Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Unknown virus has disabled malwarebytes, short cuts and won't allow IE to start


  • Please log in to reply
52 replies to this topic

#1 Butterbeans2

Butterbeans2

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:07:31 PM

Posted 10 March 2013 - 10:37 PM

Hello,

I'm new to the forum and hope to get some help as I somehow got infected.  I have down loaded and ran RKill, Unhide, Spybot, tdsskiller, and done a full scan with MSE all which have failed to identify any threats.   Malwarebytes will not load but is still in C drive program file. Chameleon will start, but after the driver is loaded and it says it is killing malicious processes I get a "run-time Error 372 failed to load control 'WebBrowser' from ieframe.dll"   Upon trying to down load Tweaking.com it stopped with Error "could not uninstall shortcut: C:\Documents and Settings\All Users\Start Menu\Programs\Tweaking.com\ Windows Repair(All in One).lnk"  Upon trying a second time the firefox browser went crazy and would have tried to down load hundreds of the program until I had to shut the browser down without it loading the program.  Ihave also lost the ability to do screen shots.

IE will not open from the desktop and I am also unable to save any of the down loads to the desktops as these windows don't come up.

Unfortunately I failed to make a copy of my registry after I did a reinstall of the OS when I had a HDD failure a couple of months ago(it was not a HDD virus).  Start up seems normal and I can boot to safe mode and have the recovery console is present.  I did try to restore the computer to 3 days prior to noticing that IE didn't work without it changing the present status of things.  I rarely use IE as a browser so Idon't know how long I have had this virus.

CPU: HP Media Center 2005 32 bit Windows  XP SP3 Home Edition

 



BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,502 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:31 PM

Posted 11 March 2013 - 09:24 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
 
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===
Please download ComboFix from one of these locations:
IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some Rookit infection may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
whatnext.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.
 
Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html
 
Do not mouse click ComboFix's window while it's running. That may cause it to stall
 
Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===
 
Third party programs if not up to date can be the cause of infiltration an infection.
 
Please run this security check for my review.
 
Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===
 
Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.
 
Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete tab follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
 
Please post the logs and let me know what problem persists.


#3 Butterbeans2

Butterbeans2
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:07:31 PM

Posted 11 March 2013 - 11:13 AM

Thanks for the response nasdaq.  I tried to download combofix with antiviral disabled.  After it down loaded it got to the autorun screen and then after 2 minutes the machine stallled out.  I did not touch the mouse and let it run for 30 minutes, as it said on badly infected machines it could take up to twice the 10 minutes it should take to complete the scan. I had noted the clock time, which froze at 2 minutes after autourn started.  I had to reboot as the mouse would not close anything out. The program is listed in my download folder as well as just below components in my C:\Drive when exploring my folders.  I tried again to open it from the download folder and got the same results.  I was able to run the other two and had done the adware yesterday before asking for help.  Here are the two note pad logs.

 

Results of screen317's Security Check version 0.99.61  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
Microsoft Security Essentials   
 Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.70.0.1100  
 CCleaner     
 Java 7 Update 13  
 Java version out of Date!
 Adobe Flash Player     11.6.602.171  
 Adobe Reader XI  
 Mozilla Firefox (19.0)
 Mozilla Thunderbird (17.0.3)
 Google Chrome 25.0.1364.97  
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 22% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

 

# AdwCleaner v2.114 - Logfile created 03/10/2013 at 01:47:18
# Updated 05/03/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : HP_Administrator - HOME
# Boot Mode : Normal
# Running from : C:\Documents and Settings\HP_Administrator\My Documents\Downloads\adwcleaner.exe
# Option [Search]


***** [Services] *****

Found : BringMeSports_1cService
Found : Updater Service for StartNow Toolbar

***** [Files / Folders] *****

File Found : C:\Documents and Settings\All Users\Start Menu\Programs\eBay.lnk
File Found : C:\user.js
Folder Found : C:\Documents and Settings\All Users\Application Data\APN
Folder Found : C:\Documents and Settings\All Users\Application Data\Tarma Installer
Folder Found : C:\Documents and Settings\All Users\Application Data\WeCareReminder
Folder Found : C:\Documents and Settings\HP_Administrator\Application Data\Bandoo
Folder Found : C:\Documents and Settings\HP_Administrator\Application Data\PriceGong
Folder Found : C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Conduit
Folder Found : C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Ilivid Player
Folder Found : C:\Program Files\BringMeSports_1c
Folder Found : C:\Program Files\Conduit

