
USB virus, desktop.ini, two $recycler.bin Avast will not fix


This topic is locked
24 replies to this topic

#1 gotbit

gotbit

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:39 PM

Posted 13 March 2013 - 06:03 PM

Hello, first off I HAD a PC running XP; it fell victim to a mean virus. It got ahold of my Gmail, but I was saved by third-party login safety (I hope). That PC is on slate for a format... Unfortunately I had plugged in my iPod and Android phone into said PC before knowing of its infection (both acting up). The phone is of course acting strangely now, as the micro SD card came from the phone. After being told that my info should be fine, I reluctantly decided to try saving over the data to my laptop; ya, seems there were probably some hidden files awaiting. Immediately after inserting the card reader I am getting desktop.ini's, and Avast found two $recycler.bin errors when scanned but will not touch them; they are not showing in the recycle bin even with "hidden folders" and "system folders not recommended" checked.

 

 

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 9.0.8112.16470
Run by Owner at 15:24:13 on 2013-03-13
#Option MBR scan  is disabled.
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.3573.1984 [GMT -7:00]
.
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: Trend Micro AntiVirus *Disabled/Updated* {48929DFC-7A52-A34F-8351-C4DBEDBD9C50}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\bcmwltry.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Windows\explorer.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k apphost
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k SDRSVC
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.msn.com
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
EB: <No Name>: {555D4D79-4BD2-4094-A395-CFC534424A05} - LocalServer32 - <no file>
EB: <No Name>: {555D4D79-4BD2-4094-A395-CFC534424A05} - LocalServer32 - <no file>
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [IAStorIcon] c:\program files\intel\intel® rapid storage technology\IAStorIcon.exe
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Windows Mobile-based device management] c:\windows\windowsmobile\wmdSync.exe
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 192.168.1.1 184.16.33.54
TCP: Interfaces\{48CC912F-951F-40C6-AA19-0AAC190120A8} : DHCPNameServer = 192.168.1.1 184.16.33.54
TCP: Interfaces\{5F0A8F20-B48E-4425-A7C7-C6C1438FC199} : DHCPNameServer = 192.168.1.1 184.16.33.54
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs=     
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\25.0.1364.152\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [2013-3-4 49320]
R0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2013-2-22 13560]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2013-2-20 765808]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2013-2-20 368248]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2013-2-20 29880]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-2-20 66408]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2013-2-20 45248]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-14 21504]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\intel\intel® rapid storage technology\IAStorDataMgrSvc.exe [2011-4-18 13336]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-2-15 52624]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-2-15 36368]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-2-26 179712]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [2013-3-4 163784]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2011-6-2 11336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 tmproxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2008-4-16 648456]
.
=============== Created Last 30 ================
.
2013-03-12 19:39:42 6954968 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{653c8280-fea0-436e-8115-e83009703351}\mpengine.dll
2013-03-12 04:29:19 -------- d--h--w- c:\program files\common files\EAInstaller
2013-03-10 21:20:33 -------- d-----w- c:\program files\CCleaner
2013-03-07 17:55:06 -------- d-----w- c:\program files\Origin Games
2013-03-06 22:56:33 -------- d-----w- C:\MGADiagToolOutput
2013-03-06 22:56:33 -------- d-----w- \MGADiagToolOutput
2013-03-04 16:47:14 49320 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-03-04 16:47:14 163784 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-03-02 19:16:11 -------- d-----w- C:\_OTL
2013-03-02 19:16:11 -------- d-----w- \_OTL
2013-02-27 02:10:53 -------- d-----w- c:\users\owner\appdata\local\Origin
2013-02-27 02:09:39 -------- d-----w- c:\program files\Origin
2013-02-26 08:42:22 920088 ----a-w- c:\windows\system32\igxpun.exe
2013-02-26 06:35:21 -------- d-----w- c:\windows\system32\x64
2013-02-26 06:20:13 53248 ----a-w- c:\windows\system32\CSVer.dll
2013-02-22 21:27:30 44424 ----a-w- c:\windows\system32\sbbd.exe
2013-02-22 21:27:30 13560 ----a-w- c:\windows\system32\drivers\gfibto.sys
2013-02-22 01:17:16 0 --sha-r- \MSDOS.SYS
2013-02-22 01:17:16 0 --sha-r- \IO.SYS
2013-02-21 05:17:35 765808 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-02-21 05:17:33 66408 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-02-21 05:16:44 41664 ----a-w- c:\windows\avastSS.scr
2013-02-21 05:16:18 -------- d-----w- c:\programdata\AVAST Software
2013-02-21 05:16:18 -------- d-----w- c:\program files\AVAST Software
2013-02-21 03:24:18 -------- d-----w- c:\program files\Enigma Software Group
2013-02-21 03:23:21 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2013-02-19 19:13:57 -------- d-----w- c:\users\owner\appdata\local\Zemana
2013-02-19 19:13:54 -------- d-----w- c:\program files\AntiLogger
2013-02-15 22:04:52 208448 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2013-02-14 21:38:46 -------- d-----w- c:\program files\Lavalys
2013-02-14 18:47:20 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-02-14 09:23:35 -------- d-----w- c:\program files\Dell Support Center
2013-02-14 09:22:18 -------- d-----w- C:\temp
2013-02-14 09:22:18 -------- d-----w- \temp
2013-02-14 09:10:25 -------- d-----w- c:\windows\Driver Cache
2013-02-14 09:10:25 -------- d-----w- c:\program files\AVerMedia
2013-02-14 09:03:42 356352 ----a-w- c:\windows\system32\NVUNINST.EXE
2013-02-14 05:45:26 -------- d-----w- c:\users\owner\appdata\local\Giant Savings Extension
2013-02-14 05:34:59 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2013-02-14 05:23:55 -------- d-----w- c:\programdata\Origin
2013-02-14 05:23:54 -------- d-----w- c:\programdata\Electronic Arts
2013-02-14 04:11:13 768000 ----a-w- c:\program files\common files\microsoft shared\vgx\VGX.dll
2013-02-13 19:36:16 2048512 ----a-w- c:\windows\system32\win32k.sys
2013-02-13 19:36:13 3602808 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-02-13 19:36:13 3550072 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-02-13 19:36:12 905576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-02-13 19:36:10 1314816 ----a-w- c:\windows\system32\quartz.dll
2013-02-12 23:51:50 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-02-12 22:18:24 -------- d-----w- c:\program files\FGIcon
2013-02-12 22:18:04 -------- d-----w- c:\programdata\Tarma Installer
.
==================== Find3M  ====================
.
2013-03-12 19:23:40 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-12 19:23:39 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-02-12 01:57:27 15872 ----a-w- c:\windows\system32\drivers\usb8023x.sys
2013-02-12 01:57:27 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-02-02 03:38:35 1800704 ----a-w- c:\windows\system32\jscript9.dll
2013-02-02 03:30:32 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2013-02-02 03:30:21 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-02-02 03:26:47 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-02-02 03:26:21 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-02-02 03:23:28 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-01-17 09:28:58 232336 ------w- c:\windows\system32\MpSigStub.exe
2012-12-16 13:12:54 34304 ----a-w- c:\windows\system32\atmlib.dll
2012-12-16 10:50:29 293376 ----a-w- c:\windows\system32\atmfd.dll
.
============= FINISH: 15:24:43.98 ===============
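As an added example (not from the thread and not part of the DDS or ComboFix tools), here is a small Python triage parser for the "Created Last 30" listing in the log above; it also accepts the ComboFix "Files Created" lines posted later in this thread, which carry a second timestamp after " . ". The attribute-letter meanings and the review heuristics are my assumptions from reading the log lines, and the sample input is a constructed subset copied from the logs.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Line shape as the logs print it: created timestamp, optional " . modified"
# timestamp (ComboFix only), size or "--------" for directories, an
# 8-character attribute string, then the path. Attribute letters are read as
# 'd' directory, 's' system, 'h' hidden, 'a' archive, 'r' read-only,
# 'w' writable (my reading of the log, not documented by either tool here).
_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?)"
    r"(?:\s+\.\s+(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?))?"
    r"\s+(?P<size>\d+|-{3,})\s+(?P<attrs>[-a-z]{8})\s+(?P<path>\S.*)$"
)

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".bat", ".cpl")
# Areas where newly created executables are routine (updates, AV installs).
SYSTEM_AREAS = ("c:\\windows\\", "c:\\program files\\", "c:\\programdata\\")


@dataclass
class Entry:
    created: str
    modified: Optional[str]   # None for DDS lines, which carry one timestamp
    size: Optional[int]       # None when the tool printed "--------" (directories)
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def hidden_system(self) -> bool:
        # hidden + system is how Explorer hides items even with "show hidden files" on
        return "s" in self.attrs and "h" in self.attrs

    @property
    def leaf(self) -> str:
        return self.path.rstrip("\\").rsplit("\\", 1)[-1]


def parse_entries(text: str) -> List[Entry]:
    """Return one Entry per file line; banners, '.' separators etc. are skipped."""
    entries = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        size_field = m.group("size")
        size = None if size_field.startswith("-") else int(size_field)
        entries.append(Entry(m.group("created"), m.group("modified"), size,
                             m.group("attrs"), m.group("path").strip()))
    return entries


def review_reasons(e: Entry) -> List[str]:
    """Heuristic reasons a responder would look at this entry first (not verdicts)."""
    reasons = []
    low = e.path.lower()
    if e.hidden_system:
        reasons.append("hidden+system attributes")
    if not e.is_dir and e.size == 0:
        reasons.append("zero-byte file")
    if not e.is_dir and low.endswith(EXEC_EXT) and not low.startswith(SYSTEM_AREAS):
        reasons.append("executable outside Windows/Program Files")
    leaf = e.leaf
    # Assumed heuristic: long all-caps alphanumeric names mixing letters and digits
    if (len(leaf) >= 12 and re.fullmatch(r"[A-Z0-9]+", leaf)
            and any(c.isdigit() for c in leaf) and any(c.isalpha() for c in leaf)):
        reasons.append("random-looking name")
    return reasons


def triage(text: str) -> List[Tuple[str, List[str]]]:
    """Parse a log excerpt and return (path, reasons) for entries worth a manual look."""
    out = []
    for e in parse_entries(text):
        reasons = review_reasons(e)
        if reasons:
            out.append((e.path, reasons))
    return out


# Constructed sample: a few DDS lines and a few ComboFix lines copied from this thread's logs.
SAMPLE_LOG = r"""
=============== Created Last 30 ================
.
2013-03-12 04:29:19 -------- d--h--w- c:\program files\common files\EAInstaller
2013-02-22 21:27:30 44424 ----a-w- c:\windows\system32\sbbd.exe
2013-02-22 01:17:16 0 --sha-r- \MSDOS.SYS
2013-02-22 01:17:16 0 --sha-r- \IO.SYS
2013-02-21 05:16:44 41664 ----a-w- c:\windows\avastSS.scr
2013-03-16 00:45 . 2013-03-16 00:54 -------- d-----w- c:\users\Owner\AppData\Local\temp
2013-02-14 05:45 . 2013-02-14 05:45 -------- d-----w- c:\users\Owner\AppData\Roaming\0T1F0D1F2W1G1I1F1T1Q
2013-02-22 21:27 . 2013-02-22 21:27 44424 ----a-w- c:\windows\system32\sbbd.exe
"""

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG):
        print(f"{path}: {', '.join(reasons)}")
```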
 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,227 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:39 PM

Posted 15 March 2013 - 12:54 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===
Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Link 1
Link 2

IMPORTANT !!! Save ComboFix.exe to your Desktop

1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
3. Do not install any other programs until this is fixed.


How to: Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
  • Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program, all you need to do is restart the computer to reset the registry.
===

Third party programs, if not up to date, can be the cause of infiltration and infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on the Delete tab and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
  • Please post the logs for my review. Let me know what problem persists.


#3 gotbit

gotbit
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:39 PM

Posted 15 March 2013 - 08:17 PM

OK, here's the first part, but not without hitches... First it did a reboot, chkdsk, then ComboFix came back up, kept working, till a window popped up saying "IAStorIcon.exe - Application Error, Application has generated an exception that could not be handled. Process ID=0xdb0 (3504), Thread ID=0xcf8 (3320). Click OK to terminate application, or click cancel to debug the application." I chose the latter, errored due to lack of debugger, wrong choice?
 
 
ComboFix 13-03-15.01 - Owner 03/15/2013  17:36:28.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.3573.2087 [GMT -7:00]
Running from: c:\users\Owner\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: Trend Micro AntiVirus *Disabled/Updated* {48929DFC-7A52-A34F-8351-C4DBEDBD9C50}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Fast Browser Search
c:\program files\Fast Browser Search\IE\1.bat
c:\program files\Fast Browser Search\IE\about.html
c:\program files\Fast Browser Search\IE\affid.dat
c:\program files\Fast Browser Search\IE\basis.xml
c:\program files\Fast Browser Search\IE\basis_br.xml
c:\program files\Fast Browser Search\IE\basis_de.xml
c:\program files\Fast Browser Search\IE\basis_en.xml
c:\program files\Fast Browser Search\IE\basis_es.xml
c:\program files\Fast Browser Search\IE\basis_fr.xml
c:\program files\Fast Browser Search\IE\basis_it.xml
c:\program files\Fast Browser Search\IE\basis_nr.xml
c:\program files\Fast Browser Search\IE\basis_pt.xml
c:\program files\Fast Browser Search\IE\basis_ru.xml
c:\program files\Fast Browser Search\IE\basis_tr.xml
c:\program files\Fast Browser Search\IE\ClearRecycleBin.exe
c:\program files\Fast Browser Search\IE\error.html
c:\program files\Fast Browser Search\IE\fbsProtection.xml
c:\program files\Fast Browser Search\IE\FbsSearchProvider.xml
c:\program files\Fast Browser Search\IE\FBStoolbar.dll
c:\program files\Fast Browser Search\IE\fbstoolbar.jar
c:\program files\Fast Browser Search\IE\fbstoolbar.manifest
c:\program files\Fast Browser Search\IE\icons.bmp
c:\program files\Fast Browser Search\IE\IE3SH.exe
c:\program files\Fast Browser Search\IE\info.txt
c:\program files\Fast Browser Search\IE\local.xml
c:\program files\Fast Browser Search\IE\logobg.bmp
c:\program files\Fast Browser Search\IE\MTWBtoolbar.html
c:\program files\Fast Browser Search\IE\search.bmp
c:\program files\Fast Browser Search\IE\search_br.bmp
c:\program files\Fast Browser Search\IE\search_de.bmp
c:\program files\Fast Browser Search\IE\search_es.bmp
c:\program files\Fast Browser Search\IE\search_fr.bmp
c:\program files\Fast Browser Search\IE\search_it.bmp
c:\program files\Fast Browser Search\IE\search_pt.bmp
c:\program files\Fast Browser Search\IE\search_ru.bmp
c:\program files\Fast Browser Search\IE\SearchGuardPlus.exe
c:\program files\Fast Browser Search\IE\SearchGuardPlus.ico
c:\program files\Fast Browser Search\IE\SGPU.ico
c:\program files\Fast Browser Search\IE\sgpUpdater.xml
c:\program files\Fast Browser Search\IE\tbs_include_script_003175.js
c:\program files\Fast Browser Search\IE\tbs_include_script_005064.js
c:\program files\Fast Browser Search\IE\tbs_include_script_012817.js
c:\program files\Fast Browser Search\IE\Toolbar Help.htm
c:\program files\Fast Browser Search\IE\version.txt
c:\program files\Search Guard PlusU
c:\program files\Search Guard PlusU\SGPU.ico
c:\program files\Search Guard PlusU\sgpUpdater.xml
c:\program files\SGPSA
c:\programdata\Roaming
c:\programdata\Roaming\Intel\Wireless\Settings\Settings.ini
c:\users\Owner\%appda~1
c:\users\Owner\%appda~1\Microsoft\Internet Explorer\UserData\index.dat
c:\users\Owner\Documents\~WRL0005.tmp
c:\users\Owner\Documents\~WRL3206.tmp
c:\windows\security\Database\tmp.edb
c:\windows\system32\oem20.inf
c:\windows\system32\YingInstall
c:\windows\system32\YingInstall\409.ini
.
.
(((((((((((((((((((((((((   Files Created from 2013-02-16 to 2013-03-16  )))))))))))))))))))))))))))))))
.
.
2013-03-16 00:45 . 2013-03-16 00:54 -------- d-----w- c:\users\Owner\AppData\Local\temp
2013-03-15 05:46 . 2013-02-08 00:45 6954968 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{75B21CAE-A243-432B-9D69-DCB8261E998C}\mpengine.dll
2013-03-14 00:50 . 2013-03-14 00:50 -------- d-----w- C:\dimwit
2013-03-12 04:29 . 2013-03-12 04:29 -------- d--h--w- c:\program files\Common Files\EAInstaller
2013-03-10 21:20 . 2013-03-10 21:25 -------- d-----w- c:\program files\CCleaner
2013-03-07 17:55 . 2013-03-13 01:31 -------- d-----w- c:\program files\Origin Games
2013-03-06 22:56 . 2013-03-06 22:56 -------- d-----w- C:\MGADiagToolOutput
2013-03-04 16:47 . 2013-02-28 08:36 163784 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-03-04 16:47 . 2013-02-28 08:36 49320 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-03-02 19:16 . 2013-03-02 19:16 -------- d-----w- C:\_OTL
2013-02-27 02:10 . 2013-02-27 02:10 -------- d-----w- c:\users\Owner\AppData\Local\Origin
2013-02-27 02:09 . 2013-02-27 02:10 -------- d-----w- c:\program files\Origin
2013-02-26 08:42 . 2008-02-12 04:13 920088 ----a-w- c:\windows\system32\igxpun.exe
2013-02-26 06:35 . 2013-02-26 06:35 -------- d-----w- c:\windows\system32\x64
2013-02-26 06:20 . 2011-04-16 00:00 53248 ----a-w- c:\windows\system32\CSVer.dll
2013-02-22 21:28 . 2013-02-22 21:28 -------- d-----w- c:\users\Owner\AppData\Roaming\LavasoftStatistics
2013-02-22 21:27 . 2013-02-22 21:27 44424 ----a-w- c:\windows\system32\sbbd.exe
2013-02-22 21:27 . 2013-02-22 21:27 13560 ----a-w- c:\windows\system32\drivers\gfibto.sys
2013-02-21 05:17 . 2013-02-28 08:36 368248 ----a-w- c:\windows\system32\drivers\aswSP.sys
2013-02-21 05:17 . 2013-02-28 08:36 29880 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2013-02-21 05:17 . 2013-02-28 08:36 765808 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-02-21 05:17 . 2013-02-28 08:36 62448 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2013-02-21 05:17 . 2013-02-28 08:36 49832 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2013-02-21 05:17 . 2013-02-28 08:36 66408 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-02-21 05:16 . 2013-02-28 08:36 41664 ----a-w- c:\windows\avastSS.scr
2013-02-21 05:16 . 2013-02-28 08:35 228600 ----a-w- c:\windows\system32\aswBoot.exe
2013-02-21 05:16 . 2013-02-21 05:16 -------- d-----w- c:\programdata\AVAST Software
2013-02-21 05:16 . 2013-02-21 05:16 -------- d-----w- c:\program files\AVAST Software
2013-02-21 03:24 . 2013-02-21 03:24 -------- d-----w- c:\program files\Enigma Software Group
2013-02-21 03:23 . 2013-02-21 03:23 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2013-02-19 19:13 . 2013-02-19 19:14 -------- d-----w- c:\users\Owner\AppData\Local\Zemana
2013-02-19 19:13 . 2013-02-21 19:41 -------- d-----w- c:\program files\AntiLogger
2013-02-15 22:04 . 2013-02-15 22:04 208448 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
2013-02-14 21:38 . 2013-02-14 21:38 -------- d-----w- c:\program files\Lavalys
2013-02-14 18:48 . 2013-02-14 18:48 -------- d-----w- c:\program files\SystemRequirementsLab
2013-02-14 18:48 . 2013-02-14 18:48 -------- d-----w- c:\users\Owner\AppData\Roaming\SystemRequirementsLab
2013-02-14 18:48 . 2013-02-14 18:48 -------- d-----w- c:\windows\Sun
2013-02-14 18:47 . 2013-02-14 18:46 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-02-14 18:45 . 2013-02-14 18:45 -------- d-----w- c:\programdata\McAfee
2013-02-14 09:23 . 2013-02-14 09:50 -------- d-----w- c:\program files\Dell Support Center
2013-02-14 09:22 . 2013-02-14 09:51 -------- d-----w- C:\temp
2013-02-14 09:10 . 2013-02-14 09:12 -------- d-----w- c:\windows\Driver Cache
2013-02-14 09:10 . 2013-02-14 09:10 -------- d-----w- c:\program files\AVerMedia
2013-02-14 09:03 . 2007-11-16 22:37 356352 ----a-w- c:\windows\system32\NVUNINST.EXE
2013-02-14 05:45 . 2013-02-14 18:51 -------- d-----w- c:\users\Owner\AppData\Local\Giant Savings Extension
2013-02-14 05:45 . 2013-02-14 05:45 -------- d-----w- c:\users\Owner\AppData\Roaming\0T1F0D1F2W1G1I1F1T1Q
2013-02-14 05:34 . 2009-09-05 01:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2013-02-14 05:24 . 2013-02-14 06:06 -------- d-----w- c:\users\Owner\AppData\Roaming\Origin
2013-02-14 05:23 . 2013-02-27 03:19 -------- d-----w- c:\programdata\Origin
2013-02-14 05:23 . 2013-03-12 05:48 -------- d-----w- c:\programdata\Electronic Arts
2013-02-14 04:11 . 2013-01-08 22:01 768000 ----a-w- c:\program files\Common Files\Microsoft Shared\vgx\VGX.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-12 19:23 . 2012-07-09 04:49 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-12 19:23 . 2012-07-09 04:49 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-01-17 09:28 . 2009-10-02 20:50 232336 ------w- c:\windows\system32\MpSigStub.exe
2013-01-05 05:26 . 2013-02-13 19:36 3602808 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-01-05 05:26 . 2013-02-13 19:36 3550072 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-01-04 11:28 . 2013-02-13 19:36 905576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-01-04 01:38 . 2013-02-13 19:36 2048512 ----a-w- c:\windows\system32\win32k.sys
2012-12-16 13:12 . 2012-12-29 01:07 34304 ----a-w- c:\windows\system32\atmlib.dll
2012-12-16 10:50 . 2012-12-29 01:07 293376 ----a-w- c:\windows\system32\atmfd.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-02-28 08:35 121968 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-08 3444736]
"IAStorIcon"="c:\program files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-11-06 283160]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-02-28 4767304]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 946352]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Owner^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^StartUp^Adobe Media Player.lnk]
path=c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\Adobe Media Player.lnk
backup=c:\windows\pss\Adobe Media Player.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^Owner^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^StartUp^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-12-18 19:08 946352 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-07-02 20:29 159744 ----a-w- c:\program files\DellTPad\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OEM02Mon.exe]
2007-02-02 09:00 36864 ----a-w- c:\windows\OEM02Mon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-05-07 01:10 405504 ----a-w- c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UfSeAgnt.exe]
2008-07-29 22:28 1398024 ----a-w- c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile-based device management]
2007-06-01 00:21 648072 ----a-w- c:\windows\WindowsMobile\wmdcBase.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2011-08-05 20:29 159456 ----a-w- c:\program files\Zune\ZuneLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2910388343-3669961354-4034591298-1000]
"EnableNotificationsRef"=dword:00000002
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2910388343-3669961354-4034591298-1001]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ   Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ   hpqcxs08
LocalServiceAndNoImpersonation REG_MULTI_SZ   FontCache
WindowsMobile REG_MULTI_SZ   wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ   WcesComm RapiMgr
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-03-15 03:21 1629648 ----a-w- c:\program files\Google\Chrome\Application\25.0.1364.172\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-16 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-09 19:23]
.
2013-03-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-01-25 05:10]
.
2013-03-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-01-25 05:10]
.
2013-03-16 c:\windows\Tasks\User_Feed_Synchronization-{9DE2A930-5BF7-466C-A033-6CDC69CE178C}.job
- c:\windows\system32\msfeedssync.exe [2011-04-13 04:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 184.16.33.54
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-AntiLogger - c:\program files\AntiLogger\AntiLogger.exe
MSConfigStartUp-APSDaemon - c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
MSConfigStartUp-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2.exe
MSConfigStartUp-IAAnotif - c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-Messenger (Yahoo!) - c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\QTTask.exe
MSConfigStartUp-SpySweeper - c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe
MSConfigStartUp-Windows Mobile Device Center - c:\windows\WindowsMobile\wmdc.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-03-15 17:53
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\system32\WLANExt.exe
c:\windows\System32\bcmwltry.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
c:\program files\DellTPad\Apntex.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2013-03-15  17:58:44 - machine was rebooted
ComboFix-quarantined-files.txt  2013-03-16 00:58
.
Pre-Run: 195,104,665,600 bytes free
Post-Run: 195,261,169,664 bytes free
.
- - End Of File - - B4118AFEAE9C721A29228463158402AF

Edited by gotbit, 15 March 2013 - 08:57 PM.


#4 gotbit
  • Topic Starter
  • Members
  • 17 posts

Posted 15 March 2013 - 09:03 PM

 Results of screen317's Security Check version 0.99.61  
 Windows Vista Service Pack 2 x86 (UAC is enabled)  
 Internet Explorer 9  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
 Windows Firewall Disabled!  
avast! Antivirus        
Trend Micro AntiVirus   
 Antivirus up to date!  (On Access scanning disabled!) 
`````````Anti-malware/Other Utilities Check:````````` 
 CCleaner     
 Adobe Reader 8  
 Adobe Reader XI  
 Google Chrome 25.0.1364.152  
 Google Chrome 25.0.1364.172  
````````Process Check: objlist.exe by Laurent````````  
 AVAST Software Avast AvastSvc.exe  
 AVAST Software Avast AvastUI.exe  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 2 % Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log`````````````````````` 


#5 gotbit
  • Topic Starter
  • Members
  • 17 posts

Posted 15 March 2013 - 09:13 PM

# AdwCleaner v2.114 - Logfile created 03/15/2013 at 19:06:13
# Updated 05/03/2013 by Xplode
# Operating system : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# User : Owner - PUTER
# Boot Mode : Normal
# Running from : C:\Users\Owner\Desktop\adwcleaner.exe
# Option [Delete]
 
 
***** [Services] *****
 
 
***** [Files / Folders] *****
 
Folder Deleted : C:\ProgramData\Tarma Installer
Folder Deleted : C:\Users\Owner\AppData\Roaming\iWin
 
***** [Registry] *****
 
Key Deleted : HKCU\Software\AppDataLow\Software\Crossrider
Key Deleted : HKCU\Software\DataMngr_Toolbar
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1BB22D38-A411-4B13-A746-C2A4F4EC7344}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}
Key Deleted : HKLM\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
 
***** [Internet Browsers] *****
 
-\\ Internet Explorer v9.0.8112.16470
 
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls - Tabs] = hxxp://www.fastbrowsersearch.com/new-tab/?v=18&tid={00000000-0000-0000-0000-000000000000} --> hxxp://www.google.com
 
*************************
 
AdwCleaner[S1].txt - [1690 octets] - [15/03/2013 19:06:13]
 
########## EOF - C:\AdwCleaner[S1].txt - [1750 octets] ##########


#6 nasdaq
  • Malware Response Team
  • 40,227 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 16 March 2013 - 07:21 AM

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before you download, I suggest you uncheck the box on the top right, "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old versions of the Reader using the Add/Remove Programs applet if present.
Adobe Reader 8
Adobe Reader XI

====

then combofix came back up, kept working, till a window popped up saying " IAStorIcon.exe-Application Error

This is coming from this run key.

"IAStorIcon"="c:\program files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe"
Read about it.
http://www.qwhatis.com/what-is-iastoricon/

Are you having any difficulties with this program?

Any other issues with this computer?

#7 gotbit
  • Topic Starter
  • Members
  • 17 posts

Posted 16 March 2013 - 11:36 AM

Not sure if I am having problems with that program, don't think I was before... Only other thing I can see at this moment is that my WAN card errors and crashes the laptop periodically. I reinstalled drivers and believe it has stopped.

Adobe Reader installation error

Setup has detected that you already have a more functional product installed. Setup will now terminate.

I do want to try and fix my desktop next, will start a new thread on it of course. Question for ya, are you familiar with "new service would allow parents to control their children's online activity" in my services.msc? I have about as many of those as Microsoft services, another site said it's a loss format, what is your opinion? Last question regarding the desktop, what is a safe way to back up music, photos, videos so I don't transfer the virus?


Edited by gotbit, 16 March 2013 - 12:41 PM.


#8 nasdaq
  • Malware Response Team
  • 40,227 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 16 March 2013 - 12:45 PM

What is wrong with your desktop?

Question for ya, are you familiar with "new service would allow parents to control their children's online activity" in my services.msc? I have about as many of those as Microsoft services, another site said it's a loss format, what is your opinion?

This looks like some remnant items from an infection.

Run this tool and we will see what it finds.

Please download RogueKiller© by Tigzy from one of the links below and save it to your desktop.

Link 1 Bleepingcomputer
Link 2 RogueKiller (par Tigzy)

Quit all running programs.

For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.
====

#9 gotbit
  • Topic Starter
  • Members
  • 17 posts

Posted 16 March 2013 - 01:47 PM

Sorry I don't want there to be any confusion, that is my other computer, deciding whether I should attack it again next, or find a safe way to save data then reformat...

This happened on the laptop today...

just bluescreen-crashed-reboot.

Product: Windows
Problem: Shut down unexpectedly
Date: 3/16/2013 1:44 PM
Status: Report Sent

Problem signature
Problem Event Name: BlueScreen
OS Version: 6.0.6002.2.2.0.768.3
Locale ID: 1033

Files that help describe the problem (some files may no longer be available)
Mini031613-01.dmp
sysdata.xml
Version.txt

Extra information about the problem
BCCode: 1000008e
BCP1: C0000005
BCP2: 824FE82A
BCP3: BE2E1A44
BCP4: 00000000
OS Version: 6_0_6002
Service Pack: 2_0
Product: 768_1
Server information: 361ec2ed-e78e-4e75-8073-e09750935b8f

Edited by gotbit, 16 March 2013 - 06:19 PM.


#10 nasdaq
  • Malware Response Team
  • 40,227 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 17 March 2013 - 07:11 AM

You should start a new topic in the Windows Vista forum
http://www.bleepingcomputer.com/forums/forum72.html

for this second computer. We do not service two computer on one topic.
Too confusing.

#11 gotbit
  • Topic Starter
  • Members
  • 17 posts

Posted 17 March 2013 - 11:08 AM

roger, next item "to do"?



#12 nasdaq
  • Malware Response Team
  • 40,227 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 17 March 2013 - 12:50 PM

See my post No 8, for this computer.

#13 gotbit
  • Topic Starter
  • Members
  • 17 posts

Posted 17 March 2013 - 02:17 PM

RogueKiller V8.5.3 [Mar 16 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Owner [Admin rights]
Mode : Scan -- Date : 03/17/2013 12:16:01
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 5 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[64] : NtCreateKey @ 0x8263B0D0 -> HOOKED (Unknown @ 0x8B954FA0)
SSDT[72] : NtCreateProcess @ 0x826DDD71 -> HOOKED (Unknown @ 0x8B9541E0)
SSDT[73] : NtCreateProcessEx @ 0x826DDDBC -> HOOKED (Unknown @ 0x8B9544A0)
SSDT[78] : NtCreateThread @ 0x826DDBA4 -> HOOKED (Unknown @ 0x8B955E00)
SSDT[123] : NtDeleteKey @ 0x825FE71F -> HOOKED (Unknown @ 0x8B955520)
SSDT[126] : NtDeleteValueKey @ 0x825F9CC0 -> HOOKED (Unknown @ 0x8B9557E0)
SSDT[165] : NtLoadDriver @ 0x825B7DEE -> HOOKED (Unknown @ 0x8B956140)
SSDT[194] : NtOpenProcess @ 0x8266CF3E -> HOOKED (Unknown @ 0x8B954A20)
SSDT[324] : NtSetValueKey @ 0x8262A382 -> HOOKED (Unknown @ 0x8B955260)
SSDT[334] : NtTerminateProcess @ 0x8263D0D3 -> HOOKED (Unknown @ 0x8B954CE0)
SSDT[358] : NtWriteVirtualMemory @ 0x826598CD -> HOOKED (Unknown @ 0x8B955C60)
SSDT[382] : NtCreateThreadEx @ 0x82667F79 -> HOOKED (Unknown @ 0x8B955FA0)
SSDT[383] : NtCreateUserProcess @ 0x82615BD2 -> HOOKED (Unknown @ 0x8B954760)
 
¤¤¤ Extern Hives: ¤¤¤
-> D:\windows\system32\config\SOFTWARE
-> D:\windows\system32\config\SYSTEM
-> D:\Users\Default\NTUSER.DAT
 
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts
 
127.0.0.1       localhost
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: SAMSUNG HM320JI +++++
--- User ---
[MBR] 3d85a0b020b9058ff75132f8d150e582
[BSP] 162060bb474056eae6dde76395768ebf : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 78 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 161792 | Size: 10240 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 21133312 | Size: 292364 Mo
3 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 619896832 | Size: 2560 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[1]_S_03172013_02d1216.txt >>
RKreport[1]_S_03172013_02d1216.txt


#14 nasdaq
  • Malware Response Team
  • 40,227 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 18 March 2013 - 07:56 AM

Run RogueKiller again and click Scan
When the scan completes > click on the Registry tab
Put a check next to all of these items below and uncheck the rest: (if found)
 
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
 
Now click Delete on the right hand column under Options
 
Post back the report which should be located on your desktop.
 
What are the remaining issues with this computer?


#15 gotbit
  • Topic Starter
  • Members
  • 17 posts

Posted 18 March 2013 - 10:50 AM

Windows Defender "Application failed to initialize: 0x800106ba. A problem caused this program's service to stop. To start the service, restart your computer or search Help and Support for how to start a service manually." Not sure if there are any remaining issues beyond that...
 
 
 
RogueKiller V8.5.3 [Mar 16 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Owner [Admin rights]
Mode : Remove -- Date : 03/18/2013 08:40:48
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 5 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> REPLACED (1)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> NOT SELECTED
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> NOT SELECTED
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[64] : NtCreateKey @ 0x8260B0D0 -> HOOKED (Unknown @ 0x8B6A2000)
SSDT[72] : NtCreateProcess @ 0x826ADD71 -> HOOKED (Unknown @ 0x8B6A1240)
SSDT[73] : NtCreateProcessEx @ 0x826ADDBC -> HOOKED (Unknown @ 0x8B6A1500)
SSDT[78] : NtCreateThread @ 0x826ADBA4 -> HOOKED (Unknown @ 0x8B6A2E60)
SSDT[123] : NtDeleteKey @ 0x825CE71F -> HOOKED (Unknown @ 0x8B6A2580)
SSDT[126] : NtDeleteValueKey @ 0x825C9CC0 -> HOOKED (Unknown @ 0x8B6A2840)
SSDT[165] : NtLoadDriver @ 0x82587DEE -> HOOKED (Unknown @ 0x8B6A31A0)
SSDT[194] : NtOpenProcess @ 0x8263CF3E -> HOOKED (Unknown @ 0x8B6A1A80)
SSDT[324] : NtSetValueKey @ 0x825FA382 -> HOOKED (Unknown @ 0x8B6A22C0)
SSDT[334] : NtTerminateProcess @ 0x8260D0D3 -> HOOKED (Unknown @ 0x8B6A1D40)
SSDT[358] : NtWriteVirtualMemory @ 0x826298CD -> HOOKED (Unknown @ 0x8B6A2CC0)
SSDT[382] : NtCreateThreadEx @ 0x82637F79 -> HOOKED (Unknown @ 0x8B6A3000)
SSDT[383] : NtCreateUserProcess @ 0x825E5BD2 -> HOOKED (Unknown @ 0x8B6A17C0)
 
¤¤¤ Extern Hives: ¤¤¤
-> D:\windows\system32\config\SOFTWARE
-> D:\windows\system32\config\SYSTEM
-> D:\Users\Default\NTUSER.DAT
 
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts
 
127.0.0.1       localhost
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: SAMSUNG HM320JI +++++
--- User ---
[MBR] 3d85a0b020b9058ff75132f8d150e582
[BSP] 162060bb474056eae6dde76395768ebf : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 78 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 161792 | Size: 10240 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 21133312 | Size: 292364 Mo
3 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 619896832 | Size: 2560 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[3]_D_03182013_02d0840.txt >>
RKreport[1]_S_03172013_02d1216.txt ; RKreport[2]_S_03182013_02d0837.txt ; RKreport[3]_D_03182013_02d0840.txt

Edited by gotbit, 18 March 2013 - 11:07 AM.




