malware was hiding there, as it was last time, but problems remain.

No, I do not have a windows disc.

Thanks in advance for your help.



.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Angi at 11:47:33 on 2011-12-10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.55 [GMT -6:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Antivirus *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\3DO\update_check.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: StumbleUpon Launcher: {145b29f4-a56b-4b90-bbac-45784ebebbb7} - c:\program files\stumbleupon\StumbleUponIEBar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: StumbleUpon Toolbar: {5093eb4c-3e93-40ab-9266-b607ba87bdc8} - c:\program files\stumbleupon\StumbleUponIEBar.dll
uRun: [<NO NAME>]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Upgrade_Client] c:\program files\3do\update_check.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [IMJPMIG8.1] c:\windows\ime\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
dRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
dRun: [LClock] c:\program files\lclock\LClock.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
dRunOnce: [RunNarrator] Narrator.exe
uPolicies-explorer: ForceActiveDesktopOn = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{75A2B0D9-5143-4D47-B030-29E6EC025DDF} : DhcpNameServer = 209.18.47.61 209.18.47.62
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {D58F39FF-953E-4F45-898F-59F243B9A523} - RUNDLL32 advpack.dll,LaunchINFSection Sidebar.inf,Register
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\angi\application data\mozilla\firefox\profiles\esatl8mj.default\
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-2-28 442200]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-11-19 320856]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-7-18 123264]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-11-19 20568]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-19 44768]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\mpfilter.sys --> c:\windows\system32\drivers\MpFilter.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-8-13 136176]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2011-9-16 18560]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-8-13 136176]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-19 22216]
S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\stumbleupon\StumbleUponUpdateService.exe [2010-3-25 120232]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 XDva390;XDva390;\??\c:\windows\system32\xdva390.sys --> c:\windows\system32\XDva390.sys [?]
S4 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-19 366152]
.
=============== Created Last 30 ================
.
2011-11-20 05:11:25 -------- d-----w- c:\documents and settings\angi\application data\SUPERAntiSpyware.com
2011-11-20 05:10:11 -------- d-----w- c:\documents and settings\all users.windows\application data\!SASCORE
2011-11-20 05:10:00 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-11-19 18:42:57 -------- d-----w- c:\documents and settings\angi\application data\Malwarebytes
2011-11-19 18:42:46 -------- d-----w- c:\documents and settings\all users.windows\application data\Malwarebytes
2011-11-19 18:42:40 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-19 18:42:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-18 00:18:07 -------- d-----w- c:\program files\ESET
2011-11-13 11:55:47 -------- d-sh--w- c:\documents and settings\angi\PrivacIE
.
==================== Find3M ====================
.
2011-11-05 02:15:58 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 17:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 17:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 17:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
============= FINISH: 11:49:52.90 ===============

Attached Files



#5 angicx

angicx
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:beaumont, tx
  • Local time:04:45 AM

Posted 10 December 2011 - 11:13 PM

Results of screen317's Security Check version 0.99.28
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
avast! Free Antivirus
ESET Online Scanner v3
Antivirus up to date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
Java™ 6 Update 26
Java version out of date!
Adobe Flash Player 11.0.1.152
Adobe Reader 9 Adobe Reader out of date!
Mozilla Firefox (8.0.)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Alwil Software Avast5 AvastSvc.exe
Alwil Software Avast5 avastUI.exe
``````````End of Log````````````

Attached Files

  • Attached File  log.txt   11.79KB   0 downloads


#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,464 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:45 AM

Posted 11 December 2011 - 08:40 AM

Please post the ComboFix log for my review.

#7 angicx

angicx
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:beaumont, tx
  • Local time:04:45 AM

Posted 11 December 2011 - 04:30 PM

Oops, sorry!



ComboFix 11-12-10.01 - Angi 12/10/2011 20:40:45.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.265 [GMT -6:00]
Running from: c:\documents and settings\Angi\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Antivirus *Disabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\Desktopicon
c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
c:\documents and settings\Angi\Application Data\Desktopicon
c:\documents and settings\Angi\WINDOWS
c:\documents and settings\Default User.WINDOWS\Application Data\Desktopicon
c:\windows\CSC\d6
c:\windows\system32\config\systemprofile\Application Data\Desktopicon
.
.
((((((((((((((((((((((((( Files Created from 2011-11-11 to 2011-12-11 )))))))))))))))))))))))))))))))
.