***** [Registry] *****

Key Found : HKCU\Software\BringMeSports_1c
Key Found : HKCU\Software\IB Updater
Key Found : HKCU\Software\IM
Key Found : HKCU\Software\Iminent
Key Found : HKCU\Software\ImInstaller
Key Found : HKCU\Software\InstallCore
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{06B5B051-1D05-443D-822F-39AB0D05F018}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{1631550F-191D-4826-B069-D9439253D926}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{336D0C35-8A85-403A-B9D2-65C292C39087}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{5911488E-9D1E-40EC-8CBB-06B231CC153F}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{6E13D095-45C3-4271-9475-F3B48227DD9F}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{9CFACCB6-2F3F-4177-94EA-0D2B72D384C1}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{A09AB6EB-31B5-454C-97EC-9B294D92EE2A}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{CC53BD19-7B23-43B0-AB7C-0E06C708CCED}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EB5CEE80-030A-4ED8-8E20-454E9C68380F}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{F653D037-97FA-4755-98C1-7F382EEB59A7}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{F72841F0-4EF1-4DF5-BCE5-B3AC8ACF5478}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{002D1BA6-4766-4D7D-82B8-F49439C66F97}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{06B5B051-1D05-443D-822F-39AB0D05F018}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1631550F-191D-4826-B069-D9439253D926}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{336D0C35-8A85-403A-B9D2-65C292C39087}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5911488E-9D1E-40EC-8CBB-06B231CC153F}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6E13D095-45C3-4271-9475-F3B48227DD9F}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9CFACCB6-2F3F-4177-94EA-0D2B72D384C1}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A09AB6EB-31B5-454C-97EC-9B294D92EE2A}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CC53BD19-7B23-43B0-AB7C-0E06C708CCED}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EB5CEE80-030A-4ED8-8E20-454E9C68380F}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EBD898F8-FCF6-4694-BC3B-EABC7271EEB1}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F653D037-97FA-4755-98C1-7F382EEB59A7}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F72841F0-4EF1-4DF5-BCE5-B3AC8ACF5478}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Key Found : HKCU\Software\PriceGong
Key Found : HKCU\Software\SmartBar
Key Found : HKCU\Software\Softonic
Key Found : HKCU\Software\wecarereminder
Key Found : HKCU\Software\WiseConvert
Key Found : HKCU\Software\Zugo
Key Found : HKLM\Software\Babylon
Key Found : HKLM\Software\Bandoo
Key Found : HKLM\Software\BringMeSports_1c
Key Found : HKLM\SOFTWARE\Classes\AppID\{1301A8A5-3DFB-4731-A162-B357D00C9644}
Key Found : HKLM\SOFTWARE\Classes\AppID\{3A188115-B81B-48F2-A958-F974C8F3F309}
Key Found : HKLM\SOFTWARE\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}
Key Found : HKLM\SOFTWARE\Classes\AppID\BandooCore.EXE
Key Found : HKLM\SOFTWARE\Classes\AppID\SMBarBroker.EXE
Key Found : HKLM\SOFTWARE\Classes\BandooCore.BandooCore
Key Found : HKLM\SOFTWARE\Classes\BandooCore.BandooCore.1
Key Found : HKLM\SOFTWARE\Classes\BandooCore.ResourcesMngr
Key Found : HKLM\SOFTWARE\Classes\BandooCore.ResourcesMngr.1
Key Found : HKLM\SOFTWARE\Classes\BandooCore.SettingsMngr
Key Found : HKLM\SOFTWARE\Classes\BandooCore.SettingsMngr.1
Key Found : HKLM\SOFTWARE\Classes\BandooCore.StatisticMngr
Key Found : HKLM\SOFTWARE\Classes\BandooCore.StatisticMngr.1
Key Found : HKLM\SOFTWARE\Classes\BringMeSports_1c.PseudoTransparentPlugin
Key Found : HKLM\SOFTWARE\Classes\BringMeSports_1c.PseudoTransparentPlugin.1
Key Found : HKLM\SOFTWARE\Classes\BringMeSports_1c.RadioSettings
Key Found : HKLM\SOFTWARE\Classes\BringMeSports_1c.RadioSettings.1
Key Found : HKLM\SOFTWARE\Classes\BringMeSports_1c.SkinLauncher
Key Found : HKLM\SOFTWARE\Classes\BringMeSports_1c.SkinLauncher.1
Key Found : HKLM\SOFTWARE\Classes\CLSID\{0A8CC25D-66FF-41DF-B3B4-416079EF8F87}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{13119113-0854-469D-807A-171568457991}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1856A7BD-DE8C-488B-AA7A-5682D13166FC}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{27F69C85-64E1-43CE-98B5-3C9F22FB408E}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{33119133-0854-469D-807A-171568457991}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{39AE4193-9636-4786-A7E8-D0BED697CDF3}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{5489857C-D16B-4F23-A322-9F3D3423DC6D}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{5911488E-9D1E-40EC-8CBB-06B231CC153F}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{5DC6445C-89CE-4895-9EEE-79449A453700}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{6285C254-4465-4F8B-A009-5F42AB02C291}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{6E13D095-45C3-4271-9475-F3B48227DD9F}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{716F0A7A-66F8-4C51-9EF2-BE22E0