Believed infected with Adobe Update Virus


  • This topic is locked
8 replies to this topic

#1 grog5150

Posted 17 November 2012 - 11:03 PM

DDS (Ver_2012-11-07.01) - NTFS_x86
Internet Explorer: 9.0.8112.16450 BrowserJavaVersion: 10.9.2
Run by Joe at 22:52:30 on 2012-11-17
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3006.1651 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Enabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\SLsvc.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\AERTSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\SearchIndexer.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Users\Joe.Missy-PC.003\AppData\Local\Akamai\netsession_win.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\Joe.Missy-PC.003\AppData\Local\Akamai\netsession_win.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_4_402_287_ActiveX.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\iexplore.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k Akamai
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2080103
mStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
mDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2080103
uProxyOverride = 127.0.0.1:9421;<local>
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CBrowserHelperObject Object: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Akamai NetSession Interface] "c:\users\joe.missy-pc.003\appdata\local\akamai\netsession_win.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Windows Mobile Device Center] c:\windows\windowsmobile\wmdc.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxps://support.dell.com/systemprofiler/SysProExe.CAB
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - hxxps://signin3.valueactive.com/Register/Branding/olr3313/OCX/v1018/flashax.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.2.1 68.105.28.12 68.105.29.12 68.105.28.11
TCP: Interfaces\{CB909B91-7B54-4FBD-AD27-B3861D04AAC6} : DHCPNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
TCP: Interfaces\{D2C79C22-0F2C-4939-948C-DB60511D0979} : DHCPNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
TCP: Interfaces\{F9857B0A-CCC8-40CB-8C96-940AACCDABA7} : NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{F9857B0A-CCC8-40CB-8C96-940AACCDABA7} : DHCPNameServer = 192.168.2.1 68.105.28.12 68.105.29.12 68.105.28.11
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
.
============= SERVICES / DRIVERS ===============
.
R0 amacpi;Microsoft Away Mode System;c:\windows\system32\drivers\null.sys [2008-7-29 4608]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-8-30 193552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2012-7-11 116608]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-7-29 21504]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-7-29 21504]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-11-15 399432]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-11-15 676936]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-8-30 99272]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-11-15 22856]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-9-12 287824]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-11-18 03:44:58 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-11-18 03:37:23 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{f3195cf9-b2e2-4aea-aebc-18a25c8d7aa3}\offreg.dll
2012-11-18 03:37:16 740784 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{e61904f0-6151-cf58-e2a1-3f2c17482929}\GapaEngine.dll
2012-11-17 15:48:31 6918632 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{f3195cf9-b2e2-4aea-aebc-18a25c8d7aa3}\mpengine.dll
2012-11-17 02:31:42 12872 ----a-w- c:\windows\system32\bootdelete.exe
2012-11-17 02:17:45 -------- d-----w- c:\program files\HitmanPro
2012-11-17 02:17:33 -------- d-----w- c:\programdata\HitmanPro
2012-11-17 02:08:18 -------- d-----w- c:\windows\ERUNT
2012-11-17 02:08:00 -------- d-----w- C:\JRT
2012-11-16 00:49:18 -------- d-----w- c:\users\joe.missy-pc.003\appdata\roaming\SUPERAntiSpyware.com
2012-11-16 00:49:08 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-11-16 00:49:08 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-11-15 21:07:53 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-15 02:10:41 6918632 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-11-14 05:01:23 -------- d-----w- C:\TDSSKiller_Quarantine
2012-11-14 04:13:57 -------- d-sh--w- C:\found.000
2012-11-13 23:08:22 -------- d-----w- c:\program files\ESET
2012-11-13 22:36:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-10-28 16:18:01 -------- d-----w- c:\program files\Perion
2012-10-28 16:17:43 773968 ----a-w- c:\windows\system32\msvcr100.dll
2012-10-28 16:17:43 632656 ----a-w- c:\windows\system32\msvcr80.dll
2012-10-28 16:17:43 554832 ----a-w- c:\windows\system32\msvcp80.dll
2012-10-28 16:17:43 479232 ----a-w- c:\windows\system32\msvcm80.dll
2012-10-28 16:17:43 421200 ----a-w- c:\windows\system32\msvcp100.dll
2012-10-19 21:25:11 740784 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{ec0a4e2c-4aea-476d-8785-dd368139ecff}\gapaengine.dll
2012-10-19 16:55:58 -------- d-----w- c:\program files\Belarc
2012-10-19 16:46:18 -------- d-----w- c:\program files\MSECache
.
==================== Find3M ====================
.
2012-10-16 00:40:22 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-10-16 00:40:22 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-10-16 00:37:03 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-16 00:37:03 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-13 13:28:08 2048 ----a-w- c:\windows\system32\tzres.dll
2012-08-31 02:03:50 99272 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-08-31 02:03:50 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-08-29 11:27:41 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-08-29 11:27:41 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-24 15:53:29 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-08-24 06:59:17 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-08-24 06:51:27 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-08-24 06:51:02 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-24 06:47:26 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-08-24 06:47:12 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-08-24 06:43:58 2382848 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 22:54:30.27 ===============


#2 nasdaq
  • Malware Response Team

Posted 18 November 2012 - 10:46 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Nothing suspicious was found on your DDS log.

