
PEinStream Rootkit


8 replies to this topic

#1 hereandnow

  • Members
  • 20 posts

Posted 19 January 2013 - 06:15 PM

Hello -

I would really appreciate your help.

I have not seen this particular rootkit listed anywhere.

I have tried several rootkit/antivirus cleaners and my sense is that the computer seems to be getting more infected not less. Though some of the rootkit cleaners detected Windows items that were infected it was Comodo Cleaning Essentials (CCE) that identified it as the PEinStream rootkit. It indicated the rootkit was removed in a later scan but other programs suggested malware activity may still be occurring.

The actual issues with the computer have been minor so far. I do not remember what caused me to become alarmed but I was concerned enough to run several programs. Small things I have noticed since then: the machine hung up and displayed a small patch of blue on the desktop, almost like flowers, just once. I do not remember if this is a normal part of Windows but as the program was almost finished booting up into Windows a dos/run window appeared and a system32.exe.command was executed. Another small item: when I ran the DDS program the first time there was a message in the taskbar which said that the program "did not do a damn thing" - or something to that effect. Part of the program itself?

There was a rootkit identified and several issues that have been found in the system. There were also two minor advertising bugs (PUPs) this morning - maybe dialers? - not adware - which seemed to clean up easily. I could not find the program or log for them. I also have a GMER and RootRepeal report. If you want these I can upload them to you also.


Pasted below is the first DDS report and I have attached the second one to this message. Also attached is the Comodo report.

Thank you so much.


-----------------------------------------------------
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by E at 16:57:14 on 2013-01-19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1347 [GMT -5:00]
.
AV: ZoneAlarm Free Firewall Antivirus *Disabled/Updated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Free Firewall Firewall *Enabled*
.
============== Running Processes ================
.
C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\Wise\Wise Care 365\WiseTray.exe
C:\Program Files\IObit\Smart Defrag 2\SmartDefrag.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\IObit\Advanced SystemCare 6\ASCTray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: ZoneAlarm Security Engine Registrar: {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.7529.1424\swg.dll
TB: ZoneAlarm Security Engine: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: ZoneAlarm Security Engine: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [ccleaner] "c:\program files\ccleaner\CCleaner.exe" /AUTO
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Advanced SystemCare 6] "c:\program files\iobit\advanced systemcare 6\ASCTray.exe" /AutoStart
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ZoneAlarm] "c:\program files\checkpoint\zonealarm\zatray.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [ISW] c:\program files\checkpoint\zaforcefield\ForceField.exe /icon="hidden"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} - hxxp://quickscan.bitdefender.com/qsax/qsax.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1342632085903
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1354680788437
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.5.5.0.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 192.168.1.1 71.252.0.12
TCP: Interfaces\{CA51E49D-E4D0-4783-AFD4-A3BFCAB8C825} : DHCPNameServer = 192.168.1.1 71.252.0.12
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\24.0.1312.52\installer\setup.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\e\application data\mozilla\firefox\profiles\lhp9mv6r.default\
FF - prefs.js: browser.search.selectedEngine - hxxp://www.google.com/search
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\browser\nppdf32(2).dll
FF - plugin: c:\program files\checkpoint\zaforcefield\trustchecker\bin\npFFApi.dll
FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprpplugin.dll
FF - ExtSQL: 2012-12-11 02:24; browserprotect@browserprotect.com; c:\documents and settings\e\application data\mozilla\firefox\profiles\lhp9mv6r.default\extensions\browserprotect@browserprotect.com.xpi
FF - ExtSQL: 2012-12-11 02:24; donottrackplus@abine.com; c:\documents and settings\e\application data\mozilla\firefox\profiles\lhp9mv6r.default\extensions\donottrackplus@abine.com
FF - ExtSQL: 2012-12-11 02:25; {73a6fe31-595d-460b-a920-fcc0f8843232}; c:\documents and settings\e\application data\mozilla\firefox\profiles\lhp9mv6r.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
FF - ExtSQL: 2012-12-11 02:25; {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}; c:\documents and settings\e\application data\mozilla\firefox\profiles\lhp9mv6r.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - ExtSQL: 2012-12-11 02:25; {d40f5e7b-d2cf-4856-b441-cc613eeffbe3}; c:\documents and settings\e\application data\mozilla\firefox\profiles\lhp9mv6r.default\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}.xpi
FF - ExtSQL: 2012-12-11 02:25; {E6C1199F-E687-42da-8C24-E7770CC3AE66}; c:\documents and settings\e\application data\mozilla\firefox\profiles\lhp9mv6r.default\extensions\{E6C1199F-E687-42da-8C24-E7770CC3AE66}.xpi
FF - ExtSQL: 2013-01-18 20:48; wrc@avast.com; c:\program files\avast software\avast\webrep\FF
.
---- FIREFOX POLICIES ----
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: content.notify.ontimer - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.switch.threshold - 750000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
============= SERVICES / DRIVERS ===============
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2012-11-29 14776]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2013-1-18 738504]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2013-1-18 361032]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R1 Vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2012-6-21 526640]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2012-7-11 116608]
R2 AdvancedSystemCareService6;Advanced SystemCare Service 6;c:\program files\iobit\advanced systemcare 6\ASCService.exe [2012-11-29 464256]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2013-1-18 21256]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2013-1-18 44808]
R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2012-4-30 27016]
R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2012-4-30 497280]
R2 vsmon;TrueVector Internet Monitor;c:\program files\checkpoint\zonealarm\vsmon.exe -service --> c:\program files\checkpoint\zonealarm\vsmon.exe -service [?]
R3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\drivers\rtl8192Ce.sys [2013-1-17 1218280]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 IMFservice;IMF Service;c:\program files\iobit\iobit malware fighter\IMFsrv.exe [2012-11-29 821592]
S2 WiseBootAssistant;Wise Boot Assistant;c:\program files\wise\wise care 365\BootTime.exe [2012-11-27 580648]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2012-7-24 1691480]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 KL1;kl1;c:\windows\system32\drivers\kl1.sys [2012-10-31 133208]
S4 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2012-10-31 11352]
S4 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2012-10-31 485808]
SUnknown rpcnetp;rpcnetp; [x]
.
=============== Created Last 30 ================
.
2013-01-19 21:51:12 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2013-01-19 21:23:34 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2013-01-19 01:48:04 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-01-19 01:47:39 41224 ----a-w- c:\windows\avastSS.scr
2013-01-19 00:15:58 -------- d-sha-r- C:\cmdcons
2013-01-18 23:56:44 616024 ----a-w- c:\windows\system32\COMCTL32.OCX
2013-01-18 23:56:44 -------- d-----w- c:\program files\XP TCPIP Repair
2013-01-18 23:01:26 98816 ----a-w- c:\windows\sed.exe
2013-01-18 23:01:26 256000 ----a-w- c:\windows\PEV.exe
2013-01-18 23:01:26 208896 ----a-w- c:\windows\MBR.exe
2013-01-17 17:49:05 -------- d-----w- C:\CCE_Quarantine
2013-01-17 11:41:06 1218280 ----a-r- c:\windows\system32\drivers\rtl8192Ce.sys
2013-01-17 03:45:24 -------- d-----w- c:\documents and settings\e\application data\SUPERAntiSpyware.com
2013-01-17 03:45:15 -------- d-----w- c:\program files\SUPERAntiSpyware
2013-01-17 03:45:15 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2013-01-17 02:54:05 -------- d-----w- c:\windows\system32\wbem\repository\FS
2013-01-17 02:54:05 -------- d-----w- c:\windows\system32\wbem\Repository
2013-01-17 02:49:36 -------- d-----w- c:\program files\common files\xing shared
2013-01-15 09:19:44 -------- d-----w- c:\windows\system32\Adobe
2013-01-15 09:15:03 -------- d-----w- c:\documents and settings\e\application data\RealNetworks
2013-01-15 09:14:11 -------- d-----w- c:\program files\RealNetworks
2013-01-15 09:14:08 -------- d-----w- c:\documents and settings\all users\application data\RealNetworks
2013-01-12 01:11:26 -------- d-----w- c:\documents and settings\e\local settings\application data\Sun
2013-01-03 22:52:28 256904 ----a-w- c:\windows\system32\drivers\tmcomm.sys
.
==================== Find3M ====================
.
2013-01-19 21:18:44 44544 ----a-w- c:\windows\system32\agremove.exe
2013-01-17 03:18:50 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-01-17 03:18:50 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-16 12:23:59 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-13 01:25:12 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-06 02:01:39 1371648 ----a-w- c:\windows\system32\msxml6.dll
2012-11-02 02:02:42 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17:54 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17:54 43520 ------w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35:34 385024 ------w- c:\windows\system32\html.iec
.
============= FINISH: 16:59:08.53 ===============
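
The DDS log above ends with a SERVICES / DRIVERS section and a "Created Last 30" section, and reading the two together is how a helper triages such a log: a service whose binary DDS marks as `[x]` (not found on disk) or whose start type it cannot determine is worth a closer look, and files created shortly before the log was taken under the same name tell you where to look. The Python script below is an added example, not part of this thread or of the DDS tool; it parses a few lines copied from the log above (both sections abbreviated) and correlates them. It assumes the file timestamps DDS prints are UTC while the header time is local (GMT -5), which is how the header time and the later file times line up; a hit is a review item, not a verdict, which is why the helper asks for further logs rather than acting on the DDS output alone.

```python
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Sample input: lines copied from the DDS log posted above (SERVICES / DRIVERS
# and "Created Last 30" sections, abbreviated to a handful of entries).
SERVICES_SECTION = r"""
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2012-11-29 14776]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2013-1-18 44808]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
SUnknown rpcnetp;rpcnetp; [x]
"""

CREATED_SECTION = r"""
2013-01-19 21:51:12 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2013-01-19 21:23:34 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2013-01-19 01:48:04 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-01-19 00:15:58 -------- d-sha-r- C:\cmdcons
2013-01-18 23:01:26 208896 ----a-w- c:\windows\MBR.exe
"""

# The log header reads "Run by E at 16:57:14 on 2013-01-19 ... [GMT -5:00]".
# Assumption: the file timestamps DDS prints are UTC (several would otherwise
# fall after the local run time), so the run time is shifted to UTC here.
LOG_TIME_UTC = datetime(2013, 1, 19, 16, 57, 14) + timedelta(hours=5)

# <start> <name>;<display name>;<binary path> [<date> <size>]  or  ...; [x]
SERVICE_RE = re.compile(
    r"^(?P<start>R\d|S\d|SUnknown)\s+(?P<name>[^;]*);(?P<display>[^;]*);(?P<rest>.*)$"
)
# <date> <time> <size, or -------- for directories> <attrs> <path>
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\S+)\s+(?P<attrs>\S+)\s+(?P<path>.*)$"
)


def parse_services(text):
    """Parse DDS SERVICES / DRIVERS lines into dicts."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest").strip()
        # DDS prints "[x]" when the registered binary is not found on disk.
        missing = rest.endswith("[x]")
        path = "" if missing else rest.rsplit(" [", 1)[0]
        services.append({
            "start": m.group("start"),
            "name": m.group("name").strip(),
            "display": m.group("display").strip(),
            "path": path,
            "binary_missing": missing,
        })
    return services


def parse_created(text):
    """Parse DDS "Created Last 30" lines; directory entries are skipped."""
    entries = []
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if not m or m.group("attrs").startswith("d"):
            continue
        entries.append({
            "created": datetime.strptime(
                m.group("date") + " " + m.group("time"), "%Y-%m-%d %H:%M:%S"),
            "size": int(m.group("size")),
            "path": m.group("path").strip(),
        })
    return entries


def triage(services, created, log_time=LOG_TIME_UTC, window_days=2):
    """Return services whose binary is missing or whose start type is unknown,
    each paired with same-named files created within `window_days` before the
    log was taken. A hit means "review this", not "this is malicious"."""
    cutoff = log_time - timedelta(days=window_days)
    recent = [e for e in created if e["created"] >= cutoff]
    findings = []
    for svc in services:
        if not (svc["binary_missing"] or svc["start"] == "SUnknown"):
            continue
        related = sorted(
            e["path"] for e in recent
            if PureWindowsPath(e["path"]).stem.lower() == svc["name"].lower()
        )
        findings.append({"service": svc["name"], "start": svc["start"],
                         "related_files": related})
    return findings


def report(findings):
    """Render findings as the one-line-per-item summary a helper would post."""
    lines = []
    for f in findings:
        files = ", ".join(f["related_files"]) or "none"
        lines.append(f"REVIEW service {f['service']} ({f['start']}): recent files -> {files}")
    return lines


if __name__ == "__main__":
    for line in report(triage(parse_services(SERVICES_SECTION),
                              parse_created(CREATED_SECTION))):
        print(line)
```

On the sample above the only review item is the `rpcnetp` service, paired with the two `rpcnetp.*` files created in `system32` minutes before the log was taken. An `[x]` can equally be left behind by an uninstalled product, so the cross-reference against recently created files, not the `[x]` alone, is what makes the item worth following up.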


#2 hereandnow

  • Topic Starter

  • Members
  • 20 posts

Posted 19 January 2013 - 06:30 PM

Unless it is a hidden file, it does not seem as if the DDS attachment made it to the forum server successfully. Just in case, I will upload again. I am also adding the GMER and RootRepeal reports.

Thanks!


#3 nasdaq

  • Malware Response Team
  • 38,753 posts
  • Location:Montreal, QC. Canada

Posted 21 January 2013 - 11:08 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Close any open browsers, and all other programs working. Make sure you save your file if working on a document.
  • Do not install any other programs until this is fixed.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third-party programs, if not up to date, can be the cause of infiltration and infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).

Please post the logs and let me know if the problem persists.

#4 hereandnow

  • Topic Starter

  • Members
  • 20 posts

Posted 21 January 2013 - 05:19 PM

I have run the three programs you linked in your e-mail and posted their logs below. The PEinStream rootkit was still in the system as of last night with only 3 entries in the CCE scan as opposed to 15 or so in previous nights. Again, CCE found it and indicated that the infection had been cleaned. Of the several I tried, CCE was the only antivirus/antimalware that indicated an infection. SUPERAntiSpyware did find a Trojan last night but the log was not kept for some reason so I do not have its name.

Yesterday I was receiving messages on my cellphone to sign back into my e-mail accounts. I was not required to actually put in my account information or password. This may have been a coincidence. As of today I can still sign into my e-mail accounts and there has not been any other unusual activity.

Thanks again for your help.

ComboFix 13-01-21.04 - E 01/21/2013 16:15:45.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1427 [GMT -5:00]
Running from: c:\documents and settings\E\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: ZoneAlarm Free Firewall Antivirus *Disabled/Updated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Free Firewall Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((( Files Created from 2012-12-21 to 2013-01-21 )))))))))))))))))))))))))))))))
.
.
2013-01-19 19:25 . 2013-01-19 19:25 -------- d-----w- c:\program files\7-Zip
2013-01-19 01:48 . 2012-10-30 23:51 361032 ----a-w- c:\windows\system32\drivers\aswSP.sys
2013-01-19 01:48 . 2012-10-30 23:51 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2013-01-19 01:48 . 2012-10-30 23:51 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-01-19 01:48 . 2012-10-30 23:51 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2013-01-19 01:48 . 2012-10-30 23:51 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2013-01-19 01:48 . 2012-10-30 23:51 97608 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2013-01-19 01:48 . 2012-10-30 23:51 89752 ----a-w- c:\windows\system32\drivers\aswmon.sys
2013-01-19 01:48 . 2012-10-30 23:51 25256 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2013-01-19 01:47 . 2012-10-30 23:51 41224 ----a-w- c:\windows\avastSS.scr
2013-01-19 01:47 . 2012-10-30 23:50 227648 ----a-w- c:\windows\system32\aswBoot.exe
2013-01-18 23:56 . 2013-01-18 23:56 -------- d-----w- c:\program files\XP TCPIP Repair
2013-01-18 23:56 . 2008-11-13 15:26 616024 ----a-w- c:\windows\system32\COMCTL32.OCX
2013-01-17 17:49 . 2013-01-20 23:18 -------- d-----w- C:\CCE_Quarantine
2013-01-17 11:41 . 2011-06-23 08:02 1218280 ----a-r- c:\windows\system32\drivers\rtl8192Ce.sys
2013-01-17 03:45 . 2013-01-17 03:45 -------- d-----w- c:\documents and settings\E\Application Data\SUPERAntiSpyware.com
2013-01-17 03:45 . 2013-01-17 03:45 -------- d-----w- c:\program files\SUPERAntiSpyware
2013-01-17 03:45 . 2013-01-17 03:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2013-01-17 02:54 . 2013-01-17 02:54 -------- d-----w- c:\windows\system32\wbem\Repository
2013-01-17 02:49 . 2013-01-17 02:49 -------- d-----w- c:\program files\Common Files\xing shared
2013-01-15 09:19 . 2013-01-17 02:49 -------- d-----w- c:\windows\system32\Adobe
2013-01-15 09:15 . 2013-01-15 09:15 -------- d-----w- c:\documents and settings\E\Application Data\RealNetworks
2013-01-15 09:14 . 2013-01-17 02:49 -------- d-----w- c:\program files\RealNetworks
2013-01-15 09:14 . 2013-01-15 09:14 -------- d-----w- c:\documents and settings\All Users\Application Data\RealNetworks
2013-01-14 19:44 . 2013-01-14 19:44 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2013-01-12 01:11 . 2013-01-12 01:11 -------- d-----w- c:\documents and settings\E\Local Settings\Application Data\Sun
2013-01-12 01:04 . 2013-01-12 01:04 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2013-01-03 22:52 . 2013-01-19 03:30 256904 ----a-w- c:\windows\system32\drivers\tmcomm.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-21 21:03 . 2012-07-10 19:04 44544 ----a-w- c:\windows\system32\agremove.exe
2013-01-17 03:18 . 2012-07-24 14:57 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-01-17 03:18 . 2012-07-24 14:57 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-16 12:23 . 2008-04-14 12:00 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-13 01:25 . 2008-04-14 12:00 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-06 02:01 . 2008-04-14 12:00 1371648 ----a-w- c:\windows\system32\msxml6.dll
2012-11-02 02:02 . 2008-04-14 12:00 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17 . 2008-04-14 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17 . 2008-04-14 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35 . 2008-04-14 12:00 385024 ------w- c:\windows\system32\html.iec
2012-07-14 00:17 . 2012-07-18 17:39 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-10-30 23:50 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2012-11-23 3262816]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-08-26 39408]
"Advanced SystemCare 6"="c:\program files\IObit\Advanced SystemCare 6\ASCTray.exe" [2012-09-25 490880]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-11-01 4763008]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2012-06-21 73392]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"RTHDCPL"="RTHDCPL.EXE" [2011-10-14 20064872]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2012-08-10 296096]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2012-04-30 738944]
"IObit Malware Fighter"="c:\program files\IObit\IObit Malware Fighter\IMF.exe" [2012-12-25 4474832]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SmartDefragBootTime.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1542:TCP"= 1542:TCP:Realtek WPS TCP Prot
"1542:UDP"= 1542:UDP:Realtek WPS UDP Prot
"53:UDP"= 53:UDP:Realtek AP UDP Prot
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [11/29/2012 2:38 PM 14776]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [1/18/2013 8:48 PM 738504]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [1/18/2013 8:48 PM 361032]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [7/11/2012 1:54 PM 116608]
R2 AdvancedSystemCareService6;Advanced SystemCare Service 6;c:\program files\IObit\Advanced SystemCare 6\ASCService.exe [11/29/2012 2:36 PM 464256]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/18/2013 8:48 PM 21256]
R2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [11/29/2012 2:38 PM 821592]
R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [4/30/2012 2:05 PM 27016]
R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [4/30/2012 2:05 PM 497280]
R3 FileMonitor;FileMonitor;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys [1/20/2013 7:36 PM 246816]
R3 RegFilter;RegFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\RegFilter.sys [1/20/2013 7:36 PM 30408]
R3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\drivers\rtl8192Ce.sys [1/17/2013 6:41 AM 1218280]
R3 UrlFilter;UrlFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\UrlFilter.sys [1/20/2013 7:36 PM 16248]
S2 WiseBootAssistant;Wise Boot Assistant;c:\program files\Wise\Wise Care 365\BootTime.exe [11/27/2012 2:30 PM 580648]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [7/24/2012 6:46 AM 1691480]
S4 kl2;kl2;c:\windows\system32\drivers\kl2.sys [10/31/2012 12:12 PM 11352]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-01-17 03:05 1606760 ----a-w- c:\program files\Google\Chrome\Application\24.0.1312.52\Installer\setup.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-21 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-24 03:18]
.
2013-01-21 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2013-01-19 23:50]
.
2013-01-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-05-22 03:49]
.
2013-01-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-05-22 03:49]
.
2013-01-21 c:\windows\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-484763869-329068152-1801674531-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 18:27]
.
2013-01-17 c:\windows\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-484763869-329068152-1801674531-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 18:27]
.
2013-01-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-484763869-329068152-1801674531-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 18:27]
.
2012-12-12 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-484763869-329068152-1801674531-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 18:27]
.
2013-01-21 c:\windows\Tasks\SmartDefragUpdate.job
- c:\program files\IObit\Smart Defrag 2\AutoUpdate.exe [2012-11-29 16:06]
.
2013-01-21 c:\windows\Tasks\SmartDefrag_Startup.job
- c:\program files\IObit\Smart Defrag 2\SmartDefrag.exe [2012-11-29 16:06]
.
2012-11-30 c:\windows\Tasks\Wise Care 365 PC Checkup Task.job
- c:\program files\Wise\Wise Care 365\WiseCare365.exe [2012-11-27 19:51]
.
2013-01-21 c:\windows\Tasks\Wise Care 365.job
- c:\program files\Wise\Wise Care 365\WiseTray.exe [2012-11-27 22:24]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.1.1 71.252.0.12
FF - ProfilePath - c:\documents and settings\E\Application Data\Mozilla\Firefox\Profiles\lhp9mv6r.default\
FF - prefs.js: browser.search.selectedEngine - hxxp://www.google.com/search
FF - ExtSQL: 2012-12-11 02:24; browserprotect@browserprotect.com; c:\documents and settings\E\Application Data\Mozilla\Firefox\Profiles\lhp9mv6r.default\extensions\browserprotect@browserprotect.com.xpi
FF - ExtSQL: 2012-12-11 02:24; donottrackplus@abine.com; c:\documents and settings\E\Application Data\Mozilla\Firefox\Profiles\lhp9mv6r.default\extensions\donottrackplus@abine.com
FF - ExtSQL: 2012-12-11 02:25; {73a6fe31-595d-460b-a920-fcc0f8843232}; c:\documents and settings\E\Application Data\Mozilla\Firefox\Profiles\lhp9mv6r.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
FF - ExtSQL: 2012-12-11 02:25; {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}; c:\documents and settings\E\Application Data\Mozilla\Firefox\Profiles\lhp9mv6r.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - ExtSQL: 2012-12-11 02:25; {d40f5e7b-d2cf-4856-b441-cc613eeffbe3}; c:\documents and settings\E\Application Data\Mozilla\Firefox\Profiles\lhp9mv6r.default\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}.xpi
FF - ExtSQL: 2012-12-11 02:25; {E6C1199F-E687-42da-8C24-E7770CC3AE66}; c:\documents and settings\E\Application Data\Mozilla\Firefox\Profiles\lhp9mv6r.default\extensions\{E6C1199F-E687-42da-8C24-E7770CC3AE66}.xpi
FF - ExtSQL: 2013-01-18 20:48; wrc@avast.com; c:\program files\AVAST Software\Avast\WebRep\FF
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: content.notify.ontimer - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.switch.threshold - 750000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-01-21 16:21
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(716)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'lsass.exe'(772)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'explorer.exe'(3160)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2013-01-21 16:23:09
ComboFix-quarantined-files.txt 2013-01-21 21:23
ComboFix2.txt 2013-01-19 12:45
ComboFix3.txt 2013-01-19 00:51
ComboFix4.txt 2013-01-19 00:30
.
Pre-Run: 60,570,775,552 bytes free
Post-Run: 60,563,750,912 bytes free
.
- - End Of File - - CA9542D9CD27110F5628094FCCB17214



Results of screen317's Security Check version 0.99.57
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Disabled!
Please wait while WMIC is being installed.
displayName
ZoneAlarm Free Firewall Antivirus
avast! Antivirus
Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
SUPERAntiSpyware
CCleaner
Wise Disk Cleaner 7.69
Wise Registry Cleaner 7.54
Adobe Reader 10.1.5 Adobe Reader out of Date!
Mozilla Firefox 14.0.1 Firefox out of Date!
Google Chrome 23.0.1271.97
Google Chrome 24.0.1312.52
````````Process Check: objlist.exe by Laurent````````
IObit IObit Malware Fighter IMFsrv.exe
AVAST Software Avast AvastSvc.exe
AVAST Software Avast avastUI.exe
CheckPoint ZoneAlarm vsmon.exe
CheckPoint ZoneAlarm zatray.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 0%
````````````````````End of Log``````````````````````



# AdwCleaner v2.107 - Logfile created 01/21/2013 at 16:35:06
# Updated 21/01/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : E - N-B5967D9241E24
# Boot Mode : Normal
# Running from : C:\Documents and Settings\E\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Found : HKLM\SOFTWARE\Classes\Interface\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v14.0.1 (en-US)

-\\ Google Chrome v24.0.1312.52

*************************

AdwCleaner[R1].txt - [687 octets] - [21/01/2013 16:35:06]

########## EOF - C:\AdwCleaner[R1].txt - [746 octets] ##########

#5 nasdaq

nasdaq

  • Malware Response Team
  • 38,753 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:59 PM

Posted 22 January 2013 - 08:15 AM

Open notepad and copy/paste the text in the quote box below into it:

Firefox::
FF - ExtSQL: 2012-12-11 02:24; browserprotect@browserprotect.com; c:\documents and settings\E\Application Data\Mozilla\Firefox\Profiles\lhp9mv6r.default\extensions\browserprotect@browserprotect.com.xpi


Save this as CFScript.txt on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

===
Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before you download, I suggest you uncheck the box at the top right, "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.

===

This item in the AdwCleaner is the Zone Alarm toolbar.

***** [Registry] *****

Key Found : HKLM\SOFTWARE\Classes\Interface\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}


If you do not use it you can remove it by running the Delete option.

HOW TO.

Remove the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Everything that was found will be deleted.
  • Follow the prompts to reboot the computer. A text file will open after the restart.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Please post the ComboFix log and let me know what problem persists.

#6 hereandnow

hereandnow
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:59 PM

Posted 23 January 2013 - 02:59 PM

ComboFix 13-01-21.04 - E 01/23/2013 13:19:37.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1513 [GMT -5:00]
Running from: c:\documents and settings\E\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\E\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: ZoneAlarm Free Firewall Antivirus *Disabled/Updated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Free Firewall Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\E\Application Data\Mozilla\Firefox\Profiles\lhp9mv6r.default\extensions\browserprotect@browserprotect.com.xpi
.
.
((((((((((((((((((((((((( Files Created from 2012-12-23 to 2013-01-23 )))))))))))))))))))))))))))))))
.
.
2013-01-19 19:25 . 2013-01-19 19:25 -------- d-----w- c:\program files\7-Zip
2013-01-19 01:48 . 2012-10-30 23:51 361032 ----a-w- c:\windows\system32\drivers\aswSP.sys
2013-01-19 01:48 . 2012-10-30 23:51 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2013-01-19 01:48 . 2012-10-30 23:51 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-01-19 01:48 . 2012-10-30 23:51 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2013-01-19 01:48 . 2012-10-30 23:51 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2013-01-19 01:48 . 2012-10-30 23:51 97608 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2013-01-19 01:48 . 2012-10-30 23:51 89752 ----a-w- c:\windows\system32\drivers\aswmon.sys
2013-01-19 01:48 . 2012-10-30 23:51 25256 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2013-01-19 01:47 . 2012-10-30 23:51 41224 ----a-w- c:\windows\avastSS.scr
2013-01-19 01:47 . 2012-10-30 23:50 227648 ----a-w- c:\windows\system32\aswBoot.exe
2013-01-18 23:56 . 2013-01-18 23:56 -------- d-----w- c:\program files\XP TCPIP Repair
2013-01-18 23:56 . 2008-11-13 15:26 616024 ----a-w- c:\windows\system32\COMCTL32.OCX
2013-01-17 17:49 . 2013-01-20 23:18 -------- d-----w- C:\CCE_Quarantine
2013-01-17 11:41 . 2011-06-23 08:02 1218280 ----a-r- c:\windows\system32\drivers\rtl8192Ce.sys
2013-01-17 03:45 . 2013-01-17 03:45 -------- d-----w- c:\documents and settings\E\Application Data\SUPERAntiSpyware.com
2013-01-17 03:45 . 2013-01-21 22:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2013-01-17 03:45 . 2013-01-17 03:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2013-01-17 02:54 . 2013-01-17 02:54 -------- d-----w- c:\windows\system32\wbem\Repository
2013-01-17 02:49 . 2013-01-17 02:49 -------- d-----w- c:\program files\Common Files\xing shared
2013-01-15 09:19 . 2013-01-17 02:49 -------- d-----w- c:\windows\system32\Adobe
2013-01-15 09:15 . 2013-01-15 09:15 -------- d-----w- c:\documents and settings\E\Application Data\RealNetworks
2013-01-15 09:14 . 2013-01-17 02:49 -------- d-----w- c:\program files\RealNetworks
2013-01-15 09:14 . 2013-01-15 09:14 -------- d-----w- c:\documents and settings\All Users\Application Data\RealNetworks
2013-01-14 19:44 . 2013-01-14 19:44 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2013-01-12 01:11 . 2013-01-12 01:11 -------- d-----w- c:\documents and settings\E\Local Settings\Application Data\Sun
2013-01-12 01:04 . 2013-01-12 01:04 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2013-01-03 22:52 . 2013-01-19 03:30 256904 ----a-w- c:\windows\system32\drivers\tmcomm.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-23 18:10 . 2012-07-10 19:04 44544 ----a-w- c:\windows\system32\agremove.exe
2013-01-17 03:18 . 2012-07-24 14:57 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-01-17 03:18 . 2012-07-24 14:57 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-16 12:23 . 2008-04-14 12:00 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-13 01:25 . 2008-04-14 12:00 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-06 02:01 . 2008-04-14 12:00 1371648 ----a-w- c:\windows\system32\msxml6.dll
2012-11-02 02:02 . 2008-04-14 12:00 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17 . 2008-04-14 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17 . 2008-04-14 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35 . 2008-04-14 12:00 385024 ------w- c:\windows\system32\html.iec
2012-07-14 00:17 . 2012-07-18 17:39 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-10-30 23:50 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2012-11-23 3262816]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-08-26 39408]
"Advanced SystemCare 6"="c:\program files\IObit\Advanced SystemCare 6\ASCTray.exe" [2012-09-25 490880]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-11-01 4763008]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2012-06-21 73392]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"RTHDCPL"="RTHDCPL.EXE" [2011-10-14 20064872]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2012-08-10 296096]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2012-04-30 738944]
"IObit Malware Fighter"="c:\program files\IObit\IObit Malware Fighter\IMF.exe" [2012-12-25 4474832]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SmartDefragBootTime.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1542:TCP"= 1542:TCP:Realtek WPS TCP Prot
"1542:UDP"= 1542:UDP:Realtek WPS UDP Prot
"53:UDP"= 53:UDP:Realtek AP UDP Prot
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [11/29/2012 2:38 PM 14776]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [1/18/2013 8:48 PM 738504]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [1/18/2013 8:48 PM 361032]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [7/11/2012 1:54 PM 116608]
R2 AdvancedSystemCareService6;Advanced SystemCare Service 6;c:\program files\IObit\Advanced SystemCare 6\ASCService.exe [11/29/2012 2:36 PM 464256]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/18/2013 8:48 PM 21256]
R2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [11/29/2012 2:38 PM 821592]
R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [4/30/2012 2:05 PM 27016]
R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [4/30/2012 2:05 PM 497280]
R3 FileMonitor;FileMonitor;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys [1/20/2013 7:36 PM 246816]
R3 RegFilter;RegFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\RegFilter.sys [1/20/2013 7:36 PM 30408]
R3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\drivers\rtl8192Ce.sys [1/17/2013 6:41 AM 1218280]
R3 UrlFilter;UrlFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\UrlFilter.sys [1/20/2013 7:36 PM 16248]
S2 WiseBootAssistant;Wise Boot Assistant;c:\program files\Wise\Wise Care 365\BootTime.exe [11/27/2012 2:30 PM 580648]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [7/24/2012 6:46 AM 1691480]
S4 kl2;kl2;c:\windows\system32\drivers\kl2.sys [10/31/2012 12:12 PM 11352]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-01-17 03:05 1606760 ----a-w- c:\program files\Google\Chrome\Application\24.0.1312.52\Installer\setup.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-23 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-24 03:18]
.
2013-01-23 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2013-01-19 23:50]
.
2013-01-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-05-22 03:49]
.
2013-01-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-05-22 03:49]
.
2013-01-23 c:\windows\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-484763869-329068152-1801674531-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 18:27]
.
2013-01-17 c:\windows\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-484763869-329068152-1801674531-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 18:27]
.
2013-01-23 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-484763869-329068152-1801674531-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 18:27]
.
2012-12-12 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-484763869-329068152-1801674531-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 18:27]
.
2013-01-23 c:\windows\Tasks\SmartDefragUpdate.job
- c:\program files\IObit\Smart Defrag 2\AutoUpdate.exe [2012-11-29 16:06]
.
2013-01-23 c:\windows\Tasks\SmartDefrag_Startup.job
- c:\program files\IObit\Smart Defrag 2\SmartDefrag.exe [2012-11-29 16:06]
.
2012-11-30 c:\windows\Tasks\Wise Care 365 PC Checkup Task.job
- c:\program files\Wise\Wise Care 365\WiseCare365.exe [2012-11-27 19:51]
.
2013-01-23 c:\windows\Tasks\Wise Care 365.job
- c:\program files\Wise\Wise Care 365\WiseTray.exe [2012-11-27 22:24]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.1.1 71.252.0.12
FF - ProfilePath - c:\documents and settings\E\Application Data\Mozilla\Firefox\Profiles\lhp9mv6r.default\
FF - prefs.js: browser.search.selectedEngine - hxxp://www.google.com/search
FF - ExtSQL: 2012-12-11 02:24; browserprotect@browserprotect.com; c:\documents and settings\E\Application Data\Mozilla\Firefox\Profiles\lhp9mv6r.default\extensions\browserprotect@browserprotect.com.xpi
FF - ExtSQL: 2012-12-11 02:24; donottrackplus@abine.com; c:\documents and settings\E\Application Data\Mozilla\Firefox\Profiles\lhp9mv6r.default\extensions\donottrackplus@abine.com
FF - ExtSQL: 2012-12-11 02:25; {73a6fe31-595d-460b-a920-fcc0f8843232}; c:\documents and settings\E\Application Data\Mozilla\Firefox\Profiles\lhp9mv6r.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
FF - ExtSQL: 2012-12-11 02:25; {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}; c:\documents and settings\E\Application Data\Mozilla\Firefox\Profiles\lhp9mv6r.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - ExtSQL: 2012-12-11 02:25; {d40f5e7b-d2cf-4856-b441-cc613eeffbe3}; c:\documents and settings\E\Application Data\Mozilla\Firefox\Profiles\lhp9mv6r.default\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}.xpi
FF - ExtSQL: 2012-12-11 02:25; {E6C1199F-E687-42da-8C24-E7770CC3AE66}; c:\documents and settings\E\Application Data\Mozilla\Firefox\Profiles\lhp9mv6r.default\extensions\{E6C1199F-E687-42da-8C24-E7770CC3AE66}.xpi
FF - ExtSQL: 2013-01-18 20:48; wrc@avast.com; c:\program files\AVAST Software\Avast\WebRep\FF
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: content.notify.ontimer - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.switch.threshold - 750000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-01-23 13:25
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(716)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'lsass.exe'(772)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
Completion time: 2013-01-23 13:27:34
ComboFix-quarantined-files.txt 2013-01-23 18:27
ComboFix2.txt 2013-01-21 21:23
ComboFix3.txt 2013-01-19 12:45
ComboFix4.txt 2013-01-19 00:51
ComboFix5.txt 2013-01-23 18:18
.
Pre-Run: 60,277,706,752 bytes free
Post-Run: 60,272,750,592 bytes free
.
- - End Of File - - EFAECA2E0F4D60333B3334C680E4F650

# AdwCleaner v2.107 - Logfile created 01/23/2013 at 14:09:42
# Updated 21/01/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : E - N-B5967D9241E24
# Boot Mode : Normal
# Running from : C:\Documents and Settings\E\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v14.0.1 (en-US)

-\\ Google Chrome v24.0.1312.52

*************************

AdwCleaner[R1].txt - [814 octets] - [21/01/2013 16:35:06]
AdwCleaner[S1].txt - [748 octets] - [23/01/2013 14:09:42]

########## EOF - C:\AdwCleaner[S1].txt - [807 octets] ##########


Notes:

IObit Boot Scan

Registry Key Modification detected on restart: ctfmon.exe
After AdwCleaner reboot: Toolbar notifier registered a request to change the toolbar away from Google upon computer/browser start.

Also, I found this folder on the C root drive: "f07b8f70c81df48d4e", with subfolders amd64 & i386. Among other files was filepipileproc.dll in the amd64 folder. Unsure if this is an issue or not.

#7 nasdaq

nasdaq

  • Malware Response Team
  • 38,753 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:59 PM

Posted 23 January 2013 - 04:58 PM

One step at a time.

How is the computer performing?

Any remaining issues?

#8 hereandnow

hereandnow
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:59 PM

Posted 24 January 2013 - 12:56 PM

My computer runs about average, clocking slightly faster and then much slower on boot up according to Wise Care, for example. The computer returned 11 PEinStream virus traces and a MsConfig change during a CCE run last night. There are subtle changes that would be hard to definitely pin on the rootkit. IE has shown an increased need (quantity) to ask whether I am comfortable moving between secure and non-secure surfing zones, sometimes when I have not begun any new action.

Another coincidence is my password keeper which has become corrupt. A first. I have been suspicious of the Zone Alarm firewall and did an uninstall-reinstall in case that might repair any theoretical holes in that program. I was unable to click onto the Zone Alarm link until rebooting into safe mode.

I am also including a Combofix-quarantine log. I am unsure if this is just from the last Combofix. I appreciate the step by step approach. I do want you to also have the best data available.

So, to answer your question, the computer runs generally OK, the same, except in small ways as described above. Not to move many steps ahead of you, but it is starting to feel like the level of subtle but undiminished infestation is starting to suggest a hard drive wipe. What are your thoughts? I do appreciate your ongoing help and patience.

====== System Information ======

Computer Name: N-B5967D9241E24

Log on User: E

Memory Size: 1.99 GB.

Windows Directory: C:\WINDOWS

Windows Version: Xp (32bit)

CCE Version: 2.5.242177.201



Virus database version: 1



[21:46:12] Scan started.

====== Cleanup results ======

C:\System Volume Information\_restore{E3EB1F26-9E4B-4808-ABC5-EDE19030DFC3}\RP92\A0042765.exe:BAK Rootkit.HiddenFile.PEinStream HIDDENFILE Clean OK

C:\System Volume Information\_restore{E3EB1F26-9E4B-4808-ABC5-EDE19030DFC3}\RP92\A0042805.exe:BAK Rootkit.HiddenFile.PEinStream HIDDENFILE Clean OK

C:\System Volume Information\_restore{E3EB1F26-9E4B-4808-ABC5-EDE19030DFC3}\RP92\A0042884.exe:BAK Rootkit.HiddenFile.PEinStream HIDDENFILE Clean OK

C:\System Volume Information\_restore{E3EB1F26-9E4B-4808-ABC5-EDE19030DFC3}\RP92\A0042929.exe:BAK Rootkit.HiddenFile.PEinStream HIDDENFILE Clean OK

C:\System Volume Information\_restore{E3EB1F26-9E4B-4808-ABC5-EDE19030DFC3}\RP92\A0043071.exe:BAK Rootkit.HiddenFile.PEinStream HIDDENFILE Clean OK

C:\System Volume Information\_restore{E3EB1F26-9E4B-4808-ABC5-EDE19030DFC3}\RP93\A0043458.exe:BAK Rootkit.HiddenFile.PEinStream HIDDENFILE Clean OK

C:\System Volume Information\_restore{E3EB1F26-9E4B-4808-ABC5-EDE19030DFC3}\RP94\A0043606.exe:BAK Rootkit.HiddenFile.PEinStream HIDDENFILE Clean OK

C:\System Volume Information\_restore{E3EB1F26-9E4B-4808-ABC5-EDE19030DFC3}\RP94\A0043659.exe:BAK Rootkit.HiddenFile.PEinStream HIDDENFILE Clean OK

C:\System Volume Information\_restore{E3EB1F26-9E4B-4808-ABC5-EDE19030DFC3}\RP94\A0043686.exe:BAK Rootkit.HiddenFile.PEinStream HIDDENFILE Clean OK

C:\System Volume Information\_restore{E3EB1F26-9E4B-4808-ABC5-EDE19030DFC3}\RP94\A0043722.exe:BAK Rootkit.HiddenFile.PEinStream HIDDENFILE Clean OK

Global|User MSCONFIG SYSCHANGE Repair OK

---------------------------------------------------
ComboFix-quarantined-files
2013-01-23 18:19:26 . 2013-01-23 18:19:26 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt
2013-01-19 12:44:24 . 2013-01-19 12:44:24 90 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-ISW.reg.dat
2013-01-19 00:19:19 . 2013-01-23 18:23:11 6,301 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2013-01-18 23:01:17 . 2013-01-23 18:18:00 306 ----a-w- C:\Qoobox\Quarantine\catchme.log
2012-12-11 07:05:22 . 2012-12-11 07:24:53 47,822 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\E\Application Data\Mozilla\Firefox\Profiles\lhp9mv6r.default\extensions\browserprotect@browserprotect.com.xpi.vir
2012-08-29 21:40:13 . 2012-12-08 01:30:33 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\etc\lmhosts.vir
2008-04-14 12:00:00 . 2008-04-14 12:00:00 588,800 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\autochk.exe.vir
2008-04-14 12:00:00 . 2008-04-14 12:00:00 26,112 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir
2008-04-11 12:03:48 . 2008-04-11 12:03:48 562,688 ----a-w- C:\Qoobox\Quarantine\C\Install.exe.vir
2003-02-21 10:16:08 . 2003-02-21 10:16:08 49,152 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTEMP\regtlib.exe.vir
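A note on what the CCE "Cleanup results" above actually say. Every PEinStream hit is on a target written as `...\A00xxxxx.exe:BAK`; the `:BAK` suffix is NTFS alternate-data-stream notation, so CCE is reporting a PE image found inside a stream named `BAK` attached to each file, and every one of those files sits under `System Volume Information\_restore{GUID}\RPnn\`, which is where Windows XP System Restore keeps the copies it captured for each restore point. In other words, the hits are on restore-point copies, not on files in live locations, which is why they can reappear scan after scan until the restore points are flushed. The script below is an added example for this thread, not CCE's or ComboFix's own code: it parses lines in the format inferred from the log above (target, detection, kind, action, result, with only the target allowed to contain spaces), separates the stream name from the path without tripping over the drive-letter colon, and reports whether any ADS hit lies outside System Restore. The sample input is a subset of the lines posted above plus one constructed line (marked as such) showing what a hit outside System Restore would look like.

```python
"""Triage of Comodo Cleaning Essentials (CCE) "Cleanup results" lines.

Added example for this thread, not CCE's or ComboFix's own code.  The line
format assumed here (target, detection, kind, action, result, separated by
spaces, with only the target allowed to contain spaces) is inferred from the
lines posted in the thread.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Lines copied from the CCE log posted above (a subset; same format).
PAGE_LOG = """\
C:\\System Volume Information\\_restore{E3EB1F26-9E4B-4808-ABC5-EDE19030DFC3}\\RP92\\A0042765.exe:BAK Rootkit.HiddenFile.PEinStream HIDDENFILE Clean OK
C:\\System Volume Information\\_restore{E3EB1F26-9E4B-4808-ABC5-EDE19030DFC3}\\RP93\\A0043458.exe:BAK Rootkit.HiddenFile.PEinStream HIDDENFILE Clean OK
C:\\System Volume Information\\_restore{E3EB1F26-9E4B-4808-ABC5-EDE19030DFC3}\\RP94\\A0043722.exe:BAK Rootkit.HiddenFile.PEinStream HIDDENFILE Clean OK
Global|User MSCONFIG SYSCHANGE Repair OK
"""

# Constructed line (NOT from the page): the same detection on a file outside
# System Restore, which is what a still-active infection would look like.
CONSTRUCTED_LIVE_HIT = (
    "C:\\WINDOWS\\system32\\example.dll:BAK "
    "Rootkit.HiddenFile.PEinStream HIDDENFILE Clean OK\n"
)


def split_stream(target: str) -> Tuple[str, Optional[str]]:
    """Split NTFS 'path:stream' notation into (path, stream).

    Only a colon after the last backslash can be a stream separator; the
    drive-letter colon in 'C:\\...' must not be taken for one.
    """
    name_start = target.rfind("\\") + 1
    colon = target.find(":", name_start)
    if colon == -1 or colon == len(target) - 1:
        return target, None
    return target[:colon], target[colon + 1:]


@dataclass(frozen=True)
class CleanupEntry:
    target: str      # what CCE scanned, possibly with ':stream'
    detection: str   # e.g. Rootkit.HiddenFile.PEinStream
    kind: str        # HIDDENFILE, SYSCHANGE, ...
    action: str      # Clean, Repair, ...
    result: str      # OK, ...

    @property
    def path(self) -> str:
        return split_stream(self.target)[0]

    @property
    def stream(self) -> Optional[str]:
        return split_stream(self.target)[1]

    @property
    def in_restore_point(self) -> bool:
        # XP System Restore keeps its file copies under
        # <drive>\System Volume Information\_restore{GUID}\RPnn\
        return "\\system volume information\\_restore{" in self.path.lower()


def parse_line(line: str) -> Optional[CleanupEntry]:
    """Return an entry for one cleanup line, or None for blank/unparseable lines."""
    fields = line.strip().rsplit(None, 4)
    if len(fields) != 5:
        return None
    return CleanupEntry(*fields)


def parse_log(text: str) -> List[CleanupEntry]:
    entries = (parse_line(line) for line in text.splitlines())
    return [e for e in entries if e is not None]


def triage(text: str) -> Dict[str, object]:
    """Answer the questions a responder asks of such a log: which hits are
    alternate data streams, and are any of them outside System Restore
    (i.e. potentially still live)?"""
    entries = parse_log(text)
    ads = [e for e in entries if e.stream is not None]
    live = [e for e in ads if not e.in_restore_point]
    return {
        "entries": len(entries),
        "ads_hits": len(ads),
        "stream_names": sorted({e.stream for e in ads}),
        "restore_point_hits": len(ads) - len(live),
        "live_ads_paths": [e.path for e in live],
    }


if __name__ == "__main__":
    for label, text in (("page log", PAGE_LOG),
                        ("page log + constructed live hit", PAGE_LOG + CONSTRUCTED_LIVE_HIT)):
        print(label, triage(text))
```

Run against the lines from the thread, `live_ads_paths` is empty: every PEinStream hit is a restore-point copy. On the live system, streams on a given file can be listed with Sysinternals `streams.exe` (on Vista and later, `dir /r` also shows them); XP's own `dir` does not display alternate data streams, which is part of why a PE hidden in one is reported as a "HiddenFile".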

#9 nasdaq

nasdaq

  • Malware Response Team
  • 38,753 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:59 PM

Posted 24 January 2013 - 02:07 PM

ComboFix-quarantined files are saved in this folder in case we need to restore some of them.
This is not our case.
====

Also, I found this folder on C root drive: "f07b8f70c81df48d4e" with subfolders: amd64 & i386. Among other files was filepipileproc.dll in the amd64 folder. Unsure if this is an issue or not.

The amd64 & i386 folders are the backup folders created when the operating files were installed.


I did find one bad item in the ComboFix log, which we will remove.

===


Open notepad and copy/paste the text in the quote box below into it:

Firefox::
FF - ExtSQL: 2012-12-11 02:24; browserprotect@browserprotect.com; c:\documents and settings\E\Application Data\Mozilla\Firefox\Profiles\lhp9mv6r.default\extensions\browserprotect@browserprotect.com.xpi:



Save this as CFScript.txt on your desktop.


Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Keep me posted.