.
2011-12-11 02:23 . 2011-12-11 02:32 -------- d-----w- C:\32788R22FWJFW
2011-12-01 23:45 . 2011-12-01 23:45 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-11-20 05:11 . 2011-11-20 05:11 -------- d-----w- c:\documents and settings\Angi\Application Data\SUPERAntiSpyware.com
2011-11-20 05:10 . 2011-11-20 05:10 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\!SASCORE
2011-11-20 05:10 . 2011-11-20 05:11 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-11-19 18:42 . 2011-11-19 18:42 -------- d-----w- c:\documents and settings\Angi\Application Data\Malwarebytes
2011-11-19 18:42 . 2011-11-19 18:42 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2011-11-19 18:42 . 2011-08-31 23:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-19 18:42 . 2011-11-19 18:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-18 00:18 . 2011-11-18 00:18 -------- d-----w- c:\program files\ESET
2011-11-13 11:55 . 2011-11-13 11:55 -------- d-sh--w- c:\documents and settings\Angi\PrivacIE
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-05 02:15 . 2011-05-29 13:23 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2010-04-24 21:37 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2008-04-14 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 17:41 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 17:41 . 2008-04-14 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 17:41 . 2008-04-14 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-11-09 14:04 . 2011-05-08 00:52 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-05-18 10:38 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 20:45 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Upgrade_Client"="c:\program files\3DO\update_check.exe" [2011-05-01 59392]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2011-02-03 77824]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2011-02-03 737360]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2011-02-03 737360]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2011-02-03 208949]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"nltide_3"="advpack.dll" [2009-03-08 128512]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^WDDMStatus.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\WDDMStatus.lnk
backup=c:\windows\pss\WDDMStatus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Angi^Start Menu^Programs^Startup^Styler.lnk]
path=c:\documents and settings\Angi\Start Menu\Programs\Startup\Styler.lnk
backup=c:\windows\pss\Styler.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 23:43 69632 ----a-w- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]
2005-12-21 20:02 53248 ------w- c:\program files\Realtek\InstallShield\AzMixerSel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EverioService]
2007-11-01 22:13 151552 ------w- c:\program files\CyberLink\PCM4Everio\EverioService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-12-13 23:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X74-X75]
2002-10-14 20:09 57344 ----a-w- c:\program files\Lexmark X74-X75\lxbbbmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
2011-08-23 22:17 211296 ----a-w- c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 23:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-06-28 19:54 16248320 ----a-w- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-16 23:04 2879488 ----a-w- c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-07-29 01:09 4599680 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2006-03-03 18:07 761946 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
2008-05-02 04:15 15872 ----a-w- c:\program files\Unlocker\UnlockerAssistant.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VZWSUAM]
2011-04-13 20:42 196608 ----a-w- c:\documents and settings\Angi\Application Data\Verizon\SUA\VZWSUAM.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\rusty hearts\\ClientLauncher.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
"c:\\Program Files\\LimeZilla\\LimeZilla.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2/28/2011 9:01 PM 442200]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/19/2010 1:16 PM 320856]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 10:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 3:55 PM 67664]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/19/2010 1:16 PM 20568]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [9/16/2011 6:44 PM 18560]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/19/2011 12:42 PM 22216]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 3:06 PM 11520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-13 20:22]
.
2011-12-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-13 20:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Angi\Application Data\Mozilla\Firefox\Profiles\esatl8mj.default\
.
- - - - ORPHANS REMOVED - - - -
.
HKU-Default-Run-RocketDock - c:\program files\RocketDock\RocketDock.exe
HKU-Default-Run-LClock - c:\program files\LClock\LClock.exe
MSConfigStartUp-LClock - c:\program files\LClock\LClock.exe
MSConfigStartUp-MSSE - c:\program files\Microsoft Security Essentials\msseces.exe
AddRemove-03_Swallowtail - c:\program files\SAMSUNG\USB Drivers\03_Swallowtail\Uninstall.exe
AddRemove-04_semseyite - c:\program files\SAMSUNG\USB Drivers\04_semseyite\Uninstall.exe
AddRemove-16_Shrewsbury - c:\program files\SAMSUNG\USB Drivers\16_Shrewsbury\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-10 21:03
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(500)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2011-12-10 21:11:10
ComboFix-quarantined-files.txt 2011-12-11 03:10
.