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to: Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall.


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html


Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third-party programs, if not up to date, can be the cause of infiltration by an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).

Please post the logs for my review and let me know what problems you have with this computer.

#3 grog5150

Posted 18 November 2012 - 04:18 PM

HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_ce5ba24.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
Completion time: 2012-11-18 16:01:26
ComboFix-quarantined-files.txt 2012-11-18 21:01
.
Pre-Run: 144,937,107,456 bytes free
Post-Run: 145,364,946,944 bytes free
.
- - End Of File - - FB09A15403A0639EDD153EA7B4221824


Results of screen317's Security Check version 0.99.54
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Windows Firewall Disabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
SUPERAntiSpyware
Malwarebytes Anti-Malware version 1.65.1.1000
CCleaner
Java™ 6 Update 11
Java 7 Update 9
Java™ SE Runtime Environment 6
Adobe Reader X (10.1.4)
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
Malwarebytes' Anti-Malware mbamscheduler.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1 %
````````````````````End of Log``````````````````````


# AdwCleaner v2.008 - Logfile created 11/18/2012 at 16:14:18
# Updated 17/11/2012 by Xplode
# Operating system : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# User : Joe - MISSY-PC
# Boot Mode : Normal
# Running from : C:\Users\Joe.Missy-PC.003\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

Folder Found : C:\Program Files\Perion

***** [Registry] *****

Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}
Key Found : HKU\S-1-5-21-1080283046-2531959896-3594056198-1009\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Google Chrome v [Unable to get version]

*************************

AdwCleaner[R1].txt - [707 octets] - [16/11/2012 07:55:53]
AdwCleaner[R2].txt - [1046 octets] - [18/11/2012 16:14:18]

########## EOF - C:\AdwCleaner[R2].txt - [1106 octets] ##########

#4 grog5150

Posted 18 November 2012 - 04:25 PM

Restarted the computer after running ComboFix, Security Check, and AdwCleaner... still getting a "Windows host has stopped working" error message.

#5 nasdaq
  • Malware Response Team

Posted 19 November 2012 - 07:52 AM

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Everything that was found will be deleted.
  • Follow the prompts to reboot the computer. A text file will open after the restart.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).

Please post the complete ComboFix log for my review.

Let me know if the problem persists.

#6 grog5150

Posted 19 November 2012 - 05:31 PM

# AdwCleaner v2.008 - Logfile created 11/19/2012 at 17:25:37
# Updated 17/11/2012 by Xplode
# Operating system : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# User : Joe - MISSY-PC
# Boot Mode : Normal
# Running from : C:\Users\Joe.Missy-PC.003\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Program Files\Perion

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Google Chrome v [Unable to get version]

*************************

AdwCleaner[R1].txt - [707 octets] - [16/11/2012 07:55:53]
AdwCleaner[R2].txt - [1175 octets] - [18/11/2012 16:14:18]
AdwCleaner[R3].txt - [1235 octets] - [19/11/2012 17:25:05]
AdwCleaner[S2].txt - [1019 octets] - [19/11/2012 17:25:37]

########## EOF - C:\AdwCleaner[S2].txt - [1079 octets] ##########


ComboFix 12-11-19.02 - Joe 11/19/2012 17:02:54.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3006.1914 [GMT -5:00]
Running from: c:\users\Joe.Missy-PC.003\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Outdated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Enabled/Outdated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-10-19 to 2012-11-19 )))))))))))))))))))))))))))))))
.
.
2012-11-19 22:11 . 2012-11-19 22:11 -------- d-----w- c:\users\Joe.Missy-PC.003\AppData\Local\temp
2012-11-19 22:11 . 2012-11-19 22:11 -------- d-----w- c:\users\Work\AppData\Local\temp
2012-11-19 22:11 . 2012-11-19 22:11 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-11-19 22:11 . 2012-11-19 22:11 -------- d-----w- c:\users\Missy\AppData\Local\temp
2012-11-19 22:11 . 2012-11-19 22:11 -------- d-----w- c:\users\Joe\AppData\Local\temp
2012-11-19 22:11 . 2012-11-19 22:11 -------- d-----w- c:\users\Joe.Missy-PC\AppData\Local\temp
2012-11-19 22:11 . 2012-11-19 22:11 -------- d-----w- c:\users\Joe.Missy-PC.002\AppData\Local\temp
2012-11-19 22:11 . 2012-11-19 22:11 -------- d-----w- c:\users\Joe.Missy-PC.001\AppData\Local\temp
2012-11-18 03:44 . 2012-09-25 04:16 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-11-17 02:31 . 2012-11-17 02:31 12872 ----a-w- c:\windows\system32\bootdelete.exe
2012-11-17 02:17 . 2012-11-17 02:17 -------- d-----w- c:\program files\HitmanPro
2012-11-17 02:17 . 2012-11-17 02:31 -------- d-----w- c:\programdata\HitmanPro