EA2F00}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{74CEF9D2-506A-4BC6-B577-4F6505317FBA}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{779A6469-E20C-4517-9D59-394EE65E216C}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{82C7004A-078E-468C-9C0F-2243618FF7CB}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{8E74A826-02AC-4EDF-8827-7CFDE086FB48}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{9AFB8248-617F-460D-9366-D71CDEDA3179}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{A1912AF6-DFE3-48B1-BDFE-9A65259AC702}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{B299D84A-69A5-4433-9A79-51EF2BB7841F}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{B543EF05-9758-464E-9F37-4C28525B4A4C}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{B8CBCB5A-9192-4122-B3DE-BD139320EC09}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{BB76A90B-2B4C-4378-8506-9A2B6E16943C}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{BC61CA7A-6B81-47EC-B62D-AE1A236CADB9}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{C3AB94A4-BFD0-4BBA-A331-DE504F07D2DB}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{CC53BD19-7B23-43B0-AB7C-0E06C708CCED}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{D31FF80A-322D-4343-99BD-158557C460B2}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{D424710B-AF83-49A6-9F26-033E0CF794B1}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{EBD898F8-FCF6-4694-BC3B-EABC7271EEB1}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{F0C8CCC2-BAAA-4236-AD0A-22B5A401B9EF}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{F653D037-97FA-4755-98C1-7F382EEB59A7}
Key Found : HKLM\SOFTWARE\Classes\Interface\{021B4049-F57D-4565-A693-FD3B04786BFA}
Key Found : HKLM\SOFTWARE\Classes\Interface\{0362AA09-808D-48E9-B360-FB51A8CBCE09}
Key Found : HKLM\SOFTWARE\Classes\Interface\{06844020-CD0B-3D3D-A7FE-371153013E49}
Key Found : HKLM\SOFTWARE\Classes\Interface\{06DE5702-44CF-4B79-B4EF-3DDF653358F5}
Key Found : HKLM\SOFTWARE\Classes\Interface\{07B18EAC-A523-4961-B6BB-170DE4475CCA}
Key Found : HKLM\SOFTWARE\Classes\Interface\{0ADC01BB-303B-3F8E-93DA-12C140E85460}
Key Found : HKLM\SOFTWARE\Classes\Interface\{10D3722F-23E6-3901-B6C1-FF6567121920}
Key Found : HKLM\SOFTWARE\Classes\Interface\{120927BF-1700-43BC-810F-FAB92549B390}
Key Found : HKLM\SOFTWARE\Classes\Interface\{1675E62B-F911-3B7B-A046-EB57261212F3}
Key Found : HKLM\SOFTWARE\Classes\Interface\{192929F2-9273-3894-91B0-F54671C4C861}
Key Found : HKLM\SOFTWARE\Classes\Interface\{1F52A5FA-A705-4415-B975-88503B291728}
Key Found : HKLM\SOFTWARE\Classes\Interface\{23119123-0854-469D-807A-171568457991}
Key Found : HKLM\SOFTWARE\Classes\Interface\{247A115F-06C2-4FB3-967D-2D62D3CF4F0A}
Key Found : HKLM\SOFTWARE\Classes\Interface\{2932897E-3036-43D9-8A64-B06447992065}
Key Found : HKLM\SOFTWARE\Classes\Interface\{2DE92D29-A042-3C37-BFF8-07C7D8893EFA}
Key Found : HKLM\SOFTWARE\Classes\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}
Key Found : HKLM\SOFTWARE\Classes\Interface\{32B80AD6-1214-45F4-994E-78A5D482C000}
Key Found : HKLM\SOFTWARE\Classes\Interface\{3436BC13-C898-4775-B1EA-BA224587010D}
Key Found : HKLM\SOFTWARE\Classes\Interface\{3A8E103F-B2B7-3BEF-B3B0-88E29B2420E4}
Key Found : HKLM\SOFTWARE\Classes\Interface\{3E53E2CB-86DB-4A4A-8BD9-FFEB7A64DF82}
Key Found : HKLM\SOFTWARE\Classes\Interface\{3E720453-B472-4954-B7AA-33069EB53906}
Key Found : HKLM\SOFTWARE\Classes\Interface\{477F210A-2A86-4666-9C4B-1189634D2C84}
Key Found : HKLM\SOFTWARE\Classes\Interface\{478CE5D3-D38E-3FFE-8DBE-8C4A0F1C4D8D}
Key Found : HKLM\SOFTWARE\Classes\Interface\{48B7DA4E-69ED-39E3-BAD5-3E3EFF22CFB0}
Key Found : HKLM\SOFTWARE\Classes\Interface\{5982F405-44E4-3BBB-BAC4-CF8141CBBC5C}
Key Found : HKLM\SOFTWARE\Classes\Interface\{5D8C3CC3-3C05-38A1-B244-924A23115FE9}
Key Found : HKLM\SOFTWARE\Classes\Interface\{63D0ED2D-B45B-4458-8B3B-60C69BBBD83C}
Key Found : HKLM\SOFTWARE\Classes\Interface\{641593AF-D9FD-30F7-B783-36E16F7A2E08}
Key Found : HKLM\SOFTWARE\Classes\Interface\{711FC48A-1356-3932-94D8-A8B733DBC7E4}
Key Found : HKLM\SOFTWARE\Classes\Interface\{72227B7F-1F02-3560-95F5-592E68BACC0C}
Key Found : HKLM\SOFTWARE\Classes\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}
Key Found : HKLM\SOFTWARE\Classes\Interface\{7473D293-B7BB-4F24-AE82-7E2CE94BB6A9}
Key Found : HKLM\SOFTWARE\Classes\Interface\{7473D295-B7BB-4F24-AE82-7E2CE94BB6A9}
Key Found : HKLM\SOFTWARE\Classes\Interface\{7473D297-B7BB-4F24-AE82-7E2CE94BB6A9}
Key Found : HKLM\SOFTWARE\Classes\Interface\{78CE34FD-F6D4-4866-B79C-A37268D06A04}
Key Found : HKLM\SOFTWARE\Classes\Interface\{7B5E8CE3-4722-4C0E-A236-A6FF731BEF37}
Key Found : HKLM\SOFTWARE\Classes\Interface\{80904944-C726-4C7D-A452-3FFF2A882095}
Key Found : HKLM\SOFTWARE\Classes\Interface\{890D4F59-5ED0-3CB4-8E0E-74A5A86E7ED0}
Key Found : HKLM\SOFTWARE\Classes\Interface\{89B7AE32-9C52-41D6-A64D-14D7BDEC9C58}
Key Found : HKLM\SOFTWARE\Classes\Interface\{8C68913C-AC3C-4494-8B9C-984D87C85003}
Key Found : HKLM\SOFTWARE\Classes\Interface\{8D019513-083F-4AA5-933F-7D43A6DA82C4}
