
Trojan.Dropper/SVCHost-Fake.Process and a PUP toolbar downloader


13 replies to this topic

#1 XML2005

  • Members
  • 129 posts

Posted 14 August 2012 - 04:23 PM

I had Trojan.Dropper/SVCHost-Fake.Process and a PUP toolbar downloader. After Global Moderator "boopme" in Forum "Am I infected,What do I do" kindly reassured me that neither of these would result in identity theft, he/she then walked me through removing the files and cleaning up the junk. I ran SuperAntiSpyware, Malwarebytes, TDSSKiller, aswMBR, TrendMicro Rootkit Buster, SpywareBlaster, and I removed old restore points.

After cleanup, Trojan.Dropper/SVCHost-Fake.Process and a PUP toolbar downloader no longer were there, but now I saw I had an unknown program in my Programs list, named "WinPcap 4.1.1". I uninstalled it, and ran new scans.

This time, Trend Micro RootkitBuster found several items which it marked as "unable to fix", and TDSSKiller found cercsr6, NetSvc and rmdnhfjovqbv (all of which I do not recognize.) I do not know whether or not I still am infected, and whether I must remove any of these unrecognized items. So boopme recommended I post DDS & GMER reports in this forum. I'm hoping you can help, please.

I really appreciate the efforts all of you are expending so generously on my behalf!

Original post in "Am I infected" forum: http://www.bleepingcomputer.com/forums/topic463339.html/page__p__2788021__fromsearch__1#entry2788021

ATTACH.TXT (from DDS) and ARK.TXT (from GMER) are attached.

DDS.TXT follows:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_31
Run by Leah1 at 14:50:16 on 2012-08-14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.405 [GMT -4:00]
.
AV: Norton 360 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Norton 360\Engine\6.2.1.5\ccSvcHst.exe
C:\Program Files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\Norton 360\Engine\6.2.1.5\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: GhosteryBHO Class: {237eb6da-3fea-4dd2-8a61-a901b5c489d7} - c:\program files\ghosteryieplugin\GhosteryBrowserHelperObjec.dll
BHO: Norton Identity Protection: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\6.2.1.5\coIEPlg.dll
BHO: Norton Vulnerability Protection: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\6.2.1.5\ips\IPSBHO.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - c:\program files\wot\WOT.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - c:\program files\wot\WOT.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\6.2.1.5\coIEPlg.dll
TB: {D554D8FC-B36D-4BB4-93DB-4A3394D505E3} - No File
TB: {05933148-9B77-4630-A691-C0D0D9AA11F9} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
EB: {46FB16E4-A7E1-41D1-9BA1-BDF72C2C63A0} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {237EB6DA-3FEA-4DD2-8A61-A901B5C489D7} - {237EB6DA-3FEA-4DD2-8A61-A901B5C489D7} - c:\program files\ghosteryieplugin\GhosteryBrowserHelperObjec.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: ally.com\www
Trusted Zone: aol.com\mail
Trusted Zone: aol.com\my.screenname
Trusted Zone: dell.com\www
Trusted Zone: nymag.com\secure
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 167.206.254.2 167.206.254.1 192.168.1.1
TCP: Interfaces\{B9845C6B-1850-43CE-8149-7364BADB32F5} : DhcpNameServer = 167.206.254.2 167.206.254.1 192.168.1.1
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {56F9679E-7826-4C84-81F3-532071A8BCC5} - No File
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\leah1\application data\mozilla\firefox\profiles\71cgrnr3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7Bd9a3b00e-9700-4ff7-8ce4-60b04277c1a6%7D&mid=60514e6093d147d0af1bd15a66241108-466ec35eae5e30de17ce347538481a73b3240a25&ds=is015&v=11.1.0.12&lang=en&pr=sa&d=2012-07-10%2020%3A03%3A23&sap=ku&q=
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\coffplgn_2011_7_1_3\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\leah1\application data\mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
============= SERVICES / DRIVERS ===============
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2012-7-11 14776]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0602010.005\symds.sys [2012-7-26 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0602010.005\symefa.sys [2012-7-26 905336]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_6.0.0.145\definitions\bashdefs\20120811.003\BHDrvx86.sys [2012-8-10 995488]
R1 ccSet_N360;Norton 360 Settings Manager;c:\windows\system32\drivers\n360\0602010.005\ccsetx86.sys [2012-7-26 132744]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0602010.005\ironx86.sys [2012-7-26 149624]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-12-28 47640]
R2 N360;Norton 360;c:\program files\norton 360\engine\6.2.1.5\ccsvchst.exe [2012-7-26 138232]
R2 NSL;Norton Safe Web Lite;c:\program files\norton safe web lite\engine\1.0.1.8\ccSvcHst.exe [2010-10-20 126904]
R2 RHDISK;RHDISK;c:\program files\rohos\rhdisk.sys [2010-1-24 33280]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-8-9 106656]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_6.0.0.145\definitions\ipsdefs\20120813.001\IDSXpx86.sys [2012-8-14 369632]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_6.0.0.145\definitions\virusdefs\20120814.002\NAVENG.SYS [2012-8-14 87928]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_6.0.0.145\definitions\virusdefs\20120814.002\NAVEX15.SYS [2012-8-14 1589752]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S3 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-7-22 22344]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2011-12-16 15544]
S3 RegFilter;RegFilter;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\RegFilter.sys [2011-9-20 30368]
S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [2012-3-8 25088]
S3 UrlFilter;UrlFilter;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\UrlFilter.sys [2011-9-20 16080]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\iobit\advanced systemcare 5\ASCService.exe [2011-12-25 913792]
S4 cbVSCService11;Cobian Backup 11 Volume Shadow Copy Requester;c:\program files\cobian backup 11\cbVSCService11.exe [2012-5-21 67584]
S4 CobianBackup11;Cobian Backup 11 Gravity;c:\program files\cobian backup 11\cbService.exe [2012-5-21 1131008]
S4 FileMonitor;FileMonitor;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\FileMonitor.sys [2011-9-20 239600]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-4-17 116648]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-4-17 116648]
S4 IMFservice;IMF Service;c:\program files\iobit\iobit malware fighter\IMFsrv.exe [2011-9-20 820568]
S4 LMIGuardianSvc;LMIGuardianSvc;"c:\program files\logmein\x86\lmiguardiansvc.exe" --> c:\program files\logmein\x86\LMIGuardianSvc.exe [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2011-6-13 267568]
S4 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-7-22 655944]
S4 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-1 113120]
S4 Rohos Disk;Rohos Disk service;c:\program files\rohos\agent.exe [2010-1-24 800880]
S4 SPDFCreatorReadSpool;SolidPDFCreatorReadSpool;c:\program files\soliddocuments\solidpdfcreator\spc\SolidPdfService.exe [2011-10-3 180552]
.
=============== Created Last 30 ================
.
2012-08-13 15:58:03 -------- d-----w- c:\program files\SpywareBlaster
2012-07-27 21:31:54 -------- d-----w- c:\documents and settings\leah1\local settings\application data\NPE
2012-07-27 00:40:01 905336 ----a-r- c:\windows\system32\drivers\n360\0602010.005\symefa.sys
2012-07-27 00:40:01 388216 ----a-r- c:\windows\system32\drivers\n360\0602010.005\symtdi.sys
2012-07-27 00:40:01 345208 ----a-r- c:\windows\system32\drivers\n360\0602010.005\symtdiv.sys
2012-07-27 00:40:01 340088 ----a-r- c:\windows\system32\drivers\n360\0602010.005\symds.sys
2012-07-27 00:40:01 32888 ----a-w- c:\windows\system32\drivers\n360\0602010.005\srtspx.sys
2012-07-27 00:40:01 318584 ----a-r- c:\windows\system32\drivers\n360\0602010.005\symnets.sys
2012-07-27 00:40:00 574072 ----a-w- c:\windows\system32\drivers\n360\0602010.005\srtsp.sys
2012-07-27 00:40:00 149624 ----a-r- c:\windows\system32\drivers\n360\0602010.005\ironx86.sys
2012-07-27 00:40:00 132744 ----a-r- c:\windows\system32\drivers\n360\0602010.005\ccsetx86.sys
2012-07-27 00:39:32 4782 ----a-w- c:\windows\system32\drivers\n360\0602010.005\symvtcer.dat
2012-07-27 00:39:32 -------- d-----w- c:\windows\system32\drivers\n360\0602010.005
2012-07-27 00:34:54 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2012-07-27 00:34:54 141944 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-07-27 00:34:54 -------- d-----w- c:\program files\Symantec
2012-07-27 00:31:13 -------- d-----w- c:\windows\system32\drivers\N360
2012-07-27 00:31:01 -------- d-----w- c:\program files\Norton 360
2012-07-25 04:59:59 -------- d-----w- C:\bkup
2012-07-23 19:54:34 -------- d-----w- c:\program files\Axantum
2012-07-19 20:08:07 256904 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2012-07-19 00:50:58 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-19 00:50:58 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
==================== Find3M ====================
.
2012-07-03 17:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-13 13:19:59 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50:25 1372672 ------w- c:\windows\system32\msxml6.dll
2012-06-05 15:50:25 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 21:35:26 222448 -c--a-w- c:\windows\system32\muweb.dll
2012-06-04 04:32:08 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 19:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 19:18:58 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 19:18:58 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-06-01 00:20:28 499712 -c--a-w- c:\windows\system32\msvcp71.dll
2012-06-01 00:20:28 348160 -c--a-w- c:\windows\system32\msvcr71.dll
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-24 14:48:10 21376 -c--a-w- c:\windows\system32\RegistryDefragBootTime.exe
.
============= FINISH: 14:51:56.60 ===============
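As an added example (not from the thread, and not code from DDS or any BleepingComputer tool), a small Python triage pass over lines in the DDS log format shown above: it flags browser add-on entries marked "No File", services whose binary is missing ([x]) or unverifiable ([?]), long all-lowercase vowel-less service names of the kind TDSSKiller reported (a heuristic, so it is ranked rather than treated as proof), and a Firefox keyword.URL whose host differs from the homepage, the search-hijack pattern of a PUP toolbar. The sample lines are constructed in the log's format; the rmdnhfjovqbv service line in particular is constructed, since DDS did not list it.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the DDS log format of the post above (Pseudo HJT,
# FIREFOX and SERVICES/DRIVERS sections). The rmdnhfjovqbv service line is
# constructed for illustration; DDS did not list it, ComboFix later removed it.
SAMPLE_DDS = "\n".join([
    r"uStart Page = hxxp://www.google.com/",
    r"BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - c:\program files\wot\WOT.dll",
    r"TB: {D554D8FC-B36D-4BB4-93DB-4A3394D505E3} - No File",
    r"EB: {46FB16E4-A7E1-41D1-9BA1-BDF72C2C63A0} - No File",
    r"FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/",
    r"FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=example&q=",
    r"R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]",
    r"S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]",
    r"S4 LMIRfsClientNP;LMIRfsClientNP; [x]",
    r"R3 rmdnhfjovqbv;rmdnhfjovqbv;c:\windows\system32\drivers\rmdnhfjovqbv.sys [2012-8-1 12345]",
])

# DDS service/driver line: "<R|S><n> <name>;<display name>;<path> [<date> <size>]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
# BHO/TB/EB/SEH entries whose CLSID no longer resolves to a file on disk.
ORPHAN_RE = re.compile(r"^(BHO|TB|EB|SEH):.*-\s*No File\s*$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]+\}")
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (\S+) - (\S+)$")


def _host(url):
    """DDS defangs URLs as hxxp://; undo that before parsing the host."""
    return urlparse(url.replace("hxxp", "http", 1)).hostname or ""


def looks_random(name):
    """Heuristic only: long, all-lowercase, nearly vowel-less names resemble the
    generated service names of TDSS-style droppers. Legitimate drivers in the log
    above (SASDIFSV, BHDrvx86) keep mixed case or digits and therefore pass."""
    if len(name) < 10 or not name.isalpha() or not name.islower():
        return False
    vowels = sum(c in "aeiou" for c in name)
    return vowels / len(name) < 0.2


def triage(text):
    """Walk DDS log lines and return (severity, item, reason) findings."""
    findings = []
    prefs = {}
    for line in text.splitlines():
        line = line.strip()
        m = SERVICE_RE.match(line)
        if m:
            name, tail = m.group(2), m.group(4).strip()
            if tail.endswith("[x]"):
                findings.append(("medium", name, "service binary missing [x]"))
            elif tail.endswith("[?]"):
                findings.append(("low", name, "service binary unverifiable [?]"))
            if looks_random(name):
                findings.append(("high", name, "random-looking service name"))
            continue
        if ORPHAN_RE.match(line):
            clsid = CLSID_RE.search(line).group(0)
            findings.append(("low", clsid, "orphaned browser add-on entry (No File)"))
            continue
        m = FF_PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    # Search-hijack check: keyword.URL sending queries to a host other than
    # the user's chosen homepage is the classic PUP toolbar footprint.
    home = _host(prefs.get("browser.startup.homepage", ""))
    kw = _host(prefs.get("keyword.URL", ""))
    if kw and home and kw != home:
        findings.append(("medium", kw, "keyword.URL points away from homepage host (search hijack / PUP toolbar)"))
    return findings


if __name__ == "__main__":
    for sev, item, reason in triage(SAMPLE_DDS):
        print(f"[{sev:6}] {item}: {reason}")
```

Entries the pass flags are candidates for a helper to look at, not a verdict: the [x] and [?] services here belong to LogMeIn, and only the random-name and keyword.URL hits line up with what ComboFix and TDSSKiller reported.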




#2 nasdaq

  • Malware Response Team
  • 38,756 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 19 August 2012 - 08:32 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Close any open browsers, and all other programs working. Make sure you save your file if working on a document.
  • Do not install any other programs until this is fixed.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

p.s. The Microsoft site is down at present. You may ignore the remark from ComboFix and continue running the tool.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If, after running ComboFix, you get the error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program, all you need to do is restart the computer to reset the registry.
===

Third-party programs, if not up to date, can be the cause of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.
===

Please post the logs and let me know if the problem persists.

#3 XML2005

  • Topic Starter

  • Members
  • 129 posts

Posted 19 August 2012 - 09:41 PM

Thanks for offering to help.

I ran into problems running Combofix and am not sure whether or not to continue with the next step.

When Combofix attempted to install Microsoft Windows Recovery Console, a dialog box popped up telling me it "failed to download required files, aborting." and asking me whether to continue. Unsure of whether I was taking the proper step, I said "Yes". Combofix proceeded to run, and forced an automatic reboot; but during this reboot, while shutting down, a message popped up too quickly for me to copy it all down, reading "The instruction at [I didn't catch the code] could not be read." Combofix then continued shutting down and then restarted.

BTW, the folder deleted by ComboFix for user "Leah1" is the unneeded folder for an obsolete user.

Should I continue with SecurityCheck & adwCleaner; or should I first try to install MS Windows Recovery Console some other way; or should I do something else altogether?

Thank you again for your assistance.

ComboFix.txt
ComboFix 12-08-18.03 - Leah1 08/19/2012 21:58:11.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.737 [GMT -4:00]
Running from: c:\documents and settings\Leah1\Desktop\ComboFix.exe
AV: Norton 360 *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Leah1\Favorites\meta.fm
c:\documents and settings\Leah1\GoToAssistDownloadHelper.exe
c:\documents and settings\Leah1\WINDOWS
C:\drvrtmp
c:\windows\system32\Cache
c:\windows\system32\Drivers\rmdnhfjovqbv.sys
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Legacy_rmdnhfjovqbv
-------\Service_rmdnhfjovqbv
.
.
((((((((((((((((((((((((( Files Created from 2012-07-20 to 2012-08-20 )))))))))))))))))))))))))))))))
.
.
2012-08-13 15:58 . 2012-08-16 00:13 -------- d-----w- c:\program files\SpywareBlaster
2012-08-13 14:29 . 2012-08-13 14:29 -------- d-----w- c:\documents and settings\Guest
2012-07-30 21:52 . 2012-07-30 21:52 103904 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2012-07-30 21:52 . 2012-07-30 21:52 103904 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2012-07-27 21:31 . 2012-07-27 21:35 -------- d-----w- c:\documents and settings\Leah1\Local Settings\Application Data\NPE
2012-07-27 00:34 . 2012-07-27 00:34 -------- d-----w- c:\program files\Symantec
2012-07-27 00:34 . 2012-07-27 00:34 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2012-07-27 00:34 . 2012-07-27 00:34 141944 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-07-27 00:31 . 2012-08-15 18:46 -------- d-----w- c:\windows\system32\drivers\N360
2012-07-27 00:31 . 2012-07-27 00:31 -------- d-----w- c:\program files\Norton 360
2012-07-25 04:59 . 2012-07-31 02:40 -------- d-----w- C:\bkup
2012-07-23 19:54 . 2012-07-23 19:54 -------- d-----w- c:\program files\Axantum
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-19 00:50 . 2012-07-19 00:50 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-19 00:50 . 2012-07-19 00:50 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-06 13:58 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\browser.dll
2012-07-04 14:05 . 2008-03-14 01:48 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-03 17:46 . 2011-07-22 20:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-03 13:40 . 2004-08-04 12:00 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-07-02 17:49 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-07-02 17:49 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-07-02 17:49 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-07-02 12:05 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2012-06-05 15:50 . 2008-09-17 01:21 1372672 ------w- c:\windows\system32\msxml6.dll
2012-06-05 15:50 . 2004-08-04 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-05 07:37 . 2012-07-19 20:08 256904 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2012-06-04 21:35 . 2007-07-31 00:18 222448 -c--a-w- c:\windows\system32\muweb.dll
2012-06-04 04:32 . 2004-08-04 12:00 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 19:19 . 2007-07-31 00:18 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19 . 2008-03-14 01:50 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 19:19 . 2008-03-14 01:50 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19 . 2008-03-14 01:50 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 19:19 . 2007-07-31 00:19 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19 . 2008-03-14 01:50 35864 -c--a-w- c:\windows\system32\wups.dll
2012-06-02 19:19 . 2008-03-14 01:50 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 19:19 . 2007-07-31 00:19 45080 -c--a-w- c:\windows\system32\wups2.dll
2012-06-02 19:19 . 2007-07-31 00:19 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19 . 2004-08-04 12:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 19:19 . 2007-07-31 00:18 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 19:19 . 2008-03-14 01:50 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 19:19 . 2008-03-14 01:50 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 19:18 . 2008-03-16 02:13 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 19:18 . 2008-03-14 22:33 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-06-01 00:20 . 2008-03-14 18:05 499712 -c--a-w- c:\windows\system32\msvcp71.dll
2012-06-01 00:20 . 2008-03-14 18:05 348160 -c--a-w- c:\windows\system32\msvcr71.dll
2012-05-31 13:22 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-24 14:48 . 2011-12-25 19:56 21376 -c--a-w- c:\windows\system32\RegistryDefragBootTime.exe
2012-06-25 17:42 . 2011-09-05 17:42 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{237EB6DA-3FEA-4DD2-8A61-A901B5C489D7}]
2010-05-14 18:10 561400 -c--a-w- c:\program files\GhosteryIEplugin\GhosteryBrowserHelperObjec.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-03-24 00:45 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2012-02-01 02:30 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Calendar Sync.lnk]
backup=c:\windows\pss\Google Calendar Sync.lnkCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Calendar Sync.lnk
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Mozy Status.lnk]
backup=c:\windows\pss\Mozy Status.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MozyHome Status.lnk]
backup=c:\windows\pss\MozyHome Status.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Secunia PSI Tray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
backup=c:\windows\pss\Secunia PSI Tray.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Leah1^Start Menu^Programs^Startup^CNET TechTracker.lnk]
backup=c:\windows\pss\CNET TechTracker.lnkStartup
path=c:\documents and settings\Leah1\Start Menu\Programs\Startup\CNET TechTracker.lnk
.
[HKLM\~\startupfolder\C:^Documents and Settings^Leah1^Start Menu^Programs^Startup^jConnect 4.4.lnk]
backup=c:\windows\pss\jConnect 4.4.lnkStartup
path=c:\documents and settings\Leah1\Start Menu\Programs\Startup\jConnect 4.4.lnk
.
[HKLM\~\startupfolder\C:^Documents and Settings^Leah1^Start Menu^Programs^Startup^Secunia PSI.lnk]
backup=c:\windows\pss\Secunia PSI.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 4
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Carbonite Backup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Foxmarks
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RamBooster
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UIUCU
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\360Amigo]
2011-06-03 04:01 4939264 -c--a-w- c:\program files\360Amigo\360Amigo.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-11 19:00 919008 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-07-31 11:20 38872 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 5]
2012-05-28 19:56 288128 ----a-w- c:\program files\IObit\Advanced SystemCare 5\ASCTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ApnUpdater]
2011-07-26 22:23 397992 -c--a-w- c:\program files\Ask.com\Updater\Updater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cobian Backup 11 interface]
2012-05-26 06:37 4406272 -c--a-w- c:\program files\Cobian Backup 11\cbInterface.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverMax]
2012-06-19 22:46 11324352 ----a-w- c:\program files\DriverMax\drivermax.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2006-03-24 01:13 77824 -c--a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2006-03-24 01:17 118784 -c--a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2006-03-24 01:17 94208 -c--a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IObit Malware Fighter]
2011-07-20 16:19 4393816 -c--a-w- c:\program files\IObit\IObit Malware Fighter\IMF.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\j2 4.4]
2008-10-07 21:53 95744 -c--a-w- c:\program files\j2 Messenger 4.4\J2GDllCmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KeePass 2 PreLoad]
2012-05-01 15:06 1895424 -c--a-w- c:\program files\KeePass Password Safe 2.17\KeePass.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2012-07-03 17:46 462920 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 -csh--w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rohos]
2010-09-21 14:24 800880 -c--a-w- c:\program files\Rohos\agent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMessaging]
2012-06-27 19:51 55752 ----a-w- c:\program files\SOS Online Backup\SMessaging.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SOSUAUI]
2012-06-27 19:51 36296 ----a-w- c:\program files\SOS Online Backup\sosuploadagent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-14 19:42 1404928 -c----w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 19:02 254696 -c--a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2012-07-09 23:38 4777856 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"GoToAssist"=3 (0x3)
"mozybackup"=2 (0x2)
"MDM"=2 (0x2)
"aawservice"=3 (0x3)
"idsvc"=3 (0x3)
"JavaQuickStarterService"=3 (0x3)
"Rohos Disk"=3 (0x3)
"SQLWriter"=2 (0x2)
"MSSQL$SQLEXPRESS"=3 (0x3)
"SQLBrowser"=3 (0x3)
"SQLAgent$SQLEXPRESS"=3 (0x3)
"MSSQLServerADHelper100"=3 (0x3)
"Lavasoft Ad-Aware Service"=2 (0x2)
"Symantec RemoteAssist"=3 (0x3)
"SolutoService"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"cbVSCService"=3 (0x3)
"WSearch"=2 (0x2)
"IS360service"=3 (0x3)
"MSSQLSERVER"=2 (0x2)
"LMIGuardianSvc"=2 (0x2)
"AdvancedSystemCareService"=2 (0x2)
"MBAMService"=2 (0x2)
"Updater Service for StartNow Toolbar"=2 (0x2)
"IMFservice"=2 (0x2)
"MatSvc"=3 (0x3)
"AdvancedSystemCareService5"=2 (0x2)
"SPDFCreatorReadSpool"=2 (0x2)
"ReflectService.exe"=2 (0x2)
"TeamViewer7"=2 (0x2)
"Guard Agent"=2 (0x2)
"EaseUS Agent"=2 (0x2)
"EPSON_PM_RPCV4_04"=2 (0x2)
"EPSON_EB_RPCV4_04"=2 (0x2)
"EpsonBidirectionalService"=2 (0x2)
"MozillaMaintenance"=3 (0x3)
"AdobeFlashPlayerUpdateSvc"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"CobianBackup11"=3 (0x3)
"cbVSCService11"=3 (0x3)
"vToolbarUpdater11.2.0"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [7/11/2012 1:17 AM 14776]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0603000.00E\symds.sys [8/14/2012 9:05 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0603000.00E\symefa.sys [8/14/2012 9:05 PM 924320]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\BASHDefs\20120811.003\BHDrvx86.sys [8/10/2012 8:25 PM 995488]
R1 ccSet_N360;Norton 360 Settings Manager;c:\windows\system32\drivers\N360\0603000.00E\ccsetx86.sys [8/14/2012 9:05 PM 132768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0603000.00E\ironx86.sys [8/14/2012 9:05 PM 149624]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\6.3.0.14\ccsvchst.exe [8/14/2012 9:04 PM 138272]
R2 NSL;Norton Safe Web Lite;c:\program files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe [10/20/2010 4:37 PM 126904]
R2 RHDISK;RHDISK;c:\program files\Rohos\rhdisk.sys [1/24/2010 2:52 PM 33280]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/9/2012 9:37 PM 106656]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\IPSDefs\20120817.001\IDSXpx86.sys [8/17/2012 5:59 PM 369632]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S3 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/22/2011 4:46 PM 22344]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [12/16/2011 10:19 AM 15544]
S3 RegFilter;RegFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\RegFilter.sys [9/20/2011 11:52 PM 30368]
S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [3/8/2012 2:40 PM 25088]
S3 UrlFilter;UrlFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\UrlFilter.sys [9/20/2011 11:52 PM 16080]
S4 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\IObit\Advanced SystemCare 5\ASCService.exe [12/25/2011 3:41 PM 913792]
S4 cbVSCService11;Cobian Backup 11 Volume Shadow Copy Requester;c:\program files\Cobian Backup 11\cbVSCService11.exe [5/21/2012 11:12 AM 67584]
S4 CobianBackup11;Cobian Backup 11 Gravity;c:\program files\Cobian Backup 11\cbService.exe [5/21/2012 11:12 AM 1131008]
S4 FileMonitor;FileMonitor;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys [9/20/2011 11:52 PM 239600]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/17/2012 11:39 AM 116648]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/17/2012 11:39 AM 116648]
S4 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [9/20/2011 11:52 PM 820568]
S4 LMIGuardianSvc;LMIGuardianSvc;"c:\program files\LogMeIn\x86\LMIGuardianSvc.exe" --> c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [?]
S4 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [6/13/2011 11:09 PM 267568]
S4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/22/2011 4:46 PM 655944]
S4 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/1/2012 1:49 PM 113120]
S4 Rohos Disk;Rohos Disk service;c:\program files\Rohos\agent.exe [1/24/2010 2:52 PM 800880]
S4 SPDFCreatorReadSpool;SolidPDFCreatorReadSpool;c:\program files\SolidDocuments\SolidPDFCreator\SPC\SolidPdfService.exe [10/3/2011 8:59 PM 180552]
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-04-17 15:39]
.
2012-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-04-17 15:39]
.
2012-08-20 c:\windows\Tasks\Online Backup Update Notifier.job
- c:\program files\SOS Online Backup\SUpdateNotifier.exe [2012-06-27 19:51]
.
2012-08-13 c:\windows\Tasks\SOS Online Backup - testingfrank1.job
- c:\program files\SOS Online Backup\sosuploadagent.exe [2012-06-27 19:51]
.
2012-08-20 c:\windows\Tasks\User_Feed_Synchronization-{244DD933-FFC9-4C26-8680-CE5545F1D8E5}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{237EB6DA-3FEA-4DD2-8A61-A901B5C489D7} - {237EB6DA-3FEA-4DD2-8A61-A901B5C489D7} - c:\program files\GhosteryIEplugin\GhosteryBrowserHelperObjec.dll
Trusted Zone: ally.com\www
Trusted Zone: aol.com\mail
Trusted Zone: aol.com\my.screenname
Trusted Zone: dell.com\www
Trusted Zone: nymag.com\secure
TCP: DhcpNameServer = 167.206.254.2 167.206.254.1 192.168.1.1
FF - ProfilePath - c:\documents and settings\Leah1\Application Data\Mozilla\Firefox\Profiles\71cgrnr3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7Bd9a3b00e-9700-4ff7-8ce4-60b04277c1a6%7D&mid=60514e6093d147d0af1bd15a66241108-466ec35eae5e30de17ce347538481a73b3240a25&ds=is015&v=11.1.0.12&lang=en&pr=sa&d=2012-07-10%2020%3A03%3A23&sap=ku&q=
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
ShellIconOverlayIdentifiers-{95A27763-F62A-4114-9072-E81D87DE3B68} - (no file)
ShellIconOverlayIdentifiers-{E300CD91-100F-4E67-9AF3-1384A6124015} - (no file)
ShellIconOverlayIdentifiers-{5E529433-B50E-4bef-A63B-16A6B71B071A} - (no file)
ShellExecuteHooks-{56F9679E-7826-4C84-81F3-532071A8BCC5} - (no file)
SafeBoot-SolutoService
MSConfigStartUp-Advanced SystemCare 3 - c:\program files\IObit\Advanced SystemCare 3\AWC.exe
MSConfigStartUp-Cobian Backup 9 - c:\program files\Cobian Backup 9\Cobian.exe
MSConfigStartUp-Dell Photo AIO Printer 922 - c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe
MSConfigStartUp-dlbtmon - c:\program files\Dell Photo AIO Printer 922\dlbtmon.exe
MSConfigStartUp-EaseUs Tray - c:\program files\EaseUS\Todo Backup\bin\TrayNotify.exe
MSConfigStartUp-EaseUs Watch - c:\program files\EaseUS\Todo Backup\bin\EuWatch.exe
MSConfigStartUp-EEventManager - c:\program files\Epson Software\Event Manager\EEventManager.exe
MSConfigStartUp-eFax 4 - c:\program files\eFax Messenger 4.4\J2GDllCmd.exe
MSConfigStartUp-FUFAXSTM - c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe
MSConfigStartUp-IObit Security 360 - c:\program files\IObit\IObit Security 360\IS360tray.exe
MSConfigStartUp-LogMeIn GUI - c:\program files\LogMeIn\x86\LogMeInSystray.exe
MSConfigStartUp-SmartRAM - c:\program files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe
MSConfigStartUp-SpeedTestPro - c:\program files\SpeedTestPro\SpeedTestPro.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
MSConfigStartUp-vProt - c:\program files\AVG Secure Search\vprot.exe
MSConfigStartUp-WorkForce 630(Network) - c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIGBA.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-19 22:14
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\6.3.0.14\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\6.3.0.14\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NSL]
"ImagePath"="\"c:\program files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe\" /s \"NSL\" /m \"c:\program files\Norton Safe Web Lite\Engine\1.0.1.8\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-329068152-1965331169-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"v5Licence0"="15-4S49-FGGZ-RYTF-S6EX-CTDF-Z6GFBXS"
"Activated"="N"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(780)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\windows\system32\LMIinit.dll
.
- - - - - - - > 'explorer.exe'(2724)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\mslbui.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\inetsrv\inetinfo.exe
c:\windows\system32\locator.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-08-19 22:22:40 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-20 02:22
.
Pre-Run: 18,328,694,784 bytes free
Post-Run: 18,190,512,128 bytes free
.
- - End Of File - - 6AA2A9B523936B43B8BCCB674FF52A25
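The ComboFix log above prints the Windows Firewall policy and Security Center values as `[key]` / `"name"=value` blocks. As an added example (not part of this thread and not ComboFix's own code), the Python below parses that block format and flags the host-protection settings a responder would review: the firewall disabled for the standard profile, the AntiVirusOverride flag, globally open ports and firewall exceptions. The sample excerpt is constructed from the values in the posted log; the function names are mine.

```python
"""Flag weak host-protection settings in a ComboFix log excerpt.

Added example, not part of the forum thread or of ComboFix. It parses the
'[key]' / '"name"=value' blocks ComboFix prints for the firewall policy and
Security Center keys and lists settings worth a second look.
"""
import re

# Constructed sample: the relevant excerpt of the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
"""

KEY_RE = re.compile(r'^\[(.+)\]$')          # [HKLM\...\standardprofile]
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')  # "EnableFirewall"= 0 (0x0)


def parse_combofix_registry(text):
    """Return {key_path_lowercased: {value_name: raw_value_string}}."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            result.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            result[current][m.group(1)] = m.group(2).strip()
    return result


def int_value(raw):
    """ComboFix prints '0 (0x0)' or 'dword:00000001'; return the integer or None."""
    m = re.search(r'\(0x([0-9a-fA-F]+)\)', raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r'^dword:([0-9a-fA-F]+)$', raw)
    if m:
        return int(m.group(1), 16)
    return None


def audit(reg):
    """Return review findings (strings) for the parsed registry blocks."""
    findings = []
    sc = reg.get(r'hkey_local_machine\software\microsoft\security center', {})
    if int_value(sc.get('AntiVirusOverride', '')) == 1:
        findings.append('AntiVirusOverride=1: Security Center will not alert '
                        'on missing or out-of-date antivirus')
    fw = r'hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile'
    if int_value(reg.get(fw, {}).get('EnableFirewall', '')) == 0:
        # Caveat: a third-party suite (Norton 360 in this thread) may own the
        # firewall, so this is a review item, not a verdict.
        findings.append('EnableFirewall=0: Windows Firewall is off for the standard profile')
    for name in reg.get(fw + r'\globallyopenports\list', {}):
        findings.append(f'Globally open port: {name}')
    for name in reg.get(fw + r'\authorizedapplications\list', {}):
        findings.append(f'Firewall exception: {name}')
    return findings


if __name__ == "__main__":
    for finding in audit(parse_combofix_registry(SAMPLE_LOG)):
        print(finding)
```

Run it against a full ComboFix log by reading the file into `parse_combofix_registry`; unrelated blocks are parsed but ignored by `audit`.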

#4 XML2005 (Topic Starter)

Posted 19 August 2012 - 10:03 PM

nasdaq, Something just occurred to me: Could my problems have anything to do with the fact that my CD emulator still is disabled via defogger? Should I re-enable or leave disabled?



#5 nasdaq (Malware Response Team, Montreal, QC. Canada)

Posted 20 August 2012 - 07:39 AM

The ComboFix log is clean.

nasdaq, Something just occurred to me: Could my problems have anything to do with the fact that my CD emulator still is disabled via defogger? Should I re-enable or leave disabled?


Yes.
To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.
===

Should I continue with SecurityCheck & adwCleaner; or should I first try to install MS Windows Recovery Console some other way; or should I do something else altogether?

We learned recently that the Microsoft site is down. We are investigating this. Forget it for now.


Continue with the other two scans.

===

#6 XML2005 (Topic Starter)

Posted 20 August 2012 - 09:16 AM

I re-enabled DeFogger and restarted. Then I disabled my firewall and antivirus. Ran SecurityCheck, but ran into problems again! An unexpected window popped up, reading “The following plugin updates are available:” Then, the window lists 4 items with checkboxes next to each one: Compare, MIME tools, NppExec, TextFX Characters. The window also has three buttons: Update Selected, Ignore Selected Updates, Cancel.



I left this window open. What should I check, and what should I respond? I cannot copy Checkup.Txt until this window is handled.

Thanks again





#7 nasdaq (Malware Response Team, Montreal, QC. Canada)

Posted 20 August 2012 - 09:30 AM

Ignore for the moment.

Have a look at your plug-ins list and make sure these are installed and used by you.

On second thought, I checked the names of the plug-ins with Google and they all seem to be associated with
Notepad++
http://sourceforge.net/projects/notepad-plus/

Your call.

#8 XML2005 (Topic Starter)

Posted 20 August 2012 - 10:20 AM

I ignored the Notepad updates (for now) and proceeded with adwCleaner.

Then, to check whether the problems persist:

1) I looked for Program WinPCap. It now is gone. Good!

2) I reran TDSSkiller. It still found six items. I think I know what four of them are, but I don't know what cercsr6 and NetSvc are. I skipped all. (It no longer finds rmdnhfjovqbv, which it had found before I'd begun this process.) I don't know whether any of the six is a problem.
3) I reran Trend Micro RootkitBuster. It still found several items which it marked as "unable to fix". I don't know whether any is a problem.


Please let me know how to proceed from here. I'm so grateful for your quick and clear responses.

Attached File: checkup.txt (986 bytes)
Attached File: AdwCleanerR1.txt (2.09 KB)
Attached File: TDSSkiller.txt (46.22 KB)
Attached File: RootkitBuster.txt (8.61 KB)


#9 nasdaq (Malware Response Team, Montreal, QC. Canada)

Posted 20 August 2012 - 12:39 PM

The TDSSkiller log is clean. Nothing to worry about.

I reran Trend Micro RootkitBuster. It still found several items which it marked as "unable to fix". I don't know whether any is a problem.

Unless I missed it, I do not see any marked "Unable to fix".


Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 31
Java™ 6 Update 2


===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before your download I suggest you uncheck the box on the top right, "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.
===

Remove the AdWare.

  • Please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with OK.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.


#10 XML2005 (Topic Starter)

Posted 20 August 2012 - 07:13 PM

Hi, nasdaq,

Rootkitbuster.txt lists 36 items, each beginning with "ZW", which it is unable to fix.
Attached File: RootkitBuster.txt (8.61 KB)
Attached File: ZW.pdf (117.65 KB)

adwCleaner Log: Attached File: AdwCleanerS1.txt (2.29 KB)

Should I run regularly any of the steps which I ran throughout this process, besides checking for latest versions of all programs?

Also, do you recommend I install Hosts antiPUP/adware from adwCleaner if I am running Norton, or is there a Norton setting I should be changing?

XML2005

#11 nasdaq (Malware Response Team, Montreal, QC. Canada)

Posted 21 August 2012 - 09:20 AM

Rootkitbuster.txt lists 36 items, each beginning with "ZW", which it is unable to fix.

These are functions of your Norton product.
I would not touch them.
===

Also, do you recommend I install Hosts antiPUP/adware from adwCleaner if I am running Norton, or is there a Norton setting I should be changing?

Reading about this tool, it adds entries to your HOSTS file to block some of the sites relating to AdWare.

Norton may object to modifying the HOSTS file; I do not know.

You may want to check with the owner before installing this tool.

Myself I would rather use the adwCleaner tool. The Database is updated regularly.
All you have to do is download the most recent copy of the tool and run it.

Items removed by the tool:
http://sd-1.archive-host.com/membres/up/17959594961240255/AdwCleaner/LS_AdwCleaner.txt
On top of the page you can verify the date of the update.

Your call.
===

Most of the tools we used are updated regularly.
Let me know what you would like to keep and I will give you an option to keep or update it.

#12 XML2005 (Topic Starter)

Posted 21 August 2012 - 10:36 AM

Thanks, nasdaq! I guess I'll just stick with Norton and SpyWareBlaster and SuperAntiSpyware, which is what I was left with after boopme had helped me; and I'll update them all regularly.

Thank you again for so patiently and promptly responding to all my questions and for giving me back my desktop!

#13 nasdaq (Malware Response Team, Montreal, QC. Canada)

Posted 21 August 2012 - 01:23 PM

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

#14 XML2005 (Topic Starter)

Posted 21 August 2012 - 03:05 PM

Done.

Thanks again, it always amazes me how your team always seems to know just which tool(s) to choose to resolve each member's issues. I'm looking forward to the day I have the time to join your training so I can enjoy helping others so well!



