Can't remove system check


  • This topic is locked
31 replies to this topic

#1 Needhelpbigtime

Needhelpbigtime

  • Members
  • 17 posts

Posted 26 January 2012 - 09:08 PM

I have a computer running Vista and have the System Check virus. The computer is set up with 3 users and the administrator account seems to be the one with the biggest problem. Tried following the instructions in the Uninstall guide - ran RKill (but had a lot of problems), TDSSKiller and then Malwarebytes'. Thought it was gone, but now a day later, it's back. Have Microsoft Security Essentials. Please Help.



#2 Needhelpbigtime

Needhelpbigtime
  • Topic Starter

  • Members
  • 17 posts

Posted 28 January 2012 - 12:18 PM

Just an update - I started running through the steps in the "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help". My Windows Firewall is currently off, although I had it "on", and when I try to change the settings I get a message that says "Due to an unidentified problem, Windows cannot display Windows Firewall settings." Also, I have since disconnected the computer from the internet.

#3 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 29 January 2012 - 03:56 PM

Hi Needhelpbigtime,

:welcome: to Bleeping Computer.

My name is Jason and I'll be helping you with your computer problems. You can call me by my screen name jntkwx, or Jason is fine.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put logs in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can also help.
  • Do not run anything while running a fix.
  • If you don't understand a step, please ask for clarification before continuing with any future steps.

Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you get notified faster when I have replied and make the cleaning process faster.

 

That error is common with some of the most recent malware infections. You can connect back to the Internet to do the following...

Please take note:

  • If you have since resolved the original problem you were having, I would appreciate you letting me know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and I will guide you.
  • Please tell me if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps I have recommended please try one more time and if unsuccessful alert us of such and I will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below I will review your topic and do my best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

I need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double-click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


I also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Edited by jntkwx, 29 January 2012 - 03:56 PM.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.


#4 Needhelpbigtime

Needhelpbigtime
  • Topic Starter

  • Members
  • 17 posts

Posted 30 January 2012 - 06:04 AM

Hello Jason, my name is John. First, thanks in advance for your help. I am sure that I have the original Windows disks, because I never throw them away. However, upon a quick search, I could not locate them but I will keep looking. Also, there is a Factory Image drive that came pre-installed on the computer. I am not sure if the files are contained on that, or not.

Here is the DDS log.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Elisabeth at 21:36:10 on 2012-01-29
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2039.1095 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\V0350Mon.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\ProgramData\notifyc.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Sony\SonicStage\SSAAD.exe
C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
c:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe
c:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe
c:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://verizon.my.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Presario&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Presario&pf=desktop
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll
BHO: ooVoo Toolbar: {59c6f12b-f004-43e5-9997-08f2123119b6} - c:\program files\oovootoolbar\oovootoolbarX.dll
BHO: IEHlprObj Class: {8ca5ed52-f3fb-4414-a105-2e3491156990} - c:\progra~1\iwinga~1\IWINGA~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Yontoo Layers (Drop Down Deals): {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers runtime (drop down deals)\YontooIEClient.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: ooVoo Toolbar: {59c6f12b-f004-43e5-9997-08f2123119b6} - c:\program files\oovootoolbar\oovootoolbarX.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SsAAD.exe] c:\progra~1\sony\sonics~1\SsAAD.exe
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
uRun: [Creative Live! Cam Manager] "c:\program files\creative\creative live! cam\live! cam manager\CTLCMgr.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [notifyc] c:\programdata\notifyc.exe
uRun: [configwiz] c:\users\elisabeth\appdata\roaming\configwiz.exe
uRun: [2934696CB8C1A23915A896E0A04586E1D14D478D._service_run] "c:\program files\google\chrome\application\chrome.exe" --type=service
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [V0350Mon.exe] c:\windows\V0350Mon.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [QuickFinder Scheduler] "c:\program files\wordperfect office x3\programs\QFSCHD130.EXE"
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [VerizonServicepoint.exe] "c:\program files\verizon\vsp\VerizonServicepoint.exe" /AUTORUN
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [notifyc] c:\programdata\notifyc.exe
mRun: [configwiz] c:\users\elisabeth\appdata\roaming\configwiz.exe
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: Open with WordPerfect - c:\program files\wordperfect office x3\programs\WPLauncher.hta
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
LSP: c:\windows\system32\wpclsp.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1 71.250.0.12 68.237.161.12
TCP: Interfaces\{77BE3792-1846-41B1-97B1-13D9C1F82B57} : DhcpNameServer = 192.168.1.1 71.250.0.12 68.237.161.12
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-10-3 21504]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-1-24 652872]
R3 dhdusb.NTx86;Dynex Enhanced Wireless G USB Network Adapter Service;c:\windows\system32\drivers\bcmusbdhdlh.sys [2008-1-9 241656]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-1-24 20464]
R3 VF0350Afx;VF0350 Audio FX;c:\windows\system32\drivers\V0350Afx.sys [2008-2-12 142656]
R3 VF0350Vfx;VF0350 Video FX;c:\windows\system32\drivers\V0350Vfx.sys [2008-2-12 7424]
R3 VF0350Vid;Live! Cam Video IM (VF0350);c:\windows\system32\drivers\V0350Vid.sys [2008-2-12 170368]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-11 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-11 135664]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 65024]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
SUnknown cyrmxqrg;cyrmxqrg; [x]
.
=============== Created Last 30 ================
.
2012-01-30 02:25:39 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{93a53b81-28b3-4e91-8b97-3d60d25a31d9}\offreg.dll
2012-01-28 16:56:05 6557240 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{93a53b81-28b3-4e91-8b97-3d60d25a31d9}\mpengine.dll
2012-01-25 00:09:08 -------- d-----w- c:\users\elisabeth\appdata\roaming\Malwarebytes
2012-01-25 00:09:01 -------- d-----w- c:\programdata\Malwarebytes
2012-01-25 00:08:58 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-25 00:08:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-21 20:10:42 172032 ----a-w- c:\windows\system32\igfxres.dll
2012-01-21 19:10:00 -------- d-----w- c:\program files\iPod
2012-01-21 19:09:56 -------- d-----w- c:\program files\iTunes
2012-01-18 11:12:17 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-18 11:12:17 377344 ----a-w- c:\windows\system32\winhttp.dll
2012-01-18 11:12:17 278528 ----a-w- c:\windows\system32\schannel.dll
2012-01-18 11:12:17 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-18 11:12:16 9728 ----a-w- c:\windows\system32\lsass.exe
2012-01-18 11:12:16 72704 ----a-w- c:\windows\system32\secur32.dll
2012-01-17 17:19:52 -------- d-----w- c:\programdata\529C5084006E95E3002148CF570F1C8B
2012-01-17 17:19:03 -------- d-----w- c:\users\elisabeth\appdata\roaming\Pazouz
2012-01-17 17:19:03 -------- d-----w- c:\users\elisabeth\appdata\roaming\Fyo
2012-01-17 04:12:36 128488 --sha-w- c:\users\elisabeth\appdata\local\dplayx.dll
2012-01-17 04:12:35 109544 ----a-w- c:\users\elisabeth\appdata\roaming\configwiz.exe
2012-01-17 04:12:35 109544 ----a-w- c:\programdata\notifyc.exe
2012-01-16 21:44:24 49536 ----a-w- c:\windows\system32\drivers\tiehdusb.sys
2012-01-16 21:44:24 11520 ----a-w- c:\windows\system32\drivers\wdmstub.sys
2012-01-16 21:44:24 -------- d-----w- c:\program files\common files\TI Shared
2012-01-16 21:43:12 193696 ----a-w- c:\windows\system32\drivers\windrvr6.sys
2012-01-16 21:43:09 17424 ----a-w- c:\windows\system32\drivers\ezusb.sys
2012-01-16 21:42:40 -------- d-----w- c:\program files\common files\Vernier Software
2012-01-16 21:41:28 -------- d-----w- c:\programdata\Vernier
2012-01-16 21:41:28 -------- d-----w- c:\program files\Vernier Software
2012-01-16 21:39:05 -------- d-----w- c:\users\elisabeth\appdata\local\Downloaded Installations
2012-01-11 16:01:43 23552 ----a-w- c:\windows\system32\mciseq.dll
2012-01-11 16:01:43 189952 ----a-w- c:\windows\system32\winmm.dll
2012-01-11 16:01:42 1205064 ----a-w- c:\windows\system32\ntdll.dll
2012-01-11 16:01:40 66560 ----a-w- c:\windows\system32\packager.dll
2012-01-11 16:01:39 376320 ----a-w- c:\windows\system32\winsrv.dll
2012-01-11 16:01:38 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2012-01-11 16:01:34 1314816 ----a-w- c:\windows\system32\quartz.dll
2012-01-11 16:01:33 497152 ----a-w- c:\windows\system32\qdvd.dll
.
==================== Find3M ====================
.
2012-01-25 00:03:32 54784 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-01-04 09:26:22 236576 ------w- c:\windows\system32\MpSigStub.exe
2011-11-26 14:50:00 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:37:27 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-11-08 14:42:19 2048 ----a-w- c:\windows\system32\tzres.dll
.
============= FINISH: 21:38:41.65 ===============

At first, I had trouble running Gmer and had to run it four times before it ran all the way through. On the first three attempts it got stuck on \Device\HarddiskVolumeShadowCopyN, where N was the numbers 1, 2, and 4, consecutively. Then I would get a popup message that said that gmer.exe has stopped working. All I could do was click on "Close program".

Attached are the results from the fourth scan.

John

Attached Files

  • Attached File: Ark.log (11.33KB)
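The DDS log above is what the helper reads by eye: Run keys, the services/drivers table and the "Created Last 30" list. As an added example (not a BleepingComputer tool and not part of this thread), here is a small Python triage script that applies the same kind of heuristics mechanically to a handful of lines copied from that log. It flags autorun entries whose binary sits directly in the root of ProgramData or a user's AppData folder, newly created files with hidden+system attributes inside a user profile, a service with no image on disk, and UAC being switched off. The location regex and the finding categories are my own assumptions about what deserves a second look; they are indicators for review, not a verdict, and the Windows entries they leave alone are deliberately left alone.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample input: lines copied from the DDS log posted above
# (benign and suspicious mixed) so the script runs offline.
SAMPLE_DDS = r"""
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [notifyc] c:\programdata\notifyc.exe
uRun: [configwiz] c:\users\elisabeth\appdata\roaming\configwiz.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [notifyc] c:\programdata\notifyc.exe
mPolicies-system: EnableLUA = 0 (0x0)
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
SUnknown cyrmxqrg;cyrmxqrg; [x]
2012-01-17 04:12:36 128488 --sha-w- c:\users\elisabeth\appdata\local\dplayx.dll
2012-01-17 04:12:35 109544 ----a-w- c:\programdata\notifyc.exe
2012-01-18 11:12:16 9728 ----a-w- c:\windows\system32\lsass.exe
2012-01-25 00:09:01 -------- d-----w- c:\programdata\Malwarebytes
""".strip("\n")

# Line shapes DDS uses for Run keys, services/drivers and "Created Last 30".
RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
SVC_RE = re.compile(r"^(?P<state>\S+) (?P<svc>[^;]*);(?P<display>[^;]*);(?P<path>[^\[]*)")
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (?:\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
UAC_OFF_RE = re.compile(r"^mPolicies-system: EnableLUA = 0\b")

# Heuristic (an assumption of this example, not a DDS rule): legitimate
# installers put binaries in their own subfolder, so an .exe/.dll sitting
# directly in the root of ProgramData or a user's AppData\Roaming or
# AppData\Local deserves a look.
ROGUE_ROOT_RE = re.compile(
    r"^c:\\(?:programdata|users\\[^\\]+\\appdata\\(?:roaming|local))\\[^\\]+\.(?:exe|dll|scr)$"
)


@dataclass(frozen=True)
class Finding:
    kind: str
    path: str
    detail: str


def exe_from_command(cmd: str) -> str:
    """Return the image path from a Run-key command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def hidden_system_in_profile(attrs: str, path: str) -> bool:
    """True for files created hidden+system under the Users folder (unusual for user data)."""
    return "s" in attrs and "h" in attrs and path.lower().startswith("c:\\users\\")


def triage(lines: Iterable[str]) -> List[Finding]:
    """Walk DDS lines and collect entries that a reviewer should look at first."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.rstrip()
        if m := RUN_RE.match(line):
            path = exe_from_command(m.group("cmd"))
            if ROGUE_ROOT_RE.match(path.lower()):
                findings.append(Finding("autorun-from-data-root", path,
                                        f"Run key [{m.group('name')}] starts a binary from a data folder root"))
            continue
        if m := CREATED_RE.match(line):
            attrs, path = m.group("attrs"), m.group("path")
            if ROGUE_ROOT_RE.match(path.lower()):
                findings.append(Finding("new-binary-in-data-root", path, f"attributes {attrs}"))
            if hidden_system_in_profile(attrs, path):
                findings.append(Finding("hidden-system-file-in-profile", path, f"attributes {attrs}"))
            continue
        if UAC_OFF_RE.match(line):
            findings.append(Finding("uac-disabled", "", "EnableLUA = 0: User Account Control is turned off"))
            continue
        # A service DDS reports as SUnknown with an empty image path has no file
        # on disk for the entry it points at, which is worth a question.
        if (m := SVC_RE.match(line)) and m.group("state") == "SUnknown" and not m.group("path").strip():
            findings.append(Finding("unknown-service", "", f"service {m.group('svc')} has no image path on disk"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS.splitlines()):
        print(f"{f.kind:30} {f.path or '-':55} {f.detail}")
```

Feed it a whole DDS.txt (`triage(open("DDS.txt").readlines())`) and the same three binaries the ComboFix run later removed, notifyc.exe, configwiz.exe and dplayx.dll, come out at the top of the list, while the Windows and Microsoft Security Essentials entries stay quiet.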


#5 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 30 January 2012 - 01:37 PM

Hi Needhelpbigtime,

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. If you do not know how to do this you can find out >here< or >here<
3. Double click on combofix.exe & follow the prompts.

Important:
  • Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
  • If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

In your next reply, please include:
  • Combofix log
  • How is your computer running now? Please be as descriptive as possible. Include any word-for-word error messages that you may have, and/or screenshots of strange behavior.

Regards,
Jason

 



#6 Needhelpbigtime

Needhelpbigtime
  • Topic Starter

  • Members
  • 17 posts

Posted 30 January 2012 - 04:47 PM

I got a message when running ComboFix that said that my AV was still in Realtime protection, although I had turned it off. I also got the following message - ComboFix has detected the presence of rootkit activity and needs to reboot the machine. It also rebooted itself a second time, but I wasn't in front of the computer to witness it. I have re-enabled AV. The computer seems to be working OK now. Below is the log from ComboFix.


ComboFix 12-01-30.02 - Elisabeth 01/30/2012 14:45:20.1.1 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2039.1198 [GMT -5:00]
Running from: c:\users\Elisabeth\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\~cXVKDwo6F6FU1V
c:\programdata\~cXVKDwo6F6FU1Vr
c:\programdata\cXVKDwo6F6FU1V
c:\programdata\notifyc.exe
c:\programdata\Tarma Installer
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico
c:\users\Dad\AppData\Roaming\configwiz.exe
c:\users\Elisabeth\AppData\Local\dplayx.dll
c:\users\Elisabeth\AppData\Roaming\configwiz.exe
c:\users\Elisabeth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check
c:\users\Elisabeth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\System Check.lnk
c:\users\Elisabeth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\Uninstall System Check.lnk
c:\users\Kevin\OMT.dll
c:\users\Kevin\sb3.exe
c:\windows\$NtUninstallKB30971$
c:\windows\$NtUninstallKB30971$\1383863443
c:\windows\$NtUninstallKB30971$\2632705040\@
c:\windows\$NtUninstallKB30971$\2632705040\bckfg.tmp
c:\windows\$NtUninstallKB30971$\2632705040\cfg.ini
c:\windows\$NtUninstallKB30971$\2632705040\Desktop.ini
c:\windows\$NtUninstallKB30971$\2632705040\keywords
c:\windows\$NtUninstallKB30971$\2632705040\kwrd.dll
c:\windows\$NtUninstallKB30971$\2632705040\L\qnbwvoto
c:\windows\$NtUninstallKB30971$\2632705040\lsflt7.ver
c:\windows\$NtUninstallKB30971$\2632705040\U\00000001.@
c:\windows\$NtUninstallKB30971$\2632705040\U\00000002.@
c:\windows\$NtUninstallKB30971$\2632705040\U\00000004.@
c:\windows\$NtUninstallKB30971$\2632705040\U\80000000.@
c:\windows\$NtUninstallKB30971$\2632705040\U\80000004.@
c:\windows\$NtUninstallKB30971$\2632705040\U\80000032.@
c:\windows\desktop
.
.
((((((((((((((((((((((((( Files Created from 2011-12-28 to 2012-01-30 )))))))))))))))))))))))))))))))
.
.
2012-01-30 20:03 . 2012-01-30 20:03 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-30 20:03 . 2012-01-30 20:03 -------- d-----w- c:\users\Dad\AppData\Local\temp
2012-01-30 20:02 . 2012-01-30 21:07 -------- d-----w- c:\users\Elisabeth\AppData\Local\temp
2012-01-30 20:02 . 2012-01-30 20:02 -------- d-----w- c:\users\Kevin\AppData\Local\temp
2012-01-30 07:55 . 2012-01-06 04:19 6557240 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{90812252-3307-4CDC-B1F7-97128976F068}\mpengine.dll
2012-01-25 03:34 . 2012-01-25 03:34 -------- d-----w- c:\users\Dad\AppData\Roaming\Malwarebytes
2012-01-25 00:09 . 2012-01-25 00:09 -------- d-----w- c:\users\Elisabeth\AppData\Roaming\Malwarebytes
2012-01-25 00:09 . 2012-01-25 00:09 -------- d-----w- c:\programdata\Malwarebytes
2012-01-25 00:08 . 2012-01-25 03:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-25 00:08 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-22 21:44 . 2012-01-28 17:07 -------- d-----w- c:\users\Dad\AppData\Roaming\604AF
2012-01-22 21:44 . 2012-01-28 17:08 -------- d-----w- c:\users\Dad\AppData\Roaming\6EF60
2012-01-22 21:44 . 2012-01-22 21:44 -------- d-----w- c:\users\Dad\AppData\Local\SanctionedMedia
2012-01-22 13:56 . 2012-01-22 13:56 -------- d-----w- c:\windows\Sun
2012-01-21 20:10 . 2007-08-25 00:26 172032 ----a-w- c:\windows\system32\igfxres.dll
2012-01-21 19:10 . 2012-01-21 19:10 -------- d-----w- c:\program files\iPod
2012-01-21 19:09 . 2012-01-21 19:11 -------- d-----w- c:\program files\iTunes
2012-01-18 11:12 . 2011-11-17 06:48 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-18 11:12 . 2011-11-16 16:23 377344 ----a-w- c:\windows\system32\winhttp.dll
2012-01-18 11:12 . 2011-11-16 16:23 278528 ----a-w- c:\windows\system32\schannel.dll
2012-01-18 11:12 . 2011-11-16 16:21 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-18 11:12 . 2011-11-16 16:23 72704 ----a-w- c:\windows\system32\secur32.dll
2012-01-18 11:12 . 2011-11-16 14:12 9728 ----a-w- c:\windows\system32\lsass.exe
2012-01-18 02:49 . 2012-01-18 02:49 -------- d-----w- c:\users\Dad\AppData\Local\ElevatedDiagnostics
2012-01-18 02:03 . 2012-01-18 02:03 -------- d-----w- c:\program files\Common Files\Adobe
2012-01-17 17:19 . 2012-01-30 02:34 -------- d-----w- c:\programdata\529C5084006E95E3002148CF570F1C8B
2012-01-17 17:19 . 2012-01-18 07:53 -------- d-----w- c:\users\Elisabeth\AppData\Roaming\Pazouz
2012-01-17 17:19 . 2012-01-17 17:19 -------- d-----w- c:\users\Elisabeth\AppData\Roaming\Fyo
2012-01-16 21:44 . 2012-01-16 21:44 -------- d-----w- c:\program files\Common Files\TI Shared
2012-01-16 21:44 . 2004-02-04 16:27 49536 ----a-w- c:\windows\system32\drivers\tiehdusb.sys
2012-01-16 21:44 . 2003-11-14 20:53 11520 ----a-w- c:\windows\system32\drivers\wdmstub.sys
2012-01-16 21:43 . 2008-07-03 15:59 193696 ----a-w- c:\windows\system32\drivers\windrvr6.sys
2012-01-16 21:43 . 2007-01-10 18:23 17424 ----a-w- c:\windows\system32\drivers\ezusb.sys
2012-01-16 21:42 . 2012-01-16 21:42 -------- d-----w- c:\program files\Common Files\Vernier Software
2012-01-16 21:41 . 2012-01-16 21:41 -------- d-----w- c:\programdata\Vernier
2012-01-16 21:41 . 2012-01-16 21:41 -------- d-----w- c:\program files\Vernier Software
2012-01-16 21:39 . 2012-01-16 21:39 -------- d-----w- c:\users\Elisabeth\AppData\Local\Downloaded Installations
2012-01-11 16:01 . 2011-10-14 16:03 189952 ----a-w- c:\windows\system32\winmm.dll
2012-01-11 16:01 . 2011-10-14 16:00 23552 ----a-w- c:\windows\system32\mciseq.dll
2012-01-11 16:01 . 2011-11-18 20:23 1205064 ----a-w- c:\windows\system32\ntdll.dll
2012-01-11 16:01 . 2011-11-18 17:47 66560 ----a-w- c:\windows\system32\packager.dll
2012-01-11 16:01 . 2011-11-25 15:59 376320 ----a-w- c:\windows\system32\winsrv.dll
2012-01-11 16:01 . 2011-12-01 15:21 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-01-11 16:01 . 2011-10-25 15:58 1314816 ----a-w- c:\windows\system32\quartz.dll
2012-01-11 16:01 . 2011-10-25 15:58 497152 ----a-w- c:\windows\system32\qdvd.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-25 00:03 . 2008-10-03 16:55 54784 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-01-06 04:19 . 2011-09-16 13:47 6557240 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-01-04 09:26 . 2009-10-04 02:07 236576 ------w- c:\windows\system32\MpSigStub.exe
2011-11-26 14:50 . 2011-11-26 14:50 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:37 . 2011-12-15 00:46 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-11-08 14:42 . 2011-12-15 00:46 2048 ----a-w- c:\windows\system32\tzres.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2011-11-16 23:41 196384 ----a-w- c:\program files\Yontoo Layers Runtime (Drop Down Deals)\YontooIEClient.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2007-02-05 476728]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 200767]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 249856]
"Creative Live! Cam Manager"="c:\program files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe" [2007-06-07 155648]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"2934696CB8C1A23915A896E0A04586E1D14D478D._service_run"="c:\program files\Google\Chrome\Application\chrome.exe" [2011-06-13 1011768]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"V0350Mon.exe"="c:\windows\V0350Mon.exe" [2007-08-23 28672]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 4669440]
"QuickFinder Scheduler"="c:\program files\WordPerfect Office X3\Programs\QFSCHD130.EXE" [2005-12-01 77892]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-25 129560]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-25 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-25 154136]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2009-03-12 2303216]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-12-24 981680]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
.
c:\users\Kevin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Greetings Workshop Reminders.lnk - c:\program files\Greetings Workshop\GWREMIND.EXE [1997-9-4 50688]
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Snapfish Media Detector.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Snapfish Media Detector.lnk
backup=c:\windows\pss\Snapfish Media Detector.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2007-04-04 01:50 1603152 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Facebook Update]
2011-09-01 19:06 137536 ----atw- c:\users\Elisabeth\AppData\Local\Facebook\Update\FacebookUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-01-16 22:22 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-05 22:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
2009-03-12 16:31 2303216 ----a-w- c:\program files\Verizon\VSP\VerizonServicepoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-30 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2435005171-3217023625-1624576511-1002Core.job
- c:\users\Elisabeth\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-09-01 19:06]
.
2012-01-30 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2435005171-3217023625-1624576511-1002UA.job
- c:\users\Elisabeth\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-09-01 19:06]
.
2012-01-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-11 14:45]
.
2012-01-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-11 14:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://verizon.my.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Presario&pf=desktop
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: Open with WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta
LSP: c:\windows\system32\wpclsp.dll
TCP: DhcpNameServer = 192.168.1.1 71.250.0.12 68.237.161.12
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{59c6f12b-f004-43e5-9997-08f2123119b6} - c:\program files\oovootoolbar\oovootoolbarX.dll
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Toolbar-{59c6f12b-f004-43e5-9997-08f2123119b6} - c:\program files\oovootoolbar\oovootoolbarX.dll
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
HKCU-Run-notifyc - c:\programdata\notifyc.exe
HKCU-Run-configwiz - c:\users\Elisabeth\AppData\Roaming\configwiz.exe
HKLM-Run-notifyc - c:\programdata\notifyc.exe
HKLM-Run-configwiz - c:\users\Elisabeth\AppData\Roaming\configwiz.exe
SafeBoot-67708464.sys
AddRemove-Age of Mythology 1.0 - c:\program files\Microsoft Games\Age of Mythology\UNINSTAL.EXE
AddRemove-My HP Game Console - c:\program files\HP Games\My HP Game Console\Uninstall.exe
AddRemove-{889DF117-14D1-44EE-9F31-C5FB5D47F68B} - c:\progra~2\TARMAI~1\{889DF~1\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-30 16:07
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\users\ELISAB~1\AppData\Local\Temp\Cab405B.tmp 47186 bytes
c:\users\ELISAB~1\AppData\Local\Temp\RpT252D.tmp 308 bytes
c:\users\ELISAB~1\AppData\Local\Temp\Tar4D47.tmp 98304 bytes
.
scan completed successfully
hidden files: 3
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3888)
c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe
c:\windows\RtHDVCpl.exe
c:\program files\Sony\SonicStage\SSAAD.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2012-01-30 16:16:15 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-30 21:15
.
Pre-Run: 44,452,843,520 bytes free
Post-Run: 46,422,011,904 bytes free
.
- - End Of File - - B1F05FF54CB96DEF49691D4722B78D99
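
As an added example, not part of this thread or of ComboFix, here is a small Python triage helper that reads the "Reg Loading Points" and "ORPHANS REMOVED" sections of a log like the one above and flags autostarts that launch from user-writable locations (the notifyc.exe / configwiz.exe entries) together with the defence-weakening values EnableLUA=0 and DisableMonitoring=1. The function names and the path heuristics are assumptions of this example; the sample input is constructed from lines that appear in the log.

```python
"""Triage helper for ComboFix "Reg Loading Points" / "ORPHANS REMOVED" output.

Hypothetical example (not a ComboFix feature): it pulls autostart entries out
of a pasted log, flags those launching from user-writable locations, and lists
registry values that switch off the platform's own defences.
"""
import re
from dataclasses import dataclass

# Constructed sample made from lines that appear in the log above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"2934696CB8C1A23915A896E0A04586E1D14D478D._service_run"="c:\program files\Google\Chrome\Application\chrome.exe" [2011-06-13 1011768]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
HKCU-Run-notifyc - c:\programdata\notifyc.exe
HKCU-Run-configwiz - c:\users\Elisabeth\AppData\Roaming\configwiz.exe
HKLM-Run-notifyc - c:\programdata\notifyc.exe
"""


@dataclass(frozen=True)
class Autostart:
    source: str      # registry key the value lives under, or "orphan:<hive>-Run"
    name: str
    path: str
    suspicious: bool


SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"')
ORPHAN_RE = re.compile(r"^(?P<hive>HKCU|HKLM)-Run-(?P<name>\S+) - (?P<path>.+)$")

# Locations an unprivileged user (and therefore malware running as that user)
# can write to. Heuristic only: a legitimate updater can live here too, so a
# hit is triage input for the analyst, not a verdict.
USER_WRITABLE_RE = re.compile(
    r"(^c:\\programdata\\[^\\]+$)"      # file dropped directly into ProgramData
    r"|(\\appdata\\roaming\\)"          # per-user roaming profile
    r"|(\\appdata\\local\\temp\\)"      # per-user temp directory
)

# Registry values in the log that indicate built-in defences were turned off.
WEAKENING_RE = {
    "EnableLUA": re.compile(r'^"EnableLUA"=\s*0\b'),                      # UAC off
    "DisableMonitoring": re.compile(r'^"DisableMonitoring"=dword:0*1$'),  # Security Center silenced
}


def is_user_writable(path: str) -> bool:
    return USER_WRITABLE_RE.search(path.lower()) is not None


def parse_autostarts(log_text: str) -> list[Autostart]:
    """Collect Run-key values and removed HK*-Run orphans from a ComboFix log."""
    entries: list[Autostart] = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            key = m.group("key")
            current_key = key if key.lower().endswith("\\run") else None
            continue
        if line == "." or not line:      # ComboFix separates blocks with a lone dot
            current_key = None
            continue
        if current_key:
            v = RUN_VALUE_RE.match(line)
            if v:
                p = v.group("path")
                entries.append(Autostart(current_key, v.group("name"), p, is_user_writable(p)))
            continue
        o = ORPHAN_RE.match(line)
        if o:
            p = o.group("path")
            entries.append(Autostart(f"orphan:{o.group('hive')}-Run", o.group("name"), p, is_user_writable(p)))
    return entries


def weakened_settings(log_text: str) -> list[tuple[str, str]]:
    """Return (registry key, value name) pairs for defence-weakening settings."""
    found = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        for value_name, pattern in WEAKENING_RE.items():
            if pattern.match(line):
                found.append((current_key, value_name))
    return found


def triage(log_text: str) -> dict:
    autostarts = parse_autostarts(log_text)
    return {
        "autostarts": autostarts,
        "suspicious_autostarts": [a for a in autostarts if a.suspicious],
        "weakened_settings": weakened_settings(log_text),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for a in report["suspicious_autostarts"]:
        print(f"SUSPECT  {a.source:<20} {a.name:<10} {a.path}")
    for key, name in report["weakened_settings"]:
        print(f"WEAKENED {name} under {key}")
```

Run against the full log, the same three orphan entries and the two weakened settings are the items an analyst would chase first; everything under Program Files or system32 is left for a second pass.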

#7 Needhelpbigtime
  • Topic Starter
  • Members
  • 17 posts

Posted 01 February 2012 - 06:11 AM

So things have been running well for the past two days. I need to run DeFogger again to enable CD emulation. Any other recommendations?

Thank you again for your help!

#8 jntkwx
  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 01 February 2012 - 09:40 AM

Needhelpbigtime,

We're not quite done. Sorry for the delay.

Do you use or want to use Yontoo Layers? If you want to keep it installed, don't include the DDS line in the fix below (remove the DDS:: line and the line below it).

Step 1: Rerun ComboFix

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

    http://www.bleepingcomputer.com/forums/topic440096.html
    
    Collect::
    c:\users\ELISAB~1\AppData\Local\Temp\Cab405B.tmp
    c:\users\ELISAB~1\AppData\Local\Temp\RpT252D.tmp
    c:\users\ELISAB~1\AppData\Local\Temp\Tar4D47.tmp
    
    DDS::
    BHO: Yontoo Layers (Drop Down Deals): {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers runtime (drop down deals)\YontooIEClient.dll
    
    DirLook::
    c:\programdata\529C5084006E95E3002148CF570F1C8B
    c:\users\Elisabeth\AppData\Roaming\Pazouz
    c:\users\Elisabeth\AppData\Roaming\Fyo
    
  • Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.


Step 2: Please also copy and paste the contents of this file in your next reply: C:\Qoobox\Add-Remove Programs.txt
Regards,
Jason

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.


#9 Needhelpbigtime
  • Topic Starter
  • Members
  • 17 posts

Posted 01 February 2012 - 07:44 PM

Again, ComboFix said that my AV was running although I turned off real time protection. I did not want Yontoo layers (don't even know what that is). Below is the ComboFix Log.

ComboFix 12-01-30.02 - Elisabeth 02/01/2012 17:31:28.2.1 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2039.1046 [GMT -5:00]
Running from: c:\users\Elisabeth\Desktop\ComboFix.exe
Command switches used :: c:\users\Elisabeth\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-01-01 to 2012-02-01 )))))))))))))))))))))))))))))))
.
.
2012-02-01 22:47 . 2012-02-01 22:47 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-02-01 22:43 . 2012-02-01 22:48 -------- d-----w- c:\users\Elisabeth\AppData\Local\temp
2012-02-01 22:43 . 2012-02-01 22:43 -------- d-----w- c:\users\Kevin\AppData\Local\temp
2012-02-01 22:43 . 2012-02-01 22:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-01 22:43 . 2012-02-01 22:43 -------- d-----w- c:\users\Dad\AppData\Local\temp
2012-02-01 20:16 . 2012-01-06 04:19 6557240 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E4BFBA07-94A7-42A7-953C-0ADEDE01C445}\mpengine.dll
2012-01-25 03:34 . 2012-01-25 03:34 -------- d-----w- c:\users\Dad\AppData\Roaming\Malwarebytes
2012-01-25 00:09 . 2012-01-25 00:09 -------- d-----w- c:\users\Elisabeth\AppData\Roaming\Malwarebytes
2012-01-25 00:09 . 2012-01-25 00:09 -------- d-----w- c:\programdata\Malwarebytes
2012-01-25 00:08 . 2012-01-25 03:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-25 00:08 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-22 21:44 . 2012-01-28 17:07 -------- d-----w- c:\users\Dad\AppData\Roaming\604AF
2012-01-22 21:44 . 2012-01-28 17:08 -------- d-----w- c:\users\Dad\AppData\Roaming\6EF60
2012-01-22 21:44 . 2012-01-22 21:44 -------- d-----w- c:\users\Dad\AppData\Local\SanctionedMedia
2012-01-22 13:56 . 2012-01-22 13:56 -------- d-----w- c:\windows\Sun
2012-01-21 20:10 . 2007-08-25 00:26 172032 ----a-w- c:\windows\system32\igfxres.dll
2012-01-21 19:10 . 2012-01-21 19:10 -------- d-----w- c:\program files\iPod
2012-01-21 19:09 . 2012-01-21 19:11 -------- d-----w- c:\program files\iTunes
2012-01-18 11:12 . 2011-11-17 06:48 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-18 11:12 . 2011-11-16 16:23 377344 ----a-w- c:\windows\system32\winhttp.dll
2012-01-18 11:12 . 2011-11-16 16:23 278528 ----a-w- c:\windows\system32\schannel.dll
2012-01-18 11:12 . 2011-11-16 16:21 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-18 11:12 . 2011-11-16 16:23 72704 ----a-w- c:\windows\system32\secur32.dll
2012-01-18 11:12 . 2011-11-16 14:12 9728 ----a-w- c:\windows\system32\lsass.exe
2012-01-18 02:49 . 2012-01-18 02:49 -------- d-----w- c:\users\Dad\AppData\Local\ElevatedDiagnostics
2012-01-18 02:03 . 2012-01-18 02:03 -------- d-----w- c:\program files\Common Files\Adobe
2012-01-17 17:19 . 2012-01-30 02:34 -------- d-----w- c:\programdata\529C5084006E95E3002148CF570F1C8B
2012-01-17 17:19 . 2012-01-18 07:53 -------- d-----w- c:\users\Elisabeth\AppData\Roaming\Pazouz
2012-01-17 17:19 . 2012-01-17 17:19 -------- d-----w- c:\users\Elisabeth\AppData\Roaming\Fyo
2012-01-16 21:44 . 2012-01-16 21:44 -------- d-----w- c:\program files\Common Files\TI Shared
2012-01-16 21:44 . 2004-02-04 16:27 49536 ----a-w- c:\windows\system32\drivers\tiehdusb.sys
2012-01-16 21:44 . 2003-11-14 20:53 11520 ----a-w- c:\windows\system32\drivers\wdmstub.sys
2012-01-16 21:43 . 2008-07-03 15:59 193696 ----a-w- c:\windows\system32\drivers\windrvr6.sys
2012-01-16 21:43 . 2007-01-10 18:23 17424 ----a-w- c:\windows\system32\drivers\ezusb.sys
2012-01-16 21:42 . 2012-01-16 21:42 -------- d-----w- c:\program files\Common Files\Vernier Software
2012-01-16 21:41 . 2012-01-16 21:41 -------- d-----w- c:\programdata\Vernier
2012-01-16 21:41 . 2012-01-16 21:41 -------- d-----w- c:\program files\Vernier Software
2012-01-16 21:39 . 2012-01-16 21:39 -------- d-----w- c:\users\Elisabeth\AppData\Local\Downloaded Installations
2012-01-11 16:01 . 2011-10-14 16:03 189952 ----a-w- c:\windows\system32\winmm.dll
2012-01-11 16:01 . 2011-10-14 16:00 23552 ----a-w- c:\windows\system32\mciseq.dll
2012-01-11 16:01 . 2011-11-18 20:23 1205064 ----a-w- c:\windows\system32\ntdll.dll
2012-01-11 16:01 . 2011-11-18 17:47 66560 ----a-w- c:\windows\system32\packager.dll
2012-01-11 16:01 . 2011-11-25 15:59 376320 ----a-w- c:\windows\system32\winsrv.dll
2012-01-11 16:01 . 2011-12-01 15:21 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-01-11 16:01 . 2011-10-25 15:58 1314816 ----a-w- c:\windows\system32\quartz.dll
2012-01-11 16:01 . 2011-10-25 15:58 497152 ----a-w- c:\windows\system32\qdvd.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-31 12:44 . 2009-10-04 02:07 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-25 00:03 . 2008-10-03 16:55 54784 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-01-06 04:19 . 2011-09-16 13:47 6557240 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-11-26 14:50 . 2011-11-26 14:50 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:37 . 2011-12-15 00:46 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-11-10 10:54 . 2011-03-01 01:38 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-08 14:42 . 2011-12-15 00:46 2048 ----a-w- c:\windows\system32\tzres.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\programdata\529C5084006E95E3002148CF570F1C8B ----
.
2012-01-17 17:19 . 2012-01-18 03:13 320 ----a-w- c:\programdata\529C5084006E95E3002148CF570F1C8B\529C5084006E95E3002148CF570F1C8B
.
---- Directory of c:\users\Elisabeth\AppData\Roaming\Fyo ----
.
.
---- Directory of c:\users\Elisabeth\AppData\Roaming\Pazouz ----
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2007-02-05 476728]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 200767]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 249856]
"Creative Live! Cam Manager"="c:\program files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe" [2007-06-07 155648]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"2934696CB8C1A23915A896E0A04586E1D14D478D._service_run"="c:\program files\Google\Chrome\Application\chrome.exe" [2011-06-13 1011768]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"V0350Mon.exe"="c:\windows\V0350Mon.exe" [2007-08-23 28672]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 4669440]
"QuickFinder Scheduler"="c:\program files\WordPerfect Office X3\Programs\QFSCHD130.EXE" [2005-12-01 77892]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-25 129560]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-25 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-25 154136]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2009-03-12 2303216]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-12-24 981680]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\users\Kevin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Greetings Workshop Reminders.lnk - c:\program files\Greetings Workshop\GWREMIND.EXE [1997-9-4 50688]
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Snapfish Media Detector.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Snapfish Media Detector.lnk
backup=c:\windows\pss\Snapfish Media Detector.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2007-04-04 01:50 1603152 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Facebook Update]
2011-09-01 19:06 137536 ----atw- c:\users\Elisabeth\AppData\Local\Facebook\Update\FacebookUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-01-16 22:22 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-05 22:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
2009-03-12 16:31 2303216 ----a-w- c:\program files\Verizon\VSP\VerizonServicepoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMSWISSARMY
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-01 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2435005171-3217023625-1624576511-1002Core.job
- c:\users\Elisabeth\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-09-01 19:06]
.
2012-02-01 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2435005171-3217023625-1624576511-1002UA.job
- c:\users\Elisabeth\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-09-01 19:06]
.
2012-02-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-11 14:45]
.
2012-02-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-11 14:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://verizon.my.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Presario&pf=desktop
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: Open with WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta
LSP: c:\windows\system32\wpclsp.dll
TCP: DhcpNameServer = 192.168.1.1 71.250.0.12 68.237.161.12
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(4092)
c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\RtHDVCpl.exe
c:\program files\Sony\SonicStage\SSAAD.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2012-02-01 18:02:19 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-01 23:02
ComboFix2.txt 2012-01-30 21:16
.
Pre-Run: 46,619,619,328 bytes free
Post-Run: 46,534,230,016 bytes free
.
- - End Of File - - 3989D32C532574D22D7571B9C660627C


Here is the C:\Qoobox\Add-Remove Programs.txt file:

Adobe Flash Player 11 ActiveX
Adobe Reader 8.3.1
Adobe Shockwave Player 11.5
Advanced Audio FX Engine
Advanced Video FX Engine
Anime Studio Debut 7.0
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Backyard Football 2006
Bonjour
Canon iP3500 series
Canon iP3500 series User Registration
Canon My Printer
Canon Utilities Easy-PhotoPrint EX
Creative Live! Cam Center
Creative Live! Cam Doodling
Creative Live! Cam FX Creator
Creative Live! Cam Manager
Creative Live! Cam User's Guide
Creative Live! Cam Video Chat or Video IM Driver (1.03.01.00)
Creative Photo Calendar
Creative Photo Manager
Creative Software AutoUpdate
Creative System Information
Dell AIO Printer A940
Dynex Enhanced Wireless G USB Network Adapter Setup
EA SPORTS online 2006
Facebook Video Calling 1.1.1.1
Google Chrome
Google Earth
Google Update Helper
Greetings Workshop
Hardware Diagnostic Tools
Hewlett-Packard Active Check
Hewlett-Packard Asset Agent for Health Check
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Active Support Library 32 bit components
HP Customer Experience Enhancements
HP Customer Feedback
HP Easy Setup - Frontend
HP On-Screen Cap/Num/Scroll Lock Indicator
HP Photosmart Essential 2.01
HP Photosmart Essential2.01
HP Total Care Advisor
HP Update
Intel® Graphics Media Accelerator Driver
iTunes
iWin Games (remove only)
Java Auto Updater
Java™ 6 Update 30
Java™ SE Runtime Environment 6 Update 1
KidsTime
LightScribe 1.6.45.1
Logger Pro 3.8.2
LoggerPro3
Madeline Rainy Day Activities
Malwarebytes Anti-Malware version 1.60.0.1800
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Antimalware
Microsoft Money 2003
Microsoft Money 2003 System Pack
Microsoft Office Home and Student 60 day trial
Microsoft Security Client
Microsoft Security Essentials
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works
Microsoft Works 2003 Setup Launcher
Microsoft Works 7.0
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML4 Parser
muvee autoProducer 6.0
muveeNow 2.0 - Creative
My HP Games
Mysteryville (remove only)
ooVoo
OpenMG Limited Patch 4.7-07-14-05-01
OpenMG Secure Module 4.7.00
OpenOffice.org 3.3
PSSWCORE
Python 2.5
QuickTime
Realtek High Definition Audio Driver
Rhapsody
Rhapsody Player Engine
Roxio Activation Module
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator EasyArchive
Roxio Creator Tools
Roxio Express Labeler 3
Roxio MyDVD Basic v9
Safari
Scratch
Security Advisor
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
SightSpeed (remove only)
Skype™ 4.2
Snapfish Picture Mover
Soft Data Fax Modem with SmartCP
SonicStage 4.3
Spelling Dictionaries Support For Adobe Reader 8
SpongeBob SquarePants - Battle for Bikini Bottom
TSP_CODEC
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update Manager
Verizon Servicepoint 1.5.24
VideoToolkit01
WeatherBug Gadget
Windows Mobile Device Center
WordPerfect Office X3
Works Suite OS Pack
Yahoo! Detect
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Search Protection

Thanks for sticking with me!

#10 jntkwx
  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 02 February 2012 - 01:16 PM

Needhelpbigtime,

Looking good.

Combofix prompts to disable the antivirus program so that the antivirus program doesn't detect Combofix as a false positive, but Combofix ran fine regardless in this case.

Step 1: Let's upload a couple of files for a second opinion on what it actually is.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

Virustotal: http://www.virustotal.com/

When the Virustotal page has finished loading, click the Choose File button and navigate to the following file and click the Scan It button.

c:\programdata\529C5084006E95E3002148CF570F1C8B\529C5084006E95E3002148CF570F1C8B

If prompted to reanalyze a file, please do so.

Please post back the website address (URL) of the Virustotal result in your next post.


Step 2: Rerun Malwarebytes
Open Malwarebytes, click on the Update tab, and click the check for Updates button.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

If you have trouble updating, troubleshoot Malwarebytes' Anti-Malware


In your next reply, please include:
  • Virustotal URL (website address)
  • Malwarebytes log
  • How's your computer running now?

Regards,
Jason

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.


#11 Needhelpbigtime (Topic Starter, Members, 17 posts)

Posted 02 February 2012 - 09:40 PM

Virustotal did not come back with anything for that file. See below.

File name: C:\ProgramData\529C5084006E95E3002148CF570F1C8B\529C5084006E95E3002148CF570F1C8B
Detection ratio: 0 / 43
Analysis date: 2012-02-03 02:06:38 UTC ( 2 minutes ago )


Malwarebytes also found nothing suspicious. See below.

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.03.02

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Elisabeth :: LEGGEKIDS [administrator]

Protection: Enabled

2/2/2012 9:28:59 PM
mbam-log-2012-02-02 (21-28-59).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 221104
Time elapsed: 9 minute(s), 1 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Everything seems to be working fine?
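The check asked for in post #10 and the 0 / 43 result above, as an added PowerShell example that is not part of the thread: before uploading a suspect file, hash it locally and look the hash up on VirusTotal, and only upload if the hash is unknown (a file under ProgramData can contain personal data, so uploading is the second step, not the first). It also tests whether the file is a Windows executable at all, because engines rarely flag plain data files, so a 0 / N verdict on a file without an MZ header says nothing about whether the program that wrote it is clean. It requires PowerShell 5.1 or later (Get-FileHash does not exist in the PowerShell 2.0 that Vista ships with, so this runs on a current machine, not on the Vista box as-is); the function name Get-SuspectFileReport and the VT_API_KEY environment variable holding a VirusTotal v3 API key are this example's own choices.

```powershell
# Added example, not from the thread. Requires PowerShell 5.1+.
# Get-SuspectFileReport and the VT_API_KEY variable are this example's own names.
function Get-SuspectFileReport {
    param([Parameter(Mandatory = $true)][string]$Path)

    $item   = Get-Item -LiteralPath $Path -Force   # -Force: also hidden/system files
    $sha256 = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash.ToLower()

    # A Windows executable (EXE, DLL, SYS) starts with the two bytes "MZ". An
    # extensionless file that is not a PE is most likely data written by some
    # other program; AV engines rarely flag such files, so a 0/N VirusTotal
    # verdict on it says nothing about whether the program that wrote it is clean.
    $head = New-Object byte[] 2
    $fs = [System.IO.File]::OpenRead($item.FullName)
    try { $n = $fs.Read($head, 0, 2) } finally { $fs.Close() }
    $isPE = ($n -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)

    $report = [ordered]@{
        Path        = $item.FullName
        SizeBytes   = $item.Length
        Created     = $item.CreationTime
        Modified    = $item.LastWriteTime
        SHA256      = $sha256
        LooksLikePE = $isPE
        VirusTotal  = 'not queried (set VT_API_KEY)'
    }

    if ($env:VT_API_KEY) {
        # Look the hash up first; only upload if VirusTotal has never seen it.
        try {
            $r = Invoke-RestMethod -Uri "https://www.virustotal.com/api/v3/files/$sha256" `
                                   -Headers @{ 'x-apikey' = $env:VT_API_KEY }
            $stats = $r.data.attributes.last_analysis_stats
            $when  = [DateTimeOffset]::FromUnixTimeSeconds($r.data.attributes.last_analysis_date).UtcDateTime
            $report.VirusTotal = '{0} malicious, {1} undetected (last analysed {2:u})' -f $stats.malicious, $stats.undetected, $when
        } catch {
            $status = 0
            if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
            if ($status -eq 404) {
                $report.VirusTotal = 'hash unknown to VirusTotal; upload the file if it is safe to share'
            } else { throw }
        }
    }
    [pscustomobject]$report
}

# The file from the thread:
Get-SuspectFileReport -Path 'C:\ProgramData\529C5084006E95E3002148CF570F1C8B\529C5084006E95E3002148CF570F1C8B'
```

The Created and Modified timestamps are worth reading alongside the verdict: a file written in the same minute as the first symptoms, inside a folder whose name is a 32-character hex string, tells you more about where it came from than a clean scan of the file itself does.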

#12 Needhelpbigtime (Topic Starter, Members, 17 posts)

Posted 03 February 2012 - 06:45 AM

Sorry, I meant to include that I still cannot turn on Windows Firewall (or Windows Defender).

#13 jntkwx (Malware Response Team, 4,339 posts, New England, U.S.A.)

Posted 04 February 2012 - 10:37 AM

Needhelpbigtime,

:step1: Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

:step2: I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.


In your next reply, please include:
  • Farbar Service Scanner log
  • ESET log
  • How's your computer running now?

Regards,
Jason



#14 Needhelpbigtime (Topic Starter, Members, 17 posts)

Posted 04 February 2012 - 04:06 PM

Thanks for continuing to work with me. Both logs are below.

Farbar

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking LEGACY_MpsSvc: Attention! Unable to open LEGACY_MpsSvc\0000 registry key. The key does not exist.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
===========

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll
[2009-10-20 12:12] - [2009-04-11 01:28] - 0758784 ____A (Microsoft Corporation) 93952506C6D67330367F7E7934B6A02F

C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll
[2009-10-20 12:11] - [2009-04-11 01:28] - 0129024 ____A (Microsoft Corporation) FB27772BEAF8E1D28CCD825C09DA939B

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

ESET log

C:\Program Files\Yontoo Layers Runtime (Drop Down Deals)\YontooIEClient.dll a variant of Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\ProgramData\notifyc.exe.vir a variant of Win32/Kryptik.ZCK trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll.vir a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\Dad\AppData\Roaming\configwiz.exe.vir a variant of Win32/Kryptik.ZCK trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\Elisabeth\AppData\Local\dplayx.dll.vir a variant of Win32/Kryptik.ZCK trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\Elisabeth\AppData\Roaming\configwiz.exe.vir a variant of Win32/Kryptik.ZCK trojan cleaned by deleting - quarantined

#15 jntkwx (Malware Response Team, 4,339 posts, New England, U.S.A.)

Posted 06 February 2012 - 09:00 AM

Needhelpbigtime,

Sorry for the delay.

Let's repair the Windows Firewall.

Note that these instructions are specifically written for Needhelpbigtime.

  • Please download the Vista.zip file from HERE and save it to your desktop.
  • Extract Vista.zip to its own folder, named Vista.
  • Once extracted, double click on each of the mpssvc and legacy_mpssvc files. When prompted, click Yes.
  • Double click on the start_services file.
  • Please rerun FSS: Type the following in the search box:
    mpssvc;WinDefend
  • Click "Export Service" and post the log it makes (FSS.txt).

Regards,
Jason

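The checks Farbar Service Scanner ran in post #13 (and the "service key does not exist" finding in the #14 log) together with the start_services step in post #15, as one added PowerShell example that is not part of the thread and is not the contents of Vista.zip: it reads each firewall service's registry key the way FSS does (key present, Start type, ImagePath, ServiceDll, current state), verifies the binary the service would load by its Authenticode signature rather than against an MD5 table, and starts the services in dependency order once their keys exist again. It assumes an elevated PowerShell 5.1 or later prompt on a current Windows machine; the function names Resolve-ServiceBinary, Test-ServiceConfig and Start-FirewallStack are this example's own. The one fact it relies on beyond the thread is the documented dependency of MpsSvc on BFE and mpsdrv, which fixes the start order.

```powershell
# Added example, not from the thread and not the contents of Vista.zip.
# Requires an elevated PowerShell 5.1+ prompt. Function names are this example's own.

function Resolve-ServiceBinary {
    # Turn an ImagePath/ServiceDll value into the file on disk that the service loads.
    param([string]$Raw)
    $p = [Environment]::ExpandEnvironmentVariables($Raw)
    $p = $p -replace '^\\\?\?\\', ''                      # \??\C:\x -> C:\x
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot     # \SystemRoot\x -> C:\Windows\x
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] }                          # "quoted path" args
    elseif ($p -match '^(.+?\.(exe|sys|dll))(\s|$)') { $p = $Matches[1] }    # unquoted path args
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }  # drivers: System32\drivers\x.sys
    return $p
}

function Test-ServiceConfig {
    # The same checks FSS reports: key present, Start type, ImagePath, ServiceDll, state.
    param([Parameter(Mandatory = $true)][string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $r = [ordered]@{ Service = $Name; KeyExists = (Test-Path $key) }
    if (-not $r.KeyExists) {
        # The condition in the #14 log: with the key gone the Service Control Manager
        # no longer knows the service, so nothing can start it or display its settings.
        return [pscustomobject]$r
    }
    $props = Get-ItemProperty -Path $key
    $r.Start      = $props.Start           # 2 = automatic, 3 = manual, 4 = disabled
    $r.ImagePath  = $props.ImagePath
    $r.ServiceDll = (Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    $r.Binary     = Resolve-ServiceBinary $(if ($r.ServiceDll) { $r.ServiceDll } else { $r.ImagePath })
    if (Test-Path -LiteralPath $r.Binary) {
        # Signature check instead of an MD5 table: a patched or replaced system file fails it.
        # Caveat: on older Windows, catalog-signed files can show NotSigned here; then
        # fall back to "sfc /verifyfile=<path>".
        $sig = Get-AuthenticodeSignature -FilePath $r.Binary
        $r.Signature = $sig.Status
        $r.Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    } else {
        $r.Signature = 'file missing'
    }
    # Get-Service does not list kernel drivers such as mpsdrv; sc.exe query covers both.
    $state = sc.exe query $Name | Select-String 'STATE'
    $r.State = if ($state) { ($state.Line -split ':\s*', 2)[1].Trim() } else { 'unknown' }
    [pscustomobject]$r
}

function Start-FirewallStack {
    # Start order follows the dependencies: MpsSvc depends on BFE and mpsdrv.
    # WinDefend is independent of the firewall but is in post #15's FSS export list.
    foreach ($n in 'BFE', 'mpsdrv', 'MpsSvc', 'WinDefend') {
        if (-not (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$n")) {
            Write-Warning "$n has no service key; restore the key (the Vista.zip step) before starting it."
            continue
        }
        # sc.exe starts both services and drivers; Start-Service cannot start a driver.
        sc.exe start $n | Out-Null
    }
}

'BFE', 'mpsdrv', 'MpsSvc', 'WinDefend' | ForEach-Object { Test-ServiceConfig $_ } | Format-List
# After the missing keys have been restored:
# Start-FirewallStack
```

Run the Test-ServiceConfig line first and again after the repair: the first run should reproduce the "KeyExists : False" for MpsSvc that FSS reported, and the second should show the key back, a Valid signature on mpssvc.dll, and a RUNNING state once Start-FirewallStack has been called. A service whose key reappears but whose ServiceDll points somewhere other than the Windows system directory deserves a second look before it is started.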




