botched combofix


This topic is locked
36 replies to this topic

#1 mikelinsb
  • Members
  • 27 posts

Posted 21 January 2013 - 06:21 PM

I was having sound and CD/DVD devices not being detected sporadically, mostly not being detected. Nothing for these entries in Device Manager. So I ran ComboFix twice. The first time I closed all windows and turned off the antivirus but not the firewall. It found some stuff, but I lost the log by running ComboFix again. This time I didn't turn off the antivirus, had some other windows open, and it resulted in a crash/black screen. The first time it ran it deleted about six things; one I believe was a rootkit. Now I have multiple cascading C and D drives in my C:\ folder. Can I get the log file from the first run, and can I get rid of the cascading drives? Can you tell if I wrecked my computer? I was told to post here from another forum.

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16457 BrowserJavaVersion: 10.11.2
Run by Mike Leppla's PC at 14:39:00 on 2013-01-21
#Option MBR scan is disabled.
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1982.916 [GMT -8:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Enabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe
C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Program Files\Real\RealPlayer\Update\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\programdata\realnetworks\realdownloader\browserplugins\ie\rndlbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Plug-In: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SDTray] "c:\program files\spybot - search & destroy 2\SDTray.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1355209369987
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20614.www2.hp.com/ediags/gmd/Install/Cab/hpdetect121.cab
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0017-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_10-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 68.105.28.12 68.105.29.12 68.105.28.11
TCP: Interfaces\{2E601483-DBF0-4D9B-AA98-23AA90F28C53} : DHCPNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
TCP: Interfaces\{F770A9AB-B6E8-40ED-97C4-5857F3221DBD} : DHCPNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: SDWinLogon - SDWinLogon.dll
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-8-30 193552]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-15 21504]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\hewlett-packard\shared\HPDrvMntSvc.exe [2011-1-25 92216]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 99272]
R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\realnetworks\realdownloader\rndlresolversvc.exe [2012-11-29 38608]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-9-12 287824]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-1-15 204800]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2011-6-13 267568]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-6-22 40776]
S3 WinPhlash;WinPhlash;c:\swsetup\sp52477\swinflash\PhlashNT.sys [2010-3-17 38784]
.
=============== File Associations ===============
.
FileExt: .reg: regfile=regedit.exe "%1" [UserChoice]
.
=============== Created Last 30 ================
.
2013-01-21 21:06:45 6991832 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{c9f91c9e-d674-49d9-a0d8-77095193ee78}\mpengine.dll
2013-01-21 00:51:27 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2013-01-21 00:51:02 15224 ----a-w- c:\windows\system32\sdnclean.exe
2013-01-21 00:50:51 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2013-01-21 00:02:55 -------- d-----w- c:\program files\SpywareBlaster
2013-01-20 20:26:34 6991832 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-01-20 07:05:11 -------- d-sh--w- C:\$RECYCLE.BIN
2013-01-20 06:41:41 -------- d-s---w- C:\Combo
2013-01-20 06:06:15 -------- d-----w- c:\users\mike leppla's pc\appdata\local\temp
2013-01-20 05:01:27 98816 ----a-w- c:\windows\sed.exe
2013-01-20 05:01:27 256000 ----a-w- c:\windows\PEV.exe
2013-01-20 05:01:27 208896 ----a-w- c:\windows\MBR.exe
2013-01-19 23:00:31 -------- d-----w- c:\program files\Lavalys
2013-01-19 22:56:10 -------- d-----w- c:\users\mike leppla's pc\appdata\local\Zoom_Downloader
2013-01-19 22:38:27 -------- d-----w- c:\program files\OI App Manager
2013-01-19 20:48:05 -------- d-----w- c:\program files\Belarc
2013-01-19 07:05:13 200112 ----a-w- c:\windows\system32\drivers\SynTP.sys
2013-01-19 07:05:13 110592 ----a-w- c:\windows\system32\SynTPCo4.dll
2013-01-19 07:05:09 200704 ----a-w- c:\windows\system32\SynCtrl.dll
2013-01-19 02:13:38 -------- d-----w- c:\programdata\{E91883C8-8CDC-46A4-A45F-CB40EB82ED60}
2013-01-16 03:16:21 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-01-16 03:16:21 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-15 21:47:29 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-01-13 23:10:53 -------- d-----w- c:\users\mike leppla's pc\appdata\roaming\hpqLog
2013-01-09 19:20:29 2048000 ----a-w- c:\windows\system32\win32k.sys
2013-01-09 19:16:56 204288 ----a-w- c:\windows\system32\ncrypt.dll
2013-01-09 19:16:44 1400832 ----a-w- c:\windows\system32\msxml6.dll
2013-01-03 06:56:31 -------- d-----w- c:\programdata\MiMedia
2013-01-03 06:56:21 -------- d-----w- c:\program files\MiMedia LLC
2012-12-30 08:02:28 -------- d-----w- C:\temp.conexant32
2012-12-29 09:26:04 -------- d-----w- c:\users\mike leppla's pc\appdata\roaming\Strongvault
2012-12-29 09:25:31 -------- d-sh--w- c:\windows\system32\AI_RecycleBin
2012-12-29 09:22:09 -------- d-----w- c:\program files\SIW 2011 Home Edition
2012-12-28 07:03:37 -------- d-----w- c:\users\mike leppla's pc\appdata\local\ElevatedDiagnostics
2012-12-23 23:25:05 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2012-12-23 16:35:43 34304 ----a-w- c:\windows\system32\atmlib.dll
2012-12-23 16:35:43 293376 ----a-w- c:\windows\system32\atmfd.dll
.
==================== Find3M ====================
.
2013-01-19 07:05:04 163840 ----a-w- c:\windows\system32\SynCOM.dll
2013-01-19 07:05:04 147456 ----a-w- c:\windows\system32\SynTPAPI.dll
2013-01-15 21:46:33 859552 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-12-23 23:42:58 779704 ----a-w- c:\windows\system32\deployJava1.dll
2012-12-20 16:46:15 348160 ----a-w- c:\windows\system32\msvcr71.dll
2012-12-20 16:46:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2012-11-14 02:09:22 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-11-14 01:58:15 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-14 01:57:37 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-11-14 01:49:25 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-11-14 01:48:27 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-11-14 01:44:42 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-11-13 01:29:51 2048 ----a-w- c:\windows\system32\tzres.dll
2012-11-02 10:18:17 376320 ----a-w- c:\windows\system32\dpnet.dll
2012-11-02 08:26:06 23040 ----a-w- c:\windows\system32\dpnsvr.exe
2012-10-25 11:12:26 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2012-10-25 11:12:26 69632 ----a-w- c:\windows\system32\QuickTime.qts
.
============= FINISH: 14:41:22.47 ===============

#2 nasdaq
  • Malware Response Team
  • 38,925 posts
  • Location:Montreal, QC. Canada

Posted 23 January 2013 - 10:34 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Your best line of action at this time is to restore your computer to a previous date.

ComboFix would have created a restore point before removing anything.

See if you can restore it.

http://windows.microsoft.com/en-CA/windows-vista/System-Restore-frequently-asked-questions

Then post a fresh DDS log for my review.

#3 mikelinsb (Topic Starter)
  • Members
  • 27 posts

Posted 23 January 2013 - 04:29 PM

ok



#4 mikelinsb (Topic Starter)
  • Members
  • 27 posts

Posted 23 January 2013 - 06:19 PM

Attached File: attach.txt (9.22KB)

Here are the DDS logs. And, when you say "print this topic", do you mean to print every reply and response in the correspondence?

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16457 BrowserJavaVersion: 10.11.2
Run by Mike Leppla's PC at 14:35:53 on 2013-01-23
#Option MBR scan is disabled.
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1982.920 [GMT -8:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Enabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Windows\system32\java.exe
C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Real\RealPlayer\Update\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k HPService
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Bar = Preserve
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\programdata\realnetworks\realdownloader\browserplugins\ie\rndlbrowserrecordplugin.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Plug-In: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [MSC] "c:\program files\microsoft security client\mssecex.exe" -hide -runkey
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre7\bin\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1355209369987
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20614.www2.hp.com/ediags/gmd/Install/Cab/hpdetect121.cab
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0017-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_10-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 68.105.28.12 68.105.29.12 68.105.28.11
TCP: Interfaces\{2E601483-DBF0-4D9B-AA98-23AA90F28C53} : DHCPNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
TCP: Interfaces\{F770A9AB-B6E8-40ED-97C4-5857F3221DBD} : DHCPNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-8-30 193552]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-15 21504]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\hewlett-packard\shared\HPDrvMntSvc.exe [2011-1-25 92216]
R2 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-1-15 204800]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 99272]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-9-12 287824]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2011-6-13 267568]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-6-22 40776]
S3 WinPhlash;WinPhlash;c:\swsetup\sp52477\swinflash\PhlashNT.sys [2010-3-17 38784]
.
=============== File Associations ===============
.
FileExt: .reg: regfile=regedit.exe "%1" [UserChoice]
.
=============== Created Last 30 ================
.
2013-01-23 22:29:49 6991832 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{f94867d2-a1fb-4fb3-9073-c000706e6f35}\mpengine.dll
2013-01-23 21:55:36 6991832 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-01-21 00:51:27 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2013-01-21 00:50:51 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2013-01-21 00:02:55 -------- d-----w- c:\program files\SpywareBlaster
2013-01-20 07:05:11 -------- d-----w- C:\$RECYCLE(1).BIN
2013-01-20 06:41:41 -------- d-s---w- C:\Combo
2013-01-20 06:06:15 -------- d-----w- c:\users\mike leppla's pc\appdata\local\temp(62)
2013-01-19 23:00:31 -------- d-----w- c:\program files\Lavalys
2013-01-19 22:56:10 -------- d-----w- c:\users\mike leppla's pc\appdata\local\Zoom_Downloader
2013-01-19 22:38:27 -------- d-----w- c:\program files\OI App Manager
2013-01-19 20:48:05 -------- d-----w- c:\program files\Belarc
2013-01-19 07:05:13 200112 ----a-w- c:\windows\system32\drivers\SynTP.sys
2013-01-19 07:05:13 110592 ----a-w- c:\windows\system32\SynTPCo4.dll
2013-01-19 07:05:09 200704 ----a-w- c:\windows\system32\SynCtrl.dll
2013-01-19 02:13:38 -------- d-----w- c:\programdata\{E91883C8-8CDC-46A4-A45F-CB40EB82ED60}
2013-01-16 03:16:21 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-01-16 03:16:21 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-15 21:47:29 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-01-13 23:10:53 -------- d-----w- c:\users\mike leppla's pc\appdata\roaming\hpqLog
2013-01-09 19:20:29 2048000 ----a-w- c:\windows\system32\win32k.sys
2013-01-09 19:16:56 204288 ----a-w- c:\windows\system32\ncrypt.dll
2013-01-09 19:16:44 1400832 ----a-w- c:\windows\system32\msxml6.dll
2013-01-03 06:56:31 -------- d-----w- c:\programdata\MiMedia
2013-01-03 06:56:21 -------- d-----w- c:\program files\MiMedia LLC
2012-12-30 08:02:28 -------- d-----w- C:\temp.conexant32
2012-12-29 09:26:04 -------- d-----w- c:\users\mike leppla's pc\appdata\roaming\Strongvault
2012-12-29 09:25:31 -------- d-sh--w- c:\windows\system32\AI_RecycleBin
2012-12-29 09:22:09 -------- d-----w- c:\program files\SIW 2011 Home Edition
2012-12-28 07:03:37 -------- d-----w- c:\users\mike leppla's pc\appdata\local\ElevatedDiagnostics
.
==================== Find3M ====================
.
2013-01-19 07:05:04 163840 ----a-w- c:\windows\system32\SynCOM.dll
2013-01-19 07:05:04 147456 ----a-w- c:\windows\system32\SynTPAPI.dll
2013-01-15 21:46:33 859552 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-12-23 23:42:58 779704 ----a-w- c:\windows\system32\deployJava1.dll
2012-12-20 16:46:15 348160 ----a-w- c:\windows\system32\msvcr71.dll
2012-12-20 16:46:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2012-12-16 13:12:54 34304 ----a-w- c:\windows\system32\atmlib.dll
2012-12-16 10:50:29 293376 ----a-w- c:\windows\system32\atmfd.dll
2012-11-14 02:09:22 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-11-14 01:58:15 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-14 01:57:37 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-11-14 01:49:25 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-11-14 01:48:27 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-11-14 01:44:42 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-11-13 01:29:51 2048 ----a-w- c:\windows\system32\tzres.dll
2012-11-02 10:18:17 376320 ----a-w- c:\windows\system32\dpnet.dll
2012-11-02 08:26:06 23040 ----a-w- c:\windows\system32\dpnsvr.exe
.
============= FINISH: 14:38:28.83 ===============

#5 nasdaq
  • Malware Response Team
  • 38,925 posts
  • Location:Montreal, QC. Canada

Posted 24 January 2013 - 09:18 AM

And, when you say "print this topic" do you mean to print every reply and response in the correspondence?


Just print my instructions in each post. It may not always be required. You decide.

Did you restore the System as I previously requested?

You submitted the same DDS log. Can I see a fresh log after your restore?
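
Nasdaq's remark above ("You submitted the same DDS log") is the kind of judgement that is easier to make, and to show the poster, with a section-by-section comparison than by eyeballing two 200-line logs. The script below is an added example for this thread, not a BleepingComputer or DDS tool: it splits each log at the `=====` section headers and reports entries that appear in one log and not the other, comparing file-listing entries by path only so the timestamps and sizes that change between runs do not drown out real differences. The two embedded logs are trimmed excerpts of the 21 January and 23 January DDS output posted earlier in this thread (excerpts, not the complete logs).

```python
import re
from collections import OrderedDict

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")  # e.g. "===== Running Processes ====="

def parse_dds(text):
    """Split a DDS log into {section: [entries]}; lines before the first header go under "Header"."""
    sections, current = OrderedDict(Header=[]), "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":            # DDS prints "." as a spacer line
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1) or "Unnamed"
            if current.startswith("FINISH"):   # "===== FINISH: hh:mm:ss =====" closes the log
                break
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections

def entry_key(section, line):
    """Comparison key: the path alone for file listings (timestamps and sizes vary per
    run); otherwise the whole line, case-folded because DDS mixes 'C:\\' and 'c:\\'."""
    if section in ("Created Last 30", "Find3M"):
        parts = line.split(None, 4)            # date time size attrs path
        if len(parts) == 5:
            return parts[4].lower()
    return line.lower()

def diff_dds(old_text, new_text):
    """Return {section: {"added": [...], "removed": [...]}} for every section that differs.
    Duplicates (several iexplore.exe) collapse to one entry, and a service whose start
    state changed (S2 -> R2) shows up as one removal plus one addition."""
    old, new = parse_dds(old_text), parse_dds(new_text)
    report = OrderedDict()
    for name in list(old) + [n for n in new if n not in old]:
        o = OrderedDict((entry_key(name, l), l) for l in old.get(name, []))
        n = OrderedDict((entry_key(name, l), l) for l in new.get(name, []))
        removed = [o[k] for k in o if k not in n]
        added = [n[k] for k in n if k not in o]
        if added or removed:
            report[name] = {"added": added, "removed": removed}
    return report

def format_report(report):
    """Plain-text rendering: '-' entries vanished from the newer log, '+' entries are new."""
    out = []
    for name, change in report.items():
        out.append(f"== {name} ==")
        out += [f"  - {l}" for l in change["removed"]] + [f"  + {l}" for l in change["added"]]
    return "\n".join(out) or "No differences between the two logs."

# Trimmed excerpts of the 21 and 23 January logs posted in this thread (not the full logs).
DDS_LOG_JAN21 = r"""
DDS (Ver_2012-11-20.01) - NTFS_x86
AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
.
============== Running Processes ================
C:\Windows\system32\wininit.exe
C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
============== Pseudo HJT Report ===============
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll
mRun: [SDTray] "c:\program files\spybot - search & destroy 2\SDTray.exe"
============= SERVICES / DRIVERS ===============
S2 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-1-15 204800]
=============== Created Last 30 ================
2013-01-20 07:05:11 -------- d-sh--w- C:\$RECYCLE.BIN
2013-01-20 06:41:41 -------- d-s---w- C:\Combo
2013-01-20 05:01:27 208896 ----a-w- c:\windows\MBR.exe
============= FINISH: 14:41:22.47 ===============
"""

DDS_LOG_JAN23 = r"""
DDS (Ver_2012-11-20.01) - NTFS_x86
AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
.
============== Running Processes ================
C:\Windows\system32\wininit.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\Internet Explorer\iexplore.exe
============== Pseudo HJT Report ===============
mRun: [MSC] "c:\program files\microsoft security client\mssecex.exe" -hide -runkey
============= SERVICES / DRIVERS ===============
R2 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-1-15 204800]
=============== Created Last 30 ================
2013-01-20 07:05:11 -------- d-sh--w- C:\$RECYCLE(1).BIN
2013-01-20 06:41:41 -------- d-s---w- C:\Combo
============= FINISH: 14:38:28.83 ===============
"""

if __name__ == "__main__":
    print(format_report(diff_dds(DDS_LOG_JAN21, DDS_LOG_JAN23)))
```

Run against the two full logs in this thread it would flag, among other things, the Spybot entries gone from the Running Processes and Pseudo HJT sections, the Linksys Updater service moving from S2 to R2, and `C:\$RECYCLE(1).BIN` replacing `C:\$RECYCLE.BIN` in the Created Last 30 listing; what those changes mean is for the helper to decide, the script only makes them visible.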

#6 mikelinsb (Topic Starter)
  • Members
  • 27 posts

Posted 24 January 2013 - 04:16 PM

Attached File: attach.txt (9.23KB)

Yes, I did a system restore and then posted the DDS logs. The point I restored to I guessed to be the ComboFix restore point; I discerned this by the date on the restore point, as nothing mentioned ComboFix in my list of restore points. But I think this was the correct restore point: all the references to ComboFix and cascading C and D drives were removed after the restore. Then I ran the DDS program. I don't understand what happened; those logs should be from after the system restore. But I will run it again. Here it is:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16457 BrowserJavaVersion: 10.11.2
Run by Mike Leppla's PC at 13:08:07 on 2013-01-24
#Option MBR scan is disabled.
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1982.837 [GMT -8:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Enabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\WLANExt.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
C:\Windows\system32\java.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Real\RealPlayer\Update\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k HPService
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Bar = Preserve
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\programdata\realnetworks\realdownloader\browserplugins\ie\rndlbrowserrecordplugin.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Plug-In: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [MSC] "c:\program files\microsoft security client\mssecex.exe" -hide -runkey
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre7\bin\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1355209369987
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20614.www2.hp.com/ediags/gmd/Install/Cab/hpdetect121.cab
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0017-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_10-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 68.105.28.12 68.105.29.12 68.105.28.11
TCP: Interfaces\{2E601483-DBF0-4D9B-AA98-23AA90F28C53} : DHCPNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-8-30 193552]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-15 21504]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\hewlett-packard\shared\HPDrvMntSvc.exe [2011-1-25 92216]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 99272]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-6-22 40776]
S3 WinPhlash;WinPhlash;c:\swsetup\sp52477\swinflash\PhlashNT.sys [2010-3-17 38784]
.
=============== File Associations ===============
.
FileExt: .reg: regfile=regedit.exe "%1" [UserChoice]
.
=============== Created Last 30 ================
.
2013-01-23 23:23:19 6991832 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{535cccd2-5c09-41ba-851b-d2c484e8074b}\mpengine.dll
2013-01-23 22:29:49 6991832 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-01-21 00:51:27 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2013-01-21 00:50:51 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2013-01-21 00:02:55 -------- d-----w- c:\program files\SpywareBlaster
2013-01-20 07:05:11 -------- d-----w- C:\$RECYCLE(1).BIN
2013-01-20 06:41:41 -------- d-s---w- C:\Combo
2013-01-20 06:06:15 -------- d-----w- c:\users\mike leppla's pc\appdata\local\temp(62)
2013-01-19 23:00:31 -------- d-----w- c:\program files\Lavalys
2013-01-19 22:56:10 -------- d-----w- c:\users\mike leppla's pc\appdata\local\Zoom_Downloader
2013-01-19 22:38:27 -------- d-----w- c:\program files\OI App Manager
2013-01-19 20:48:05 -------- d-----w- c:\program files\Belarc
2013-01-19 07:05:13 200112 ----a-w- c:\windows\system32\drivers\SynTP.sys
2013-01-19 07:05:13 110592 ----a-w- c:\windows\system32\SynTPCo4.dll
2013-01-19 07:05:09 200704 ----a-w- c:\windows\system32\SynCtrl.dll
2013-01-19 02:13:38 -------- d-----w- c:\programdata\{E91883C8-8CDC-46A4-A45F-CB40EB82ED60}
2013-01-16 03:16:21 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-01-16 03:16:21 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-15 21:47:29 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-01-13 23:10:53 -------- d-----w- c:\users\mike leppla's pc\appdata\roaming\hpqLog
2013-01-09 19:20:29 2048000 ----a-w- c:\windows\system32\win32k.sys
2013-01-09 19:16:56 204288 ----a-w- c:\windows\system32\ncrypt.dll
2013-01-09 19:16:44 1400832 ----a-w- c:\windows\system32\msxml6.dll
2013-01-03 06:56:31 -------- d-----w- c:\programdata\MiMedia
2013-01-03 06:56:21 -------- d-----w- c:\program files\MiMedia LLC
2012-12-30 08:02:28 -------- d-----w- C:\temp.conexant32
2012-12-29 09:26:04 -------- d-----w- c:\users\mike leppla's pc\appdata\roaming\Strongvault
2012-12-29 09:25:31 -------- d-sh--w- c:\windows\system32\AI_RecycleBin
2012-12-29 09:22:09 -------- d-----w- c:\program files\SIW 2011 Home Edition
2012-12-28 07:03:37 -------- d-----w- c:\users\mike leppla's pc\appdata\local\ElevatedDiagnostics
.
==================== Find3M ====================
.
2013-01-19 07:05:04 163840 ----a-w- c:\windows\system32\SynCOM.dll
2013-01-19 07:05:04 147456 ----a-w- c:\windows\system32\SynTPAPI.dll
2013-01-15 21:46:33 859552 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-12-23 23:42:58 779704 ----a-w- c:\windows\system32\deployJava1.dll
2012-12-20 16:46:15 348160 ----a-w- c:\windows\system32\msvcr71.dll
2012-12-20 16:46:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2012-12-16 13:12:54 34304 ----a-w- c:\windows\system32\atmlib.dll
2012-12-16 10:50:29 293376 ----a-w- c:\windows\system32\atmfd.dll
2012-11-14 02:09:22 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-11-14 01:58:15 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-14 01:57:37 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-11-14 01:49:25 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-11-14 01:48:27 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-11-14 01:44:42 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-11-13 01:29:51 2048 ----a-w- c:\windows\system32\tzres.dll
2012-11-02 10:18:17 376320 ----a-w- c:\windows\system32\dpnet.dll
2012-11-02 08:26:06 23040 ----a-w- c:\windows\system32\dpnsvr.exe
.
============= FINISH: 13:10:20.26 ===============
.

#7 nasdaq

  • Malware Response Team

Posted 25 January 2013 - 10:12 AM

No malware was found on your latest DDS log.

Third-party programs, if not up to date, can be the cause of infiltration by an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).

Please post the logs for my review.

Please let me know what problem persists.

#8 mikelinsb

  • Topic Starter
  • Members

Posted 26 January 2013 - 03:05 AM

The problems that exist, other than the sound and CD/DVD issue I described in the first post, are repeated Windows and Internet Explorer freezing, not responding and shutting down. Also, when I ran the first ComboFix it found some six things. I was just beginning to do research on the first entry and it looked like some kind of rootkit. But maybe that was from some antimalware program on my computer or some other program. Here are the logs you requested.

Results of screen317's Security Check version 0.99.57
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
CCleaner
Java 7 Update 11
Adobe Reader 8
Adobe Reader XI
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1 %
````````````````````End of Log``````````````````````



Results of screen317's Security Check version 0.99.57
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
CCleaner
Java 7 Update 11
Adobe Reader 8
Adobe Reader XI
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1 %
````````````````````End of Log``````````````````````

#9 nasdaq

  • Malware Response Team

Posted 26 January 2013 - 09:14 AM

Remove this old version of Adobe Reader 8 using the Add/Remove Programs applet.

===

No AdwCleaner log posted. You did however post the Security Check twice.

===


Please download RogueKiller© by Tigzy from one of the links below and save it to your desktop.

Link 1 Bleepingcomputer
Link 2 RogueKiller (par Tigzy)

Quit all running programs.

For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

====

#10 mikelinsb

  • Topic Starter
  • Members

Posted 26 January 2013 - 03:52 PM

Hello forum addict

I searched for Adobe Reader 8; it's not in Control Panel/Programs and Features (Vista). Adobe Reader XI is listed in Control Panel/Programs and Features and also has a shortcut in the Start menu. I tried to access the file location of Adobe Reader XI from the Start menu/Properties, but the file location is greyed out. Doing a Start/Search for Adobe Reader XI only comes up with the Start menu reference. I was hoping that if I could get to the file location of Adobe Reader XI, I could find a reference to Adobe Reader 8. As it stands I don't know where Adobe Reader 8 is, so I can't uninstall it. Maybe you could shed some light on this. Here is the AdwCleaner log. Can you tell me how to find out what those keys stand for in the AdwCleaner log below?

# AdwCleaner v2.108 - Logfile created 01/25/2013 at 23:16:36
# Updated 24/01/2013 by Xplode
# Operating system : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# User : Mike Leppla's PC - MIKELEPPLAS-PC
# Boot Mode : Normal
# Running from : C:\Users\Mike Leppla's PC\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

File Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk

***** [Registry] *****

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{761F6A83-F007-49E4-8EAC-CDB6808EF06F}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{76C45B18-A29E-43EA-AAF8-AF55C2E1AE17}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{96EF404C-24C7-43D0-9096-4CCC8BB7CCAC}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{97720195-206A-42AE-8E65-260B9BA5589F}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{97D69524-BB57-4185-9C7F-5F05593B771A}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{986F7A5A-9676-47E1-8642-F41F8C3FCF82}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{B18788A4-92BD-440E-A4D1-380C36531119}
Key Found : HKLM\SOFTWARE\Classes\S
Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}
Key Found : HKLM\Software\Viewpoint

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

*************************

AdwCleaner[R1].txt - [1961 octets] - [25/01/2013 23:16:36]

########## EOF - C:\AdwCleaner[R1].txt - [2021 octets] ##########

#11 mikelinsb

  • Topic Starter
  • Members

Posted 26 January 2013 - 04:30 PM

Here is the RogueKiller report.



RogueKiller V8.4.3 [Jan 26 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Mike Leppla's PC [Admin rights]
Mode : Scan -- Date : 01/26/2013 13:23:29
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 5 ¤¤¤
[TASK][SUSP PATH] OAS Integration : C:\Users\Mike Leppla's PC\AppData\Local\Temp\MATS-Temp\IXPkuz51ipw.hnv\MATSWiz.exe -url "hxxps://support.microsoft.com/oas/default.aspx?tenant=FixMe&enval=&attach=C%3A%5CUsers%5CMIKELE%7E1%5CAppData%5CLocal%5CTemp%5CMATS-Temp%5CResults%5Clatest.cab&prdesc=Codec" -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FOLDER] U : C:\Users\Mike Leppla's PC\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U --> FOUND
[ZeroAccess][FOLDER] L : C:\Users\Mike Leppla's PC\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L --> FOUND

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost
::1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: FUJITSU MHY2160BH ATA Device +++++
--- User ---
[MBR] 65cccb5a89640e37dd9e7001b35bb589
[BSP] 1c18e065a470aef3f4ccaa97422a5411 : HP tatooed MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 140474 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 287692020 | Size: 12150 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_01262013_02d1323.txt >>
RKreport[1]_S_01262013_02d1323.txt

#12 nasdaq

  • Malware Response Team

Posted 27 January 2013 - 08:58 AM

Download Revo Uninstaller and remove any programs you are having difficulties in completing the removal using the Add/Remove Programs list.

http://majorgeeks.com/Revo_Uninstaller_d5706.html

Remove any reference to Reader 8.

The other one is the latest and should not be removed.
===

Remove the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Everything that was found will be deleted.
  • Follow the prompts to reboot the computer. A text file will open after the restart.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Run RogueKiller again and click Scan.
Delete all items found under these two sections.

REGISTRY SECTION

FILE SECTION


Click Delete on the right hand column under Options.

Restart the computer normally.

===

Run the RogueKiller tool scan normally and post a fresh log.

===

Run ComboFix.exe normally and post a fresh log for my review.
You may be prompted to update the program. Please do.

Please let me know of any remaining issues with this computer.

#13 mikelinsb

  • Topic Starter
  • Members

Posted 29 January 2013 - 01:44 AM

Is there any way I can find out what AdwCleaner found and who installed them? Or was I supposed to look each one up in the registry? But I can't look them up now because they are deleted, as per the AdwCleaner log posted at the end of this post. I believe Acrobat Reader 8 was successfully deleted using Revo Uninstaller, but while exploring the Autorun Manager tab in that program I noticed two programs that were suspicious. Both have a status of invalid: one is mssecex.exe -hide -runkey, the other is jusched.exe. Can you tell me if these are bad? I spent some time on mssecex.exe and couldn't figure much out other than that it's likely bad. Here is the AdwCleaner log after delete. I'll send the RogueKiller and ComboFix logs in a further post.

# AdwCleaner v2.109 - Logfile created 01/28/2013 at 22:13:44
# Updated 26/01/2013 by Xplode
# Operating system : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# User : Mike Leppla's PC - MIKELEPPLAS-PC
# Boot Mode : Normal
# Running from : C:\Users\Mike Leppla's PC\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{761F6A83-F007-49E4-8EAC-CDB6808EF06F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{76C45B18-A29E-43EA-AAF8-AF55C2E1AE17}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{96EF404C-24C7-43D0-9096-4CCC8BB7CCAC}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{97720195-206A-42AE-8E65-260B9BA5589F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{97D69524-BB57-4185-9C7F-5F05593B771A}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{986F7A5A-9676-47E1-8642-F41F8C3FCF82}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B18788A4-92BD-440E-A4D1-380C36531119}
Key Deleted : HKLM\SOFTWARE\Classes\S
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}
Key Deleted : HKLM\Software\Viewpoint

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

*************************

AdwCleaner[R1].txt - [2090 octets] - [25/01/2013 23:16:36]
AdwCleaner[R2].txt - [2414 octets] - [28/01/2013 22:09:14]
AdwCleaner[R3].txt - [2474 octets] - [28/01/2013 22:11:50]
AdwCleaner[S1].txt - [355 octets] - [28/01/2013 22:13:15]
AdwCleaner[S2].txt - [2500 octets] - [28/01/2013 22:13:44]

########## EOF - C:\AdwCleaner[S2].txt - [2560 octets] ##########

#14 nasdaq

  • Malware Response Team

Posted 29 January 2013 - 02:53 PM

Msseces.Exe
http://www.addictivetips.com/windows-tips/what-is-msseces-exe-msmpeng-exe-process-and-why-they-are-running/

jusched.exe
Checks with Sun's Java updates site to see if newer Java versions are available. Visit http://java.sun.com or just run the Java Plug-In Control Panel
http://www.systemlookup.com/Startup/5048-jusched_exe.html


Is there any way I can find out what AdwCleaner found and who installed them? Or was I supposed to look each one up in the registry? But I can't look them up now because they are deleted as per the AdwCleaner log.


The only way I know is to check for these strings in Google. It might give you some clues. Most are installed by 3rd party software and are linked to Browsing Objects installed without your consent.

On all these keys:
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{761F6A83-F007-49E4-8EAC-CDB6808EF06F}

Search Google, for example:
761F6A83-F007-49E4-8EAC-CDB6808EF06F etc...

Please Just let me know of any issues with this computer.
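An added example for the look-up step nasdaq describes above (my code, not the thread's and not AdwCleaner's own): it parses the "Key Found" / "Key Deleted" lines of an AdwCleaner log into records, counts findings per section, and pulls out the braced GUIDs (CLSIDs, MSI product codes) so each one can be searched once instead of being read off the log by hand. The embedded log is a trimmed copy of the report posted in this thread; the section and line formats are taken from it, and the regular expressions are my own assumptions about that format.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines copied from the AdwCleaner report posted
# in this thread, trimmed to the sections that carry findings.
SAMPLE_LOG = r"""# AdwCleaner v2.109 - Logfile created 01/28/2013 at 22:13:44
# Option [Delete]

***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{761F6A83-F007-49E4-8EAC-CDB6808EF06F}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}
Key Deleted : HKLM\Software\Viewpoint

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

*************************
"""

# "***** [Registry] *****" style section headers.
SECTION_RE = re.compile(r"^\*+ \[(?P<name>[^\]]+)\] \*+$")
# "Key Deleted : HKLM\..." / "File Found : C:\..." finding lines.
ENTRY_RE = re.compile(
    r"^(?P<kind>Key|Value|File|Folder|Service) (?P<action>Found|Deleted) : (?P<target>.+)$"
)
# Braced GUIDs such as CLSIDs and MSI product codes.
GUID_RE = re.compile(r"\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}")


@dataclass
class Entry:
    section: str   # e.g. "Registry"
    kind: str      # Key, Value, File, Folder, Service
    action: str    # Found (search run) or Deleted (delete run)
    target: str    # registry path or file path

    @property
    def hive(self) -> str:
        """Registry hive (HKLM/HKCU) for registry entries, "" otherwise."""
        if self.kind in ("Key", "Value"):
            return self.target.split("\\", 1)[0]
        return ""

    @property
    def guids(self) -> list:
        return GUID_RE.findall(self.target)


def parse_adwcleaner_log(text: str) -> list:
    """Turn an AdwCleaner [R]/[S] log into a list of Entry records."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = ENTRY_RE.match(line)
        if m and section is not None:
            entries.append(Entry(section, m.group("kind"), m.group("action"), m.group("target")))
    return entries


def registry_guids(entries: list) -> list:
    """Distinct braced GUIDs from the Registry section, first-seen order and
    without braces: the strings to look up to identify the product that
    registered each key."""
    seen = []
    for e in entries:
        if e.section != "Registry":
            continue
        for g in e.guids:
            if g.upper() not in (s.upper() for s in seen):
                seen.append(g)
    return seen


def summarize(entries: list) -> dict:
    """Count findings per (section, action), e.g. {("Registry", "Deleted"): 5}."""
    counts = {}
    for e in entries:
        counts[(e.section, e.action)] = counts.get((e.section, e.action), 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_adwcleaner_log(SAMPLE_LOG)
    for (section, action), n in sorted(summarize(found).items()):
        print(f"{section}: {n} {action.lower()}")
    print("GUIDs to look up:", ", ".join(registry_guids(found)))
```

The 32-character names under Installer\UserData\...\Components are MSI component codes (GUIDs stored in a byte-swapped, brace-less form) and are deliberately not matched by GUID_RE; the Registry section also contains keys with no GUID at all (HKLM\Software\Viewpoint), which the per-section summary still counts.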

#15 mikelinsb

  • Topic Starter
  • Members

Posted 30 January 2013 - 12:48 AM

Hello Forum Addict

Thank you for responding to my questions. I have some more, I hope you don't mind; if so, say so, and I'll quit. Here goes: the actual name of the program is Mssecex.exe and not Mssecec.exe; could you offer any info on the former? The other question I had about Mssecex.exe and Jusched.exe was that in Revo Uninstaller - Tools - Autorun, in the status column of this page, both programs are listed as INVALID. How does that impact the operation of these programs? Are they still working? Or do they need to be uninstalled and reinstalled? Can you offer any info on this? The paths are C:\program files\microsoft security client\mssecex.exe -hide -runkey and C:\program files\java\jre7\bin\jusched.exe.

I ran RogueKiller, deleting the registry and files. I do believe my computer sped up quite a bit after that. It only seems to lag at a couple of websites that I could tell. But I have some questions about the log. ....



[TASK][SUSP PATH] OAS Integration : C:\Users\Mike Leppla's PC\AppData\Local\Temp\MATS-Temp\IXPkuz51ipw.hnv\MATSWiz.exe -url "hxxps://support.microsoft.com/oas/default.aspx?tenant=FixMe&enval=&attach=C%3A%5CUsers%5CMIKELE%7E1%5CAppData%5CLocal%5CTemp%5CMATS-Temp%5CResults%5Clatest.cab&prdesc=Codec" -> FOUND

Can you decipher what [TASK][SUSP PATH] refers to? Maybe task and its suspected path? And the rest is some kind of masked code? Was this ZeroAccess? What is hxxps, and what language is it? What does this line of code do?



[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

Again, what are HJ SMENU and HJ DESK? Why is there a gap between HKCU\[...]\Advanced? What do Start_ShowMyGames and Start_ShowPrinters refer to? What is \NewStartPanel, and what is the significance of the (0) and (1)? Were these entries made by ZeroAccess, and if so, what do they do?



[ZeroAccess][FOLDER] U : C:\Users\Mike Leppla's PC\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U --> FOUND
[ZeroAccess][FOLDER] L : C:\Users\Mike Leppla's PC\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L --> FOUND

Was this the main folder for the malware?




127.0.0.1 localhost
::1 localhost

Is "::1 localhost" a valid entry in my hosts file? If so, what does it do?




+++++ PhysicalDrive0: FUJITSU MHY2160BH ATA Device +++++
--- User ---
[MBR] 65cccb5a89640e37dd9e7001b35bb589
[BSP] 1c18e065a470aef3f4ccaa97422a5411 : HP tatooed MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 140474 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 287692020 | Size: 12150 Mo
User = LL1 ... OK!
User = LL2 ... OK!


I did some reading and found that if LL1 and LL2 come back OK, I think it means there was no hidden partition. It also looks like 0 is the active C and D drive and 1 [XXXXXX] etc. is the rescue drive, and they're both clean, I think. And I suppose the master boot record is clean too. But what is [BSP], and what is the significance of "HP tatooed MBR Code"?



Lastly, here is the RogueKiller report after the deletions. And there was no ComboFix available at Bleepingcomputer. I tried to download it at MajorGeeks and it wouldn't go through to the page. I'm waiting for your instructions.



RogueKiller V8.4.3 [Jan 26 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Mike Leppla's PC [Admin rights]
Mode : Scan -- Date : 01/29/2013 20:25:45
| ARK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost
::1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: FUJITSU MHY2160BH ATA Device +++++
--- User ---
[MBR] 65cccb5a89640e37dd9e7001b35bb589
[BSP] 1c18e065a470aef3f4ccaa97422a5411 : HP tatooed MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 140474 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 287692020 | Size: 12150 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[5]_S_01292013_02d2025.txt >>
RKreport[1]_S_01262013_02d1323.txt ; RKreport[3]_D_01292013_02d2018.txt ; RKreport[4]_D_01292013_02d2020.txt ; RKreport[5]_S_01292013_02d2025.txt
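As an added example that is not part of this thread and not RogueKiller's own code: a parser for the RogueKiller report format shown above. It splits the report into its ¤¤¤ sections, checks each section's declared count against the lines actually listed, collects every FOUND line together with its bracket tags ([HJ SMENU], [ZeroAccess][FOLDER], and so on), and reads the HOSTS File section. ::1 is the IPv6 loopback address, so "127.0.0.1 localhost" and "::1 localhost" are the stock Windows Vista hosts entries; the check flags any other mapping for review. The embedded report is a trimmed copy of the scan posted above, with one constructed hosts line added (203.0.113.10 update.example.com, a documentation address and an example domain) so that the check has something to flag; the regular expressions are my assumptions about the format.

```python
import ipaddress
import re

# Constructed sample: a trimmed copy of the RogueKiller scan posted earlier in
# this thread, plus one made-up hosts line (203.0.113.10 is a documentation
# address) so that check_hosts() below has something to flag.
SAMPLE_REPORT = r"""RogueKiller V8.4.3 [Jan 26 2013] by Tigzy
Mode : Scan -- Date : 01/26/2013 13:23:29

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 5 ¤¤¤
[TASK][SUSP PATH] OAS Integration : C:\Users\Mike Leppla's PC\AppData\Local\Temp\MATS-Temp\IXPkuz51ipw.hnv\MATSWiz.exe -url "hxxps://support.microsoft.com/oas/default.aspx?tenant=FixMe&enval=&attach=C%3A%5CUsers%5CMIKELE%7E1%5CAppData%5CLocal%5CTemp%5CMATS-Temp%5CResults%5Clatest.cab&prdesc=Codec" -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FOLDER] U : C:\Users\Mike Leppla's PC\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U --> FOUND
[ZeroAccess][FOLDER] L : C:\Users\Mike Leppla's PC\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L --> FOUND

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost
::1 localhost
203.0.113.10 update.example.com

¤¤¤ MBR Check: ¤¤¤
"""

SECTION_RE = re.compile(r"^¤¤¤ (?P<name>.+?)(?: : (?P<count>\d+))? ¤¤¤$")  # "¤¤¤ Name : N ¤¤¤"
FINDING_RE = re.compile(r"^(?P<tags>(?:\[[^\]]+\])+)\s*(?P<detail>.*?)\s*-+> FOUND$")
TAG_RE = re.compile(r"\[([^\]]+)\]")
LOOPBACK = {"127.0.0.1", "::1"}          # ::1 is the IPv6 loopback address
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_roguekiller(text):
    """Split a report into sections: name -> {"count": declared N or None, "lines": [...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            count = int(m.group("count")) if m.group("count") else None
            current = sections.setdefault(m.group("name").rstrip(":").strip(),
                                          {"count": count, "lines": []})
        elif current is not None and line:
            current["lines"].append(line)
    return sections


def findings(sections):
    """(section, [tags], detail) for every line RogueKiller marked FOUND."""
    out = []
    for name, sec in sections.items():
        for line in sec["lines"]:
            m = FINDING_RE.match(line)
            if m:
                out.append((name, TAG_RE.findall(m.group("tags")), m.group("detail")))
    return out


def count_mismatches(sections):
    """Sections whose declared count differs from the lines actually listed."""
    return [n for n, s in sections.items()
            if s["count"] is not None and s["count"] != len(s["lines"])]


def hosts_entries(sections):
    """(ip, [hostnames]) pairs from the HOSTS File section, comments stripped."""
    out = []
    for line in sections.get("HOSTS File", {}).get("lines", []):
        parts = line.split("#", 1)[0].split()        # drop trailing comments
        if len(parts) < 2 or line.startswith("-->"):  # "--> path" is not an entry
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:                            # not an address: skip junk lines
            continue
        out.append((parts[0], parts[1:]))
    return out


def check_hosts(entries):
    """Entries other than a plain loopback -> localhost mapping.  A hostname sent
    to a foreign address is the classic hosts-file hijack; loopback entries for
    other names are usually a user's own ad/tracker blocklist.  Review either."""
    return [(ip, names) for ip, names in entries
            if not (ip in LOOPBACK and all(n.lower() in LOCAL_NAMES for n in names))]
```

Run against the report in the thread, check_hosts() returns nothing for the two stock lines, which answers the "::1 localhost" question: it is the IPv6 counterpart of "127.0.0.1 localhost", not something RogueKiller objects to. The MBR Check section is kept as raw lines only; the LL1/LL2 checks and the [MBR]/[BSP] hashes are RogueKiller's own comparisons and this parser does not reinterpret them.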










