SUSPECTED Malware Issue


This topic is locked
26 replies to this topic

#1 stonemanjr


Posted 29 October 2012 - 09:28 PM

In the last weeks our main machine is freezing/sticking, internet very slow to open, then at times frozen or closes on its own. Recently ran Malwarebytes and removed a load of FunMoods entries that were picked up with a recent driver backup download. Also identified 2 trojans. We have also run TFC and some of the others: Kaspersky's TDSS, ESET, Emsisoft, GMER, etc. that were recommended on your site. Recently, it blue-screened twice, which is a concern as it has only done this once in its life. Thanks for your help!


#2 Orange Blossom


Posted 29 October 2012 - 11:23 PM

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 stonemanjr


Posted 30 October 2012 - 12:04 PM

OK, thank you. Sending logs in a moment. Do they want a HiJackThis or ComboFix log also?

#4 Orange Blossom


Posted 30 October 2012 - 12:19 PM

Not unless specifically requested by your helper. Please do not run ComboFix on your own. If you already have, then please include the log already generated.


#5 stonemanjr


Posted 30 October 2012 - 12:51 PM

DDS (Ver_2012-10-19.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.9.2
Run by Owner at 12:58:28 on 2012-10-30
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.83 [GMT -4:00]
.
.
============== Running Processes ================
.
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Secunia\PSI\PSIA.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\windows\Explorer.EXE
C:\Program Files\Wise\Wise Care 365\WiseTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Western Digital\WD Apps\WDDriveAutoUnlock.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Western Digital\WD Drive Manager\WDDriveService.exe
C:\windows\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k rpcss
C:\windows\System32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k WudfServiceGroup
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.7529.1424\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [WD Drive Unlocker] c:\program files\western digital\wd apps\WDDriveAutoUnlock.exe
mRun: [WD Quick View] c:\program files\western digital\wd quick view\WDDMStatus.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: MaxRecentDocs = dword:18
mPolicies-Explorer: NoSMConfigurePrograms = dword:1
mPolicies-Explorer: NoRecentDocsNetHood = dword:1
mPolicies-Explorer: MemCheckBoxInRunDlg = dword:1
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1340331428000
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{616A82A5-0FA6-476B-BC4C-A959D389CD12} : DHCPNameServer = 192.168.1.1 192.168.1.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\yl4etcqn.default\
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_235.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - ExtSQL: 2012-10-29 10:33; firefox1@myibay.com; c:\documents and settings\owner\application data\mozilla\firefox\profiles\yl4etcqn.default\extensions\firefox1@myibay.com.xpi
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 193552]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-8-15 11608]
R1 MpKsl4214d938;MpKsl4214d938;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8312e5f4-5093-4e92-85d7-81f9a5658594}\MpKsl4214d938.sys [2012-10-30 29904]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2010-6-29 114416]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-8-15 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-8-15 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-8-15 66616]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-1-10 993848]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-1-10 399416]
R2 WDDriveService;WD Drive Manager;c:\program files\western digital\wd drive manager\WDDriveService.exe [2012-9-19 248248]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
RUnknown MpKslec14af7d;MpKslec14af7d; [x]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [2009-10-19 9472]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-2-6 136176]
S2 WDBackup;WD Backup;c:\program files\western digital\wd smartware\WDBackupEngine.exe [2012-9-19 1157056]
S2 WDRulesService;WD Rules;c:\program files\western digital\wd smartware\WDRulesEngine.exe [2012-9-19 1177536]
S2 WiseBootAssistant;Wise Boot Assistant;c:\program files\wise\wise care 365\BootTime.exe [2012-10-11 580648]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-8-30 250808]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2011-1-24 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-2-6 136176]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-10-29 115168]
S3 SysProtDrv.sys;SysProtDrv.sys;\??\c:\docume~1\owner\locals~1\temp\7zo17.tmp\sysprotdrv.sys --> c:\docume~1\owner\locals~1\temp\7zo17.tmp\SysProtDrv.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2012-10-28 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== File Associations ===============
.
ShellExec: Foxit Reader.exe: print="c:\program files\foxit software\foxit reader\Foxit Reader.exe"/p "%1"
ShellExec: Foxit Reader.exe: printto="c:\program files\foxit software\foxit reader\Foxit Reader.exe"/t "%1" "%2" "%3" "%4"
.
=============== Created Last 30 ================
.
2012-10-30 16:47:30 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8312e5f4-5093-4e92-85d7-81f9a5658594}\MpKsl4214d938.sys
2012-10-30 12:42:07 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8312e5f4-5093-4e92-85d7-81f9a5658594}\MpKslec14af7d.sys
2012-10-30 02:57:01 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8312e5f4-5093-4e92-85d7-81f9a5658594}\MpKslaf93c980.sys
2012-10-30 01:29:36 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8312e5f4-5093-4e92-85d7-81f9a5658594}\MpKslc6c4a5b2.sys
2012-10-29 22:01:14 6918632 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8312e5f4-5093-4e92-85d7-81f9a5658594}\mpengine.dll
2012-10-29 21:45:32 -------- d-----w- C:\67c21b6cd355495049ee9777403c75cc
2012-10-29 21:45:04 -------- d-----w- C:\22273a9c196c1a373ce0a9
2012-10-29 14:28:34 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2012-10-29 14:15:09 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-10-29 13:34:01 -------- d-----w- c:\documents and settings\owner\local settings\application data\Western_Digital
2012-10-28 22:22:22 11520 ----a-w- c:\windows\system32\drivers\wdcsam.sys
2012-10-28 22:21:34 -------- d-----w- c:\program files\common files\Western Digital
2012-10-28 20:20:50 -------- d-----w- C:\MGtools
2012-10-28 05:51:36 6918632 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-10-28 01:46:57 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-10-28 01:46:57 -------- d-----w- c:\windows\system32\wbem\Repository
2012-10-27 21:03:06 110602 ----a-w- c:\windows\system32\xcdsfx32.bin
2012-10-27 21:02:58 -------- d-----w- c:\program files\Driver Magician
2012-10-27 20:56:17 -------- d-----w- C:\My Drivers
2012-10-27 20:53:59 -------- d-----w- c:\program files\JerMar Software Corp
2012-10-27 20:25:06 -------- d-----w- c:\documents and settings\owner\local settings\application data\Innovative Solutions
2012-10-27 20:23:23 -------- d-----w- c:\program files\Innovative Solutions
2012-10-27 19:53:11 -------- d-----w- c:\documents and settings\owner\application data\Funmoods
2012-10-27 19:51:03 -------- d-----w- c:\documents and settings\owner\local settings\application data\Wajam
2012-10-27 19:50:34 -------- d-----w- c:\program files\My Drivers
2012-10-27 19:49:51 -------- d-----w- c:\program files\Wajam
2012-10-26 21:37:42 -------- d-----w- c:\program files\Western Digital
2012-10-26 21:03:59 290816 ----a-w- c:\windows\system32\dllcache\adsiis51.dll
2012-10-26 21:03:57 43520 ----a-w- c:\windows\system32\dllcache\admwprox.dll
2012-10-22 00:10:56 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-10-13 18:34:17 -------- d--h--w- c:\windows\system32\GroupPolicy
2012-10-11 21:49:07 -------- d-----w- c:\documents and settings\owner\application data\Wise Care 365
2012-10-11 21:20:46 -------- d-----w- c:\program files\Wise
2012-10-11 21:20:22 -------- d-----w- c:\documents and settings\owner\application data\Wise Registry Cleaner
.
==================== Find3M ====================
.
2012-10-09 16:17:23 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-09 16:17:22 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-29 23:54:26 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-25 03:16:58 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-09-25 03:16:53 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-25 02:56:00 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-09-19 22:03:11 177496 ----a-w- c:\windows\system32\drivers\42519383.sys
2012-08-31 02:03:50 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-08-28 15:13:45 920064 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:13:44 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:13:44 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07:41 385024 ----a-w- c:\windows\system32\html.iec
2012-08-24 13:52:39 178176 ----a-w- c:\windows\system32\wintrust.dll
2012-08-21 13:48:40 2193024 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-21 13:05:55 2069632 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
============= FINISH: 13:02:12.12 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-10-19.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 1/21/2011 6:35:36 PM
System Uptime: 10/30/2012 12:42:54 PM (1 hours ago)
.
Motherboard: Intel Corporation | | D850EMV2
Processor: Intel® Pentium® 4 CPU 2.53GHz | J2E1 | 2519/133mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 298 GiB total, 270.198 GiB free.
D: is CDROM ()
E: is CDROM (CDFS)
F: is FIXED (NTFS) - 74 GiB total, 58.096 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP687: 9/6/2012 12:44:51 PM - System Checkpoint
RP688: 9/7/2012 8:44:10 AM - Software Distribution Service 3.0
RP689: 9/8/2012 8:45:50 AM - Software Distribution Service 3.0
RP690: 9/9/2012 1:59:20 AM - Software Distribution Service 3.0
RP691: 9/9/2012 8:53:37 AM - Software Distribution Service 3.0
RP692: 9/10/2012 9:32:16 AM - System Checkpoint
RP693: 9/11/2012 8:39:00 AM - Software Distribution Service 3.0
RP694: 9/12/2012 9:00:21 AM - Software Distribution Service 3.0
RP695: 9/12/2012 8:57:11 PM - Revo Uninstaller's restore point - YTD Toolbar v6.2
RP696: 9/12/2012 8:58:14 PM - Removed YTD Toolbar v6.2.
RP697: 9/13/2012 8:32:19 AM - Software Distribution Service 3.0
RP698: 9/14/2012 9:06:02 AM - Software Distribution Service 3.0
RP699: 9/15/2012 9:29:37 AM - Software Distribution Service 3.0
RP700: 9/16/2012 2:29:13 AM - Software Distribution Service 3.0
RP701: 9/16/2012 9:57:12 AM - Software Distribution Service 3.0
RP702: 9/17/2012 3:56:33 PM - Revo Uninstaller's restore point - Mozilla Firefox 15.0.1 (x86 en-GB)
RP703: 9/17/2012 5:31:56 PM - Software Distribution Service 3.0
RP704: 9/18/2012 5:33:11 PM - Software Distribution Service 3.0
RP705: 9/19/2012 6:01:58 PM - Software Distribution Service 3.0
RP706: 9/19/2012 10:35:37 PM - Revo Uninstaller's restore point - Mozilla Firefox 15.0.1 (x86 en-US)
RP707: 9/19/2012 11:53:52 PM - CLEAN MASTER Good
RP708: 9/20/2012 7:51:14 PM - Software Distribution Service 3.0
RP709: 9/21/2012 7:51:52 PM - System Checkpoint
RP710: 9/24/2012 8:38:55 AM - Software Distribution Service 3.0
RP711: 9/24/2012 9:00:33 AM - Software Distribution Service 3.0
RP712: 9/24/2012 6:22:29 PM - Software Distribution Service 3.0
RP713: 9/25/2012 8:57:22 AM - Software Distribution Service 3.0
RP714: 9/27/2012 8:44:05 AM - Software Distribution Service 3.0
RP715: 9/27/2012 9:08:58 AM - Software Distribution Service 3.0
RP716: 9/28/2012 4:06:20 PM - System Checkpoint
RP717: 10/1/2012 8:52:46 AM - Software Distribution Service 3.0
RP718: 10/2/2012 9:00:27 AM - Software Distribution Service 3.0
RP719: 10/2/2012 9:18:26 AM - Software Distribution Service 3.0
RP720: 10/3/2012 10:31:59 AM - Software Distribution Service 3.0
RP721: 10/5/2012 9:18:00 AM - Software Distribution Service 3.0
RP722: 10/6/2012 9:52:40 AM - Software Distribution Service 3.0
RP723: 10/7/2012 2:21:15 AM - Software Distribution Service 3.0
RP724: 10/7/2012 9:52:55 AM - Software Distribution Service 3.0
RP725: 10/8/2012 10:02:32 AM - Software Distribution Service 3.0
RP726: 10/9/2012 4:33:07 PM - System Checkpoint
RP727: 10/9/2012 9:26:22 PM - Software Distribution Service 3.0
RP728: 10/10/2012 7:51:39 PM - LAST Best POINT
RP729: 10/11/2012 8:42:17 AM - Software Distribution Service 3.0
RP730: 10/11/2012 9:00:49 AM - Software Distribution Service 3.0
RP731: 10/11/2012 10:52:37 PM - OCTOBER RESET BEST
RP732: 10/12/2012 1:26:27 AM - Created by Wise Care 365
RP733: 10/12/2012 9:33:24 AM - Software Distribution Service 3.0
RP734: 10/13/2012 3:06:17 PM - Software Distribution Service 3.0
RP735: 10/14/2012 2:30:59 AM - Software Distribution Service 3.0
RP736: 10/14/2012 3:47:12 PM - Software Distribution Service 3.0
RP737: 10/15/2012 4:04:42 PM - Software Distribution Service 3.0
RP738: 10/16/2012 8:04:55 AM - Removed Java™ 7 Update 4
RP739: 10/17/2012 4:23:57 AM - Software Distribution Service 3.0
RP740: 10/18/2012 5:01:31 AM - System Checkpoint
RP741: 10/18/2012 11:22:11 AM - Software Distribution Service 3.0
RP742: 10/19/2012 11:44:56 AM - Software Distribution Service 3.0
RP743: 10/20/2012 12:54:25 PM - Software Distribution Service 3.0
RP744: 10/21/2012 1:35:54 AM - Software Distribution Service 3.0
RP745: 10/21/2012 2:50:22 PM - Software Distribution Service 3.0
RP746: 10/21/2012 8:09:55 PM - Installed Java 7 Update 9
RP747: 10/22/2012 2:50:20 PM - Software Distribution Service 3.0
RP748: 10/24/2012 8:42:55 AM - Software Distribution Service 3.0
RP749: 10/25/2012 9:18:34 AM - Software Distribution Service 3.0
RP750: 10/26/2012 9:47:51 AM - Software Distribution Service 3.0
RP751: 10/26/2012 5:36:17 PM - Installed SES Driver
RP752: 10/27/2012 5:40:19 PM - Software Distribution Service 3.0
RP753: 10/27/2012 9:39:05 PM - Revo Uninstaller's restore point - Funmoods
RP754: 10/27/2012 9:44:49 PM - Restore Operation
RP755: 10/27/2012 10:00:11 PM - Software Distribution Service 3.0
RP756: 10/28/2012 1:51:25 AM - Software Distribution Service 3.0
RP757: 10/29/2012 2:44:16 AM - System Checkpoint
RP758: 10/29/2012 10:09:35 AM - Revo Uninstaller's restore point - Mozilla Firefox 16.0.1 (x86 en-US)
RP759: 10/29/2012 10:26:53 AM - Installed WD Software Upgrader
RP760: 10/29/2012 5:44:03 PM - Software Distribution Service 3.0
RP761: 10/29/2012 6:00:36 PM - Software Distribution Service 3.0
RP762: 10/29/2012 7:51:27 PM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
7-Zip 4.65
Acronis Migrate Easy
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.4)
Advanced Windows Mail Recovery
Alt-Tab Task Switcher Powertoy for Windows XP
Apple Software Update
AutoStreamer
Avira AntiVir Personal - Free Antivirus
Compatibility Pack for the 2007 Office system
ESET Online Scanner v3
Eusing Free Registry Cleaner
Eusing Free Registry Defrag
Foxit Reader
Free Internet Window Washer
Free YouTube Downloader 3.5.126
Glary Undelete 1.6.0.262
Google Desktop
Google Toolbar for Internet Explorer
Google Update Helper
HashCheck Shell Extension (x86-32)
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB2756822)
Java 7 Update 9
Java Auto Updater
Java™ 6 Update 37
JavaFX 2.1.0
Malwarebytes Anti-Malware version 1.65.1.1000
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft .NET Framework 1.1 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Office File Validation Add-In
Microsoft Office Professional Edition 2003
Microsoft Office Standard Edition 2003
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works
Mozilla Firefox 16.0.2 (x86 en-US)
Mozilla Maintenance Service
MSXML 4.0 SP3 Parser
MSXML 4.0 SP3 Parser (KB2721691)
MSXML 4.0 SP3 Parser (KB973685)
MWSnap 3
NirSoft WinUpdatesList
nLite 1.4.9.1
Open Command Prompt Shell Extension (x86-32)
QuickTime
QuickTime Alternative 3.0.0
Recuva
Revo Uninstaller 1.94
ScreenShot V1.0.0.0
Secunia PSI (2.0.0.3001)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2709162)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135)
Security Update for Windows XP (KB2724197)
Security Update for Windows XP (KB2731847)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Spybot - Search & Destroy
SpywareBlaster 4.4
SUPERAntiSpyware
UBitMenu UK
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2718704)
Update for Windows XP (KB2736233)
Update for Windows XP (KB2749655)
Update for Windows XP (KB955759)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
User Profile Hive Cleanup Service
VC 9.0 Runtime
WD Drive Utilities
WD Security
WD SmartWare
WebEx Recorder and Player
WebFldrs XP
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
WinUndelete 3.50
Wise Care 365 version 2.03
Wise Disk Cleaner 5.93
Wise Registry Cleaner 7.51
YTD Video Downloader 3.9.2
.
==== Event Viewer Messages From Past Week ========
.
10/30/2012 8:41:10 AM, error: Service Control Manager [7000] - The wscsvc service failed to start due to the following error: The executable program that this service is configured to run in does not implement the service.
10/30/2012 12:45:40 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the WD Rules service to connect.
10/30/2012 12:45:40 PM, error: Service Control Manager [7001] - The WD Backup service depends on the WD Rules service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
10/30/2012 12:45:40 PM, error: Service Control Manager [7000] - The WD Rules service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
.
==== End Of File ===========================

#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,762 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:11 AM

Posted 31 October 2012 - 09:41 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Close any open browsers, and all other programs working. Make sure you save your file if working on a document.
  • Do not install any other programs until this is fixed.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third-party programs, if not up to date, can be the point of infiltration for an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).

Please post the logs and let me know if the problem persists.

#7 stonemanjr

stonemanjr
  • Topic Starter

  • Members
  • 308 posts
  • OFFLINE
  • Local time:07:11 AM

Posted 31 October 2012 - 04:06 PM

ComboFix 12-10-29.05 - Owner 10/29/2012 21:58:08.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.207 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
.
.
((((((((((((((((((((((((( Files Created from 2012-09-28 to 2012-10-30 )))))))))))))))))))))))))))))))
.
.
2012-10-30 01:29 . 2012-10-30 01:29 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8312E5F4-5093-4E92-85D7-81F9A5658594}\MpKslc6c4a5b2.sys
2012-10-29 23:30 . 2012-10-29 23:30 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8312E5F4-5093-4E92-85D7-81F9A5658594}\MpKsl614b51a2.sys
2012-10-29 22:01 . 2012-10-12 05:56 6918632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8312E5F4-5093-4E92-85D7-81F9A5658594}\mpengine.dll
2012-10-29 21:45 . 2012-10-29 21:46 -------- d-----w- C:\67c21b6cd355495049ee9777403c75cc
2012-10-29 21:45 . 2012-10-29 21:45 -------- d-----w- C:\22273a9c196c1a373ce0a9
2012-10-29 14:15 . 2012-10-29 21:24 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-10-29 13:34 . 2012-10-29 13:34 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Western_Digital
2012-10-28 22:22 . 2011-12-16 17:18 11520 ----a-w- c:\windows\system32\drivers\wdcsam.sys
2012-10-28 22:21 . 2012-10-28 22:21 -------- d-----w- c:\program files\Common Files\Western Digital
2012-10-28 20:20 . 2012-10-28 20:26 -------- d-----w- C:\MGtools
2012-10-28 05:51 . 2012-10-12 05:56 6918632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-10-28 01:46 . 2012-10-28 01:46 -------- d-----w- c:\windows\system32\wbem\Repository
2012-10-27 21:03 . 2004-08-11 19:55 110602 ----a-w- c:\windows\system32\xcdsfx32.bin
2012-10-27 21:02 . 2012-10-28 01:46 -------- d-----w- c:\program files\Driver Magician
2012-10-27 20:56 . 2012-10-27 20:57 -------- d-----w- C:\My Drivers
2012-10-27 20:53 . 2012-10-27 20:53 -------- d-----w- c:\program files\JerMar Software Corp
2012-10-27 20:53 . 2012-10-27 20:53 -------- d-----w- c:\program files\InstallShield Installation Information
2012-10-27 20:25 . 2012-10-27 20:25 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Innovative Solutions
2012-10-27 20:23 . 2012-10-27 20:23 -------- d-----w- c:\program files\Innovative Solutions
2012-10-27 19:53 . 2012-10-28 01:46 -------- d-----w- c:\documents and settings\Owner\Application Data\Funmoods
2012-10-27 19:51 . 2012-10-27 19:51 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Wajam
2012-10-27 19:50 . 2012-10-28 01:46 -------- d-----w- c:\program files\My Drivers
2012-10-27 19:49 . 2012-10-28 01:46 -------- d-----w- c:\program files\Wajam
2012-10-26 21:37 . 2012-10-29 14:37 -------- d-----w- c:\program files\Western Digital
2012-10-26 21:03 . 2008-04-14 12:00 290816 ----a-w- c:\windows\system32\dllcache\adsiis51.dll
2012-10-26 21:03 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\dllcache\admwprox.dll
2012-10-22 00:10 . 2012-09-25 03:16 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-10-16 12:20 . 2012-10-16 12:20 -------- d-----w- c:\program files\Common Files\Java
2012-10-13 18:34 . 2012-10-13 18:34 -------- d--h--w- c:\windows\system32\GroupPolicy
2012-10-11 21:49 . 2012-10-30 01:33 -------- d-----w- c:\documents and settings\Owner\Application Data\Wise Care 365
2012-10-11 21:20 . 2012-10-11 21:20 -------- d-----w- c:\program files\Wise
2012-10-11 21:20 . 2012-10-11 21:20 -------- d-----w- c:\documents and settings\Owner\Application Data\Wise Registry Cleaner
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-28 20:26 . 2012-10-28 20:21 152470 ----a-w- C:\MGlogs.zip
2012-10-09 16:17 . 2012-04-03 22:49 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-09 16:17 . 2012-02-23 21:46 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-29 23:54 . 2011-01-29 01:08 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-25 03:16 . 2012-05-17 14:33 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-09-25 03:16 . 2011-01-22 00:59 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-25 02:56 . 2011-12-22 01:16 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-09-19 22:03 . 2012-09-19 22:03 177496 ----a-w- c:\windows\system32\drivers\42519383.sys
2012-08-31 02:03 . 2010-10-25 03:25 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-08-28 15:13 . 2009-10-19 08:27 920064 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:13 . 2009-10-19 08:26 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:13 . 2009-10-19 08:25 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07 . 2009-10-19 08:25 385024 ----a-w- c:\windows\system32\html.iec
2012-08-24 13:52 . 2009-10-19 08:27 178176 ----a-w- c:\windows\system32\wintrust.dll
2012-08-21 13:48 . 2009-10-19 08:26 2193024 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-21 13:05 . 2009-08-04 16:47 2069632 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-10-24 17:50 . 2012-10-29 14:28 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-10-19 . BA8C046D98345129723E6BCAA1E8AB99 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
.
.
c:\windows\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-02-06 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2012-07-06 30192]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
"WD Drive Unlocker"="c:\program files\Western Digital\WD Apps\WDDriveAutoUnlock.exe" [2011-12-16 1687968]
"WD Quick View"="c:\program files\Western Digital\WD Quick View\WDDMStatus.exe" [2012-09-20 5236664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 18 (0x12)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
R1 MpKslc6c4a5b2;MpKslc6c4a5b2;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8312E5F4-5093-4E92-85D7-81F9A5658594}\MpKslc6c4a5b2.sys [10/29/2012 9:29 PM 29904]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [6/29/2010 1:48 PM 114416]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/15/2011 7:52 PM 136360]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [1/10/2011 10:24 AM 993848]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [1/10/2011 10:24 AM 399416]
R2 WDDriveService;WD Drive Manager;c:\program files\Western Digital\WD Drive Manager\WDDriveService.exe [9/19/2012 9:02 PM 248248]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 4:30 AM 15544]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [10/19/2009 4:29 AM 9472]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/6/2012 3:59 PM 136176]
S2 WDBackup;WD Backup;c:\program files\Western Digital\WD SmartWare\WDBackupEngine.exe [9/19/2012 9:10 PM 1157056]
S2 WDRulesService;WD Rules;c:\program files\Western Digital\WD SmartWare\WDRulesEngine.exe [9/19/2012 9:10 PM 1177536]
S2 WiseBootAssistant;Wise Boot Assistant;c:\program files\Wise\Wise Care 365\BootTime.exe [10/11/2012 5:20 PM 580648]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [8/30/2012 1:02 PM 250808]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [1/24/2011 10:57 AM 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/6/2012 3:59 PM 136176]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [10/29/2012 10:15 AM 115168]
S3 SysProtDrv.sys;SysProtDrv.sys;\??\c:\docume~1\Owner\LOCALS~1\Temp\7zO17.tmp\SysProtDrv.sys --> c:\docume~1\Owner\LOCALS~1\Temp\7zO17.tmp\SysProtDrv.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [10/28/2012 6:22 PM 11520]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLC6C4A5B2
*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-07-21 18:59]
.
2012-10-29 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-30 16:17]
.
2012-10-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-06 19:58]
.
2012-10-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-06 19:58]
.
2012-10-30 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-09-12 21:25]
.
2012-10-29 c:\windows\Tasks\User_Feed_Synchronization-{F51BDFA4-4B2F-4CA5-8A91-76142D68EC61}.job
- c:\windows\system32\msfeedssync.exe [2009-10-19 08:30]
.
2012-10-30 c:\windows\Tasks\Wise Care 365.job
- c:\program files\Wise\Wise Care 365\WiseTray.exe [2012-10-11 21:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\yl4etcqn.default\
FF - ExtSQL: 2012-10-29 10:33; firefox1@myibay.com; c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\yl4etcqn.default\extensions\firefox1@myibay.com.xpi
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-HitmanPro36 - c:\documents and settings\Owner\My Documents\HitmanPro36.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-29 22:11
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-484763869-1844823847-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{23CBCFBB-AEC5-CA23-CA98-CF93341FF517}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3728)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\progra~1\SPYBOT~1\SDHelper.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
Completion time: 2012-10-29 22:15:59
ComboFix-quarantined-files.txt 2012-10-30 02:15
ComboFix2.txt 2012-10-26 05:49
ComboFix3.txt 2012-10-22 20:09
ComboFix4.txt 2012-10-22 00:44
ComboFix5.txt 2012-10-28 14:51
.
Pre-Run: 290,303,397,888 bytes free
Post-Run: 290,267,639,808 bytes free
.
- - End Of File - - A5741011729EE690070975604B3E1776
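A small triage helper for logs in the format above, added here as an example that is not part of the thread and not ComboFix's own code: it parses ComboFix service/driver lines, file-listing lines and Run-key lines and flags images that load from a Temp folder, entries ComboFix stamped with `[?]` instead of a date and size, and kernel drivers with machine-generated names. The sample lines are constructed and modelled on the log above; the `Updater` Run entry is invented purely to show what a flagged Run key looks like.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the three ComboFix formats the triage looks at,
# modelled on the log above (shortened). The "Updater" Run entry is invented
# to show a flagged Run key; it does not appear in the real log.
SAMPLE_LOG = r"""
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
S3 SysProtDrv.sys;SysProtDrv.sys;\??\c:\docume~1\Owner\LOCALS~1\Temp\7zO17.tmp\SysProtDrv.sys --> c:\docume~1\Owner\LOCALS~1\Temp\7zO17.tmp\SysProtDrv.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [10/28/2012 6:22 PM 11520]
2012-09-19 22:03 . 2012-09-19 22:03 177496 ----a-w- c:\windows\system32\drivers\42519383.sys
2012-08-21 13:48 . 2009-10-19 08:26 2193024 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-10-27 21:02 . 2012-10-28 01:46 -------- d-----w- c:\program files\Driver Magician
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Updater"="c:\documents and settings\Owner\Local Settings\Temp\upd.exe" [2012-10-27 51200]
"""


@dataclass
class Entry:
    kind: str          # "service", "file" or "run"
    name: str
    path: str
    detail: str = ""   # the [date size] stamp, or "?" when ComboFix printed [?]


@dataclass
class Finding:
    entry: Entry
    reasons: list


# "R1 name;display name;path [stamp]" or "S3 name;display;path --> path [?]"
SERVICE_RE = re.compile(
    r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)(?:\s+-->\s+.+?)?\s+\[([^\]]*)\]\s*$")
# "created . modified size attrs path" (Files Created / Find3M sections)
FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d (\S+) (\S+) (.+)$")
# '"value"="path" [stamp]' under a Run key
RUN_RE = re.compile(r'^"([^"]*)"="([^"]*)"(?:\s+\[([^\]]*)\])?\s*$')

TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
RANDOM_NAME_RE = re.compile(r"^[0-9a-f]{8,}$", re.IGNORECASE)
PE_EXT = (".sys", ".exe", ".dll", ".cpl")


def parse_combofix(text):
    """Turn the recognised line formats into Entry objects; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            entries.append(Entry("service", m.group(2), m.group(4), m.group(5)))
            continue
        m = FILE_RE.match(line)
        if m:
            size, attrs, path = m.groups()
            if attrs.startswith("d"):
                continue  # directories carry no image to check
            entries.append(Entry("file", path.rsplit("\\", 1)[-1], path, size))
            continue
        m = RUN_RE.match(line)
        if m:
            entries.append(Entry("run", m.group(1), m.group(2), m.group(3) or ""))
    return entries


def triage(entries):
    """Apply three responder heuristics to every executable image in the entries."""
    findings = []
    for e in entries:
        low = e.path.lower()
        if not low.endswith(PE_EXT):
            continue
        reasons = []
        if TEMP_RE.search(low):
            reasons.append("image loads from a Temp folder rather than an install location")
        if e.detail == "?":
            reasons.append("ComboFix printed [?]: it found no date/size for the file at that path")
        stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if "\\system32\\drivers\\" in low and RANDOM_NAME_RE.match(stem):
            reasons.append("kernel driver with a machine-generated name; confirm its vendor and signer")
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


def triage_log(text):
    """Parse and triage in one go; returns {path: [reasons]} for flagged entries only."""
    return {f.entry.path: f.reasons for f in triage(parse_combofix(text))}


if __name__ == "__main__":
    for path, reasons in triage_log(SAMPLE_LOG).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

A flag is a prompt to verify the file (vendor, signature, install history), not a verdict; legitimate tools such as rootkit scanners also drop randomly named drivers.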

#8 stonemanjr

stonemanjr
  • Topic Starter

  • Members
  • 308 posts
  • OFFLINE
  • Local time:07:11 AM

Posted 01 November 2012 - 12:36 AM

ComboFix 12-10-31.03 - Owner 10/31/2012 23:46:55.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.183 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
.
.
((((((((((((((((((((((((( Files Created from 2012-10-01 to 2012-11-01 )))))))))))))))))))))))))))))))
.
.
2012-10-31 21:25 . 2012-10-31 21:25 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2DD2A717-7E8E-40C1-B79F-393F63BDE253}\MpKsl514f5327.sys
2012-10-31 17:41 . 2012-10-31 17:41 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2DD2A717-7E8E-40C1-B79F-393F63BDE253}\MpKsl2ad826ee.sys
2012-10-31 12:35 . 2012-10-31 12:35 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2DD2A717-7E8E-40C1-B79F-393F63BDE253}\MpKsle2101a28.sys
2012-10-30 22:47 . 2012-10-30 22:47 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2DD2A717-7E8E-40C1-B79F-393F63BDE253}\MpKsla9465e61.sys
2012-10-30 22:35 . 2012-10-12 05:56 6918632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2DD2A717-7E8E-40C1-B79F-393F63BDE253}\mpengine.dll
2012-10-30 18:36 . 2012-10-30 18:36 -------- d-----w- c:\windows\system32\wbem\Repository
2012-10-29 22:01 . 2012-10-12 05:56 6918632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-10-29 21:45 . 2012-10-29 21:46 -------- d-----w- C:\67c21b6cd355495049ee9777403c75cc
2012-10-29 21:45 . 2012-10-29 21:45 -------- d-----w- C:\22273a9c196c1a373ce0a9
2012-10-29 14:15 . 2012-10-29 21:24 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-10-29 13:34 . 2012-10-29 13:34 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Western_Digital
2012-10-28 22:22 . 2011-12-16 17:18 11520 ----a-w- c:\windows\system32\drivers\wdcsam.sys
2012-10-28 22:21 . 2012-10-28 22:21 -------- d-----w- c:\program files\Common Files\Western Digital
2012-10-28 20:20 . 2012-10-28 20:26 -------- d-----w- C:\MGtools
2012-10-27 21:03 . 2004-08-11 19:55 110602 ----a-w- c:\windows\system32\xcdsfx32.bin
2012-10-27 21:02 . 2012-10-28 01:46 -------- d-----w- c:\program files\Driver Magician
2012-10-27 20:56 . 2012-10-27 20:57 -------- d-----w- C:\My Drivers
2012-10-27 20:53 . 2012-10-27 20:53 -------- d-----w- c:\program files\JerMar Software Corp
2012-10-27 20:53 . 2012-10-27 20:53 -------- d-----w- c:\program files\InstallShield Installation Information
2012-10-27 20:25 . 2012-10-27 20:25 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Innovative Solutions
2012-10-27 20:23 . 2012-10-27 20:23 -------- d-----w- c:\program files\Innovative Solutions
2012-10-27 19:53 . 2012-10-28 01:46 -------- d-----w- c:\documents and settings\Owner\Application Data\Funmoods
2012-10-27 19:51 . 2012-10-27 19:51 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Wajam
2012-10-27 19:50 . 2012-10-28 01:46 -------- d-----w- c:\program files\My Drivers
2012-10-27 19:49 . 2012-10-28 01:46 -------- d-----w- c:\program files\Wajam
2012-10-26 21:37 . 2012-10-29 14:37 -------- d-----w- c:\program files\Western Digital
2012-10-26 21:03 . 2008-04-14 12:00 290816 ----a-w- c:\windows\system32\dllcache\adsiis51.dll
2012-10-26 21:03 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\dllcache\admwprox.dll
2012-10-22 00:10 . 2012-09-25 03:16 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-10-16 12:20 . 2012-10-16 12:20 -------- d-----w- c:\program files\Common Files\Java
2012-10-13 18:34 . 2012-10-13 18:34 -------- d--h--w- c:\windows\system32\GroupPolicy
2012-10-11 21:49 . 2012-10-31 22:30 -------- d-----w- c:\documents and settings\Owner\Application Data\Wise Care 365
2012-10-11 21:20 . 2012-10-11 21:20 -------- d-----w- c:\program files\Wise
2012-10-11 21:20 . 2012-10-11 21:20 -------- d-----w- c:\documents and settings\Owner\Application Data\Wise Registry Cleaner
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-28 20:26 . 2012-10-28 20:21 152470 ----a-w- C:\MGlogs.zip
2012-10-09 16:17 . 2012-04-03 22:49 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-09 16:17 . 2012-02-23 21:46 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-29 23:54 . 2011-01-29 01:08 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-25 03:16 . 2012-05-17 14:33 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-09-25 03:16 . 2011-01-22 00:59 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-25 02:56 . 2011-12-22 01:16 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-09-19 22:03 . 2012-09-19 22:03 177496 ----a-w- c:\windows\system32\drivers\42519383.sys
2012-08-31 02:03 . 2010-10-25 03:25 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-08-28 15:13 . 2009-10-19 08:27 920064 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:13 . 2009-10-19 08:26 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:13 . 2009-10-19 08:25 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07 . 2009-10-19 08:25 385024 ----a-w- c:\windows\system32\html.iec
2012-08-24 13:52 . 2009-10-19 08:27 178176 ----a-w- c:\windows\system32\wintrust.dll
2012-08-21 13:48 . 2009-10-19 08:26 2193024 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-21 13:05 . 2009-08-04 16:47 2069632 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-10-24 17:50 . 2012-10-29 14:28 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-10-19 . BA8C046D98345129723E6BCAA1E8AB99 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
.
.
c:\windows\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-02-06 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2012-07-06 30192]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
"WD Drive Unlocker"="c:\program files\Western Digital\WD Apps\WDDriveAutoUnlock.exe" [2011-12-16 1687968]
"WD Quick View"="c:\program files\Western Digital\WD Quick View\WDDMStatus.exe" [2012-09-20 5236664]
"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2009-01-05 413696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 18 (0x12)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
R1 MpKsl514f5327;MpKsl514f5327;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2DD2A717-7E8E-40C1-B79F-393F63BDE253}\MpKsl514f5327.sys [10/31/2012 5:25 PM 29904]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [6/29/2010 1:48 PM 114416]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/15/2011 7:52 PM 136360]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [1/10/2011 10:24 AM 993848]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [1/10/2011 10:24 AM 399416]
R2 WDDriveService;WD Drive Manager;c:\program files\Western Digital\WD Drive Manager\WDDriveService.exe [9/19/2012 9:02 PM 248248]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 4:30 AM 15544]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [10/19/2009 4:29 AM 9472]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/6/2012 3:59 PM 136176]
S2 WDBackup;WD Backup;c:\program files\Western Digital\WD SmartWare\WDBackupEngine.exe [9/19/2012 9:10 PM 1157056]
S2 WDRulesService;WD Rules;c:\program files\Western Digital\WD SmartWare\WDRulesEngine.exe [9/19/2012 9:10 PM 1177536]
S2 WiseBootAssistant;Wise Boot Assistant;c:\program files\Wise\Wise Care 365\BootTime.exe [10/11/2012 5:20 PM 580648]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [8/30/2012 1:02 PM 250808]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [1/24/2011 10:57 AM 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/6/2012 3:59 PM 136176]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [10/29/2012 10:15 AM 115168]
S3 SysProtDrv.sys;SysProtDrv.sys;\??\c:\docume~1\Owner\LOCALS~1\Temp\7zO17.tmp\SysProtDrv.sys --> c:\docume~1\Owner\LOCALS~1\Temp\7zO17.tmp\SysProtDrv.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [10/28/2012 6:22 PM 11520]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL514F5327
*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-31 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-07-21 18:59]
.
2012-10-31 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-30 16:17]
.
2012-10-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-06 19:58]
.
2012-10-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-06 19:58]
.
2012-10-31 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-09-12 21:25]
.
2012-10-31 c:\windows\Tasks\User_Feed_Synchronization-{F51BDFA4-4B2F-4CA5-8A91-76142D68EC61}.job
- c:\windows\system32\msfeedssync.exe [2009-10-19 08:30]
.
2012-10-31 c:\windows\Tasks\Wise Care 365.job
- c:\program files\Wise\Wise Care 365\WiseTray.exe [2012-10-11 21:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\yl4etcqn.default\
FF - ExtSQL: 2012-10-29 10:33; firefox1@myibay.com; c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\yl4etcqn.default\extensions\firefox1@myibay.com.xpi
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-31 23:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-484763869-1844823847-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{23CBCFBB-AEC5-CA23-CA98-CF93341FF517}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3608)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-11-01 00:01:29
ComboFix-quarantined-files.txt 2012-11-01 04:01
ComboFix2.txt 2012-10-30 02:16
ComboFix3.txt 2012-10-26 05:49
ComboFix4.txt 2012-10-22 20:09
ComboFix5.txt 2012-10-30 22:50
.
Pre-Run: 289,868,742,656 bytes free
Post-Run: 289,887,297,536 bytes free
.
- - End Of File - - 2772D088C453292A55DE245DC107F88D
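The service/driver listing in the ComboFix log above is where a reviewer looks first for images loading from odd locations. The script below is an added example (not from this thread and not a ComboFix or BleepingComputer tool): it parses lines in that format and flags entries whose image sits under a Temp directory, whose file ComboFix could not stat ("[?]"), or which are boot/system-start drivers outside system32\drivers, which is what makes the SysProtDrv.sys line stand out. The sample lines are copied from the log above; the flag rules are my own assumptions and mean "review this", not "malware": legitimate portable tools, including anti-rootkit utilities unpacked by 7-Zip, load drivers from Temp as well.

```python
"""Triage helper for ComboFix-style service/driver listings (added example).

Parses lines such as

    R3 PSI;PSI;c:\\windows\\system32\\drivers\\psi_mf.sys [9/1/2010 4:30 AM 15544]
    S3 Foo.sys;Foo.sys;\\??\\c:\\...\\Temp\\x\\Foo.sys --> c:\\...\\Temp\\x\\Foo.sys [?]

and returns the entries that earn a review flag.  Flags are triage pointers,
not verdicts; the rules below are assumptions, not ComboFix logic.
"""
import re
from dataclasses import dataclass, field

# state (R running / S stopped), start type, service name, display name, rest of line
_LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<rest>.+)$"
)
# Directory fragments that warrant a look (matches 8.3 short names such as LOCALS~1\Temp too)
_TEMP_MARKERS = ("\\temp\\",)

# Sample input: lines copied from the ComboFix log in this thread
SAMPLE_LINES = [
    r"R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [6/29/2010 1:48 PM 114416]",
    r"R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 4:30 AM 15544]",
    r"S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [10/19/2009 4:29 AM 9472]",
    r"S3 SysProtDrv.sys;SysProtDrv.sys;\??\c:\docume~1\Owner\LOCALS~1\Temp\7zO17.tmp\SysProtDrv.sys --> c:\docume~1\Owner\LOCALS~1\Temp\7zO17.tmp\SysProtDrv.sys [?]",
    r"S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [10/28/2012 6:22 PM 11520]",
]


@dataclass
class ServiceEntry:
    state: str            # "R" running, "S" stopped
    start: int            # Windows start type: 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
    name: str
    image: str            # resolved image path with any \??\ prefix removed
    metadata: str         # text inside the trailing [...] ("?" when ComboFix could not stat the file)
    flags: list = field(default_factory=list)


def parse_line(line):
    """Parse one listing line into a ServiceEntry (None if the line is not a service entry)."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    meta = ""
    mm = re.search(r"\[([^\]]*)\]\s*$", rest)
    if mm:
        meta = mm.group(1)
        rest = rest[:mm.start()].strip()
    # ComboFix prints "registered --> resolved" for NT-prefixed paths; keep the resolved path
    image = rest.split("-->")[-1].strip()
    if image.startswith("\\??\\"):
        image = image[4:]
    entry = ServiceEntry(m.group("state"), int(m.group("start")), m.group("name"), image, meta)

    low = image.lower()
    if any(marker in low for marker in _TEMP_MARKERS):
        entry.flags.append("image under Temp directory")
    if meta == "?":
        entry.flags.append("file not found at scan time")
    if entry.start <= 1 and "\\system32\\drivers\\" not in low:
        entry.flags.append("boot/system-start driver outside system32\\drivers")
    return entry


def triage(lines):
    """Return only the entries that earned at least one review flag."""
    flagged = []
    for line in lines:
        entry = parse_line(line)
        if entry and entry.flags:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LINES):
        print(f"{e.state}{e.start} {e.name}: {e.image}")
        for f in e.flags:
            print(f"    - {f}")
```

Run it against a saved ComboFix.txt by feeding the lines between "Services/Drivers" and "Other Services/Drivers In Memory" to triage(); anything it returns is a candidate to look up by hash or publisher before deciding whether it belongs.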

#9 nasdaq

nasdaq

  • Malware Response Team
  • 38,762 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:11 AM

Posted 01 November 2012 - 09:48 AM

You did see this warning?
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

Execute this immediately.
How to install and use the Windows XP Recovery Console
http://www.bleepingcomputer.com/tutorials/tutorial117.html

You will be sorry if you do not and have to restore your operating system.

How to:
http://www.bleepingcomputer.com/tutorials/tutorial117.html
===

I also need to see the logs for the AdwCleaner and the Security Check as requested on my previous post.

Post the logs and let me know what problem persists.

#10 stonemanjr

stonemanjr
  • Topic Starter

  • Members
  • 308 posts
  • OFFLINE
  • Local time:07:11 AM

Posted 01 November 2012 - 03:58 PM

ok the Adw cleaner showed nothing and I didn't see a Security screen? but will go back up and look

#11 stonemanjr

stonemanjr
  • Topic Starter

  • Members
  • 308 posts
  • OFFLINE
  • Local time:07:11 AM

Posted 01 November 2012 - 05:09 PM

OK my mistake, ran the wrong one and didn't see the Security screen....running now


# AdwCleaner v2.006 - Logfile created 11/01/2012 at 17:27:20
# Updated 30/10/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Owner - ANONYMOUS
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Owner\My Documents\Downloads\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Documents and Settings\Owner\Application Data\Funmoods
Folder Deleted : C:\Documents and Settings\Owner\Application Data\OpenCandy
Folder Deleted : C:\Documents and Settings\Owner\Local Settings\Application Data\Wajam
Folder Deleted : C:\Program Files\Wajam

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\incredibar.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\incredibar.com
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2D360201-FFF5-11D1-8D03-00A0C959BC0A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\incredibar.com
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\incredibar.com
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\conduitEngine

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v16.0.2 (en-US)

Profile name : default
File : C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\yl4etcqn.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v [Unable to get version]

File : C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

Deleted [l.5] : search_url = "hxxp://searchfunmoods.com/results.php?f=4&q={searchTerms}&a=download&chnl=download&cd=2XzuyEtN2Y1L1QzutDtDtDyB0EzytCyEtByE0ByCyCtAyE0DtN0D0Tzu0CtAtDtCtN1L2XzutBtFtBtFtDtFtAyEyE&cr=1270782237",

*************************

AdwCleaner[R1].txt - [2141 octets] - [01/11/2012 17:26:13]
AdwCleaner[S1].txt - [2094 octets] - [01/11/2012 17:27:20]

########## EOF - C:\AdwCleaner[S1].txt - [2154 octets] ##########

#12 stonemanjr

stonemanjr
  • Topic Starter

  • Members
  • 308 posts
  • OFFLINE
  • Local time:07:11 AM

Posted 01 November 2012 - 05:12 PM

Results of screen317's Security Check version 0.99.18
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
Avira AntiVir Personal - Free Antivirus
ESET Online Scanner v3
Microsoft Security Essentials
WMI entry may not exist for antivirus; attempting automatic update.
Avira successfully updated!
```````````````````````````````
Anti-malware/Other Utilities Check:

MVPS Hosts File
SpywareBlaster 4.4
Spybot - Search & Destroy
SUPERAntiSpyware
Secunia PSI (2.0.0.3001)
Free Internet Window Washer
Eusing Free Registry Cleaner
Wise Disk Cleaner 5.93
Wise Registry Cleaner 7.51
JavaFX 2.1.0
Java™ 6 Update 37
Java 7 Update 9
Out of date Java installed!
Flash Player Out of Date!
Adobe Reader X (10.1.4)
Mozilla Firefox (x86 en-US..)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
Microsoft Security Essentials msseces.exe
``````````End of Log````````````

#13 nasdaq

nasdaq

  • Malware Response Team
  • 38,762 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:11 AM

Posted 02 November 2012 - 07:39 AM

Remove this old version of Java 7 Update 9 using the Add/Remove Programs applet.

===

If you did get a BSOD recently and it happens please post the exact error message. It may help to identify the culprit.

Any other issues with this computer?

#14 stonemanjr

stonemanjr
  • Topic Starter

  • Members
  • 308 posts
  •  
  • Local time:07:11 AM

Posted 02 November 2012 - 12:24 PM

ok will try this. Yes we are getting the BSOD daily ..not sure of its message. We had never received this before until trying to remove the Funmoods junk with Malwarebytes? The computer continues to stick/slow down and then either freeze or show the BSOD. Combofix does not seem to be curing this.

#15 stonemanjr

stonemanjr
  • Topic Starter

  • Members
  • 308 posts
  • OFFLINE
  • Local time:07:11 AM

Posted 02 November 2012 - 12:35 PM

What is the updated version of Java that we are supposed to have, since the one you cite is the one Java recommends as the update?