Key Found : HKLM\SOFTWARE\Classes\Interface\{8E9CF769-3D3B-40EB-9E2D-76E7A205E4D2}
Key Found : HKLM\SOFTWARE\Classes\Interface\{90449521-D834-4703-BB4E-D3AA44042FF8}
Key Found : HKLM\SOFTWARE\Classes\Interface\{923F6FB8-A390-370E-A0D2-DD505432481D}
Key Found : HKLM\SOFTWARE\Classes\Interface\{991AAC62-B100-47CE-8B75-253965244F69}
Key Found : HKLM\SOFTWARE\Classes\Interface\{9BBB26EF-B178-35D6-9D3D-B485F4279FE5}
Key Found : HKLM\SOFTWARE\Classes\Interface\{A626CDBD-3D13-4F78-B819-440A28D7E8FC}
Key Found : HKLM\SOFTWARE\Classes\Interface\{A62DDBE0-8D2A-339A-B089-8CBCC5CD322A}
Key Found : HKLM\SOFTWARE\Classes\Interface\{A82AD04D-0B8E-3A49-947B-6A69A8A9C96D}
Key Found : HKLM\SOFTWARE\Classes\Interface\{ADEB3CC9-A05D-4FCC-BD09-9025456AA3EA}
Key Found : HKLM\SOFTWARE\Classes\Interface\{B06D4521-D09C-3F41-8E39-9D784CCA2A75}
Key Found : HKLM\SOFTWARE\Classes\Interface\{BBABDC90-F3D5-4801-863A-EE6AE529862D}
Key Found : HKLM\SOFTWARE\Classes\Interface\{C06DAD42-6F39-4CE1-83CC-9A8B9105E556}
Key Found : HKLM\SOFTWARE\Classes\Interface\{C2E799D0-43A5-3477-8A98-FC5F3677F35C}
Key Found : HKLM\SOFTWARE\Classes\Interface\{D16107CD-2AD5-46A8-BA59-303B7C32C500}
Key Found : HKLM\SOFTWARE\Classes\Interface\{D25B101F-8188-3B43-9D85-201F372BC205}
Key Found : HKLM\SOFTWARE\Classes\Interface\{D2BA7595-5E44-3F1E-880F-03B3139FA5ED}
Key Found : HKLM\SOFTWARE\Classes\Interface\{D35F5C81-17D9-3E1C-A1FC-4472542E1D25}
Key Found : HKLM\SOFTWARE\Classes\Interface\{D6FF3684-AD3B-48EB-BBB4-B9E6C5A355C1}
Key Found : HKLM\SOFTWARE\Classes\Interface\{D8FA96CA-B250-312C-AF34-4FF1DD72589D}
Key Found : HKLM\SOFTWARE\Classes\Interface\{DAFC1E63-3359-416D-9BC2-E7DCA6F7B0F3}
Key Found : HKLM\SOFTWARE\Classes\Interface\{DC5E5C44-80FD-3697-9E65-9F286D92F3E7}
Key Found : HKLM\SOFTWARE\Classes\Interface\{DE38C398-B328-4F4C-A3AD-1B5E4ED93477}
Key Found : HKLM\SOFTWARE\Classes\Interface\{E1B4C9DE-D741-385F-981E-6745FACE6F01}
Key Found : HKLM\SOFTWARE\Classes\Interface\{E342AF55-B78A-4CD0-A2BB-DA7F52D9D25F}
Key Found : HKLM\SOFTWARE\Classes\Interface\{E79DFBC9-5697-4FBD-94E5-5B2A9C7C1612}
Key Found : HKLM\SOFTWARE\Classes\Interface\{E79DFBCB-5697-4FBD-94E5-5B2A9C7C1612}
Key Found : HKLM\SOFTWARE\Classes\Interface\{E7B623F5-9715-3F9F-A671-D1485A39F8A2}
Key Found : HKLM\SOFTWARE\Classes\Interface\{EB9E5C1C-B1F9-4C2B-BE8A-27D6446FDAF8}
Key Found : HKLM\SOFTWARE\Classes\Interface\{ED916A7B-7C68-3198-B87D-2DABC30A5587}
Key Found : HKLM\SOFTWARE\Classes\Interface\{EFA1BDB2-BB3D-3D9A-8EB5-D0D22E0F64F4}
Key Found : HKLM\SOFTWARE\Classes\Interface\{F4CBF4DD-F8FE-35BA-BB7E-68304DAAB70B}
Key Found : HKLM\SOFTWARE\Classes\Interface\{F87D7FB5-9DC5-4C8C-B998-D8DFE02E2978}
Key Found : HKLM\SOFTWARE\Classes\Interface\{FC32005D-E27C-32E0-ADFA-152F598B75E7}
Key Found : HKLM\SOFTWARE\Classes\Interface\{FF871E51-2655-4D06-AED5-745962A96B32}
Key Found : HKLM\SOFTWARE\Classes\Prod.cap
Key Found : HKLM\SOFTWARE\Classes\ScriptHost.Tool
Key Found : HKLM\SOFTWARE\Classes\ScriptHost.Tool.1
Key Found : HKLM\SOFTWARE\Classes\toolband.eb_explorerbar
Key Found : HKLM\SOFTWARE\Classes\toolband.eb_explorerbar.1
Key Found : HKLM\SOFTWARE\Classes\toolband.fh_hookeventsink
Key Found : HKLM\SOFTWARE\Classes\toolband.fh_hookeventsink.1
Key Found : HKLM\SOFTWARE\Classes\toolband.ipm_printlistitem
Key Found : HKLM\SOFTWARE\Classes\toolband.ipm_printlistitem.1
Key Found : HKLM\SOFTWARE\Classes\toolband.pm_dialogeventshandler
Key Found : HKLM\SOFTWARE\Classes\toolband.pm_dialogeventshandler.1
Key Found : HKLM\SOFTWARE\Classes\toolband.pm_launcher
Key Found : HKLM\SOFTWARE\Classes\toolband.pm_launcher.1
Key Found : HKLM\SOFTWARE\Classes\toolband.pm_printmanager
Key Found : HKLM\SOFTWARE\Classes\toolband.pm_printmanager.1
Key Found : HKLM\SOFTWARE\Classes\toolband.pr_bindstatuscallback
Key Found : HKLM\SOFTWARE\Classes\toolband.pr_bindstatuscallback.1
Key Found : HKLM\SOFTWARE\Classes\toolband.pr_cancelbuttoneventhandler
Key Found : HKLM\SOFTWARE\Classes\toolband.pr_cancelbuttoneventhandler.1
Key Found : HKLM\SOFTWARE\Classes\toolband.pr_printdialogcallback
Key Found : HKLM\SOFTWARE\Classes\toolband.pr_printdialogcallback.1
Key Found : HKLM\SOFTWARE\Classes\toolband.tbtoolband
Key Found : HKLM\SOFTWARE\Classes\toolband.tbtoolband.1
Key Found : HKLM\SOFTWARE\Classes\toolband.useroptions
Key Found : HKLM\SOFTWARE\Classes\toolband.useroptions.1
Key Found : HKLM\SOFTWARE\Classes\Toolbar.BandObject
Key Found : HKLM\SOFTWARE\Classes\Toolbar.BandObject.1
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT3196716
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT3201318
Key Found : HKLM\SOFTWARE\Classes\Toolbar.ToolbarHelperObject
Key Found : HKLM\SOFTWARE\Classes\Toolbar.ToolbarHelperObject.1