Pre-Run: 23,434,928,128 bytes free
Post-Run: 23,484,272,640 bytes free
.
- - End Of File - - 61EC05F704F259FC0B62E29189982E7D

#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,464 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:45 AM

Posted 12 December 2011 - 11:03 AM

The ComboFix log is clean.
===

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 26

===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before your download I suggest you unckeck the box on the top right "Include in your download" this is not required. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.

Please let me know of any remaining issues with this computer.

#9 angicx

angicx
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:beaumont, tx
  • Local time:04:45 AM

Posted 12 December 2011 - 09:08 PM

It's still acting pretty strange. Any audio that runs is robotic and glitchy sounding. My keyboard is also still only working sporadically.

I was able to update adobe but not java...it just keeps trying to load the page once I hit download, and then times out each time. I know the system is pretty full so I'm going to go ahead and see what I can uninstall or delete, but I'm not sure if that's the problem. I got the blue screen just yesterday and every time windows loads, it does the scan disc thing automatically.

EDIT: After my above post, I ran Malwarebytes again. I'm going to post the log below. Whatever this dvd ripper thing is, it keeps showing up, even after it's supposedly been quarantined and deleted. Over the past weeks this has happened with Malwareytes, SuperAntiSpy, Eset, and Avast. Nothing can clean it and it appears to keep moving around because each time, it's showing up in a different location and sometimes as more than one file. After I saved the log, I let the program delete the file. Supposedly. <_<





Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8362

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/13/2011 6:22:27 AM
mbam-log-2011-12-13 (06-22-06).txt

Scan type: Full scan (C:\|)
Objects scanned: 336990
Time elapsed: 3 hour(s), 10 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Angi\local settings\temporary internet files\Content.IE5\2SDR52GP\oi_ivideoware_dvd_ripper_ultimate_8[1].exe (Adware.K.OpenInstall) -> No action taken.

Edited by angicx, 13 December 2011 - 07:34 AM.


#10 nasdaq

nasdaq

  • Malware Response Team
  • 40,464 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:45 AM

Posted 13 December 2011 - 11:21 AM

I checked on the ivideoware-dvd-ripper and my Norton stopped me from visiting the sire.

http://www.brothersoft.com/ivideoware-dvd-ripper-433407.html
This is a known malicious web site. It is recommended that you do NOT visit this site. The detailed report explains the security risks on this site.


Do you visit brothersoft or have any any programs from them?

Malwarebytes removes it from the Internet Explorer cache with indicates some visit to the site of some other site that exploit this.

===


Quoted from you attach.txt file.

C: is FIXED (NTFS) - 75 GiB total, 21.798 GiB free.


You have plenty of free space on the Hard Drive.
===

When was the last time you used the Defrag tool?
Check you Windows help file for Defragmentation. Follow the instructions to defrag the computer.

===

Let me check this file reported as unsigned by ComboFix.
c:\windows\system32\mspmsnsv.dll

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:


    :filefind
    mspmsnsv.dll

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#11 angicx

angicx
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:beaumont, tx
  • Local time:04:45 AM

Posted 13 December 2011 - 07:54 PM

I don't recognize the site brothersoft, or the dvd ripper program. I haven't been the only one using this laptop though... my mom came over and just so happened to get a virus or malware on my laptop AND my desktop. Go figure!

Anyway, I seem to remember someone else from this site telling me my computer may be acting slow because it was almost full. I do have a lot of photos and video. I haven't defragged very lately but I have semi lately. I will do it again pretty quick. I'd also like to quit any unnecessary processes running at startup because it seems there is way too much going on there, but I don't know what is important and what isn't. Is there somewhere that can tell me what ONLY the necessary startup items are?


Here's the log, thanks.



SystemLook 30.07.11 by jpshortstuff
Log created at 12:54 on 13/12/2011 by Angi
Administrator - Elevation successful

========== filefind ==========

Searching for "mspmsnsv.dll"
C:\WINDOWS\system32\mspmsnsv.dll --a---- 27136 bytes [10:38 18/05/2008] [10:38 18/05/2008] C51B4A5C05A5475708E3C81C7765B71D

-= EOF =-

#12 nasdaq

nasdaq

  • Malware Response Team
  • 40,464 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:45 AM

Posted 14 December 2011 - 08:58 AM

Files Infected:
c:\documents and settings\Angi\local settings\temporary internet files\Content.IE5\2SDR52GP\oi_ivideoware_dvd_ripper_ultimate_8[1].exe (Adware.K.OpenInstall) -> No action taken.

