
Infected with System Check; Blacole.ck; Java/CVE


  • This topic is locked
62 replies to this topic

#1 valerie586

  • Members
  • 78 posts

Posted 29 January 2012 - 04:49 AM

I got a threat notice that appeared to be through Microsoft Security Essentials, so I clicked "clean"...then a bunch of boxes popped up that said "delayed writed failed", "failed to save all components to the file system 321100000668. The file is corrupted or unreadable".
Also getting messages that say to scan the hard disk, which I did not do. Messages say "hard drive clusters partly damaged; segment load failure".
I ran Malware and it said the following: "hkey_local_machine\software\microsoft\windows\current version\policies\system\disable task manager (PUM:hijack.taskmanager)". It quarantined and deleted it.
Malware also said file infected: c:\\documentsandsettings\admin\localsettings\temp\0.10065340141216073.exe (trojan.dropper). It quarantined and deleted this.
I ran spybot and it found:
win32agent.bkr trojansC-05
microsoft.windows.security.firewallopenports
Spybot removed these.

I then ran rkill.
Then ran the tdsskiller, but it did not find any threats.

I tried to run the GMER, but got the following:
Type ?
Name: c/documents/adminlocals/~1temp\mbr.sys
Value: The system cannot find the file specified


DDS File:

.
DDS (Ver_2011-08-26.01) - NTFSx86 MINIMAL
Internet Explorer: 8.0.6001.18702
Run by ADMIN at 2:05:47 on 2012-01-29
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2759 [GMT -7:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Coupons.com Toolbar: {37153479-1976-43c3-a1ee-557513977b64} - c:\program files\coupons.com\prxtbCou2.dll
uURLSearchHooks: FCToolbarURLSearchHook Class: {da879c19-9088-418b-a63a-2e6fb294eaf0} - c:\program files\aadvantage eshoppingsm toolbar\Helper.dll
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Coupons.com Toolbar: {37153479-1976-43c3-a1ee-557513977b64} - c:\program files\coupons.com\prxtbCou2.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AAdvantage eShoppingSM Toolbar BHO: {5712a6bb-b6c8-4e52-a152-1ba741c9a6a2} - c:\program files\aadvantage eshoppingsm toolbar\Toolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Coupons.com Toolbar: {37153479-1976-43c3-a1ee-557513977b64} - c:\program files\coupons.com\prxtbCou2.dll
TB: AAdvantage eShoppingSM Toolbar: {85741f1d-ed47-4dcf-9109-07d10213c4d0} - c:\program files\aadvantage eshoppingsm toolbar\Toolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [KndCLIWLJesl.exe] c:\documents and settings\all users\application data\KndCLIWLJesl.exe
mRunServices: [Dynamichplnchap1001] c:\docume~1\admin\locals~1\temp\exe.exe
mRunServices: [Wed1Album] c:\program files\nova development\photo explosion deluxe\project category\matching sets\weddings\albumwed128253.exe
mRunServices: [UpdaterProduct1.0.0.2] c:\program files\common files\nova development\shared\updaternova.exe
mRunServices: [Digireadreader] c:\program files\adobe\adobe photoshop cs2\plug-ins\digimarc\imagebridgetmdigisnep.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\admin\startm~1\programs\startup\hpsimp~1.lnk - c:\documents and settings\admin\application data\hp simplesave application\StartHelper.exe
uPolicies-explorer: NoDesktop = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: ebay.com
Trusted Zone: facebook.com\www
Trusted Zone: google.com\www
Trusted Zone: hotmail.com
Trusted Zone: intuit.com\ttlc
Trusted Zone: live.com
Trusted Zone: live.com\*.mail
Trusted Zone: msn.com
Trusted Zone: passport.com
Trusted Zone: windowslivehelp.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://allstate.webex.com/client/T27L10NSP11EP14/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
S0 cerc6;cerc6; [x]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
S2 BackupService;BackupService;c:\documents and settings\admin\application data\hp simplesave application\uUACTokenSvc.exe [2010-11-26 83512]
S2 File Backup;File Backup Service;c:\program files\starfield\offSyncService.exe [2010-7-16 1310960]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-9-5 136176]
S2 sprtlisten;SupportSoft Listener Service;c:\program files\common files\supportsoft\bin\sprtlisten.exe [2008-1-8 1213728]
S2 sprtsvc_quickcare;SupportSoft Sprocket Service (quickcare);c:\program files\qwest\quickcare\bin\sprtsvc.exe [2010-12-26 206120]
S2 tgsrvc_quickcare;SupportSoft Repair Service (quickcare);c:\program files\qwest\quickcare\bin\tgsrvc.exe [2010-12-26 185640]
S2 VZWConfigService;VZW Config Service;c:\program files\novatel wireless\lte support\VZWMSConfig.exe [2011-2-11 139776]
S3 egxfilter;egxfilter;c:\windows\system32\drivers\egxfilter.sys [2010-9-5 93568]
S3 esgiguard;esgiguard;\??\c:\program files\enigma software group\spyhunter\esgiguard.sys --> c:\program files\enigma software group\spyhunter\esgiguard.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-9-5 136176]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [2010-12-25 30576]
S3 NWRmNet_022;Novatel Wireless MiFi 4510 RmNet Network Adapter;c:\windows\system32\drivers\NWRmNet_022.sys [2011-3-1 243712]
S3 NWUSBModem_022;Novatel Wireless Verizon MiFi LTE USB Modem Driver;c:\windows\system32\drivers\nwusbmdm_022.sys [2011-3-1 176384]
S3 NWUSBPort_022;Novatel Wireless Verizon MiFi LTE USB Status Port Driver;c:\windows\system32\drivers\nwusbser_022.sys [2011-3-1 176384]
S3 NWUSBPort2_022;Novatel Wireless Verizon MiFi LTE USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2_022.sys [2011-3-1 176384]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [2011-3-18 114704]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2009-5-25 32408]
.
=============== Created Last 30 ================
.
2012-01-29 03:40:02 435968 ---ha-w- c:\documents and settings\all users\application data\KndCLIWLJesl.exe
2012-01-28 16:34:04 6557240 ---ha-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1b857718-6ab6-49a1-98c7-c5cc86679d5d}\mpengine.dll
.
==================== Find3M ====================
.
2012-01-04 09:26:22 236576 ---h--w- c:\windows\system32\MpSigStub.exe
2011-12-20 19:40:00 414368 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-25 21:57:19 293376 ---ha-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25:32 1859584 ---ha-w- c:\windows\system32\win32k.sys
2011-11-18 12:35:08 60416 ---ha-w- c:\windows\system32\packager.exe
2011-11-16 14:21:44 354816 ---ha-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21:44 152064 ---ha-w- c:\windows\system32\schannel.dll
2011-11-04 19:20:51 916992 ---ha-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ---h--w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ---h--w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ---h--w- c:\windows\system32\html.iec
2011-11-03 15:28:36 386048 ---ha-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28:36 1292288 ---ha-w- c:\windows\system32\quartz.dll
2011-11-01 16:07:10 1288704 ---ha-w- c:\windows\system32\ole32.dll
.
============= FINISH: 2:07:21.67 ===============



I still get a bunch of boxes that pop up and say the following:
"delayed writed failed", "failed to save all components to the file system 321100000668. The file is corrupted or unreadable".
Also getting messages that say to scan the hard disk, which I did not do. Messages say "hard drive clusters partly damaged; segment load failure".
there are also RAM errors, etc.
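The DDS log above is what the helpers read by hand: the autoruns (mRun, mRunServices), the explorer policy and the Hosts line are the pieces that matter. The script below is an added example, not part of DDS, ComboFix or this thread, that applies the same triage to the "Pseudo HJT Report" line format. It goes a little beyond the single case in the log: it covers Run, RunOnce and RunServices values, any non-zero Policies value, and hosts entries that sink a domain to loopback. SAMPLE_LOG is a constructed excerpt shaped like the lines in the post; the list of suspect directories is this example's own choice.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log for autoruns that
launch from user-writable directories, lockdown policies and hosts-file
sinks. Added example; not part of DDS, ComboFix or the thread above.
SAMPLE_LOG is a constructed excerpt in the same line format as the log."""
import re

# Constructed sample lines (same shapes as the DDS output in the post).
SAMPLE_LOG = r'''
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [KndCLIWLJesl.exe] c:\documents and settings\all users\application data\KndCLIWLJesl.exe
mRunServices: [Dynamichplnchap1001] c:\docume~1\admin\locals~1\temp\exe.exe
uPolicies-explorer: NoDesktop = 1 (0x1)
Hosts: 127.0.0.1 www.spywareinfo.com
'''

AUTORUN_RE = re.compile(
    r'^(?P<key>[mud]Run(?:Services|Once)?):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
POLICY_RE = re.compile(
    r'^(?P<key>[mud]Policies-\w+):\s*(?P<name>\w+)\s*=\s*(?P<value>\d+)')
HOSTS_RE = re.compile(r'^Hosts:\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)')
# First drive-letter path to a loadable module in the command line. For
# "rundll32.exe x.dll,Entry" this yields the DLL, which is what actually runs.
MODULE_RE = re.compile(r'(?i)[a-z]:\\[^"]*?\.(?:exe|dll|scr|cpl|sys)(?=[",\s]|$)')

# Directory components a vendor-installed autorun should not launch from
# (this example's own list; extend it for your environment).
SUSPECT_DIRS = {'temp', 'tmp', 'application data', 'appdata',
                'programdata', 'public', 'recycler'}


def module_path(cmd):
    """Return the lower-cased path of the module a command line loads, or None."""
    m = MODULE_RE.search(cmd)
    return m.group(0).lower() if m else None


def suspect_dir(path):
    """Return the first suspect directory component of path, or None."""
    for part in path.lower().split('\\')[:-1]:   # directories only, not the file
        if part in SUSPECT_DIRS:
            return part
    return None


def triage(log_text):
    """Return a list of findings, each {'kind', 'name', 'where', 'reasons'}."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = AUTORUN_RE.match(line)
        if m:
            name, cmd = m['name'], m['cmd']
            path = module_path(cmd)
            reasons = []
            where = suspect_dir(path) if path else None
            if where:
                reasons.append(f'launches from user-writable directory "{where}"')
            if name.lower().endswith(('.exe', '.dll')):
                reasons.append('value name is a file name, common for dropped binaries')
            if m['key'].endswith('Services'):
                reasons.append('RunServices is a Windows 9x-era key that XP and later '
                               'do not execute; entries here deserve a look')
            if reasons:
                findings.append({'kind': 'autorun', 'name': name,
                                 'where': path or cmd, 'reasons': reasons})
            continue
        m = POLICY_RE.match(line)
        if m and int(m['value']) != 0:
            findings.append({'kind': 'policy', 'name': m['name'], 'where': m['key'],
                             'reasons': ['lockdown policy set; a PUM unless an admin set it']})
            continue
        m = HOSTS_RE.match(line)
        if m and m['ip'].startswith('127.'):
            findings.append({'kind': 'hosts', 'name': m['host'], 'where': m['ip'],
                             'reasons': ['hosts entry sinks the domain to loopback; '
                                         'confirm it was intended']})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['name']} ({f['where']})")
        for r in f['reasons']:
            print('    -', r)
```

Run against the sample, the two vendor entries (NvCplDaemon, MSSE) produce no findings, while the Application Data binary and the %TEMP% RunServices entry are both flagged, as are the NoDesktop policy and the hosts line. Feed it the full DDS text with `triage(open('dds.txt').read())` to get the same short list a helper would pull out by eye.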


#2 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 29 January 2012 - 10:08 AM

Hi,

Please do the following:

  • Please download aswMBR.exe and save it to your desktop.
  • Double click aswMBR.exe to start the tool. (Vista/Windows 7 users - right click to run as administrator)
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click Scan

  • Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 valerie586

  • Topic Starter
  • Members
  • 78 posts

Posted 02 February 2012 - 08:04 PM

Thank you for your reply and help. Here is the aswmbr.txt file.

I have also attached the MBR.zip file.


aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-02 17:50:37
-----------------------------
17:50:37.046 OS Version: Windows 5.1.2600 Service Pack 3
17:50:37.046 Number of processors: 2 586 0xF0D
17:50:37.046 ComputerName: VALERIEDELL630 UserName: ADMIN
17:50:38.984 Initialize success
17:50:50.890 AVAST engine download error: 0
17:50:59.312 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
17:50:59.328 Disk 0 Vendor: TOSHIBA_MK8052GSX LV011D Size: 76319MB BusType: 3
17:50:59.375 Disk 0 MBR read successfully
17:50:59.390 Disk 0 MBR scan
17:50:59.421 Disk 0 Windows VISTA default MBR code
17:50:59.453 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 76317 MB offset 2048
17:50:59.484 Disk 0 scanning sectors +156299264
17:50:59.625 Disk 0 scanning C:\WINDOWS\system32\drivers
17:51:22.687 Service scanning
17:51:33.421 Modules scanning
17:51:50.671 Disk 0 trace - called modules:
17:51:50.718 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys
17:51:50.718 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ab241f0]
17:51:50.734 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x8ab1dd98]
17:51:50.812 Scan finished successfully
17:52:02.734 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
17:52:02.765 The log file has been saved successfully to "E:\aswMBR.txt"

Attached Files

  • MBR.zip (543 bytes)
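The aswMBR log above reads the first sector, checks the boot code against its own list of known-good images ("Windows VISTA default MBR code") and prints the partition table (active NTFS partition at offset 2048, 76317 MB; the "+156299264" it scans from is 2048 + 76317 MB worth of sectors). The script below is an added example, not aswMBR's code or anything from this thread, that does the same decoding on a raw 512-byte sector image. It assumes MBR.dat is a plain sector dump, which is not confirmed on the page; the sample it builds is constructed to match the partition line in the log, with NOP filler where the real boot code would be, and the partition-type table is a small subset.

```python
"""Parse a raw 512-byte MBR sector (assumed format of aswMBR's MBR.dat)
and sanity-check it. Added example; not aswMBR's code or the thread's.
build_sample_mbr() constructs an image with the partition layout shown in
the log above and placeholder boot code; the real Windows boot code and
its hash are not reproduced here."""
import hashlib
import struct
import sys

MBR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0-439; disk signature follows at 440-443
PART_TABLE_OFFSET = 446      # four 16-byte entries, then 0x55AA at 510
PART_ENTRY = struct.Struct('<B3sB3sII')   # status, CHS start, type, CHS end, LBA start, sectors
PART_TYPES = {0x07: 'HPFS/NTFS', 0x0c: 'FAT32 (LBA)', 0x0f: 'Extended (LBA)',
              0x82: 'Linux swap', 0x83: 'Linux', 0xee: 'GPT protective'}


def parse_mbr(mbr):
    """Return boot-code hash, disk signature and non-empty partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f'expected {MBR_SIZE} bytes, got {len(mbr)}')
    if mbr[510:512] != b'\x55\xaa':
        raise ValueError('missing 0x55AA boot signature')
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = PART_ENTRY.unpack_from(mbr, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue
        parts.append({
            'index': i + 1,
            'status': status,
            'bootable': status == 0x80,
            'type': ptype,
            'type_name': PART_TYPES.get(ptype, f'0x{ptype:02x}'),
            'lba_start': lba,
            'sectors': count,
            'size_mb': count * 512 // (1024 * 1024),
        })
    return {
        'boot_code_sha256': hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        'disk_signature': mbr[440:444].hex(),
        'partitions': parts,
    }


def sanity_issues(info):
    """Structural checks that a corrupt table or a bootkit tends to trip."""
    issues = []
    active = [p['index'] for p in info['partitions'] if p['bootable']]
    if len(active) != 1:
        issues.append(f'expected exactly one active partition, found {active}')
    for p in info['partitions']:
        if p['status'] not in (0x00, 0x80):
            issues.append(f'partition {p["index"]}: invalid status byte 0x{p["status"]:02x}')
        if p['sectors'] == 0:
            issues.append(f'partition {p["index"]}: zero length')
    spans = sorted((p['lba_start'], p['lba_start'] + p['sectors'], p['index'])
                   for p in info['partitions'])
    for (s1, e1, i1), (s2, e2, i2) in zip(spans, spans[1:]):
        if s2 < e1:
            issues.append(f'partitions {i1} and {i2} overlap')
    return issues


def boot_code_matches(mbr, baseline_sha256):
    """True when the 440-byte boot code equals a known-good baseline hash."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest() == baseline_sha256


def build_sample_mbr():
    """Constructed image: one active NTFS partition, LBA 2048, 76317 MB,
    matching the aswMBR partition line. Boot code is NOP filler, not real."""
    boot_code = b'\x90' * BOOT_CODE_LEN
    disk_sig = b'\x12\x34\x56\x78'                     # made-up disk signature
    entry = PART_ENTRY.pack(0x80, b'\x20\x21\x00', 0x07, b'\xfe\xff\xff',
                            2048, 76317 * 2048)       # 76317 MB at 512 B/sector
    table = entry + b'\x00' * 48                       # three empty entries
    return boot_code + disk_sig + b'\x00\x00' + table + b'\x55\xaa'


if __name__ == '__main__':
    data = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else build_sample_mbr()
    info = parse_mbr(data)
    print('boot code sha256:', info['boot_code_sha256'])
    for p in info['partitions']:
        flag = '*' if p['bootable'] else ' '
        print(f"{flag} {p['index']} {p['type_name']:<16} {p['size_mb']} MB offset {p['lba_start']}")
    for issue in sanity_issues(info):
        print('!!', issue)
```

Run with a file argument (`python mbr_check.py MBR.dat`) it prints the same partition summary aswMBR does. The boot-code hash is only useful against a baseline taken from a known-clean machine with the same Windows version; that comparison is what aswMBR's "default MBR code" line is doing with its built-in list, and it is the check that catches a rewritten first sector even when the partition table still looks normal.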


#4 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 02 February 2012 - 08:20 PM

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(screenshot of the ComboFix prompt omitted)

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.



#5 valerie586

  • Topic Starter
  • Members
  • 78 posts

Posted 02 February 2012 - 08:40 PM

I was not able to install the Microsoft Recovery Console, as it requires an internet connection. I can only work on the infected computer in Safe Mode, and do not have an internet connection in safe mode.

#6 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 02 February 2012 - 08:44 PM

OK, that's fine

continue on without installing it, we can install it later if need be



#7 valerie586

  • Topic Starter
  • Members
  • 78 posts

Posted 02 February 2012 - 09:21 PM

ComboFix 12-02-02.02 - ADMIN 02/02/2012 18:42:03.1.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2758 [GMT -7:00]
Running from: c:\documents and settings\ADMIN\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\KndCLIWLJesl.exe
c:\documents and settings\All Users\Application Data\TEMP
c:\windows\system32\PowerToyReadme.htm
c:\windows\system32\SET83.tmp
c:\windows\XSxS
.
.
((((((((((((((((((((((((( Files Created from 2012-01-03 to 2012-02-03 )))))))))))))))))))))))))))))))
.
.
2012-01-29 03:48 . 2012-01-29 03:48 -------- d--h--w- c:\documents and settings\Administrator
2012-01-28 16:34 . 2012-01-06 04:19 6557240 ---ha-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1B857718-6AB6-49A1-98C7-C5CC86679D5D}\mpengine.dll
2012-01-19 00:48 . 2012-01-19 00:48 -------- d--h--w- c:\documents and settings\All Users\Application Data\nView_Profiles
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-06 04:19 . 2010-10-17 12:55 6557240 ---ha-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-01-04 09:26 . 2010-10-16 03:42 236576 ---h--w- c:\windows\system32\MpSigStub.exe
2011-12-20 19:40 . 2011-12-20 19:40 414368 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-25 21:57 . 2008-04-14 12:00 293376 ---ha-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2008-04-14 12:00 1859584 ---ha-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2008-04-14 12:00 60416 ---ha-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2008-04-14 12:00 354816 ---ha-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2008-04-14 12:00 152064 ---ha-w- c:\windows\system32\schannel.dll
2005-01-07 21:20 . 2005-01-07 21:20 278528 ---ha-w- c:\program files\internet explorer\plugins\PanoViewer.dll
2005-01-07 21:20 . 2005-01-07 21:20 143360 ---ha-w- c:\program files\internet explorer\plugins\UPjpeg.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{37153479-1976-43c3-a1ee-557513977b64}"= "c:\program files\Coupons.com\prxtbCou2.dll" [2011-05-09 176936]
"{da879c19-9088-418b-a63a-2e6fb294eaf0}"= "c:\program files\AAdvantage eShoppingSM Toolbar\Helper.dll" [2011-10-13 361472]
.
[HKEY_CLASSES_ROOT\clsid\{37153479-1976-43c3-a1ee-557513977b64}]
.
[HKEY_CLASSES_ROOT\clsid\{da879c19-9088-418b-a63a-2e6fb294eaf0}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{26582F40-76E8-4A2A-B30C-26832801B787}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37153479-1976-43c3-a1ee-557513977b64}]
2011-05-09 09:49 176936 ---ha-w- c:\program files\Coupons.com\prxtbCou2.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5712A6BB-B6C8-4E52-A152-1BA741C9A6A2}]
2011-10-13 18:53 1603072 ---ha-w- c:\program files\AAdvantage eShoppingSM Toolbar\Toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{37153479-1976-43c3-a1ee-557513977b64}"= "c:\program files\Coupons.com\prxtbCou2.dll" [2011-05-09 176936]
"{85741F1D-ED47-4DCF-9109-07D10213C4D0}"= "c:\program files\AAdvantage eShoppingSM Toolbar\Toolbar.dll" [2011-10-13 1603072]
.
[HKEY_CLASSES_ROOT\clsid\{37153479-1976-43c3-a1ee-557513977b64}]
.
[HKEY_CLASSES_ROOT\clsid\{85741f1d-ed47-4dcf-9109-07d10213c4d0}]
[HKEY_CLASSES_ROOT\FCTB000062125.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{5E8947F8-3769-4215-877F-BEA00225DC12}]
[HKEY_CLASSES_ROOT\FCTB000062125.IEToolbar]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{37153479-1976-43C3-A1EE-557513977B64}"= "c:\program files\Coupons.com\prxtbCou2.dll" [2011-05-09 176936]
"{85741F1D-ED47-4DCF-9109-07D10213C4D0}"= "c:\program files\AAdvantage eShoppingSM Toolbar\Toolbar.dll" [2011-10-13 1603072]
.
[HKEY_CLASSES_ROOT\clsid\{37153479-1976-43c3-a1ee-557513977b64}]
.
[HKEY_CLASSES_ROOT\clsid\{85741f1d-ed47-4dcf-9109-07d10213c4d0}]
[HKEY_CLASSES_ROOT\FCTB000062125.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{5E8947F8-3769-4215-877F-BEA00225DC12}]
[HKEY_CLASSES_ROOT\FCTB000062125.IEToolbar]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-14 8495104]
"NVHotkey"="nvHotkey.dll" [2007-12-14 86016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-14 81920]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\ADMIN\Start Menu\Programs\Startup\
HP SimpleSave Monitor.lnk - c:\documents and settings\ADMIN\Application Data\HP SimpleSave Application\StartHelper.exe [2010-11-26 477080]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^ADMIN^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\ADMIN\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-12-17 18:28 684032 ---ha-w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ---ha-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ---ha-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-07-02 20:29 159744 ---ha-w- c:\program files\DellTPad\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2007-09-07 22:49 1236992 ---ha-w- c:\program files\Dell\QuickSet\quickset.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-02-19 08:41 49152 ---ha-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDTSysTrayApp]
2007-07-02 20:29 159744 ---ha-w- c:\program files\DellTPad\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
2010-05-20 22:27 119152 ---ha-w- c:\program files\Microsoft LifeCam\LifeExp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2002-07-16 21:21 28672 ---ha-w- c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 10:42 1695232 ---ha-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2007-12-14 00:46 1626112 ---ha-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickCare]
2010-01-16 20:30 206120 ---ha-w- c:\program files\Qwest\Quickcare\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 17:17 421888 ---ha-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Qwest Personal Digital Vault]
2009-12-18 20:58 1064808 ---ha-w- c:\program files\Qwest Personal Digital Vault\QwestPersonalDigitalVault.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QwestTouchPointAgent]
2010-08-27 04:59 45992 ---ha-w- c:\program files\Qwest\Desktop\QwestTouchPointAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Starfield Updater]
2010-12-07 03:33 32960 ---ha-w- c:\program files\Starfield\starfieldupdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient 2.6]
2003-10-03 17:52 61440 ---ha-w- c:\program files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-09-06 04:45 39408 ---ha-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup 2.5]
2004-04-09 15:31 184320 ---ha-w- c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Legacy\\FamilySearch\\LegacyFS.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\Program Files\\ooVoo\\ooVoo.exe"=
"c:\\Program Files\\AAdvantage eShoppingSM Toolbar\\TroubleShooter.exe"=
"c:\\Program Files\\AAdvantage eShoppingSM Toolbar\\ToolbarUpdate.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
.
S0 cerc6;cerc6; [x]
S2 BackupService;BackupService;c:\documents and settings\ADMIN\Application Data\HP SimpleSave Application\uUACTokenSvc.exe [11/26/2010 10:06 PM 83512]
S2 File Backup;File Backup Service;c:\program files\Starfield\offSyncService.exe [7/16/2010 1:47 PM 1310960]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/5/2010 9:45 PM 136176]
S2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [1/8/2008 12:02 PM 1213728]
S2 sprtsvc_quickcare;SupportSoft Sprocket Service (quickcare);c:\program files\Qwest\Quickcare\bin\sprtsvc.exe [12/26/2010 2:59 PM 206120]
S2 tgsrvc_quickcare;SupportSoft Repair Service (quickcare);c:\program files\Qwest\Quickcare\bin\tgsrvc.exe [12/26/2010 2:59 PM 185640]
S2 VZWConfigService;VZW Config Service;c:\program files\Novatel Wireless\LTE Support\VZWMSConfig.exe [2/11/2011 3:44 PM 139776]
S3 egxfilter;egxfilter;c:\windows\system32\drivers\egxfilter.sys [9/5/2010 5:49 PM 93568]
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/5/2010 9:45 PM 136176]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [12/25/2010 3:15 PM 30576]
S3 NWRmNet_022;Novatel Wireless MiFi 4510 RmNet Network Adapter;c:\windows\system32\drivers\NWRmNet_022.sys [3/1/2011 1:44 PM 243712]
S3 NWUSBModem_022;Novatel Wireless Verizon MiFi LTE USB Modem Driver;c:\windows\system32\drivers\nwusbmdm_022.sys [3/1/2011 1:44 PM 176384]
S3 NWUSBPort_022;Novatel Wireless Verizon MiFi LTE USB Status Port Driver;c:\windows\system32\drivers\nwusbser_022.sys [3/1/2011 1:44 PM 176384]
S3 NWUSBPort2_022;Novatel Wireless Verizon MiFi LTE USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2_022.sys [3/1/2011 1:44 PM 176384]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [3/18/2011 8:28 PM 114704]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [5/25/2009 2:43 PM 32408]
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-06 04:45]
.
2012-01-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-06 04:45]
.
2012-02-03 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 03:40]
.
2012-02-03 c:\windows\Tasks\User_Feed_Synchronization-{4BF85380-8201-416C-857B-918CE2A3E998}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: ebay.com
Trusted Zone: facebook.com\www
Trusted Zone: google.com\www
Trusted Zone: hotmail.com
Trusted Zone: intuit.com\ttlc
Trusted Zone: live.com
Trusted Zone: live.com\*.mail
Trusted Zone: msn.com
Trusted Zone: passport.com
Trusted Zone: windowslivehelp.com
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-KndCLIWLJesl.exe - c:\documents and settings\All Users\Application Data\KndCLIWLJesl.exe
ShellExecuteHooks-{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - c:\program files\Qualcomm\Eudora\EuShlExt.dll
MSConfigStartUp-OrderReminder - c:\program files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-02 18:55
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(284)
c:\windows\system32\netprovcredman.dll
.
Completion time: 2012-02-02 19:09:28
ComboFix-quarantined-files.txt 2012-02-03 02:09
.
Pre-Run: 18,041,036,800 bytes free
Post-Run: 19,091,021,824 bytes free
.
- - End Of File - - A3F8275A6EA72E595F6EE7778E3E7F8E
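Added example, not code from the thread or from ComboFix, GMER or any tool named in it: a small Python triage pass over the firewall-exception and service lines in the ComboFix log format shown above, flagging the entries a responder would look at first. The sample lines are constructed to match that format; the `Enabled` firewall exception and the shortened SpyHunter path are invented for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed sample in the ComboFix log format shown in the post above.
# The "Enabled" firewall exception is invented for the demonstration.
SAMPLE = """\
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"5555:TCP"= 5555:TCP:*:Enabled:constructed remote-admin exception
S0 cerc6;cerc6; [x]
S2 BackupService;BackupService;c:\\documents and settings\\ADMIN\\Application Data\\HP SimpleSave Application\\uUACTokenSvc.exe [11/26/2010 10:06 PM 83512]
S3 esgiguard;esgiguard;\\??\\c:\\program files\\ESG\\esgiguard.sys --> c:\\program files\\ESG\\esgiguard.sys [?]
"""

# "port:proto"= port:proto:scope:Enabled|Disabled:description
FW_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):([^:]*):(Enabled|Disabled):(.*)$')
# S<start> name;display;image [date time size]  |  [x] image missing  |  [?] unverifiable
SVC_RE = re.compile(r'^S(\d) ([^;]+);([^;]*);(.*?)\s*\[(x|\?|[^\]]*)\]$')


@dataclass
class Finding:
    kind: str     # "firewall" or "service"
    subject: str  # port/proto or service name
    reason: str


def triage(log_text: str) -> list[Finding]:
    """Flag lines worth a second look: Enabled firewall exceptions, services whose
    image is missing or unverifiable, and services whose image runs from a profile
    directory (the rogue in this thread ran from All Users\\Application Data)."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        fw = FW_RE.match(line)
        if fw:
            port, proto, scope, state, desc = fw.groups()
            if state == "Enabled":
                findings.append(Finding("firewall", f"{port}/{proto}",
                                        f"open to {scope or '*'}: {desc.strip()}"))
            continue
        svc = SVC_RE.match(line)
        if not svc:
            continue
        _start, name, _display, image, tail = svc.groups()
        if tail == "x":
            findings.append(Finding("service", name, "registered but image file missing (orphan entry)"))
        elif tail == "?":
            findings.append(Finding("service", name, "image could not be verified"))
        elif "\\application data\\" in image.lower():
            findings.append(Finding("service", name, "image runs from a user profile directory"))
    return findings
```

Running `triage(SAMPLE)` returns four findings: the invented open port, the orphaned `cerc6` driver entry, the HP service living under Application Data, and the unverifiable SpyHunter driver.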

#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:02:31 AM

Posted 02 February 2012 - 09:26 PM

Are you now able to boot into normal mode?

Do you have your internet connection back?

How is the computer running?

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 valerie586 (Topic Starter)

Posted 02 February 2012 - 09:47 PM

It boots up without any errors. It looks like all my documents are intact, thank goodness!!! However, the desktop is completely blank...blue with no icons.

#10 valerie586 (Topic Starter)

Posted 03 February 2012 - 02:11 AM

The desktop icons are still missing.
The mouse right-click will not work on the desktop.
When I click on "Start", everything is missing...there is no "run" box, no shortcut to control panel, etc.

Thank you for all your help so far.

#11 CatByte

Posted 03 February 2012 - 02:51 AM

Please download Unhide.exe to your desktop:
  • Double-click on the Unhide.exe icon on your desktop and allow the program to run.
  • This program will remove the hidden attributes from all the files on your system.
  • Note: If you had purposely hidden any files, then you will need to hide them again after this tool has run.



#12 valerie586 (Topic Starter)

Posted 03 February 2012 - 12:42 PM

That worked for the icons and start menu.
The only thing now that doesn't work is the Quick Launch. I have right-clicked and checked "Quick Launch" under tool bars. Also have right-clicked on properties and ticked "Show Quick Launch", rebooted, but it still isn't there.

#13 CatByte

Posted 03 February 2012 - 02:33 PM

Please read through these troubleshooting steps for the quick launch toolbar, as there are many variables in what could be wrong; this web site pretty much covers all the issues:

http://petermartinconsult.supanet.com/computer/windows/quicklau.htm#step2

Please let me know if you are able to restore it (and which solution worked).


Meantime, let's see if there is any leftover malware.

Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish



#14 valerie586 (Topic Starter)

Posted 04 February 2012 - 12:30 AM

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.03.11

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
ADMIN :: VALERIEDELL630 [administrator]

2/3/2012 5:34:21 PM
mbam-log-2012-02-03 (17-34-21).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 193589
Time elapsed: 9 minute(s), 51 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|KndCLIWLJesl.exe (Rogue.Agent.SA) -> Data: C:\Documents and Settings\All Users\Application Data\KndCLIWLJesl.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\KndCLIWLJesl.exe.vir a variant of Win32/Kryptik.ZRD trojan
C:\System Volume Information\_restore{A029713B-E857-4A3D-A355-5CD912F2C3D8}\RP628\A0042550.exe a variant of Win32/Kryptik.ZRD trojan

#15 CatByte

Posted 04 February 2012 - 08:18 AM

That looks better. Those items found by ESET are in old restore points or quarantine already, which we will clean up shortly.

Were you able to resolve the quick launch bar issue?

Please do the following:

Visit ADOBE and download the latest version of Acrobat Reader (version X)
Having the latest updates ensures there are no security vulnerabilities in your system.

NEXT

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and Save it to your Desktop.
  • Scroll down to where it says Java SE 6 Update 30
  • Click the Download button under JRE to the right.
  • Read the License Agreement then select Accept License Agreement
  • Click on the link to download Windows x86 Offline and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u30-windows-i586.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


NEXT

Please post a fresh DDS Log and advise how the computer is running now and if there are any outstanding issues





