Infected with unknown


  • This topic is locked
9 replies to this topic

#1 nexus_99

nexus_99

  • Members
  • 119 posts
  • OFFLINE
  • Local time:08:23 PM

Posted 28 March 2012 - 07:01 PM

Hello there,

My computer is infected with an unknown virus. It will not allow anything to be opened; it simply pops up to say that "<program that was tried to open> is infected."

DDS and GMER logs had to be run in Safe Mode... sorry.

*****************************************************************************************************
DDS LOG:

.
DDS (Ver_2011-08-26.01) - NTFSx86 MINIMAL
Internet Explorer: 8.0.6001.18702
Run by Cindy Sgroi at 15:15:29 on 2012-03-28
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3033.2760 [GMT -4:00]
.
AV: Norton Internet Security *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.torontomls.net/Login.asp
uSearch Page = hxxp://www.live.com
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.8.3.6\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.8.3.6\IPSBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.8.3.6\coIEPlg.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\isuspm.exe" -scheduler
uRunOnce: [F4D55F3B03CAF76109E57505D151FC4E] c:\documents and settings\all users\application data\f4d55f3b03caf76109e57505d151fc4e\F4D55F3B03CAF76109E57505D151FC4E.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1304276010281
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F3DCFC89-8C6E-4052-9176-B7806D188FD5} - hxxp://www.disneyphotopass.com/Scripts/ImageUploader7.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.8.3.6\CoIEPlg.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1008030.006\SymEFA.sys [2011-10-11 310320]
R3 O2MDGRDR;O2MDGRDR;c:\windows\system32\drivers\o2mdg.sys [2009-7-25 51616]
R3 O2SDGRDR;O2SDGRDR;c:\windows\system32\drivers\o2sdg.sys [2009-7-25 41760]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1008030.006\BHDrvx86.sys [2011-10-11 259632]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1008030.006\cchpx86.sys [2011-10-11 467592]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20101102.001\IDSXpx86.sys [2010-10-19 341880]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-10 135664]
S2 MSSQL$RETSDATA;MSSQL$RETSDATA;c:\program files\microsoft sql server\mssql$retsdata\binn\sqlservr.exe -sretsdata --> c:\program files\microsoft sql server\mssql$retsdata\binn\sqlservr.exe -sRETSDATA [?]
S2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.8.3.6\ccSvcHst.exe [2011-10-11 117648]
S3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-7-25 112512]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-30 102448]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-10 135664]
S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20101103.002\NAVENG.SYS [2010-11-3 86064]
S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20101103.002\NAVEX15.SYS [2010-11-3 1371184]
S3 SQLAgent$RETSDATA;SQLAgent$RETSDATA;c:\program files\microsoft sql server\mssql$retsdata\binn\sqlagent.exe -i retsdata --> c:\program files\microsoft sql server\mssql$retsdata\binn\sqlagent.EXE -i RETSDATA [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-25 14336]
.
=============== Created Last 30 ================
.
2012-03-28 18:56:29 -------- d-----w- c:\documents and settings\all users\application data\F4D55F3B03CAF76109E57505D151FC4E
.
==================== Find3M ====================
.
2012-02-21 22:43:42 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 15:15:57.62 ===============

***************************************************************************************************************************************
GMER LOG:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-28 19:51:10
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.FCDO
Running: rv19hl9d.exe; Driver: C:\DOCUME~1\CINDYS~1\LOCALS~1\Temp\kwlyqkoc.sys


---- Kernel code sections - GMER 1.0.15 ----

? SYMEFA.SYS The system cannot find the file specified. !
? C:\DOCUME~1\CINDYS~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


#2 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • OFFLINE
  • Gender:Male
  • Location:Midwest U.S.A.
  • Local time:06:23 PM

Posted 31 March 2012 - 08:08 PM

Greetings nexus_99 and Welcome to the Forum,

Your description of the issue has me wondering how you were able to run gmer. DDS I can understand, since it's a script file, but gmer is an executable, so it's intriguing to say the least. Can you provide the names of the couple of programs you tried to open?

Please disable the active protection component of your antivirus and antispyware programs by following the directions that apply Here.
Of those, many people overlook Windows Defender since, for most, there is no icon for it in the system tray. Scroll through those directives above and look for this application specifically, to make certain it is disabled.

Please download combofix from This Webpage...and read through the instructions there for running the tool.

***Important Note***
Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

If you have Windows Vista or Windows 7, you can skip the recovery console step...in Vista/7 it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista or Windows 7 installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.


The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a log file for you. Please post that log back here on your next reply. Thanks!

Note:
Do not mouse-click ComboFix's window while it's running... that may cause the scan to stall.

Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#3 nexus_99

nexus_99
  • Topic Starter

  • Members
  • 119 posts
  • OFFLINE
  • Local time:08:23 PM

Posted 02 April 2012 - 02:30 PM

Hi There 1972Vet,

Thank you so very much for helping me out with this. I wasn't able to open anything - Excel documents, Word documents, DDS, Internet Explorer - anything at all. I was only able to run DDS and GMER after rebooting in Safe Mode.

The weekend with the computer being off seems to have settled it down. It booted normally, and (maybe because it didn't have internet?) allowed me to open programs. I took this opportunity to re-run GMER and then ran ComboFix as you requested. Both logs are below.

*******************************************************************************************************
GMER LOG:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-02 12:48:04
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.FCDO
Running: rv19hl9d.exe; Driver: C:\DOCUME~1\CINDYS~1\LOCALS~1\Temp\kwlyqkoc.sys


---- System - GMER 1.0.15 ----

SSDT 89A34098 ZwAlertResumeThread
SSDT 899C89A8 ZwAlertThread
SSDT 88A162C8 ZwAllocateVirtualMemory
SSDT 89A123A8 ZwAssignProcessToJobObject
SSDT 892509C0 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xA1C07130]
SSDT 8924A1F8 ZwCreateMutant
SSDT 891B9B28 ZwCreateSymbolicLinkObject
SSDT 8992E8A0 ZwCreateThread
SSDT 89A1F970 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xA1C073B0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA1C07910]
SSDT 893A4900 ZwDuplicateObject
SSDT 89468A90 ZwFreeVirtualMemory
SSDT 89A1F3B0 ZwImpersonateAnonymousToken
SSDT 89A09440 ZwImpersonateThread
SSDT 89251AF8 ZwLoadDriver
SSDT 89480138 ZwMapViewOfSection
SSDT 899FD910 ZwOpenEvent
SSDT 89385D80 ZwOpenProcess
SSDT 899F0C98 ZwOpenProcessToken
SSDT 89A0B110 ZwOpenSection
SSDT 893890C8 ZwOpenThread
SSDT 892B4818 ZwProtectVirtualMemory
SSDT 898E61A0 ZwResumeThread
SSDT 8996B370 ZwSetContextThread
SSDT 89355110 ZwSetInformationProcess
SSDT 89A131A8 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA1C07B60]
SSDT 89A0FE60 ZwSuspendProcess
SSDT 899B96A8 ZwSuspendThread
SSDT 8996E140 ZwTerminateProcess
SSDT 899B1910 ZwTerminateThread
SSDT 899715C0 ZwUnmapViewOfSection
SSDT 88A3D798 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

? SYMEFA.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[1188] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device 9821CD20

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


*********************************************************************************************************
COMBOFIX LOG:

ComboFix 12-04-01.03 - Cindy Sgroi 02/04/2012 12:51:27.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3033.2504 [GMT -4:00]
Running from: E:\ComboFix.exe
AV: Norton Internet Security *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\dasetup.log
c:\windows\system32\twain.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-03-02 to 2012-04-02 )))))))))))))))))))))))))))))))
.
.
2012-03-28 18:56 . 2012-04-02 15:46 -------- d-----w- c:\documents and settings\All Users\Application Data\F4D55F3B03CAF76109E57505D151FC4E
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-21 22:43 . 2012-02-21 22:43 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-04 39408]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-03-31 217088]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-02-22 483420]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-02-22 729088]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-22 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-22 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-22 150040]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 148888]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-12 2220032]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-08-04 122368]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-07-23 933888]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1008030.006\SymEFA.sys [11/10/2011 10:12 AM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1008030.006\BHDrvx86.sys [11/10/2011 10:12 AM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1008030.006\cchpx86.sys [11/10/2011 10:12 AM 467592]
R2 MSSQL$RETSDATA;MSSQL$RETSDATA;c:\program files\Microsoft SQL Server\MSSQL$RETSDATA\Binn\sqlservr.exe -sRETSDATA --> c:\program files\Microsoft SQL Server\MSSQL$RETSDATA\Binn\sqlservr.exe -sRETSDATA [?]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe [11/10/2011 10:12 AM 117648]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [25/07/2009 7:13 PM 112512]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [30/05/2010 4:00 AM 102448]
R3 O2MDGRDR;O2MDGRDR;c:\windows\system32\drivers\o2mdg.sys [25/07/2009 7:13 PM 51616]
R3 O2SDGRDR;O2SDGRDR;c:\windows\system32\drivers\o2sdg.sys [25/07/2009 7:13 PM 41760]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20101102.001\IDSXpx86.sys [19/10/2010 4:36 PM 341880]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/02/2010 1:23 PM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/02/2010 1:23 PM 135664]
S3 SQLAgent$RETSDATA;SQLAgent$RETSDATA;c:\program files\Microsoft SQL Server\MSSQL$RETSDATA\Binn\sqlagent.EXE -i RETSDATA --> c:\program files\Microsoft SQL Server\MSSQL$RETSDATA\Binn\sqlagent.EXE -i RETSDATA [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [25/04/2008 12:16 PM 14336]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - kwlyqkoc
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2012-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 17:23]
.
2012-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 17:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.torontomls.net/Login.asp
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1 192.168.1.1
DPF: {F3DCFC89-8C6E-4052-9176-B7806D188FD5} - hxxp://www.disneyphotopass.com/Scripts/ImageUploader7.cab
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Smart Fortress 2012 - c:\documents and settings\All Users\Application Data\F4D55F3B03CAF76109E57505D151FC4E\F4D55F3B03CAF76109E57505D151FC4E.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-02 12:55
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.8.3.6\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1296)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2012-04-02 12:56:41
ComboFix-quarantined-files.txt 2012-04-02 16:56
.
Pre-Run: 224,603,463,680 bytes free
Post-Run: 226,085,789,696 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 5D2A4F9B23A94F06715FA7C18977C021

#4 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • OFFLINE
  • Gender:Male
  • Location:Midwest U.S.A.
  • Local time:06:23 PM

Posted 02 April 2012 - 04:19 PM

Please open a blank Notepad by clicking Start --> Run... Then, in the Run box, type Notepad.exe and click "OK".
Copy the text below in bold and paste it into the blank Notepad. Save it as CFScript.txt... change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe.

Combofix will run again automatically. Please post back the new log that will be generated along with the "Add-Remove programs.txt" which you'll find inside the qoobox folder on the c:\drive. Thanks!
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.



KILLALL::

dds:
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} -

folder::
c:\documents and settings\All Users\Application Data\F4D55F3B03CAF76109E57505D151FC4E

Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven
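A small triage script for DDS "Pseudo HJT Report" lines like the ones pasted in the first post, added here as an illustration; it is not part of any post in this thread and not a tool from BleepingComputer, DDS or ComboFix. It flags the same two kinds of entry the CFScript above targets (the orphaned BHO registered with "No File", and the uRunOnce entry whose name and executable are a 32-hex-digit string under All Users\Application Data), plus a security product reporting itself disabled or outdated. The heuristics, the Finding class and the function names are my own assumptions, not anything DDS defines; the sample lines are constructed from the first DDS log in this thread with one benign line added for contrast.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines in the DDS "Pseudo HJT Report" format, copied from the
# first log in this thread, plus a benign Dell touchpad autorun for contrast.
SAMPLE_DDS_LINES = [
    "uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe",
    "BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\\program files\\common files\\adobe\\acrobat\\activex\\AcroIEHelperShim.dll",
    "BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File",
    "uRunOnce: [F4D55F3B03CAF76109E57505D151FC4E] c:\\documents and settings\\all users\\application data\\f4d55f3b03caf76109e57505d151fc4e\\F4D55F3B03CAF76109E57505D151FC4E.exe",
    "mRun: [Apoint] c:\\program files\\delltpad\\Apoint.exe",
    "AV: Norton Internet Security *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}",
]


@dataclass
class Finding:
    """One DDS line worth a second look, with the heuristic that fired (my own naming)."""
    line: str
    reason: str


# Heuristics below are assumptions for this example, not DDS or ComboFix rules.
HEX32 = re.compile(r"^[0-9A-F]{32}$", re.IGNORECASE)
RUN_ENTRY = re.compile(r"^(?P<hive>[um])(?P<key>Run|RunOnce|RunServices): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
BHO_ENTRY = re.compile(r"^BHO: (?:(?P<desc>.*?): )?\{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
# First executable path in a command line, quoted or not (DDS prints paths with spaces unquoted).
PATH_IN_CMD = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|cpl|scr))"?', re.IGNORECASE)


def is_hex32(s):
    """True for a 32-hex-digit name such as F4D55F3B03CAF76109E57505D151FC4E."""
    return bool(HEX32.match(s))


def triage_line(line):
    """Return a Finding for a suspicious DDS line, or None for a line that looks benign."""
    line = line.strip()
    m = RUN_ENTRY.match(line)
    if m:
        name, cmd = m.group("name"), m.group("cmd")
        pm = PATH_IN_CMD.match(cmd)
        exe = pm.group("path").split("\\")[-1] if pm else ""
        stem = exe.rsplit(".", 1)[0]
        if is_hex32(name) or is_hex32(stem):
            return Finding(line, "autorun named with a 32-hex-digit string (rogue-AV style random name)")
        low = cmd.lower()
        if "\\application data\\" in low or "\\appdata\\" in low:
            return Finding(line, "autorun launches an executable from a user-writable data folder")
        return None
    m = BHO_ENTRY.match(line)
    if m and m.group("path").strip().lower() == "no file":
        return Finding(line, "BHO registered but its DLL is missing (orphan entry)")
    if line.startswith(("AV:", "FW:")) and "*disabled" in line.lower():
        return Finding(line, "security product reports itself disabled or outdated")
    return None


def triage(lines):
    """Run triage_line over every line and keep only the findings, in log order."""
    return [f for f in (triage_line(l) for l in lines) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS_LINES):
        print(f"{f.reason}\n    {f.line}")
```

On the sample above the script reports three entries: the "No File" BHO, the hex-named uRunOnce, and the disabled Norton line; these are exactly the items a helper would fold into a CFScript or ask about, while ctfmon, the Adobe BHO and the Dell touchpad autorun pass silently.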


#5 nexus_99

nexus_99
  • Topic Starter

  • Members
  • 119 posts
  • OFFLINE
  • Local time:08:23 PM

Posted 02 April 2012 - 04:39 PM

Thanks for the speedy reply. Both logs posted below.

**********************************************************************************
COMBOFIX LOG:

ComboFix 12-04-01.03 - Cindy Sgroi 02/04/2012 17:27:13.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3033.2464 [GMT -4:00]
Running from: E:\ComboFix.exe
Command switches used :: E:\CFScript Apr 2.txt
AV: Norton Internet Security *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\F4D55F3B03CAF76109E57505D151FC4E
c:\documents and settings\All Users\Application Data\F4D55F3B03CAF76109E57505D151FC4E\F4D55F3B03CAF76109E57505D151FC4E
.
.
((((((((((((((((((((((((( Files Created from 2012-03-02 to 2012-04-02 )))))))))))))))))))))))))))))))
.
.
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-21 22:43 . 2012-02-21 22:43 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((( SnapShot@2012-04-02_16.55.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-04-02 21:32 . 2012-04-02 21:32 16384 c:\windows\Temp\Perflib_Perfdata_3b8.dat
+ 2012-04-02 21:31 . 2012-04-02 21:31 16384 c:\windows\Temp\Perflib_Perfdata_32c.dat
+ 2012-04-02 21:31 . 2012-04-02 21:31 16384 c:\windows\Temp\Perflib_Perfdata_30c.dat
+ 2008-04-25 16:16 . 2012-04-02 21:28 87546 c:\windows\system32\perfc009.dat
- 2008-04-25 16:16 . 2012-04-02 15:50 87546 c:\windows\system32\perfc009.dat
+ 2008-04-25 16:16 . 2012-04-02 21:28 484812 c:\windows\system32\perfh009.dat
- 2008-04-25 16:16 . 2012-04-02 15:50 484812 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-04 39408]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-03-31 217088]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-02-22 483420]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-02-22 729088]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-22 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-22 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-22 150040]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 148888]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-12 2220032]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-08-04 122368]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-07-23 933888]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1008030.006\SymEFA.sys [11/10/2011 10:12 AM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1008030.006\BHDrvx86.sys [11/10/2011 10:12 AM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1008030.006\cchpx86.sys [11/10/2011 10:12 AM 467592]
R2 MSSQL$RETSDATA;MSSQL$RETSDATA;c:\program files\Microsoft SQL Server\MSSQL$RETSDATA\Binn\sqlservr.exe -sRETSDATA --> c:\program files\Microsoft SQL Server\MSSQL$RETSDATA\Binn\sqlservr.exe -sRETSDATA [?]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe [11/10/2011 10:12 AM 117648]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [25/07/2009 7:13 PM 112512]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [30/05/2010 4:00 AM 102448]
R3 O2MDGRDR;O2MDGRDR;c:\windows\system32\drivers\o2mdg.sys [25/07/2009 7:13 PM 51616]
R3 O2SDGRDR;O2SDGRDR;c:\windows\system32\drivers\o2sdg.sys [25/07/2009 7:13 PM 41760]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20101102.001\IDSXpx86.sys [19/10/2010 4:36 PM 341880]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/02/2010 1:23 PM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/02/2010 1:23 PM 135664]
S3 SQLAgent$RETSDATA;SQLAgent$RETSDATA;c:\program files\Microsoft SQL Server\MSSQL$RETSDATA\Binn\sqlagent.EXE -i RETSDATA --> c:\program files\Microsoft SQL Server\MSSQL$RETSDATA\Binn\sqlagent.EXE -i RETSDATA [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [25/04/2008 12:16 PM 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2012-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 17:23]
.
2012-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 17:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.torontomls.net/Login.asp
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {F3DCFC89-8C6E-4052-9176-B7806D188FD5} - hxxp://www.disneyphotopass.com/Scripts/ImageUploader7.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-02 17:32
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.8.3.6\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1304)
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(3564)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\program files\Google\Quick Search Box\bin\1.2.1151.245\qsb.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\system32\brsvc01a.exe
c:\drivers\audio\r211990\stacsv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL$RETSDATA\Binn\sqlservr.exe
c:\windows\system32\brss01a.exe
c:\windows\system32\DRIVERS\o2flash.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\Apntex.exe
c:\program files\DellTPad\HidFind.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2012-04-02 17:34:04 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-02 21:34
ComboFix2.txt 2012-04-02 16:56
.
Pre-Run: 226,097,143,808 bytes free
Post-Run: 226,095,001,600 bytes free
.
- - End Of File - - E4C5D5D750FAB4E9A67148E5A855AF2C

**********************************************************************************************************
ADD-REMOVE LOG:

Acrobat.com
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Reader 9.1
AgentOffice
AgentOffice 10.0
Apple Software Update
Bonjour
Brother MFL-Pro Suite
Dell Support Center
Dell Touchpad
Dell Wireless WLAN Card Utility
easyOFFER 2011 OREA
Google Chrome
Google Quick Search Box
Google Toolbar for Internet Explorer
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB949764)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB953955)
Hotfix for Windows XP (KB954434)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB958347)
Hotfix for Windows XP (KB959252)
Hotfix for Windows XP (KB961118)
Intel® Graphics Media Accelerator Driver
Java™ 6 Update 13
Junk Mail filter update
Malwarebytes Anti-Malware version 1.60.1.1000
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Basic 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Publisher 2002
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server Desktop Engine (RETSDATA)
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB927977)
Norton Internet Security
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB2497640)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
Segoe UI
TrueForms 4.5 for FNF
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2492386)
Update for Windows XP (KB898461)
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows Search 4.0
XML Paper Specification Shared Components Pack 1.0
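
An added example, not part of this thread and not a ComboFix or BleepingComputer tool: a small Python triage script for the service/driver and firewall-policy sections of a ComboFix log like the one above. The sample lines are copied from that log. The script reads the ComboFix convention that the leading R/S means running/stopped and the digit is the service start type (0 boot, 1 system, 2 auto, 3 manual, 4 disabled), and treats `[?]` in place of the date and size as "ComboFix could not verify the image file"; those readings and the triage rules are this example's assumptions, not statements made in the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: service and firewall-policy lines copied from the ComboFix
# log above, trimmed to the lines that exercise each case the parser handles.
SERVICE_LINES = r"""
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1008030.006\SymEFA.sys [11/10/2011 10:12 AM 310320]
R2 MSSQL$RETSDATA;MSSQL$RETSDATA;c:\program files\Microsoft SQL Server\MSSQL$RETSDATA\Binn\sqlservr.exe -sRETSDATA --> c:\program files\Microsoft SQL Server\MSSQL$RETSDATA\Binn\sqlservr.exe -sRETSDATA [?]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe [11/10/2011 10:12 AM 117648]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20101102.001\IDSXpx86.sys [19/10/2010 4:36 PM 341880]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [25/04/2008 12:16 PM 14336]
"""

FIREWALL_LINES = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"""

# Assumed ComboFix convention: R/S = running/stopped, digit = SCM start type.
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}

@dataclass
class ServiceEntry:
    state: str          # "R" running or "S" stopped
    start_type: int     # see START_TYPES
    name: str
    display: str
    image: str          # configured command line
    verified: bool      # False when ComboFix printed "[?]" instead of date/size
    size: Optional[int]

@dataclass
class PortRule:
    port: int
    proto: str
    scope: str          # "*" = any remote address
    enabled: bool
    name: str

SERVICE_RE = re.compile(
    r"^([RS])([0-4]) ([^;]+);([^;]*);(.*?)"      # state, start type, name, display, image
    r"(?: \[(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M) (\d+)\]| \[\?\])$"  # stamp or [?]
)

def parse_services(text: str) -> List[ServiceEntry]:
    entries = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if not m:
            continue
        state, start, name, display, image, _stamp, size = m.groups()
        # "configured --> resolved" is printed when the file could not be verified;
        # keep the configured command line, which is what the SCM actually runs.
        image = image.split(" --> ", 1)[0]
        entries.append(ServiceEntry(state, int(start), name, display, image,
                                    size is not None, int(size) if size else None))
    return entries

def parse_firewall(text: str) -> Tuple[List[str], List[PortRule]]:
    apps, ports, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line.rsplit("\\", 2)[-2]   # ...\<Section>\List]
            continue
        m = re.match(r'^"(.*)"=\s*(.*)$', line)
        if not m:
            continue
        key, value = m.group(1).replace("\\\\", "\\"), m.group(2)  # undo reg-export escaping
        if section == "AuthorizedApplications":
            apps.append(key)
        elif section == "GloballyOpenPorts":
            port, proto, scope, enabled, name = value.split(":", 4)
            ports.append(PortRule(int(port), proto, scope, enabled.lower() == "enabled", name))
    return apps, ports

def triage(entries: List[ServiceEntry], ports: List[PortRule]) -> List[str]:
    """Assumed triage rules: unverifiable images, stopped boot/system drivers, open ports."""
    findings = []
    for e in entries:
        if not e.verified:
            findings.append(f"{e.name}: ComboFix could not verify the image file ({e.image})")
        if e.state == "S" and e.start_type <= 1:
            findings.append(f"{e.name}: {START_TYPES[e.start_type]}-start driver is not running")
    for p in ports:
        if p.enabled and p.scope == "*":
            findings.append(f"port {p.port}/{p.proto} open to any address: {p.name}")
    return findings

if __name__ == "__main__":
    services = parse_services(SERVICE_LINES)
    apps, ports = parse_firewall(FIREWALL_LINES)
    for e in services:
        print(f"{e.state}{e.start_type} {e.name:<26} verified={e.verified!s:<5} {e.image}")
    print("firewall exceptions:", len(apps), "open-port rules:", len(ports))
    for f in triage(services, ports):
        print("!!", f)
```

On the sample above the script flags two things: the MSSQL$RETSDATA image could not be verified (a command line with arguments, which is why ComboFix shows the `-->` form), and the Norton IDS driver IDSxpx86 is a system-start driver that is not running. The 5985/TCP WinRM rule is parsed but not flagged because the registry value marks it Disabled.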

#6 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.
Posted 02 April 2012 - 04:55 PM

Download FileHippo's Update Checker. Double-click the FHSetup.exe file to install it. When the install completes, you'll find the Update Checker shortcut on the desktop. Double-click on it and a scan begins with the results showing in your browser. Any software it finds to be out of date will be presented in your browser. Just click on the download link provided there to download your software updates. Ignore the beta software unless you want that...during the scanner initialization, you can click the settings link, then click the results tab and check the box "Hide beta versions". After clicking the OK button, click the "Retry" link to continue the scan with those settings. When that completes, run a manual update to your on-board anti-virus program and run a complete system scan. Allow the software to quarantine whatever it complains of. Post back the results and advise how the system behaves at this point. Thanks!

Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#7 nexus_99

  • Topic Starter
  • Members
  • 119 posts

Posted 04 April 2012 - 10:19 AM

Thanks again 1972Vet.

I updated the files as per FileHippo, and since there is no onboard anti-virus I used MBAM. I've run a quick scan and a full scan; the only thing found in the full scan was in the system restore.

Both logs are attached.

************************************************************************************
MBAM QUICK LOG:

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.04.04.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Cindy Sgroi :: CINDYS_LAPTOP [administrator]

04/04/2012 10:45:30 AM
mbam-log-2012-04-04 (10-45-30).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 196850
Time elapsed: 3 minute(s), 17 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
**************************************************************
MBAM FULL SCAN:

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.04.04.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Cindy Sgroi :: CINDYS_LAPTOP [administrator]

04/04/2012 10:51:46 AM
mbam-log-2012-04-04 (10-51-46).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 244838
Time elapsed: 19 minute(s), 23 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP122\A0036563.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

(end)

#8 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 04 April 2012 - 10:04 PM

Thanks again 1972Vet.

I updated the files as per FileHippo, and since there is no onboard anti-virus I used MBAM. I've run a quick scan and a full scan; the only thing found in the full scan was in the system restore...

The logs and your installed programs list show that you have Norton Internet Security. Norton antivirus is a part of it. You should be using an antivirus product...MalwareBytes is an anti-malware, not anti-virus. You can peruse the FAQ-Common Issues, Questions and their solutions and see that there are solutions recommended for those issues with the particular anti-virus products listed. The team members there (of which I am one...and a Moderator on that forum) will tell you they do recommend using an anti-virus product along with mbam.

Please update Norton and run a full system scan at least once a week. Your mbam log, although impressive, won't find nor protect you from ALL the viruses out there. It does work well with anti-virus products so no worries there. Please run a Norton scan and post the log. Thanks!


#9 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 09 April 2012 - 07:23 PM

Still with us nexus_99?


#10 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 12 April 2012 - 05:49 PM

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