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{03119103-0854-469D-807A-171568457991}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{0F2C9A6B-A0ED-4189-B086-C0E76D80EB91}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{1265AE6E-5141-468B-AB11-67ECE832F5E8}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{256B342B-85A7-4E4E-AA2E-101CDDEF5EFD}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{2BF2028E-3F3C-4C05-AB45-B2F1DCFE0759}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{2D9B1B31-D034-4738-8F6E-40F0AFCC742C}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{4CD73219-4D3F-46EE-AC3E-768E2A2AB056}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{6A751D61-7A6B-4999-BFD0-ADF01A40F6F2}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{71E326B6-2DC3-40B7-93D8-3CEDA9C83F53}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{8F5F1CB6-EA9E-40AF-A5CA-C7FD63CC1971}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{92364364-56B2-4C54-AAE3-A7D03A30C023}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{A50C4254-A6A2-48CB-A2D0-C5E0A53FD965}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{A66EEC44-AA6D-4AF2-BF75-490E2CA17AE9}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{BDFCF196-0622-41CF-BDA6-D1CDB44AB5E9}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{DB538320-D3C5-433C-BCA9-C4081A054FCF}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{F6C482A5-17AE-43D3-A6AC-52A70674283C}
Key Found : HKLM\Software\Conduit
Key Found : HKLM\Software\Freeze.com
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\dhkplhfnhceodhffomolpfigojocbpcb
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\dlnembnfbcpjnepmfjmngjenhhajpdfd
Key Found : HKLM\Software\IB Updater
Key Found : HKLM\Software\Iminent
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{00E7EC3E-CC58-46DC-9C48-E18BC492BCCF}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{164EA1FC-B0A0-4202-8C65-E4BA4D54A3AE}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1856A7BD-DE8C-488B-AA7A-5682D13166FC}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3436BC13-C898-4775-B1EA-BA224587010D}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{424624F4-C5DD-4E1D-BDD0-1E9C9B7799CC}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68B81CCD-A80C-4060-8947-5AE69ED01199}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7F000001-DB8E-F89C-2FEC-49BF726F8C12}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{89B7AE32-9C52-41D6-A64D-14D7BDEC9C58}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C8A3CA5-889E-4554-BEEC-EC0876E4E96A}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CB26D84F-BC4C-485A-B9BB-8B847A7E3189}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E6B969FB-6D33-48D2-9061-8BBD4899EB08}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F9189560-573A-4FDE-B055-AE7B0F4CF080}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA460720-7B38-421D-981C-66F0AE288FB9}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\BringMeSports_1cbar Uninstall
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\mywebsearch bar uninstall
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{002D1BA6-4766-4D7D-82B8-F49439C66F97}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6E13D095-45C3-4271-9475-F3B48227DD9F}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EBD898F8-FCF6-4694-BC3B-EABC7271EEB1}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F653D037-97FA-4755-98C1-7F382EEB59A7}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{0A8CC25D-66FF-41DF-B3B4-416079EF8F87}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2F4D7835-42B0-4BA7-9587-1B01393F78EE}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{6087829B-114F-42A1-A72B-B4AEDCEA4E5B}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{6285C254-4465-4F8B-A009-5F42AB02C291}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{82C7004A-078E-468C-9C0F-2243618FF7CB}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{B8CBCB5A-9192-4122-B3DE-BD139320EC09}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{BC61CA7A-6B81-47EC-B62D-AE1A236CADB9}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F0C8CCC2-BAAA-4236-AD0A-22B5A401B9EF}
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0238BBE24EA3A70408B81E4BB89C15E5
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\29799DE249E7DBC459FC6C8F07EB8375
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BringMeSports_1cbar Uninstall
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchTheWebARP
Key Found : HKLM\SOFTWARE\MozillaPlugins\@BringMeSports_1c.com/Plugin
Key Found : HKLM\Software\Tarma Installer
Key Found : HKLM\Software\WiseConvert
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{EBD898F8-FCF6-4694-BC3B-EABC7271EEB1}]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{5911488E-9D1E-40EC-8CBB-06B231CC153F}]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{CC53BD19-7B23-43B0-AB7C-0E06C708CCED}]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EBD898F8-FCF6-4694-BC3B-EABC7271EEB1}]
Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform [FunWebProducts]
Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [BringMeSports Search Scope Monitor]
Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [BringMeSports_1c Browser Plugin Loader]
Value Found : HKLM\SOFTWARE\Mozilla\Firefox\extensions [{336D0C35-8A85-403a-B9D2-65C292C39087}]
Value Found : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [1cffxtbr@BringMeSports_1c.com]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v19.0 (en-US)

