
FBI MoneyPak Virus - New twist?


This topic is locked
16 replies to this topic

#1 process8


Posted 12 December 2012 - 06:22 AM

Hi,

I'm jammed up with the FBI MoneyPak Virus on my PC and read the instructions here on how to get rid of it. But I have a problem.

The instructions say to use Safe Mode and log in under the user ID which contracted the virus. When I log in under that user in Safe Mode, the system shuts down by itself. So I'm unable to log on under that user.

Here's another odd twist. I didn't even know it was the FBI MoneyPak virus until I went to Safe Mode and entered under "VGA Mode" or something like that which begins with "VGA." That's when the FBI page showed itself.

Before, just booting normally, it booted up okay, went to the welcome screen, then it flashed to my regular desktop for maybe 1/10 of a second, then went to blank blue screen, then a blank white screen and there it remained. I guess the FBI Virus is "hiding" behind that white screen when I boot normally.

I've downloaded the emsisoft kit on a flash drive using my laptop. I have only two users on my PC: "administrator" and "owner."

Owner is the user that contracted it. But Safe Mode under "owner" results in the automatic shutdown so I can't use the emsisoft program on the flash drive when in under "owner."

Any suggestions will be appreciated.

Thanks

Edited by process8, 12 December 2012 - 02:55 PM.


#2 Broni


Posted 12 December 2012 - 12:32 PM

I'll report this topic to appropriate helpers.
Hold on...


#3 Elise


Posted 12 December 2012 - 01:20 PM

Hello, can you run the Emsisoft Emergency Kit using the Administrator account (or whatever other account works)?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#4 process8


Posted 12 December 2012 - 02:16 PM

Hi Elise,

Not sure what fixed it ... but it's fixed. Virus is gone.

I have two users - "administrator" and "owner."

The virus came in under "owner." When I booted under "owner" I got a quick flash of my desktop and then went right to the white screen. Same with Safe Mode and owner. Quick flash of desktop and BANG right to white screen.

Safe Mode under "administrator" using Emsisoft Emergency Kit was no help. The virus remained in "owner."

So I booted in Safe Mode, opened under "administrator," then switched users to "owner" which gave me a second or two to open "My Computer" from the Start menu.

I was able to stay in Safe Mode using "owner" once I had "My Computer" open.

I had a flash drive with emsisoft emergency kit on it. I ran it, and I was so happy I was able to hang around in the "owner" user I ran everything I could throw at it - superantispyware, malware antimalware, and a few other things I can't recall. Most of them found something.

I've been trying to figure a way around the damn thing since about 2 a.m. It's been a solid 12 hours and I'm bushed.

Anyway, it's gone (I hope). Off to bed.

Any advice on installations which will help prevent a reoccurrence?

Edited by process8, 12 December 2012 - 02:58 PM.


#5 process8


Posted 12 December 2012 - 02:39 PM

Oh. Here's a couple of questions.

Now that all seems to be well I noticed I have the old Microsoft gold shield with the exclamation point. I opened it up and it's telling me I have 11 updates to install.

I've always been paranoid about those Microsoft updates. I've never liked introducing stuff into my computer without knowing AT LEAST a little about it.

And I don't think the shield popping up is a coincidence. I think one of the virus removers took some thing(s) out that Microsoft wants me to put back in.

Should I add these 11 updates or not?

I also have Secunia PSI now in the systray but when I click on it nothing happens. I just get a white screen with an hourglass in the center of it. When I try to click out of it the "Program Not Responding" box opens up and I get out of it using "End Now."

What do you suppose is happening there?

Thank you.

#6 Elise


Posted 12 December 2012 - 02:57 PM

That sounds like a legitimate Windows update installation. These updates are extremely important because they address vulnerabilities in your Windows installation that can be exploited by malware.

To be sure all bad stuff is gone, let's look a bit more in-depth.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards, Elise



#7 process8


Posted 12 December 2012 - 03:24 PM

Okay, will do.

Where shall I post the log?

(And by the way, thank you very much).

#8 process8


Posted 12 December 2012 - 03:36 PM

I couldn't find the instructions for posting the log. I'm so tired.

Attached file: attach.txt (24.74 KB)

Did I do it correctly?

#9 Elise


Posted 12 December 2012 - 03:45 PM

You can just copy/paste the logs in your reply. :)

We need to run a scan with Combofix:

  • Please go to the download page for ComboFix by sUBs.
  • Click the Download Now button pictured below and save the file to your desktop:

    Posted Image
  • Disable any anti-virus and/or firewall software you have installed.
    instructions can be found here if needed
  • Close all open windows including your web browser
    as mentioned in the first post, you may want to print out all instructions before starting
  • Double-click on the ComboFix icon on your desktop. Posted Image
  • Read the Disclaimer and click I Agree if you want to run the software, then you should see a window like the one below:

    Posted Image
  • DO NOT use your computer while ComboFix is running. There are a lot of things going on behind the scenes and a single mouse click can cause the program to stall.

    However, if you see the prompt below, please click Yes to download the Microsoft Windows Recovery Console.

    Posted Image

    If an Internet connection is not available or you choose not to install the recovery console, ComboFix will run in Reduced Functionality mode.
  • Allow ComboFix to reboot the computer if necessary, it will run again after you log back in.
  • When complete, a log file will be displayed, please copy and paste the contents of this file into your next post.

    Posted Image

More information about downloading and using ComboFix can be found here if needed.

regards, Elise



#10 process8


Posted 12 December 2012 - 03:50 PM

The DDS log is attached above in post #8.

I'll do the combofix now.

Edited by process8, 12 December 2012 - 03:51 PM.


#11 Elise


Posted 12 December 2012 - 04:07 PM

Okay, I'll wait for the log.

regards, Elise



#12 process8


Posted 12 December 2012 - 04:13 PM

Here it is. You are a patient person.

ComboFix 12-12-10.01 - Owner 12/12/2012 15:58:35.17.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.507 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix1.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: eTrust EZ AntiSpyware *Disabled/Updated* {6B98D35F-BB76-41C0-876B-A50645ED099A}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Owner\Application Data\skype.dat
.
.
((((((((((((((((((((((((( Files Created from 2012-11-12 to 2012-12-12 )))))))))))))))))))))))))))))))
.
.
2012-12-12 20:15 . 2012-12-12 20:15 16363960 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-12-12 13:21 . 2012-12-12 13:21 -------- dc----w- c:\documents and settings\owner2
2012-12-12 09:40 . 2012-12-12 09:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2012-12-12 09:01 . 2012-12-12 09:01 -------- dc----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2012-12-12 04:51 . 2012-12-12 04:51 -------- dc----w- c:\documents and settings\Administrator\Local Settings\Application Data\Secunia PSI
2012-12-12 00:53 . 2012-12-12 00:53 -------- dc----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-12 20:15 . 2011-12-19 13:20 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-12 20:15 . 2011-06-05 23:01 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-13 01:25 . 2004-08-26 16:12 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-06 00:41 . 2004-08-26 16:11 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-02 02:02 . 2004-08-26 16:11 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17 . 2004-08-26 16:12 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17 . 2004-08-26 16:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17 . 2004-08-26 16:11 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35 . 2004-08-26 16:11 385024 ----a-w- c:\windows\system32\html.iec
2012-10-30 23:51 . 2012-09-03 22:47 361032 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-10-30 23:51 . 2012-09-03 22:47 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-10-30 23:51 . 2012-09-03 22:47 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-10-30 23:51 . 2012-09-03 22:47 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-10-30 23:51 . 2012-09-03 22:47 97608 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-10-30 23:51 . 2012-09-03 22:47 89752 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-10-30 23:51 . 2012-09-03 22:47 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-10-30 23:51 . 2012-09-03 22:47 25256 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-10-30 23:51 . 2012-09-03 22:46 41224 ----a-w- c:\windows\avastSS.scr
2012-10-30 23:50 . 2012-09-03 22:46 227648 ----a-w- c:\windows\system32\aswBoot.exe
2012-10-02 18:04 . 2004-08-26 16:12 58368 ----a-w- c:\windows\system32\synceng.dll
2012-09-29 23:54 . 2010-01-10 06:40 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-01 14:45 . 2009-07-01 14:42 308160 -c--a-w- c:\program files\avast_home_setup.exe
2009-01-20 06:48 . 2009-01-20 06:48 37090648 -c--a-w- c:\program files\AVSDiscCreator.exe
2009-01-20 06:43 . 2009-01-20 05:59 52307672 -c--a-w- c:\program files\AVSVideoConverter.exe
2008-11-15 02:59 . 2008-11-15 02:58 7943541 -c--a-w- c:\program files\FreeYouTubeToMp3Converter.exe
2008-05-05 00:35 . 2008-05-05 00:35 35674728 -c--a-w- c:\program files\Nero-6.6.1.15a.exe
2008-05-04 12:45 . 2008-05-04 12:45 8408102 -c--a-w- c:\program files\vdm_free.exe
2008-04-27 11:50 . 2008-04-27 11:50 45145784 -c--a-w- c:\program files\iss_en_32.exe
2008-02-12 04:10 . 2008-02-12 04:10 7371062 -c--a-w- c:\program files\dvdflick_setup_1.2.2.1.exe
2007-02-19 10:52 . 2007-02-19 10:52 2816504 -c----w- c:\program files\rng.exe
2007-02-19 06:43 . 2007-02-19 06:43 1322913 -c----w- c:\program files\RRNDemo.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-10-30 23:50 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-12 344064]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2012-7-25 572000]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableClock"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoMultiIE"= 0 (0x0)
"LWA"= 0 (0x0)
"LWB"= 0 (0x0)
"LWC"= 0 (0x0)
"LWD"= 0 (0x0)
"LWE"= 0 (0x0)
"LWF"= 0 (0x0)
"LWG"= 0 (0x0)
"LWH"= 0 (0x0)
"LWI"= 0 (0x0)
"LWJ"= 0 (0x0)
"LWK"= 0 (0x0)
"LWL"= 0 (0x0)
"LWM"= 0 (0x0)
"LWN"= 0 (0x0)
"LWO"= 0 (0x0)
"LWP"= 0 (0x0)
"LWQ"= 0 (0x0)
"LWR"= 0 (0x0)
"LWS"= 0 (0x0)
"LWT"= 0 (0x0)
"LWU"= 0 (0x0)
"LWV"= 0 (0x0)
"LWW"= 0 (0x0)
"LWX"= 0 (0x0)
"LWY"= 0 (0x0)
"LWZ"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SmartDefragBootTime.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Secunia PSI Tray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
backup=c:\windows\pss\Secunia PSI Tray.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^ctfmon.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\ctfmon.lnk
backup=c:\windows\pss\ctfmon.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-27 20:51 919008 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileHippo.com]
2010-08-09 12:47 248832 ----a-w- c:\program files\FileHippo.com\UpdateChecker.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2012-05-25 08:25 6595928 ----a-w- c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-17 15:07 252296 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2012-12-12 03:44 4763008 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Window Washer]
2007-11-26 18:50 1222984 ----a-w- c:\program files\Webroot\Washer\wwDisp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"VETMSGNT"=2 (0x2)
"CAISafe"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare Software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\FreeTorrentDownloader\\FreeTorrentDownloader.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [12/19/2011 7:37 AM 14776]
R1 A2DDA;A2 Direct Disk Access Support Driver;c:\documents and settings\Owner\My Documents\Downloads\EmsisoftEmergencyKit\Run\a2ddax86.sys [12/12/2012 2:37 PM 17904]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [9/3/2012 5:47 PM 738504]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9/3/2012 5:47 PM 361032]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\documents and settings\All Users\Application Data\Spyware Terminator\sp_rsdrv2.sys [8/17/2011 4:17 PM 133120]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [8/11/2011 6:38 PM 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/3/2012 5:47 PM 21256]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [12/19/2011 7:37 AM 21992]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [7/25/2012 3:46 AM 1326176]
R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [8/14/2007 10:43 AM 618896]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 3:30 AM 15544]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [7/25/2012 3:46 AM 681056]
S2 UsbCoc;Nokia CA-42 Driver Service;c:\windows\system32\drivers\UsbCoc.sys [5/13/2005 10:59 PM 69575]
S3 cpuz134;cpuz134;\??\c:\docume~1\Owner\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\Owner\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [?]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys --> c:\windows\system32\DRIVERS\motodrv.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-12 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2011-12-19 20:15]
.
2012-12-12 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2012-09-03 23:50]
.
2012-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-28 17:30]
.
2012-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-28 17:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 192.168.1.1
DPF: vzTCPConfig - hxxp://my.verizon.com/micro/speedoptimizer/fios/vzTCPConfig.CAB
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-Advanced SystemCare 5 - c:\program files\IObit\Advanced SystemCare 5\ASCTray.exe
MSConfigStartUp-ApnUpdater - c:\program files\Ask.com\Updater\Updater.exe
MSConfigStartUp-AutoSizer - c:\program files\AutoSizer\AutoSizer.exe
MSConfigStartUp-DriverFinder - c:\program files\DriverFinder\DriverFinder.exe
MSConfigStartUp-InstallIQUpdater - c:\program files\W3i\InstallIQUpdater\InstallIQUpdater.exe
MSConfigStartUp-SpywareTerminator - c:\program files\Spyware Terminator\SpywareTerminatorShield.exe
MSConfigStartUp-XkUVrlOBtPuSiDp8234A - c:\windows\system32\Cloud AV 2012v121.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-12 16:05
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(704)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2012-12-12 16:08:18
ComboFix-quarantined-files.txt 2012-12-12 21:08
.
Pre-Run: 122,305,261,568 bytes free
Post-Run: 122,327,257,088 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 28DF321588EDAF8C45AB132F283847A4

#13 Elise


Posted 12 December 2012 - 04:48 PM

That is looking pretty good. There is one remnant (a disabled ctfmon shortcut, commonly associated with Reveton ransomware) which we will remove. Please let me know how your computer is behaving now. Do you have any problem left?


CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^ctfmon.lnk]


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards, Elise

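As an added illustration (not code from this thread, from ComboFix, or from the helper), a small Python triage script that parses the Reg Loading Points and ORPHANS REMOVED sections of a ComboFix log in the format posted above and flags the two kinds of remnant this thread turned up: a Startup-folder shortcut named after a Windows system binary (the disabled ctfmon.lnk that Elise removes with the CF-script) and an autostart entry with a machine-generated-looking name (the XkUVrlOBtPuSiDp8234A orphan). The sample log excerpt is constructed from lines of the log posted above; the heuristics, thresholds and the system-binary list are my own assumptions, not anything ComboFix does.

```python
import re
from collections import namedtuple

# Constructed sample: lines lifted from the ComboFix log posted in this thread,
# trimmed to the sections this script understands (Reg Loading Points, ORPHANS REMOVED).
SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-12 344064]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Secunia PSI Tray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
backup=c:\windows\pss\Secunia PSI Tray.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^ctfmon.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\ctfmon.lnk
backup=c:\windows\pss\ctfmon.lnkStartup
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-XkUVrlOBtPuSiDp8234A - c:\windows\system32\Cloud AV 2012v121.exe
"""

Entry = namedtuple("Entry", ["source", "name", "target"])

RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]+)"')
STARTUP_FOLDER_RE = re.compile(r'^\[HKLM\\~\\startupfolder\\(?P<key>.+)\]$')
ORPHAN_RE = re.compile(r'^MSConfigStartUp-(?P<name>.+?) - (?P<target>.+)$')

# Assumed list of binaries a stock Windows install never starts from a user's Startup folder.
SYSTEM_BINARY_STEMS = {"ctfmon", "explorer", "svchost", "winlogon", "rundll32", "lsass"}


def parse_loading_points(text):
    """Return autostart entries from the HKLM Run key, the disabled-startup-folder blocks
    (msconfig moves those shortcuts into the windows pss folder) and the orphan list."""
    entries, section, shortcut = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            m = STARTUP_FOLDER_RE.match(line)
            if m:
                # The last ^-separated component of the key is the shortcut file name.
                section, shortcut = "startupfolder", m.group("key").split("^")[-1]
            elif "currentversion\\run]" in line.lower():
                section = "run"
            else:
                section = None
            continue
        orphan = ORPHAN_RE.match(line)
        run_value = RUN_VALUE_RE.match(line) if section == "run" else None
        if orphan:
            entries.append(Entry("msconfig orphan", orphan.group("name"), orphan.group("target")))
        elif run_value:
            entries.append(Entry("HKLM Run value", run_value.group("name"), run_value.group("target")))
        elif section == "startupfolder" and line.startswith("path="):
            entries.append(Entry("disabled Startup-folder shortcut", shortcut, line[len("path="):]))
    return entries


def looks_random(name):
    """Heuristic (my own, not ComboFix's): a long name whose letters keep flipping
    between upper and lower case, as in XkUVrlOBtPuSiDp8234A, was probably generated."""
    letters = [c for c in name if c.isalpha()]
    if len(name) < 12 or len(letters) < 8:
        return False
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    return flips / (len(letters) - 1) >= 0.5


def suspicious_reasons(entry):
    """Reasons an entry deserves a second look; empty list means nothing stood out."""
    reasons = []
    if looks_random(entry.name):
        reasons.append("entry name looks machine-generated")
    stem = re.sub(r"\.lnk$", "", entry.name, flags=re.IGNORECASE).lower()
    if entry.source.startswith("disabled Startup-folder") and stem in SYSTEM_BINARY_STEMS:
        reasons.append("Startup-folder shortcut named after a Windows system binary; "
                       "the thread's helper ties a ctfmon.lnk like this to Reveton")
    return reasons


def triage(text):
    """Map each flagged entry name to (source, target, reasons)."""
    flagged = {}
    for entry in parse_loading_points(text):
        reasons = suspicious_reasons(entry)
        if reasons:
            flagged[entry.name] = (entry.source, entry.target, reasons)
    return flagged


if __name__ == "__main__":
    for name, (source, target, reasons) in triage(SAMPLE_LOG).items():
        print(f"[{source}] {name} -> {target}")
        for reason in reasons:
            print("    -", reason)
```

Run it against a full ComboFix.txt by reading the file into `triage()`; legitimate entries such as the avast and Secunia ones above pass through unflagged.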


#14 process8


Posted 12 December 2012 - 05:32 PM

Here it is, Elise.

I also ran Msconfig and ctfmon (or whatever it was) is no longer on the startup list, checked or unchecked. It's just gone. :)

Here's the log:

ComboFix 12-12-10.01 - Owner 12/12/2012 17:17:35.18.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.470 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix1.exe
Command switches used :: c:\documents and settings\Owner\Desktop\cfscript.txt.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: eTrust EZ AntiSpyware *Disabled/Updated* {6B98D35F-BB76-41C0-876B-A50645ED099A}
.
.
((((((((((((((((((((((((( Files Created from 2012-11-12 to 2012-12-12 )))))))))))))))))))))))))))))))
.
.
2012-12-12 22:11 . 2012-12-12 22:11 -------- dc----w- C:\ComboFix1
2012-12-12 20:15 . 2012-12-12 20:15 16363960 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-12-12 13:21 . 2012-12-12 13:21 -------- dc----w- c:\documents and settings\owner2
2012-12-12 09:40 . 2012-12-12 09:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2012-12-12 09:01 . 2012-12-12 09:01 -------- dc----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2012-12-12 04:51 . 2012-12-12 04:51 -------- dc----w- c:\documents and settings\Administrator\Local Settings\Application Data\Secunia PSI
2012-12-12 00:53 . 2012-12-12 00:53 -------- dc----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-12 20:15 . 2011-12-19 13:20 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-12 20:15 . 2011-06-05 23:01 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-13 01:25 . 2004-08-26 16:12 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-06 00:41 . 2004-08-26 16:11 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-02 02:02 . 2004-08-26 16:11 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17 . 2004-08-26 16:12 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17 . 2004-08-26 16:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17 . 2004-08-26 16:11 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35 . 2004-08-26 16:11 385024 ----a-w- c:\windows\system32\html.iec
2012-10-30 23:51 . 2012-09-03 22:47 361032 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-10-30 23:51 . 2012-09-03 22:47 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-10-30 23:51 . 2012-09-03 22:47 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-10-30 23:51 . 2012-09-03 22:47 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-10-30 23:51 . 2012-09-03 22:47 97608 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-10-30 23:51 . 2012-09-03 22:47 89752 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-10-30 23:51 . 2012-09-03 22:47 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-10-30 23:51 . 2012-09-03 22:47 25256 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-10-30 23:51 . 2012-09-03 22:46 41224 ----a-w- c:\windows\avastSS.scr
2012-10-30 23:50 . 2012-09-03 22:46 227648 ----a-w- c:\windows\system32\aswBoot.exe
2012-10-02 18:04 . 2004-08-26 16:12 58368 ----a-w- c:\windows\system32\synceng.dll
2012-09-29 23:54 . 2010-01-10 06:40 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-01 14:45 . 2009-07-01 14:42 308160 -c--a-w- c:\program files\avast_home_setup.exe
2009-01-20 06:48 . 2009-01-20 06:48 37090648 -c--a-w- c:\program files\AVSDiscCreator.exe
2009-01-20 06:43 . 2009-01-20 05:59 52307672 -c--a-w- c:\program files\AVSVideoConverter.exe
2008-11-15 02:59 . 2008-11-15 02:58 7943541 -c--a-w- c:\program files\FreeYouTubeToMp3Converter.exe
2008-05-05 00:35 . 2008-05-05 00:35 35674728 -c--a-w- c:\program files\Nero-6.6.1.15a.exe
2008-05-04 12:45 . 2008-05-04 12:45 8408102 -c--a-w- c:\program files\vdm_free.exe
2008-04-27 11:50 . 2008-04-27 11:50 45145784 -c--a-w- c:\program files\iss_en_32.exe
2008-02-12 04:10 . 2008-02-12 04:10 7371062 -c--a-w- c:\program files\dvdflick_setup_1.2.2.1.exe
2007-02-19 10:52 . 2007-02-19 10:52 2816504 -c----w- c:\program files\rng.exe
2007-02-19 06:43 . 2007-02-19 06:43 1322913 -c----w- c:\program files\RRNDemo.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-10-30 23:50 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-12 344064]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2012-7-25 572000]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableClock"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoMultiIE"= 0 (0x0)
"LWA"= 0 (0x0)
"LWB"= 0 (0x0)
"LWC"= 0 (0x0)
"LWD"= 0 (0x0)
"LWE"= 0 (0x0)
"LWF"= 0 (0x0)
"LWG"= 0 (0x0)
"LWH"= 0 (0x0)
"LWI"= 0 (0x0)
"LWJ"= 0 (0x0)
"LWK"= 0 (0x0)
"LWL"= 0 (0x0)
"LWM"= 0 (0x0)
"LWN"= 0 (0x0)
"LWO"= 0 (0x0)
"LWP"= 0 (0x0)
"LWQ"= 0 (0x0)
"LWR"= 0 (0x0)
"LWS"= 0 (0x0)
"LWT"= 0 (0x0)
"LWU"= 0 (0x0)
"LWV"= 0 (0x0)
"LWW"= 0 (0x0)
"LWX"= 0 (0x0)
"LWY"= 0 (0x0)
"LWZ"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SmartDefragBootTime.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Secunia PSI Tray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
backup=c:\windows\pss\Secunia PSI Tray.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-27 20:51 919008 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileHippo.com]
2010-08-09 12:47 248832 ----a-w- c:\program files\FileHippo.com\UpdateChecker.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2012-05-25 08:25 6595928 ----a-w- c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-17 15:07 252296 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2012-12-12 03:44 4763008 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Window Washer]
2007-11-26 18:50 1222984 ----a-w- c:\program files\Webroot\Washer\wwDisp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"VETMSGNT"=2 (0x2)
"CAISafe"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare Software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\FreeTorrentDownloader\\FreeTorrentDownloader.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [12/19/2011 7:37 AM 14776]
R1 A2DDA;A2 Direct Disk Access Support Driver;c:\documents and settings\Owner\My Documents\Downloads\EmsisoftEmergencyKit\Run\a2ddax86.sys [12/12/2012 2:37 PM 17904]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [9/3/2012 5:47 PM 738504]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9/3/2012 5:47 PM 361032]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\documents and settings\All Users\Application Data\Spyware Terminator\sp_rsdrv2.sys [8/17/2011 4:17 PM 133120]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [8/11/2011 6:38 PM 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/3/2012 5:47 PM 21256]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [12/19/2011 7:37 AM 21992]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [7/25/2012 3:46 AM 1326176]
R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [8/14/2007 10:43 AM 618896]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 3:30 AM 15544]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [7/25/2012 3:46 AM 681056]
S2 UsbCoc;Nokia CA-42 Driver Service;c:\windows\system32\drivers\UsbCoc.sys [5/13/2005 10:59 PM 69575]
S3 cpuz134;cpuz134;\??\c:\docume~1\Owner\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\Owner\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [?]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys --> c:\windows\system32\DRIVERS\motodrv.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-12 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2011-12-19 20:15]
.
2012-12-12 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2012-09-03 23:50]
.
2012-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-28 17:30]
.
2012-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-28 17:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 192.168.1.1
DPF: vzTCPConfig - hxxp://my.verizon.com/micro/speedoptimizer/fios/vzTCPConfig.CAB
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-12 17:24
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(704)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2948)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-12-12 17:26:53
ComboFix-quarantined-files.txt 2012-12-12 22:26
ComboFix2.txt 2012-12-12 21:08
.
Pre-Run: 122,293,448,704 bytes free
Post-Run: 122,320,941,056 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 5C6C63C36F52091CA5D8655AF54D5CDA

#15 process8

process8
  • Topic Starter

  • Members
  • 77 posts

Posted 12 December 2012 - 05:35 PM

And to answer your previous question, my computer is now running like a Rolex thanks to you. :)

Edited by process8, 12 December 2012 - 05:35 PM.
