Potential Malware?


This topic is locked
15 replies to this topic

#1 Jonjo99

  • Members
  • 8 posts

Posted 25 October 2012 - 10:47 AM

In January one of our laptops was infected with a virus which I thought had been cleared away. Recently though my email addresses were hacked into and I found a Java exploit on the laptop. I am now worried that other computers on our home network may have been infected and on checking this desktop computer I noticed a file that had been modified around the time of the virus called ieexec.exe. After googling this I found that this may potentially be a virus but none of avast, malwarebytes or microsoft safety scanner have flagged it as such. I really need to know if it is dangerous and how to get rid of it if it is. I will post the dds logs below but the GMER scan kept crashing the computer before completion.

Many thanks.



DDS (Ver_2012-10-19.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Run by Administrator at 16:07:12 on 2012-10-25
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.511.72 [GMT 1:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ================
.
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\HPPAVI~1\Pavilion\XPEWWBP4\plugin\bin\PCHButton.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\BT Auto Backup\VaultClientSRV.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.msn.co.uk/
uSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://srch-gb10.hpwis.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Yahoo! IE Services Button: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
uRun: [Uniblue RegistryBooster 2] c:\program files\uniblue\registrybooster 2\RegistryBooster.exe /S
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Uniblue SpeedUpMyPC] c:\program files\uniblue\speedupmypc 3\SpeedUpMyPC.exe -s
uRun: [Acme.PCHButton] c:\progra~1\hppavi~1\pavilion\xpewwbp4\plugin\bin\PCHButton.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [Reader Library Launcher] c:\program files\sony\reader\data\bin\launcher\Reader Library Launcher.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [nwiz] nwiz.exe /install
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [F-Secure TNB] "c:\program files\f-secure internet security\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW
mRun: [F-Secure Manager] "c:\program files\f-secure internet security\common\FSM32.EXE" /splash
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [CTHelper] CTHELPER.EXE
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [KernelFaultCheck] c:\windows\system32\dumprep 0 -k
mRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [SetDefaultMidi] MIDIDEF.EXE
dRunOnce: [CMSRegOW.exe] "c:\program files\installshield installation information\{56f3e1ff-54fe-4384-a153-6ccaba097814}\CMSRegOW.exe" /r
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
uPolicies-Explorer: NoViewOnDrive = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} - hxxp://by16fd.bay16.hotmail.msn.com/activex/HMAtchmt.ocx
TCP: Interfaces\{1879AFE6-BD88-4950-93B2-C0E6854A27A6} : DHCPNameServer = 192.168.1.254
Notify: igfxcui - igfxsrvc.dll
Hosts: 127.0.0.1 counter.kaspersky.com
Hosts: 127.0.0.1 directads.mcafee.com
Hosts: 127.0.0.1 ads.mcafee.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\yaopvulv.default\
FF - prefs.js: browser.startup.homepage - hxxp://orange.co.uk
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\sony\reader\data\bin\npebldetectmoz.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_287.dll
.
============= SERVICES / DRIVERS ===============
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2012-6-8 65720]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-7-7 729752]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-11-1 355632]
R1 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\34302\RapportCerberus32_34302.sys [2011-12-15 228208]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2012-6-8 71480]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2012-6-8 166840]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-1 21256]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-7 44808]
R3 TIACXUSB;D-Link AirPlus DWL-120+ Wireless USB Adapter;c:\windows\system32\drivers\tiacxusb.sys [2003-9-7 177792]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-9-1 250808]
S3 BTUsbrXP®;BT Voyager 1010 USB Adapter;c:\windows\system32\drivers\BTUSBRXP.SYS [2004-4-24 90240]
S3 pohci13F;pohci13F;\??\c:\docume~1\admini~1\locals~1\temp\pohci13f.sys --> c:\docume~1\admini~1\locals~1\temp\pohci13F.sys [?]
S3 RapportIaso;RapportIaso;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\39624\RapportIaso.sys [2012-5-30 21520]
S3 TIAcxubt;D-Link WLAN USB Boot Device;c:\windows\system32\drivers\tiacxubt.sys [2007-9-14 17536]
.
=============== Created Last 30 ================
.
2012-10-24 08:33:30 -------- dc----w- c:\documents and settings\administrator\application data\Malwarebytes
2012-10-24 08:33:07 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-10-24 08:33:02 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-24 08:33:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-10-16 08:25:43 157272 ----a-w- c:\program files\mozilla firefox\webapp-uninstaller.exe
2012-10-16 08:25:42 96224 ----a-w- c:\program files\mozilla firefox\webapprt-stub.exe
2012-10-16 08:24:38 14676960 ----a-w- c:\program files\mozilla firefox\xul.dll
2012-10-16 08:24:37 19424 ----a-w- c:\program files\mozilla firefox\xpcom.dll
2012-10-16 08:24:17 270816 ----a-w- c:\program files\mozilla firefox\updater.exe
2012-10-16 08:24:17 10571728 ----a-w- c:\program files\mozilla firefox\videocaster.exe
2012-10-16 08:24:12 889848 ----a-w- c:\program files\mozilla firefox\uninstall\helper.exe
2012-10-16 08:24:12 145376 ----a-w- c:\program files\mozilla firefox\ssl3.dll
2012-10-16 08:24:10 91104 ----a-w- c:\program files\mozilla firefox\smime3.dll
2012-10-16 08:24:10 155104 ----a-w- c:\program files\mozilla firefox\softokn3.dll
.
==================== Find3M ====================
.
2012-10-09 09:36:43 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-09 09:36:43 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-28 15:14:53 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14:53 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14:52 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07:15 385024 ----a-w- c:\windows\system32\html.iec
2012-08-24 13:53:22 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-08-21 13:33:26 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-21 12:58:09 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-08-21 09:13:15 729752 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-08-21 09:12:33 41224 ----a-w- c:\windows\avastSS.scr
2007-12-20 19:37:13 1491592 -c--a-w- c:\program files\install_flash_player.exe
.
============= FINISH: 16:09:29.43 ===============


#2 nasdaq

  • Malware Response Team
  • 39,955 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 26 October 2012 - 09:00 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

The Hosts file was altered, so for your added security please install this one.

Download HostsXpert

Tutorial, go here:
http://i28.photobucket.com/albums/c227/tetonbob/emoticons/HostsXpert4.jpg
  • Unzip HostsXpert to its own folder.
  • Run HostsXpert.exe
  • Click: Make Writable? in the upper left corner.
  • Click: Download
  • Click: MVPs Hosts
  • Click: Replace
  • Click: OK
  • Click: Make ReadOnly
  • Close HostsXpert.
I suggest that you update to the new version of the Hosts file every 6 weeks. I do.

All you need to know about the hosts file.
http://www.mvps.org/winhelp2002/hosts.htm
===


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Close any open browsers, and all other programs that are running. Make sure you save your file if working on a document.
  • Do not install any other programs until this is fixed.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[image]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third-party programs, if not up to date, can be the cause of infiltration and infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).

Please post the logs and let me know if the problem persists.
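As an added example (not part of nasdaq's reply, and not code from any BleepingComputer tool), the check below parses hosts-file lines, including `Hosts:` lines in the form DDS prints them, and flags entries that point a security-vendor domain at a loopback or unspecified address, which is the pattern the DDS log above shows for kaspersky.com and mcafee.com. The vendor watch list and the sample lines are constructed for the example; a real deployment would load a fuller list.

```python
"""Flag hosts-file entries that sink security-vendor domains to a local address.

Malware commonly edits the Windows hosts file so that AV update and
telemetry hostnames resolve to 127.0.0.1 or 0.0.0.0, silently blocking
signature updates. This script reproduces that check over raw hosts lines
or over the "Hosts: <ip> <name>" lines DDS emits.
"""
import ipaddress
from dataclasses import dataclass

# Constructed watch list (assumption): registrable domains of AV/security vendors.
SECURITY_VENDOR_DOMAINS = {
    "kaspersky.com", "mcafee.com", "symantec.com", "avast.com",
    "malwarebytes.org", "microsoft.com", "windowsupdate.com", "sophos.com",
}

# Entries present in every default hosts file; never flag these.
EXPECTED_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


@dataclass(frozen=True)
class HostsEntry:
    address: str
    hostname: str
    line_no: int


def parse_hosts(text):
    """Parse hosts-file content into HostsEntry records.

    Accepts raw hosts lines and DDS-style "Hosts: <ip> <name>" lines,
    strips '#' comments and blank lines, and skips lines whose first
    token is not a valid IP address.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line.lower().startswith("hosts:"):
            line = line[len("hosts:"):].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        # One address may be followed by several hostnames on the same line.
        for name in parts[1:]:
            entries.append(HostsEntry(parts[0], name.lower(), line_no))
    return entries


def registrable_domain(hostname):
    """Last-two-labels heuristic (assumption: no public-suffix list offline)."""
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname


def is_sinkhole_address(address):
    """True for addresses that make a name unreachable: loopback, 0.0.0.0, RFC1918."""
    ip = ipaddress.ip_address(address)
    return ip.is_loopback or ip.is_unspecified or ip.is_private


def find_suspicious(entries):
    """Return entries that sink a security-vendor domain.

    Ad-blocking hosts lists (such as the MVPS list recommended above) sink
    thousands of ad/tracker domains the same way, so only vendor domains
    are reported to avoid flagging a legitimate protective hosts file.
    """
    findings = []
    for e in entries:
        if (e.address, e.hostname) in EXPECTED_ENTRIES:
            continue
        if not is_sinkhole_address(e.address):
            continue
        if registrable_domain(e.hostname) in SECURITY_VENDOR_DOMAINS:
            findings.append(e)
    return findings


# Constructed sample: the three redirections from the DDS log plus benign lines.
SAMPLE_HOSTS = """\
# constructed sample hosts content
127.0.0.1       localhost
Hosts: 127.0.0.1 counter.kaspersky.com
Hosts: 127.0.0.1 directads.mcafee.com
Hosts: 127.0.0.1 ads.mcafee.com
0.0.0.0 ads.example.net   # ad-blocking entry, not a security vendor
"""


def scan_text(text):
    """Convenience wrapper: parse, then flag."""
    return find_suspicious(parse_hosts(text))


if __name__ == "__main__":
    for hit in scan_text(SAMPLE_HOSTS):
        print(f"line {hit.line_no}: {hit.hostname} -> {hit.address} (security vendor sinkholed)")
```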

#3 Jonjo99

  • Topic Starter
  • Members
  • 8 posts

Posted 26 October 2012 - 03:09 PM

Hi nasdaq. Thank you very much for replying. Please find below the logs you requested. I notice that the suspicious file I mentioned that was modified in January is still there. I notice there are a few files in the .Net Framework folder that were modified around this time as well. Is this bad news? Anyway, here are the logs:

# AdwCleaner v2.005 - Logfile created 10/26/2012 at 20:39:34
# Updated 14/10/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Administrator - COMPUTER1
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Administrator\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

Folder Found : C:\Documents and Settings\All Users\Application Data\Trymedia
Folder Found : C:\Program Files\Trymedia

***** [Registry] *****

Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Found : HKU\S-1-5-21-2683340446-3672299655-4190854137-500\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v16.0.1 (en-GB)

Profile name : default
File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yaopvulv.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v [Unable to get version]

File : C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1434 octets] - [26/10/2012 20:39:34]

########## EOF - C:\AdwCleaner[R1].txt - [1494 octets] ##########






ComboFix 12-10-26.03 - Administrator 26/10/2012 16:10:18.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.511.70 [GMT 1:00]
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\Otto
c:\documents and settings\Administrator\Application Data\Otto\config.set
c:\documents and settings\Administrator\GoToAssistDownloadHelper.exe
c:\documents and settings\Administrator\My Documents\~WRD3782.tmp
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Default User\WINDOWS
c:\windows\help\wmplayer.bak
c:\windows\iun6002.exe
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\dllcache\wmpvis.dll
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\ps2.bat
c:\windows\system32\spool\prtprocs\w32x86\Ppbiproc.dll
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
c:\windows\winhelp.ini
D:\Autorun.inf
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NVSVC
-------\Service_NVSvc
.
.
((((((((((((((((((((((((( Files Created from 2012-09-26 to 2012-10-26 )))))))))))))))))))))))))))))))
.
.
2012-10-24 08:33 . 2012-10-24 08:33 -------- dc----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-10-24 08:33 . 2012-10-24 08:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-10-24 08:33 . 2012-10-24 08:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-10-24 08:33 . 2012-09-29 18:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-23 10:18 . 2012-07-07 22:05 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-10-23 10:18 . 2009-11-01 14:19 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-10-23 10:18 . 2009-11-01 14:19 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-10-23 10:18 . 2009-11-01 14:19 360392 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-10-23 10:18 . 2009-11-01 14:19 97608 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-10-23 10:18 . 2009-11-01 14:19 89752 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-10-23 10:18 . 2009-11-01 14:19 25256 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-10-23 10:18 . 2009-11-01 14:19 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-10-23 10:17 . 2010-11-07 09:37 41224 ----a-w- c:\windows\avastSS.scr
2012-10-23 10:17 . 2009-11-01 14:19 227648 ----a-w- c:\windows\system32\aswBoot.exe
2012-10-09 09:36 . 2012-09-01 14:28 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-09 09:36 . 2011-08-05 16:28 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-28 15:14 . 2004-02-06 17:05 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14 . 2003-11-03 16:02 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14 . 2003-11-03 16:02 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2012-08-24 13:53 . 2003-11-03 16:05 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-08-21 13:33 . 2003-11-03 16:02 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-21 12:58 . 2002-08-29 08:04 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
2007-12-20 19:37 . 2007-12-20 19:35 1491592 -c--a-w- c:\program files\install_flash_player.exe
2007-06-21 18:38 . 2012-10-16 08:22 30280 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2007-06-21 18:38 . 2012-10-16 08:22 79432 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2007-06-21 18:38 . 2012-10-16 08:22 71240 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2007-06-21 18:38 . 2012-10-16 08:22 140872 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2007-06-21 18:39 . 2012-10-16 08:22 38472 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2007-06-21 18:39 . 2012-10-16 08:22 46664 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2007-06-21 18:39 . 2012-10-16 08:22 34376 ----a-w- c:\program files\mozilla firefox\plugins\logging.dll
2007-06-21 18:39 . 2012-10-16 08:22 685640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2007-06-21 18:40 . 2012-10-16 08:22 30280 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2012-10-16 08:25 . 2012-10-16 08:22 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-10-23 10:17 121528 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue RegistryBooster 2"="c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-10-22 1885464]
"Acme.PCHButton"="c:\progra~1\HPPAVI~1\Pavilion\XPEWWBP4\plugin\bin\PCHButton.exe" [2003-10-21 155648]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"Reader Library Launcher"="c:\program files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe" [2010-07-13 906648]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-12-04 176128]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
"CTHelper"="CTHELPER.EXE" [2003-05-28 28672]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMidi"="MIDIDEF.EXE" [2002-12-03 49152]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
backup=c:\windows\pss\Microsoft Find Fast.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
backup=c:\windows\pss\Office Startup.lnkCommon Startup
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\Synacast\\SynaLive\\PE.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\bin\\BTHelpBrowser.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6748:TCP"= 6748:TCP:ppLive
"2267:UDP"= 2267:UDP:ppLive
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [08/06/2012 21:42 65720]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [07/07/2012 23:05 738504]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [01/11/2009 15:19 360392]
R1 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys [15/12/2011 17:57 228208]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [08/06/2012 21:42 71480]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [08/06/2012 21:42 166840]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [01/11/2009 15:19 21256]
R2 VaultClientSRV;BT Auto Backup Service;c:\program files\BT Auto Backup\VaultClientSRV.exe [04/07/2007 22:01 943480]
R3 TIACXUSB;D-Link AirPlus DWL-120+ Wireless USB Adapter;c:\windows\system32\drivers\tiacxusb.sys [07/09/2003 21:07 177792]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [07/11/2010 10:37 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [01/09/2012 15:28 250808]
S3 BTUsbrXP®;BT Voyager 1010 USB Adapter;c:\windows\system32\drivers\BTUSBRXP.SYS [24/04/2004 00:54 90240]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [07/11/2010 10:37 136176]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [09/05/2012 11:20 115168]
S3 pohci13F;pohci13F;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\pohci13F.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\pohci13F.sys [?]
S3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\39624\RapportIaso.sys [30/05/2012 10:25 21520]
S3 TIAcxubt;D-Link WLAN USB Boot Device;c:\windows\system32\drivers\tiacxubt.sys [14/09/2007 22:05 17536]
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-26 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-01 09:36]
.
2012-04-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 17:57]
.
2012-10-26 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\Alwil Software\Avast5\AvastEmUpdate.exe [2012-07-07 10:17]
.
2012-10-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-07 09:37]
.
2012-10-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-07 09:37]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.co.uk/
uDefault_Search_URL = hxxp://srch-gb10.hpwis.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yaopvulv.default\
FF - prefs.js: browser.startup.homepage - hxxp://orange.co.uk
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Uniblue SpeedUpMyPC - c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
HKLM-Run-F-Secure TNB - c:\program files\F-Secure Internet Security\FSGUI\TNBUtil.exe
HKLM-Run-F-Secure Manager - c:\program files\F-Secure Internet Security\Common\FSM32.EXE
HKU-Default-RunOnce-CMSRegOW.exe - c:\program files\InstallShield Installation Information\{56F3E1FF-54FE-4384-A153-6CCABA097814}\CMSRegOW.exe
AddRemove-Creative Driver - c:\windows\System32\ctdrvins
AddRemove-Creative Jukebox Driver - c:\program files\Creative\Jukebox 3 Drivers\DrvUnins.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-26 16:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2683340446-3672299655-4190854137-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,59,1a,57,5c,6c,79,45,41,ad,25,0e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,59,1a,57,5c,6c,79,45,41,ad,25,0e,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3480)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\wdfmgr.exe
c:\windows\System32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2012-10-26 16:56:54 - machine was rebooted
ComboFix-quarantined-files.txt 2012-10-26 15:56
.
Pre-Run: 469,790,720 bytes free
Post-Run: 2,546,212,864 bytes free
.
- - End Of File - - AFAB5218E96E32704A1B559EF923D196





Results of screen317's Security Check version 0.99.53
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
avast! Antivirus
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.65.1.1000
Java™ 6 Update 22
Java 2 Runtime Environment, SE v1.4.2
Java version out of Date!
Adobe Flash Player 11.4.402.287
Adobe Reader X (10.1.4)
Mozilla Firefox (16.0.1)
Google Chrome 21.0.1180.83
Google Chrome 21.0.1180.89
Google Chrome 22.0.1229.79
Google Chrome 22.0.1229.92
Google Chrome 22.0.1229.94
````````Process Check: objlist.exe by Laurent````````
Alwil Software Avast5 AvastSvc.exe
Alwil Software Avast5 AvastUI.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 30% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,955 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 27 October 2012 - 09:35 AM

Remove the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Everything that was found will be deleted.
  • Follow the prompts to reboot the computer. A text file will open after the restart.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).


Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 22
Java 2 Runtime Environment, SE v1.4.2


===

checking this desktop computer I noticed a file that had been modified around the time of the virus called ieexec.exe.
Delete the file in bold.

===

Take the time to defrag your Hard Disk. It may take some time so do it when you know you will not need the computer for a few hours.

===

Driver::
pohci13F

ClearJavaCache::



Save this as CFScript.txt on your desktop.

[Image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Please let me know of any remaining issues with this computer.

#5 Jonjo99

Jonjo99
  • Topic Starter

  • Members
  • 8 posts

Posted 29 October 2012 - 04:57 AM

Ok I have deleted the ieexec.exe file but I noticed some other .dll files in the .Net Framework folder that had been modified at the same time, as well as two more .exe programs that were modified a few days earlier (aspnet_wp.exe and aspnet_state.exe). Should I delete these or are they legit?

Also the computer freezes when I run the AdwCleaner tool so I have been unable to use it.

Here is the Combofix report:

ComboFix 12-10-26.05 - Administrator 28/10/2012 23:10:07.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.511.202 [GMT 0:00]
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_POHCI13F
-------\Service_pohci13F
.
.
((((((((((((((((((((((((( Files Created from 2012-09-28 to 2012-10-28 )))))))))))))))))))))))))))))))
.
.
2012-10-28 16:58 . 2003-10-21 15:19 53352 ----a-w- c:\windows\system32\jpicpl32.cpl
2012-10-24 08:33 . 2012-10-24 08:33 -------- dc----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-10-24 08:33 . 2012-10-24 08:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-10-24 08:33 . 2012-10-24 08:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-10-24 08:33 . 2012-09-29 18:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-23 10:18 . 2012-07-07 22:05 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-10-23 10:18 . 2009-11-01 14:19 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-10-23 10:18 . 2009-11-01 14:19 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-10-23 10:18 . 2009-11-01 14:19 360392 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-10-23 10:18 . 2009-11-01 14:19 97608 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-10-23 10:18 . 2009-11-01 14:19 89752 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-10-23 10:18 . 2009-11-01 14:19 25256 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-10-23 10:18 . 2009-11-01 14:19 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-10-23 10:17 . 2010-11-07 09:37 41224 ----a-w- c:\windows\avastSS.scr
2012-10-23 10:17 . 2009-11-01 14:19 227648 ----a-w- c:\windows\system32\aswBoot.exe
2012-10-09 09:36 . 2012-09-01 14:28 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-09 09:36 . 2011-08-05 16:28 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-28 15:14 . 2004-02-06 17:05 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14 . 2003-11-03 16:02 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14 . 2003-11-03 16:02 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2012-08-24 13:53 . 2003-11-03 16:05 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-08-21 13:33 . 2003-11-03 16:02 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-21 12:58 . 2002-08-29 08:04 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
2007-12-20 19:37 . 2007-12-20 19:35 1491592 -c--a-w- c:\program files\install_flash_player.exe
2007-06-21 18:38 . 2012-10-16 08:22 30280 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2007-06-21 18:38 . 2012-10-16 08:22 79432 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2007-06-21 18:38 . 2012-10-16 08:22 71240 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2007-06-21 18:38 . 2012-10-16 08:22 140872 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2007-06-21 18:39 . 2012-10-16 08:22 38472 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2007-06-21 18:39 . 2012-10-16 08:22 46664 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2007-06-21 18:39 . 2012-10-16 08:22 34376 ----a-w- c:\program files\mozilla firefox\plugins\logging.dll
2007-06-21 18:39 . 2012-10-16 08:22 685640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2007-06-21 18:40 . 2012-10-16 08:22 30280 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2012-10-16 08:25 . 2012-10-16 08:22 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-10-23 10:17 121528 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue RegistryBooster 2"="c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-10-22 1885464]
"Acme.PCHButton"="c:\progra~1\HPPAVI~1\Pavilion\XPEWWBP4\plugin\bin\PCHButton.exe" [2003-10-21 155648]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"Reader Library Launcher"="c:\program files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe" [2010-07-13 906648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-12-04 176128]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
"CTHelper"="CTHELPER.EXE" [2003-05-28 28672]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMidi"="MIDIDEF.EXE" [2002-12-03 49152]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
backup=c:\windows\pss\Microsoft Find Fast.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
backup=c:\windows\pss\Office Startup.lnkCommon Startup
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\Synacast\\SynaLive\\PE.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\bin\\BTHelpBrowser.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6748:TCP"= 6748:TCP:ppLive
"2267:UDP"= 2267:UDP:ppLive
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [08/06/2012 20:42 65720]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [07/07/2012 22:05 738504]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [01/11/2009 14:19 360392]
R1 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys [15/12/2011 16:57 228208]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [08/06/2012 20:42 71480]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [08/06/2012 20:42 166840]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [01/11/2009 14:19 21256]
R2 VaultClientSRV;BT Auto Backup Service;c:\program files\BT Auto Backup\VaultClientSRV.exe [04/07/2007 21:01 943480]
R3 TIACXUSB;D-Link AirPlus DWL-120+ Wireless USB Adapter;c:\windows\system32\drivers\tiacxusb.sys [07/09/2003 20:07 177792]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [07/11/2010 09:37 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [01/09/2012 14:28 250808]
S3 BTUsbrXP®;BT Voyager 1010 USB Adapter;c:\windows\system32\drivers\BTUSBRXP.SYS [23/04/2004 23:54 90240]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [07/11/2010 09:37 136176]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [09/05/2012 10:20 115168]
S3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\39624\RapportIaso.sys [30/05/2012 09:25 21520]
S3 TIAcxubt;D-Link WLAN USB Boot Device;c:\windows\system32\drivers\tiacxubt.sys [14/09/2007 21:05 17536]
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-01 09:36]
.
2012-04-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 17:57]
.
2012-10-28 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\Alwil Software\Avast5\AvastEmUpdate.exe [2012-07-07 10:17]
.
2012-10-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-07 09:37]
.
2012-10-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-07 09:37]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.co.uk/
uDefault_Search_URL = hxxp://srch-gb10.hpwis.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yaopvulv.default\
FF - prefs.js: browser.startup.homepage - hxxp://orange.co.uk
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-28 23:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2683340446-3672299655-4190854137-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,59,1a,57,5c,6c,79,45,41,ad,25,0e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,59,1a,57,5c,6c,79,45,41,ad,25,0e,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(956)
c:\windows\system32\WININET.dll
c:\windows\system32\ctagent.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\wdfmgr.exe
c:\windows\System32\MsPMSPSv.exe
c:\windows\ehome\ehRec.exe
c:\windows\system32\CTHELPER.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2012-10-28 23:56:27 - machine was rebooted
ComboFix-quarantined-files.txt 2012-10-28 23:56
ComboFix2.txt 2012-10-26 15:56
.
Pre-Run: 2,133,954,560 bytes free
Post-Run: 2,144,415,744 bytes free
.
- - End Of File - - 0158A15801D14B232762F4EB97E7BC56

#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,955 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 29 October 2012 - 09:46 AM

Remove the AdwCleaner tool.

Please double click on adwcleaner.exe to run the tool.
Click on Uninstall.
Confirm with Yes.

Reinstall the application and run the Search function.
Post the log for my review.

#7 Jonjo99

Jonjo99
  • Topic Starter

  • Members
  • 8 posts

Posted 29 October 2012 - 10:56 AM

# AdwCleaner v2.005 - Logfile created 10/29/2012 at 15:55:25
# Updated 14/10/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Administrator - COMPUTER1
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Administrator\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

Folder Found : C:\Documents and Settings\All Users\Application Data\Trymedia
Folder Found : C:\Program Files\Trymedia

***** [Registry] *****

Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Found : HKU\S-1-5-21-2683340446-3672299655-4190854137-500\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v16.0.2 (en-GB)

Profile name : default
File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yaopvulv.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v [Unable to get version]

File : C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1434 octets] - [29/10/2012 15:55:25]

########## EOF - C:\AdwCleaner[R1].txt - [1494 octets] ##########

#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,955 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 29 October 2012 - 12:46 PM

Ok same type of log as the last one.

Run the tool again and this time use the Delete option.

Post the log if you can.

#9 Jonjo99

Jonjo99
  • Topic Starter

  • Members
  • 8 posts

Posted 29 October 2012 - 01:43 PM

# AdwCleaner v2.005 - Logfile created 10/29/2012 at 18:23:23
# Updated 14/10/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Administrator - COMPUTER1
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Administrator\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\Trymedia
Folder Deleted : C:\Program Files\Trymedia

#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,955 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 30 October 2012 - 08:07 AM

Good work.

If all is well:

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

To remove AdwCleaner.

Please double click on adwcleaner.exe to run the tool.
Click on Uninstall.
Confirm with Yes.

Delete the other tools we used.

Surf Safely, and Think Prevention!
===

#11 Jonjo99

Jonjo99
  • Topic Starter

  • Members
  • 8 posts

Posted 30 October 2012 - 09:09 AM

Ok all done. Did you see anything that would suggest the computer had been hacked? What about the files I mentioned a few posts back? Should I delete these or do you think they are ok?

Thanks

#12 nasdaq

nasdaq

  • Malware Response Team
  • 39,955 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 30 October 2012 - 10:06 AM

Net Framework folder that had been modified at the same time as well as two more .exe programs that were modified a few days earlier (aspnet_wp.exe and aspnet_state.exe) Should I delete these or are they legit?

These files are good. They are used when required by the Operating system.

It's impossible to find out what really happened. I would however suggest you change your passwords for your added security.

#13 Jonjo99

Jonjo99
  • Topic Starter

  • Members
  • 8 posts

Posted 30 October 2012 - 10:29 AM

Oh, ok. The reason I was suspicious of those files was not just the dates they were modified but also the times, which were in the middle of the night when the computer would have been switched off. Is this normal or even possible?

#14 nasdaq

nasdaq

  • Malware Response Team
  • 39,955 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 30 October 2012 - 01:18 PM

Both files belong to the Microsoft .NET Framework software by Microsoft.
Look at the Properties of the files and make sure they are from Microsoft.
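A scripted version of that Properties check, added here as an example (it is not part of nasdaq's reply or of any tool used in this thread): it reads the Authenticode signature of the three files Jonjo99 asked about, so the verdict rests on who signed them rather than on timestamps, which for update-delivered files reflect the package's build time. It assumes the .NET Framework 2.0 folder under %windir% on a 32-bit XP machine and PowerShell 2.0.

```powershell
# Added example, not part of nasdaq's reply or of any tool used in this thread.
# Assumes the .NET Framework 2.0 folder on a 32-bit XP box and PowerShell 2.0;
# adjust $FrameworkDir if your framework version or system drive differs.
$FrameworkDir = Join-Path $env:windir 'Microsoft.NET\Framework\v2.0.50727'
$FilesToCheck = @('ieexec.exe', 'aspnet_wp.exe', 'aspnet_state.exe') |
    ForEach-Object { Join-Path $FrameworkDir $_ }

function Test-MicrosoftSignedFile {
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        # ieexec.exe was already deleted earlier in the thread, so report that
        # instead of failing on it.
        return New-Object PSObject -Property @{
            Path = $Path; Status = 'Missing'; Signer = $null
            Created = $null; LastWrite = $null; IsMicrosoft = $false
        }
    }

    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    # Trust requires both a valid chain and a Microsoft signer. A file whose
    # signature validates but was signed by someone else still deserves a look.
    $isMicrosoft = ($sig.Status -eq 'Valid') -and ($signer -like '*O=Microsoft Corporation*')

    New-Object PSObject -Property @{
        Path        = $Path
        Status      = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer      = $signer
        Created     = $item.CreationTime
        # Files delivered by updates keep the package's build timestamp, so
        # overnight modification times on a switched-off machine are expected.
        LastWrite   = $item.LastWriteTime
        IsMicrosoft = $isMicrosoft
    }
}

$results = $FilesToCheck | ForEach-Object { Test-MicrosoftSignedFile -Path $_ }
$results | Format-Table Path, Status, IsMicrosoft, Created, LastWrite -AutoSize

# HashMismatch means the bytes changed after signing: that, not an odd timestamp,
# is the kind of modification that matters. NotSigned on older PowerShell versions
# can also mean the file is catalog-signed rather than embedded-signed, so confirm
# in Properties > Digital Signatures before acting on it.
$results | Where-Object { -not $_.IsMicrosoft } | ForEach-Object {
    Write-Warning ("Review before trusting: {0} ({1})" -f $_.Path, $_.Status)
}
```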

#15 Jonjo99

Jonjo99
  • Topic Starter

  • Members
  • 8 posts

Posted 30 October 2012 - 06:10 PM

Yeah they are both from Microsoft, I was just suspicious of those modified times.

Anyway if the scans are clean now then that has given me some peace of mind. I just want to say thank you for taking the time to help me with this, I really appreciate it. You have been a big help.