File : C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\pjjvd1ez.default-1358485096234\prefs.js

Found : user_pref("{FE1DEEEA-DB6D-44b8-83F0-34FC0F9D1052}.ScriptData_WSG_blackList", "form=CONTLB|babsrc=too[...]
Found : user_pref("{FE1DEEEA-DB6D-44b8-83F0-34FC0F9D1052}.ScriptData_WSG_referrer", "hxxp://us.yhs4.search.y[...]
Found : user_pref("{FE1DEEEA-DB6D-44b8-83F0-34FC0F9D1052}.ScriptData_WSG_temp_referer", "hxxp://us.yhs4.sear[...]
Found : user_pref("{FE1DEEEA-DB6D-44b8-83F0-34FC0F9D1052}.ScriptData_WSG_whiteList", "{\"search.babylon.com\[...]

File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3xb7u74o.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v25.0.1364.97

File : C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

File : C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [25401 octets] - [10/03/2013 01:47:18]

########## EOF - C:\AdwCleaner[R1].txt - [25462 octets] ##########


 



#4 Butterbeans2

Butterbeans2
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:07:31 PM

Posted 11 March 2013 - 11:41 AM

Just for the record to be up to date I reran adware cleaner and also the delete portion and here is the log:

# AdwCleaner v2.114 - Logfile created 03/11/2013 at 12:31:35
# Updated 05/03/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : HP_Administrator - HOME
# Boot Mode : Normal
# Running from : C:\Documents and Settings\HP_Administrator\My Documents\Downloads\adwcleaner(1).exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v19.0 (en-US)

File : C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\pjjvd1ez.default-1358485096234\prefs.js

[OK] File is clean.

