Suspicious files deleted by ComboFix.


#1 JustGeorge

JustGeorge

  • Members
  • 6 posts

Posted 10 April 2013 - 06:20 PM

Hi and thanks in advance for your help. I may be a little paranoid, but better to be safe than sorry. Today, out of nowhere, when I tried to play Minecraft I started to receive the "Could not create the virtual machine" error. I have been playing Minecraft with no problems until today. After trying several forum fixes I decided to run ComboFix, as several users suggested it may be related to malware (I know, I hadn't read the Preparation Guide at the time). ComboFix deleted several files from the PC (the names of the files can be seen in the ComboFix log I will post). Now I just want to make sure my PC is safe, or whether there are any other malicious files on it. As 

Note: The problem with Java/Minecraft is still occurring after the ComboFix scan.

 

Again, thanks for your help.

 

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.17.2
Run by George at 2:05:06 on 2013-04-11
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1166 [GMT 3:00]
.
AV: Bitdefender Antivirus Free Edition *Enabled/Updated* {9488E0FA-F058-4673-850E-E755F112BABC}
FW:  *Enabled*
FW: ZoneAlarm Free Firewall Firewall *Enabled*
.
============== Running Processes ================
.
C:\Program Files\Bitdefender\Antivirus Free Edition\gzserv.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Bitdefender\Antivirus Free Edition\gziface.exe
C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: ZoneAlarm Security Engine Registrar: {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: ZoneAlarm Security Engine: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: ZoneAlarm Security Engine: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Steam] "d:\games\steam\steam.exe" -silent
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [ZoneAlarm] c:\program files\checkpoint\zonealarm\zatray.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [ISW] c:\program files\checkpoint\zaforcefield\ForceField.exe /icon="hidden"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1365454326211
TCP: Interfaces\{13D3329C-4545-4DE4-ADC7-F289A4541A70} : NameServer = 193.231.252.1 213.154.124.1
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\george\application data\mozilla\firefox\profiles\2exulbyp.default\
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\checkpoint\zaforcefield\trustchecker\bin\npFFApi.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_6_602_180.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - ExtSQL: 2013-04-09 01:25; {FFB96CC1-7EB3-449D-B827-DB661701C6BB}; c:\program files\checkpoint\zaforcefield\TrustChecker
FF - ExtSQL: 2013-04-09 03:04; {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}; c:\documents and settings\george\application data\mozilla\firefox\profiles\2exulbyp.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - ExtSQL: 2013-04-09 08:35; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\documents and settings\george\application data\mozilla\firefox\profiles\2exulbyp.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
.
============= SERVICES / DRIVERS ===============
.
R0 avc3;avc3;c:\windows\system32\drivers\avc3.sys [2013-4-10 622616]
R1 gzflt;gzflt;c:\windows\system32\drivers\gzflt.sys [2013-4-10 162976]
R1 Vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2013-1-29 527848]
R2 gzserv;Bitdefender Antivirus Free Edition;c:\program files\bitdefender\antivirus free edition\gzserv.exe [2013-4-10 27136]
R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2012-11-22 27056]
R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2012-11-22 497320]
R2 vsmon;TrueVector Internet Monitor;c:\program files\checkpoint\zonealarm\vsmon.exe -service --> c:\program files\checkpoint\zonealarm\vsmon.exe -service [?]
R3 avckf;avckf;c:\windows\system32\drivers\avckf.sys [2013-4-10 447208]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-4-9 418376]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-4-9 701512]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2013-4-9 1691480]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-4-9 22856]
.
=============== Created Last 30 ================
.
2013-04-10 22:29:50    --------    d-sha-r-    C:\cmdcons
2013-04-10 22:28:23    256000    ----a-w-    c:\windows\PEV.exe
