Web browser infected


  • This topic is locked
11 replies to this topic

#1 Mooglebooboo

Mooglebooboo

  • Members
  • 245 posts
  • OFFLINE
  • Local time:09:11 AM

Posted 31 July 2012 - 11:37 PM

Whenever I'm browsing, a random tab is added to my Firefox tabs. It keeps doing that nonstop. I keep getting an ad called cosumerlifestyles. No matter where I browse, I get the same page that adds itself to my Firefox tabs. It's not a popup. I was told to post here. I even reinstalled Firefox and it didn't help. The tab also appears when I'm not browsing or anything. It just pops up on its own. Also, my Adobe Flash is lagging badly. It freezes the picture of the video and the audio is messed up. Also, the audio in the background is messing up, like there's static in the background when the sound plays or someone in the video speaks. I tried refreshing the page but got the same static sound. The sound was working just a while ago; now it's permanently static. First it was a video lag problem where the screen would freeze and the audio would play. But now the audio is messed up and slow. My antispyware is Microsoft Security Essentials, but for some reason it's not working, though the icon still appears. It says my computer is at risk and is out of date. I tried to fix it but I get an error that says:

Couldn't start security essentials. The specified service doesn't exist as an installed service. Click help for more information on this problem Error code:0x80070424

Plus, my Adobe Flash problem returned. Everything is extremely slow too. Whenever I watch a video I get lag, and the sound repeats one word and lags. My Adobe then has static in the background when I play a video. Someone helped me with this but the problem came back. After all the problems with the video that's playing in my web browser, Adobe Flash crashes. Reinstalling it doesn't help; I reinstalled it so many times. Even troubleshooting Firefox doesn't work. When videos on the web have a hard time playing the video and audio, I get a warning: unresponsive script. I get it a lot.

My original post:

http://www.bleepingcomputer.com/forums/topic461364.html/page__st__15__gopid__2780807#entry2780807

I was able to fix my antivirus, so that doesn't need help.

I was able to remove a trojan, but the problem is still there. First it freezes the video and the audio lags so that you can't understand what it's saying, then a box appears: 'Warning: unresponsive script'. Then it shows the link in the box with the word static in front of the link. It happens so much during the video that I cannot even watch and enjoy a Crunchyroll video T_T. Since the trojan was removed this error has been appearing less, but I'd like it to stop. Unresponsive script appeared so much it caused Adobe to crash. All that's left is the problem above.

When I get an unresponsive script error, that's when the problem occurs.

I also have a question. This could possibly be the cause:
http://www.bleepingcomputer.com/forums/topic463133.html/page__p__2786271#entry2786271

Located 4 trojans in total:

Even if the unresponsive script error doesn't appear, my video lags. It never lagged before, any video, any size. I even tried to make the video smaller and still it freezes, and the audio is so choppy you can't understand what it's saying. Everywhere I watch a video in the web browser there's a problem, so I think there's something wrong with my computer. I can't even watch one video without it messing up. Sometimes the videos just freeze, giving me no choice but to refresh, but then later on it freezes again. I started having these problems two weeks ago, so I know there's got to be something wrong with my computer. Then sometimes it freezes, I refresh, and it still won't play. The audio sounds like the way you hear things when you go on a roller coaster.

My antivirus detected something. I'm guessing the virus came back.

There was one before; now there's 4:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.29.09

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Ayra1008 :: XD [administrator]

7/29/2012 7:06 PM
mbam-log-2012-07-29 (19-06-41).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 297155
Time elapsed: 1 hour(s), 53 minute(s), 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Documents and Settings\Ayra1008\Local Settings\Application Data\{424923de-e62c-a96d-ea0f-322bd541463d}\n. -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\WINDOWS\Installer\{424923de-e62c-a96d-ea0f-322bd541463d}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\WINDOWS\assembly\GAC\Desktop.ini (Trojan.0access) -> Quarantined and deleted successfully.

(end)
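The MBAM log above has a regular line format, so it can be parsed into something you can pivot on instead of eyeballing it. This is an added example (not Malwarebytes' code and not something the poster ran): the sample input is the log from this post, condensed by dropping blank lines, and the parser cross-checks the per-section counts MBAM declares against what it actually parsed, tallies detection families, and pulls out the GUIDs that tie entries together across sections (here the CLSID whose InprocServer32 value points at a file under Local Settings\Application Data\{GUID}\n, and that same GUID naming the directory under C:\WINDOWS\Installer). The treatment of the trailing period after registry value data and of the empty name after "|" as the (Default) value are assumptions about the MBAM 1.x format, marked in the code.

```python
"""Parse a Malwarebytes Anti-Malware 1.x scan log into structured detections.
Added example for this thread, not MBAM's own code. Sample log = the one in the post above."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

SECTION_RE = re.compile(r"^(?P<kind>[A-Za-z ]+?) Detected: (?P<count>\d+)$")  # "Files Detected: 2"
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+?)\.?$")  # "<item> (<family>) -> <action>."
DATA_RE = re.compile(r"^Data: (?P<data>.+?) -> (?P<action>.+)$")  # registry values log their data before the action
GUID_RE = re.compile(r"\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}")


@dataclass
class Detection:
    kind: str                         # section, e.g. "Files"
    item: str                         # registry key or file path as logged
    family: str                       # MBAM detection name, e.g. "Trojan.Zaccess"
    action: str                       # what MBAM did with it
    data: Optional[str] = None        # registry value data, if any
    value_name: Optional[str] = None  # registry value name, if any


def parse_mbam_log(text: str) -> Tuple[List[Detection], Dict[str, int]]:
    """Return (detections, declared count per section)."""
    detections: List[Detection] = []
    declared: Dict[str, int] = {}
    kind: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            kind = m.group("kind")
            declared[kind] = int(m.group("count"))
            continue
        m = DETECTION_RE.match(line)
        if not (m and kind):
            continue  # blank, "(No malicious items detected)" or scan-header lines
        item, rest = m.group("item"), m.group("rest")
        data = value_name = None
        d = DATA_RE.match(rest)
        action = d.group("action") if d else rest
        if d:
            data = d.group("data").rstrip(".")  # assumption: MBAM appends "." after the value data
        if kind.startswith("Registry Values"):
            item, _, name = item.partition("|")  # assumption: "Key|ValueName"; empty name = (Default)
            value_name = name or "(Default)"
        detections.append(Detection(kind, item, m.group("family"), action, data, value_name))
    return detections, declared


def verify_counts(detections: List[Detection], declared: Dict[str, int]) -> Dict[str, Tuple[int, int]]:
    """Sections whose declared count differs from what was parsed: (declared, parsed). Expect {}."""
    parsed = Counter(d.kind for d in detections)
    return {k: (n, parsed.get(k, 0)) for k, n in declared.items() if parsed.get(k, 0) != n}


def families(detections: List[Detection]) -> Dict[str, int]:
    return dict(Counter(d.family for d in detections))


def shared_guids(detections: List[Detection]) -> Dict[str, Set[str]]:
    """GUIDs (lower-cased) that appear in more than one section, e.g. a CLSID pointing at a dropped file."""
    seen: Dict[str, Set[str]] = {}
    for d in detections:
        for g in GUID_RE.findall(" ".join(x for x in (d.item, d.data) if x)):
            seen.setdefault(g.lower(), set()).add(d.kind)
    return {g: kinds for g, kinds in seen.items() if len(kinds) > 1}


# The log from the post above, with blank lines removed.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware 1.62.0.1300
Database version: v2012.07.29.09
Scan type: Full scan (C:\|D:\|)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
Registry Keys Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> Quarantined and deleted successfully.
Registry Values Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Documents and Settings\Ayra1008\Local Settings\Application Data\{424923de-e62c-a96d-ea0f-322bd541463d}\n. -> Quarantined and deleted successfully.
Registry Data Items Detected: 0
Folders Detected: 0
Files Detected: 2
C:\WINDOWS\Installer\{424923de-e62c-a96d-ea0f-322bd541463d}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\WINDOWS\assembly\GAC\Desktop.ini (Trojan.0access) -> Quarantined and deleted successfully.
(end)
"""

if __name__ == "__main__":
    dets, declared = parse_mbam_log(SAMPLE_LOG)
    print(families(dets), verify_counts(dets, declared), shared_guids(dets))
```

The count check matters more than it looks: a log whose parsed entries do not add up to what the scanner declared is either truncated when pasted or uses a line form the parser has not seen, and either way the summary should not be trusted.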


#2 Mooglebooboo

Mooglebooboo
  • Topic Starter

  • Members
  • 245 posts
  • OFFLINE
  • Local time:09:11 AM

Posted 31 July 2012 - 11:39 PM

Oops, I made a double post, sorry.

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.5.1
Run by Ayra1008 at 15:51:53 on 2012-07-26
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.345 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdnserv.exe
C:\WINDOWS\system32\lxdncoms.exe
C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\atwtusb.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\Lexmark 2600 Series\lxdnmon.exe
C:\Program Files\Lexmark 2600 Series\ezprint.exe
C:\WINDOWS\system32\WTMKM.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\DfrgNtfs.exe
"C:\WINDOWS\System32\svchost.exe" -k LocalServiceDns
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Facebook Update] "c:\documents and settings\ayra1008\local settings\application data\facebook\update\FacebookUpdate.exe" /c /nocrashserver
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
mRun: [lxdnmon.exe] "c:\program files\lexmark 2600 series\lxdnmon.exe"
mRun: [EzPrint] "c:\program files\lexmark 2600 series\ezprint.exe"
mRun: [MacrokeyManager] WTMKM.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
IE: Download with Xilisoft YouTube Video Converter - c:\program files\xilisoft\youtube video converter\upod_link.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{F83BF51E-C2D2-4E9D-B457-0750D5580137} : DhcpNameServer = 192.168.1.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\ayra1008\application data\mozilla\firefox\profiles\ltrnjz7s.default\
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\ayra1008\application data\kalydo\kalydoplayer\npkalydo.dll
FF - plugin: c:\documents and settings\ayra1008\local settings\application data\facebook\video\skype\npFacebookVideoCalling.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_265.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.SYS [?]
S3 apf001;apf001;\??\c:\game\softnyxgame\gunboundis\apf001.sys --> c:\game\softnyxgame\gunboundis\apf001.sys [?]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2011-6-2 11336]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\eaglexnt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
.
=============== Created Last 30 ================
.
2012-07-24 21:47:46 -------- d-----w- c:\program files\Oracle
2012-07-24 00:33:33 -------- d--h--w- c:\documents and settings\ayra1008\application data\42B4F4DB
2012-07-24 00:33:31 122880 ----a-w- c:\documents and settings\ayra1008\application data\KB00762753.exe
2012-07-23 18:29:52 6891424 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6bf2a927-fe15-438b-9ddd-7eafb0fb67f6}\mpengine.dll
2012-07-23 18:17:29 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-21 23:25:23 6891424 ------w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-07-17 03:24:28 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-08 13:43:41 -------- d-----w- C:\My Shared Folder
2012-07-08 13:43:31 -------- d-----w- c:\program files\Kazaa Lite
2012-07-05 23:45:34 5030088 ----a-w- c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
2012-07-01 20:28:50 -------- d-----r- c:\program files\Skype
.
==================== Find3M ====================
.
2012-07-06 03:07:08 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-07-06 03:06:20 687544 ----a-w- c:\windows\system32\deployJava1.dll
2012-07-03 18:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-13 13:19:59 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50:25 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 15:50:25 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32:08 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 20:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 20:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 20:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 20:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 20:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 20:18:58 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 20:18:58 214256 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 20:18:58 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 02:48:57 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2012-05-15 02:48:23 1840 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2012-05-11 14:42:33 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42:33 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38:02 385024 ----a-w- c:\windows\system32\html.iec
2012-05-04 13:16:13 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32:19 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2010-12-28 00:23:50 400384 ----a-w- c:\program files\JavaRa.exe
.
============= FINISH: 15:54:31.06 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 4/21/2011 11:58:55 AM
System Uptime: 7/26/2012 11:28:02 AM (4 hours ago)
.
Motherboard: Dell Inc. | | 0KD882
Processor: Genuine Intel® CPU T2060 @ 1.60GHz | Microprocessor | 798/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 112 GiB total, 57.509 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
7-Zip 9.20
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.3)
Adobe Shockwave Player 11.6
AIM 7
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
Broadcom 440x 10/100 Integrated Controller
CCleaner
Conexant HDA D110 MDC V.92 Modem
Coupon Printer for Windows
Dell Driver Download Manager
Dell Wireless WLAN Card
DivxToDVD 0.5.2b
ESET Online Scanner v3
Facebook Video Calling 1.2.0.159
FeralHeart version 1.13
GIMP 2.8.0
GoonzuEng
High Definition Audio Driver Package - KB835221
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB981793)
HP Deskjet 1000 J110 series Basic Device Software
HP Deskjet 1000 J110 series Help
HP Deskjet 1000 J110 series Product Improvement Study
HP Photo Creations
HP Update
IconArt
ijji Auto Installer
Intel® Graphics Media Accelerator Driver
Intel® PROSet/Wireless Software
iTunes
Java Auto Updater
Java™ 7 Update 5
JavaFX 2.1.1
K-Lite v2.7
Kalydo Player 3.10.04
Kazaa Lite 2.7
Lexmark 2600 Series
Luminary - Rise of Goonzu 654
Malwarebytes Anti-Malware version 1.62.0.1300
Manga Studio Debut 4.0
mCore
mDriver
mDrWiFi
Media Player Codec Pack 3.9.9
mHlpDell
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Office File Validation Add-In
Microsoft Office Professional Edition 2003
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
mIWA
mLogView
mMHouse
Mouse Suite for Laptop Computers
Mozilla Firefox 14.0.1 (x86 en-US)
Mozilla Maintenance Service
Mp3tag v2.51
mPfMgr
mPfWiz
mProSafe
mSCfg
mSSO
MSXML 6 Service Pack 2 (KB973686)
mWlsSafe
mWMI
mZConfig
Nexon Game Manager
Pando Media Booster
Pen Pad Driver with Macro Key Manager
QuickSet
QuickTime
Revo Uninstaller 1.94
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982381)
Security Update for Windows XP (KB982665)
SigmaTel Audio
Skype Click to Call
Skype™ 5.10
SPORE™
StarCraft
swMSM
System Requirements Lab for Intel
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2718704)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Driver Package - Ricoh Company (rimsptsk) hdc (11/14/2006 6.00.01.04)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 8
Windows XP Service Pack 3
WinPatrol
WinRAR 4.01 (32-bit)
Xilisoft YouTube Video Converter
Zoo Tycoon: Complete Collection
.
==== Event Viewer Messages From Past Week ========
.
7/24/2012 9:18:06 AM, error: Dhcp [1002] - The IP address lease 192.168.0.101 for the Network Card with network address 0019B95FB7D7 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
7/24/2012 8:57:26 AM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 001A92CF9129. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
7/24/2012 8:34:54 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SASKUTIL
7/24/2012 8:34:54 AM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
7/24/2012 8:34:54 AM, error: Service Control Manager [7000] - The SAS Core Service service failed to start due to the following error: The system cannot find the path specified.
7/24/2012 8:34:17 AM, error: Dhcp [1002] - The IP address lease 192.168.0.101 for the Network Card with network address 001A92CF9129 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
7/24/2012 4:50:58 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
7/24/2012 4:50:58 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
7/24/2012 4:50:53 PM, error: Service Control Manager [7034] - The WTService service terminated unexpectedly. It has done this 1 time(s).
7/24/2012 4:50:52 PM, error: Service Control Manager [7034] - The Skype C2C Service service terminated unexpectedly. It has done this 1 time(s).
7/24/2012 4:50:48 PM, error: Service Control Manager [7034] - The lxdnCATSCustConnectService service terminated unexpectedly. It has done this 1 time(s).
7/24/2012 4:50:48 PM, error: Service Control Manager [7034] - The lxdn_device service terminated unexpectedly. It has done this 1 time(s).
7/24/2012 4:50:48 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
7/24/2012 4:50:48 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/24/2012 12:17:25 PM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.0.101 with the system having network hardware address 00:11:D8:E1:65:77. Network operations on this system may be disrupted as a result.
7/24/2012 10:00:38 AM, error: Dhcp [1002] - The IP address lease 72.210.66.153 for the Network Card with network address 0019B95FB7D7 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
7/22/2012 4:55:29 PM, error: Print [19] - Sharing printer failed + 1722, Printer Lexmark 2600 Series share name Printer2.
7/21/2012 6:14:36 PM, error: Print [19] - Sharing printer failed + 1722, Printer Microsoft XPS Document Writer share name Printer.
7/19/2012 9:58:38 AM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
.
==== End Of File ===========================

Still waiting on the GMER.

Edited by Mooglebooboo, 31 July 2012 - 11:40 PM.


#3 D-FRED-BROWN

D-FRED-BROWN

    Resident Bracketologist


  • Malware Response Team
  • 834 posts
  • Gender:Male
  • Location:Kansas, USA

Posted 01 August 2012 - 02:17 PM

Hello and welcome to Bleeping Computer!

I am D-FRED-BROWN and I will be helping you. :)


Please print or save this topic. It will make it easier for you to follow the instructions and complete all of the necessary steps.


----------Step 1----------------
I know you've already run TDSSKiller before, but please run it one more time so we have an up-to-date idea of what may be remaining on the computer.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Skip is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: Do not choose Cure or Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (e.g. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

----------Step 2----------------
Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

***IMPORTANT: save ComboFix to your Desktop***

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review.


----------Step 3----------------
Please download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

----------Step 4----------------
In your next reply, please include the following:
  • TDSSKiller's logfile
  • ComboFix's report (C:\ComboFix.txt)
  • Security Check checkup.txt
After that, please let me know: How is your computer running now? Do you have any questions or concerns you'd like me to address? Don't hesitate to ask. :)

#4 Mooglebooboo

Mooglebooboo
  • Topic Starter

  • Members
  • 245 posts

Posted 03 August 2012 - 09:18 PM

TDSS: no threats found. About to run ComboFix.

Edited by Mooglebooboo, 03 August 2012 - 09:44 PM.


#5 Mooglebooboo

Mooglebooboo
  • Topic Starter

  • Members
  • 245 posts

Posted 03 August 2012 - 10:32 PM

ComboFix 12-07-31.06 - Ayra1008 08/03/2012 23:07:36.8.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.597 [GMT -5:00]
Running from: c:\documents and settings\Ayra1008\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\AegisI5Installer.exe
c:\windows\system32\roboot.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-07-04 to 2012-08-04 )))))))))))))))))))))))))))))))
.
.
2012-08-04 04:07 . 2012-08-04 04:07 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5EAFB06F-DD12-4866-9231-984A2CCF353C}\MpKsl15638508.sys
2012-08-04 04:06 . 2012-08-04 04:06 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5EAFB06F-DD12-4866-9231-984A2CCF353C}\offreg.dll
2012-08-02 21:33 . 2012-08-02 21:33 -------- d-----w- c:\documents and settings\Ayra1008\Application Data\Nico Mak Computing
2012-08-02 21:33 . 2012-08-02 21:33 -------- d-----w- c:\program files\WinZip Registry Optimizer
2012-08-02 21:33 . 2012-08-02 21:33 -------- d-----w- c:\program files\BitTorrent
2012-08-02 21:32 . 2012-08-04 04:05 -------- d-----w- c:\documents and settings\Ayra1008\Application Data\BitTorrent
2012-08-01 15:43 . 2012-07-16 07:41 6891424 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5EAFB06F-DD12-4866-9231-984A2CCF353C}\mpengine.dll
2012-07-26 23:23 . 2012-07-16 07:41 6891424 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-07-26 23:15 . 2012-07-26 23:17 -------- d-----w- c:\program files\Microsoft Security Client
2012-07-24 21:47 . 2012-07-24 21:47 -------- d-----w- c:\program files\Oracle
2012-07-24 00:33 . 2012-07-24 01:13 -------- d--h--w- c:\documents and settings\Ayra1008\Application Data\42B4F4DB
2012-07-23 18:17 . 2012-08-03 19:06 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-17 03:24 . 2012-08-03 19:06 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-08 13:43 . 2012-07-08 13:43 -------- d-----w- C:\My Shared Folder
2012-07-08 13:43 . 2012-07-09 00:29 -------- d-----w- c:\program files\Kazaa Lite
2012-07-05 23:45 . 2012-07-05 23:45 5030088 ----a-w- c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-06 03:07 . 2012-02-28 21:21 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-07-06 03:06 . 2011-07-15 00:28 687544 ----a-w- c:\windows\system32\deployJava1.dll
2012-07-03 18:46 . 2012-05-15 02:17 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-13 13:19 . 2004-08-04 12:00 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50 . 2009-08-19 21:07 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 15:50 . 2004-08-04 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32 . 2004-08-04 12:00 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 20:19 . 2009-08-06 23:24 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 20:19 . 2011-04-21 16:53 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 20:19 . 2011-04-21 16:53 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 20:19 . 2011-04-21 16:53 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 20:19 . 2009-08-06 23:24 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 20:19 . 2011-04-21 16:53 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 20:19 . 2011-04-21 16:53 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 20:19 . 2009-08-06 23:24 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 20:19 . 2009-08-06 23:24 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 20:19 . 2004-08-04 12:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 20:19 . 2009-08-06 23:24 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 20:19 . 2011-04-21 16:53 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 20:19 . 2011-04-21 16:53 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 20:18 . 2012-01-13 00:41 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 20:18 . 2012-01-13 00:41 214256 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 20:18 . 2012-01-13 00:41 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-31 17:25 . 2012-05-17 15:27 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-05-31 13:22 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 02:48 . 2012-05-15 02:48 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2012-05-15 02:48 . 2012-05-15 02:48 1840 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2012-05-15 02:34 . 2012-05-15 02:34 388096 ----a-r- c:\documents and settings\Ayra1008\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-05-11 14:42 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-12-28 00:23 . 2012-04-13 21:39 400384 ----a-w- c:\program files\JavaRa.exe
2012-07-14 00:17 . 2012-07-26 16:45 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\documents and settings\Ayra1008\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" [2012-07-11 138096]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-06-08 17425072]
"BitTorrent"="c:\program files\BitTorrent\BitTorrent.exe" [2012-08-02 6156696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lxdnmon.exe"="c:\program files\Lexmark 2600 Series\lxdnmon.exe" [2010-02-04 660136]
"EzPrint"="c:\program files\Lexmark 2600 Series\ezprint.exe" [2010-02-04 107176]
"MacrokeyManager"="WTMKM.exe" [2009-12-22 5873384]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-30 138008]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2012-04-15 374368]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-10 2183168]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
2012-03-26 22:08 931200 ----a-w- c:\program files\Microsoft Security Client\msseces.exe
.
R1 MpKsl15638508;MpKsl15638508;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5EAFB06F-DD12-4866-9231-984A2CCF353C}\MpKsl15638508.sys [8/3/2012 11:07 PM 29904]
R2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe -service --> c:\windows\system32\lxdncoms.exe -service [?]
R2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdnserv.exe [4/26/2011 10:30 AM 94208]
R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [7/5/2012 6:41 PM 3048136]
R2 WTService;WTService;c:\windows\system32\atwtusb.exe -s --> c:\windows\system32\atwtusb.exe -s [?]
S1 movlbemg;movlbemg;\??\c:\windows\system32\drivers\movlbemg.sys --> c:\windows\system32\drivers\movlbemg.sys [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.SYS --> c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [?]
S2 !SASCORE;SAS Core Service;"c:\program files\SUPERAntiSpyware\SASCORE.EXE" --> c:\program files\SUPERAntiSpyware\SASCORE.EXE [?]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [6/7/2012 7:12 PM 160944]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [3/28/2012 2:55 PM 250056]
S3 apf001;apf001;\??\c:\game\SoftnyxGame\GunBoundIS\apf001.sys --> c:\game\SoftnyxGame\GunBoundIS\apf001.sys [?]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [6/2/2011 10:08 AM 11336]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe" --> c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [7/26/2012 11:45 AM 113120]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL15638508
*NewlyCreated* - WUAUSERV
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-04 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-28 19:06]
.
2012-06-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 22:57]
.
2012-07-31 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-790525478-1123561945-725345543-1004Core.job
- c:\documents and settings\Ayra1008\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2012-05-27 22:37]
.
2012-08-04 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-790525478-1123561945-725345543-1004UA.job
- c:\documents and settings\Ayra1008\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2012-05-27 22:37]
.
2012-08-04 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 22:03]
.
2012-08-02 c:\windows\Tasks\Registry Optimizer_UPDATES.job
- c:\program files\WinZip Registry Optimizer\Winzipro.exe [2012-08-02 15:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Download with Xilisoft YouTube Video Converter - c:\program files\Xilisoft\YouTube Video Converter\upod_link.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Ayra1008\Application Data\Mozilla\Firefox\Profiles\ltrnjz7s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-{302A1E2E-DD58-4673-BC99-9CC10EC2637A} - c:\docume~1\ALLUSE~1\APPLIC~1\INSTAL~1\{302A1~1\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-03 23:26
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-790525478-1123561945-725345543-1004\Software\SecuROM\License information*]
"datasecu"=hex:3b,2d,81,69,cf,71,5b,84,9e,e8,c1,f8,ef,53,75,09,12,8f,8a,77,07,
bb,c1,7b,85,f6,99,ff,77,37,86,3c,c4,b2,6e,9f,ae,85,a5,b4,79,f9,9c,72,a4,11,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
Completion time: 2012-08-03 23:29:42
ComboFix-quarantined-files.txt 2012-08-04 04:29
.
Pre-Run: 59,664,924,672 bytes free
Post-Run: 60,655,263,744 bytes free
.
- - End Of File - - 80DE899CD30EE55AC5CD2A52746E4510

Security Check:

Results of screen317's Security Check version 0.99.32
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

ESET Online Scanner v3
Microsoft Security Essentials
```````````````````````````````
Anti-malware/Other Utilities Check:

CCleaner
JavaFX 2.1.1
Java™ 7 Update 5
Adobe Flash Player 11.3.300.270
Adobe Reader X (10.1.3)
Mozilla Firefox (14.0.1)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Microsoft Security Essentials msseces.exe
``````````End of Log````````````

Edited by Mooglebooboo, 03 August 2012 - 10:35 PM.


#6 D-FRED-BROWN

D-FRED-BROWN

    Resident Bracketologist


  • Malware Response Team
  • 834 posts
  • Gender:Male
  • Location:Kansas, USA

Posted 04 August 2012 - 11:36 AM

Please do the following:

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quote box below into it:

KILLALL::

Folder::
c:\documents and settings\Ayra1008\Application Data\42B4F4DB

Driver::
movlbemg

File::
c:\windows\system32\drivers\movlbemg.sys

Reboot::


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I shall require in your next reply.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Please include the newly-created C:\ComboFix.txt in your next reply, and let me know how things are running now.
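The CFScript in the post above targets the two items that stand out in the ComboFix log from post #5: a boot-start driver (movlbemg) whose file ComboFix reports as not found, and a hidden Application Data folder with a random eight-hex-digit name (42B4F4DB). As an added example that is not part of this thread, of ComboFix, or of any BleepingComputer tool, the Python script below pulls those two patterns out of a ComboFix log, lists the "Other Deletions" entries, and renders the high-confidence matches in the CFScript layout the helper used (KILLALL::, Folder::, Driver::, File::, Reboot::). The sample log is a handful of lines copied from the log posted above; the severity heuristics (eight lowercase letters for a driver name under system32\drivers, eight hex digits for a hidden folder name) are my own assumptions, not rules from ComboFix.

```python
"""Triage a ComboFix log for the patterns a helper acts on (added example).

Constructed for this thread; not part of ComboFix or any BleepingComputer
tool. Heuristics are assumptions: a service whose binary is missing ('[?]')
is 'review'; it becomes 'high' when it is a boot/system-start driver under
system32\\drivers with an eight-lowercase-letter name. A hidden directory
under Application Data named with eight hex digits is also 'high'.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\AegisI5Installer.exe
c:\windows\system32\roboot.exe
.
((((((((((((((((((((((((( Files Created from 2012-07-04 to 2012-08-04 )))))))))))))))))))))))))))))))
.
2012-07-24 21:47 . 2012-07-24 21:47 -------- d-----w- c:\program files\Oracle
2012-07-24 00:33 . 2012-07-24 01:13 -------- d--h--w- c:\documents and settings\Ayra1008\Application Data\42B4F4DB
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [7/5/2012 6:41 PM 3048136]
S1 movlbemg;movlbemg;\??\c:\windows\system32\drivers\movlbemg.sys --> c:\windows\system32\drivers\movlbemg.sys [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.SYS --> c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [?]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [6/2/2011 10:08 AM 11336]
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")          # "((( Title )))" banners
SERVICE_RE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.*)$")  # "S1 name;display;path"
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(\S+)\s+([-a-z]{8})\s+(.*)$"                        # size, attrs (d--h--w-), path
)
HEX8_RE = re.compile(r"^[0-9A-F]{8}$", re.IGNORECASE)     # assumed: random folder names
RANDOM_DRIVER_RE = re.compile(r"^[a-z]{8}$")              # assumed: random driver names


@dataclass
class Finding:
    kind: str      # 'deleted', 'hidden-hex-folder', 'missing-binary'
    name: str
    path: str
    severity: str  # 'info', 'review', 'high'


def split_sections(text):
    """Group log lines under the banner that precedes them, skipping '.' fillers."""
    sections, current = {"header": []}, "header"
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line.strip() not in ("", "."):
            sections[current].append(line.rstrip())
    return sections


def triage(text):
    findings = []
    sections = split_sections(text)
    for path in sections.get("Other Deletions", []):
        findings.append(Finding("deleted", path.rsplit("\\", 1)[-1], path, "info"))
    for title, lines in sections.items():
        if not title.startswith("Files Created"):
            continue
        for line in lines:
            m = CREATED_RE.match(line)
            if m:
                attrs, path = m.group(4), m.group(5)
                base = path.rsplit("\\", 1)[-1]
                if attrs[0] == "d" and "h" in attrs and HEX8_RE.match(base):
                    findings.append(Finding("hidden-hex-folder", base, path, "high"))
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if not m or not m.group(4).rstrip().endswith("[?]"):
            continue  # only services whose binary ComboFix could not find
        start, name, rest = m.group(1), m.group(2), m.group(4)
        path = rest.split(" --> ")[-1].rsplit(" [", 1)[0].strip()
        stem = path.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
        high = (start in ("R0", "R1", "S0", "S1") and "\\drivers\\" in path.lower()
                and RANDOM_DRIVER_RE.match(stem) is not None)
        findings.append(Finding("missing-binary", name, path, "high" if high else "review"))
    return findings


def draft_cfscript(findings):
    """Render 'high' findings in the CFScript layout used above; a draft for a
    human to review, never something to feed to ComboFix unread."""
    folders = [f.path for f in findings if f.kind == "hidden-hex-folder" and f.severity == "high"]
    drivers = [f for f in findings if f.kind == "missing-binary" and f.severity == "high"]
    out = ["KILLALL::", ""]
    if folders:
        out += ["Folder::", *folders, ""]
    if drivers:
        out += ["Driver::", *(d.name for d in drivers), ""]
        out += ["File::", *(d.path for d in drivers), ""]
    out.append("Reboot::")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.severity:6} {f.kind:18} {f.name:20} {f.path}")
    print(draft_cfscript(results))
```

The SASKUTIL entry shows why the output is a draft and not a removal list: its file is missing too, but the event log in post #2 ("The SAS Core Service service failed to start ... The system cannot find the path specified") points to an uninstalled SUPERAntiSpyware rather than to malware, so it is rated for review only. The script rates movlbemg and 42B4F4DB high, and the CFScript it drafts matches the one the helper wrote by hand.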

#7 Mooglebooboo

Mooglebooboo
  • Topic Starter

  • Members
  • 245 posts

Posted 04 August 2012 - 08:28 PM

ComboFix 12-08-05.02 - Ayra1008 08/04/2012 20:57:13.9.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.594 [GMT -5:00]
Running from: c:\documents and settings\Ayra1008\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ayra1008\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
FILE ::
"c:\windows\system32\drivers\movlbemg.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Ayra1008\Application Data\42B4F4DB
c:\documents and settings\Ayra1008\Application Data\42B4F4DB\42B4F4DB.DAT
c:\documents and settings\Ayra1008\Application Data\42B4F4DB\42B4F4DB.DAT.DAT
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_movlbemg
.
.
((((((((((((((((((((((((( Files Created from 2012-07-05 to 2012-08-05 )))))))))))))))))))))))))))))))
.
.
2012-08-05 02:18 . 2012-08-05 02:18 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56857959-5C5F-4F8B-A11C-613621AA126C}\MpKsla420b0ee.sys
2012-08-05 01:57 . 2012-08-05 01:57 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56857959-5C5F-4F8B-A11C-613621AA126C}\MpKsle263c684.sys
2012-08-05 01:56 . 2012-08-05 01:56 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56857959-5C5F-4F8B-A11C-613621AA126C}\offreg.dll
2012-08-04 14:15 . 2012-07-16 07:41 6891424 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56857959-5C5F-4F8B-A11C-613621AA126C}\mpengine.dll
2012-08-02 21:33 . 2012-08-02 21:33 -------- d-----w- c:\documents and settings\Ayra1008\Application Data\Nico Mak Computing
2012-08-02 21:33 . 2012-08-02 21:33 -------- d-----w- c:\program files\WinZip Registry Optimizer
2012-08-02 21:33 . 2012-08-02 21:33 -------- d-----w- c:\program files\BitTorrent
2012-08-02 21:32 . 2012-08-05 02:20 -------- d-----w- c:\documents and settings\Ayra1008\Application Data\BitTorrent
2012-08-01 15:43 . 2012-07-16 07:41 6891424 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-07-26 23:15 . 2012-07-26 23:17 -------- d-----w- c:\program files\Microsoft Security Client
2012-07-24 21:47 . 2012-07-24 21:47 -------- d-----w- c:\program files\Oracle
2012-07-23 18:17 . 2012-08-03 19:06 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-17 03:24 . 2012-08-03 19:06 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-08 13:43 . 2012-07-08 13:43 -------- d-----w- C:\My Shared Folder
2012-07-08 13:43 . 2012-07-09 00:29 -------- d-----w- c:\program files\Kazaa Lite
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-06 03:07 . 2012-02-28 21:21 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-07-06 03:06 . 2011-07-15 00:28 687544 ----a-w- c:\windows\system32\deployJava1.dll
2012-07-03 18:46 . 2012-05-15 02:17 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-13 13:19 . 2004-08-04 12:00 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50 . 2009-08-19 21:07 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 15:50 . 2004-08-04 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32 . 2004-08-04 12:00 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 20:19 . 2009-08-06 23:24 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 20:19 . 2011-04-21 16:53 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 20:19 . 2011-04-21 16:53 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 20:19 . 2011-04-21 16:53 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 20:19 . 2009-08-06 23:24 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 20:19 . 2011-04-21 16:53 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 20:19 . 2011-04-21 16:53 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 20:19 . 2009-08-06 23:24 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 20:19 . 2009-08-06 23:24 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 20:19 . 2004-08-04 12:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 20:19 . 2009-08-06 23:24 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 20:19 . 2011-04-21 16:53 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 20:19 . 2011-04-21 16:53 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 20:18 . 2012-01-13 00:41 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 20:18 . 2012-01-13 00:41 214256 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 20:18 . 2012-01-13 00:41 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-31 17:25 . 2012-05-17 15:27 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-05-31 13:22 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 02:48 . 2012-05-15 02:48 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2012-05-15 02:48 . 2012-05-15 02:48 1840 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2012-05-15 02:34 . 2012-05-15 02:34 388096 ----a-r- c:\documents and settings\Ayra1008\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-05-11 14:42 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-12-28 00:23 . 2012-04-13 21:39 400384 ----a-w- c:\program files\JavaRa.exe
2012-07-14 00:17 . 2012-07-26 16:45 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-08-04_04.26.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-08-05 02:17 . 2012-08-05 02:17 16384 c:\windows\temp\Perflib_Perfdata_308.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\documents and settings\Ayra1008\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" [2012-07-11 138096]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-06-08 17425072]
"BitTorrent"="c:\program files\BitTorrent\BitTorrent.exe" [2012-08-02 6156696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lxdnmon.exe"="c:\program files\Lexmark 2600 Series\lxdnmon.exe" [2010-02-04 660136]
"EzPrint"="c:\program files\Lexmark 2600 Series\ezprint.exe" [2010-02-04 107176]
"MacrokeyManager"="WTMKM.exe" [2009-12-22 5873384]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-30 138008]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2012-04-15 374368]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-10 2183168]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
2012-03-26 22:08 931200 ----a-w- c:\program files\Microsoft Security Client\msseces.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"c:\\Program Files\\Lexmark 2600 Series\\lxdnmon.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R1 MpKsla420b0ee;MpKsla420b0ee;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56857959-5C5F-4F8B-A11C-613621AA126C}\MpKsla420b0ee.sys [8/4/2012 9:18 PM 29904]
R2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe -service --> c:\windows\system32\lxdncoms.exe -service [?]
R2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdnserv.exe [4/26/2011 10:30 AM 94208]
R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [7/5/2012 6:41 PM 3048136]
R2 WTService;WTService;c:\windows\system32\atwtusb.exe -s --> c:\windows\system32\atwtusb.exe -s [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.SYS --> c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [?]
S2 !SASCORE;SAS Core Service;"c:\program files\SUPERAntiSpyware\SASCORE.EXE" --> c:\program files\SUPERAntiSpyware\SASCORE.EXE [?]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [6/7/2012 7:12 PM 160944]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [3/28/2012 2:55 PM 250056]
S3 apf001;apf001;\??\c:\game\SoftnyxGame\GunBoundIS\apf001.sys --> c:\game\SoftnyxGame\GunBoundIS\apf001.sys [?]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [6/2/2011 10:08 AM 11336]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe" --> c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [7/26/2012 11:45 AM 113120]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLA420B0EE
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-05 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-28 19:06]
.
2012-08-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 22:57]
.
2012-08-04 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-790525478-1123561945-725345543-1004Core.job
- c:\documents and settings\Ayra1008\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2012-05-27 22:37]
.
2012-08-04 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-790525478-1123561945-725345543-1004UA.job
- c:\documents and settings\Ayra1008\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2012-05-27 22:37]
.
2012-08-05 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 22:03]
.
2012-08-02 c:\windows\Tasks\Registry Optimizer_UPDATES.job
- c:\program files\WinZip Registry Optimizer\Winzipro.exe [2012-08-02 15:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Download with Xilisoft YouTube Video Converter - c:\program files\Xilisoft\YouTube Video Converter\upod_link.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Ayra1008\Application Data\Mozilla\Firefox\Profiles\ltrnjz7s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-04 21:18
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-790525478-1123561945-725345543-1004\Software\SecuROM\License information*]
"datasecu"=hex:3b,2d,81,69,cf,71,5b,84,9e,e8,c1,f8,ef,53,75,09,12,8f,8a,77,07,
bb,c1,7b,85,f6,99,ff,77,37,86,3c,c4,b2,6e,9f,ae,85,a5,b4,79,f9,9c,72,a4,11,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1032)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
c:\windows\system32\lxdncoms.exe
c:\windows\system32\atwtusb.exe
c:\windows\system32\WTMKM.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2012-08-04 21:23:58 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-05 02:23
ComboFix2.txt 2012-08-04 04:29
.
Pre-Run: 60,618,760,192 bytes free
Post-Run: 60,533,694,464 bytes free
.
- - End Of File - - 0592C25D8152D97297DBDBFCC2F7EC04

#8 D-FRED-BROWN
  • Malware Response Team
  • 834 posts
  • Gender:Male
  • Location:Kansas, USA

Posted 05 August 2012 - 12:15 PM

Looking good. :)

Let's run an online scan to verify that you're now clean:

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unchecked and the option Scan unwanted applications is checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


#9 Mooglebooboo
  • Topic Starter
  • Members
  • 245 posts

Posted 07 August 2012 - 05:42 PM

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=f851bfd3c3551645b0ac9c7647c07b24
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-05-15 09:24:44
# local_time=2012-05-15 04:24:44 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=3073 16777189 80 71 0 12676156 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=91590
# found=4
# cleaned=0
# scan_time=15346
C:\Qoobox\Quarantine\C\WINDOWS\system32\Process.exe.vir Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{72DAED16-5565-4CEC-8706-FDD8DF66996C}\RP221\A0207018.exe Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{72DAED16-5565-4CEC-8706-FDD8DF66996C}\RP288\A0270474.exe a variant of Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{72DAED16-5565-4CEC-8706-FDD8DF66996C}\RP293\A0279801.exe Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=f851bfd3c3551645b0ac9c7647c07b24
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-05-16 02:17:45
# local_time=2012-05-15 09:17:45 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=3073 16777189 80 71 0 12709083 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=14
# found=0
# cleaned=0
# scan_time=18
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=f851bfd3c3551645b0ac9c7647c07b24
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-05-16 03:51:40
# local_time=2012-05-15 10:51:41 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=3073 16777189 80 71 0 12709158 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=3179
# found=0
# cleaned=0
# scan_time=5558
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=f851bfd3c3551645b0ac9c7647c07b24
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-05-16 07:24:39
# local_time=2012-05-16 02:24:39 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=3073 16777173 80 71 0 12750297 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=91878
# found=4
# cleaned=0
# scan_time=20399
C:\Qoobox\Quarantine\C\WINDOWS\system32\Process.exe.vir Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{72DAED16-5565-4CEC-8706-FDD8DF66996C}\RP221\A0207018.exe Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{72DAED16-5565-4CEC-8706-FDD8DF66996C}\RP288\A0270474.exe a variant of Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{72DAED16-5565-4CEC-8706-FDD8DF66996C}\RP293\A0279801.exe Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=f851bfd3c3551645b0ac9c7647c07b24
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-07-19 07:50:05
# local_time=2012-07-19 02:50:05 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 4739090 4739090 0 0
# compatibility_mode=5891 16776533 42 93 0 9824294 0 0
# compatibility_mode=8192 67108863 100 0 4686844 4686844 0 0
# scanned=93544
# found=2
# cleaned=2
# scan_time=17456
C:\Documents and Settings\Ayra1008\Local Settings\temp\D9qZY0yQ.exe.part a variant of Win32/Adware.iBryte.C application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\RECYCLER\S-1-5-21-790525478-1123561945-725345543-1004\Dc36.exe a variant of Win32/SoftonicDownloader.D application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=f851bfd3c3551645b0ac9c7647c07b24
# end=stopped
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-08-06 05:40:59
# local_time=2012-08-06 12:40:59 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 6253580 6253580 0 0
# compatibility_mode=5891 16776533 42 92 0 11338784 0 0
# compatibility_mode=8192 67108863 100 0 6201334 6201334 0 0
# scanned=4744
# found=0
# cleaned=0
# scan_time=7212
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=f851bfd3c3551645b0ac9c7647c07b24
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-08-07 11:10:45
# local_time=2012-08-07 06:10:45 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 6391142 6391142 0 0
# compatibility_mode=5891 16776533 42 92 0 11476346 0 0
# compatibility_mode=8192 67108863 100 0 6338896 6338896 0 0
# scanned=85370
# found=0
# cleaned=0
# scan_time=19034
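The ESET log above is cumulative: it holds several scan sessions, two of them from May and July, before this thread was opened, and the four "unable to clean" hits all sit inside the ComboFix quarantine folder (C:\Qoobox\Quarantine) or inside System Restore points, which is why the next reply can call the logs clean. The Python script below is an added example, not part of the thread or of ESET's tooling. It parses that log format into sessions and detections, separates quarantine and restore-point leftovers from hits on live paths, and reports anything on a live path that the most recent finished scan did not clean. The embedded sample log is constructed from lines patterned on the post, with the user profile name and SID shortened; the location labels ("combofix_quarantine", "restore_point", "live") and all function names are this example's own, not ESET terminology.

```python
"""Triage an ESET Online Scanner log.txt: split it into scan sessions and tell
inert leftovers (ComboFix quarantine, System Restore points) from uncleaned hits
on live paths.  Added example, not from the thread; labels are this script's own."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample patterned on the log posted above (user name and SID shortened).
SAMPLE_LOG = r"""
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# end=finished
# utc_time=2012-05-15 09:24:44
# found=2
C:\Qoobox\Quarantine\C\WINDOWS\system32\Process.exe.vir Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{72DAED16-5565-4CEC-8706-FDD8DF66996C}\RP288\A0270474.exe a variant of Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
all ok
# version=7
# end=finished
# utc_time=2012-07-19 07:50:05
# found=2
C:\Documents and Settings\user\Local Settings\temp\D9qZY0yQ.exe.part a variant of Win32/Adware.iBryte.C application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\RECYCLER\S-1-5-21-1-2-3-1004\Dc36.exe a variant of Win32/SoftonicDownloader.D application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
# version=7
# end=finished
# utc_time=2012-08-07 11:10:45
# found=0
"""

HEADER_RE = re.compile(r"^# (\w+)=(.*)$")
# <path> <threat name> (<action>) <32-hex hash> <flag>; the path may contain spaces.
DETECTION_RE = re.compile(
    r"^(?P<left>.+?) \((?P<action>[^()]+)\) [0-9A-Fa-f]{32} (?P<flag>[A-Z])$")
QUALIFIERS = ("probably a variant of ", "a variant of ")  # ESET threat-name prefixes


@dataclass
class Detection:
    path: str
    threat: str
    action: str
    flag: str  # I = left in place, C = cleaned

    @property
    def location(self) -> str:
        p = self.path.lower()
        if "\\qoobox\\quarantine\\" in p:
            return "combofix_quarantine"
        if "\\system volume information\\_restore" in p:
            return "restore_point"
        return "live"

    @property
    def cleaned(self) -> bool:
        return self.action.startswith("cleaned")


@dataclass
class Session:
    header: Dict[str, str] = field(default_factory=dict)
    detections: List[Detection] = field(default_factory=list)


def split_path_threat(left: str) -> tuple:
    """Windows paths never contain '/', every ESET threat name does (Win32/...),
    so the token holding the first '/' starts the threat name."""
    slash = left.find("/")
    if slash < 0:
        return left, ""
    start = left.rfind(" ", 0, slash) + 1
    for q in QUALIFIERS:
        if left[:start].endswith(q):
            start -= len(q)
            break
    return left[:start].rstrip(), left[start:]


def parse_eset_log(text: str) -> List[Session]:
    sessions: List[Session] = []
    current: Optional[Session] = None
    for line in (raw.rstrip() for raw in text.splitlines()):
        m = HEADER_RE.match(line)
        if m:
            key, value = m.groups()
            if key == "version" or current is None:  # '# version=' opens a session
                current = Session()
                sessions.append(current)
            current.header[key] = value
            continue
        m = DETECTION_RE.match(line)
        if m and current is not None:
            path, threat = split_path_threat(m.group("left"))
            current.detections.append(Detection(path, threat, m.group("action"), m.group("flag")))
        # installer chatter ('all ok', 'registred OK') falls through and is ignored
    return sessions


def summary(session: Session) -> Dict[str, int]:
    """Count detections per location label for one session."""
    counts: Dict[str, int] = {}
    for d in session.detections:
        counts[d.location] = counts.get(d.location, 0) + 1
    return counts


def latest_finished(sessions: List[Session]) -> Optional[Session]:
    done = [s for s in sessions if s.header.get("end") == "finished"]
    return max(done, key=lambda s: s.header.get("utc_time", ""), default=None)


def outstanding(sessions: List[Session]) -> List[Detection]:
    """Uncleaned hits on live paths in the most recent finished session."""
    last = latest_finished(sessions)
    if last is None:
        return []
    return [d for d in last.detections if d.location == "live" and not d.cleaned]
```

Feed the contents of C:\Program Files\EsetOnlineScanner\log.txt to parse_eset_log. On the posted log, summary() of the May session puts both "unable to clean" hits under combofix_quarantine and restore_point, the July session's two live hits carry the cleaned-by-deleting action, and outstanding() comes back empty, which is the same verdict the next reply reaches by eye. Stopped sessions ("# end=stopped") are excluded from latest_finished deliberately, since a partial scan says nothing about the paths it never reached.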

#10 D-FRED-BROWN
  • Malware Response Team
  • 834 posts
  • Gender:Male
  • Location:Kansas, USA

Posted 07 August 2012 - 06:00 PM

Your logs are looking clean.

Since all of your programs are up-to-date (nice job :thumbup2:), I'll now provide you with some suggestions for security software.


First, please remove ComboFix.
The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following text into the Run box and click OK:

ComboFix /Uninstall

-------------

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future. :)

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.


It is really dangerous to go online without an antivirus. Without one, you are extremely likely to get infected and the consequences could be even worse next time. All of the following are excellent free antiviruses. Be sure to only install one.

avast!.
AntiVir
AVG

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features if you don't have the resident part of another anti-spyware program running.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.

Please consider maintaining a firewall with HIPS (Host Intrusion Prevention System). Firewalls are extremely important and are the first part of your computer's defense. HIPS stops malware by monitoring its behavior, and it is very important, too.
A firewall is a software program or piece of hardware that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet.
If you are using the Windows Firewall please note that it doesn't monitor or block outbound traffic and is therefore less effective than other free alternatives.

These firewalls are good and do have free versions available. A tutorial on understanding and using firewalls may be found here.


If you use Internet Explorer, it is a good idea to use IE-Spyad for ZonedOut which provides protections against malicious websites. (Requires 2 downloads)

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster and IE-Spyad can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different from the older version of rogues mentioned above.

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker, and add-ons like NoScript can make it even more secure. Opera is another good option.
If you are interested, Firefox may be downloaded from here
Opera is available here: http://www.opera.com/download/

For much more useful information, please also read Tony Klein's excellent article: How did I get infected in the first place

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help. :)

#11 Mooglebooboo
  • Topic Starter
  • Members
  • 245 posts

Posted 07 August 2012 - 09:10 PM

ok. ty for help :lol:

#12 D-FRED-BROWN
  • Malware Response Team
  • 834 posts
  • Gender:Male
  • Location:Kansas, USA

Posted 08 August 2012 - 01:41 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



