THINK MACHINE IS STILL INFECTED AFTER AV +AMWB CLEANING


  • This topic is locked
16 replies to this topic

#1 Sorrow-Miss
  • Members
  • 21 posts

Posted 24 April 2012 - 09:00 AM

Hi

I have been called in to help with a friend's Dell PC after it became infected with a virus. The first signs were that the machine became very slow, and that the IE toolbar was "different" - some of the menu items such as Internet Options were either greyed out or not showing. Internet Options was also missing in the Control Panel. However, the main problem came when she tried to install a regular Windows upgrade which crashed. Following this she was unable to use her Sky TV remote connection to watch TV on the PC (its main use, although you will probably spot in the log below that it had previously been used for her son's games). Any attempt at rolling the system back failed, and now the roll back option is no longer there and cannot be switched back on.

The other worrying problem was that her AVG antivirus product had also disappeared from her desktop and Start Menu (the program folder is still there if you drill down through the C:\Program Files folder).

As I wasn't going to be able to get over to see her within the next couple of days, I advised her to install and run an old version of Norton 360 that she still had, and to then download and run Malwarebytes Anti-Malware. She did this and says that both programs found and successfully cleaned some malware, but unfortunately she didn't keep a note of the reports and has been unable to find them on her PC - if this is a major problem, I can probably hunt them down on the machine. (nb: Spybot was also run and found nothing; the Norton 360 cannot be updated as she no longer has a licence).

The machine is running much better BUT the IE toolbar is still strange with many options missing or greyed out, and she is still unable to access AVG. I am therefore concerned that whatever the virus was that got on to the machine, it still has its hooks deep in the registry and will eventually reinfect the machine. I have therefore run HijackThis and would be grateful if someone could take a look at the log to see if there are any worrying signs. As the main use for this PC is for watching Sky, I am very tempted to reinstall Windows, but as the PC is over 5 years old I do realise that it would be a lengthy process to get it back up to date with WU before it could be considered safe to use again 8-(

HIJACKTHIS LOG:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 21:53:59, on 13/04/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Norton 360\Engine\4.4.0.12\ccSvcHst.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NETGEAR\WNDA3100v2\WifiSvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton 360\Engine\4.4.0.12\ccSvcHst.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\NETGEAR\WNDA3100v2\WNDA3100v2.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\4.4.0.12\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\4.4.0.12\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\4.4.0.12\coIEPlg.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NETGEAR WNDA3100v2 Smart Wizard.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (Egg Money Manager Digital Safe) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\4.4.0.12\ccSvcHst.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: WSWNDA3100 - Unknown owner - C:\Program Files\NETGEAR\WNDA3100v2\WifiSvc.exe

--
End of file - 7032 bytes



Many thanks
Sorrow-Miss


#2 nasdaq
  • Malware Response Team
  • 39,936 posts
  • Location: Montreal, QC, Canada

Posted 29 April 2012 - 08:17 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Close any open browsers, and all other programs working. Make sure you save your file if working on a document.
  • Do not install any other programs until this is fixed.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
===

Third-party programs, if not up to date, can be the cause of infiltration by an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program, all you need to do is restart the computer to reset the registry.

Please post the logs and let me know if the problem persists.

#3 nasdaq
  • Malware Response Team
  • 39,936 posts
  • Location: Montreal, QC, Canada

Posted 05 May 2012 - 09:00 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

#4 nasdaq
  • Malware Response Team
  • 39,936 posts
  • Location: Montreal, QC, Canada

Posted 16 May 2012 - 10:24 AM

Topic reopened.

#5 Sorrow-Miss
  • Topic Starter
  • Members
  • 21 posts

Posted 18 May 2012 - 09:49 PM

Hi Nasdaq

Here Are logs requested:

First Combofix

ComboFix 12-05-18.03 - Brill 19/05/2012 2:33.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.519 [GMT 1:00]
Running from: c:\documents and settings\Brill\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_USNJSVC
.
.
((((((((((((((((((((((((( Files Created from 2012-04-19 to 2012-05-19 )))))))))))))))))))))))))))))))
.
.
2012-05-13 20:39 . 2012-05-13 20:39 -------- d-----w- c:\documents and settings\Brill\Local Settings\Application Data\PCHealth
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-02-05 06:57 . 2007-02-05 06:57 60518 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2007-02-05 06:57 . 2007-02-05 06:57 49248 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2007-02-05 06:57 . 2007-02-05 06:57 165992 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"NortonUpdateAgent"="c:\documents and settings\All Users\Application Data\Norton\NUA.exe" [2011-10-12 2697656]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2012-04-12 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2012-04-12 249856]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Adobe Reader Speed Launch.lnk.disabled [2006-6-11 1757]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-9-12 805392]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
NETGEAR WNDA3100v2 Smart Wizard.lnk - c:\program files\NETGEAR\WNDA3100v2\WNDA3100v2.exe [2010-7-29 3272704]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" /startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"SunJavaUpdateSched"=c:\program files\Java\jre1.5.0_06\bin\jusched.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"MSKDetectorExe"=c:\program files\McAfee\SpamKiller\MSKDetct.exe /uninstall
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Soulstorm\\Soulstorm.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 14:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bbc.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Brill\Application Data\Mozilla\Firefox\Profiles\vdwm2uqo.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B945e994c-9c31-4d96-9426-7360b3a68edc%7D&mid=555b36b8b2dc47d08513d16df4a33577-da64ba60f76ebf4f5ccb25afd1fa61e67feca77a&ds=ft011&v=10.2.0.3&lang=en&pr=sa&d=2012-04-02%2014%3A16%3A34&sap=ku&q=
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-EEventManager - c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-19 02:44
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\4.4.0.12\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\4.4.0.12\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3617262079-1936740233-2371126351-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:5c,74,4a,c1,b7,0b,87,24,fb,39,86,71,a2,14,ba,a2,e2,5d,ed,2a,be,5f,79,
5e,5e,c7,18,3e,1e,d2,48,64,82,c4,62,2c,ec,95,bb,a9,f4,37,a9,0f,ce,92,0c,e8,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d
.
[HKEY_USERS\S-1-5-21-3617262079-1936740233-2371126351-1005\Software\SecuROM\License information*]
"datasecu"=hex:47,6b,26,20,aa,77,2b,c9,87,13,47,7b,b6,7d,1c,7b,59,28,f9,ea,7e,
89,c8,90,f3,ad,67,96,22,e4,d8,00,aa,fa,75,71,96,2b,de,7d,d7,3c,ce,c8,61,4d,\
"rkeysecu"=hex:0c,01,85,43,d9,94,1a,d5,71,29,87,48,26,17,d9,45
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1348)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Norton 360\Engine\4.4.0.12\ccSvcHst.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\NETGEAR\WNDA3100v2\WifiSvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\windows\system32\OSK.exe
c:\windows\system32\MSSWCHX.EXE
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\msiexec.exe
c:\program files\Norton 360\Engine\4.4.0.12\ccSvcHst.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\ntvdm.exe
.
**************************************************************************
.
Completion time: 2012-05-19 02:52:55 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-19 01:52
.
Pre-Run: 44,587,307,008 bytes free
Post-Run: 46,630,506,496 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 5B9927FABA718008D04127D3722C6FBF


and then Checkup.txt:

Results of screen317's Security Check version 0.99.32
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
AVG 2011
Norton 360
Antivirus out of date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:

Spybot - Search & Destroy
Java 2 Runtime Environment, SE v1.4.2_03
Mozilla Firefox (1.5). Firefox out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
``````````End of Log````````````


I am still having problems with Internet Explorer: I cannot open Internet Options from the Control Panel and the menu bars are missing many options including the Tools menu; it also closes unexpectedly if you try to click on some of the remaining menu options. I know it is possible to reset the toolbars through regedit but don't want to do anything until you agree :-)

Previous AV [AVG] seems to no longer be available and I am therefore without proper protection... no intention to browse anywhere yet but need to fix; again will wait for your OK before reinstalling.



Thanks for your help
Sorrow-miss

#6 nasdaq
  • Malware Response Team
  • 39,936 posts
  • Location: Montreal, QC, Canada

Posted 19 May 2012 - 08:31 AM

AVG 2011
Norton 360
Antivirus out of date! (On Access scanning disabled!)


I suggest you remove both of these virus protection products and reinstall only one of them.

You can remove these programs using the Add/Remove programs list.
If you have any difficulties reinstalling the application you can download and run their cleaner tool.


AVAST Uninstall Utility
http://www.avast.com/uninstall-utility

Download and run the Norton Removal Tool FOR YOUR CURRENT PROGRAM.
https://www-secure.symantec.com/norton-support/jsp/help-solutions.jsp?docid=20080710133834EN&lg=english&ct=united+states&product=home&version=1&pvid=f-home&entsrc=redirect_pubweb

p.s. before you remove the application make sure you have the installation programs for the one you will reinstall.
===

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present remove the old version(s) of Java using the Add/Remove Programs applet.


Java 2 Runtime Environment, SE v1.4.2_03


===

I am still having problems with Internet Explorer: I cannot open Internet Options from the Control Panel and the menu bars are missing many options including tools menu: it also closes unexpectedly if you try to click on some of the remaining menu options. I know it is possible to reset the toolbars through regedit but dont want to do anything until you agree :-)


How do you expect to do that?
The only solution to your problem found on Google is to reinstall IE.
You have version 8, so removing this version and reinstalling it would possibly solve your problem.

#7 Sorrow-Miss
  • Topic Starter
  • Members
  • 21 posts

Posted 20 May 2012 - 05:56 PM

thanks for your help

Have reinstalled AVG and removed Norton, also updated Java as recommended.
The IE toolbar fix I referred to was a regedit key deletion. But I decided it was best to reinstall IE8. That is when I hit more problems :-(

IE cannot reinstall as some necessary files have been overwritten by unrecognisable files; to get past this I need a system disk with SP3, mine is only SP2. I know there is a fix for this but it's not so simple and I have other problems that may need fixing first.

I mentioned in previous posts that I could not access Internet Options either from the IE browser or from the Control Panel and this is still the same. The browser window title bar shows only the IE logo - no words as would normally be expected. Several of the menu icons are missing or not working. All could be down to the damaged files but I suspect that this is all due to the original infection which is not completely cleaned from the machine.

AVG found some infected files on initial scan which it cleaned. Now I get regular Shield alerts to say infected files have been found. Log follows:

Resident Shield detection
Infection;"Object";"Result";"Detection time";"Object Type";"Process"
Virus identified Win32/Zbot.G;"c:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP6\A0001435.dll";"Healed";"20/05/2012, 23:07:01";"file";"C:\WINDOWS\system32\svchost.exe"
Virus identified Win32/Zbot.G;"c:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP6\A0001435.dll";"Healed";"20/05/2012, 22:41:35";"file";"C:\WINDOWS\system32\svchost.exe"
Virus identified Win32/Zbot.G;"c:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP6\A0001434.dll";"Healed";"20/05/2012, 21:11:53";"file";"C:\WINDOWS\system32\svchost.exe"
Found Tracking cookie.Webtrends;"c:\Documents and Settings\Brill\Cookies\0P7K99FF.txt";"";"20/05/2012, 19:46:41";"file";"C:\Program Files\Internet Explorer\iexplore.exe"
May be infected by unknown virus Win32/DH{WBIANQ8};"c:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP6\A0001433.exe";"Object is inaccessible.";"20/05/2012, 18:50:55";"file";"C:\WINDOWS\system32\sv ichost.exe"
May be infected by unknown virus Win32/DH{WBIANQ8};"c:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP6\A0001433.exe";"Moved to Virus Vault";"20/05/2012, 18:35:54";"file";"C:\WINDOWS\system32\svchost.exe"

Checking the virus vault, it seems the virus is in a restore point. I don't really want to delete restore points until m/c is healthy - is that right? Grateful for your suggestions!

Sorrow-Miss

#8 nasdaq
  • Malware Response Team
  • 39,936 posts
  • Location: Montreal, QC, Canada

Posted 21 May 2012 - 07:03 AM

Checking the virus vault, it seems the virus is in a restore point. I don't really want to delete restore points until m/c is healthy - is that right? Grateful for your suggestions!


All malware files in the Restore point are not doing any harm.

They will be reactivated if you ever restore it.
Do not restore anything until this problem is solved.

===========

Download the Windows XP Service Pack 3 from this link.
http://support.microsoft.com/kb/322389

===

"C:\Program Files\Internet Explorer\:iexplore.exe" May be infected by unknown virus Win32/DH{WBIANQ8}


Let's check this out.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:


    :filefind
    iexplore.exe

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Edited by nasdaq, 22 May 2012 - 08:03 AM.
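The AVG Resident Shield log in post #7 and the restore-point reasoning in post #8 can be turned into a quick triage check. The Python below is an added example, not code from this thread or from AVG: it parses AVG's semicolon-separated, double-quoted export (five of the entries above are copied into the script as sample input), classifies each hit by where the object lives (inside a `System Volume Information\_restore{...}\RPn\` snapshot, a tracking cookie, or a live file on the running system), and flags any object the scanner reports as "Healed" more than once, because a file that is healed at 22:41 and found again at 23:07 is still on the disk. The restore-point path pattern, the class names and the function names are this example's own assumptions.

```python
import csv
import io
import re
from collections import Counter, defaultdict

# Sample input: the header plus five entries copied from the AVG Resident
# Shield log posted in this thread (copied, not constructed).
AVG_LOG = r'''Infection;"Object";"Result";"Detection time";"Object Type";"Process"
Virus identified Win32/Zbot.G;"c:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP6\A0001435.dll";"Healed";"20/05/2012, 23:07:01";"file";"C:\WINDOWS\system32\svchost.exe"
Virus identified Win32/Zbot.G;"c:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP6\A0001435.dll";"Healed";"20/05/2012, 22:41:35";"file";"C:\WINDOWS\system32\svchost.exe"
Virus identified Win32/Zbot.G;"c:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP6\A0001434.dll";"Healed";"20/05/2012, 21:11:53";"file";"C:\WINDOWS\system32\svchost.exe"
Found Tracking cookie.Webtrends;"c:\Documents and Settings\Brill\Cookies\0P7K99FF.txt";"";"20/05/2012, 19:46:41";"file";"C:\Program Files\Internet Explorer\iexplore.exe"
May be infected by unknown virus Win32/DH{WBIANQ8};"c:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP6\A0001433.exe";"Moved to Virus Vault";"20/05/2012, 18:35:54";"file";"C:\WINDOWS\system32\svchost.exe"
'''

# Assumption of this example: a System Restore snapshot is anything under
# \System Volume Information\_restore{GUID}\RPn\ (the layout seen above).
RESTORE_POINT_RE = re.compile(
    r'\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\',
    re.IGNORECASE)


def parse_avg_log(text):
    """Parse AVG's semicolon-separated, double-quoted export into dicts."""
    reader = csv.DictReader(io.StringIO(text), delimiter=';', quotechar='"')
    return [row for row in reader if row.get('Object')]


def classify(row):
    """Triage a hit by where the object lives, not by its name."""
    if RESTORE_POINT_RE.search(row['Object']):
        return 'restore-point'   # dormant unless System Restore is used
    if row['Infection'].startswith('Found Tracking cookie'):
        return 'cookie'          # privacy noise, not executable code
    return 'live'                # on the running system: needs action


def summarize(rows):
    """Counts per class plus the live objects that still need attention."""
    counts = Counter(classify(r) for r in rows)
    live = sorted({r['Object'] for r in rows if classify(r) == 'live'})
    return {'counts': dict(counts), 'live_objects': live}


def repeated_results(rows, result='Healed'):
    """Objects reported with the same result more than once.

    A file that is 'Healed' at 22:41 and again at 23:07 is still there,
    so whatever the scanner did, it did not remove the object.
    """
    seen = defaultdict(int)
    for r in rows:
        if r['Result'] == result:
            seen[r['Object'].lower()] += 1
    return {obj: n for obj, n in seen.items() if n > 1}


if __name__ == '__main__':
    rows = parse_avg_log(AVG_LOG)
    print(summarize(rows))
    for obj, n in repeated_results(rows).items():
        print(f'{n}x {obj}')
```

On this sample the summary has no live objects: every executable hit is inside restore point RP6, which matches the advice in post #8 that those copies only matter if that restore point is ever applied. The one repeated "Healed" on A0001435.dll is the signal that the on-access scanner is not actually removing anything from the snapshot.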


#9 Sorrow-Miss
  • Topic Starter
  • Members
  • 21 posts

Posted 21 May 2012 - 05:22 PM

hi, thanks for reassurance on the restore points.

Download the Windows XP 3 service pack from this link.
http://support.microsoft.com/kb/322389

===


I don't think I was very clear on the OS: the PC is running XP SP3 but the only disk I have is SP2; the SP3 was part of the update service so was downloaded. If you put the SP2 disk in as requested during the uninstall or new install process for IE8, it is rejected as it does not match the patched OS.

I cannot repair or reload any version of IE, but the owner needs this as she cannot access some of the online programs with Firefox or Chrome, and she also cannot access her Sky TV on those either, and this is the main use of the PC.


Ran the SystemLook utility and log is as follows:

SystemLook 30.07.11 by jpshortstuff
Log created at 23:13 on 21/05/2012 by Brill
Administrator - Elevation successful

========== filefind ==========

========== filefind ==========

-= EOF =-


Once again, thanks for all your help :-D

Sorrow-Miss

#10 nasdaq
  • Malware Response Team
  • 39,936 posts
  • Location: Montreal, QC, Canada

Posted 22 May 2012 - 08:05 AM

My apologies I should have read my reply.

I wanted to search for iexplore.exe but unfortunately I pasted the wrong command.

Please run the Systemlook tool and use this command.

:filefind
iexplore.exe


p.s.
I have corrected my previous post.

#11 Sorrow-Miss
  • Topic Starter
  • Members
  • 21 posts

Posted 22 May 2012 - 03:59 PM

Hi nasdaq

Haha - wondered what the command was meant to do; should have checked. Never mind.
Have now run the program again and here are the slightly longer results:

SystemLook 30.07.11 by jpshortstuff
Log created at 21:52 on 22/05/2012 by Brill
Administrator - Elevation successful

========== filefind ==========

Searching for "iexplore.exe"
C:\d893b0e3dd137e016e\iexplore.exe --a---- 638816 bytes [13:09 08/03/2009] [13:09 08/03/2009] B60DDDD2D63CE41CB8C487FCFBB6419E
C:\Program Files\Internet Explorer\iexplore.exe ------- 638816 bytes [03:40 16/08/2005] [13:09 08/03/2009] B60DDDD2D63CE41CB8C487FCFBB6419E
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\iexplore.exe --a---- 199240 bytes [18:54 13/04/2012] [14:56 04/04/2012] 097D0E812D7A9A3101CE46CB2BE0474D
C:\WINDOWS\$hf_mig$\KB2360131-IE7\SP3QFE\iexplore.exe --a---- 634648 bytes [11:07 25/08/2010] [11:07 25/08/2010] F047BEB9771E45A05F425499A30F9BBA
C:\WINDOWS\$hf_mig$\KB2416400-IE7\SP3QFE\iexplore.exe --a---- 634648 bytes [10:36 18/10/2010] [10:36 18/10/2010] DA6E1F0F1932B62DD2F6ED05541C555C
C:\WINDOWS\$hf_mig$\KB2482017-IE7\SP3QFE\iexplore.exe --a---- 634648 bytes [10:49 20/12/2010] [10:49 20/12/2010] B74CBEBA34E3CAA2CCACC87FEE8A16C0
C:\WINDOWS\$hf_mig$\KB2497640-IE7\SP3QFE\iexplore.exe --a---- 634648 bytes [11:36 14/02/2011] [11:36 14/02/2011] E3CC8CCF21BFDC954255BB17083FB9F0
C:\WINDOWS\$hf_mig$\KB2530548-IE7\SP3QFE\iexplore.exe --a---- 634648 bytes [10:34 21/04/2011] [10:34 21/04/2011] 3E23DBEBE1020D52C63235E4189FAC03
C:\WINDOWS\$hf_mig$\KB931768-IE7\SP2QFE\iexplore.exe --a---- 625152 bytes [09:17 09/05/2007] [06:51 28/02/2007] D321092F8529CDAE843D6E24E3CAC6CB
C:\WINDOWS\$hf_mig$\KB933566-IE7\SP2QFE\iexplore.exe --a---- 625152 bytes [14:20 24/04/2007] [14:20 24/04/2007] 9B3516C1F30DA17ADD3818573047D63C
C:\WINDOWS\$hf_mig$\KB937143-IE7\SP2QFE\iexplore.exe --a---- 625152 bytes [09:16 27/06/2007] [09:16 27/06/2007] BD8502DFD53FC24FB8D6929DC46B8C2C
C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\iexplore.exe --a---- 625152 bytes [10:12 17/08/2007] [10:12 17/08/2007] 5577D0E3AC2F9F035ACD81B44AF5F511
C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\iexplore.exe --a---- 625664 bytes [08:16 10/10/2007] [08:16 10/10/2007] 632BDE0179847234433CA50945442ACB
C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\iexplore.exe --a---- 625664 bytes [08:34 06/12/2007] [08:34 06/12/2007] 809D17D8FA0FDAEE07778CD821CAFFDE
C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\iexplore.exe --a---- 625664 bytes [11:37 09/04/2008] [09:40 22/02/2008] 6E0888626E0CAC79F57149814E22DB4D
C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\iexplore.exe --a---- 625664 bytes [06:36 11/06/2008] [08:02 22/04/2008] 197B7E4030CFBD8D2979D375E1787AA2
C:\WINDOWS\$hf_mig$\KB972260-IE7\SP3QFE\iexplore.exe --a---- 634632 bytes [07:25 29/06/2009] [07:25 29/06/2009] 02E2754D3E566C11A4934825920C47DD
C:\WINDOWS\$hf_mig$\KB974455-IE7\SP3QFE\iexplore.exe --a---- 634648 bytes [05:18 27/08/2009] [05:18 27/08/2009] 332EC7562F3AA7364F2D4231C56DA986
C:\WINDOWS\$hf_mig$\KB976325-IE7\SP3QFE\iexplore.exe --a---- 634632 bytes [06:54 28/10/2009] [06:54 28/10/2009] 80675329E0FD54F016C4F8A83C616349
C:\WINDOWS\$hf_mig$\KB978207-IE7\SP3QFE\iexplore.exe --a---- 634632 bytes [07:00 18/12/2009] [07:00 18/12/2009] D19E56D5930C37CF211867DF450C372A
C:\WINDOWS\$hf_mig$\KB980182-IE7\SP3QFE\iexplore.exe --a---- 634648 bytes [05:19 23/02/2010] [05:19 23/02/2010] C8DDA4028065D5CE39CBE7A156B72AB9
C:\WINDOWS\$hf_mig$\KB982381-IE7\SP3QFE\iexplore.exe --a---- 634648 bytes [11:08 16/04/2010] [11:08 16/04/2010] B24A4E23A2FEDB6976EB04D334AD82B2
C:\WINDOWS\ERDNT\cache\iexplore.exe --a---- 638816 bytes [01:49 19/05/2012] [13:09 08/03/2009] B60DDDD2D63CE41CB8C487FCFBB6419E
C:\WINDOWS\ie7\iexplore.exe --a--c- 93184 bytes [11:55 12/02/2007] [04:00 10/08/2004] E7484514C0464642BE7B4DC2689354C8
C:\WINDOWS\ie7updates\KB2360131-IE7\iexplore.exe -----c- 634656 bytes [23:03 27/11/2010] [11:43 16/04/2010] C4BA5E36FB57F547117305BF1E0FE454
C:\WINDOWS\ie7updates\KB2416400-IE7\iexplore.exe -----c- 634648 bytes [22:57 21/12/2010] [11:30 25/08/2010] E5412ED9E07C42C20C48D3FF71E6B1E8
C:\WINDOWS\ie7updates\KB2482017-IE7\iexplore.exe -----c- 634648 bytes [22:43 11/02/2011] [11:07 18/10/2010] 72D1F43C4146D312B0DB6AB98C21340E
C:\WINDOWS\ie7updates\KB2497640-IE7\iexplore.exe -----c- 634648 bytes [20:58 15/04/2011] [11:25 20/12/2010] 091D358EFC9D22901BD879EF37F0DAC4
C:\WINDOWS\ie7updates\KB2530548-IE7\iexplore.exe -----c- 634648 bytes [22:13 16/06/2011] [12:17 14/02/2011] E4A798DFDE7FE6E79F23548F0EF0F844
C:\WINDOWS\ie7updates\KB928090-IE7\iexplore.exe -----c- 622080 bytes [01:38 18/02/2007] [12:04 17/10/2006] 5334D4461AA92A7B008755FE6D13C5F2
C:\WINDOWS\ie7updates\KB931768-IE7\iexplore.exe -----c- 623616 bytes [22:18 09/05/2007] [18:08 08/01/2007] 93A6A4F5293AE19E3B37021AABCF0902
C:\WINDOWS\ie7updates\KB933566-IE7\iexplore.exe -----c- 623616 bytes [22:43 13/06/2007] [08:00 21/02/2007] 683DDE71BCF03B501B912D20CB93B549
C:\WINDOWS\ie7updates\KB937143-IE7\iexplore.exe -----c- 625152 bytes [09:58 15/08/2007] [14:26 24/04/2007] 10BDB55982586A432A3951EB19A26009
C:\WINDOWS\ie7updates\KB939653-IE7\iexplore.exe -----c- 625152 bytes [23:04 10/10/2007] [08:27 27/06/2007] 275CEE268B9E5D82474C43D5D249D111
C:\WINDOWS\ie7updates\KB942615-IE7\iexplore.exe -----c- 625152 bytes [23:04 12/12/2007] [10:21 17/08/2007] 3AC2BC667DA0AF2C968E96E1630F5AB5
C:\WINDOWS\ie7updates\KB944533-IE7\iexplore.exe -----c- 625152 bytes [01:48 14/02/2008] [10:59 10/10/2007] E854D02E4231F704D9BE782A424E6D8B
C:\WINDOWS\ie7updates\KB947864-IE7\iexplore.exe -----c- 625664 bytes [00:00 10/04/2008] [11:01 06/12/2007] 2703D940A62B731AA220529DD7331A78
C:\WINDOWS\ie7updates\KB950759-IE7\iexplore.exe -----c- 625664 bytes [10:40 12/06/2008] [08:55 29/02/2008] 2D0E5592AB5A46C27DAF7CCAFF4F5B59
C:\WINDOWS\ie7updates\KB972260-IE7\iexplore.exe -----c- 625664 bytes [21:38 24/09/2009] [07:40 22/04/2008] 232B22817B90AE0AFF2D189E3E3735AC
C:\WINDOWS\ie7updates\KB974455-IE7\iexplore.exe -----c- 634632 bytes [10:34 18/10/2009] [08:35 29/06/2009] 3CFC56F73D494FC1AA2B6E981DF15ACD
C:\WINDOWS\ie7updates\KB976325-IE7\iexplore.exe -----c- 634648 bytes [22:02 08/01/2010] [05:18 27/08/2009] F232BA9F39BC0F722672C7E79E68EBEA
C:\WINDOWS\ie7updates\KB978207-IE7\iexplore.exe -----c- 634632 bytes [21:17 22/01/2010] [06:54 28/10/2009] 4F9B04D546C23A295F3F0AE015BE51DB
C:\WINDOWS\ie7updates\KB980182-IE7\iexplore.exe -----c- 634648 bytes [20:46 01/04/2010] [13:05 18/12/2009] 53C291F3B01EECECBD7FD358EA3ACC94
C:\WINDOWS\ie7updates\KB982381-IE7\iexplore.exe -----c- 634648 bytes [19:38 30/06/2010] [05:20 23/02/2010] B5116340B84824DDD0A641E36B126194
C:\WINDOWS\ie8\iexplore.exe --a---- 634648 bytes [09:29 07/07/2011] [10:58 21/04/2011] B6E13F9C120C776A89D783E26D6C15C5
C:\WINDOWS\ServicePackFiles\i386\iexplore.exe ------- 93184 bytes [10:33 25/09/2009] [00:12 14/04/2008] 55794B97A7FAABD2910873C85274F409
C:\WINDOWS\system32\dllcache\iexplore.exe ------- 638816 bytes [03:40 16/08/2005] [13:09 08/03/2009] B60DDDD2D63CE41CB8C487FCFBB6419E

-= EOF =-

Hope that gives some clues
many many thanks
Sorrow-Miss
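
The filefind block above is easier to reason about when the copies are grouped by MD5: identical hashes mean byte-identical files, so a copy in an odd place that carries the same hash as the dllcache or Program Files copy is a duplicate rather than a different binary, while a copy with a hash seen nowhere else is the one to verify. As an added example (not from this thread and not part of SystemLook), here is a small Python script that parses lines in SystemLook's output format, groups them by hash and flags copies outside the folders where iexplore.exe is expected. The sample lines are constructed from the log above; the folder list EXPECTED_PREFIXES is an assumption about where the file legitimately lives on a Windows XP machine.

```python
"""Parse a SystemLook ':filefind' block, group copies by MD5 and flag copies
that live outside the folders where the file is expected.

Added example, not part of the thread or of SystemLook itself. The sample
lines below are constructed from the log posted above; EXPECTED_PREFIXES is
an assumption about where iexplore.exe legitimately lives on a Windows XP box.
"""
import re
from collections import defaultdict

# One result line: <path> <7 attribute flags> <size> bytes [created] [modified] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<attrs>[-A-Za-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)

# Folders where copies of iexplore.exe are expected (assumption, lower-case).
EXPECTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\internet explorer\\",
)

# Constructed sample in SystemLook's output format (values taken from the log above).
SAMPLE_LOG = r"""
SystemLook 30.07.11 by jpshortstuff
Administrator - Elevation successful

========== filefind ==========

Searching for "iexplore.exe"
C:\d893b0e3dd137e016e\iexplore.exe --a---- 638816 bytes [13:09 08/03/2009] [13:09 08/03/2009] B60DDDD2D63CE41CB8C487FCFBB6419E
C:\Program Files\Internet Explorer\iexplore.exe ------- 638816 bytes [03:40 16/08/2005] [13:09 08/03/2009] B60DDDD2D63CE41CB8C487FCFBB6419E
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\iexplore.exe --a---- 199240 bytes [18:54 13/04/2012] [14:56 04/04/2012] 097D0E812D7A9A3101CE46CB2BE0474D
C:\WINDOWS\ie8\iexplore.exe --a---- 634648 bytes [09:29 07/07/2011] [10:58 21/04/2011] B6E13F9C120C776A89D783E26D6C15C5
C:\WINDOWS\system32\dllcache\iexplore.exe ------- 638816 bytes [03:40 16/08/2005] [13:09 08/03/2009] B60DDDD2D63CE41CB8C487FCFBB6419E

-= EOF =-
"""


def parse_filefind(text):
    """Return a list of dicts (path, attrs, size, created, modified, md5), one per result line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            entries.append(entry)
    return entries


def group_by_md5(entries):
    """Map each MD5 to the paths carrying that hash (same hash = byte-identical copy)."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["md5"]].append(e["path"])
    return dict(groups)


def _expected(path, prefixes):
    return path.lower().startswith(prefixes)


def triage(entries, prefixes=EXPECTED_PREFIXES):
    """List (path, verdict) for every copy outside the expected folders.

    'matches known copy' means the same MD5 also exists in an expected folder,
    so the file is byte-identical to a known copy; 'unique hash' means the file
    should be verified (publisher signature, second-opinion scan) before it is trusted.
    """
    known = {e["md5"] for e in entries if _expected(e["path"], prefixes)}
    findings = []
    for e in entries:
        if _expected(e["path"], prefixes):
            continue
        verdict = "matches known copy" if e["md5"] in known else "unique hash"
        findings.append((e["path"], verdict))
    return findings


if __name__ == "__main__":
    parsed = parse_filefind(SAMPLE_LOG)
    for md5, paths in group_by_md5(parsed).items():
        print(md5, "->", len(paths), "copy/copies")
    for path, verdict in triage(parsed):
        print(f"{verdict:18} {path}")
```

Run against the constructed sample, the copy in the hex-named folder at the drive root is reported as matching a known copy (same MD5 as the Program Files and dllcache copies), while the copy under the Malwarebytes Chameleon folder is reported as a unique hash. A unique hash is a prompt to verify the file, not a detection by itself.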

#12 nasdaq
  • Malware Response Team
  • 39,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 23 May 2012 - 08:24 AM

Open notepad and copy/paste the text in the quote box below into it:

File::
C:\d893b0e3dd137e016e\iexplore.exe

FCOPY::
C:\WINDOWS\ie8\iexplore.exe | C:\Program Files\Internet Explorer\iexplore.exe


Save this as CFScript.txt on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Let me know what problem persists.

#13 Sorrow-Miss
  • Topic Starter
  • Members
  • 21 posts

Posted 23 May 2012 - 04:19 PM

Hello nasdaq

Have run ComboFix with the saved file and the log follows:

ComboFix 12-05-23.05 - Brill 23/05/2012 21:36:18.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.604 [GMT 1:00]
Running from: c:\documents and settings\Brill\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Brill\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
FILE ::
"c:\d893b0e3dd137e016e\iexplore.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\d893b0e3dd137e016e\iexplore.exe
c:\documents and settings\Brill\Application Data\AdobeDLM.log
C:\Thumbs.db
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Thumbs.db
.
.
--------------- FCopy ---------------
.
c:\windows\ie8\iexplore.exe --> c:\program files\Internet Explorer\iexplore.exe
.
((((((((((((((((((((((((( Files Created from 2012-04-23 to 2012-05-23 )))))))))))))))))))))))))))))))
.
.
2012-05-20 21:01 . 2012-05-20 21:01 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-05-20 21:01 . 2012-05-20 21:01 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-05-20 21:01 . 2012-05-20 21:01 472864 ----a-w- c:\windows\system32\deployJava1.dll
2012-05-20 18:20 . 2012-05-20 18:20 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-20 01:03 . 2012-05-20 01:03 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-05-20 00:54 . 2012-05-20 00:54 -------- d-----w- c:\documents and settings\Brill\Application Data\AVG2012
2012-05-20 00:41 . 2012-05-20 00:41 -------- d-----w- c:\documents and settings\Brill\Local Settings\Application Data\AVG Secure Search
2012-05-20 00:40 . 2012-05-20 20:23 -------- d-----w- c:\program files\AVG Secure Search
2012-05-20 00:39 . 2012-05-23 19:52 -------- d-----w- c:\windows\system32\drivers\AVG
2012-05-20 00:39 . 2012-05-20 01:08 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2012-05-19 18:41 . 2008-04-13 23:12 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2012-05-19 18:41 . 2001-08-17 21:36 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2012-05-19 18:41 . 2008-04-13 23:12 18944 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2012-05-19 18:41 . 2001-08-17 21:37 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe
2012-05-19 18:41 . 2001-08-17 21:37 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe
2012-05-19 18:40 . 2001-08-17 21:37 99865 ----a-w- c:\windows\system32\dllcache\xlog.exe
2012-05-19 18:40 . 2001-08-17 11:11 16970 ----a-w- c:\windows\system32\dllcache\xem336n5.sys
2012-05-19 18:40 . 2004-08-03 20:29 19455 ----a-w- c:\windows\system32\dllcache\wvchntxx.sys
2012-05-19 18:40 . 2004-08-03 20:29 12063 ----a-w- c:\windows\system32\dllcache\wsiintxx.sys
2012-05-19 18:40 . 2008-04-13 23:12 8192 ----a-w- c:\windows\system32\dllcache\wshirda.dll
2012-05-19 18:40 . 2008-04-13 17:36 8832 ----a-w- c:\windows\system32\dllcache\wmiacpi.sys
2012-05-19 18:40 . 2004-08-03 20:31 154624 ----a-w- c:\windows\system32\dllcache\wlluc48.sys
2012-05-19 18:38 . 2001-08-17 11:14 249402 ----a-w- c:\windows\system32\dllcache\vinwm.sys
2012-05-19 18:37 . 2001-08-17 12:58 22912 ----a-w- c:\windows\system32\dllcache\umaxpcls.sys
2012-05-19 18:36 . 2001-08-17 13:01 241664 ----a-w- c:\windows\system32\dllcache\tosdvd02.sys
2012-05-19 18:35 . 2001-08-17 21:36 53760 ----a-w- c:\windows\system32\dllcache\sw_wheel.dll
2012-05-19 18:34 . 2004-08-10 04:00 10240 ----a-w- c:\windows\system32\dllcache\snmpstup.dll
2012-05-19 18:33 . 2001-08-17 11:50 104064 ----a-w- c:\windows\system32\dllcache\sisgrp.sys
2012-05-19 18:32 . 2001-08-17 12:52 11648 ----a-w- c:\windows\system32\dllcache\scsiprnt.sys
2012-05-19 18:31 . 2001-08-17 21:36 82432 ----a-w- c:\windows\system32\dllcache\rwia450.dll
2012-05-19 18:30 . 2001-08-17 12:28 128286 ----a-w- c:\windows\system32\dllcache\ptserli.sys
2012-05-19 18:29 . 2001-08-17 11:11 29769 ----a-w- c:\windows\system32\dllcache\pcntn5m.sys
2012-05-19 18:28 . 2001-08-17 11:20 54528 ----a-w- c:\windows\system32\dllcache\opl3sax.sys
2012-05-19 18:27 . 2001-08-17 21:36 60480 ----a-w- c:\windows\system32\dllcache\neo20xx.dll
2012-05-19 18:26 . 2001-08-17 13:00 2944 ----a-w- c:\windows\system32\dllcache\msmpu401.sys
2012-05-19 18:26 . 2008-04-13 17:54 22016 ----a-w- c:\windows\system32\dllcache\msircomm.sys
2012-05-19 18:26 . 2001-08-17 13:02 35200 ----a-w- c:\windows\system32\dllcache\msgame.sys
2012-05-19 18:26 . 2008-04-13 17:46 51200 ----a-w- c:\windows\system32\dllcache\msdv.sys
2012-05-19 18:26 . 2001-08-17 12:48 6016 ----a-w- c:\windows\system32\dllcache\msfsio.sys
2012-05-19 18:26 . 2008-04-13 17:46 15232 ----a-w- c:\windows\system32\dllcache\mpe.sys
2012-05-19 18:26 . 2001-08-17 12:52 6528 ----a-w- c:\windows\system32\dllcache\miniqic.sys
2012-05-19 18:23 . 2001-08-17 11:12 20573 ----a-w- c:\windows\system32\dllcache\lne100.sys
2012-05-19 18:22 . 2001-08-17 21:36 372824 ----a-w- c:\windows\system32\dllcache\iconf32.dll
2012-05-19 18:21 . 2001-08-17 12:28 488383 ----a-w- c:\windows\system32\dllcache\hsf_v124.sys
2012-05-19 18:20 . 2001-08-17 21:36 123392 ----a-w- c:\windows\system32\dllcache\hpgt21tk.dll
2012-05-19 18:19 . 2001-08-17 11:12 24618 ----a-w- c:\windows\system32\dllcache\fa410nd5.sys
2012-05-19 18:18 . 2001-08-17 11:11 153631 ----a-w- c:\windows\system32\dllcache\el90xnd5.sys
2012-05-19 18:17 . 2001-08-17 11:11 24649 ----a-w- c:\windows\system32\dllcache\dfe650d.sys
2012-05-19 18:16 . 2001-08-17 11:13 46108 ----a-w- c:\windows\system32\dllcache\cben5.sys
2012-05-19 18:15 . 2001-08-17 12:49 26624 ----a-w- c:\windows\system32\dllcache\alifir.sys
2012-05-19 18:09 . 2004-08-10 04:00 7168 ----a-w- c:\windows\system32\dllcache\wamregps.dll
2012-05-19 18:09 . 2001-08-17 13:56 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2012-05-19 18:08 . 2004-08-10 04:00 7680 ----a-w- c:\windows\system32\dllcache\inetmgr.exe
2012-05-19 18:08 . 2004-08-10 04:00 19968 ----a-w- c:\windows\system32\dllcache\inetsloc.dll
2012-05-19 18:08 . 2004-08-10 04:00 169984 ----a-w- c:\windows\system32\dllcache\iisui.dll
2012-05-19 18:08 . 2004-08-10 04:00 5632 ----a-w- c:\windows\system32\dllcache\iisrstap.dll
2012-05-19 18:08 . 2004-08-10 04:00 14336 ----a-w- c:\windows\system32\dllcache\iisreset.exe
2012-05-19 18:08 . 2004-08-10 04:00 6144 ----a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2012-05-13 20:39 . 2012-05-13 20:39 -------- d-----w- c:\documents and settings\Brill\Local Settings\Application Data\PCHealth
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-20 18:20 . 2011-10-25 13:33 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-19 03:50 . 2012-04-19 03:50 24896 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2012-04-13 20:53 . 2012-04-13 20:53 388096 ----a-r- c:\documents and settings\Brill\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-04-12 22:19 . 2007-05-28 20:55 61440 ----a-r- c:\documents and settings\Brill\Application Data\Microsoft\Installer\{45D3CD3E-7715-4341-8441-A3A6409FCDE4}\NewShortcut3_45D3CD3E771543418441A3A6409FCDE4.exe
2012-04-12 19:28 . 2005-10-31 15:56 700416 ----a-w- C:\StubInstaller.exe
2012-04-11 13:12 . 2005-08-16 03:18 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 13:10 . 2005-08-16 03:18 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 12:35 . 2004-08-03 21:59 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-04 14:56 . 2012-04-13 18:54 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-19 04:17 . 2012-03-19 04:17 301248 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2012-03-01 11:01 . 2005-08-16 03:18 916992 ------w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2005-08-16 03:18 43520 ------w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2005-08-16 03:18 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2005-08-16 03:18 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2005-08-16 03:18 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2005-08-16 03:18 385024 ------w- c:\windows\system32\html.iec
2006-04-05 22:37 . 2006-04-05 22:37 559784 ----a-w- c:\program files\GoogleToolbarInstaller.exe
2012-04-21 01:19 . 2012-05-20 01:02 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2007-02-05 06:57 . 2007-02-05 06:57 60518 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2007-02-05 06:57 . 2007-02-05 06:57 49248 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2007-02-05 06:57 . 2007-02-05 06:57 165992 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2012-05-23_20.20.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-08-16 03:40 . 2011-04-21 10:58 634648 c:\windows\system32\dllcache\iexplore.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-05-20 00:40 2067328 ----a-w- c:\program files\AVG Secure Search\11.0.0.9\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\11.0.0.9\AVG Secure Search_toolbar.dll" [2012-05-20 2067328]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2012-04-12 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2012-04-12 249856]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-05-20 1116544]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-9-12 805392]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
NETGEAR WNDA3100v2 Smart Wizard.lnk - c:\program files\NETGEAR\WNDA3100v2\WNDA3100v2.exe [2010-7-29 3272704]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" /startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"SunJavaUpdateSched"=c:\program files\Java\jre1.5.0_06\bin\jusched.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"MSKDetectorExe"=c:\program files\McAfee\SpamKiller\MSKDetct.exe /uninstall
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Soulstorm\\Soulstorm.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [19/04/2012 04:50 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [31/01/2012 04:46 31952]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [22/02/2012 05:25 235216]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [19/03/2012 05:17 301248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [14/02/2012 04:53 193288]
R2 vToolbarUpdater11.0.2;vToolbarUpdater11.0.2;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\11.0.2\ToolbarUpdater.exe [20/05/2012 01:40 932736]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [23/12/2011 13:32 139856]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [23/12/2011 13:32 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [23/12/2011 13:32 17232]
R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [29/07/2010 21:23 632576]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\avgidsagent.exe [30/04/2012 09:44 5106744]
S2 WSWNDA3100;WSWNDA3100;c:\program files\NETGEAR\WNDA3100v2\WifiSvc.exe [29/07/2010 21:23 278528]
S3 lac97inf;lac97inf;\??\c:\docume~1\Brill\LOCALS~1\Temp\lac97inf.sys --> c:\docume~1\Brill\LOCALS~1\Temp\lac97inf.sys [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [20/05/2012 02:03 129976]
S3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\DRIVERS\ss.sys --> c:\windows\system32\DRIVERS\ss.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 14:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bbc.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: {{68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\AVG\AVG2012\avgdtiex.dll
TCP: DhcpNameServer = 192.168.1.254
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\11.0.2\ViProtocol.dll
FF - ProfilePath - c:\documents and settings\Brill\Application Data\Mozilla\Firefox\Profiles\vdwm2uqo.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B945e994c-9c31-4d96-9426-7360b3a68edc%7D&mid=555b36b8b2dc47d08513d16df4a33577-da64ba60f76ebf4f5ccb25afd1fa61e67feca77a&ds=AVG&v=11.0.0.9&lang=en&pr=fr&d=2012-05-20%2001%3A40%3A48&sap=ku&q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-23 21:44
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3617262079-1936740233-2371126351-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:5c,74,4a,c1,b7,0b,87,24,fb,39,86,71,a2,14,ba,a2,e2,5d,ed,2a,be,5f,79,
5e,5e,c7,18,3e,1e,d2,48,64,82,c4,62,2c,ec,95,bb,a9,f4,37,a9,0f,ce,92,0c,e8,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d
.
[HKEY_USERS\S-1-5-21-3617262079-1936740233-2371126351-1005\Software\SecuROM\License information*]
"datasecu"=hex:47,6b,26,20,aa,77,2b,c9,87,13,47,7b,b6,7d,1c,7b,59,28,f9,ea,7e,
89,c8,90,f3,ad,67,96,22,e4,d8,00,aa,fa,75,71,96,2b,de,7d,d7,3c,ce,c8,61,4d,\
"rkeysecu"=hex:0c,01,85,43,d9,94,1a,d5,71,29,87,48,26,17,d9,45
.
Completion time: 2012-05-23 21:48:18
ComboFix-quarantined-files.txt 2012-05-23 20:48
ComboFix2.txt 2012-05-23 20:27
ComboFix3.txt 2012-05-19 01:52
.
Pre-Run: 45,538,086,912 bytes free
Post-Run: 45,515,739,136 bytes free
.
- - End Of File - - 72BF4083CDDEBFEA90490761ACD086B5

I am going to reboot the machine now and try surfing on IE; will let you know how I get on.
:-)

thanks
Sorrow-Miss

#14 Sorrow-Miss
  • Topic Starter
  • Members
  • 21 posts

Posted 23 May 2012 - 05:58 PM

hello again

Regret IE8 is now not working at all! Clicking on the icon brings the hourglass for a few seconds, then that disappears and nothing happens. Same with Internet Options in Control Panel (but that means no change from before).

best regards
Sorrow-Miss

#15 nasdaq
  • Malware Response Team
  • 39,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 24 May 2012 - 09:57 AM

Do you have a restore point from just prior to installing IE8?

If you do, run it.