2012-11-17 02:08 . 2012-11-17 02:08 -------- d-----w- c:\windows\ERUNT
2012-11-17 02:08 . 2012-11-17 02:08 -------- d-----w- C:\JRT
2012-11-14 05:01 . 2012-11-14 05:01 -------- d-----w- C:\TDSSKiller_Quarantine
2012-11-14 04:13 . 2012-11-14 04:13 -------- d-----w- C:\found.000
2012-11-13 23:08 . 2012-11-13 23:08 -------- d-----w- c:\program files\ESET
2012-10-28 16:18 . 2012-10-28 16:18 -------- d-----w- c:\program files\Perion
2012-10-28 16:17 . 2011-06-10 22:58 773968 ----a-w- c:\windows\system32\msvcr100.dll
2012-10-28 16:17 . 2011-06-10 22:58 421200 ----a-w- c:\windows\system32\msvcp100.dll
2012-10-28 16:17 . 2011-05-13 23:17 632656 ----a-w- c:\windows\system32\msvcr80.dll
2012-10-28 16:17 . 2011-05-13 23:17 479232 ----a-w- c:\windows\system32\msvcm80.dll
2012-10-28 16:17 . 2011-05-13 23:17 554832 ----a-w- c:\windows\system32\msvcp80.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-19 00:14 . 2012-05-18 01:42 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-11-19 00:14 . 2011-06-20 22:06 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-16 00:40 . 2012-10-16 00:40 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-10-16 00:40 . 2012-10-16 00:40 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-13 13:28 . 2012-10-10 06:23 2048 ----a-w- c:\windows\system32\tzres.dll
2012-08-31 03:03 . 2012-08-31 03:03 99272 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-08-31 03:03 . 2012-08-31 03:03 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-08-29 11:27 . 2012-10-10 06:23 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-08-29 11:27 . 2012-10-10 06:23 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-24 15:53 . 2012-10-10 06:23 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-08-24 06:59 . 2012-09-22 07:01 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-08-24 06:51 . 2012-09-22 07:01 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-08-24 06:51 . 2012-09-22 07:01 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-24 06:47 . 2012-09-22 07:01 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-08-24 06:47 . 2012-09-22 07:01 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-08-24 06:43 . 2012-09-22 07:01 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2008-08-06 22:56 . 2008-08-06 22:56 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Akamai NetSession Interface"="c:\users\Joe.Missy-PC.003\AppData\Local\Akamai\netsession_win.exe" [2012-10-09 4441920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-17 4907008]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - NISDRV
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
Akamai REG_MULTI_SZ Akamai
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-19 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-18 00:14]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uInternet Settings,ProxyOverride = 127.0.0.1:9421;<local>
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1 68.105.28.12 68.105.29.12 68.105.28.11
TCP: Interfaces\{F9857B0A-CCC8-40CB-8C96-940AACCDABA7}: NameServer = 208.67.222.222,208.67.220.220
.
- - - - ORPHANS REMOVED - - - -
.
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-11-19 17:11
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_ce5ba24.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
Completion time: 2012-11-19 17:13:17
ComboFix-quarantined-files.txt 2012-11-19 22:13
ComboFix2.txt 2012-11-18 21:01
.
Pre-Run: 145,788,215,296 bytes free
Post-Run: 145,249,710,080 bytes free
.
- - End Of File - - 102C8D6FE9B67FC6819C207CD3A761D4

#7 grog5150
  • Topic Starter

Posted 19 November 2012 - 10:59 PM

Seems to be running better :) ... the host process error still comes up, usually within a few minutes after reboot, with the IE border turning almost white, but it seems to fix itself after a minute or so and then runs OK. Not sure if there is anything else that can be done to fix the host process error?

#8 nasdaq
  • Malware Response Team

Posted 20 November 2012 - 11:16 AM

See if this article can help in identifying the culprit.

How to Fix "Host process for windows services stopped working and was closed"

http://www.online-tech-tips.com/computer-tips/host-process-for-windows-services-stopped-working/
===

Running this tool will ensure that you have all the correct files for the Operating system.
How to use the System File Checker tool to troubleshoot missing or corrupted system files on Windows Vista or on Windows 7
http://support.microsoft.com/kb/929833

===

To check for 3rd-party software, run this tool.
Secunia Personal Software Inspector (PSI)
http://secunia.com/vulnerability_scanning/personal/
Secunia PSI is a security scanner which identifies programs that are insecure and need updates.
===

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

To remove AdwCleaner.

Please double click on AdwCleaner.exe to run the tool.
Click on Uninstall.
Confirm with Yes.

Delete the other tools we used.
===

#9 grog5150
  • Topic Starter

Posted 21 November 2012 - 04:15 PM

Thanks for all of your help :thumbup2: :thumbup2: :thumbup2:



