Trojan:JS/Medfos.B Removal Help! (same problem, different person)


22 replies to this topic

#1 orangegrease

Posted 03 October 2012 - 10:15 PM

Dear bleepingcomputer,

I did the 3 steps Gringo laid out in the post below:

http://www.bleepingcomputer.com/forums/topic470019.html

Did a search of the site and could not find any other posts on this Trojan so started this new one. I have the DDS.txt & Attach.txt mentioned. I've run Malwarebytes (14 detections) & Hitman Pro (2 detections--YontooIEClient.dll & _Setupx.dll) and uninstalled Java but still getting Microsoft Security Essentials running a lot (Alert Level: Severe) which is quarantining the Trojan. I've been removing the Microsoft Security Essentials from time to time but not sure if that is advisable. Seen some tips to get into registry but am wary of that. Thank you for any help.

#2 KarstenHansen

Posted 04 October 2012 - 07:36 AM

Hi orangegrease :)
I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

I would like you to post (don't attach) all those logs you previously spoke of. I need the DDS logs, the Malwarebytes logs with the 14 removed entries, and the Hitman Pro logs with the 2 detections.

#3 orangegrease (Topic Starter)

Posted 05 October 2012 - 06:00 AM

Thanks Karsten. This all started when someone on this computer accidentally got the "System Progressive Protection" rogue. I followed this guide (ran rkill and then Malwarebytes) and have not seen a trace of it since:

http://www.bleepingcomputer.com/virus-removal/remove-system-progressive-protection

Not sure if this Trojan is related.

Here are the two Malwarebytes logs. The first was after rkill I think. The second was an attempt to address this Trojan.

Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.10.03.04

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
Minion :: MINION-9XHIN6NB [administrator]

10/3/2012 1:58:47 AM
mbam-log-2012-10-03 (01-58-47).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 357557
Time elapsed: 1 hour(s), 44 minute(s), 8 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|B2E7205E8C676FFB003CB2E6E3E7DFF6 (Trojan.FakeAV) -> Data: C:\Documents and Settings\All Users\Application Data\B2E7205E8C676FFB003CB2E6E3E7DFF6\B2E7205E8C676FFB003CB2E6E3E7DFF6.exe -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|ofief (Trojan.RedirRdll2.Gen) -> Data: rundll32.exe "C:\Documents and Settings\Minion\Application Data\ofief.dll",AReleaseDevice -> Quarantined and deleted successfully.

Registry Data Items Detected: 2
HKCR\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32| (Trojan.0Access) -> Bad: (C:\RECYCLER\S-1-5-18\$068d91b3df97c5bb4552944075ceeb81\n.) Good: (fastprox.dll) -> Quarantined and repaired successfully.
HKCR\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InProcServer32| (Trojan.0Access) -> Bad: (C:\RECYCLER\S-1-5-21-1390067357-1085031214-839522115-1004\$068d91b3df97c5bb4552944075ceeb81\n.) Good: (fastprox.dll) -> Quarantined and repaired successfully.

Folders Detected: 1
C:\Documents and Settings\Minion\Start Menu\Programs\System Progressive Protection (Rogue.SystemProgressiveProtection) -> Quarantined and deleted successfully.

Files Detected: 16
C:\Documents and Settings\All Users\Application Data\B2E7205E8C676FFB003CB2E6E3E7DFF6\B2E7205E8C676FFB003CB2E6E3E7DFF6.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-1390067357-1085031214-839522115-1004\$068d91b3df97c5bb4552944075ceeb81\n (Trojan.0Access) -> Quarantined and deleted successfully.
C:\Documents and Settings\Minion\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\12\23b49d4c-51782c83 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Minion\Local Settings\Temp\appipu.exe (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Documents and Settings\Minion\Local Settings\Temp\attw.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Minion\Local Settings\Temp\~!#353.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-18\$068d91b3df97c5bb4552944075ceeb81\n (Trojan.0Access) -> Delete on reboot.
C:\RECYCLER\S-1-5-18\$068d91b3df97c5bb4552944075ceeb81\U\00000001.@ (Trojan.0Access) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-18\$068d91b3df97c5bb4552944075ceeb81\U\80000000.@ (Trojan.0Access) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-18\$068d91b3df97c5bb4552944075ceeb81\U\800000cb.@ (Trojan.0Access) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-1390067357-1085031214-839522115-1004\$068d91b3df97c5bb4552944075ceeb81\U\00000001.@ (Trojan.0Access) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-1390067357-1085031214-839522115-1004\$068d91b3df97c5bb4552944075ceeb81\U\80000000.@ (Trojan.0Access) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-1390067357-1085031214-839522115-1004\$068d91b3df97c5bb4552944075ceeb81\U\800000cb.@ (Trojan.0Access) -> Quarantined and deleted successfully.
C:\Documents and Settings\Minion\Desktop\System Progressive Protection.lnk (Rogue.SystemProgressiveProtection) -> Quarantined and deleted successfully.
C:\Documents and Settings\Minion\Start Menu\Programs\System Progressive Protection\System Progressive Protection.lnk (Rogue.SystemProgressiveProtection) -> Quarantined and deleted successfully.
C:\Documents and Settings\Minion\Application Data\ofief.dll (Trojan.RedirRdll2.Gen) -> Quarantined and deleted successfully.

(end)


////////////////////////////


Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.10.03.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Minion :: MINION-9XHIN6NB [administrator]

10/3/2012 5:27:32 PM
mbam-log-2012-10-03 (17-27-32).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 199553
Time elapsed: 30 minute(s), 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

/////////////

log labeled "ATTACH":

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 7/22/2011 9:23:07 PM
System Uptime: 10/3/2012 7:07:49 PM (0 hours ago)
.
Motherboard: Dell Computer Corp. | | 0J0592
Processor: Intel® Pentium® 4 CPU 2.66GHz | Microprocessor | 2657/533mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 56 GiB total, 23.971 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP545: 7/4/2012 2:34:10 PM - Software Distribution Service 3.0
RP546: 7/5/2012 2:54:34 PM - Software Distribution Service 3.0
RP547: 7/6/2012 3:09:08 PM - Software Distribution Service 3.0
RP548: 7/7/2012 11:36:21 PM - Software Distribution Service 3.0
RP549: 7/9/2012 12:38:18 AM - Software Distribution Service 3.0
RP550: 7/10/2012 3:44:27 AM - System Checkpoint
RP551: 7/10/2012 11:42:26 AM - Software Distribution Service 3.0
RP552: 7/11/2012 3:00:20 AM - Software Distribution Service 3.0
RP553: 7/11/2012 3:17:11 PM - Software Distribution Service 3.0
RP554: 7/12/2012 8:01:17 PM - System Checkpoint
RP555: 7/13/2012 4:13:48 AM - Software Distribution Service 3.0
RP556: 7/14/2012 4:28:24 AM - System Checkpoint
RP557: 7/14/2012 12:49:58 PM - Software Distribution Service 3.0
RP558: 7/15/2012 1:45:54 AM - Software Distribution Service 3.0
RP559: 7/15/2012 6:13:27 PM - Installed Java™ 7 Update 5
RP560: 7/15/2012 6:14:43 PM - Installed JavaFX 2.1.1
RP561: 7/16/2012 4:00:32 AM - Software Distribution Service 3.0
RP562: 7/18/2012 4:01:49 AM - Software Distribution Service 3.0
RP563: 7/19/2012 4:51:10 AM - Software Distribution Service 3.0
RP564: 7/20/2012 1:43:08 PM - Software Distribution Service 3.0
RP565: 7/21/2012 8:13:28 PM - System Checkpoint
RP566: 7/21/2012 11:53:28 PM - Software Distribution Service 3.0
RP567: 7/23/2012 4:26:24 AM - System Checkpoint
RP568: 7/23/2012 1:30:19 PM - Software Distribution Service 3.0
RP569: 7/24/2012 2:11:03 PM - Software Distribution Service 3.0
RP570: 7/25/2012 2:19:12 PM - System Checkpoint
RP571: 7/26/2012 5:13:26 AM - Software Distribution Service 3.0
RP572: 7/27/2012 5:37:33 AM - System Checkpoint
RP573: 7/27/2012 1:47:42 PM - Software Distribution Service 3.0
RP574: 7/28/2012 5:02:23 PM - System Checkpoint
RP575: 7/29/2012 1:35:33 AM - Software Distribution Service 3.0
RP576: 7/30/2012 5:07:51 AM - System Checkpoint
RP577: 7/30/2012 1:37:57 PM - Software Distribution Service 3.0
RP578: 7/31/2012 2:35:33 PM - Software Distribution Service 3.0
RP579: 8/1/2012 2:43:00 PM - Software Distribution Service 3.0
RP580: 8/2/2012 3:54:46 PM - System Checkpoint
RP581: 8/3/2012 1:57:23 PM - Software Distribution Service 3.0
RP582: 8/4/2012 5:01:05 PM - System Checkpoint
RP583: 8/5/2012 2:16:11 AM - Software Distribution Service 3.0
RP584: 8/7/2012 5:27:01 AM - Software Distribution Service 3.0
RP585: 8/8/2012 9:52:58 AM - Software Distribution Service 3.0
RP586: 8/9/2012 1:25:33 PM - Software Distribution Service 3.0
RP587: 8/10/2012 1:47:51 PM - System Checkpoint
RP588: 8/11/2012 12:44:31 PM - Software Distribution Service 3.0
RP589: 8/12/2012 2:24:53 AM - Software Distribution Service 3.0
RP590: 8/13/2012 2:33:23 AM - System Checkpoint
RP591: 8/13/2012 12:52:55 PM - Software Distribution Service 3.0
RP592: 8/14/2012 4:15:00 PM - System Checkpoint
RP593: 8/15/2012 12:04:35 PM - Software Distribution Service 3.0
RP594: 8/16/2012 2:05:25 AM - Software Distribution Service 3.0
RP595: 8/17/2012 12:32:15 AM - Software Distribution Service 3.0
RP596: 8/18/2012 2:23:00 AM - System Checkpoint
RP597: 8/18/2012 11:44:01 AM - Software Distribution Service 3.0
RP598: 8/19/2012 1:53:52 AM - Software Distribution Service 3.0
RP599: 8/20/2012 2:25:59 AM - System Checkpoint
RP600: 8/20/2012 1:08:52 PM - Software Distribution Service 3.0
RP601: 8/21/2012 5:37:43 PM - System Checkpoint
RP602: 8/22/2012 12:13:49 PM - Software Distribution Service 3.0
RP603: 8/22/2012 10:20:49 PM - Installed Remove Hidden Data Tool
RP604: 8/23/2012 12:21:12 PM - Software Distribution Service 3.0
RP605: 8/24/2012 1:13:27 PM - Software Distribution Service 3.0
RP606: 8/25/2012 3:43:35 PM - System Checkpoint
RP607: 8/26/2012 2:00:48 AM - Software Distribution Service 3.0
RP608: 8/27/2012 9:37:27 AM - Software Distribution Service 3.0
RP609: 8/28/2012 11:25:30 AM - Software Distribution Service 3.0
RP610: 8/29/2012 11:28:41 AM - System Checkpoint
RP611: 8/31/2012 12:34:27 AM - Software Distribution Service 3.0
RP612: 9/1/2012 12:52:16 AM - System Checkpoint
RP613: 9/1/2012 3:02:33 PM - Software Distribution Service 3.0
RP614: 9/2/2012 1:58:05 AM - Software Distribution Service 3.0
RP615: 9/3/2012 2:07:53 AM - System Checkpoint
RP616: 9/3/2012 12:59:42 PM - Software Distribution Service 3.0
RP617: 9/4/2012 2:28:02 PM - System Checkpoint
RP618: 9/5/2012 12:57:00 PM - Software Distribution Service 3.0
RP619: 9/6/2012 3:14:57 PM - System Checkpoint
RP620: 9/7/2012 12:48:57 PM - Software Distribution Service 3.0
RP621: 9/8/2012 2:25:30 PM - Software Distribution Service 3.0
RP622: 9/9/2012 1:51:42 AM - Software Distribution Service 3.0
RP623: 9/10/2012 4:07:30 AM - System Checkpoint
RP624: 9/10/2012 2:53:36 PM - Software Distribution Service 3.0
RP625: 9/11/2012 4:10:04 PM - System Checkpoint
RP626: 9/12/2012 3:00:31 AM - Software Distribution Service 3.0
RP627: 9/12/2012 12:17:06 PM - Software Distribution Service 3.0
RP628: 9/13/2012 2:17:38 PM - Software Distribution Service 3.0
RP629: 9/14/2012 7:25:54 PM - Software Distribution Service 3.0
RP630: 9/15/2012 7:46:52 PM - System Checkpoint
RP631: 9/16/2012 1:37:48 AM - Software Distribution Service 3.0
RP632: 9/17/2012 2:13:00 AM - System Checkpoint
RP633: 9/17/2012 2:18:33 PM - Software Distribution Service 3.0
RP634: 9/18/2012 2:50:35 PM - Software Distribution Service 3.0
RP635: 9/19/2012 3:44:33 PM - System Checkpoint
RP636: 9/20/2012 1:42:25 PM - Software Distribution Service 3.0
RP637: 9/21/2012 2:19:07 PM - Software Distribution Service 3.0
RP638: 9/21/2012 10:26:15 PM - Software Distribution Service 3.0
RP639: 9/22/2012 2:49:21 PM - Software Distribution Service 3.0
RP640: 9/23/2012 2:33:56 AM - Software Distribution Service 3.0
RP641: 9/24/2012 2:49:45 AM - System Checkpoint
RP642: 9/24/2012 2:00:10 PM - Software Distribution Service 3.0
RP643: 9/25/2012 2:43:30 PM - Software Distribution Service 3.0
RP644: 9/26/2012 3:10:26 PM - Software Distribution Service 3.0
RP645: 9/27/2012 9:46:28 PM - System Checkpoint
RP646: 9/28/2012 3:39:21 PM - Software Distribution Service 3.0
RP647: 9/29/2012 4:06:58 PM - System Checkpoint
RP648: 9/30/2012 2:03:27 AM - Software Distribution Service 3.0
RP649: 10/1/2012 2:41:38 AM - System Checkpoint
RP650: 10/1/2012 2:49:27 PM - Software Distribution Service 3.0
RP651: 10/2/2012 3:00:21 AM - Software Distribution Service 3.0
RP652: 10/3/2012 5:34:02 AM - System Checkpoint
RP653: 10/3/2012 6:39:58 PM - Removed JavaFX 2.1.1
.
==== Installed Programs ======================
.
Active@ DVD Eraser v 1.1
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.4)
Brother MFL-Pro Suite
BurnAware Free 5.2
Compatibility Pack for the 2007 Office system
Conexant SmartHSFi V92 56K DF PCI Modem
Coupon Printer for Windows
Dell ResourceCD
Exact Audio Copy 1.0beta2
foobar2000 v1.1.7
FREE Hi-Q Recorder 1.92
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB981793)
Intel® PRO Ethernet Adapter and Software
Java 7 Update 7
Java Auto Updater
Living Trust Forms
Malwarebytes Anti-Malware version 1.65.0.1400
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Word 2002
Microsoft Works 2003 Setup Launcher
Microsoft Works 7.0
Microsoft Works Suite Add-in for Microsoft Word
Mozilla Firefox 15.0.1 (x86 en-US)
Mozilla Maintenance Service
Nero
NVIDIA Display Driver
NVIDIA Windows 2000/XP Display Drivers
PaperPort
Remove Hidden Data Tool
Secunia PSI (3.0.0.4001)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2709162)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135)
Security Update for Windows XP (KB2731847)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
SMC Connection Manager
SoulSeek 157 NS 13e
SoundMAX
SugarSync Manager
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2718704)
Update for Windows XP (KB2736233)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VLC media player 2.0.2
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR 4.01 (32-bit)
Works Suite OS Pack
Yontoo Layers Runtime 1.10.01
.
==== Event Viewer Messages From Past Week ========
.
10/3/2012 7:42:57 PM, error: Service Control Manager [7016] - The BrSplService service has reported an invalid current state 0.
10/3/2012 7:09:19 PM, error: Service Control Manager [7024] - The HitmanPro 3.6 Crusader (Boot) service terminated with service-specific error 0 (0x0).
10/3/2012 6:39:06 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
10/3/2012 5:25:16 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
10/3/2012 5:25:01 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
10/3/2012 5:21:00 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MpFilter MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
10/3/2012 5:21:00 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
10/3/2012 5:21:00 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/3/2012 5:21:00 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/3/2012 5:21:00 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
.
==== End Of File ===========================

/////////////////////

LOG LABELED "CHECKUP":

Results of screen317's Security Check version 0.99.51
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
Microsoft Security Essentials
`````````Anti-malware/Other Utilities Check:`````````
Secunia PSI (3.0.0.4001)
Malwarebytes Anti-Malware version 1.65.0.1400
Java 7 Update 7
Adobe Flash Player 11.4.402.278
Adobe Reader X (10.1.4)
Mozilla Firefox (15.0.1)
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 24% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

/////////////////////

LOG LABELED "DDS":

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.7.2
Run by Minion at 19:42:53 on 2012-10-03
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1204 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SugarSync\SugarSyncManager.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
svchost.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\SMC\Common\RaRegistry.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Minion\My Documents\Downloads\Defogger(1).exe
C:\Documents and Settings\Minion\My Documents\Downloads\SecurityCheck.exe
C:\WINDOWS\system32\notepad.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://login.yahoo.com/config/login_verify2?.intl=us&.partner=&.src=ym&.done=http%3a//mail.yahoo.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SugarSync] "c:\program files\sugarsync\SugarSyncManager.exe" -startInTray -usedelay=true
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [qeroas] "c:\windows\system32\rundll32.exe" "c:\documents and settings\minion\application data\qeroas.dll",Node_ListTree
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1311405852881
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://active.macromedia.com/flash2/cabs/swflash.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{EDC2B346-8365-41F7-B785-AB05DD718677} : DhcpNameServer = 209.18.47.61 209.18.47.62
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\minion\application data\mozilla\firefox\profiles\zs0f5b4v.default\
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?.intl=us&.partner=&.src=ym&.done=http%3a//mail.yahoo.com/
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_278.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - plugin: c:\windows\system32\npwmsdrm.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-8-30 193552]
R1 MpKsl0e2c4878;MpKsl0e2c4878;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f6a966b7-45af-4d73-9dc7-7331f62d7921}\MpKsl0e2c4878.sys [2012-10-3 29904]
R2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\smc\common\RaRegistry.exe [2011-9-20 185632]
R2 Scutum50;Scutum50 NDIS Protocol Driver;c:\windows\system32\drivers\Scutum50.sys [2011-9-20 19072]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2012-9-24 1328736]
R3 hitmanpro36;HitmanPro 3.6 Support Driver;c:\windows\system32\drivers\hitmanpro36.sys [2012-10-3 27424]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2011-12-16 15544]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2012-9-24 656480]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-2 250288]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-3 114144]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2011-9-20 803328]
.
=============== Created Last 30 ================
.
2012-10-04 02:10:18 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f6a966b7-45af-4d73-9dc7-7331f62d7921}\offreg.dll
2012-10-04 02:09:34 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f6a966b7-45af-4d73-9dc7-7331f62d7921}\MpKsl0e2c4878.sys
2012-10-04 02:08:33 27424 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-10-04 01:52:32 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro
2012-10-04 01:14:19 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-10-04 01:14:08 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-10-04 01:02:48 -------- d-----w- c:\documents and settings\minion\local settings\application data\Secunia PSI
2012-10-04 01:01:47 -------- d-----w- c:\program files\Secunia
2012-10-03 11:30:47 6980552 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f6a966b7-45af-4d73-9dc7-7331f62d7921}\mpengine.dll
2012-10-03 11:28:41 -------- d-----w- c:\program files\Microsoft Security Client
2012-10-02 13:51:38 -------- d-----w- c:\documents and settings\minion\local settings\application data\{407CDE74-0C98-11E2-8271-B8AC6F996F26}
2012-10-02 13:51:35 479744 ----a-w- c:\documents and settings\minion\application data\qeroas.dll
2012-10-02 13:51:32 -------- d-----w- c:\documents and settings\all users\application data\B2E7205E8C676FFB003CB2E6E3E7DFF6
2012-09-25 23:18:39 -------- d-----w- c:\program files\BurnAware Free
2012-09-07 09:05:38 192600 ----a-w- c:\program files\mozilla firefox\maintenanceservice_installer.exe
.
==================== Find3M ====================
.
2012-10-04 01:13:32 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-10-04 01:13:32 746984 -c--a-w- c:\windows\system32\deployJava1.dll
2012-09-21 09:50:13 696240 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-21 09:50:12 73136 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-08 00:04:46 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-02 19:51:24 230840 ----a-r- c:\windows\system32\cpnprt2.cid
2012-08-31 05:03:50 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-08-28 15:14:53 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14:53 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14:52 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07:15 385024 ----a-w- c:\windows\system32\html.iec
2012-08-02 01:47:09 69632 ----a-w- c:\windows\system32\realbap1.dll
2012-08-02 01:47:09 45568 ----a-w- c:\windows\system32\realbsf1.dll
2012-07-06 13:58:51 78336 ----a-w- c:\windows\system32\browser.dll
.
============= FINISH: 19:43:38.21 ===============


////////////////////////////


I'm sorry, but I'm having trouble finding a log for Hitman Pro. I can see the "history" which is:

YontooIEClient.dll
C:\Program Files\Yontoo Layers Runtime\


_Setupx.dll
C:\Documents and Settings\All Users\Application Data\Tarma Insta... [it cuts off there]



Both of the above say Riskware and are dated Wed 3 Oct 2012 19:05 Quarantined (I did not remove)


Please let me know if you need anything else and thanks again!
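The `mRun: [qeroas]` line in the DDS log above is the autostart worth noticing: rundll32.exe is told to load a DLL from the user's Application Data folder and call its `Node_ListTree` export, which is the same file and Run value the ComboFix run later in this thread deletes. The script below is an added example, not part of this thread or of DDS, ComboFix or any other tool named here; it parses uRun:/mRun: lines as DDS prints them and grades each one by where the image (or, for rundll32, the DLL) lives. It assumes the Windows directory is c:\windows when expanding %systemroot%, as the log shows.

```python
"""Triage of DDS autostart lines (uRun:/mRun:) for a persistence pattern seen in the
log above: rundll32.exe loading a DLL that lives in a user-writable profile directory.

Added example for this thread; it is not part of DDS, ComboFix or any other tool
named in the thread. Environment-variable expansion assumes the Windows directory is
c:\\windows, as the DDS log on this machine shows.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: six uRun/mRun lines copied from the DDS log in this thread.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SugarSync] "c:\program files\sugarsync\SugarSyncManager.exe" -startInTray -usedelay=true
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [qeroas] "c:\windows\system32\rundll32.exe" "c:\documents and settings\minion\application data\qeroas.dll",Node_ListTree
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
"""

RUN_RE = re.compile(r"^\s*([um]Run): \[([^\]]+)\] (.*)$")

# Variables DDS leaves unexpanded; values assumed from the log (Windows in c:\windows).
ENV = {"%systemroot%": "c:\\windows", "%windir%": "c:\\windows"}

# Directory markers a normal user can write to on Windows XP and later.
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\application data\\",
                 "\\appdata\\", "\\temp\\")
# Roots where autostart images are expected (administrator-writable only).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


@dataclass
class Finding:
    hive: str      # "uRun" = HKCU\...\Run, "mRun" = HKLM\...\Run in DDS notation
    name: str      # value name inside the Run key
    image: str     # executable that starts
    payload: str   # DLL handed to rundll32, or "" when not a rundll32 entry
    export: str    # exported function rundll32 is told to call, or ""
    severity: str  # "high", "medium" or "info"
    reason: str


def _split_args(cmd: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes.
    Quotes are dropped, so "c:\\x\\y.dll",Export stays one token."""
    args, cur, in_quotes = [], [], False
    for ch in cmd:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def _normalise(path: str) -> str:
    """Lower-case a path and expand the environment variables DDS leaves in place."""
    path = path.lower()
    for var, value in ENV.items():
        path = path.replace(var, value)
    return path


def assess_entry(line: str) -> Finding | None:
    """Classify one DDS uRun:/mRun: line; returns None for lines of another kind."""
    m = RUN_RE.match(line)
    if not m:
        return None
    hive, name, cmd = m.groups()
    args = _split_args(cmd)
    if not args:
        return None
    image = _normalise(args[0])
    payload = export = ""
    # rundll32 is a trusted host; the interesting file is the DLL it is given.
    if image.rsplit("\\", 1)[-1] == "rundll32.exe" and len(args) > 1:
        dll, sep, func = args[1].rpartition(",")
        payload, export = (dll, func) if sep else (args[1], "")
        payload = _normalise(payload)
    target = payload or image
    if "\\" not in target:
        severity, reason = "medium", "bare image name, resolved through the search path"
    elif any(marker in target for marker in USER_WRITABLE):
        severity = "high" if payload else "medium"
        what = "rundll32 loads a DLL" if payload else "image runs"
        reason = f"{what} from a user-writable directory"
    elif not target.startswith(TRUSTED_ROOTS):
        severity, reason = "medium", "runs from outside Windows/Program Files"
    else:
        severity, reason = "info", "runs from a system or program directory"
    return Finding(hive, name, image, payload, export, severity, reason)


def triage(log_text: str) -> list[Finding]:
    """Run assess_entry over every line of a DDS log and keep the Run entries."""
    findings = [assess_entry(line) for line in log_text.splitlines()]
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.hive} [{f.name}] {f.payload or f.image}"
              + (f" -> {f.export}" if f.export else "") + f"  ({f.reason})")
```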

#4 orangegrease

  • Topic Starter
  • Members
  • 12 posts

Posted 05 October 2012 - 06:08 AM

I also ran a full Microsoft Security Essentials twice I think and this made it sound like there is no log available:

http://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/are-full-scan-reports-archived/cae09f26-538d-476f-b73b-b3e4754707ce

If you are interested in any "internal events" info, I can try and find that.

#5 KarstenHansen

    The Dane

  • Members
  • 1,868 posts
  • Gender:Male

Posted 05 October 2012 - 06:32 AM

Hi orangegrease :),

Welcome to BleepingComputer. My name is Karsten and I'll help you with the cleanup of malware from your computer.

Please be aware of the following:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I am assuming that you don't need help anymore and your topic will be closed.
  • I can not guarantee that we will find and be able to remove all malware. Formatting is usually faster and always the safest way.
  • If you decide to clean your PC, work with us until a team member tells you that you are clean.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.

Please be patient while I analyze your logs; I will be back with an answer ASAP.

#6 KarstenHansen

    The Dane

  • Members
  • 1,868 posts
  • Gender:Male

Posted 06 October 2012 - 04:31 PM

Hi orangegrease :)
One or more of the identified infections was a backdoor trojan called Zero Access.

Though the trojan has been identified and has been cleaned, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


Step 1: I think we will use Combofix to remove any leftovers from Zero Access, please do the following:

Combofix is a very powerful tool and special attention must be taken to allow it to work properly. Please pay careful attention to the following instructions.

  • Please download ComboFix from one of these locations:

    BleepingComputer

    ForoSpyware

  • Save Combofix.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts. It is important you do not mouse click while the program is running or it may stall.

    Note #1: Oftentimes it may appear as if ComboFix has stopped working. To verify it is still running please do one of the following below. If, based on the below, you have concluded ComboFix has stopped running please stop and advise me.

    • Check your computer clock. If it is still running then so is ComboFix
    • Open Task Manager and select the Applications Tab. If the status of AutoScan is Running, then ComboFix is running
    • Open Task Manager and select the Processes Tab. Under Image Name look for files ending in .3xe. If there are fluctuating numbers under CPU and Mem Usage then ComboFix is running
    Note #2: If you receive the following error "Illegal operation attempted on a registry key that has been marked for deletion" please just restart your computer to resolve this issue
  • When finished, it will produce a log. Please include the C:\Combofix.txt log in your next reply.


Step 2: I need to run Farbar's Service Scanner to check the current status of your network, please follow this:

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:

    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.
  • Combofix log (found at C:\Combofix.txt)
  • Farbar's Service Scanner log.


#7 orangegrease

  • Topic Starter
  • Members
  • 12 posts

Posted 06 October 2012 - 10:25 PM

Dear Karsten,

I read the two links and understand that "We can still clean this machine but I can't guarantee that it will be 100% secure afterwards". I think based on my computer use, it is worth giving cleaning a shot--unless it is possible for the bot to read what passwords I type in and then hack into online email or financial accounts. Or see the same information when those web pages are open. In that case, maybe a reformat makes more sense. Your clean vs. format advice based on what you see in the logs is appreciated. Thanks again for your help. I looked up zeroaccess and Sophos said "ZeroAccess botnet is currently being used for two main purposes: Click fraud and Bitcoin mining".

http://nakedsecurity.sophos.com/2012/09/19/zeroaccess-botnet-uncovered/

I don't use bitcoin (at least knowingly) and it sounds like click fraud defrauds advertisers and does not cost the computer user money. Of course, it would be nice to help prevent someone else from being defrauded.

This says that one of the ways people get this is "when already infected with malware that downloads additional malware on the machine".

http://www.net-security.org/secworld.php?id=13636

Maybe my case of zeroaccess came due to that "System Progressive Protection" rogue, don't you think?




ComboFix 12-10-04.02 - Minion 10/06/2012 18:41:50.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.914 [GMT -7:00]
Running from: c:\documents and settings\Minion\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Minion\Application Data\qeroas.dll
c:\windows\system32\_000012_.tmp.dll
c:\windows\system32\dllcache\dlimport.exe
c:\windows\system32\dllcache\wmpvis.dll
c:\windows\system32\SET32.tmp
c:\windows\system32\SET34.tmp
c:\windows\system32\SET37.tmp
c:\windows\system32\SET3B.tmp
c:\windows\system32\SET43.tmp
c:\windows\system32\SET45.tmp
c:\windows\system32\SET8A.tmp
c:\windows\system32\SET8B.tmp
c:\windows\system32\SETAF.tmp
c:\windows\system32\SETB0.tmp
c:\windows\system32\SETB1.tmp
c:\windows\system32\SETB2.tmp
c:\windows\system32\SETB3.tmp
.
Infected copy of c:\windows\system32\kernel32.dll was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\kernel32.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-09-07 to 2012-10-07 )))))))))))))))))))))))))))))))
.
.
2012-10-07 01:34 . 2012-10-07 01:34 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2012-10-05 10:41 . 2012-10-05 10:41 -------- d-----w- c:\program files\HitmanPro
2012-10-04 02:08 . 2012-10-04 02:08 27424 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-10-04 01:52 . 2012-10-04 02:05 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2012-10-04 01:15 . 2012-10-04 01:15 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2012-10-04 01:14 . 2012-10-04 01:14 -------- d-----w- c:\program files\Common Files\Java
2012-10-04 01:14 . 2012-10-04 01:13 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-10-04 01:14 . 2012-10-04 01:13 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-10-04 01:13 . 2012-10-04 01:13 -------- d-----w- c:\program files\Java
2012-10-04 01:02 . 2012-10-04 01:02 -------- d-----w- c:\documents and settings\Minion\Local Settings\Application Data\Secunia PSI
2012-10-04 01:01 . 2012-10-04 01:01 -------- d-----w- c:\program files\Secunia
2012-10-03 11:30 . 2012-09-19 07:59 6980552 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F6A966B7-45AF-4D73-9DC7-7331F62D7921}\mpengine.dll
2012-10-03 11:28 . 2012-10-03 11:29 -------- d-----w- c:\program files\Microsoft Security Client
2012-10-02 21:28 . 2012-10-02 21:28 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2012-10-02 13:51 . 2012-10-02 13:51 -------- d-----w- c:\documents and settings\Minion\Local Settings\Application Data\{407CDE74-0C98-11E2-8271-B8AC6F996F26}
2012-10-02 13:51 . 2012-10-02 13:53 -------- d-----w- c:\documents and settings\All Users\Application Data\B2E7205E8C676FFB003CB2E6E3E7DFF6
2012-09-25 23:18 . 2012-09-25 23:19 -------- d-----w- c:\program files\BurnAware Free
2012-09-18 03:15 . 2012-09-18 03:21 -------- d-----w- c:\documents and settings\Minion\Application Data\dvdcss
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-04 01:13 . 2012-07-16 01:14 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-10-04 01:13 . 2012-07-16 01:14 746984 -c--a-w- c:\windows\system32\deployJava1.dll
2012-09-21 09:50 . 2012-04-02 10:30 696240 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-21 09:50 . 2011-07-23 09:13 73136 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-08 00:04 . 2011-08-11 19:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-02 19:51 . 2012-09-02 19:51 230840 ----a-r- c:\windows\system32\cpnprt2.cid
2012-08-31 05:03 . 2012-08-31 05:03 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-08-28 15:14 . 2006-06-23 18:33 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14 . 2002-09-03 16:39 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14 . 2002-09-03 16:35 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2012-08-02 01:47 . 2012-03-30 09:47 69632 ----a-w- c:\windows\system32\realbap1.dll
2012-08-02 01:47 . 2012-03-30 09:47 45568 ----a-w- c:\windows\system32\realbsf1.dll
2012-09-07 09:08 . 2012-09-07 09:04 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]
@="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}"
[HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}]
2012-07-13 05:27 369784 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]
@="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}"
[HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}]
2012-07-13 05:27 369784 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]
@="{A759AFF6-5851-457D-A540-F4ECED148351}"
[HKEY_CLASSES_ROOT\CLSID\{A759AFF6-5851-457D-A540-F4ECED148351}]
2012-07-13 05:27 369784 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]
@="{1574C9EF-7D58-488F-B358-8B78C1538F51}"
[HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}]
2012-07-13 05:27 369784 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SugarSync"="c:\program files\SugarSync\SugarSyncManager.exe" [2012-07-13 9798776]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-13 947176]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2012-9-24 573536]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SMC Connection Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SMC Connection Manager.lnk
backup=c:\windows\pss\SMC Connection Manager.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-27 20:51 919008 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2004-04-14 22:04 40960 -c--a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 18:50 155648 -c--a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2003-10-06 21:16 741376 -c--a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2004-04-14 21:46 57393 -c--a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-10-14 17:22 155648 -c--a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R2 Scutum50;Scutum50 NDIS Protocol Driver;c:\windows\system32\drivers\Scutum50.sys [9/20/2011 12:14 AM 19072]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [9/24/2012 5:46 AM 1328736]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [9/24/2012 5:46 AM 656480]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [12/16/2011 7:19 AM 15544]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/2/2012 3:30 AM 250288]
S3 hitmanpro36;HitmanPro 3.6 Support Driver;c:\windows\system32\drivers\hitmanpro36.sys [10/3/2012 7:08 PM 27424]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/3/2012 6:11 PM 114144]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - BITS
*NewlyCreated* - WS2IFSL
*NewlyCreated* - WUAUSERV
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 09:50]
.
2012-10-06 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-09-13 00:25]
.
2012-10-07 c:\windows\Tasks\User_Feed_Synchronization-{8C7C3E54-BA78-4EC0-A159-147AFD731B47}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = https://login.yahoo.com/config/login_verify2?.intl=us&.partner=&.src=ym&.done=http%3a//mail.yahoo.com/
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Minion\Application Data\Mozilla\Firefox\Profiles\zs0f5b4v.default\
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?.intl=us&.partner=&.src=ym&.done=http%3a//mail.yahoo.com/
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-qeroas - c:\documents and settings\Minion\Application Data\qeroas.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-06 18:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1712)
c:\windows\system32\WININET.dll
c:\program files\SugarSync\SugarSyncShellExt.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\windows\system32\brss01a.exe
c:\windows\system32\Brmfrmps.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\windows\System32\nvsvc32.exe
c:\program files\SMC\Common\RaRegistry.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-10-06 19:04:24 - machine was rebooted
ComboFix-quarantined-files.txt 2012-10-07 02:04
.
Pre-Run: 27,814,985,728 bytes free
Post-Run: 28,480,847,872 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - CDA43D45EC3FBEB378C3FF0A312096FD



////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////



Farbar Service Scanner Version: 19-09-2012
Ran by Minion (administrator) on 06-10-2012 at 19:54:36
Running from "C:\Documents and Settings\Minion\My Documents\Downloads"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x0700000005000000010000000200000003000000040000000600000007000000
IpSec Tag value is correct.

**** End of log ****

#8 KarstenHansen

    The Dane

  • Members
  • 1,868 posts
  • Gender:Male

Posted 07 October 2012 - 10:07 AM

Hi Elise :)
Proposed post

Hi orangegrease :)

Maybe my case of zeroaccess came due to that "System Progressive Protection" rogue, don't you think?

Yes I do actually agree 100% with that thought!


Step 1: I would like you to run Eset Online Scanner, please do this:

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

Step 2: To be sure you have a good and clean machine, please run this:

Please rerun Malwarebytes Anti-Malware from your computer.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you cannot update Malwarebytes or use the Internet to download any files to the infected computer, manually update the database by following the instructions in FAQ Section A: 4. Issues.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When the scan is complete, click OK, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

-- Some types of malware will target Malwarebytes and other security tools to keep them from running properly. If that's the case, use Malwarebytes Chameleon and follow the onscreen instructions. The Chameleon folder can be accessed by opening the program folder for Malwarebytes Anti-Malware (normally C:\Program Files\Malwarebytes' Anti-Malware or C:\Program Files (x86)\Malwarebytes' Anti-Malware).


:step3: Finally please post a last DDS log.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Rerun DDS by sUBs, located on your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup:
  • Eset Online Scanner log
  • Malwarebytes Anti-Malware log
  • New DDS log

Edited by KarstenHansen, 07 October 2012 - 12:01 PM.


#9 orangegrease

orangegrease
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:10:27 PM

Posted 07 October 2012 - 07:35 PM

Doing the ESET scan right now. It had a message that your anti-virus program could impact the quality of the scan, but I left Microsoft Security Essentials on. I am also running Secunia PSI and it alerted me to:

Microsoft® Windows® Malicious Software Removal Tool (KB890830)

This tool checks your computer for infection by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps to remove the infection if it is found. Microsoft will release an updated version of this tool on the second Tuesday of each month.


It happens to be close to the time for the new update (October 10) and I think I read that non-up to date programs are vulnerable to one of the problems I have. Do you think I should update and/or run the program now or after the new update? And before or after the cleaning is done? Thanks!

#10 orangegrease

orangegrease
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:10:27 PM

Posted 07 October 2012 - 09:40 PM

ESET scan:

C:\Documents and Settings\All Users\Application Data\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\Documents and Settings\Minion\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\42\71bbcd2a-120047b6 a variant of Java/Exploit.CVE-2012-4681.AZ trojan deleted - quarantined
C:\System Volume Information\_restore{DC40C607-B048-49D0-8CCC-48F767BDA264}\RP653\A0063742.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\System Volume Information\_restore{DC40C607-B048-49D0-8CCC-48F767BDA264}\RP653\A0063743.dll a variant of Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
C:\System Volume Information\_restore{DC40C607-B048-49D0-8CCC-48F767BDA264}\RP658\A0063967.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined


//////////////////////////////////////////////


Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.10.07.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Minion :: MINION-9XHIN6NB [administrator]

10/7/2012 7:17:15 PM
mbam-log-2012-10-07 (19-17-15).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 184504
Time elapsed: 9 minute(s), 3 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

DDS:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.7.2
Run by Minion at 19:35:34 on 2012-10-07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.549 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\SugarSync\SugarSyncManager.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
svchost.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\SMC\Common\RaRegistry.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Program Files\Secunia\PSI\psi.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = https://login.yahoo.com/config/login_verify2?.intl=us&.partner=&.src=ym&.done=http%3a//mail.yahoo.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SugarSync] "c:\program files\sugarsync\SugarSyncManager.exe" -startInTray -usedelay=true
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1311405852881
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://active.macromedia.com/flash2/cabs/swflash.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{EDC2B346-8365-41F7-B785-AB05DD718677} : DhcpNameServer = 209.18.47.61 209.18.47.62
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\minion\application data\mozilla\firefox\profiles\zs0f5b4v.default\
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?.intl=us&.partner=&.src=ym&.done=http%3a//mail.yahoo.com/
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_278.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - plugin: c:\windows\system32\npwmsdrm.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-8-30 193552]
R1 MpKsl27ae0ada;MpKsl27ae0ada;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a3520425-91ce-4fec-b480-66b8fbab35ad}\MpKsl27ae0ada.sys [2012-10-7 29904]
R2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\smc\common\RaRegistry.exe [2011-9-20 185632]
R2 Scutum50;Scutum50 NDIS Protocol Driver;c:\windows\system32\drivers\Scutum50.sys [2011-9-20 19072]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2012-9-24 1328736]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2012-9-24 656480]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2011-12-16 15544]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-2 250288]
S3 hitmanpro36;HitmanPro 3.6 Support Driver;c:\windows\system32\drivers\hitmanpro36.sys [2012-10-3 27424]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-3 114144]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2011-9-20 803328]
.
=============== Created Last 30 ================
.
2012-10-08 00:30:29 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a3520425-91ce-4fec-b480-66b8fbab35ad}\offreg.dll
2012-10-08 00:10:37 -------- d-----w- c:\program files\ESET
2012-10-07 22:08:02 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a3520425-91ce-4fec-b480-66b8fbab35ad}\MpKsl27ae0ada.sys
2012-10-07 09:34:25 6980552 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a3520425-91ce-4fec-b480-66b8fbab35ad}\mpengine.dll
2012-10-07 02:23:25 6980552 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-10-07 01:37:45 -------- d-sha-r- C:\cmdcons
2012-10-07 01:35:13 98816 ----a-w- c:\windows\sed.exe
2012-10-07 01:35:13 518144 ----a-w- c:\windows\SWREG.exe
2012-10-07 01:35:13 256000 ----a-w- c:\windows\PEV.exe
2012-10-07 01:35:13 208896 ----a-w- c:\windows\MBR.exe
2012-10-05 10:41:44 -------- d-----w- c:\program files\HitmanPro
2012-10-04 02:08:33 27424 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-10-04 01:52:32 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro
2012-10-04 01:14:19 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-10-04 01:14:08 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-10-04 01:02:48 -------- d-----w- c:\documents and settings\minion\local settings\application data\Secunia PSI
2012-10-04 01:01:47 -------- d-----w- c:\program files\Secunia
2012-10-03 11:28:41 -------- d-----w- c:\program files\Microsoft Security Client
2012-10-02 13:51:38 -------- d-----w- c:\documents and settings\minion\local settings\application data\{407CDE74-0C98-11E2-8271-B8AC6F996F26}
2012-10-02 13:51:32 -------- d-----w- c:\documents and settings\all users\application data\B2E7205E8C676FFB003CB2E6E3E7DFF6
2012-09-25 23:18:39 -------- d-----w- c:\program files\BurnAware Free
.
==================== Find3M ====================
.
2012-10-04 01:13:32 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-10-04 01:13:32 746984 -c--a-w- c:\windows\system32\deployJava1.dll
2012-09-21 09:50:13 696240 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-21 09:50:12 73136 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-08 00:04:46 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-02 19:51:24 230840 ----a-r- c:\windows\system32\cpnprt2.cid
2012-08-31 05:03:50 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-08-28 15:14:53 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14:53 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14:52 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07:15 385024 ----a-w- c:\windows\system32\html.iec
2012-08-02 01:47:09 69632 ----a-w- c:\windows\system32\realbap1.dll
2012-08-02 01:47:09 45568 ----a-w- c:\windows\system32\realbsf1.dll
.
============= FINISH: 19:38:09.20 ===============

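The ESET Online Scanner lines pasted above share one shape: a file path (which may contain spaces), a detection name built around a `Family/Name` token, a kind word such as `application` or `trojan`, and the action taken. The following parser is an added example written for this thread, not code from the thread, from ESET or from BleepingComputer. It splits those lines into fields, pulls out any CVE named in the detection, and classifies where each hit lived: copies inside System Restore points are inert unless a restore point is used, a Java deployment-cache hit is the downloaded exploit applet (evidence of a drive-by attempt, not a running component), and anything else is an active location. The list of kind words and the location rules are my assumptions, based only on the five lines in the post; the sample log is those same five lines.

```python
import re
from collections import Counter

# One ESET Online Scanner result line, in the shape seen in the post above:
#   <path> [probably] a variant of <Family/Name> <kind> <action>
# The path is matched lazily because it contains spaces; the detection is
# anchored on the Family/Name token, which always carries a forward slash,
# while Windows paths in these logs use backslashes only.
# The kind-word list is an assumption drawn from the lines in this thread.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<detection>(?:probably\s+)?(?:a\s+variant\s+of\s+)?[A-Za-z0-9]+/\S+)\s+"
    r"(?P<kind>application|trojan|virus|worm|adware)\s+"
    r"(?P<action>.+?)\s*$"
)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)

# Sample input: the five result lines from the post above.
SAMPLE_LOG = r"""
C:\Documents and Settings\All Users\Application Data\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\Documents and Settings\Minion\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\42\71bbcd2a-120047b6 a variant of Java/Exploit.CVE-2012-4681.AZ trojan deleted - quarantined
C:\System Volume Information\_restore{DC40C607-B048-49D0-8CCC-48F767BDA264}\RP653\A0063742.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\System Volume Information\_restore{DC40C607-B048-49D0-8CCC-48F767BDA264}\RP653\A0063743.dll a variant of Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
C:\System Volume Information\_restore{DC40C607-B048-49D0-8CCC-48F767BDA264}\RP658\A0063967.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
"""


def classify_location(path):
    """Where the detected object lived, which decides how much it matters.

    restore_point: a copy inside a System Restore point; inert unless that
                   restore point is used, but worth quarantining so a rollback
                   does not reinstall it.
    java_cache:    the applet in the Java deployment cache, i.e. the payload
                   of a drive-by attempt rather than a running component.
    active:        anything else (here the Tarma installer DLL).
    """
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    if "\\java\\deployment\\cache\\" in p:
        return "java_cache"
    return "active"


def parse_eset_line(line):
    """Split one result line into path/detection/kind/action, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["location"] = classify_location(rec["path"])
    cve = CVE_RE.search(rec["detection"])
    rec["cve"] = cve.group(0).upper() if cve else None
    rec["quarantined"] = "quarantined" in rec["action"].lower()
    return rec


def parse_eset_log(text):
    """Parse every result line in a pasted log; non-matching lines are skipped."""
    return [r for r in (parse_eset_line(l) for l in text.splitlines()) if r]


def summarize(records):
    """Counts per location class, the CVEs named, and whether all hits were quarantined."""
    return {
        "total": len(records),
        "by_location": dict(Counter(r["location"] for r in records)),
        "cves": sorted({r["cve"] for r in records if r["cve"]}),
        "all_quarantined": all(r["quarantined"] for r in records),
    }


if __name__ == "__main__":
    recs = parse_eset_log(SAMPLE_LOG)
    for r in recs:
        print(f"{r['location']:<13} {r['detection']:<45} {r['action']}")
    print(summarize(recs))
```

Run on the five lines above, the summary reports one active hit, one Java-cache hit and three restore-point copies, a single CVE (CVE-2012-4681, the Java exploit the scanner named), and that everything was quarantined; that is the same reading the helper gives in the next reply, where only the Yontoo program itself remains to be uninstalled.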
#11 orangegrease

orangegrease
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:10:27 PM

Posted 07 October 2012 - 09:41 PM

ATTACH:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 7/22/2011 9:23:07 PM
System Uptime: 10/7/2012 3:06:40 PM (4 hours ago)
.
Motherboard: Dell Computer Corp. | | 0J0592
Processor: Intel® Pentium® 4 CPU 2.66GHz | Microprocessor | 2657/533mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 56 GiB total, 26.381 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP550: 7/10/2012 3:44:27 AM - System Checkpoint
RP551: 7/10/2012 11:42:26 AM - Software Distribution Service 3.0
RP552: 7/11/2012 3:00:20 AM - Software Distribution Service 3.0
RP553: 7/11/2012 3:17:11 PM - Software Distribution Service 3.0
RP554: 7/12/2012 8:01:17 PM - System Checkpoint
RP555: 7/13/2012 4:13:48 AM - Software Distribution Service 3.0
RP556: 7/14/2012 4:28:24 AM - System Checkpoint
RP557: 7/14/2012 12:49:58 PM - Software Distribution Service 3.0
RP558: 7/15/2012 1:45:54 AM - Software Distribution Service 3.0
RP559: 7/15/2012 6:13:27 PM - Installed Java™ 7 Update 5
RP560: 7/15/2012 6:14:43 PM - Installed JavaFX 2.1.1
RP561: 7/16/2012 4:00:32 AM - Software Distribution Service 3.0
RP562: 7/18/2012 4:01:49 AM - Software Distribution Service 3.0
RP563: 7/19/2012 4:51:10 AM - Software Distribution Service 3.0
RP564: 7/20/2012 1:43:08 PM - Software Distribution Service 3.0
RP565: 7/21/2012 8:13:28 PM - System Checkpoint
RP566: 7/21/2012 11:53:28 PM - Software Distribution Service 3.0
RP567: 7/23/2012 4:26:24 AM - System Checkpoint
RP568: 7/23/2012 1:30:19 PM - Software Distribution Service 3.0
RP569: 7/24/2012 2:11:03 PM - Software Distribution Service 3.0
RP570: 7/25/2012 2:19:12 PM - System Checkpoint
RP571: 7/26/2012 5:13:26 AM - Software Distribution Service 3.0
RP572: 7/27/2012 5:37:33 AM - System Checkpoint
RP573: 7/27/2012 1:47:42 PM - Software Distribution Service 3.0
RP574: 7/28/2012 5:02:23 PM - System Checkpoint
RP575: 7/29/2012 1:35:33 AM - Software Distribution Service 3.0
RP576: 7/30/2012 5:07:51 AM - System Checkpoint
RP577: 7/30/2012 1:37:57 PM - Software Distribution Service 3.0
RP578: 7/31/2012 2:35:33 PM - Software Distribution Service 3.0
RP579: 8/1/2012 2:43:00 PM - Software Distribution Service 3.0
RP580: 8/2/2012 3:54:46 PM - System Checkpoint
RP581: 8/3/2012 1:57:23 PM - Software Distribution Service 3.0
RP582: 8/4/2012 5:01:05 PM - System Checkpoint
RP583: 8/5/2012 2:16:11 AM - Software Distribution Service 3.0
RP584: 8/7/2012 5:27:01 AM - Software Distribution Service 3.0
RP585: 8/8/2012 9:52:58 AM - Software Distribution Service 3.0
RP586: 8/9/2012 1:25:33 PM - Software Distribution Service 3.0
RP587: 8/10/2012 1:47:51 PM - System Checkpoint
RP588: 8/11/2012 12:44:31 PM - Software Distribution Service 3.0
RP589: 8/12/2012 2:24:53 AM - Software Distribution Service 3.0
RP590: 8/13/2012 2:33:23 AM - System Checkpoint
RP591: 8/13/2012 12:52:55 PM - Software Distribution Service 3.0
RP592: 8/14/2012 4:15:00 PM - System Checkpoint
RP593: 8/15/2012 12:04:35 PM - Software Distribution Service 3.0
RP594: 8/16/2012 2:05:25 AM - Software Distribution Service 3.0
RP595: 8/17/2012 12:32:15 AM - Software Distribution Service 3.0
RP596: 8/18/2012 2:23:00 AM - System Checkpoint
RP597: 8/18/2012 11:44:01 AM - Software Distribution Service 3.0
RP598: 8/19/2012 1:53:52 AM - Software Distribution Service 3.0
RP599: 8/20/2012 2:25:59 AM - System Checkpoint
RP600: 8/20/2012 1:08:52 PM - Software Distribution Service 3.0
RP601: 8/21/2012 5:37:43 PM - System Checkpoint
RP602: 8/22/2012 12:13:49 PM - Software Distribution Service 3.0
RP603: 8/22/2012 10:20:49 PM - Installed Remove Hidden Data Tool
RP604: 8/23/2012 12:21:12 PM - Software Distribution Service 3.0
RP605: 8/24/2012 1:13:27 PM - Software Distribution Service 3.0
RP606: 8/25/2012 3:43:35 PM - System Checkpoint
RP607: 8/26/2012 2:00:48 AM - Software Distribution Service 3.0
RP608: 8/27/2012 9:37:27 AM - Software Distribution Service 3.0
RP609: 8/28/2012 11:25:30 AM - Software Distribution Service 3.0
RP610: 8/29/2012 11:28:41 AM - System Checkpoint
RP611: 8/31/2012 12:34:27 AM - Software Distribution Service 3.0
RP612: 9/1/2012 12:52:16 AM - System Checkpoint
RP613: 9/1/2012 3:02:33 PM - Software Distribution Service 3.0
RP614: 9/2/2012 1:58:05 AM - Software Distribution Service 3.0
RP615: 9/3/2012 2:07:53 AM - System Checkpoint
RP616: 9/3/2012 12:59:42 PM - Software Distribution Service 3.0
RP617: 9/4/2012 2:28:02 PM - System Checkpoint
RP618: 9/5/2012 12:57:00 PM - Software Distribution Service 3.0
RP619: 9/6/2012 3:14:57 PM - System Checkpoint
RP620: 9/7/2012 12:48:57 PM - Software Distribution Service 3.0
RP621: 9/8/2012 2:25:30 PM - Software Distribution Service 3.0
RP622: 9/9/2012 1:51:42 AM - Software Distribution Service 3.0
RP623: 9/10/2012 4:07:30 AM - System Checkpoint
RP624: 9/10/2012 2:53:36 PM - Software Distribution Service 3.0
RP625: 9/11/2012 4:10:04 PM - System Checkpoint
RP626: 9/12/2012 3:00:31 AM - Software Distribution Service 3.0
RP627: 9/12/2012 12:17:06 PM - Software Distribution Service 3.0
RP628: 9/13/2012 2:17:38 PM - Software Distribution Service 3.0
RP629: 9/14/2012 7:25:54 PM - Software Distribution Service 3.0
RP630: 9/15/2012 7:46:52 PM - System Checkpoint
RP631: 9/16/2012 1:37:48 AM - Software Distribution Service 3.0
RP632: 9/17/2012 2:13:00 AM - System Checkpoint
RP633: 9/17/2012 2:18:33 PM - Software Distribution Service 3.0
RP634: 9/18/2012 2:50:35 PM - Software Distribution Service 3.0
RP635: 9/19/2012 3:44:33 PM - System Checkpoint
RP636: 9/20/2012 1:42:25 PM - Software Distribution Service 3.0
RP637: 9/21/2012 2:19:07 PM - Software Distribution Service 3.0
RP638: 9/21/2012 10:26:15 PM - Software Distribution Service 3.0
RP639: 9/22/2012 2:49:21 PM - Software Distribution Service 3.0
RP640: 9/23/2012 2:33:56 AM - Software Distribution Service 3.0
RP641: 9/24/2012 2:49:45 AM - System Checkpoint
RP642: 9/24/2012 2:00:10 PM - Software Distribution Service 3.0
RP643: 9/25/2012 2:43:30 PM - Software Distribution Service 3.0
RP644: 9/26/2012 3:10:26 PM - Software Distribution Service 3.0
RP645: 9/27/2012 9:46:28 PM - System Checkpoint
RP646: 9/28/2012 3:39:21 PM - Software Distribution Service 3.0
RP647: 9/29/2012 4:06:58 PM - System Checkpoint
RP648: 9/30/2012 2:03:27 AM - Software Distribution Service 3.0
RP649: 10/1/2012 2:41:38 AM - System Checkpoint
RP650: 10/1/2012 2:49:27 PM - Software Distribution Service 3.0
RP651: 10/2/2012 3:00:21 AM - Software Distribution Service 3.0
RP652: 10/3/2012 5:34:02 AM - System Checkpoint
RP653: 10/3/2012 6:39:58 PM - Removed JavaFX 2.1.1
RP654: 10/4/2012 6:58:28 PM - System Checkpoint
RP655: 10/5/2012 9:38:24 PM - System Checkpoint
RP656: 10/6/2012 7:23:19 PM - Software Distribution Service 3.0
RP657: 10/7/2012 2:34:10 AM - Software Distribution Service 3.0
RP658: 10/7/2012 3:00:29 AM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
Active@ DVD Eraser v 1.1
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.4)
Brother MFL-Pro Suite
BurnAware Free 5.2
Compatibility Pack for the 2007 Office system
Conexant SmartHSFi V92 56K DF PCI Modem
Coupon Printer for Windows
Dell ResourceCD
ESET Online Scanner v3
Exact Audio Copy 1.0beta2
foobar2000 v1.1.7
FREE Hi-Q Recorder 1.92
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB981793)
Intel® PRO Ethernet Adapter and Software
Java 7 Update 7
Java Auto Updater
Living Trust Forms
Malwarebytes Anti-Malware version 1.65.0.1400
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Word 2002
Microsoft Works 2003 Setup Launcher
Microsoft Works 7.0
Microsoft Works Suite Add-in for Microsoft Word
Mozilla Firefox 15.0.1 (x86 en-US)
Mozilla Maintenance Service
Nero
NVIDIA Display Driver
NVIDIA Windows 2000/XP Display Drivers
PaperPort
Remove Hidden Data Tool
Secunia PSI (3.0.0.4001)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2709162)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135)
Security Update for Windows XP (KB2731847)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
SMC Connection Manager
SoulSeek 157 NS 13e
SoundMAX
SugarSync Manager
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2718704)
Update for Windows XP (KB2736233)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VLC media player 2.0.2
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR 4.01 (32-bit)
Works Suite OS Pack
Yontoo Layers Runtime 1.10.01
.
==== End Of File ===========================

#12 KarstenHansen

KarstenHansen

    The Dane


  • Members
  • 1,868 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:27 AM

Posted 08 October 2012 - 09:11 AM

Hi orangegrease :)
First off, before I can give you the good news, I need us to uninstall a program. Please do the following:

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please double-click the "Add or Remove Programs" icon.
A list of programs installed will be "populated" this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

Yontoo Layers Runtime 1.10.01

Additional instructions can be found here if needed.


I have very good news for you. :thumbsup:

Your machine appears clean!

Are you having any additional problems at this point? If so, please let me know. Otherwise feel free to enjoy use of your repaired machine after this little cleanup :thumbsup:

Let's do some housekeeping

We Need to Clean Up our Mess
Our work on your machine has left considerable leftovers on your box. Let's clean those up real quick:
Please do the following to delete ComboFix:

  • Press windows key + r on your keyboard at the same time
  • Type combofix /uninstall and press enter.


This will remove Combofix and other tools we used from your computer.

NEXT

I recommend you regularly visit the Windows Update Site .
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • By updating your machine, you have one less headache!
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates, here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
  • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates separately at: http://windowsupdate.microsoft.com.
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


The most common cause of an infected machine is the Trojan Horse, or programs which appear to be legitimate but which contain malicious payloads, or which are simply malicious in and of themselves. No antivirus, firewall, host-based intrusion prevention system (HIPS), or other security software can fully protect you against this kind of attack. The best way to protect yourself is not to run email attachments from untrusted sources, and avoid software downloaded from the internet wherever possible. Remember, when you run an application, you are giving that application permission to do to your machine anything you can do to the machine, including create, modify, or destroy files or other data. In the Windows (and most other systems', such as Unix) security model, applications don't have privileges, users do.

That should be fine for the majority of users. However, if you absolutely want additional protection, consider one or more of the following products:
If you want more information on methods malware use to infect your computer, consider browsing our How did I get infected? topic.

Now if you have more of our programs on your desktop, you can just right-click on them and choose to delete them. Thanks for good cooperation, you have been a good help in helping me to double-check your own cleanup. I have enjoyed this. :thumbsup:

Edited by KarstenHansen, 08 October 2012 - 09:15 AM.


#13 orangegrease

orangegrease
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:10:27 PM

Posted 08 October 2012 - 05:18 PM

That's great news! Thank you. When I try to uninstall Yontoo I get a box with "Tarma Installer" in the blue top border with "Setup initialization error" as the message. When I click the "OK" rectangle, it closes the box. Not sure what to do now. I looked it up and saw a recommendation to reinstall and then uninstall:

http://answers.yahoo.com/question/index?qid=20111218231258AAOkImb

The Microsoft Security Essentials icon in the status bar does not seem to be "spinning" a lot like it was before. In fact, I have not noticed it "spin" once. However, when Security Essentials is opened, the "History" page always shows a huge number of Trojan:JS/Medfos.B detected items, alert level "severe", action taken "quarantined". The "date" is whenever I open the History page. It says "recommended action: remove this software immediately". Before you helped me, I "removed all" of the detected items, but have not since. Don't know if this showing up in history is significant or if I should remove the detections.



When I was researching zeroaccess, I saw this tool:

http://www.mcafee.com/us/downloads/free-tools/how-to-use-rootkitremover.aspx?ClickID=bsf1kuv1unssd6q6qufgudlsqlgnvfngvqvs

Do you think that is worth running or might that mess things up?


Secunia PSI is detecting:

Microsoft® Windows® Malicious Software Removal Tool (KB890830)

This tool checks your computer for infection by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps to remove the infection if it is found. Microsoft will release an updated version of this tool on the second Tuesday of each month.




When I was looking at the above, I also saw this:

This troubleshooter: "Diagnose and fix Windows security problems automatically" may automatically fix your problem.

This troubleshooter fixes many different problems. Run now



Do you think either or both of these Microsoft things are worth running now or from time to time in the future?


Thanks for the additional protection tips. I am going to check those out. I saw some stuff about PrevX and Webroot Security Essentials and apparently those can run at same time as Malwarebytes Pro.

#14 KarstenHansen

KarstenHansen

    The Dane


  • Members
  • 1,868 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:27 AM

Posted 09 October 2012 - 08:29 AM

Hi orangegrease :)

Step 1: Okay, let us start by removing the history in MSE. Please do the following:
  • Open Microsoft Security Essentials.
  • Press and thereby enter the tab History.
  • At the bottom please press the REMOVE ALL button.
  • Let windows reboot if it needs to. Good job.
Step 2: We can use AdwCleaner to remove the Yontoo program, please follow this:

Please download AdwCleaner by Xplode onto your desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[R1].txt as well.
Step 3: Secunia explanation

Secunia PSI is detecting:

Microsoft® Windows® Malicious Software Removal Tool (KB890830)

This tool checks your computer for infection by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps to remove the infection if it is found. Microsoft will release an updated version of this tool on the second Tuesday of each month.

What this is telling you is that the tool, Microsoft® Windows® Malicious Software Removal Tool, needs to be updated to the newest version. This is not an antivirus program but a program that helps you to have all or most of your programs updated to the newest possible update.

Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup:
  • Did you remove the Microsoft Security Essentials history and how did it go?
  • AdwCleaner log


#15 orangegrease

orangegrease
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:10:27 PM

Posted 09 October 2012 - 05:18 PM

Before on the Security Essentials, I would check the boxes. This time I did not and just clicked "remove". Restarted Windows and clicked History and there was NOTHING. :)




ADWCLEANER (I was not sure if I should then hit "delete" after the scan so I did not. Please let me know.) Here is the log:



# AdwCleaner v2.004 - Logfile created 10/09/2012 at 14:26:40
# Updated 06/10/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Minion - MINION-9XHIN6NB
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Minion\My Documents\Downloads\AdwCleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

File Found : C:\Documents and Settings\Minion\Desktop\Free Dolphin Screensaver.lnk
Folder Found : C:\Documents and Settings\All Users\Application Data\Tarma Installer
Folder Found : C:\Program Files\Free Offers from Freeze.com

***** [Registry] *****

Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Found : HKCU\Software\Softonic
Key Found : HKLM\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}
Key Found : HKLM\SOFTWARE\Classes\AppID\YontooIEClient.DLL
Key Found : HKLM\SOFTWARE\Classes\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{FE9271F2-6EFD-44B0-A826-84C829536E93}
Key Found : HKLM\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
Key Found : HKLM\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}
Key Found : HKLM\SOFTWARE\Classes\YontooIEClient.Api
Key Found : HKLM\SOFTWARE\Classes\YontooIEClient.Api.1
Key Found : HKLM\Software\Freeze.com
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
Key Found : HKU\S-1-5-21-1390067357-1085031214-839522115-1004\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v15.0.1 (en-US)

Profile name : default
File : C:\Documents and Settings\Minion\Application Data\Mozilla\Firefox\Profiles\zs0f5b4v.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [2687 octets] - [09/10/2012 14:26:41]

########## EOF - C:\AdwCleaner[R1].txt - [2747 octets] ##########

Bravo, Karsten!


I was going to try that Microsoft Malicious Software Removal Tool after it updated but did not know what program to choose in order to open it. Not sure if it is supposed to be that way or not. It says "Type: File" when I put the cursor over the file.
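As an added example (not from the thread and not AdwCleaner's own code), a small parser for the AdwCleaner search report format posted above: it collects every "Found" line under its section header, counts findings per section, and attributes each path to an adware family by keyword so the log can be read at a glance. The log text is constructed from the format shown and the family keyword list is an assumed label set.

```python
"""Parse an AdwCleaner search report and summarise its findings per section and
per adware family. Added example, not from the thread or from AdwCleaner; the log
text is constructed and the family keywords are assumed labels."""
import re
from collections import Counter

# Constructed sample in the AdwCleaner[R1].txt format shown in the thread.
SAMPLE_LOG = """\
# AdwCleaner v2.004 - Logfile created 10/09/2012 at 14:26:40
***** [Files / Folders] *****

File Found : C:\\Documents and Settings\\Minion\\Desktop\\Free Dolphin Screensaver.lnk
Folder Found : C:\\Documents and Settings\\All Users\\Application Data\\Tarma Installer
Folder Found : C:\\Program Files\\Free Offers from Freeze.com

***** [Registry] *****

Key Found : HKCU\\Software\\Softonic
Key Found : HKLM\\SOFTWARE\\Classes\\AppID\\YontooIEClient.DLL
Key Found : HKLM\\SOFTWARE\\Classes\\YontooIEClient.Api
Key Found : HKLM\\Software\\Freeze.com
Key Found : HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
"""

# A finding line looks like "Key Found : HKLM\\Software\\Freeze.com".
FINDING_RE = re.compile(r"^(File|Folder|Key|Value) Found : (.+)$")
SECTION_RE = re.compile(r"^\*{5} \[(.+?)\] \*{5}$")

def parse_findings(text):
    """Return (section, kind, path) tuples for every 'Found' line in the report."""
    section, findings = None, []
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)  # e.g. "Registry"
            continue
        m = FINDING_RE.match(line)
        if m and section:
            findings.append((section, m.group(1), m.group(2)))
    return findings

def summarise(findings, families=("Yontoo", "Freeze.com", "Softonic", "Tarma")):
    """Count findings per report section and attribute each path to a family by keyword."""
    per_section = Counter(section for section, _, _ in findings)
    per_family = Counter()
    for _, _, path in findings:
        hit = next((f for f in families if f.lower() in path.lower()), "unattributed")
        per_family[hit] += 1
    return per_section, per_family
```

Entries that match no keyword land in "unattributed", which is where a reviewer should look first, since the unattributed lines in a real report are the ones the keyword list does not yet explain.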
