Malwarebytes potentially malicious website 66.150.14.?? + mbamexe high mem usage


This topic is locked.
18 replies to this topic

#1 JoBarry

  • Members
  • 11 posts

Posted 09 March 2013 - 12:20 AM

Hi, I am new to this but seem to have a problem with Malwarebytes, and I currently cannot put my computer on standby or sleep. My mbamservice.exe seems to be running high (~120,000 K mem usage) and every few mins I get a pop-up from Malwarebytes saying: "Successfully blocked access to a potentially malicious website: 66.150.14.?? Type: outgoing", where ?? = .12, .40, .41 or .42.

I have seen a post here from someone else who had this same message on Oct 12 2012 http://www.bleepingcomputer.com/forums/t/471136/browsers-trying-to-connect-to-potentially-malicious-websites/

Forum Addict BC Advisor said to download & scan with TDSSkiller. Launch it. Click on change parameters-Select TDLFS file system. Click on "Scan".Please post the LOG report(log file should be in your C drive). Do not change the default options on scan results. Download.  

This found 0 threats.

aswMBR
Launch it, allow it to download latest Avast! virus definitions
Click the "Scan" button to start scan. After scan finishes,click on Save log
Post the log results here. If you get crashes in normal mode,run it in safemode with networking
Download

Log results attached

ESET online scanner
Install it
Click on START,it should download the virus definitions
When scan gets completed,click on LIST of found threats

Export the list to desktop,copy the contents of the text file in your reply

Note: this said “Another anti-virus software was detected. This may affect the performance and quality of the scan.” It listed: ALWIL Software avast! Free Anti-virus

Microsoft

ESET scan results attached

Some background info:

I only recently (3 days ago) installed Avast Anti-Virus & Malwarebytes. I had been using AVG Free and my trial expired and it wouldn't let me go back to the trial version, so then I installed Avira (4 days ago) and then my computer kept crashing. I kept having to run in Last Known Good Configuration or Safe Mode, and multiple System Restores did not fix the problem. So then I uninstalled Avira and was able to install AVG Free, but a friend told me that there had been some recent problems with that, so I tried Avast. I also run Spybot (have done for many years). Have tried Windows Defender & Norton & none of those picked up any problems except Avast, which picked up a few things; don't know if this means anything to you: SVC WmdmPmS>??? Threat: Rootkit hidden service

Malwarebytes: PUP.Blabbers + rootkit

I read some stuff on http://forums.malwarebytes.org/index.php?showtopic=123051 from Feb 23 2013 where someone was getting the "Successfully blocked access to a potentially malicious website" message but with a different website (31.133.51.245): 66.150.14.? They were given instructions to run RogueKiller, which I followed. I got Bad processes : 0 ¤¤¤  ¤¤¤ Registry Entries : 1 ¤¤¤

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

Following instructions given for people with more than that, I deleted that.

Attached Files




#2 nasdaq

  • Malware Response Team
  • 39,936 posts
  • Location: Montreal, QC. Canada

Posted 09 March 2013 - 10:07 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
 
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===
Please download ComboFix from one of these locations:
IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[image: RcAuto1.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[image: whatnext.png]
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.
 
Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html
 
Do not mouse click ComboFix's window while it's running. That may cause it to stall.
 
Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===
 
Third-party programs, if not up to date, can be the cause of an infection.
 
Please run this security check for my review.
 
Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===
 
Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.
 
Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete tab follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
 
Please post the logs and let me know what problem persists.


#3 JoBarry

  • Topic Starter
  • Members
  • 11 posts

Posted 09 March 2013 - 02:06 PM

Hi Nasdaq, thanks for the fast response. You didn't put the location to download ComboFix from, but I found it here

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

from someone else's similar inquiry: http://www.bleepingcomputer.com/forums/t/483090/possible-protected-malware-bothering-mbam/?hl=%20potentially%20%20malicious%20%20website

 

I updated to newer version when it prompted me.  I had disabled my Avast Antivirus but it told me that AVG Anti-Virus Free Edition 2013 was detected.  I had removed that a few days ago using Add or Remove Programs & don't know how to get rid of it now.  Please advise.

 

Thanks,

Joanne



#4 JoBarry

  • Topic Starter
  • Members
  • 11 posts

Posted 09 March 2013 - 05:51 PM

Hi again, I decided to download AVG Free again so that I could disable it. Please advise if I should keep both AVG & Avast or just one. I had a few hiccups along the way (e.g. I only disabled the antivirus for 10 mins & it took longer, & AVG stopped ComboFix), but I managed to get it to run & here is the log report:

 

 ComboFix 13-03-09.01 - user 10/03/2013  11:33:08.2.2 - x86

Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.3070.2428 [GMT 13:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: AVG AntiVirus Free Edition 2013 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
FW: AVG Internet Security 2013 *Enabled* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\TEMP
c:\windows\system32\Cache
c:\windows\system32\Cache\05bef7a91820cbf5.fb
c:\windows\system32\Cache\09e31bf16234a085.fb
c:\windows\system32\Cache\12bcd174057fad04.fb
c:\windows\system32\Cache\26c630d098e22dd5.fb
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\2c53092c95605355.fb
c:\windows\system32\Cache\31a0997e9a5b5eb3.fb
c:\windows\system32\Cache\32c84fe32bb74d60.fb
c:\windows\system32\Cache\33f98249c6fb1d42.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\6163df528323acc4.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\6d03dad1035885d3.fb
c:\windows\system32\Cache\6efba17bf00608fd.fb
c:\windows\system32\Cache\95f567698be8a182.fb
c:\windows\system32\Cache\a8556537add6dfc5.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\b6e0010c11cd5d84.fb
c:\windows\system32\Cache\c1fa887b03019701.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\d80020a606c14614.fb
c:\windows\system32\Cache\e0de16f883bea794.fb
c:\windows\system32\Cache\e840e520b5c8f70e.fb
c:\windows\system32\Cache\ef7f48236c921f46.fb
c:\windows\system32\Cache\f4ceed2b3cfea4fd.fb
c:\windows\system32\Cache\f815cdde09889bac.fb
c:\windows\system32\Cache\f998975c9cc711ee.fb
c:\windows\system32\ctfmon(2).exe
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-02-09 to 2013-03-09  )))))))))))))))))))))))))))))))
.
.
2013-03-09 22:01 . 2008-04-13 23:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2013-03-09 22:01 . 2008-04-13 23:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2013-03-09 08:19 . 2013-03-09 08:19 -------- d-----w- c:\documents and settings\user\Application Data\SpeedyComputer
2013-03-09 08:18 . 2013-03-09 09:23 -------- d-----w- c:\program files\Speeding Software
2013-03-08 19:50 . 2013-02-18 14:58 6954968 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{6A4F99BA-3DC5-407D-9B24-701ACF58618F}\mpengine.dll
2013-03-08 04:59 . 2013-03-08 04:59 -------- d-----w- c:\program files\ESET
2013-03-07 21:48 . 2004-03-08 11:00 132880 ----a-w- c:\windows\system32\MSINET.OCX
2013-03-07 02:53 . 2013-03-07 02:53 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2013-03-07 02:53 . 2013-03-07 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2013-03-07 02:53 . 2013-03-07 02:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-03-07 02:53 . 2012-12-14 03:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-07 02:09 . 2013-02-28 08:36 29880 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2013-03-07 02:09 . 2013-02-28 08:36 368248 ----a-w- c:\windows\system32\drivers\aswSP.sys
2013-03-07 02:09 . 2013-02-28 08:36 49832 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2013-03-07 02:09 . 2013-02-28 08:36 765808 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-03-07 02:09 . 2013-02-28 08:36 62448 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2013-03-07 02:09 . 2013-02-28 08:36 163784 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-03-07 02:09 . 2013-02-28 08:36 49320 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-03-07 02:09 . 2013-02-28 08:36 66408 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-03-07 02:09 . 2013-02-28 08:35 228600 ----a-w- c:\windows\system32\aswBoot.exe
2013-03-07 02:08 . 2013-02-28 08:36 41664 ----a-w- c:\windows\avastSS.scr
2013-03-07 02:08 . 2013-03-07 02:08 -------- d-----w- c:\program files\AVAST Software
2013-03-07 02:07 . 2013-03-07 02:08 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2013-03-07 02:04 . 2013-03-07 02:07 -------- d-sh--w- c:\documents and settings\user\wc
2013-03-07 02:04 . 2013-03-07 02:05 -------- d-sh--w- c:\documents and settings\user\Application Data\wyUpdate AU
2013-03-07 02:04 . 2013-03-07 02:04 -------- d-----w- c:\program files\Mattlav-Software
2013-03-06 23:53 . 2013-02-18 14:58 6954968 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2013-03-06 23:05 . 2012-10-22 00:02 179936 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
2013-03-06 23:05 . 2012-10-14 14:48 55776 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2013-03-06 23:05 . 2012-09-20 14:46 164832 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2013-03-06 23:05 . 2012-09-20 14:45 19936 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys
2013-03-06 23:05 . 2012-11-15 10:33 94048 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2013-03-06 23:05 . 2012-10-01 14:30 159712 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2013-03-06 23:05 . 2012-09-13 14:05 35552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2013-03-06 23:05 . 2012-09-20 14:46 177376 ----a-w- c:\windows\system32\drivers\avglogx.sys
2013-03-05 19:08 . 2013-03-05 19:08 -------- d-----w- c:\windows\system32\searchplugins
2013-03-05 19:08 . 2013-03-05 19:08 -------- d-----w- c:\windows\system32\Extensions
2013-03-05 19:05 . 2013-03-05 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Downloaded Installations
2013-03-05 19:04 . 2013-03-05 19:04 -------- d-----w- c:\documents and settings\user\Application Data\SecureSearch
2013-03-05 01:47 . 2013-03-05 01:47 -------- d-----w- c:\documents and settings\user\Application Data\DSite
2013-03-04 02:53 . 2013-03-04 02:53 -------- d-----w- c:\documents and settings\user\Application Data\LavasoftStatistics
2013-03-04 02:22 . 2013-03-04 02:22 44424 ----a-w- c:\windows\system32\sbbd.exe
2013-03-04 02:22 . 2013-03-04 02:22 13560 ----a-w- c:\windows\system32\drivers\gfibto.sys
2013-03-04 02:17 . 2011-11-16 14:21 354816 ----a-w- c:\windows\system32\winhttp.dll
2013-03-04 02:08 . 2013-03-05 18:48 -------- d-----w- c:\program files\Windows Defender
2013-03-04 02:05 . 2013-03-05 18:49 -------- d-----w- c:\program files\Microsoft Download Manager
2013-03-02 22:19 . 2013-03-02 22:19 -------- d-----w- c:\windows\system32\wbem\Repository
2013-02-24 05:43 . 2013-03-05 18:50 -------- d-sh--w- c:\documents and settings\user\UserData
2013-02-24 05:42 . 2013-02-24 05:42 -------- d-----w- c:\program files\Garmin GPS Plugin
2013-02-24 05:42 . 2013-02-24 05:42 -------- d-----w- c:\program files\Garmin
2013-02-24 05:41 . 2013-02-24 05:45 -------- d-----w- c:\documents and settings\user\Application Data\Garmin
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-27 18:46 . 2012-04-03 22:24 691568 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-02-27 18:46 . 2011-06-07 00:30 71024 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-01-26 03:55 . 2003-03-31 12:00 552448 ----a-w- c:\windows\system32\oleaut32.dll
2013-01-16 12:28 . 2010-09-17 11:28 232336 ------w- c:\windows\system32\MpSigStub.exe
2013-01-07 01:19 . 2003-03-31 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-01-07 00:37 . 2002-08-29 01:04 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-01-04 01:20 . 2003-03-31 12:00 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-01-02 06:49 . 2003-03-31 12:00 148992 ----a-w- c:\windows\system32\mpg2splt.ax
2013-01-02 06:49 . 2003-03-31 12:00 1292288 ----a-w- c:\windows\system32\quartz.dll
2012-12-26 20:16 . 2003-03-31 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2012-12-26 20:16 . 2003-03-31 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-12-26 20:16 . 2003-03-31 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-12-24 06:40 . 2009-08-17 07:05 385024 ----a-w- c:\windows\system32\html.iec
2012-12-16 12:23 . 2003-03-31 12:00 290560 ----a-w- c:\windows\system32\atmfd.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-02-28 08:35 121968 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2012-12-17 06:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2012-12-17 06:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2012-12-17 06:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2012-12-17 06:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EADM"="c:\program files\Origin\Origin.exe" [2013-02-25 3494992]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-18 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-02-29 15494464]
"NvMediaCenter"="NvMCTray.dll" [2012-02-29 108352]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-11 483422]
"tcnz_McciTrayApp"="c:\program files\tcnz\McciTrayApp.exe" [2011-11-17 1559040]
"EaseUs Watch"="c:\program files\EaseUS\Todo Backup\bin\EuWatch.exe" [2012-10-19 70728]
"EaseUs Tray"="c:\program files\EaseUS\Todo Backup\bin\TrayNotify.exe" [2012-10-29 1315400]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-02-28 4767304]
"AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2012-12-10 3147384]
"vProt"="c:\program files\AVG SafeGuard toolbar\vprot.exe" [2013-03-09 1101488]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ   autocheck autochk *\0c:\progra~1\AVG\AVG2013\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Croteam\\Serious Sam - The Second Encounter\\Bin\\SeriousSam.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\serious sam 3\\Bin\\Sam3.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\serious sam 3\\Bin\\sam3_unrestricted.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis 2\\bin32\\Crysis2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\EaseUS\\Todo Backup\\bin\\Agent.exe"=
"c:\\Program Files\\EaseUS\\Todo Backup\\bin\\TbService.exe"=
"c:\\Program Files\\EaseUS\\Todo Backup\\bin\\TBConsoleUI.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgemcx.exe"=
.
R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [7/03/2013 3:09 p.m. 49320]
R0 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [7/03/2013 3:09 p.m. 163784]
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [7/03/2013 12:05 p.m. 55776]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [7/03/2013 12:05 p.m. 177376]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [7/03/2013 12:05 p.m. 35552]
R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [5/12/2012 4:39 p.m. 50248]
R0 EUBKMON;EUBKMON;c:\windows\system32\drivers\EUBKMON.sys [5/12/2012 4:39 p.m. 40648]
R0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [4/03/2013 3:22 p.m. 13560]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [7/03/2013 3:09 p.m. 765808]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/03/2013 3:09 p.m. 368248]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [7/03/2013 12:05 p.m. 179936]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [7/03/2013 12:05 p.m. 19936]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [7/03/2013 12:05 p.m. 159712]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/03/2013 12:05 p.m. 164832]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [10/03/2013 10:23 a.m. 31576]
R1 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [5/12/2012 4:39 p.m. 14920]
R1 EUFDDISK;EUFDDISK;c:\windows\system32\drivers\EuFdDisk.sys [5/12/2012 4:39 p.m. 185032]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/03/2013 3:09 p.m. 29880]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [7/03/2013 3:09 p.m. 66408]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2013\avgwdsvc.exe [22/10/2012 1:05 p.m. 196664]
R2 EaseUS Agent;EaseUS Agent Service;c:\program files\EaseUS\Todo Backup\bin\Agent.exe [5/12/2012 4:38 p.m. 69192]
R2 Guard Agent;Guard Agent Service;c:\program files\EaseUS\Todo Backup\bin\GuardAgent.exe [5/12/2012 4:38 p.m. 23624]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [7/03/2013 3:53 p.m. 398184]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/03/2013 3:53 p.m. 682344]
R2 vToolbarUpdater14.0.1;vToolbarUpdater14.0.1;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\14.0.1\ToolbarUpdater.exe [10/03/2013 10:23 a.m. 945328]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/03/2013 3:53 p.m. 21104]
S1 SBRE;SBRE; [x]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2013\avgidsagent.exe [15/11/2012 11:34 p.m. 5814904]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [13/07/2012 2:28 p.m. 160944]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3/11/2006 7:19 p.m. 13592]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service; [x]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [18/12/2009 10:58 a.m. 11336]
S3 cpuz134;cpuz134; [x]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [24/08/2009 10:27 a.m. 47360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ   Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ   hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-03-09 04:50 1630672 ----a-w- c:\program files\Google\Chrome\Application\25.0.1364.160\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-09 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 18:46]
.
2013-03-09 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2013-03-07 08:36]
.
2013-03-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-25 22:09]
.
2013-03-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-25 22:09]
.
2013-03-09 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 06:20]
.
2013-03-09 c:\windows\Tasks\RegClean Pro_DEFAULT.job
- c:\program files\RegClean Pro\RegCleanPro.exe [2012-07-22 02:25]
.
2013-03-05 c:\windows\Tasks\RegClean Pro_UPDATES.job
- c:\program files\RegClean Pro\RegCleanPro.exe [2012-07-22 02:25]
.
2013-03-09 c:\windows\Tasks\SpeedMaxPc Registration3.job
- c:\program files\Common Files\SpeedMaxPc\UUS3\UUS3.dll [2011-12-12 22:43]
.
2013-01-20 c:\windows\Tasks\SpeedMaxPc Update3.job
- c:\program files\Common Files\SpeedMaxPc\UUS3\Update3.exe [2011-12-12 22:43]
.
2013-01-20 c:\windows\Tasks\SpeedMaxPc.job
- c:\program files\SpeedMaxPc\SpeedMaxPc\SpeedMaxPc.exe [2012-11-19 19:20]
.
2013-03-09 c:\windows\Tasks\User_Feed_Synchronization-{FA4C7268-EA9F-4061-A510-56C501A9FFA4}.job
- c:\windows\system32\msfeedssync.exe [2009-03-07 16:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://securesearch.lavasoft.com/?source=f439e2c0&tbp=homepage&toolbarid=adawaretb&v=2_5&u=76D5CB7B5375D265F349F8513408CB51
mStart Page = about:blank
IE: Search the Web
TCP: DhcpNameServer = 192.168.1.254
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\14.0.1\ViProtocol.dll
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{95B7759C-8C7F-4BF1-B163-73684A933233} - (no file)
Toolbar-{95B7759C-8C7F-4BF1-B163-73684A933233} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-03-10 11:40
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1606980848-1482476501-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\creaton*oft.com]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-1606980848-1482476501-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\creditsƒarchonl*ne.com]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"*"=dword:00000004
.
[HKEY_USERS\S-1-5-21-1606980848-1482476501-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cree-av*de]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"*"=dword:00000004
.
[HKEY_USERS\S-1-5-21-1606980848-1482476501-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cree-av*de\www]
"*"=dword:00000004
.
[HKEY_USERS\S-1-5-21-1606980848-1482476501-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:39,06,0f,05,1d,ce,bc,ad,e1,5a,ae,d0,18,75,61,5f,aa,92,10,82,0b,
   93,ec,da,b7,45,18,eb,0a,32,de,12,db,6a,16,19,0f,19,d5,c2,b7,7b,df,81,8f,63,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WinTrust\TrustPr*viders\Software Publisher]
"$DLL"=expand:"%SystemRoot%\\system32\\SoftPub.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(932)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
Completion time: 2013-03-10  11:43:41
ComboFix-quarantined-files.txt  2013-03-09 22:43
.
Pre-Run: 106,565,197,824 bytes free
Post-Run: 106,513,899,520 bytes free
.
- - End Of File - - B609B75EF124AB7D4FC7B4EB5C42603F


#5 JoBarry (Topic Starter)

Posted 09 March 2013 - 08:43 PM

FYI, I had trouble starting my computer after shutting it down. I am unable to standby or sleep the computer, and when I tried to start it, it went black. I tried again and it came up with the screen to run safe mode etc. I tried Last Known Good Configuration and that did not work, so then I tried safe mode. It started but I couldn't do much and was going to do a system restore, but then it did a restart OK.



#6 nasdaq (Malware Response Team)

Posted 10 March 2013 - 09:02 AM

> Please advise if I should keep both AVG & Avast

I would remove Avast.

> I am unable to standby or sleep computer

Make sure that these functions are disabled. There may be a problem with your Power options.
 
Make sure you have the correct version of the system files.
 
From the Start menu, select Run. 
In the Open field, type sfc /scannow (Note: There is a space between sfc and /scannow) 
Select the OK button. 
Follow the prompts throughout the System File Checker process. 
Reboot the computer when System File Checker completes.
===
 
If you get any error message from the operating system please note it and post it in your next reply.
 
Let me know what problem persists.


#7 JoBarry (Topic Starter)

Posted 11 March 2013 - 03:19 AM

I have removed Avast and tried to run sfc /scannow, but it kept giving me Windows File Protection messages asking me to insert my Windows XP Home Edition CD-ROM, and I can't find it. I have a back-up copy of my hard drive from last year, so it might just be easier to go back to that, I think. Still can't standby or sleep.



#8 nasdaq (Malware Response Team)

Posted 11 March 2013 - 09:01 AM

Try the fix on this page.

http://www.pcworld.com/article/205562/no_sleep_standby_hibernation.html



#9 JoBarry (Topic Starter)

Posted 11 March 2013 - 05:20 PM

Hi Nasdaq, I tried the things on that page. Firstly, devmgmt.msc showed that yes, I do have ACPI Multiprocessor PC (and I knew that my computer was capable of sleep and standby since it was able to do that before I installed the Avira and Avast anti-virus software). I am quite sure that I have not changed these since installing Avast and Avira.

I actually think it is the Malwarebytes software that is the problem – should I uninstall that also?

But, following on with the steps from that site above... When I follow those powercfg.cpl instructions for Windows XP, I do not get the screens that the article said I should get; I get this one, which does not have any Hibernate tab, and the Advanced tab does not have the Power buttons box (pics attached).

When I then rebooted and pressed F2 for Setup, the System Setup screen's Power tab showed the following:

After Browser Failure   <Stay Off>
Wake on LAN from S5     <Power on>
ACPI Suspend State      <S3 State>
EIST                    <Enable>
Wake System from S5     <Disable>

I pressed F9 (= Setup Defaults), then when it showed "Load Defaults? (Y/N)" I pressed Y, and it did not change anything, but I exited saving changes anyway just in case it made a difference - but it didn't.

I don't think I have installed any graphics drivers - not sure if I installed anything with Avira or Avast. Any other ideas?

Thanks,

Joanne.



#10 JoBarry (Topic Starter)

Posted 11 March 2013 - 07:08 PM

Hi again, I uninstalled Malwarebytes just to see if that made any difference - it didn't. I still have problems when I shut down as well. If I do a restart, it starts fine. If I do a shutdown, then when I go to start it, it seems to be starting up, then the screen just goes black or it gives the safe mode option and I start it in the Last Known Good Configuration. If it goes black, I do a manual shutdown, pressing and holding the on/off button until it shuts down. If I then push start, it sometimes goes to the safe mode options screen or sometimes just starts OK after doing the manual shutdown. Quite frustrating though, since it takes a while to get it up and running, and then I can't standby or sleep it.



#11 nasdaq (Malware Response Team)

Posted 12 March 2013 - 08:41 AM

Run this Avira removal tool.

Keep me posted.


#12 JoBarry (Topic Starter)

Posted 12 March 2013 - 06:27 PM

I assume it is this one since it was highlighted/shaded? Avira AntiVir Removal Tool (Delphi-Virus W32/Induc.A)



#13 JoBarry (Topic Starter)

Posted 12 March 2013 - 08:43 PM

It said no malware found in memory.



#14 JoBarry (Topic Starter)

Posted 13 March 2013 - 04:12 AM

I ran the other one too (top one) and that said same thing.




#15 nasdaq (Malware Response Team)

Posted 13 March 2013 - 09:13 AM

Let's find out if you have another copy of this powercfg.cpl file.
 
Please download SystemLook from one of the links below and save it to your Desktop.
 
If your operating system is 64 bit download this tool:
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main text field:
:filefind
powercfg.cpl
 
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop entitled SystemLook.txt
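The SystemLook :filefind step above lists every copy of powercfg.cpl on the disk. As an added example (not part of this thread, and not SystemLook's own code), the script below does the same search over a constructed stand-in directory tree and goes one step further by hashing each copy and comparing it with the live copy in system32, so that an expected duplicate (such as the dllcache copy that Windows File Protection keeps on XP) can be told apart from a copy whose bytes differ. All paths and file contents are constructed for the demo; on a real machine you would point find_copies at the system drive.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_copies(root: Path, name: str) -> list[dict]:
    """Walk `root` and return every file whose name matches `name`
    (case-insensitively, as Windows file systems treat names)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() == name.lower():
                p = Path(dirpath) / fn
                hits.append({"path": str(p), "size": p.stat().st_size, "sha256": sha256_of(p)})
    return sorted(hits, key=lambda h: h["path"])


def classify(copies: list[dict], reference: Path) -> dict:
    """Compare each copy against the reference (the live system32 copy). Identical
    copies are expected (WFP's dllcache); a copy whose hash differs deserves a look."""
    ref_hash = sha256_of(reference)
    matching = [c["path"] for c in copies if c["sha256"] == ref_hash]
    differing = [c["path"] for c in copies if c["sha256"] != ref_hash]
    return {"reference_sha256": ref_hash, "matching": matching, "differing": differing}


def build_demo_tree() -> Path:
    """Constructed sample tree standing in for an XP system volume (not a real system)."""
    root = Path(tempfile.mkdtemp(prefix="powercfg_demo_"))
    sys32 = root / "WINDOWS" / "system32"
    (sys32 / "dllcache").mkdir(parents=True)
    (root / "Temp").mkdir()
    genuine = b"MZ...constructed stand-in for the real powercfg.cpl bytes..."
    (sys32 / "powercfg.cpl").write_bytes(genuine)
    (sys32 / "dllcache" / "powercfg.cpl").write_bytes(genuine)   # WFP's cached copy, identical
    (root / "Temp" / "POWERCFG.CPL").write_bytes(b"MZ...different bytes...")  # stray copy
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    copies = find_copies(root, "powercfg.cpl")
    report = classify(copies, root / "WINDOWS" / "system32" / "powercfg.cpl")
    for c in copies:
        print(f'{c["size"]:>6}  {c["sha256"][:16]}  {c["path"]}')
    print("copies differing from system32:", report["differing"])
```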