2013-04-10 22:28:23    208896    ----a-w-    c:\windows\MBR.exe
2013-04-10 22:28:22    98816    ----a-w-    c:\windows\sed.exe
2013-04-10 21:34:10    --------    d-----w-    c:\documents and settings\george\application data\.minecraft
2013-04-10 21:20:35    143872    ----a-w-    c:\windows\system32\javacpl.cpl
2013-04-10 21:20:04    94112    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-04-10 21:01:17    --------    d-----w-    c:\windows\system32\appmgmt
2013-04-10 08:37:37    --------    d-----w-    c:\documents and settings\george\local settings\application data\Identities
2013-04-10 07:05:07    74072    ----a-w-    c:\windows\system32\XAPOFX1_5.dll
2013-04-10 07:05:07    527192    ----a-w-    c:\windows\system32\XAudio2_7.dll
2013-04-10 07:05:05    239960    ----a-w-    c:\windows\system32\xactengine3_7.dll
2013-04-10 07:05:03    2106216    ----a-w-    c:\windows\system32\D3DCompiler_43.dll
2013-04-10 07:05:02    1868128    ----a-w-    c:\windows\system32\d3dcsx_43.dll
2013-04-10 07:05:01    248672    ----a-w-    c:\windows\system32\d3dx11_43.dll
2013-04-10 07:05:00    470880    ----a-w-    c:\windows\system32\d3dx10_43.dll
2013-04-10 07:03:58    2297552    ----a-w-    c:\windows\system32\d3dx9_26.dll
2013-04-10 07:03:14    --------    d-----w-    c:\windows\Logs
2013-04-10 03:42:54    241992    ----a-w-    c:\windows\system32\drivers\avchv.sys
2013-04-10 03:39:38    622616    ----a-w-    c:\windows\system32\drivers\avc3.sys
2013-04-10 03:39:38    447208    ----a-w-    c:\windows\system32\drivers\avckf.sys
2013-04-10 03:37:32    343456    ----a-w-    c:\windows\system32\drivers\trufos.sys
2013-04-10 03:37:24    162976    ----a-w-    c:\windows\system32\drivers\gzflt.sys
2013-04-09 18:39:57    --------    d-----w-    c:\documents and settings\george\application data\NVIDIA
2013-04-09 06:13:09    --------    d-----w-    c:\program files\common files\Steam
2013-04-09 05:28:55    --------    d-----w-    c:\windows\system32\Lang
2013-04-09 03:00:20    6272    -c--a-w-    c:\windows\system32\dllcache\splitter.sys
2013-04-09 03:00:20    6272    ----a-w-    c:\windows\system32\drivers\splitter.sys
2013-04-09 03:00:10    83072    -c--a-w-    c:\windows\system32\dllcache\wdmaud.sys
2013-04-09 03:00:10    83072    ----a-w-    c:\windows\system32\drivers\wdmaud.sys
2013-04-09 02:59:39    52864    -c--a-w-    c:\windows\system32\dllcache\dmusic.sys
2013-04-09 02:59:39    52864    ----a-w-    c:\windows\system32\drivers\DMusic.sys
2013-04-09 02:59:08    56576    -c--a-w-    c:\windows\system32\dllcache\swmidi.sys
2013-04-09 02:59:08    56576    ----a-w-    c:\windows\system32\drivers\swmidi.sys
2013-04-09 02:58:35    142592    -c--a-w-    c:\windows\system32\dllcache\aec.sys
2013-04-09 02:58:35    142592    ----a-w-    c:\windows\system32\drivers\aec.sys
2013-04-09 02:58:13    172416    -c--a-w-    c:\windows\system32\dllcache\kmixer.sys
2013-04-09 02:58:13    172416    ----a-w-    c:\windows\system32\drivers\kmixer.sys
2013-04-09 02:57:42    2944    -c--a-w-    c:\windows\system32\dllcache\drmkaud.sys
2013-04-09 02:57:42    2944    ----a-w-    c:\windows\system32\drivers\drmkaud.sys
2013-04-09 02:57:31    60800    -c--a-w-    c:\windows\system32\dllcache\sysaudio.sys
2013-04-09 02:57:31    60800    ----a-w-    c:\windows\system32\drivers\sysaudio.sys
2013-04-09 02:57:21    7552    -c--a-w-    c:\windows\system32\dllcache\mskssrv.sys
2013-04-09 02:57:21    7552    ----a-w-    c:\windows\system32\drivers\MSKSSRV.sys
2013-04-09 02:57:11    4992    -c--a-w-    c:\windows\system32\dllcache\mspqm.sys
2013-04-09 02:57:11    4992    ----a-w-    c:\windows\system32\drivers\MSPQM.sys
2013-04-09 02:57:04    5376    -c--a-w-    c:\windows\system32\dllcache\mspclock.sys
2013-04-09 02:57:04    5376    ----a-w-    c:\windows\system32\drivers\MSPCLOCK.sys
2013-04-09 02:56:20    --------    d-----w-    c:\windows\system32\RTCOM
2013-04-09 02:56:16    4096    -c--a-w-    c:\windows\system32\dllcache\ksuser.dll
2013-04-09 02:56:16    4096    ----a-w-    c:\windows\system32\ksuser.dll
2013-04-09 02:56:16    146048    -c--a-w-    c:\windows\system32\dllcache\portcls.sys
2013-04-09 02:56:16    146048    ----a-w-    c:\windows\system32\drivers\portcls.sys
2013-04-09 02:56:15    60160    -c--a-w-    c:\windows\system32\dllcache\drmk.sys