It should have see this before. You did not take any action of this entry.

Run combofix and remove it.


This is my canned speech. Update the tool and run it in according with these instructions.
Please download Malwarebytes Anti-Malware and save it to your desktop.
  • alternate download link 2
    • Make sure you are connected to the Internet.
    • Double-click on Download_mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:[list]
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Post back with the Malwarebytes Anti-Malware log once it's complete.
===

Run msconfig and disable these three processes in bold. They are not required at start up.
c:\windows\Alcmtr.exe
c:\program files\QuickTime\QTTask.exe
c:\program files\3do\update_check.exe
===


Open notepad and copy/paste the text in the quote box below into it:

Driver::
XDva390

Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"=-



Save this as CFScript on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Let me know what problem persists.

#13 angicx

angicx
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:beaumont, tx
  • Local time:04:45 AM

Posted 15 December 2011 - 08:30 PM

Quote: "It should have see this before. You did not take any action of this entry."

Actually, I let the program delete the threat after I saved the log. Sorry, whoops!



Here's the MBAM and combo fix logs. Not sure but it may have worked. I need to restart and see how it acts, which I will do and let you know if there's still a problem.

Thanks!



Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8373

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/14/2011 11:21:23 PM
mbam-log-2011-12-14 (23-21-23).txt

Scan type: Quick scan
Objects scanned: 248424
Time elapsed: 20 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





ComboFix 11-12-13.03 - Angi 12/15/2011 6:59.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.235 [GMT -6:00]
Running from: c:\documents and settings\Angi\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Angi\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Antivirus *Disabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_XDVA390
-------\Service_XDva390
.
.
((((((((((((((((((((((((( Files Created from 2011-11-15 to 2011-12-15 )))))))))))))))))))))))))))))))
.
.
2011-12-15 04:56 . 2011-08-31 23:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-15 04:56 . 2011-12-15 04:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-15 03:34 . 2011-12-15 03:34 -------- d-----w- c:\program files\Common Files\Java
2011-12-13 01:11 . 2011-12-13 01:11 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-12-11 19:02 . 2011-12-11 19:02 -------- d-----w- c:\windows\system32\wbem\snmp
2011-12-11 19:02 . 2011-12-11 19:02 -------- d-----w- c:\windows\system32\xircom
2011-12-11 19:02 . 2011-12-11 19:02 -------- d-----w- c:\program files\microsoft frontpage
2011-12-01 23:45 . 2011-12-01 23:45 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-11-20 05:11 . 2011-11-20 05:11 -------- d-----w- c:\documents and settings\Angi\Application Data\SUPERAntiSpyware.com
2011-11-20 05:10 . 2011-11-20 05:10 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\!SASCORE
2011-11-20 05:10 . 2011-11-20 05:11 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-11-19 18:42 . 2011-11-19 18:42 -------- d-----w- c:\documents and settings\Angi\Application Data\Malwarebytes
2011-11-19 18:42 . 2011-11-19 18:42 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2011-11-18 00:18 . 2011-11-18 00:18 -------- d-----w- c:\program files\ESET
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-28 18:01 . 2010-11-19 19:15 41184 ----a-w- c:\windows\avastSS.scr
2011-11-28 18:01 . 2010-11-19 19:15 199816 ----a-w- c:\windows\system32\aswBoot.exe
2011-11-28 17:53 . 2011-03-01 03:01 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-11-28 17:53 . 2010-11-19 19:16 314456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-11-28 17:52 . 2010-11-19 19:16 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-11-28 17:52 . 2010-11-19 19:16 52952 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-11-28 17:52 . 2010-11-19 19:15 111320 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-11-28 17:51 . 2010-11-19 19:15 105176 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-11-28 17:51 . 2010-11-19 19:16 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-11-28 17:48 . 2010-11-19 19:15 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-11-05 02:15 . 2011-05-29 13:23 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2010-04-24 21:37 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-03 11:06 . 2011-01-22 16:38 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 08:37 . 2011-01-22 16:38 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-28 07:06 . 2008-04-14 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 17:41 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 17:41 . 2008-04-14 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 17:41 . 2008-04-14 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-11-09 14:04 . 2011-05-08 00:52 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-05-18 10:38 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll
.