File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3xb7u74o.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v25.0.1364.97

File : C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

File : C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [25532 octets] - [10/03/2013 02:47:18]
AdwCleaner[R2].txt - [1489 octets] - [11/03/2013 12:21:44]
AdwCleaner[R3].txt - [27085 octets] - [11/03/2013 12:23:56]
AdwCleaner[R4].txt - [1610 octets] - [11/03/2013 12:31:14]
AdwCleaner[S1].txt - [26332 octets] - [10/03/2013 02:48:35]
AdwCleaner[S2].txt - [1541 octets] - [11/03/2013 12:31:35]

########## EOF - C:\AdwCleaner[S2].txt - [1601 octets] ##########
 



#5 nasdaq

nasdaq

  • Malware Response Team
  • 40,502 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:31 PM

Posted 11 March 2013 - 02:00 PM

Run this tool instead of ComboFix.
Please download RogueKiller© by Tigzy from one of the links below and save it to your desktop. 
 
 
Quit all running programs.
 
For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
 
Click Scan to scan the system. 
When the scan completes > Close out the program > Don't Fix anything!
 
Don't run any other options, they're not all bad!!!!!!!
 
Post back the report which should be located on your desktop.
====
Secure your system by updating 3rd party programs.
 
Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
 
Be careful not to install malware posing as Java update!
Important read this blog.
 
Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
 
How to disable Java in your browsers
 
You can manually check your present version and update as recommended.
 
If present remove the old version(s) of Java using the Add/Remove Programs applet.
 
Java 7 Update 13 
 
Java 7 update 10 introduced important new security controls
You can read about it here.
 
Note
Java security update installs Ask Toolbar by default -- a single click in a multi-step installer.
I suggest that your un-check the box "Install the Ask Toolbar" before proceeding.
===


#6 Butterbeans2

Butterbeans2
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:07:31 PM

Posted 11 March 2013 - 02:50 PM

I can't update Java as the windows installer isn't working. 

RK log:

RogueKiller V8.5.2 [Mar  9 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : HP_Administrator [Admin rights]
Mode : Scan -- Date : 03/11/2013 15:46:14
| ARK || FAK || MBR |

¤¤¤ Bad processes : 2 ¤¤¤
[SUSP PATH] arservice.exe -- C:\WINDOWS\arservice.exe [7] -> KILLED [TermProc]
[SUSP PATH] arpwrmsg.exe -- C:\WINDOWS\arpwrmsg.exe [7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 13 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : wXW5Sp4VdJimub (C:\Documents and Settings\All Users\Application Data\wXW5Sp4VdJimub.exe) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3217568500-915994851-3009536150-1007[...]\Run : wXW5Sp4VdJimub (C:\Documents and Settings\All Users\Application Data\wXW5Sp4VdJimub.exe) -> FOUND
[TASK][SUSP PATH] RegSERVO.job : C:\Documents and Settings\HP_Administrator\Desktop\REGSERVO\RegSERVO.exe -t [x] -> FOUND
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
[HJPOL] HKCU\[...]\System : DisableCMD (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableCMD (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD5000AAKS-00WWPA0 +++++
--- User ---
[MBR] 4ea289df8fc5de50b4a67bd66c4ff58f
[BSP] b409da533a10c19e40ffa4c096dccee2 : Toshiba MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 468269 Mo
1 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 959032305 | Size: 8660 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 976768065 | Size: 2 Mo
3 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 976773152 | Size: 0 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_03112013_02d1546.txt >>
RKreport[1]_S_03112013_02d1546.txt
 



#7 nasdaq

nasdaq

  • Malware Response Team
  • 40,502 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:31 PM

Posted 12 March 2013 - 07:41 AM

Run RogueKiller again and click Scan
When the scan completes > click on the Registry tab
Put a check next to all of these item below and uncheck the rest: (if found)
 
[RUN][SUSP PATH] HKCU\[...]\Run : wXW5Sp4VdJimub (C:\Documents and Settings\All Users\Application Data\wXW5Sp4VdJimub.exe) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3217568500-915994851-3009536150-1007[...]\Run : wXW5Sp4VdJimub (C:\Documents and Settings\All Users\Application Data\wXW5Sp4VdJimub.exe) -> FOUND
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
[HJPOL] HKCU\[...]\System : DisableCMD (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableCMD (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
 
Now click Delete on the right hand column under Options
 
Post back the report which should be located on your desktop.
===
 
Run ComboFix and post the log is you can.


