
Live Security Platinum Followup


  • This topic is locked
26 replies to this topic

#1 aninkling

aninkling

  • Members
  • 105 posts

Posted 03 August 2012 - 02:27 PM

This work to date on this topic is at http://www.bleepingcomputer.com/forums/topic462434.html/page__p__2779507__fromsearch__1#entry2779507.

I was sent to this forum to continue. Before I begin, let me say that I installed Comodo firewall before I started these next steps, so I can see any unsavory outgoing info. (This is an XP system). I also manually changed the DNS servers to point to COMODOs servers... to see if that would help. It didn't.

  • Defogger run
  • DDS Run
  • GMER run

Results: DDS.TXT
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Shelley at 14:08:20 on 2012-08-03
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.481 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Outdated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: COMODO Firewall *Enabled*
.
============== Running Processes ===============
.
C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\HPZipm12.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\COMODO\COMODO GeekBuddy\CLPS.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uWindow Title = Internet Explorer, optimized for Bing and MSN
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: ChromeFrame BHO: {ecb3c477-1a0a-44bd-bb57-78f9efe34fa7} - c:\program files\google\chrome frame\application\20.0.1132.57\npchrome_frame.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Version Cue CS2] c:\program files\adobe\adobe version cue cs2\controlpanel\VersionCueCS2Tray.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [COMODO] c:\program files\comodo\comodo geekbuddy\CLPSLA.exe
mRun: [CPA] c:\program files\comodo\comodo geekbuddy\VALA.exe
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {3437D640-C91A-458f-89F5-B9095EA4C28B} - {04F93351-81D2-4484-9982-0D55DEFFFAE6} - c:\program files\piclensie\PicLens.dll
Trusted Zone: 1.cab\photocenter_activexx_3.0.0
Trusted Zone: atthemeadow.com\www
Trusted Zone: intuit.com\quicken
Trusted Zone: schwab.com\client
Trusted Zone: snapfish.com\www
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213897459515
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/legacy/ractrl.cab?lmi=100
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{F8E9DCB9-4E03-421B-8FA6-9B96C9E1ED40} : NameServer = 8.26.56.26,8.20.247.20
TCP: Interfaces\{F8E9DCB9-4E03-421B-8FA6-9B96C9E1ED40} : DhcpNameServer = 192.168.1.254
Handler: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - c:\program files\google\chrome frame\application\20.0.1132.57\npchrome_frame.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
.
============= SERVICES / DRIVERS ===============
.
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2011-12-19 494816]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2011-12-19 31704]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
R2 CLPSLS;COMODO livePCsupport Service;c:\program files\comodo\comodo geekbuddy\CLPSLS.exe [2011-11-23 1052472]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2011-12-19 1960584]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-8-24 92008]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-5-16 102400]
R2 WV5Communication;WV5Communication;c:\program files\heavyweatherwv5\HeavyWeatherService.exe [2011-10-23 1854464]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-21 135664]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-8 250056]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-12-21 135664]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2012-08-03 17:20:11 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2012-07-27 00:32:46 694833 -c--a-w- C:\FSS.exe
2012-07-26 17:30:03 1045 ----a-w- c:\documents and settings\all users\application data\currdat.lst.tmp
2012-07-12 02:34:34 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-12 02:34:33 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-03 17:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-13 13:19:59 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50:25 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 15:50:25 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32:08 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 19:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 19:18:58 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 19:18:58 214256 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 19:18:58 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-20 15:23:52 38791408 ----a-w- c:\program files\GoogleSketchUpWEN.exe
2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-11 14:42:33 43520 ------w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42:33 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38:02 385024 ------w- c:\windows\system32\html.iec
2012-04-26 01:09:25 22259528 ----a-w- c:\program files\vlc-2.0.1-win32.exe
2012-02-14 02:34:08 16606229 ----a-w- c:\program files\Race-Keeper Comparo Setup 1.00.01.05 - BMW.exe
2011-10-24 01:10:44 11700670 ----a-w- c:\program files\setup_hw_wv5_us-1.5.4.exe
2011-10-04 02:53:25 11478168 ----a-w- c:\program files\LogitechHarmonySoftware.exe
2011-08-17 01:47:53 4727808 ----a-w- c:\program files\Works632_en-US.msi
2011-07-18 02:28:53 1081823 ----a-w- c:\program files\APGuitarSetup.EXE
2011-05-04 01:38:16 24042728 ----a-w- c:\program files\MyPublishersetup4561407-USD-en-US.exe
2010-07-09 11:26:50 1045384 ----a-w- c:\program files\DriverInstaller_DD.exe
2010-07-07 13:19:41 476520 ----a-w- c:\program files\vlc-setup.exe
2010-03-11 21:36:28 206216 ----a-w- c:\program files\SiteBuilderSetup.exe
2010-01-14 21:54:54 568320 ----a-w- c:\program files\HDViewInstall_1_20_IE.msi
2009-11-05 15:20:21 11418208 ----a-w- c:\program files\MyPublishersetup-USD-en-US.exe
2008-11-23 18:33:11 11784984 ----a-w- c:\program files\setup-ET.exe
2008-08-09 20:42:45 4891216 ----a-w- c:\program files\Silverlight.2.0.exe
2008-08-05 20:30:56 13475025 ----a-w- c:\program files\ysitebuilder.exe
2008-07-04 17:20:31 15903600 ----a-w- c:\program files\Quicken_Home_Inventory.exe
.
============= FINISH: 14:13:37.01 ===============
The GMER run is taking quite a long time. I'll attach that in another post when it is finished.
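As an added triage example (not part of this thread, and not DDS's own code), the script below parses lines in the "Pseudo HJT Report" format of the DDS log above and flags the items a malware responder checks first: toolbar/BHO registrations whose file is gone ("No File"), anything listed under AppInit_DLLs, and per-interface static DNS servers that differ from the DHCP-assigned ones. The sample lines are constructed from the log posted above; the function and class names are the example's own.

```python
"""Triage a DDS "Pseudo HJT Report" section (added example, not DDS's own code)."""
import re
from dataclasses import dataclass

# Constructed sample in the DDS pseudo-HJT line format, modelled on the log in this thread.
SAMPLE_DDS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{F8E9DCB9-4E03-421B-8FA6-9B96C9E1ED40} : NameServer = 8.26.56.26,8.20.247.20
TCP: Interfaces\{F8E9DCB9-4E03-421B-8FA6-9B96C9E1ED40} : DhcpNameServer = 192.168.1.254
AppInit_DLLs: c:\windows\system32\guard32.dll
"""

# "<kind>: <body>" where kind is uRun, mRun, BHO, TB, TCP, AppInit_DLLs, ...
LINE_RE = re.compile(r"^([A-Za-z_]+):\s*(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    kind: str   # record type, e.g. "TB" or "TCP"
    body: str   # everything after the "kind: " prefix


@dataclass
class Finding:
    category: str   # "orphan_registration" | "appinit_dll" | "static_dns_override"
    subject: str    # CLSID, DLL path, or interface GUID the finding is about
    detail: str     # note for the responder


def parse_dds(text: str) -> list[Entry]:
    """Split pseudo-HJT lines into (kind, body) records; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2).strip()))
    return entries


def triage(entries: list[Entry]) -> list[Finding]:
    """Apply the three checks a responder runs over the pseudo-HJT section."""
    findings: list[Finding] = []
    dhcp_dns: set[str] = set()
    static_dns: dict[str, list[str]] = {}
    for e in entries:
        if e.kind in ("TB", "BHO") and e.body.endswith("No File"):
            # Registration survives but the DLL is gone: leftover to clean, not an active threat.
            m = CLSID_RE.search(e.body)
            findings.append(Finding("orphan_registration", m.group(0) if m else e.body,
                                    f"{e.kind} registered but its file is missing"))
        elif e.kind == "AppInit_DLLs":
            # Every DLL listed here is loaded into each process that loads user32.dll,
            # so each one needs its publisher verified.
            for dll in re.split(r"[,\s]+", e.body):
                if dll:
                    findings.append(Finding("appinit_dll", dll,
                                            "injected into every user32 process; verify publisher"))
        elif e.kind == "TCP":
            key, sep, value = e.body.rpartition(" = ")
            if not sep:
                continue
            servers = [s.strip() for s in value.split(",") if s.strip()]
            if key.endswith("DhcpNameServer"):
                dhcp_dns.update(servers)
            elif key.endswith("NameServer"):
                m = CLSID_RE.search(key)
                static_dns[m.group(0) if m else "global"] = servers
    for iface, servers in static_dns.items():
        if set(servers) != dhcp_dns:
            # A static resolver that differs from DHCP may be deliberate (as in this thread)
            # or a hijack; either way it must be confirmed with the user.
            findings.append(Finding("static_dns_override", iface,
                                    f"static DNS {servers} differs from DHCP {sorted(dhcp_dns)}"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_dds(SAMPLE_DDS)):
        print(f"[{f.category}] {f.subject}: {f.detail}")
```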


#2 aninkling

aninkling
  • Topic Starter

  • Members
  • 105 posts

Posted 03 August 2012 - 04:30 PM

Attached is the GMER log.

Attached Files

  • Attached File  ark.zip   7.51KB   3 downloads


#3 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,740 posts

Posted 08 August 2012 - 02:30 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/463731 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you should not bother creating a GMER log.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,714 posts

Posted 13 August 2012 - 04:04 PM

Greetings aninkling and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary. :thumbup2:


===================================================


Ground Rules:

  • First, I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, do not use the Posted Image button but use the Posted Image button instead.
  • In the upper right hand corner of the topic you will see the Posted Image button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started :thumbup2:

===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Please allow me some time to review the information you have provided. I will post back as soon as possible.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#5 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,714 posts

Posted 13 August 2012 - 07:35 PM

Greetings aninkling,

Your computer still shows signs of infection and I will provide our first step to begin the cleaning process. However first I must advise you of the following:


===================================================


BACKDOOR WARNING!

--------------------

One or more of the identified infections is a Backdoor Trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation. Please let me know if you have already noticed evidence of financial institution irregularities.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


===================================================


ComboFix

--------------------

For a more detailed explanation on running Combofix and the prompts you will be following please see here.

Please download ComboFix from one of these locations and save it to your desktop:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

  • Note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista/Windows 7, ComboFix will skip the below Recovery Console pop ups and continue its malware removal procedure.

Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Posted Image



Click on Yes, to continue scanning for malware.

Please Note: Often times it may appear as if ComboFix has stopped working. To verify it is still running please do one of the following below. If ComboFix has stopped running please stop and advise me.

  • Check your computer clock. If it is still running then so is ComboFix
  • Open Task Manager and select the Applications Tab. If the status of AutoScan is Running, then ComboFix is running
  • Open Task Manager and select the Processes Tab. Under Image Name look for files ending in .3xe. If there are fluctuating numbers under CPU and Mem Usage then ComboFix is running
When finished, it will produce a log. Please include the C:\Combofix.txt log in your next reply.


===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • Combofix.txt
  • Please describe the current state of your computer

Gary
 

#6 aninkling

aninkling
  • Topic Starter

  • Members
  • 105 posts

Posted 16 August 2012 - 08:09 PM

I will follow the instructions and post results by Monday, Aug 20. Thank you.

#7 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,714 posts

Posted 16 August 2012 - 08:12 PM

Greetings aninkling,

Great to see you! I will await your post.
Gary
 

#8 aninkling

aninkling
  • Topic Starter

  • Members
  • 105 posts

Posted 19 August 2012 - 07:58 PM

Combofix ran and following is the log. During the run I got a message two different times: "Rootkit.ZeroAccess inserted into TCP/IP stack. This is a particularly difficult infection." And something to the effect that "reboots may occur or be necessary." It did reboot 3 times. Note that I turned both Comodo and MSE off. The log:
----------------------------------------------------------------------------------------------
ComboFix 12-08-18.03 - Shelley 08/19/2012 14:15:01.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.555 [GMT -4:00]
Running from: c:\documents and settings\Shelley\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Outdated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: COMODO Firewall *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\currdat.lst.tmp
c:\documents and settings\All Users\Application Data\DragToDiscUserNameD.txt
c:\documents and settings\Shelley\My Documents\ZDL18772.TMP
c:\documents and settings\Shelley\WINDOWS
c:\program files\MyPublishersetup4561407-USD-en-US.exe
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\SearchToolbarUpdater.exe
c:\windows\$NtUninstallKB62916$
c:\windows\$NtUninstallKB62916$\1725091934
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_.afd
.
.
((((((((((((((((((((((((( Files Created from 2012-07-19 to 2012-08-19 )))))))))))))))))))))))))))))))
.
.
2012-08-03 18:33 . 2012-08-03 18:33 -------- d-----w- c:\program files\Belarc
2012-08-03 18:33 . 2011-08-09 20:33 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys
2012-08-03 17:26 . 2012-08-03 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\CPA_VA
2012-08-03 17:20 . 2012-08-03 17:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2012-08-03 17:20 . 2012-08-03 17:20 -------- d-----w- c:\program files\Comodo
2012-08-03 17:20 . 2012-08-03 17:20 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2012-08-02 18:41 . 2012-08-02 18:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\MSN6
2012-08-02 18:41 . 2012-08-02 18:41 -------- d-----w- c:\documents and settings\All Users\Application Data\MSN6
2012-08-02 18:37 . 2012-08-02 18:41 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2012-07-30 13:59 . 2008-04-13 19:19 138112 -c--a-w- c:\windows\system32\dllcache\afd.sys
2012-07-30 13:59 . 2008-04-13 19:19 138112 ----a-w- c:\windows\system32\drivers\afd.sys
2012-07-27 00:39 . 2012-07-27 00:32 694833 -c--a-w- C:\FSS.exe
2012-07-25 18:43 . 2012-07-25 18:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2012-07-25 18:39 . 2012-07-25 19:15 -------- d-----w- c:\documents and settings\Duane
2012-07-25 17:59 . 2012-07-25 17:59 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2012-07-25 17:57 . 2012-07-25 17:57 -------- d-----w- c:\program files\Microsoft Security Essentials
2012-07-25 17:21 . 2012-07-25 17:21 -------- d-----w- c:\documents and settings\Shelley\Application Data\GlarySoft
2012-07-25 17:21 . 2012-07-25 17:21 -------- d-----w- c:\program files\Glary Utilities
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-12 02:34 . 2012-04-08 12:31 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-12 02:34 . 2011-05-20 12:48 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-03 17:46 . 2008-11-18 15:24 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-13 13:19 . 2003-03-31 12:00 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50 . 2008-06-19 20:17 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 15:50 . 2003-03-31 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32 . 2003-03-31 12:00 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 19:19 . 2008-06-19 17:47 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19 . 2008-06-19 17:47 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 19:19 . 2008-06-19 17:47 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19 . 2008-06-19 17:47 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19 . 2007-07-30 23:19 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 19:19 . 2008-06-19 17:47 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 19:19 . 2008-06-19 17:47 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 19:19 . 2008-06-19 17:47 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19 . 2008-06-18 13:21 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 19:19 . 2003-03-31 12:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 19:19 . 2008-06-19 17:47 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 19:19 . 2008-06-19 17:47 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 19:19 . 2008-06-18 13:21 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 19:18 . 2009-03-29 21:44 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 19:18 . 2009-03-29 21:44 214256 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 19:18 . 2009-03-29 21:44 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-31 13:22 . 2003-03-31 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-20 15:23 . 2012-05-20 15:23 38791408 ----a-w- c:\program files\GoogleSketchUpWEN.exe
2012-04-26 01:09 . 2012-04-26 01:09 22259528 ----a-w- c:\program files\vlc-2.0.1-win32.exe
2012-02-14 02:34 . 2012-02-14 02:34 16606229 ----a-w- c:\program files\Race-Keeper Comparo Setup 1.00.01.05 - BMW.exe
2011-10-24 01:10 . 2011-10-24 01:10 11700670 ----a-w- c:\program files\setup_hw_wv5_us-1.5.4.exe
2011-10-04 02:53 . 2011-10-04 02:53 11478168 ----a-w- c:\program files\LogitechHarmonySoftware.exe
2011-08-17 01:47 . 2011-08-17 01:47 4727808 ----a-w- c:\program files\Works632_en-US.msi
2011-07-18 02:28 . 2000-07-31 17:23 1081823 ----a-w- c:\program files\APGuitarSetup.EXE
2010-07-09 11:26 . 2010-07-09 11:26 1045384 ----a-w- c:\program files\DriverInstaller_DD.exe
2010-07-07 13:19 . 2010-07-07 13:19 476520 ----a-w- c:\program files\vlc-setup.exe
2010-03-11 21:36 . 2010-03-11 21:35 206216 ----a-w- c:\program files\SiteBuilderSetup.exe
2010-01-14 21:54 . 2008-09-16 13:01 568320 ----a-w- c:\program files\HDViewInstall_1_20_IE.msi
2009-11-05 15:20 . 2009-11-05 15:20 11418208 ----a-w- c:\program files\MyPublishersetup-USD-en-US.exe
2008-11-23 18:33 . 2008-11-23 18:33 11784984 ----a-w- c:\program files\setup-ET.exe
2008-08-09 20:42 . 2008-08-09 20:42 4891216 ----a-w- c:\program files\Silverlight.2.0.exe
2008-08-05 20:30 . 2008-08-05 20:30 13475025 ----a-w- c:\program files\ysitebuilder.exe
2008-07-04 17:20 . 2008-07-04 17:20 15903600 ----a-w- c:\program files\Quicken_Home_Inventory.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-06-24 1840424]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 577536]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 856064]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
"COMODO"="c:\program files\COMODO\COMODO GeekBuddy\CLPSLA.exe" [2011-11-23 208184]
"CPA"="c:\program files\COMODO\COMODO GeekBuddy\VALA.exe" [2011-11-23 182584]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-12-21 6676808]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 434080]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" -osboot
"HPHUPD08"=c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
"Acrobat Assistant 7.0"="c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
"NeroFilterCheck"=c:\program files\Common Files\Nero\Lib\NeroCheck.exe
"WD Drive Manager"=c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [12/19/2011 6:59 PM 494816]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [12/19/2011 6:59 PM 31704]
R2 CLPSLS;COMODO livePCsupport Service;c:\program files\Comodo\COMODO GeekBuddy\CLPSLS.exe [11/23/2011 6:27 AM 1052472]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [8/24/2010 5:38 AM 92008]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [5/16/2008 5:12 PM 102400]
R2 WV5Communication;WV5Communication;c:\program files\HeavyWeatherWV5\HeavyWeatherService.exe [10/23/2011 9:14 PM 1854464]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/21/2009 3:26 PM 135664]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/8/2012 8:31 AM 250056]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/21/2009 3:26 PM 135664]
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-19 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-08 02:34]
.
2012-08-19 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2012-07-25 01:06]
.
2012-08-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-21 19:26]
.
2012-08-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-21 19:26]
.
2012-08-19 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 22:02]
.
2012-08-19 c:\windows\Tasks\User_Feed_Synchronization-{93769B24-E8F2-4ABB-8D2E-214FED60EBB5}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: 1.cab\photocenter_activexx_3.0.0
Trusted Zone: atthemeadow.com\www
Trusted Zone: intuit.com\quicken
Trusted Zone: schwab.com\client
Trusted Zone: snapfish.com\www
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-AP Guitar Tuner - c:\program files\Audio Phonics
AddRemove-Search Toolbar - c:\program files\Search Toolbar\SearchToolbarUninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-19 14:33
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(748)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'explorer.exe'(3576)
c:\windows\system32\WININET.dll
c:\windows\system32\guard32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
- - - - - - - > 'csrss.exe'(664)
c:\windows\system32\cmdcsr.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
c:\windows\system32\wscntfy.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2012-08-19 14:38:07 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-19 18:38
.
Pre-Run: 88,365,883,392 bytes free
Post-Run: 88,696,541,184 bytes free
.
- - End Of File - - 26A1782BDB07D8E4A4158614124E5BBD

#9 aninkling (Topic Starter, Members, 105 posts)

Posted 20 August 2012 - 10:39 AM

I tried to access the internet after the Combofix run and I failed. Have you any idea what is being modified to deny access to the internet? There must be a registry entry or two that I can look at.

I am rerunning Combofix and will post the results.

#10 Oh My! (Malware Response Instructor, 37,714 posts, Location: California)

Posted 20 August 2012 - 10:57 AM

Greetings aninkling,

Thank you for posting the information. For some reason I was not notified last night that you posted (should be automatic email). I have to leave for several hours but I will get to it today, I promise!
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#11 Oh My! (Malware Response Instructor, 37,714 posts, Location: California)

Posted 20 August 2012 - 04:29 PM

Greetings aninkling,

Let's take a look at some of your internet related files/settings. The malicious software may have corrupted an important file. I am going to have you upload another file for me to check to make sure it is valid.

Please do the following.


===================================================


Farbar's Service Scanner

--------------------

Please download Farbar Service Scanner, save it to your desktop, and run it.

  • Make sure the following options are checked:

    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

===================================================


Virustotal Online Virus Scanner

--------------------

  • Please go to Virustotal
  • Select Choose File
  • Navigate to the following file, double click on it so the file name is populated, then click Scan it!

    c:\program files\setup-ET.exe
  • Once completed, highlight the information in the address bar and copy then paste the link in your reply



===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • FSS.txt
  • Virustotal link

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#12 aninkling (Topic Starter, Members, 105 posts)

Posted 22 August 2012 - 01:58 PM

FSS Results follow. However, as an additional experiment I pinged known DNS servers by IP address and they responded. (Note: COMODO was on and I permitted every action during the FSS run.)

Farbar Service Scanner Version: 26-07-2012
Ran by Shelley (administrator) on 22-08-2012 at 14:47:00
Running from "C:\Documents and Settings\Shelley\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error: Google IP is offline
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo IP returned error: Yahoo IP is offline
Attempt to access Yahoo.com returned error: Other errors


Windows Firewall:
=============

Firewall Disabled Policy:
==================
ATTENTION!=====> Unable to retrieve HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\\EnableFirewall value. The value does not exist.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
cmdHlp(12) Gpc(3) IPSec(5) NetBT(6) PSched(7) RFCOMM(9) Tcpip(4)
0x0D00000005000000010000000200000003000000040000000C000000060000000700000008000000090000000A0000000B0000000C000000
IpSec Tag value is correct.

**** End of log ****
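
The "Extra List" at the end of the FSS log is the PNP_TDI driver group: each driver with its Tag value, then the GroupOrderList value that fixes the order in which those tags load, followed by FSS's own verdict on the IpSec tag. As an added example (not part of this thread and not Farbar's code), the Python below decodes that hex value from the log above and cross-checks every driver's Tag against it, so a responder can see the load order and spot a driver whose tag is missing from the list; the REG_BINARY layout (a DWORD count followed by that many little-endian DWORD tags) and the reading of the blob as GroupOrderList\PNP_TDI are my assumptions about what FSS prints.

```python
"""Decode the PNP_TDI GroupOrderList that Farbar Service Scanner prints in its
"Extra List" and cross-check it against the per-driver Tag values.

Assumed layout of the REG_BINARY (little-endian DWORDs):
    [count][tag_1][tag_2]...[tag_count]
Lower index = loads earlier within the PNP_TDI group.
"""
import re
import struct
from typing import Dict, List

# Constructed sample input, copied from the FSS log posted above.
FSS_EXTRA_LIST = "cmdHlp(12) Gpc(3) IPSec(5) NetBT(6) PSched(7) RFCOMM(9) Tcpip(4)"
FSS_GROUP_ORDER = ("0x0D00000005000000010000000200000003000000040000000C000000"
                   "060000000700000008000000090000000A0000000B0000000C000000")


def parse_tags(extra_list: str) -> Dict[str, int]:
    """Turn 'Name(tag) Name(tag) ...' into {driver: tag}."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"(\w+)\((\d+)\)", extra_list)}


def decode_group_order(hex_blob: str) -> List[int]:
    """Decode the hex-printed REG_BINARY into its list of tags.

    Raises ValueError when the value is structurally inconsistent, which is
    itself a finding worth reporting (a hand-edited or truncated value).
    """
    hex_digits = hex_blob[2:] if hex_blob.lower().startswith("0x") else hex_blob
    raw = bytes.fromhex(hex_digits)
    if len(raw) < 4 or len(raw) % 4:
        raise ValueError("GroupOrderList is not a whole number of DWORDs")
    dwords = struct.unpack("<%dI" % (len(raw) // 4), raw)
    count, tags = dwords[0], list(dwords[1:])
    if count != len(tags):
        raise ValueError("count %d does not match %d tag entries" % (count, len(tags)))
    return tags


def check_group_order(extra_list: str, hex_blob: str,
                      required=("IPSec", "Tcpip", "NetBT")) -> dict:
    """Cross-check the drivers against the order list and return a report.

    findings   - problems found (required driver absent, tag not in order list)
    load_order - driver names sorted by their first position in the order list
    """
    tags = parse_tags(extra_list)
    order = decode_group_order(hex_blob)
    findings = []
    for name in required:
        if name not in tags:
            findings.append("%s: not present in the PNP_TDI group" % name)
    for name, tag in sorted(tags.items()):
        if tag not in order:
            findings.append("%s: Tag %d is absent from GroupOrderList" % (name, tag))
    ordered = sorted((name for name, tag in tags.items() if tag in order),
                     key=lambda name: order.index(tags[name]))
    return {"tags": tags, "order": order, "load_order": ordered, "findings": findings}


if __name__ == "__main__":
    report = check_group_order(FSS_EXTRA_LIST, FSS_GROUP_ORDER)
    print("drivers in load order:", " -> ".join(report["load_order"]))
    print("findings:", report["findings"] or "none")
```

On the log above this yields no findings and the load order IPSec, Gpc, Tcpip, cmdHlp, NetBT, PSched, RFCOMM; a value with an entry missing or a count that does not match the entries is reported rather than silently accepted.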

#13 aninkling (Topic Starter, Members, 105 posts)

Posted 22 August 2012 - 02:02 PM

I guess the last instructions about VirusTotal don't make any sense because I can't get anywhere on the affected computer.

#14 Oh My! (Malware Response Instructor, 37,714 posts, Location: California)

Posted 22 August 2012 - 03:35 PM

Greetings aninkling,

We can check the file with VirusTotal once we get your internet up and running.

Please try this.


===================================================


Farbar's MiniToolBox

--------------------

  • From a clean computer please download MiniToolBox and save it to your USB device
  • Insert the USB device into your infected computer
  • Please close any Firefox browsers you may have open
  • Double click the MiniToolBox icon to launch the program
  • Make sure the following options are checked:

    • Flush DNS
    • Report IE Proxy Settings
    • Reset IE Proxy Settings
    • Report FF Proxy Settings
    • Reset FF Proxy Settings
    • List content of Hosts
    • List IP configuration
    • List Winsock Entries
    • List last 10 Event Viewer log
  • Click Go and once the scan is completed a Result.txt Notepad document will open on your desktop
  • Please copy and paste the contents in your reply
  • Try to access the internet

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • Result.txt
  • Do you have internet?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#15 aninkling (Topic Starter, Members, 105 posts)

Posted 22 August 2012 - 05:29 PM

Before I start your latest suggestion, I'll report on what I did. I ran McAfee Stinger. The results were:
McAfee® Labs Stinger™ Version 10.2.0.746 built on Aug 22 2012
Copyright © 2012 McAfee, Inc. All Rights Reserved.
Virus data file v100.0000 created on Aug 22 2012.
Ready to scan for 4866 viruses, trojans and variants.

Scan initiated on Wed Aug 22 15:07:13 2012
Rootkit scan result : Clean


Master Boot Record(s):....3
Possibly Infected:.............0
Boot Sector(s):.................2
Possibly Infected: ............0

C:\Documents and Settings\Shelley\Application Data\Sun\Java\Deployment\cache\6.0\9\61466349-60337c44
Found the Generic BackDoor.abz trojan !!!
C:\Documents and Settings\Shelley\Application Data\Sun\Java\Deployment\cache\6.0\9\61466349-60337c44 is infected with the Generic BackDoor.abz virus !!!
Number of clean files: 355458
Number of infected files: 1


-----------------------------------------------

I used Revo uninstaller to remove all Java libraries. I removed all files in the Java folder, which removed the above. I installed the latest Java version. I rebooted and tried to get on-line, but could not. I ran the winsock fixit program from Microsoft. Could not get on line. So... now on to your latest suggestion.