((((((((((((((((((((((((((((( SnapShot@2011-12-11_03.04.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-15 13:45 . 2011-12-15 13:45 16384 c:\windows\Temp\Perflib_Perfdata_5e4.dat
+ 2011-12-13 01:12 . 2011-12-13 01:12 28160 c:\windows\Installer\67b586f.msi
+ 2011-06-06 18:55 . 2011-06-06 18:55 17304 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\ViewerPS.dll
+ 2011-06-06 18:55 . 2011-06-06 18:55 35736 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\reader_sl.exe
+ 2011-06-06 18:55 . 2011-06-06 18:55 88992 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\PDFPrevHndlr.dll
+ 2011-06-06 18:55 . 2011-06-06 18:55 94608 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\eula.exe
+ 2011-06-06 18:55 . 2011-06-06 18:55 49064 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\acrotextextractor.exe
+ 2011-06-06 18:55 . 2011-06-06 18:55 17824 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRd32Info.exe
+ 2011-06-06 18:55 . 2011-06-06 18:55 63912 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\acroiehelpershim.dll
+ 2011-06-06 18:55 . 2011-06-06 18:55 64928 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroIEHelper.dll
+ 2011-06-06 18:55 . 2011-06-06 18:55 63384 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\Acrofx32.dll
+ 2011-12-15 03:27 . 2011-10-03 11:06 157472 c:\windows\system32\javaws.exe
- 2011-08-11 02:06 . 2011-05-04 09:52 157472 c:\windows\system32\javaws.exe
+ 2011-12-15 03:27 . 2011-10-03 11:06 145184 c:\windows\system32\javaw.exe
- 2011-08-11 02:06 . 2011-05-04 09:52 145184 c:\windows\system32\javaw.exe
+ 2011-12-15 03:27 . 2011-10-03 11:06 145184 c:\windows\system32\java.exe
- 2011-08-11 02:06 . 2011-05-04 09:52 145184 c:\windows\system32\java.exe
+ 2011-12-15 03:34 . 2011-12-15 03:34 203776 c:\windows\Installer\84c3eda.msi
+ 2011-06-06 18:55 . 2011-06-06 18:55 249232 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\sqlite.dll
+ 2011-06-06 18:55 . 2011-06-06 18:55 394136 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\pdfshell.dll
+ 2011-06-06 18:55 . 2011-06-06 18:55 103848 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\PDFPrevHndlrShim.exe
+ 2011-06-06 18:55 . 2011-06-06 18:55 183696 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\nppdf32.dll
+ 2011-06-06 18:55 . 2011-06-06 18:55 104344 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AiodLite.dll
+ 2011-06-06 18:55 . 2011-06-06 18:55 102808 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRdIF.dll
+ 2011-06-06 18:55 . 2011-06-06 18:55 755088 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroPDF.dll
+ 2011-06-06 18:55 . 2011-06-06 18:55 296344 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\acrobroker.exe
+ 2011-06-06 18:55 . 2011-06-06 18:55 205720 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\a3dutils.dll
+ 2011-12-13 01:32 . 2011-12-13 01:32 2295808 c:\windows\Installer\67b59e6.msi
+ 2011-06-06 18:55 . 2011-06-06 18:55 2215312 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\rt3d.dll
+ 2011-06-06 18:55 . 2011-06-06 18:55 6543768 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\authplay.dll
+ 2011-06-06 18:55 . 2011-06-06 18:55 1240992 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AdobeCollabSync.exe
+ 2011-06-06 18:55 . 2011-06-06 18:55 1480600 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRd32.exe
+ 2011-09-05 21:51 . 2011-09-05 21:51 13135872 c:\windows\Installer\67b59e7.msp
+ 2011-06-06 18:55 . 2011-06-06 18:55 24731544 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRd32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-11-28 18:01 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2011-02-03 77824]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2011-02-03 737360]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2011-02-03 737360]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2011-02-03 208949]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2009-03-08 128512]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^WDDMStatus.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\WDDMStatus.lnk
backup=c:\windows\pss\WDDMStatus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Angi^Start Menu^Programs^Startup^Styler.lnk]
path=c:\documents and settings\Angi\Start Menu\Programs\Startup\Styler.lnk
backup=c:\windows\pss\Styler.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 23:43 69632 ----a-w- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]
2005-12-21 20:02 53248 ------w- c:\program files\Realtek\InstallShield\AzMixerSel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EverioService]
2007-11-01 22:13 151552 ------w- c:\program files\CyberLink\PCM4Everio\EverioService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-12-13 23:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X74-X75]
2002-10-14 20:09 57344 ----a-w- c:\program files\Lexmark X74-X75\lxbbbmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