#8 Butterbeans2

Butterbeans2
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:07:31 PM

Posted 12 March 2013 - 11:32 AM

RogueKiller V8.5.2 [Mar  9 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : HP_Administrator [Admin rights]
Mode : Remove -- Date : 03/12/2013 12:11:04
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 11 ¤¤¤
[TASK][SUSP PATH] RegSERVO.job : C:\Documents and Settings\HP_Administrator\Desktop\REGSERVO\RegSERVO.exe -t [x] -> DELETED
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> DELETED
[HJPOL] HKCU\[...]\System : DisableCMD (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableCMD (0) -> DELETED
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowUser (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD5000AAKS-00WWPA0 +++++
--- User ---
[MBR] 4ea289df8fc5de50b4a67bd66c4ff58f
[BSP] b409da533a10c19e40ffa4c096dccee2 : Toshiba MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 468269 Mo
1 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 959032305 | Size: 8660 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 976768065 | Size: 2 Mo
3 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 976773152 | Size: 0 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[4]_D_03122013_02d1211.txt >>
RKreport[1]_S_03112013_02d1546.txt ; RKreport[2]_S_03122013_02d0943.txt ; RKreport[3]_S_03122013_02d1119.txt ; RKreport[4]_D_03122013_02d1211.txt
 



#9 Butterbeans2

Butterbeans2
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:07:31 PM

Posted 12 March 2013 - 12:40 PM

unable to run comboFix.  As before, when it gets to autorun it stalls and I have to reboot the machine.  I have tried in safe mode with same results. 



#10 nasdaq

nasdaq

  • Malware Response Team
  • 40,502 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:31 PM

Posted 12 March 2013 - 01:19 PM

 
Delete your current version of ComboFix.exe file.
 
Download ComboFix from any of the links below but rename it to svchost.exe before saving it to your desktop. <- Important.
 
==================================
 

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

 
Double click on the renamed ComboFix.exe & follow the prompts. 
 

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. 

 

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

  •  

 
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
 

RcAuto1.gif

 
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
 
whatnext.png
 
Click on Yes, to continue scanning for malware.
 
When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.
 
Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html
 
Do not mouse click combofix's window while it's running. That may cause it to stall
====


#11 Butterbeans2

Butterbeans2
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:07:31 PM

Posted 12 March 2013 - 06:12 PM

I deleted the old ComboFix and then downloaded a new version from link 1.  I renamed in and ran it whereupon when it got to autorun it ran for about 45 seconds and then disappeared.  It was not shown in Task Manager.  I tried again with the same results. 

If this will help, I am unable to down load to my desk top as I get no window asking where to save after downloading.  The downloads are only present in a folder called "downloads" in 'Bobs Documents' (I am Bob).  This is where I changed the name of the ComboFix file after downloading it.  This location is also where I have to opem downloads.  I Don't know if this helps, but after the ComboFix disappeared I was not able to connect to my ISP until I rebooted, although the mouse worked and the machine was not completely locked as previously when trying to run comboFix.



#12 nasdaq

nasdaq

  • Malware Response Team
  • 40,502 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:31 PM

Posted 13 March 2013 - 09:01 AM

Lets try to run ComboFix one more time.



#13 Butterbeans2

Butterbeans2
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:07:31 PM

Posted 13 March 2013 - 10:51 AM

Same results as yesterday.  It updated before I ran it as svc.exe file.  Next deleted and re downloaded and got same result.  2-3 min into autorun scanning for infected files the window disappears and disables my ISP.  I have mouse functions after autorun disappears, which before running Rogue Killer I did not have after comboFix would stop running.  Before, I had to manually reboot and now was able to reboot with the mouse which was necessary to reconnect with my ISP.  I reran Rogue Killer and [HJPOL] HKCU\[...]\System : disableregistrytools (0) was found once again and deleted. That was the only thing it found.  I ran Combofix immediately after the Rogue Killer deletion. 



#14 nasdaq

nasdaq

  • Malware Response Team
  • 40,502 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:31 PM

Posted 13 March 2013 - 01:21 PM

Run RKill and let see what process will be killed.



#15 Butterbeans2

Butterbeans2
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:07:31 PM

Posted 13 March 2013 - 01:40 PM

Rkill 2.4.7 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 03/13/2013 02:35:58 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * c:\windows\system\hpsysdrv.exe (PID: 3816) [WD-HEUR]

1 proccess terminated!

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * RpcSs => %SystemRoot%\system32\svchost.exe -k rpcss [Incorrect ImagePath]

Searching for Missing Digital Signatures:

 * C:\WINDOWS\System32\drivers\mqac.sys [NoSig]
 +-> C:\WINDOWS\$hf_mig$\KB971032\SP2QFE\mqac.sys : 91,776 : 06/22/2009 00:30 AM : 9229e191fe206628be17d1e67a5faed9 [Pos Repl]
 +-> C:\WINDOWS\$NtUninstallKB971032$\mqac.sys : 72,960 : 08/09/2004 05:00 PM : db07b0088cdfd20c2a22e675120ede34 [Pos Repl]
 +-> C:\WINDOWS\ServicePackFiles\i386\mqac.sys : 92,544 : 04/13/2008 02:39 PM : 70c14f5cca5cf73f8a645c73a01d8726 [Pos Repl]
 +-> C:\WINDOWS\system32\dllcache\mqac.sys : 91,776 : 06/22/2009 02:48 AM : eee50bf24caeedb515a8f3b22756d3bb [Pos Repl]

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1       localhost

Program finished at: 03/13/2013 02:37:16 PM
Execution time: 0 hours(s), 1 minute(s), and 18 seconds(s)
 






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users