2013-04-09 02:56:15    60160    ----a-w-    c:\windows\system32\drivers\drmk.sys
2013-04-09 02:56:15    129536    ----a-w-    c:\windows\system32\ksproxy.ax
2013-04-09 02:24:11    --------    d-----w-    c:\program files\VideoLAN
2013-04-09 02:08:56    --------    d-----w-    c:\documents and settings\george\local settings\application data\Sun
2013-04-09 01:45:46    --------    d-----w-    c:\program files\utorrent
2013-04-09 01:43:38    --------    d-----w-    c:\documents and settings\george\application data\uTorrent
2013-04-09 01:07:17    --------    d-----w-    c:\program files\CCleaner
2013-04-09 01:03:50    --------    d-----w-    c:\windows\pss
2013-04-09 00:23:57    861088    ----a-w-    c:\windows\system32\npDeployJava1.dll
2013-04-09 00:23:57    782240    ----a-w-    c:\windows\system32\deployJava1.dll
2013-04-09 00:16:00    693976    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-04-09 00:15:59    73432    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-04-09 00:06:09    --------    d-----w-    c:\program files\Spybot - Search & Destroy
2013-04-09 00:06:09    --------    d-----w-    c:\documents and settings\all users\application data\Spybot - Search & Destroy
.
==================== Find3M  ====================
.
2013-04-08 21:41:55    1083296    ----a-w-    c:\windows\system32\nvdrsdb0.bin
2013-04-08 21:41:55    1    ----a-w-    c:\windows\system32\nvdrssel.bin
2013-04-08 21:41:49    1083296    ----a-w-    c:\windows\system32\nvdrsdb1.bin
2013-04-04 11:50:32    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-03-29 18:42:40    5444680    ----a-w-    c:\windows\system32\drivers\RtkHDAud.sys
2013-03-27 13:57:08    79432    ----a-w-    c:\windows\system32\RtkCoInstIIXP.dll
2013-03-15 05:47:17    892704    ----a-w-    c:\windows\system32\nvdispgenco3231422.dll
2013-03-15 05:47:17    7745536    ----a-w-    c:\windows\system32\nvcuda.dll
2013-03-15 05:47:17    65536    ----a-w-    c:\windows\system32\OpenCL.dll
2013-03-15 05:47:17    6074368    ----a-w-    c:\windows\system32\nvopencl.dll
2013-03-15 05:47:17    4079104    ----a-w-    c:\windows\system32\nv4_disp.dll
2013-03-15 05:47:17    2733344    ----a-w-    c:\windows\system32\nvcuvid.dll
2013-03-15 05:47:17    2490368    ----a-w-    c:\windows\system32\nvapi.dll
2013-03-15 05:47:17    1995552    ----a-w-    c:\windows\system32\nvcuvenc.dll
2013-03-15 05:47:17    19689472    ----a-w-    c:\windows\system32\nvoglnt.dll
2013-03-15 05:47:17    17551360    ----a-w-    c:\windows\system32\nvcompiler.dll
2013-03-15 05:47:17    10713024    ----a-w-    c:\windows\system32\drivers\nv4_mini.sys
2013-03-15 05:47:17    1012512    ----a-w-    c:\windows\system32\nvdispco3231422.dll
2013-03-15 02:57:16    54272    ----a-w-    c:\windows\system32\nvwddi.dll
2013-03-15 02:57:14    223008    ----a-w-    c:\windows\system32\nvmctray.dll
2013-03-15 02:57:14    156960    ----a-w-    c:\windows\system32\nvsvc32.exe
2013-03-15 02:57:13    15668512    ----a-w-    c:\windows\system32\nvcpl.dll
2013-03-15 02:57:11    144160    ----a-w-    c:\windows\system32\nvcolor.exe
2013-03-12 11:58:34    20143688    ----a-w-    c:\windows\RTHDCPL.EXE
2013-03-08 08:36:22    293376    ----a-w-    c:\windows\system32\winsrv.dll
2013-03-07 01:32:25    2149888    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50:30    2028544    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-03-05 12:37:20    891976    ----a-w-    c:\windows\system32\RTSndMgr.CPL
2013-03-02 02:06:31    916480    ----a-w-    c:\windows\system32\wininet.dll
2013-03-02 02:06:30    43520    ------w-    c:\windows\system32\licmgr10.dll
2013-03-02 02:06:30    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-03-02 01:25:02    1867264    ----a-w-    c:\windows\system32\win32k.sys
2013-03-02 01:08:47    385024    ------w-    c:\windows\system32\html.iec
2013-02-27 07:56:51    2067456    ----a-w-    c:\windows\system32\mstscax.dll
2013-02-12 00:32:23    12928    ----a-w-    c:\windows\system32\drivers\usb8023.sys
2013-02-06 10:48:44    81920    ------w-    c:\windows\system32\ieencode.dll
2013-01-26 03:55:44    552448    ----a-w-    c:\windows\system32\oleaut32.dll
2013-01-16 13:02:38    2079816    ----a-w-    c:\windows\RtlExUpd.dll
.
============= FINISH:  2:06:02.00 ===============
 

