Possible Rootkit

14 replies to this topic

#1 TheKorean2908 (Members, 13 posts)

Posted 20 January 2013 - 06:22 PM

Hello all,

I was instructed to start a new topic with my DDS reports. The previous thread can be found here.

Below is my DDS report and attached is my attach.txt. Any help would be greatly appreciated. Thanks so much for your time!

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Administrator at 9:19:09 on 2013-01-19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1534.1014 [GMT -5:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall *Enabled*
.
============== Running Processes ================
.
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\COMODO\COMODO Internet Security\cistray.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\COMODO\COMODO Internet Security\cis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
mRun: [COMODO Internet Security] c:\program files\comodo\comodo internet security\cistray.exe
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
uPolicies-Explorer: NoDriveTypeAutoRun = dword:221
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1357960493140
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1358147159125
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{3E9351C9-51CF-4959-A0FD-6680DFE5D193} : NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{3E9351C9-51CF-4959-A0FD-6680DFE5D193} : DHCPNameServer = 192.168.1.254
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 mpa.one.microsoft.com
Hosts: 192.168.1.77 goldenteenet.itsgames.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\0sspa0si.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\tracker software\pdf viewer\npPDFXCviewNPPlugin.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_146.dll
FF - ExtSQL: 2013-01-11 21:47; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\documents and settings\administrator\application data\mozilla\firefox\profiles\0sspa0si.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2013-01-11 22:04; {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}; c:\documents and settings\administrator\application data\mozilla\firefox\profiles\0sspa0si.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - ExtSQL: 2013-01-11 22:04; {DDC359D1-844A-42a7-9AA1-88A850A938A8}; c:\documents and settings\administrator\application data\mozilla\firefox\profiles\0sspa0si.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}.xpi
FF - ExtSQL: 2013-01-11 22:04; bytubed@cs213.cse.iitk.ac.in; c:\documents and settings\administrator\application data\mozilla\firefox\profiles\0sspa0si.default\extensions\bytubed@cs213.cse.iitk.ac.in
FF - ExtSQL: 2013-01-12 00:01; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - ExtSQL: 2013-01-14 06:49; wrc@avast.com; c:\program files\avast software\avast\webrep\FF
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2013-1-14 738504]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2013-1-14 361032]
R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2012-12-14 18688]
R1 cmdGuard;COMODO Internet Security Driver;c:\windows\system32\drivers\cmdGuard.sys [2012-12-14 583912]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2012-12-14 32976]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2013-1-14 21256]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2013-1-14 44808]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2012-12-14 2259392]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 cmdvirth;COMODO Virtual Service Manager;c:\program files\comodo\comodo internet security\cmdvirth.exe [2012-12-14 127184]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-13 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-1-8 161536]
.
=============== Created Last 30 ================
.
2013-01-19 03:42:41 -------- d-----w- c:\program files\ESET
2013-01-19 03:19:12 -------- d-----w- c:\documents and settings\administrator\application data\GlarySoft
2013-01-19 03:19:10 -------- d-----w- c:\program files\Glary Utilities
2013-01-19 02:56:15 -------- d-----w- c:\program files\Arena
2013-01-18 20:44:58 -------- d-----w- c:\program files\Maxis
2013-01-18 20:28:21 -------- d-----w- c:\program files\Sports Mogul
2013-01-18 04:50:59 -------- d-----w- c:\program files\EA Games
2013-01-18 04:50:19 225280 ----a-w- c:\program files\common files\installshield\iscript\IScript.dll
2013-01-18 04:50:18 32768 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\objectps.dll
2013-01-18 04:50:18 176128 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\iuser.dll
2013-01-18 04:50:17 77824 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ctor.dll
2013-01-18 04:34:38 -------- d-----w- c:\program files\Real Lives 2010
2013-01-18 04:33:28 409600 ----a-w- c:\windows\system32\activelock1884.ocx
2013-01-14 11:48:40 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-01-14 11:45:40 41224 ----a-w- c:\windows\avastSS.scr
2013-01-13 23:31:02 222448 ----a-w- c:\windows\system32\muweb.dll
2013-01-13 23:31:02 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2013-01-13 18:27:02 275696 ----a-w- c:\windows\system32\mucltui.dll
2013-01-13 09:32:34 237072 ------w- c:\windows\system32\MpSigStub.exe
2013-01-13 08:31:24 -------- d-----w- c:\documents and settings\administrator\application data\Windows Search
2013-01-12 15:36:57 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
2013-01-12 10:52:11 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2013-01-12 10:52:11 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2013-01-12 10:52:09 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2013-01-12 10:52:08 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2013-01-12 10:52:03 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2013-01-12 10:52:02 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2013-01-12 10:52:01 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2013-01-12 10:52:00 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2013-01-12 10:50:59 462864 ----a-w- c:\windows\system32\d3dx10_37.dll
2013-01-12 10:49:52 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2013-01-12 10:48:45 614400 ----a-w- c:\windows\AutoKMS.exe
2013-01-12 10:45:04 -------- d-----w- c:\windows\Logs
2013-01-12 10:35:24 -------- d-----w- c:\program files\Microsoft Synchronization Services
2013-01-12 10:33:27 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2013-01-12 10:33:27 -------- d-----w- c:\documents and settings\all users\Microsoft
2013-01-12 10:28:59 -------- d-----w- c:\program files\Microsoft Analysis Services
2013-01-12 10:28:47 -------- d-----w- c:\windows\SHELLNEW
2013-01-12 10:27:58 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Microsoft Help
2013-01-12 10:24:33 -------- d-----w- c:\documents and settings\administrator\local settings\application data\PCHealth
2013-01-12 10:24:12 -------- d-----r- c:\program files\Skype
2013-01-12 09:15:48 135168 ----a-w- c:\windows\system32\igfxres.dll
2013-01-12 07:56:39 -------- d-----w- c:\windows\system32\winrm
2013-01-12 07:56:29 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2013-01-12 07:26:30 -------- d-----w- c:\documents and settings\administrator\local settings\application data\ApplicationHistory
2013-01-12 07:04:58 -------- d-----w- c:\documents and settings\administrator\options
2013-01-12 06:52:20 -------- d-----w- c:\documents and settings\administrator\local settings\application data\WindowsApplication1
2013-01-12 06:47:38 -------- d-----w- c:\documents and settings\administrator\application data\Wise Registry Cleaner
2013-01-12 06:36:31 -------- d-sh--w- c:\documents and settings\administrator\PrivacIE
2013-01-12 06:31:33 -------- d-sh--w- c:\documents and settings\administrator\IETldCache
2013-01-12 05:49:06 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2013-01-12 05:46:23 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
2013-01-12 05:44:40 -------- d-----w- c:\windows\ie8updates
2013-01-12 05:44:03 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2013-01-12 05:43:56 630272 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2013-01-12 05:43:56 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2013-01-12 05:43:55 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2013-01-12 05:43:55 2000384 -c----w- c:\windows\system32\dllcache\iertutil.dll
2013-01-12 05:43:51 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2013-01-12 05:43:51 11111424 -c----w- c:\windows\system32\dllcache\ieframe.dll
2013-01-12 05:39:33 -------- dc-h--w- c:\windows\ie8
2013-01-12 04:54:06 -------- d-----w- c:\windows\system32\XPSViewer
2013-01-12 04:53:15 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2013-01-12 04:52:57 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2013-01-12 04:52:57 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2013-01-12 04:52:57 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2013-01-12 04:52:57 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2013-01-12 04:52:57 575488 ------w- c:\windows\system32\xpsshhdr.dll
2013-01-12 04:52:57 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2013-01-12 04:52:57 1676288 ------w- c:\windows\system32\xpssvcs.dll
2013-01-12 04:52:57 117760 ------w- c:\windows\system32\prntvpt.dll
2013-01-12 04:40:38 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Identities
2013-01-12 04:40:31 -------- d-----w- c:\documents and settings\administrator\application data\Windows Desktop Search
2013-01-12 04:39:26 -------- d-----w- c:\program files\Windows Desktop Search
2013-01-12 04:39:25 -------- d-----w- c:\windows\system32\GroupPolicy
2013-01-12 04:34:39 -------- d-----w- c:\program files\Windows Media Connect 2
2013-01-12 04:29:35 -------- d-----w- c:\windows\system32\LogFiles
2013-01-12 04:16:32 -------- d-----w- c:\windows\system32\URTTemp
2013-01-12 04:01:55 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2013-01-12 03:38:21 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2013-01-12 03:38:21 272128 ------w- c:\windows\system32\drivers\bthport.sys
2013-01-12 03:36:31 -------- d-----w- c:\program files\Tracker Software
2013-01-12 03:31:59 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2013-01-12 03:31:57 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-01-12 03:31:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-01-12 03:31:14 -------- d-----w- c:\program files\VS Revo Group
2013-01-12 03:30:40 -------- d-----w- c:\program files\UltraDefrag
2013-01-12 03:29:02 -------- d-----w- c:\program files\Wise
2013-01-12 03:28:07 -------- d-----w- c:\program files\CCleaner
2013-01-12 03:25:05 2148864 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2013-01-12 03:24:58 2192896 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2013-01-12 03:24:57 2027520 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2013-01-12 03:21:10 -------- d-----w- c:\program files\VideoLAN
2013-01-12 03:18:38 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2013-01-12 03:18:02 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2013-01-12 03:18:02 3072 ------w- c:\windows\system32\iacenc.dll
2013-01-12 03:17:19 -------- d-----w- c:\program files\uTorrent
2013-01-12 03:17:00 -------- d-----w- c:\documents and settings\administrator\application data\uTorrent
2013-01-12 03:14:38 -------- d-sh--w- c:\documents and settings\administrator\UserData
2013-01-12 03:12:14 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2013-01-12 03:12:14 -------- d-----w- c:\windows\system32\PreInstall
2013-01-12 03:12:12 -------- d--h--w- c:\windows\$hf_mig$
2013-01-12 03:05:52 -------- d-s---w- c:\documents and settings\all users\application data\Shared Space
2013-01-12 03:04:02 -------- d-----w- c:\documents and settings\all users\application data\Comodo
2013-01-12 03:04:00 -------- d-----w- c:\documents and settings\all users\application data\Comodo Downloader
2013-01-12 03:03:51 -------- d-----w- c:\program files\COMODO
2013-01-12 03:00:23 466008 ----a-w- c:\windows\system32\drivers\sptd.sys
2013-01-12 03:00:06 -------- d-----w- c:\documents and settings\administrator\application data\DAEMON Tools Lite
2013-01-12 03:00:01 -------- d-----w- c:\program files\DAEMON Tools Lite
2013-01-12 02:59:23 -------- d-----w- c:\documents and settings\all users\application data\DAEMON Tools Lite
2013-01-12 02:55:05 -------- d-----w- c:\program files\AVAST Software
2013-01-12 02:55:05 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2013-01-12 02:53:12 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-01-12 02:53:12 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-12 02:46:22 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Mozilla
2013-01-12 02:46:17 -------- d-----w- c:\program files\Mozilla Maintenance Service
2013-01-12 00:01:59 5632 -c--a-w- c:\windows\system32\dllcache\smimsgif.dll
2013-01-12 00:00:59 42496 -c--a-w- c:\windows\system32\dllcache\davcdata.exe
.
==================== Find3M ====================
.
2013-01-12 07:05:33 2234 ----a-w- c:\windows\system32\ud-boot-time.cmd
2012-12-18 19:32:28 32256 ----a-w- c:\windows\system32\udefrag.exe
2012-12-18 19:32:24 8704 ----a-w- c:\windows\system32\hibernate4win.exe
2012-12-18 19:32:22 10240 ----a-w- c:\windows\system32\bootexctrl.exe
2012-12-18 19:32:20 24064 ----a-w- c:\windows\system32\wgx.dll
2012-12-18 19:32:08 94208 ----a-w- c:\windows\system32\lua5.1a.dll
2012-12-18 19:32:00 50176 ----a-w- c:\windows\system32\udefrag.dll
2012-12-18 19:31:58 328192 ----a-w- c:\windows\system32\zenwinx.dll
2012-12-18 19:31:56 380416 ----a-w- c:\windows\system32\defrag_native.exe
2012-12-16 12:23:59 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-12-15 01:45:52 32976 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2012-12-15 01:45:50 583912 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2012-12-15 01:45:50 18688 ----a-w- c:\windows\system32\drivers\cmderd.sys
2012-12-15 01:45:32 35640 ----a-w- c:\windows\system32\cmdcsr.dll
2012-12-15 01:45:30 350272 ----a-w- c:\windows\system32\guard32.dll
2012-12-15 01:45:14 260304 ----a-w- c:\windows\system32\cmdvrt32.dll
2012-11-13 01:25:12 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-06 02:01:39 1371648 ----a-w- c:\windows\system32\msxml6.dll
2012-11-02 02:02:42 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17:54 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17:54 43520 ------w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35:34 385024 ------w- c:\windows\system32\html.iec
2012-10-31 11:33:26 81920 ------w- c:\windows\system32\ieencode.dll
.
============= FINISH: 9:21:07.31 ===============
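As an added triage example (my code, not part of the thread and not the DDS tool's own output processing): the script below parses the Hosts:, Run: and "Created Last 30" entries of a DDS log like the one above and flags what a helper looks at first, including the c:\windows\AutoKMS.exe entry that ESET later flags in this thread. The rules (a Microsoft domain sent to loopback, an executable dropped straight into the Windows root, a startup item in a user-writable folder) and the extra "upd.exe" Run line are my assumptions and constructed sample data, not findings from the report.

```python
"""Triage helper for a DDS log (added example for this thread; not code from
BleepingComputer or from the DDS tool). It parses the 'Pseudo HJT Report'
Hosts:/Run: lines and the 'Created Last 30' list and flags the entries a
malware-removal helper would look at first."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity kind detail")

# Sample input: lines copied from the DDS report above, plus one constructed
# Run entry (the 'upd.exe' line) so the user-writable-path rule is exercised.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
.
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [updater] c:\documents and settings\administrator\local settings\temp\upd.exe
Hosts: 127.0.0.1 mpa.one.microsoft.com
Hosts: 192.168.1.77 goldenteenet.itsgames.com
.
=============== Created Last 30 ================
.
2013-01-18 04:33:28 409600 ----a-w- c:\windows\system32\activelock1884.ocx
2013-01-12 10:48:45 614400 ----a-w- c:\windows\AutoKMS.exe
2013-01-12 10:45:04 -------- d-----w- c:\windows\Logs
2013-01-12 03:31:57 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
"""

EXEC_EXT = (".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".com")
# A loopback entry for one of these suffixes blocks Microsoft activation or
# update checks (the pattern behind the mpa.one.microsoft.com line above).
MS_SUFFIXES = ("microsoft.com", "windowsupdate.com")
# Startup items launched from user-writable folders deserve a second look.
USER_WRITABLE = ("\\local settings\\temp\\", "\\temp\\", "\\application data\\")

RUN_RE = re.compile(
    r'^[um]Run: \[(?P<name>[^\]]*)\]\s+"?'
    r'(?P<path>[a-z]:\\[^"]+?\.(?:exe|com|scr|bat|cmd|vbs))"?', re.I)
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<host>\S+)$")
CREATED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?:\d+|-+)\s+"
    r"(?P<attrs>\S+)\s+(?P<path>.+)$")


def parse_dds(text):
    """Split a DDS log into (run_entries, hosts_entries, created_entries)."""
    runs, hosts, created = [], [], []
    for line in text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            runs.append((m["name"], m["path"].lower()))
            continue
        m = HOSTS_RE.match(line)
        if m:
            hosts.append((m["ip"], m["host"].lower()))
            continue
        m = CREATED_RE.match(line)
        if m:
            created.append((m["ts"], m["attrs"], m["path"].lower()))
    return runs, hosts, created


def triage(text):
    """Apply the triage rules and return a list of Finding tuples."""
    runs, hosts, created = parse_dds(text)
    findings = []
    for ip, host in hosts:
        if ip.startswith("127.") and host.endswith(MS_SUFFIXES):
            findings.append(Finding("high", "hosts",
                f"{host} -> {ip}: Microsoft activation/update host blocked"))
        else:
            findings.append(Finding("info", "hosts",
                f"{host} -> {ip}: manual override, confirm with the user"))
    for name, path in runs:
        if any(d in path for d in USER_WRITABLE):
            findings.append(Finding("medium", "run",
                f"[{name}] starts from a user-writable folder: {path}"))
    for ts, attrs, path in created:
        if attrs.startswith("d"):
            continue  # directory entry; only loose executables interest us
        if path.endswith(EXEC_EXT) and re.fullmatch(r"c:\\windows\\[^\\]+", path):
            findings.append(Finding("high", "created",
                f"{path} ({ts}): executable dropped directly in the Windows root"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f.severity:6} {f.kind:8} {f.detail}")
```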


#2 TheKorean2908 (Topic Starter, Members, 13 posts)

Posted 20 January 2013 - 06:24 PM

Apologies for the double-post. I forgot to add the attachment. Thank you.


#3 nasdaq (Malware Response Team, 39,578 posts, Montreal, QC. Canada)

Posted 22 January 2013 - 09:30 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Close any open browsers, and all other programs working. Make sure you save your file if working on a document.
  • Do not install any other programs until this is fixed.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some Rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third party programs, if not up to date, can be the cause of infiltration and infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).

Please post the logs and let me know if the problem persists.

#4 TheKorean2908 (Topic Starter, Members, 13 posts)

Posted 23 January 2013 - 06:55 AM

Thanks for the reply!

Attached are the requested logs, I hope they help!

ComboFix: ComboFix.txt (10.3KB)
Security Check: checkup.txt (903 bytes)
AdwCleaner: AdwCleanerR1.txt (985 bytes)

Thank you again, and I hope to hear from you soon!

#5 nasdaq (Malware Response Team, 39,578 posts, Montreal, QC. Canada)

Posted 23 January 2013 - 10:10 AM

Looking good.

Any remaining issues?

#6 TheKorean2908 (Topic Starter, Members, 13 posts)

Posted 23 January 2013 - 06:14 PM

For whatever reason, whatever open program I have runs at 100% CPU. For instance, if I'm running Firefox, it runs at 100% CPU. If I'm running VLC Media Player, it runs at 100% CPU. I have no idea why, but it's a recent development. I originally posted just in the Windows XP section of the forum, because I figured it wasn't a malware problem, but it was moved by a moderator to the "Am I Infected?" section.

This problem occurred on two different machines after a complete format on both, so I figured it was some sort of software configuration, maybe Comodo and Avast not getting along.

I don't know. Do you suggest I post in the Windows XP forum again?

#7 nasdaq (Malware Response Team, 39,578 posts, Montreal, QC. Canada)

Posted 24 January 2013 - 09:12 AM

Results of screen317's Security Check version 0.99.57
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
avast! Antivirus
Antivirus up to date!


I do not see any trace of Comodo.

I would remove it if it's installed.

How is it now?

#8 TheKorean2908 (Topic Starter, Members, 13 posts)

Posted 26 January 2013 - 12:39 AM

I had uninstalled it prior to running these tests. I figured it might solve the situation, so I wouldn't have to post again. However, uninstalling Comodo did not fix the problem...

#9 nasdaq (Malware Response Team, 39,578 posts, Montreal, QC. Canada)

Posted 26 January 2013 - 09:09 AM

Download this Process Explorer tool.
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
RUN IT AND TRY to find the Process / file that is draining your CPU.
Instructions on the help file.

#10 TheKorean2908 (Topic Starter, Members, 13 posts)

Posted 28 January 2013 - 12:44 AM

After running Process Explorer, I am still unable to find the source of the slow PC speed... I apologize. Upon opening the program, it tells me that any program I have open (Firefox, VLC, etc.) is using 100% CPU. However, like the Task Manager, after a brief moment, it tells me that the computer is at 0% CPU, like it's trying to hide it, yet even with it or the Task Manager open, the slowdown persists...

#11 nasdaq (Malware Response Team, 39,578 posts, Montreal, QC. Canada)

Posted 28 January 2013 - 09:16 AM

Run this scan.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


#12 TheKorean2908 (Topic Starter, Members, 13 posts)

Posted 31 January 2013 - 04:00 AM

Apologies that it's taken me so long to respond. The slowdown has gotten significantly worse. It has almost completely paralyzed the machine. I had to do the ESET scan in Safe Mode with Networking. The results are below:

C:\System Volume Information\_restore{64898938-1FF9-4087-8FD6-F740C2371005}\RP30\A0006526.exe Win32/HackKMS application
C:\WINDOWS\AutoKMS.exe Win32/HackKMS application

For whatever reason (and it could just be my imagination), it only seems to be remotely responsive when I'm moving the mouse... Either way, like I said before, this has occurred on two different machines, both after a complete format and re-installation of Windows XP. This is roughly the same software I've been using for years, and this is the first time I've ever had any kind of issue...

#13 nasdaq (Malware Response Team, 39,578 posts, Montreal, QC. Canada)

Posted 31 January 2013 - 07:42 AM

The item removed by ESET was in the System Restore folder.

Could it be a driver issue?

Secunia Personal Software Inspector (PSI)
http://secunia.com/vulnerability_scanning/personal/
Secunia PSI is a security scanner which identifies programs that are insecure and need updates.
If interested in security I would download the tool and run it.

#14 TheKorean2908 (Topic Starter, Members, 13 posts)

Posted 31 January 2013 - 11:54 PM

After running Secunia, it found no programs that needed updates.

It's possible that it could be a driver issue. I used DriverPack Solution to install my drivers. It's never given me a hard time before.

If you don't think that this is malware, do you recommend I post in a different section?

#15 nasdaq (Malware Response Team, 39,578 posts, Montreal, QC. Canada)

Posted 01 February 2013 - 10:59 AM

I would check for the latest driver for my mouse and Graphics card.

Are you up to date on the Microsoft updates?

Run this scan and see what you can find/fix

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image