2011-08-23 22:17 211296 ----a-w- c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 23:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-06-28 19:54 16248320 ----a-w- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-16 23:04 2879488 ----a-w- c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-07-29 01:09 4599680 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2006-03-03 18:07 761946 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
2008-05-02 04:15 15872 ----a-w- c:\program files\Unlocker\UnlockerAssistant.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Upgrade_Client]
2011-05-01 17:13 59392 ----a-w- c:\program files\3DO\update_check.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VZWSUAM]
2011-04-13 20:42 196608 ----a-w- c:\documents and settings\Angi\Application Data\Verizon\SUA\VZWSUAM.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\rusty hearts\\ClientLauncher.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
"c:\\Program Files\\LimeZilla\\LimeZilla.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2/28/2011 9:01 PM 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/19/2010 1:16 PM 314456]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 10:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 3:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [7/18/2011 6:02 PM 123264]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/19/2010 1:16 PM 20568]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/14/2011 10:57 PM 366152]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/14/2011 10:56 PM 22216]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/13/2011 2:22 PM 136176]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [9/16/2011 6:44 PM 18560]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/13/2011 2:22 PM 136176]
S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\StumbleUpon\StumbleUponUpdateService.exe [3/25/2010 2:21 PM 120232]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 3:06 PM 11520]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMPROTECTOR
*NewlyCreated* - MBAMSERVICE
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-13 20:22]
.
2011-12-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-13 20:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\documents and settings\Angi\Application Data\Mozilla\Firefox\Profiles\esatl8mj.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-15 07:47
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(560)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3152)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Alwil Software\Avast5\setup\avast.setup
.
**************************************************************************
.
Completion time: 2011-12-15 08:14:56 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-15 14:13
ComboFix2.txt 2011-12-15 04:37
ComboFix3.txt 2011-12-11 03:11
.
Pre-Run: 22,403,469,312 bytes free
Post-Run: 22,414,913,536 bytes free
.
- - End Of File - - 259E93ECBF31E599794588B058074FAF

#14 nasdaq

nasdaq

  • Malware Response Team
  • 40,464 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:45 AM

Posted 16 December 2011 - 09:14 AM

Looking good.

Any remaining issues?

#15 angicx

angicx
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:beaumont, tx
  • Local time:04:45 AM

Posted 16 December 2011 - 07:51 PM

Darn. Yeah, it seems worse unfortunately. I used something that was in my programs list called ultimate defrag 2008 and then realized that it only moved fragmented files, nothing else, so I thought I'd just use Windows's tool. I went to go defrag and it said that scandisc had been scheduled and needed to go through that process before defrag could do its thing, so I let it run last night. It was still going at bedtime so I left it going. When I got up the next morning, it had stalled at 98%. The light by the power button was flickering so I figured it wasn't frozen, just hung or something. So I started it again before I went to work. Got home 9 hours later and it was hung again, this time at 40%. I restarted and it took forever to go through startup (at the Windows screen) then I hit a button to skip scandisk. Took forever to boot up, probably 5 minutes from start to desktop. The processor is constantly running. Sounds like audio is still sketchy too.

Then I got online to post here when I noticed my Avast virus program wasn't running in my bottom right tool bar. So I went to minimize Firefox and it took like a full 60 seconds to gradually phase out from top to bottom. Then it took another 60 seconds to get to the start menu once I hit the button. Anyway, this is the second time I've had to go start Avast up manually. It looks like since I reinstalled MWAB, it's running a trial version (that's what it says when I mouse over the icon anyway) and it's staying in the toolbar. Is that why Avast isn't, I wonder? Anyway, I don't know what to do now. I'm not sure if defrag needs to run, or if it even will, or if all of this is indicative of a continuing infection. What the heck, didn't the logs look clean? I don't get it. :(

If I had a disc, I would just reformat. Grrr.

Edited by angicx, 17 December 2011 - 10:30 AM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users