
FBI MoneyPak Virus - Tidbit of Information


5 replies to this topic

#1 Alamo-Girl (Members, 4 posts)

Posted 09 October 2012 - 10:14 PM

About three days ago my husband's Dell Windows XP system picked up the notorious FBI $200 ransom virus. The system froze on that screen when he went in under his user name but did not when going in under my user name.

I rebooted in Safe Mode and ran scans I've read about here on BleepingComputer: TDSSKiller, aswMBR, ESET, MalwareBytes, EmsiSoft.

MalwareBytes found it each time, but when rebooting normally to his user name, the FBI ransom virus would come right back and freeze on that screen.

I noticed that each time it came back, it had recreated a directory called "HelloMoto" with two files (as I recall). Each time I'd forcefully delete the files and directory. And each time after rebooting it normally, it'd come back again along with the FBI screen.

Obviously, the virus was being reloaded either in startup or shutdown - so with considerable trepidation, I browsed the registry using regedit (after first exporting it just in case I made a mistake.)

I discovered a seemingly out-of-place filename in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: c:\Documents and Settings\my husbands user name\Local Settings\Application Data\Microsoft\Windows\3182\simpdata.exe

The path looked out of whack compared to everything else in that registry entry, and the name "simpdata.exe" didn't seem right. I searched around and found several simpdata.tlb but only this confusingly similar one ending in ".exe".

So even knowing that changing the registry manually can have unintended consequences and I would NEVER suggest anyone else do it --- I decided it was worth the risk, took a chance, renamed the file and deleted that entry from the registry.

Poof, the virus was gone and didn't come back after many normal reboots.

Exactly what happened I don't know. And I can't say what the scanning software did that made this anomaly come to light.

But since you're the experts and have always been so very helpful to me, I wanted to pass this along in case there is anything here that might help someone else.

Alamo-Girl
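One way to turn the observation in this post into a repeatable check, as an added example that is not part of the original thread: a small Python script that parses the Run-key section of a ComboFix-style "Reg Loading Points" listing and flags entries launched from inside a user profile, from a Temp folder, or from a directory whose name is just a number. The log text is constructed; the simpdata.exe path mirrors the one described above with a placeholder user name, and the value name "simpdata" is a made-up placeholder since the post does not give it.

```python
"""Flag Run-key autostart entries that point into a user profile.

Added example (not from the thread or from ComboFix): parses the
REGEDIT4-style "Reg Loading Points" section that ComboFix prints and
gives each Run value a list of reasons it deserves a closer look.
"""
import re

# Matches lines such as [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
RUN_KEY_RE = re.compile(r"^\[HKEY_[A-Z_]+\\.*\\CurrentVersion\\Run\]$", re.IGNORECASE)

# Matches "name"="path" [date size]; the bracketed part is optional.
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)"(?:\s+\[(?P<meta>[^\]]*)\])?$')

# Locations a legitimate machine-wide Run entry rarely points to on XP.
PROFILE_PATTERNS = [
    (re.compile(r"\\documents and settings\\[^\\]+\\local settings\\application data\\", re.I),
     "runs from per-user Local Settings\\Application Data"),
    (re.compile(r"\\documents and settings\\[^\\]+\\application data\\", re.I),
     "runs from per-user Application Data"),
    (re.compile(r"\\(?:local settings\\)?temp\\", re.I),
     "runs from a Temp directory"),
]

# A path component that is only digits, like the \3182\ in the post.
NUMERIC_DIR_RE = re.compile(r"\\\d{3,}\\")

# Constructed sample in the same layout ComboFix uses. The simpdata line
# mirrors the post's path with a placeholder user name; USERNAME and the
# value name "simpdata" are placeholders, not values from the thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-22 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"simpdata"="c:\documents and settings\USERNAME\Local Settings\Application Data\Microsoft\Windows\3182\simpdata.exe"
"EPSON Stylus C88 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE" [2005-01-27 98304]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"""


def parse_run_entries(log_text):
    """Return (key, name, path, meta) for every value listed under a *\\Run key."""
    entries = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # Only track values while we are inside a Run key.
            current_key = line[1:-1] if RUN_KEY_RE.match(line) else None
            continue
        if current_key is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append((current_key, m.group("name"), m.group("path"), m.group("meta")))
    return entries


def score_entry(key, name, path, meta):
    """Heuristic reasons an autostart entry deserves a closer look (may be empty)."""
    reasons = []
    for pattern, why in PROFILE_PATTERNS:
        if pattern.search(path):
            reasons.append(why)
            if key.upper().startswith("HKEY_LOCAL_MACHINE"):
                # A machine-wide key launching something from one user's
                # profile is the exact shape described in the post.
                reasons.append("machine-wide Run key launching a per-user path")
            break
    if NUMERIC_DIR_RE.search(path):
        reasons.append("parent directory name is a bare number")
    return reasons


def find_suspicious(log_text):
    """Return [(key, name, path, reasons)] for entries with at least one reason."""
    flagged = []
    for key, name, path, meta in parse_run_entries(log_text):
        reasons = score_entry(key, name, path, meta)
        if reasons:
            flagged.append((key, name, path, reasons))
    return flagged


if __name__ == "__main__":
    for key, name, path, reasons in find_suspicious(SAMPLE_LOG):
        print(f"{key}\n  {name} = {path}\n  -> " + "; ".join(reasons))
```

Feeding the same function the "Reg Loading Points" section of a real ComboFix log is enough to surface entries shaped like the one in this post; the legitimate EPSON entry with its single-digit spooler directory is deliberately included to show it is not flagged.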


#2 nasdaq (Malware Response Team, 38,948 posts, Montreal, QC, Canada)

Posted 11 October 2012 - 10:36 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

I suggest you run these tools and make sure all traces of this infection are removed.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Close any open browsers, and all other programs working. Make sure you save your file if working on a document.
  • Do not install any other programs until this is fixed.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third-party programs, if not up to date, can be the cause of infiltration and infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please download AdwCleaner by Xplode onto your Desktop.

  • Please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with OK.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.
===

Please post the logs and let me know if the problem persists.

#3 Alamo-Girl (Topic Starter, Members, 4 posts)

Posted 12 October 2012 - 02:41 PM

Here are the logs you requested:

ComboFix 12-10-12.01 - John Venable 10/12/2012 13:30:39.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.450 [GMT -5:00]
Running from: c:\documents and settings\John Venable\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\data
c:\data\l4d01b4rsrv_o\us_sres.data
c:\documents and settings\All Users\Application Data\19849012
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Desktop\Internet Security.lnk
c:\documents and settings\John Venable\Application Data\Mozilla\Firefox\Profiles\j9r06ok1.default\searchplugins\bing-zugo.xml
c:\documents and settings\John Venable\Local Settings\Application Data\assembly\tmp
c:\documents and settings\John Venable\WINDOWS
c:\documents and settings\Nokia Pics\20110202
c:\documents and settings\Nokia Pics\20110202\Image0087.jpg
c:\program files\CouponAlert_2pEI
c:\program files\INSTALL.LOG
c:\program files\LP
c:\program files\LP\8304\180.tmp
c:\program files\LP\8304\25C.tmp
c:\program files\LP\8304\25D.tmp
c:\program files\LP\8304\25E.tmp
c:\program files\Mozilla Firefox\searchplugins\search.xml
c:\program files\SelectRebates
c:\windows\EventSystem.log
c:\windows\system32\BSTIEPrintCtl1.dll
c:\windows\system32\roboot.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
F:\Autorun.inf
F:\install.exe
F:\Setup.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_COUPONALERT_2PSERVICE
.
.
((((((((((((((((((((((((( Files Created from 2012-09-12 to 2012-10-12 )))))))))))))))))))))))))))))))
.
.
2012-10-09 22:17 . 2012-10-09 22:36 -------- d-----w- c:\documents and settings\John Venable\Application Data\Nico Mak Computing
2012-10-09 03:10 . 2012-10-09 03:24 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2012-10-08 03:26 . 2012-10-08 03:26 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2012-10-07 15:22 . 2012-10-07 15:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-10-07 15:03 . 2012-10-07 15:03 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-09 13:06 . 2012-06-14 08:14 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-09 13:06 . 2011-05-19 14:34 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-07 22:04 . 2011-04-20 21:41 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-28 15:14 . 2005-08-16 09:18 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14 . 2005-08-16 09:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14 . 2005-08-16 09:18 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07 . 2005-08-16 09:18 385024 ----a-w- c:\windows\system32\html.iec
2012-08-24 13:53 . 2005-08-16 09:18 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-08-21 13:33 . 2005-08-16 09:18 2148864 ------w- c:\windows\system32\ntoskrnl.exe
2012-08-21 12:58 . 2004-08-04 03:59 2027520 ------w- c:\windows\system32\ntkrnlpa.exe
2012-07-28 11:04 . 2008-02-25 19:11 230840 ----a-r- c:\windows\system32\cpnprt2.cid
2012-04-26 17:23 . 2012-04-26 17:23 437 ----a-w- c:\program files\0426201212234919.bat
2001-11-05 14:30 . 2006-09-11 21:12 165376 ----a-w- c:\program files\UNWISE.EXE
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn0\yt.dll" [2012-03-21 1523512]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-22 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-13 1117184]
"EPSON Stylus C88 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE" [2005-01-27 98304]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"EPSON Stylus C88 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE" [2005-01-27 98304]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2012-06-05 296056]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"EPSON Stylus C88 Series (Copy 2)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE" [2005-01-27 98304]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\John Venable\Start Menu\Programs\Startup\
Event Reminder.lnk - c:\pmw\PMREMIND.EXE [1997-10-24 255408]
Microsoft Works Calendar Reminders.lnk - c:\program files\MSWorks\Calendar\WKCALREM.EXE [1998-7-21 68368]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Quicken Startup.lnk - c:\quickenw\QWDLLS.EXE [2006-9-3 27136]
TotalMedia Backup Monitor.lnk - c:\program files\ArcSoft\Software Suite\TotalMedia Backup & Record\uBBMonitor.exe [2010-4-20 266240]
ZyXEL G-220v3 Wireless USB Adapter Utility.lnk - c:\program files\ZyXEL G-220v3 Wireless USB Adapter Utility\ZyXEL G-220v3.exe [2009-4-28 10792960]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [3/28/2011 8:32 PM 53816]
R1 A2DDA;A2 Direct Disk Access Support Driver;c:\documents and settings\John Venable\Desktop\emsisoftemergencykit\Run\a2ddax86.sys [10/8/2012 6:37 AM 17904]
R1 RapportCerberus_25973;RapportCerberus_25973;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys [4/13/2011 4:37 AM 57144]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [3/28/2011 8:32 PM 66360]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [3/28/2011 8:32 PM 158904]
R3 CXFALCON;Conexant Falcon Video Capture;c:\windows\system32\drivers\cxfalcon.sys [9/3/2006 1:07 PM 101632]
R3 ZG760_XP;ZyXEL 802.11g XG762 1211 Driver;c:\windows\system32\drivers\WlanGZXP.SYS [4/28/2009 5:19 PM 735232]
S1 MpKsl043b1a4e;MpKsl043b1a4e; [x]
S1 MpKsl23abff07;MpKsl23abff07; [x]
S1 MpKsl268ea0a4;MpKsl268ea0a4; [x]
S1 MpKsl47633ee4;MpKsl47633ee4; [x]
S1 MpKsl56f33640;MpKsl56f33640; [x]
S1 MpKsl76efe338;MpKsl76efe338; [x]
S1 MpKsl78d4fca6;MpKsl78d4fca6; [x]
S1 MpKsl7a924756;MpKsl7a924756; [x]
S1 MpKsl87297323;MpKsl87297323; [x]
S1 MpKsla4606813;MpKsla4606813; [x]
S1 MpKsla73b70df;MpKsla73b70df; [x]
S1 MpKsldfad2942;MpKsldfad2942; [x]
S1 MpKsle639eb46;MpKsle639eb46; [x]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [6/14/2012 3:14 AM 250808]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2010 3:13 PM 135664]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2010 3:13 PM 135664]
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-12 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-14 13:06]
.
2012-10-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2012-10-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 20:13]
.
2012-10-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 20:13]
.
2012-10-11 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2009-01-13 14:59]
.
2012-10-11 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2010-04-06 21:30]
.
2012-10-12 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-13 14:59]
.
2012-10-12 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3486443039-1947873220-3481591297-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-04-30 23:21]
.
2012-10-12 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3486443039-1947873220-3481591297-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-04-30 23:21]
.
2012-10-11 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3486443039-1947873220-3481591297-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-04-30 23:21]
.
2012-10-07 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3486443039-1947873220-3481591297-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-04-30 23:21]
.
2012-10-12 c:\windows\Tasks\ReclaimerUpdateFiles_John Venable.job
- c:\documents and settings\John Venable\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.20\agent\rnupgagent.exe [2012-09-22 09:02]
.
2012-10-12 c:\windows\Tasks\ReclaimerUpdateXML_John Venable.job
- c:\documents and settings\John Venable\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.20\agent\rnupgagent.exe [2012-09-22 09:02]
.
2012-10-12 c:\windows\Tasks\RNUpgradeHelperLogonPrompt_John Venable.job
- c:\documents and settings\John Venable\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.20\agent\rnupgagent.exe [2012-09-22 09:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.excite.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
TCP: DhcpNameServer = 24.245.95.11 24.245.95.17 12.25.244.11
DPF: {C111A91F-D4EC-4D22-8D27-C3BCB0389F43} - hxxp://webcam.prejeans.com/activex/AMC.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://webcam.prejeans.com/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\John Venable\Application Data\Mozilla\Firefox\Profiles\j9r06ok1.default\
FF - prefs.js: browser.search.selectedEngine - Blekko
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 63798
FF - prefs.js: network.proxy.type - 1
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Oberon GamesBar: gamesbar@oberon-media.com - %profile%\extensions\gamesbar@oberon-media.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: PC Sync 2 Synchronisation Extension: bkmrksync@nokia.com - c:\program files\Nokia\Nokia PC Suite 7\bkmrksync
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: extentions.y2layers.installId - 49bfa4d7-3925-43a6-b477-1a9f1b2d628c
FF - user.js: extentions.y2layers.defaultEnableAppsList - Buzzdock,Buzzdock,
FF - user.js: extensions.autoDisableScopes - 14
FF - user.js: security.csp.enable - false
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{f15ff29f-85a1-43cd-9674-e5ba40016c97} - c:\program files\DailyBibleGuide\bar\2.bin\2vSrcAs.dll
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
HKCU-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
HKLM-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-12 14:05
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3496)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng-us.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\program files\ArcSoft\Software Suite\PhotoImpression\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\windows\system32\E_S00RP1.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Visioneer\OneTouch 4.0\OtService.exe
c:\windows\system32\PSIService.exe
c:\windows\system32\SAgent4.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\program files\Visioneer\OneTouch 4.0\OtMonEx.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2012-10-12 14:15:09 - machine was rebooted
ComboFix-quarantined-files.txt 2012-10-12 19:15
.
Pre-Run: 69,058,535,424 bytes free
Post-Run: 72,734,273,536 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - CE376C595F62FE9DA586C95217400A43


Results of screen317's Security Check version 0.99.51
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
SUPERAntiSpyware Free Edition
Malwarebytes Anti-Malware version 1.65.0.1400
Java™ 6 Update 31
Java version out of Date!
Adobe Flash Player 10 Flash Player out of Date!
Adobe Reader 8 Adobe Reader out of Date!
Mozilla Firefox (3.6.12) Firefox out of Date!
Google Chrome 21.0.1180.83
Google Chrome 21.0.1180.89
Google Chrome 22.0.1229.79
Google Chrome 22.0.1229.92
Google Chrome 22.0.1229.94
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 16% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````


# AdwCleaner v2.004 - Logfile created 10/12/2012 at 14:27:04
# Updated 06/10/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : John Venable - JCV
# Boot Mode : Normal
# Running from : C:\Documents and Settings\John Venable\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\Documents and Settings\John Venable\Application Data\Mozilla\Firefox\Profiles\j9r06ok1.default\searchplugins\CouponAlert_2p.xml
File Deleted : C:\Program Files\Mozilla Firefox\.autoreg
File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml
Folder Deleted : C:\Documents and Settings\All Users\Application Data\blekko toolbars
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Tarma Installer
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Trymedia
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Viewpoint
Folder Deleted : C:\Documents and Settings\All Users\Application Data\WeCareReminder
Folder Deleted : C:\Documents and Settings\John Venable\Application Data\Mozilla\Firefox\Profiles\j9r06ok1.default\extensions\plugin@yontoo.com
Folder Deleted : C:\Documents and Settings\John Venable\Application Data\Viewpoint
Folder Deleted : C:\Documents and Settings\John Venable\Local Settings\Application Data\Ilivid Player
Folder Deleted : C:\Program Files\vGrabber
Folder Deleted : C:\Program Files\Yontoo

***** [Registry] *****

Key Deleted : HKCU\Software\Babylon
Key Deleted : HKCU\Software\Headlight
Key Deleted : HKCU\Software\IGearSettings
Key Deleted : HKCU\Software\ilivid
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{201F27D4-3704-41D6-89C1-AA35E39143ED}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3041D03E-FD4B-44E0-B742-2D9B88305F98}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{B0DE3308-5D5A-470D-81B9-634FC078393B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0702A2B6-13AA-4090-9E01-BCDC85DD933F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{201F27D4-3704-41D6-89C1-AA35E39143ED}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3041D03E-FD4B-44E0-B742-2D9B88305F98}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B0DE3308-5D5A-470D-81B9-634FC078393B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\wecarereminder
Key Deleted : HKLM\Software\AskBarDis
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\YontooIEClient.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{13119113-0854-469D-807A-171568457991}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{33119133-0854-469D-807A-171568457991}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7E84186E-B5DE-4226-8A66-6E49C6B511B4}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FE9271F2-6EFD-44B0-A826-84C829536E93}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{0F1794F2-900B-4C81-8146-9234E5CC5BE2}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{23119123-0854-469D-807A-171568457991}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{58E64AEE-516A-4DFC-AC38-31C50E8AF0F1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{5F701D7D-C869-41F0-B0E2-8136F02B539C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6BDA50D2-5597-4C68-A842-9B857FCCDA49}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6CA3D0AB-F807-462C-BA7F-E27F07F91E32}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6F99D2AE-5C90-43C2-A2FE-81DBE512E2FC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{8997561D-CF0B-42C7-AAE6-78801B3ADC7F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{92580E8C-88F5-4551-9D9E-8147E7EE2C32}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A786F51D-B3C7-4F52-91EF-E1A892C2A2AE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D8AF87C1-0B1E-494B-AAF0-CECC3FFEDF99}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DAFC4DAE-7794-4E16-9A98-F6001303DCD0}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EAB77009-B974-48DF-8229-E70CFAA11C69}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EBAA6283-B61F-4DDD-9659-56635433A307}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EFB0C189-5077-4340-9838-AF7B8E792A54}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EFB4F034-3EB5-48D5-84DD-89BBCF9A182F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F9D45087-1CF1-452E-9649-FDFDAC578E03}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FF2EBC1C-6579-41DB-91DD-945A1C8DB2D2}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{03119103-0854-469D-807A-171568457991}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Api
Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Api.1
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2AF08E71-3657-462F-898C-F7E791948F94}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{56965DCF-718F-4148-BECF-5A2B466F4556}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6F99D2AE-5C90-43C2-A2FE-81DBE512E2FC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7225F6C9-CF64-4D6D-AE8A-169779FD7B4D}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\CouponAlert_2pbar Uninstall
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
Key Deleted : HKLM\Software\Viewpoint
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow [*.crossrider.com]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v3.6.12 (en-US)

Profile name : default
File : C:\Documents and Settings\John Venable\Application Data\Mozilla\Firefox\Profiles\j9r06ok1.default\prefs.js

C:\Documents and Settings\John Venable\Application Data\Mozilla\Firefox\Profiles\j9r06ok1.default\user.js ... Deleted !

Deleted : user_pref("browser.search.defaultenginename", "Blekko");
Deleted : user_pref("browser.search.order.1", "Blekko");
Deleted : user_pref("browser.search.selectedEngine", "Blekko");

Profile name : default
File : C:\Documents and Settings\Sandi Venable.JCV\Application Data\Mozilla\Firefox\Profiles\5h3z92pe.default\prefs.js

Deleted : user_pref("extensions.toolbar.mindspark._2vMembers_.homepage", "hxxp://home.mywebsearch.com/index.jh[...]

-\\ Google Chrome v [Unable to get version]

File : C:\Documents and Settings\John Venable\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

Deleted [l.15] : homepage = "hxxp://blekko.com/ws/?source=c3348dd4&toolbarid=blekkotb_031&u=C937EA3F38E5FE4A073B504FF59A142D&tbp=homepage",
Deleted [l.19] : urls_to_restore_on_startup = [ "hxxp://blekko.com/ws/?source=c3348dd4&toolbarid=blekkotb_031&u=C937EA3F38E5FE4A073B504FF59A142D&tbp=homepage", "hxxp://isearch.avg.com/?cid={7F5D12C1-86F7-479B-8E51-FEAC02BD0BED}&mid=5712e2c6edcc47d08188d1508d107bc1-3f091e806f0237a81c24546730e62641d17d9493&lang=en&ds=ts025&pr=sa&d=2012-06-21 10:32:56&v=11.1.0.7&sap=hp" ]
Deleted [l.68] : keyword = "blekko",
Deleted [l.71] : search_url = "hxxp://blekko.com/ws/?source=c3348dd4&tbp=rbox&toolbarid=blekkotb_031&u=C937EA3F38E5FE4A073B504FF59A142D&q={searchTerms}",
Deleted [l.1351] : homepage = "hxxp://blekko.com/ws/?source=c3348dd4&toolbarid=blekkotb_031&u=C937EA3F38E5FE4A073B504FF59A142D&tbp=homepage",
Deleted [l.1771] : urls_to_restore_on_startup = [ "hxxp://blekko.com/ws/?source=c3348dd4&toolbarid=blekkotb_031&u=C937EA3F38E5FE4A073B504FF59A142D&tbp=homepage", "hxxp://isearch.avg.com/?cid={7F5D12C1-86F7-479B-8E51-FEAC02BD0BED}&mid=5712e2c6edcc47d08188d1508d107bc1-3f091e806f0237a81c24546730e62641d17d9493&lang=en&ds=ts025&pr=sa&d=2012-06-21 10:32:56&v=11.1.0.7&sap=hp" ]

*************************

AdwCleaner[S1].txt - [11210 octets] - [12/10/2012 14:27:04]

########## EOF - C:\AdwCleaner[S1].txt - [11271 octets] ##########


The FBI Moneypak Virus has not returned. However, my husband got a suspicious window earlier today saying that Microsoft has three updates and asking whether he wanted to install them. I told him to X because I did not get an auto-update last night. We are both XP.

Thank you for your assistance,

Alamo-Girl

#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,948 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:03 PM

Posted 13 October 2012 - 09:10 AM

That was a good cleanup.

Open notepad and copy/paste the text in the quote box below into it:


Driver::
MpKsl043b1a4e
MpKsl23abff07
MpKsl268ea0a4
MpKsl47633ee4
MpKsl56f33640
MpKsl76efe338
MpKsl78d4fca6
MpKsl7a924756
MpKsl87297323
MpKsla4606813
MpKsla73b70df
MpKsldfad2942
MpKsle639eb46

ClearJavaCache::


Save this as CFScript.txt on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
===

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 31


===

Critical vulnerabilities have been identified in Adobe Flash Player v11.3.300.264 and earlier versions... being exploited in the wild in active targeted attacks...

Get the latest Flash Player

On the top of the page you will be given an opportunity to download the version for your operating system.
Make sure you select appropriate version.

You will also have an option to install the Free! McAfee Security Scan Plus. Un-check the box if you are NOT using McAfee's virus protection software.

For the users of Internet Explorer download version 11.
Flash Player 11 (64 bit)
Flash Player 11 (32 bit)
===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before you download I suggest you uncheck the box on the top right "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.

===

Do a manual Windows update for your XP.
Download and install the important updates.

http://www.ehow.com/how_4867579_install-windows-updates-manually.html
===

C:: 16% Defragment your hard drive soon!
This may take some time. Do it when you know you will not need the computer for a few hours.

===
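The update advice above quotes an affected-version ceiling for Flash (v11.3.300.264 and earlier) and names the installed Java as 6 Update 31. As an added example, not part of the thread and not code from any of the tools used in it, the Python below normalises the version spellings these logs use (Java "6 Update 31", a FlashUtil32_11_4_402_287 file name, a plain dotted string) into integer tuples and compares them numerically, because comparing "11.10" with "11.9" as strings gives the wrong answer. Applied to the ComboFix log posted in the next reply, the FlashUtil32_11_4_402_287 ActiveX control is above the Flash ceiling quoted here; the NPAPI plug-in Firefox uses is installed and versioned separately, so that says nothing about it. Treating Java 6 Update 31 as its own ceiling is an assumption made for illustration, since the post only says it is outdated.

```python
import re
from typing import Tuple

# Ceilings taken from the post above. The Flash figure is the one quoted;
# using Java "6 Update 31" itself as the Java ceiling is an assumption for
# this example, since the post only says that version is outdated.
ADVISORY_CEILINGS = {
    "flash": "11.3.300.264",
    "java": "1.6.0_31",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn the version spellings that show up in these logs into an int tuple."""
    t = text.strip().lower()
    m = re.match(r"java(?:\(tm\)|™)?\s*(\d+)\s*update\s*(\d+)", t)
    if m:  # "Java(TM) 6 Update 31" is the JRE 1.6.0_31 line
        return (1, int(m.group(1)), 0, int(m.group(2)))
    m = re.search(r"flashutil\d+_(\d+(?:_\d+)+)", t)
    if m:  # FlashUtil32_11_4_402_287_ActiveX.exe: skip the "32" bitness prefix
        return tuple(int(x) for x in m.group(1).split("_"))
    m = re.search(r"\d+(?:[._]\d+)+", t)  # 11.3.300.264, 1.6.0_31, v3.6.12
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(x) for x in re.split(r"[._]", m.group(0)))


def is_at_or_below(installed: str, ceiling: str) -> bool:
    """True when `installed` falls in the affected range "ceiling and earlier"."""
    a, b = parse_version(installed), parse_version(ceiling)
    n = max(len(a), len(b))  # pad so 11.3 compares as 11.3.0.0, not as shorter
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a <= b


def affected(product: str, installed: str) -> bool:
    """Is the installed build at or below the advisory ceiling for `product`?"""
    return is_at_or_below(installed, ADVISORY_CEILINGS[product])


if __name__ == "__main__":
    for product, installed in [("flash", "FlashUtil32_11_4_402_287_ActiveX.exe"),
                               ("java", "Java(TM) 6 Update 31")]:
        verdict = "update" if affected(product, installed) else "above advisory ceiling"
        print(f"{product}: {installed} -> {verdict}")
```

The comparison is only as good as the ceiling you feed it; a vendor's "and earlier" wording maps onto `is_at_or_below`, while a fixed-in version would need the strict form.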

#5 Alamo-Girl

Alamo-Girl
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:03 PM

Posted 13 October 2012 - 10:45 PM

Here's the log you requested:

ComboFix 12-10-13.04 - John Venable 10/13/2012 22:12:44.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.421 [GMT -5:00]
Running from: c:\documents and settings\John Venable\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\John Venable\Desktop\CFScript..txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MPKSL043B1A4E
-------\Legacy_MPKSL23ABFF07
-------\Legacy_MPKSL268EA0A4
-------\Legacy_MPKSL47633EE4
-------\Legacy_MPKSL56F33640
-------\Legacy_MPKSL76EFE338
-------\Legacy_MPKSL78D4FCA6
-------\Legacy_MPKSL7A924756
-------\Legacy_MPKSL87297323
-------\Legacy_MPKSLA4606813
-------\Legacy_MPKSLA73B70DF
-------\Legacy_MPKSLDFAD2942
-------\Legacy_MPKSLE639EB46
-------\Service_MpKsl043b1a4e
-------\Service_MpKsl23abff07
-------\Service_MpKsl268ea0a4
-------\Service_MpKsl47633ee4
-------\Service_MpKsl56f33640
-------\Service_MpKsl76efe338
-------\Service_MpKsl78d4fca6
-------\Service_MpKsl7a924756
-------\Service_MpKsl87297323
-------\Service_MpKsla4606813
-------\Service_MpKsla73b70df
-------\Service_MpKsldfad2942
-------\Service_MpKsle639eb46
.
.
((((((((((((((((((((((((( Files Created from 2012-09-14 to 2012-10-14 )))))))))))))))))))))))))))))))
.
.
2012-10-09 22:17 . 2012-10-09 22:36 -------- d-----w- c:\documents and settings\John Venable\Application Data\Nico Mak Computing
2012-10-09 03:10 . 2012-10-09 03:24 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2012-10-08 03:26 . 2012-10-08 03:26 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2012-10-07 15:22 . 2012-10-07 15:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-10-07 15:03 . 2012-10-07 15:03 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-09 13:06 . 2012-06-14 08:14 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-09 13:06 . 2011-05-19 14:34 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-07 22:04 . 2011-04-20 21:41 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-28 15:14 . 2005-08-16 09:18 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14 . 2005-08-16 09:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14 . 2005-08-16 09:18 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07 . 2005-08-16 09:18 385024 ----a-w- c:\windows\system32\html.iec
2012-08-24 13:53 . 2005-08-16 09:18 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-08-21 13:33 . 2005-08-16 09:18 2148864 ------w- c:\windows\system32\ntoskrnl.exe
2012-08-21 12:58 . 2004-08-04 03:59 2027520 ------w- c:\windows\system32\ntkrnlpa.exe
2012-07-28 11:04 . 2008-02-25 19:11 230840 ----a-r- c:\windows\system32\cpnprt2.cid
2012-04-26 17:23 . 2012-04-26 17:23 437 ----a-w- c:\program files\0426201212234919.bat
2001-11-05 14:30 . 2006-09-11 21:12 165376 ----a-w- c:\program files\UNWISE.EXE
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn0\yt.dll" [2012-03-21 1523512]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-22 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-13 1117184]
"EPSON Stylus C88 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE" [2005-01-27 98304]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"EPSON Stylus C88 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE" [2005-01-27 98304]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2012-06-05 296056]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"EPSON Stylus C88 Series (Copy 2)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE" [2005-01-27 98304]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\John Venable\Start Menu\Programs\Startup\
Event Reminder.lnk - c:\pmw\PMREMIND.EXE [1997-10-24 255408]
Microsoft Works Calendar Reminders.lnk - c:\program files\MSWorks\Calendar\WKCALREM.EXE [1998-7-21 68368]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Quicken Startup.lnk - c:\quickenw\QWDLLS.EXE [2006-9-3 27136]
TotalMedia Backup Monitor.lnk - c:\program files\ArcSoft\Software Suite\TotalMedia Backup & Record\uBBMonitor.exe [2010-4-20 266240]
ZyXEL G-220v3 Wireless USB Adapter Utility.lnk - c:\program files\ZyXEL G-220v3 Wireless USB Adapter Utility\ZyXEL G-220v3.exe [2009-4-28 10792960]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [3/28/2011 8:32 PM 53816]
R1 A2DDA;A2 Direct Disk Access Support Driver;c:\documents and settings\John Venable\Desktop\emsisoftemergencykit\Run\a2ddax86.sys [10/8/2012 6:37 AM 17904]
R1 RapportCerberus_25973;RapportCerberus_25973;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys [4/13/2011 4:37 AM 57144]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [3/28/2011 8:32 PM 66360]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [3/28/2011 8:32 PM 158904]
R3 CXFALCON;Conexant Falcon Video Capture;c:\windows\system32\drivers\cxfalcon.sys [9/3/2006 1:07 PM 101632]
R3 ZG760_XP;ZyXEL 802.11g XG762 1211 Driver;c:\windows\system32\drivers\WlanGZXP.SYS [4/28/2009 5:19 PM 735232]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [6/14/2012 3:14 AM 250808]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2010 3:13 PM 135664]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2010 3:13 PM 135664]
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-14 13:06]
.
2012-10-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2012-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 20:13]
.
2012-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 20:13]
.
2012-10-13 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2009-01-13 14:59]
.
2012-10-13 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2010-04-06 21:30]
.
2012-10-13 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-13 14:59]
.
2012-10-14 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3486443039-1947873220-3481591297-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-04-30 23:21]
.
2012-10-14 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3486443039-1947873220-3481591297-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-04-30 23:21]
.
2012-10-11 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3486443039-1947873220-3481591297-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-04-30 23:21]
.
2012-10-07 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3486443039-1947873220-3481591297-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-04-30 23:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.excite.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
TCP: DhcpNameServer = 24.245.95.11 24.245.95.17 12.25.244.11
DPF: {C111A91F-D4EC-4D22-8D27-C3BCB0389F43} - hxxp://webcam.prejeans.com/activex/AMC.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://webcam.prejeans.com/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\John Venable\Application Data\Mozilla\Firefox\Profiles\j9r06ok1.default\
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 63798
FF - prefs.js: network.proxy.type - 1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-13 22:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3688)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng-us.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\program files\ArcSoft\Software Suite\PhotoImpression\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\windows\system32\E_S00RP1.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Visioneer\OneTouch 4.0\OtService.exe
c:\windows\system32\PSIService.exe
c:\windows\system32\SAgent4.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\program files\Visioneer\OneTouch 4.0\OtMonEx.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2012-10-13 22:40:38 - machine was rebooted
ComboFix-quarantined-files.txt 2012-10-14 03:40
ComboFix2.txt 2012-10-12 19:15
.
Pre-Run: 64,027,103,232 bytes free
Post-Run: 64,084,160,512 bytes free
.
- - End Of File - - 54A186CA7A4CFA198D61E8837A15183F


I'll proceed to update his software per your recommendations.

Thanks again,

Alamo-Girl
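The ComboFix log above lists every autostart entry and, under the supplementary scan, the Firefox proxy prefs (network.proxy.type 1 with network.proxy.http 127.0.0.1 on port 63798). As an added example, not part of the thread and not ComboFix's own code, the Python below shows how a responder can triage a log in that format mechanically instead of reading it line by line: it flags Run-key binaries that live under a user-writable profile directory or inside a purely numeric directory, and a manual browser proxy that points at loopback, which is worth confirming by finding the process that owns the port. The sample lines are constructed to mimic ComboFix's layout; the benign entries and the three proxy prefs mirror lines in the posted log, while the "ExampleLoader" entry and its path are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the "Reg Loading Points" / "Supplementary Scan"
# layout ComboFix uses. The benign Run entries and the Firefox proxy prefs
# mirror lines in the posted log; the "ExampleLoader" entry and its path are
# hypothetical, invented so the profile-directory rule has something to catch.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-22 39408]
"ExampleLoader"="c:\documents and settings\someuser\Local Settings\Application Data\Microsoft\Windows\4711\example.exe" [2012-10-07 118784]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
.
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 63798
FF - prefs.js: network.proxy.type - 1
'''


@dataclass
class Finding:
    category: str  # "autostart" or "browser-proxy"
    subject: str   # registry value name or Firefox pref name
    detail: str    # what the log showed
    reason: str    # why a responder should look at it


KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"')
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (?P<pref>network\.proxy\.\w+) - (?P<value>\S+)$")

PROFILE_MARKERS = ("\\documents and settings\\", "\\users\\")
WRITABLE_MARKERS = ("\\local settings\\", "\\application data\\", "\\appdata\\", "\\temp\\")
NUMERIC_DIR_RE = re.compile(r"\\\d+\\")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def autostart_reasons(path: str) -> List[str]:
    """Location heuristics for an autostart binary; an empty list means nothing odd."""
    p = path.lower()
    reasons = []
    if any(m in p for m in PROFILE_MARKERS) and any(w in p for w in WRITABLE_MARKERS):
        reasons.append("runs from a user-writable profile directory, not Program Files or System32")
    if NUMERIC_DIR_RE.search(p):
        reasons.append("path contains a purely numeric directory name")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Walk the log once, collecting Run-key hits and the Firefox proxy prefs."""
    findings: List[Finding] = []
    current_key = ""
    ff_prefs: Dict[str, str] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current_key.lower().endswith("\\run"):
            reasons = autostart_reasons(m.group("path"))
            if reasons:
                findings.append(Finding("autostart", m.group("name"),
                                        f"{current_key} -> {m.group('path')}", "; ".join(reasons)))
            continue
        m = FF_PREF_RE.match(line)
        if m:
            ff_prefs[m.group("pref")] = m.group("value")
    # network.proxy.type 1 means a manual proxy; a loopback host means some local
    # process sits between the browser and the network. That can be legitimate
    # (filtering software) or not, so the finding asks for the listener's identity.
    if ff_prefs.get("network.proxy.type") == "1" and ff_prefs.get("network.proxy.http") in LOOPBACK:
        host = ff_prefs["network.proxy.http"]
        port = ff_prefs.get("network.proxy.http_port", "?")
        findings.append(Finding("browser-proxy", "network.proxy.http", f"{host}:{port}",
                                "Firefox HTTP traffic goes through a local listener; identify the "
                                "process bound to that port (netstat -ano) before accepting it"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.category}] {f.subject}: {f.detail}\n    -> {f.reason}")
```

To run it over a real log, pass the file contents to `triage()`. The numeric-directory rule is a weak signal on its own: in the posted log it would also fire on the Epson spool driver path (`spool\DRIVERS\W32X86\3\E_FATIABA.EXE`), so treat each hit as a prompt to check the file, not as a verdict.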

#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,948 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:03 PM

Posted 14 October 2012 - 09:20 AM

If all is well:

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

To remove AdwCleaner.

Please double click on adwcleaner.exe to run the tool.
Click on Uninstall.
Confirm with Yes.

Delete the other tools we used.

Surf Safely, and Think Prevention!
===
