
Unknown Malware affecting windows


This topic is locked. 18 replies to this topic.

#1 ABComp


  • Members

Posted 12 December 2012 - 07:08 AM

Malwarebytes will not successfully install; it throws errors when it gets to the .lnk creation stage:

CoCreateInstance failed; code 0x80040154.
Class not registered.

vbAccelerator SGrid II Control
Run-time error '0'

At launch, Malwarebytes throws the error message:
Malwarebytes Anti-Malware
Run-time error '440':
Automation Error

Control Panel options such as Administrative Tools and Internet Options will not load.

Internet Explorer automatically closes on launch.

A family friend claims they started experiencing these problems after downloading a screensaver application, "iminent".

DDS Log:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.7.2
Run by HP_Owner at 3:52:17 on 2012-12-12
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft\BingBar\7.1.391.0\BBSvc.exe
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Program Files\Java\jre7\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Umbrella\Umbrella.exe
C:\Program Files\CenturyLink\QuickCare\bin\sprtsvc.exe
C:\Program Files\CenturyLink\QuickCare\bin\tgsrvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\hphmon06.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - <orphaned>
BHO: {11359F4A-B191-42d7-905A-594F8CF0387B} - <orphaned>
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: IMinent WebBooster (BHO): {A09AB6EB-31B5-454C-97EC-9B294D92EE2A} - c:\program files\iminent\Iminent.WebBooster.InternetExplorer.dll
BHO: CenturyLink: {A317CB83-299C-4FC8-9ED7-2D64117D98EE} - c:\program files\qwesttoolbar\qwesttoolbarDx.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.6.5825.1100\swg.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Google Dictionary Compression sdch: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\microsoft\bingbar\7.1.391.0\BingExt.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: HP view: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: <No Name>: - LocalServer32 - <no file>
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -
TB: HP view: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: CenturyLink: {A317CB83-299C-4FC8-9ED7-2D64117D98EE} - c:\program files\qwesttoolbar\qwesttoolbarDx.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - <orphaned>
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [CenturyLinkTouchPointAgent] "c:\program files\centurylink\desktop\CenturyLinkTouchPointAgent.exe" /autostart
mRun: [HPHmon06] c:\windows\system32\hphmon06.exe
mRun: [HPHUPD06] c:\program files\hp\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [Iminent] c:\program files\iminent\Iminent.exe /warmup "F77F87E5-A6BD-4922-A530-EDF63D7E9F8C"
mRun: [IminentMessenger] c:\program files\iminent\Iminent.Messengers.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE -startup
mRun: [QuickCare] c:\program files\centurylink\quickcare\bin\sprtcmd.exe /P QuickCare
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
uPolicies-Explorer: NoDriveTypeAutoRun = dword:157
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - LocalServer32 - <no file>
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab
DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - hxxp://www.sidestep.com/get/k00719/sb02a.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1351321910578
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1351312123718
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E99BF99C-5D95-11D4-A0EC-00500489A32D} - hxxp://gopublic.wspan.com/Scripts/us/DLLs/WSFileIO.cab
DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - hxxp://dictionary.reference.com/tools/toolbar/lexico.cab
TCP: NameServer = 192.168.0.1 205.171.3.25
TCP: Interfaces\{D31B2582-77A2-4A37-9578-BAFB9F472E32} : DHCPNameServer = 192.168.0.1 205.171.3.25
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: igfxcui - igfxsrvc.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2012-12-06 10:56:03 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2012-12-06 10:56:02 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2012-12-06 09:44:40 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-06 09:44:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-12-06 09:13:40 98816 ----a-w- c:\windows\sed.exe
2012-12-06 09:13:40 256000 ----a-w- c:\windows\PEV.exe
2012-12-06 09:13:40 208896 ----a-w- c:\windows\MBR.exe
2012-12-06 09:04:22 21504 ----a-w- c:\windows\system32\hidserv.dll
2012-12-06 09:04:16 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2012-11-28 04:31:03 -------- d-----w- C:\438966adcee0c6d7332ecac4
2012-11-27 02:09:21 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-11-27 00:14:57 -------- d-----w- c:\documents and settings\hp_owner\application data\Iminent
2012-11-27 00:14:50 -------- d-----w- c:\documents and settings\all users\application data\Iminent
2012-11-26 23:41:14 -------- d-----w- c:\documents and settings\hp_owner\application data\Toolbar4
2012-11-26 23:41:01 -------- d-----w- c:\documents and settings\hp_owner\local settings\application data\Temp
2012-11-26 23:40:31 -------- d-----w- c:\program files\common files\Umbrella
2012-11-26 23:40:21 -------- d-----w- c:\program files\Iminent
2012-11-26 23:39:40 -------- d-----w- c:\program files\Yontoo
2012-11-26 23:39:29 -------- d-----w- c:\documents and settings\all users\application data\Tarma Installer
2012-11-15 09:31:28 -------- d-----w- C:\dbda18cca2edf96d2a070b90
.
==================== Find3M ====================
.
2012-10-27 04:21:04 44032 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\hpq\xpxwwpp5\localcontent\attachments\devcon.exe
2012-10-27 04:21:02 307200 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\hpq\xpxwwpp5\plugin\bin\pchnotify.exe
2012-10-27 04:19:59 102400 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\hpq\xpxwwpp5\plugin\bin\PCDrAccess.dll
2012-10-27 04:19:56 114688 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\hpq\xpxwwpp5\plugin\bin\jsharpde\asst_ui.dll
2012-10-27 04:19:55 49152 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\hpq\xpxwwpp5\plugin\bin\jsharpde\hwinv.dll
2012-10-27 04:19:55 315392 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\hpq\xpxwwpp5\plugin\bin\jsharpde\pchmsxml.dll
2012-10-27 04:19:52 36864 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\hpq\xpxwwpp5\plugin\bin\jsharpde\gnu.dll
2012-10-27 04:19:52 126976 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\hpq\xpxwwpp5\plugin\bin\SearchCtrl.dll
2012-10-27 04:19:50 4096 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\hpq\xpxwwpp5\plugin\bin\winverifytrustwrapper.dll
2012-10-27 04:19:49 212992 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\hpq\xpxwwpp5\plugin\bin\jsharpde\jsharpinterp.dll
2012-10-27 04:19:47 307200 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\hpq\xpxwwpp5\plugin\bin\pchealthplugin.dll
2012-10-27 03:40:20 3645 ----a-w- c:\windows\viassary-hp.reg
2012-10-27 00:49:25 73728 ----a-w- c:\windows\ALCFDRTM.VER
2012-10-22 08:37:31 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-10-02 18:04:21 58368 ----a-w- c:\windows\system32\synceng.dll
2012-09-18 00:17:08 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-09-18 00:16:09 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-09-18 00:15:57 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-09-18 00:15:56 746984 ----a-w- c:\windows\system32\deployJava1.dll
.
============= FINISH: 3:53:18.04 ===============

#2 CatByte


    bleepin' tiger


  • Malware Response Team

Posted 13 December 2012 - 07:41 PM

I see ComboFix has been run already.

Please post the log(s).

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 ABComp

  • Topic Starter

  • Members

Posted 14 December 2012 - 06:15 AM

ComboFix 12-12-04.01 - Administrator 12/06/2012 1:18.1.1 - x86 NETWORK
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\HP_Owner\WINDOWS
c:\documents and settings\MC CoUrTfIzzLe\WINDOWS
c:\documents and settings\Miss Ashley Anne\WINDOWS
c:\program files\AdVantage
c:\program files\Common Files\WinSoftware
c:\program files\Fast Browser Search
c:\program files\SGPSA
c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15.inf
c:\windows\SETA1.tmp
c:\windows\SETA7.tmp
c:\windows\SETAB.tmp
c:\windows\system32\ayadd.bak1
c:\windows\system32\ayadd.bak2
c:\windows\system32\ayadd.ini
c:\windows\system32\ayadd.ini2
c:\windows\system32\ayadd.tmp
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\ryklooks.ini
c:\windows\system32\SET4A.tmp
c:\windows\system32\SET4B.tmp
c:\windows\system32\SET56.tmp
c:\windows\system32\sp
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
c:\windows\wt
c:\windows\wt\data.wts
c:\windows\wt\updater\wcmdmgr.exe
c:\windows\wt\updater\wcmdmgrl.exe
c:\windows\wt\updater\wt.ini
c:\windows\wt\webdriver.dll
c:\windows\wt\webdriver\4.1.1\actorobject.dll
c:\windows\wt\webdriver\4.1.1\dx5drv.dll
c:\windows\wt\webdriver\4.1.1\dx7drv.dll
c:\windows\wt\webdriver\4.1.1\objectbundle.dll
c:\windows\wt\webdriver\4.1.1\sound.dll
c:\windows\wt\webdriver\4.1.1\wdcaps.ded
c:\windows\wt\webdriver\4.1.1\wdengine.dll
c:\windows\wt\webdriver\4.1.1\webdriver.dll
c:\windows\wt\webdriver\4.1.1\wthost.exe
c:\windows\wt\webdriver\4.1.1\wthostctl.dll
c:\windows\wt\webdriver\4.1.1\wtmulti.dll
c:\windows\wt\webdriver\4.1.1\wtmulti.jar
c:\windows\wt\webdriver\4.1.1\wtwmplug.ax
c:\windows\wt\webdriver\4.1.1\wtwmplug.ini
c:\windows\wt\webdriver\export.dat
c:\windows\wt\webdriver\jdriver.dll
c:\windows\wt\webdriver\rdriver.dll
c:\windows\wt\webdriver\wildtangent.jar
c:\windows\wt\webdriver\wtdmmp.dll
c:\windows\wt\webdriver\wtdmmpi.jar
c:\windows\wt\webdriver\wtdmmpv.dll
c:\windows\wt\wt3d.dll
c:\windows\wt\wt3d.ini
c:\windows\wt\wtupdates\dmmp\3.0.2.000\files\controlPanel\index.html
c:\windows\wt\wtupdates\dmmp\3.0.2.000\files\update_info\data.wts
c:\windows\wt\wtupdates\dmmp\3.0.2.000\files\wtdmmp.dll
c:\windows\wt\wtupdates\dmmp\3.0.2.000\files\wtdmmpi.jar
c:\windows\wt\wtupdates\dmmp\3.0.2.000\files\wtdmmpv.dll
c:\windows\wt\wtupdates\dmmp\3.0.2.000\install\dmmp.cdanfo
c:\windows\wt\wtupdates\dmmp\3.0.2.000\install\DMMP_Uninstall.cdas
c:\windows\wt\wtupdates\DRM\3.2.0.19\files\controlPanel\index.html
c:\windows\wt\wtupdates\DRM\3.2.0.19\files\DRM0302.dll
c:\windows\wt\wtupdates\DRM\3.2.0.19\files\DRM0302Java.jar
c:\windows\wt\wtupdates\DRM\3.2.0.19\files\jDRM0302.dll
c:\windows\wt\wtupdates\DRM\3.2.0.19\files\rDRM0302.dll
c:\windows\wt\wtupdates\DRM\3.2.0.19\files\wt.sto
c:\windows\wt\wtupdates\DRM\3.2.0.19\install\DRM0302.cdanfo
c:\windows\wt\wtupdates\DRM\3.2.0.19\install\DRM0302_Uninstall.cdas
c:\windows\wt\wtupdates\Webd\4.1.1\files\actorobject.dll
c:\windows\wt\wtupdates\Webd\4.1.1\files\controlPanel\index.html
c:\windows\wt\wtupdates\Webd\4.1.1\files\dx5drv.dll
c:\windows\wt\wtupdates\Webd\4.1.1\files\dx7drv.dll
c:\windows\wt\wtupdates\Webd\4.1.1\files\jdriver.dll
c:\windows\wt\wtupdates\Webd\4.1.1\files\legacy\data.wts
c:\windows\wt\wtupdates\Webd\4.1.1\files\legacy\webdriver.dll
c:\windows\wt\wtupdates\Webd\4.1.1\files\legacy\wt3d.dll
c:\windows\wt\wtupdates\Webd\4.1.1\files\npWTHost.dll
c:\windows\wt\wtupdates\Webd\4.1.1\files\nsIWTHostPlugin.xpt
c:\windows\wt\wtupdates\Webd\4.1.1\files\ObjectBundle.dll
c:\windows\wt\wtupdates\Webd\4.1.1\files\rdriver.dll
c:\windows\wt\wtupdates\Webd\4.1.1\files\Sound.dll
c:\windows\wt\wtupdates\Webd\4.1.1\files\update_info\data.wts
c:\windows\wt\wtupdates\Webd\4.1.1\files\wdcaps.ded
c:\windows\wt\wtupdates\Webd\4.1.1\files\wdengine.dll
c:\windows\wt\wtupdates\Webd\4.1.1\files\Webd331.cdanfo
c:\windows\wt\wtupdates\Webd\4.1.1\files\Webd331_fileList.cdas
c:\windows\wt\wtupdates\Webd\4.1.1\files\Webd331_Uninstall.cdas
c:\windows\wt\wtupdates\Webd\4.1.1\files\webdriver.dll
c:\windows\wt\wtupdates\Webd\4.1.1\files\wildtangent.jar
c:\windows\wt\wtupdates\Webd\4.1.1\files\wt3d.ini
c:\windows\wt\wtupdates\Webd\4.1.1\files\WTHost.exe
c:\windows\wt\wtupdates\Webd\4.1.1\files\WTHostCtl.dll
c:\windows\wt\wtupdates\Webd\4.1.1\files\wtmulti.dll
c:\windows\wt\wtupdates\Webd\4.1.1\files\wtmulti.jar
c:\windows\wt\wtupdates\Webd\4.1.1\files\wtvh.dll
c:\windows\wt\wtupdates\Webd\4.1.1\files\wtwmplug.ax
c:\windows\wt\wtupdates\Webd\4.1.1\files\wtwmplug.ini
c:\windows\wt\wtupdates\Webd\4.1.1\install\Webd4_1_1.cdanfo
c:\windows\wt\wtupdates\Webd\4.1.1\install\Webd4_1_1_Uninstall.cdas
c:\windows\wt\wtupdates\wtdmmp\update_info\data.wts
c:\windows\wt\wtupdates\wtupdater\appinfo.dat
c:\windows\wt\wtupdates\wtwebdriver\update_info\data.wts
c:\windows\wt\wtvh.dll
D:\Autorun.inf
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_DOMAINSERVICE
.
.
((((((((((((((((((((((((( Files Created from 2012-11-06 to 2012-12-06 )))))))))))))))))))))))))))))))
.
.
2012-12-06 09:12 . 2012-12-06 09:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-12-06 09:12 . 2012-09-30 03:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-06 09:04 . 2012-12-06 09:26 -------- d-----w- c:\documents and settings\Administrator
2012-12-06 09:04 . 2008-04-14 01:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2012-12-06 09:04 . 2008-04-13 19:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2012-11-28 04:31 . 2012-11-28 04:31 -------- d-----w- C:\438966adcee0c6d7332ecac4
2012-11-27 02:09 . 2012-12-06 09:12 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-11-27 00:14 . 2012-11-27 00:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Iminent
2012-11-26 23:40 . 2012-11-26 23:40 -------- d-----w- c:\program files\Common Files\Umbrella
2012-11-26 23:40 . 2012-11-27 00:14 -------- d-----w- c:\program files\Iminent
2012-11-26 23:39 . 2012-11-26 23:39 -------- d-----w- c:\program files\Yontoo
2012-11-26 23:39 . 2012-11-26 23:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Tarma Installer
2012-11-15 09:31 . 2012-11-15 09:31 -------- d-----w- C:\dbda18cca2edf96d2a070b90
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-27 18:35 . 2012-10-27 18:35 8281168 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\BingBar\BBSvc\7.1.391.0oemBingBarSetup-Partner.EXE
2012-10-27 04:21 . 2012-10-27 04:21 44032 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\LocalContent\Attachments\devcon.exe
2012-10-27 04:21 . 2012-10-27 04:21 307200 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\pchnotify.exe
2012-10-27 04:20 . 2012-10-27 04:20 3072 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\jsharpde\pchealthde.exe
2012-10-27 04:20 . 2012-10-27 04:20 159744 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\PCHButton.exe
2012-10-27 04:20 . 2012-10-27 04:20 77824 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\FDIWrapper.dll
2012-10-27 04:20 . 2012-10-27 04:20 26572 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\jsharpde\INV16.dll
2012-10-27 04:20 . 2012-10-27 04:20 40960 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\ScDmi.dll
2012-10-27 04:20 . 2012-10-27 04:20 69632 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\jsharpde\msxmlwrapper.dll
2012-10-27 04:20 . 2012-10-27 04:20 49152 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\PCHI18N.dll
2012-10-27 04:20 . 2012-10-27 04:20 139264 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\ContentUpdater.exe
2012-10-27 04:20 . 2012-10-27 04:20 110592 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\DSAPI4.dll
2012-10-27 04:20 . 2012-10-27 04:20 98304 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\PluginCtrl.dll
2012-10-27 04:20 . 2012-10-27 04:20 287310 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\HPBasicDetection.dll
2012-10-27 04:20 . 2012-10-27 04:20 69632 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\msxmlwrapper.dll
2012-10-27 04:20 . 2012-10-27 04:20 114688 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\jsharpde\ZipLib.dll
2012-10-27 04:20 . 2012-10-27 04:20 5632 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\jsharpde\GUI.dll
2012-10-27 04:20 . 2012-10-27 04:20 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\jsharpde\pchapi.dll
2012-10-27 04:20 . 2012-10-27 04:20 434176 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\jsharpde\motivede.dll
2012-10-27 04:20 . 2012-10-27 04:20 315392 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\pchmsxml.dll
2012-10-27 04:20 . 2012-10-27 04:20 77824 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\WinVerifyTrust.dll
2012-10-27 04:20 . 2012-10-27 04:20 344064 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\jsharpde\api.dll
2012-10-27 04:20 . 2012-10-27 04:20 24576 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\jsharpde\pcdapi.dll
2012-10-27 04:20 . 2012-10-27 04:20 45056 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\jsharpde\util.dll
2012-10-27 04:20 . 2012-10-27 04:20 282624 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\jsharpde\clientutil52.dll
2012-10-27 04:20 . 2012-10-27 04:20 356352 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\jsharpde\client_motkt.dll
2012-10-27 04:20 . 2012-10-27 04:20 28672 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\InetWrap.dll
2012-10-27 04:19 . 2012-10-27 04:19 102400 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\PCDrAccess.dll
2012-10-27 04:19 . 2012-10-27 04:19 114688 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\jsharpde\asst_ui.dll
2012-10-27 04:19 . 2012-10-27 04:19 49152 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\jsharpde\hwinv.dll
2012-10-27 04:19 . 2012-10-27 04:19 315392 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\jsharpde\pchmsxml.dll
2012-10-27 04:19 . 2012-10-27 04:19 36864 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\jsharpde\gnu.dll
2012-10-27 04:19 . 2012-10-27 04:19 126976 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\SearchCtrl.dll
2012-10-27 04:19 . 2012-10-27 04:19 4096 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\winverifytrustwrapper.dll
2012-10-27 04:19 . 2012-10-27 04:19 212992 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\jsharpde\jsharpinterp.dll
2012-10-27 04:19 . 2012-10-27 04:19 307200 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\pchealthplugin.dll
2012-10-27 03:40 . 2005-02-17 00:36 3645 ----a-w- c:\windows\viassary-hp.reg
2012-10-27 00:49 . 2005-05-10 07:26 73728 ----a-w- c:\windows\ALCFDRTM.VER
2012-10-22 08:37 . 2004-08-04 11:00 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-10-02 18:04 . 2004-08-04 11:00 58368 ----a-w- c:\windows\system32\synceng.dll
2012-09-18 00:17 . 2003-04-10 23:04 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-09-18 00:16 . 2012-08-11 03:45 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-09-18 00:15 . 2012-08-11 03:45 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-09-18 00:15 . 2012-08-11 03:45 746984 ----a-w- c:\windows\system32\deployJava1.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A317CB83-299C-4FC8-9ED7-2D64117D98EE}]
2011-04-20 17:29 81920 ----a-w- c:\program files\qwesttoolbar\qwesttoolbarDx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A317CB83-299C-4FC8-9ED7-2D64117D98EE}"= "c:\program files\qwesttoolbar\qwesttoolbarDx.dll" [2011-04-20 81920]
.
[HKEY_CLASSES_ROOT\clsid\{a317cb83-299c-4fc8-9ed7-2d64117d98ee}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-18 61952]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 88209]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"SoundMan"="SOUNDMAN.EXE" [2004-10-13 77824]
"AlcWzrd"="ALCWZRD.EXE" [2004-10-13 2742272]
"CenturyLinkTouchPointAgent"="c:\program files\CenturyLink\Desktop\CenturyLinkTouchPointAgent.exe" [2012-03-08 46720]
"QuickCare"="c:\program files\CenturyLink\QuickCare\bin\sprtcmd.exe" [2011-06-07 206120]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2012-08-24 336992]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-01-22 91520]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-06 413696]
"Iminent"="c:\program files\Iminent\Iminent.exe" [2012-11-22 1073784]
"IminentMessenger"="c:\program files\Iminent\Iminent.Messengers.exe" [2012-11-22 884344]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-02-17 180269]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-09-30 766536]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\WINDOWS\\system32\\dllhost.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\windows\system32\tuaievhl.exe"= c:\windows\system32\tua
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Iminent\\Iminent.exe"=
"c:\\Program Files\\Iminent\\Iminent.Messengers.exe"=
.
R2 BBSvc;BingBar Service;c:\program files\Microsoft\BingBar\7.1.391.0\BBSvc.exe [x]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [x]
R2 SProtection;SProtection;c:\program files\Common Files\Umbrella\Umbrella.exe [x]
R2 sprtsvc_quickcare;SupportSoft Sprocket Service (quickcare);c:\program files\CenturyLink\QuickCare\bin\sprtsvc.exe [x]
R2 tgsrvc_quickcare;SupportSoft Repair Service (quickcare);c:\program files\CenturyLink\QuickCare\bin\tgsrvc.exe [x]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [x]
R3 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\7.1.391.0\SeaPort.exe [x]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.1.121\McCHSvc.exe [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-04 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-25 06:15]
.
2012-11-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - hxxp://www.sidestep.com/get/k00719/sb02a.cab
DPF: {E99BF99C-5D95-11D4-A0EC-00500489A32D} - hxxp://gopublic.wspan.com/Scripts/us/DLLs/WSFileIO.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Notify-vtsqn - vtsqn.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-06 01:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Iminent = c:\program files\Iminent\Iminent.exe /warmup "F77F87E5-A6BD-4922-A530-EDF63D7E9F8C"????????????????????????????????????????????????????????????????????????????????????
IminentMessenger = c:\program files\Iminent\Iminent.Messengers.exe????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1776)
c:\windows\system32\WININET.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MI1933~1\Office14\1033\GrooveIntlResource.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
.
Completion time: 2012-12-06 01:40:33 - machine was rebooted
ComboFix-quarantined-files.txt 2012-12-06 09:40
.
Pre-Run: 108,586,373,120 bytes free
Post-Run: 109,003,014,144 bytes free
.
- - End Of File - - ECB012F87F556E1CA5E6838260448B78

#4 CatByte (Malware Response Team)

Posted 14 December 2012 - 07:19 AM

Please run the following:

Please download Junkware Removal Tool to your desktop.
  • Shut down your antivirus to avoid any conflicts.
  • Right-mouse click JRT.exe and select Run as administrator
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message


NEXT


Download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply


NEXT

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 ABComp (Topic Starter)

Posted 14 December 2012 - 08:29 PM

Thanks so much for all your help!
JRT and AdwCleaner ran successfully. Logs attached.

At launch, Malwarebytes is still throwing the error messages:

Title: vbAccelerator SGrid II Control
Message: Run-time error '0'

Followed by:

Title: Malwarebytes Anti-Malware
Message: Run-time error '440':
Automation Error

The program does not launch

I uninstalled it through add/remove programs and reinstalled, with the same error message

Internet explorer is still automatically closing on launch so I am unable to do the online scanner from ESET (All of these messages have been posted from a different PC)

Also worth noting, the Control panel options such as administrative tools and internet options will still not load, as if the shortcut to the processes has been corrupted.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.1.4 (12.14.2012:2)
OS: Microsoft Windows XP x86
Ran by HP_Owner on Fri 12/14/2012 at 16:54:36.07
Blog: http://thisisudax.blogspot.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services

Successfully stopped: [Service] viewpoint manager service
Successfully deleted: [Service] viewpoint manager service



~~~ Registry Values

Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\windows\currentversion\run\\iminent
Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\windows\currentversion\run\\iminentmessenger
Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\toolbar\webbrowser\\{1bb22d38-a411-4b13-a746-c2a4f4ec7344}
Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\toolbar\\{1bb22d38-a411-4b13-a746-c2a4f4ec7344}
Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\toolbar\webbrowser\\{ef99bd32-c1fb-11d2-892f-0090271d4f88}
Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\toolbar\\{ef99bd32-c1fb-11d2-892f-0090271d4f88}



~~~ Registry Keys

Successfully deleted: [Registry Key] "hkey_current_user\software\hbtools"
Successfully deleted: [Registry Key] "hkey_current_user\software\iminent"
Successfully deleted: [Registry Key] "hkey_current_user\software\shopperreports"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\appid\bho.dll"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\appid\iminent.webbooster.internetexplorer.dll"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\appid\yontooieclient.dll"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\axmetastream.metastreamctl"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\axmetastream.metastreamctl.1"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\axmetastream.metastreamctlsecondary"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\axmetastream.metastreamctlsecondary.1"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminent"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminent.business.tinyfying.downloadargs"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminent.business.tinyfying.linktopromoteargs"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminent.business.tinyfying.rawdataargs"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminent.business.tinyfying.tinyurlargs"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminent.business.tinyfying.virallinkargs"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminent.mediator.communication.clientcallback"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminent.mediator.communication.contractbase"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminent.mediator.communication.datacontracts.addtousercontentcommand"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminent.mediator.communication.datacontracts.checkloginstatuscommand"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminent.mediator.communication.datacontracts.cleancachecommand"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminent.mediator.communication.datacontracts.gameovercallback"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminent.mediator.communication.datacontracts.getcreditcommand"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminent.mediator.communication.datacontracts.getinstallationcontextcommand"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminent.mediator.communication.datacontracts.getloginstatuscommand"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminent.mediator.communication.datacontracts.getloginstatusresult"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminent.mediator.communication.datacontracts.getvariablecommand"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminent.mediator.communication.datacontracts.getvariableresult"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminent.mediator.communication.datacontracts.installationcontextresult"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminent.mediator.communication.datacontracts.loadcontentcommand"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminent.mediator.communication.datacontracts.loadcontentcommandresult"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminent.mediator.communication.datacontracts.logincommand"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminent.mediator.communication.datacontracts.loginstatuschangedcallback"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminent.mediator.communication.datacontracts.logoutcommand"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminent.mediator.communication.datacontracts.mergeidentitycommand"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminent.mediator.communication.datacontracts.myaccountcommand"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminent.mediator.communication.datacontracts.playcontentcommand"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminent.mediator.communication.datacontracts.postcontentcallback"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminent.mediator.communication.datacontracts.recycleviewscommand"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminent.mediator.communication.datacontracts.setvariablecommand"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminent.mediator.communication.datacontracts.showbrowserwindowcommand"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminent.mediator.communication.datacontracts.showcontrolcentercommand"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminent.mediator.communication.datacontracts.showpluginwindowcommand"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminent.mediator.communication.datacontracts.usercontentchangedcallback"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminent.mediator.communication.datacontracts.variablechangedcallback"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminent.mediator.communication.datacontracts.warmupcommand"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminent.mediator.communication.datacontracts.welcomecommand"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminent.mediator.communication.servercommand"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminent.mediator.communication.serverresult"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminent.mediator.lightcontent"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminent.mediator.lighturi"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminent.mediator.mediatorserviceproxy"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminentwebbooster.activecontenthandle.1"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminentwebbooster.activecontenthandler"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminentwebbooster.browserhelperobject"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminentwebbooster.browserhelperobject.1"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminentwebbooster.scriptextender"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminentwebbooster.scriptextender.1"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminentwebbooster.tinyurlhandler"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\iminentwebbooster.tinyurlhandler.1"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\yontooieclient.api"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\yontooieclient.api.1"
Successfully deleted: [Registry Key] "hkey_local_machine\software\freeze.com"
Successfully deleted: [Registry Key] "hkey_local_machine\software\iminent"
Successfully deleted: [Registry Key] "hkey_local_machine\software\metastream"
Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\active setup\installed components\{03f998b2-0e00-11d3-a498-00104b6eb52e}"
Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\active setup\installed components\{1b00725b-c455-4de6-bfb6-ad540ad427cd}"
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{a09ab6eb-31b5-454c-97ec-9b294d92ee2a}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{a09ab6eb-31b5-454c-97ec-9b294d92ee2a}
Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{bffed5ca-8bdf-47cc-aed0-23f4e6d77732}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{bffed5ca-8bdf-47cc-aed0-23f4e6d77732}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{ef99bd32-c1fb-11d2-892f-0090271d4f88}



~~~ Files

Successfully deleted: [File] "C:\chromehplog.txt"



~~~ Folders

Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\iminent"
Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\tarma installer"
Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\trymedia"
Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\viewpoint"
Successfully deleted: [Folder] "C:\Documents and Settings\HP_Owner\Application Data\iminent"
Successfully deleted: [Folder] "C:\Documents and Settings\HP_Owner\Application Data\toolbar4"
Successfully deleted: [Folder] "C:\Documents and Settings\HP_Owner\Local Settings\Application Data\visi_coupon"
Successfully deleted: [Folder] "C:\Program Files\iminent"
Successfully deleted: [Folder] "C:\Program Files\trymedia"
Failed to delete: [Folder] "C:\Program Files\viewpoint"
Successfully deleted: [Folder] "C:\Program Files\yontoo"
Successfully deleted: [Folder] "C:\Documents and Settings\All Users\start menu\programs\hot deals"





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 12/14/2012 at 17:00:25.81
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




#6 CatByte (Malware Response Team)

Posted 14 December 2012 - 08:35 PM

Please run the following:

Please download the ESET services repair tool, extract the file to your desktop.
  • Double-click ServicesRepair.exe,
  • If security notifications appear, click Continue or Run and then click Yes when asked if you want to proceed.
  • Once the tool has finished, you will be prompted to restart your computer. Click Yes to restart.
  • A log will be saved in the CCSupport folder the tool created on your desktop; please post the content in your next reply



NEXT



Please download Windows Repair (all in one) from here

Install the program then run it

Go to step 2 and allow it to run Disk check

Posted Image

Once that is done then go to step 3 and allow it to run SFC

Posted Image

On the Start Repairs tab => click Start

Posted Image

Click on the select all check box and then click on Start

DON'T use the computer while each scan is in progress.

Restart may be needed to finish the repair procedure.


NEXT


  • Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
  • Restart your computer (very important).
  • Download and run this utility.
  • It will ask to restart your computer (please allow it to).
  • After the computer restarts, install the latest version from here.



#7 ABComp (Topic Starter)

Posted 15 December 2012 - 03:52 AM

Thanks for the speedy reply! :busy:

ESET Services repair ran successfully, log posted below

Unfortunately I am getting similar results with Tweaking.com's Windows Repair tool as with Malwarebytes. The program fails to create the .lnk files at the end of installation, and after attempting to run the Repair_Windows shortcut manually the program throws the following error in a pop-up window:

Title: PcWinTech Custom Tabs
Body: Run-time error '9':

Subscript out of range

I did not run the mbam removal utility as I am expecting similar results.

Log Opened: 2012-12-15 @ 00:36:51
00:36:51 - -----------------
00:36:51 - | Begin Logging |
00:36:51 - -----------------
00:36:51 - Fix started on a WIN_XP X86 computer
00:36:51 - Prep in progress. Please Wait.
00:36:58 - Prep complete
00:36:58 - Repairing Services Now. Please wait...

The operation completed successfully
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\XP\BITS.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS\Enum>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS\Security>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS>

SetACL finished successfully.

The operation completed successfully
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\XP\SharedAccess.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Enum>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Setup>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Epoch>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess>

SetACL finished successfully.

The operation completed successfully
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\XP\wscsvc.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wscsvc\Enum>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wscsvc\Security>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wscsvc\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wscsvc>

SetACL finished successfully.

The operation completed successfully
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\XP\wuauserv.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wuauserv\Enum>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wuauserv\Security>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wuauserv\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wuauserv>

SetACL finished successfully.
00:37:07 - Services Repair Complete.
00:37:30 - Reboot Initiated

#8 CatByte (Malware Response Team)

Posted 15 December 2012 - 09:39 AM

Please try running both from Safe mode with Networking:

To Enter Safe Mode
  • Go to Start > Shut off your Computer > Restart
  • As the computer starts to boot up, tap the F8 key repeatedly; this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll to Safe Mode with Networking
  • Then press the Enter Key on your Keyboard
  • Go into your usual account



#9 ABComp (Topic Starter)

Posted 17 December 2012 - 06:17 AM

Sorry for the delay,

Malwarebytes still throws the error in Safe Mode; same story with the Tweaking.com utility.

Internet Explorer will continue to automatically close at launch even in safe mode with networking.

#10 CatByte (Malware Response Team)

Posted 17 December 2012 - 09:30 AM

please run the following:

  • Download RogueKiller and save it to your desktop.
  • Quit all other programs
  • Start RogueKiller.exe
  • Wait until the Prescan has finished ...
  • Click on Scan
    Posted Image
  • Wait for the end of the scan
  • A report will be created on your desktop.
  • Click on the Delete button
    Posted Image
  • Next click on the ShortcutsFix
    Posted Image
  • another report will be created on your desktop.

Please post: All RKreport.txt text files located on your desktop.



#11 ABComp (Topic Starter)

Posted 18 December 2012 - 07:34 AM

Program ran successfully, logs posted below:

RogueKiller V8.4.0 [Dec 15 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : HP_Owner [Admin rights]
Mode : Scan -- Date : 12/18/2012 04:15:58

Bad processes : 2
[SUSP PATH] ALCWZRD.EXE -- C:\WINDOWS\ALCWZRD.EXE -> KILLED [TermProc]
[SUSP PATH] CenturyLinkTouchPointAgent.exe -- C:\Program Files\CenturyLink\Desktop\CenturyLinkTouchPointAgent.exe -> KILLED [TermProc]

Registry Entries : 8
[RUN][SUSP PATH] HKLM\[...]\Run : CenturyLinkTouchPointAgent ("C:\Program Files\CenturyLink\Desktop\CenturyLinkTouchPointAgent.exe" /autostart) -> FOUND
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

Particular Files / Folders:

Driver : [LOADED]

HOSTS File:
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


MBR Check:

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 3dc3d9e0aa18521eb7d02496049107ab
[BSP] 7ae3bf8eef3920dbb6ed349be0233cf7 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 7788 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 15951600 | Size: 182990 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_12182012_02d0415.txt >>
RKreport[1]_S_12182012_02d0415.txt


RogueKiller V8.4.0 [Dec 15 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : HP_Owner [Admin rights]
Mode : Remove -- Date : 12/18/2012 04:28:19

Bad processes : 2
[SUSP PATH] ALCWZRD.EXE -- C:\WINDOWS\ALCWZRD.EXE -> KILLED [TermProc]
[SUSP PATH] CenturyLinkTouchPointAgent.exe -- C:\Program Files\CenturyLink\Desktop\CenturyLinkTouchPointAgent.exe -> KILLED [TermProc]

Registry Entries : 8
[RUN][SUSP PATH] HKLM\[...]\Run : CenturyLinkTouchPointAgent ("C:\Program Files\CenturyLink\Desktop\CenturyLinkTouchPointAgent.exe" /autostart) -> DELETED
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> REPLACED (0)
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> REPLACED (0)
[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

Particular Files / Folders:

Driver : [LOADED]

HOSTS File:
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


MBR Check:

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 3dc3d9e0aa18521eb7d02496049107ab
[BSP] 7ae3bf8eef3920dbb6ed349be0233cf7 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 7788 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 15951600 | Size: 182990 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_12182012_02d0428.txt >>
RKreport[1]_S_12182012_02d0415.txt ; RKreport[2]_D_12182012_02d0428.txt


RogueKiller V8.4.0 [Dec 15 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : HP_Owner [Admin rights]
Mode : Shortcuts HJfix -- Date : 12/18/2012 04:31:05

Bad processes : 2
[SUSP PATH] ALCWZRD.EXE -- C:\WINDOWS\ALCWZRD.EXE -> KILLED [TermProc]
[SUSP PATH] CenturyLinkTouchPointAgent.exe -- C:\Program Files\CenturyLink\Desktop\CenturyLinkTouchPointAgent.exe -> KILLED [TermProc]

Driver : [LOADED]

File attributes restored:
Desktop: Success 0 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 6 / Fail 0
Start menu: Success 0 / Fail 0
User folder: Success 143 / Fail 0
My documents: Success 15 / Fail 15
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 354 / Fail 0
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[D:] \Device\HarddiskVolume1 -- 0x3 --> Restored
[E:] \Device\CdRom0 -- 0x5 --> Skipped
[F:] \Device\CdRom1 -- 0x5 --> Skipped
[G:] \Device\Harddisk1\DP(1)0-0+7 -- 0x2 --> Restored
[H:] \Device\Harddisk2\DP(1)0-0+8 -- 0x2 --> Restored
[I:] \Device\Harddisk3\DP(1)0-0+9 -- 0x2 --> Restored
[J:] \Device\Harddisk4\DP(1)0-0+a -- 0x2 --> Restored
[K:] \Device\SCDEmu\SCDEmuCd0 -- 0x5 --> Skipped
[L:] \Device\Harddisk5\DP(1)0-0+c -- 0x2 --> Restored

Finished : << RKreport[3]_SC_12182012_02d0431.txt >>
RKreport[1]_S_12182012_02d0415.txt ; RKreport[2]_D_12182012_02d0428.txt ; RKreport[3]_SC_12182012_02d0431.txt

#12 CatByte (Malware Response Team)

Posted 18 December 2012 - 10:50 AM

Please run the following:

  • Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
  • Restart your computer (very important).
  • Download and run this utility.
  • It will ask to restart your computer (please allow it to).
  • After the computer restarts, install the latest version from here.


let me know if you are now able to run MBAM

let me know if there are any other issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 ABComp

  • Topic Starter
  • Members
  • 9 posts

Posted 19 December 2012 - 07:55 AM

Uninstalled Malwarebytes and successfully ran the removal utility.

Unfortunately it threw the same errors during installation at the end, during the stage in which it creates the .lnk files on the desktop / start menu.
After launching mbam.exe, the same errors listed in the original post get thrown, and the process svchost.exe under the SYSTEM user jumps to >90% CPU usage. After clicking through the errors, mbam.exe terminates and svchost.exe returns to normal.

In testing random applications on the computer, I've noticed pretty much any shortcut will fail to execute. From the desktop the shortcuts appear to fade slightly and nothing ever launches. I was successfully able to launch Adobe Reader, Outlook Express, and IrfanView, but only by manually navigating to the executable.

#14 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 19 December 2012 - 08:25 AM

Try running the following:

Note: Vista and Windows 7 users need to right click on the file and choose Run as administrator


then run the following:


Please download Unhide.exe to your desktop:
  • Double-click on the Unhide.exe icon on your desktop and allow the program to run.
  • This program will remove the hidden attributes from all the files on your system.
  • Note: If you had purposely hidden any files, then you will need to hide them again after this tool has run.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 ABComp

  • Topic Starter
  • Members
  • 9 posts

Posted 24 December 2012 - 03:33 AM

Both programs ran successfully, logs pasted below:

Rkill 2.4.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 12/23/2012 01:05:27 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* C:\WINDOWS\system32\hphmon06.exe (PID: 2084) [WD-HEUR]
* C:\windows\system\hpsysdrv.exe (PID: 2104) [WD-HEUR]

2 proccesses terminated!

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Firewall Disabled

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = dword:00000000

Checking Windows Service Integrity:

* RpcSs => %SystemRoot%\system32\svchost.exe -k rpcss [Incorrect ImagePath]

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* HOSTS file entries found:

127.0.0.1 localhost

Program finished at: 12/23/2012 01:06:05 PM
Execution time: 0 hours(s), 0 minute(s), and 38 seconds(s)
Unhide by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Unhide.exe can be found at this link:
http://www.bleepingcomputer.com/forums/topic405109.html

Program started at: 12/23/2012 01:06:40 PM
Windows Version: Windows XP

Please be patient while your files are made visible again.

Processing the C:\ drive
Finished processing the C:\ drive. 146630 files processed.

Processing the D:\ drive
Finished processing the D:\ drive. 12204 files processed.

Processing the G:\ drive
Finished processing the G:\ drive. 0 files processed.

Processing the H:\ drive
Finished processing the H:\ drive. 0 files processed.

Processing the I:\ drive
Finished processing the I:\ drive. 0 files processed.

Processing the J:\ drive
Finished processing the J:\ drive. 0 files processed.

Processing the L:\ drive
Finished processing the L:\ drive. 116 files processed.

The C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\smtmp\ folder does not exist!!
Unhide cannot restore your missing shortcuts!!
Please see this topic in order to learn how to restore default
Start Menu shortcuts: http://www.bleepingcomputer.com/forums/topic405109.html

Searching for Windows Registry changes made by FakeHDD rogues.
- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
No registry changes detected.

Program finished at: 12/24/2012 12:26:02 AM
Execution time: 11 hours(s), 19 minute(s), and 21 seconds(s)
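The Rkill report above is easy to read by hand, but when a helpdesk collects many of them it helps to pull the findings that matter (terminated processes, the disabled-firewall registry value, the service ImagePath mismatch, non-default HOSTS entries) into a structured form. The parser below is an added example written for this page; it is not part of the thread, of Rkill, or of any BleepingComputer tool. It assumes the section layout shown in the log above (bare lines ending in a colon start a section, findings are bulleted with `*`). The sample input is a trimmed copy of the report posted above with one constructed HOSTS line (`update.example.invalid`) added so the non-default-entry check has something to flag, and the `DEFAULT_HOSTS` set of entries treated as benign is the example's own assumption.

```python
"""Parse an Rkill report into structured findings for triage (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample: trimmed copy of the Rkill 2.4.5 report pasted above,
# plus one made-up HOSTS line so the non-default-entry check fires.
SAMPLE_LOG = """\
Rkill 2.4.5 by Lawrence Abrams (Grinler)
Program started at: 12/23/2012 01:05:27 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for processes to terminate:

* C:\\WINDOWS\\system32\\hphmon06.exe (PID: 2084) [WD-HEUR]
* C:\\windows\\system\\hpsysdrv.exe (PID: 2104) [WD-HEUR]

2 proccesses terminated!

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Firewall Disabled

[HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile]
"EnableFirewall" = dword:00000000

Checking Windows Service Integrity:

* RpcSs => %SystemRoot%\\system32\\svchost.exe -k rpcss [Incorrect ImagePath]

Checking HOSTS File:

* HOSTS file entries found:

127.0.0.1 localhost
127.0.0.1 update.example.invalid

Program finished at: 12/23/2012 01:06:05 PM
"""

PROC_RE = re.compile(r"^\* (?P<path>.+?) \(PID: (?P<pid>\d+)\) \[(?P<tag>[^\]]+)\]$")
SERVICE_RE = re.compile(r"^\* (?P<name>\S+) => (?P<path>.+?) \[(?P<issue>[^\]]+)\]$")
REG_KEY_RE = re.compile(r"^\[(?P<key>HK[A-Z]+\\.+)\]$")
REG_VAL_RE = re.compile(r'^"(?P<name>[^"]+)" = (?P<value>.+)$')
HOSTS_RE = re.compile(r"^(?P<ip>[0-9a-fA-F.:]+)\s+(?P<host>\S+)$")

# Assumed benign HOSTS entries; anything else is surfaced for review.
DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}


@dataclass
class RkillFindings:
    terminated: list = field(default_factory=list)      # (path, pid, rule tag)
    service_issues: list = field(default_factory=list)  # (service, image path, issue)
    registry: dict = field(default_factory=dict)        # "KEY\\value name" -> data
    hosts: list = field(default_factory=list)           # (ip, hostname)
    firewall_disabled: bool = False
    associations_reset: bool = False


def parse_rkill(text: str) -> RkillFindings:
    """Walk the report line by line, tracking which section we are in."""
    f = RkillFindings()
    section = ""
    reg_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Section headers are bare lines ending in ':' (bulleted lines are findings).
        if line.endswith(":") and not line.startswith("*"):
            section, reg_key = line[:-1], ""
            continue
        if line.startswith("Resetting .EXE"):
            f.associations_reset = True
            continue
        m = REG_KEY_RE.match(line)
        if m:                                   # "[HKLM\...]" opens a registry dump
            reg_key = m.group("key")
            continue
        m = REG_VAL_RE.match(line)
        if m and reg_key:                       # '"Name" = data' belongs to that key
            f.registry[reg_key + "\\" + m.group("name")] = m.group("value")
            continue
        if section.startswith("Checking for processes"):
            m = PROC_RE.match(line)
            if m:
                f.terminated.append((m.group("path"), int(m.group("pid")), m.group("tag")))
        elif section.startswith("Performing miscellaneous"):
            if line == "* Windows Firewall Disabled":
                f.firewall_disabled = True
        elif section.startswith("Checking Windows Service Integrity"):
            m = SERVICE_RE.match(line)
            if m:
                f.service_issues.append((m.group("name"), m.group("path"), m.group("issue")))
        elif section.startswith("Checking HOSTS"):
            m = HOSTS_RE.match(line)
            if m:
                f.hosts.append((m.group("ip"), m.group("host")))
    return f


def triage(f: RkillFindings) -> list:
    """Turn findings into analyst-facing lines, most significant first."""
    notes = []
    if f.firewall_disabled:
        val = next((v for k, v in f.registry.items() if k.endswith("\\EnableFirewall")), "?")
        notes.append(f"firewall: Windows Firewall disabled (EnableFirewall = {val})")
    for name, path, issue in f.service_issues:
        notes.append(f"service: {name} {issue}: {path}")
    for path, pid, tag in f.terminated:
        notes.append(f"process: Rkill terminated {path} (PID {pid}, rule {tag})")
    for ip, host in f.hosts:
        if (ip, host) not in DEFAULT_HOSTS:
            notes.append(f"hosts: non-default entry {ip} {host}")
    if f.associations_reset:
        notes.append("registry: .EXE/.COM/.BAT associations were reset by Rkill")
    return notes


if __name__ == "__main__":
    for note in triage(parse_rkill(SAMPLE_LOG)):
        print(note)
```

Run against the real report from the post, the output lists the disabled firewall, the RpcSs ImagePath mismatch and the two HP processes Rkill killed; the `hosts:` line only appears because of the constructed sample entry. Anything Rkill reports that the parser does not recognise is simply ignored, so new report sections do not break it.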