 

 

 

 

ComboFix Log:

 

 

ComboFix 13-04-10.02 - George 04/11/2013   1:32.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1222 [GMT 3:00]
Running from: c:\documents and settings\George\My Documents\Downloads\ComboFix.exe
AV: Bitdefender Antivirus Free Edition *Enabled/Updated* {9488E0FA-F058-4673-850E-E755F112BABC}
FW:  *Enabled* {9488E0FA-F058-4673-850E-E755F112BABC}
FW: ZoneAlarm Free Firewall Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\1365457763.bdinstall.bin
c:\documents and settings\All Users\Application Data\1365563690.bdinstall.bin
c:\documents and settings\All Users\Application Data\1365563731.2368.bin
c:\documents and settings\All Users\Application Data\1365563731.2536.bin
c:\documents and settings\All Users\Application Data\1365563731.2796.bin
c:\documents and settings\All Users\Application Data\1365563731.4004.bin
c:\documents and settings\All Users\Application Data\1365564250.1320.bin
c:\documents and settings\All Users\Application Data\1365564250.2220.bin
c:\documents and settings\All Users\Application Data\1365564250.3100.bin
c:\documents and settings\All Users\Application Data\1365564250.3356.bin
c:\documents and settings\All Users\Application Data\1365565007.bdinstall.bin
.
.
(((((((((((((((((((((((((   Files Created from 2013-03-10 to 2013-04-10  )))))))))))))))))))))))))))))))
.
.
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-08 08:36 . 2008-04-14 04:42    293376    ----a-w-    c:\windows\system32\winsrv.dll
2013-03-07 01:32 . 2008-04-13 23:54    2149888    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50 . 2008-04-14 00:01    2028544    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-03-02 02:06 . 2008-04-14 04:42    916480    ----a-w-    c:\windows\system32\wininet.dll
2013-03-02 02:06 . 2008-04-14 04:42    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-03-02 02:06 . 2008-04-14 04:41    43520    ------w-    c:\windows\system32\licmgr10.dll
2013-03-02 01:25 . 2008-04-14 00:00    1867264    ----a-w-    c:\windows\system32\win32k.sys
2013-03-02 01:08 . 2008-04-13 23:07    385024    ------w-    c:\windows\system32\html.iec
2013-02-12 00:32 . 2008-04-13 23:26    12928    ----a-w-    c:\windows\system32\drivers\usb8023.sys
2013-02-06 10:48 . 2013-02-06 10:48    81920    ------w-    c:\windows\system32\ieencode.dll
2013-01-26 03:55 . 2008-04-14 04:42    552448    ----a-w-    c:\windows\system32\oleaut32.dll
2013-03-27 02:18 . 2013-04-09 00:01    263064    ----a-w-    c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Steam"="d:\games\Steam\steam.exe" [2013-03-29 1631144]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2013-03-15 15668512]
"NvMediaCenter"="NvMCTray.dll" [2013-03-15 223008]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2013-03-15 1982312]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2013-01-29 73832]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 946352]
"RTHDCPL"="RTHDCPL.EXE" [2013-03-12 20143688]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\utorrent\\uTorrent.exe"=
"d:\\Games\\Steam\\Steam.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\dota 2 beta\\dota.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\Stalker Call of Pripyat\\Stalker-COP.exe"=
.
R0 avc3;avc3;c:\windows\system32\drivers\avc3.sys [4/10/2013 6:39 AM 622616]
R1 gzflt;gzflt;c:\windows\system32\drivers\gzflt.sys [4/10/2013 6:37 AM 162976]
R2 gzserv;Bitdefender Antivirus Free Edition;c:\program files\Bitdefender\Antivirus Free Edition\gzserv.exe [4/10/2013 6:39 AM 27136]
R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [11/22/2012 5:33 PM 27056]
R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [11/22/2012 5:33 PM 497320]
R3 avckf;avckf;c:\windows\system32\drivers\avckf.sys [4/10/2013 6:39 AM 447208]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [4/9/2013 1:28 AM 418376]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/9/2013 1:28 AM 701512]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [4/9/2013 5:55 AM 1691480]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/9/2013 1:28 AM 22856]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - APPMGMT
*NewlyCreated* - JAVAQUICKSTARTERSERVICE
.
.
------- Supplementary Scan -------
.
TCP: Interfaces\{13D3329C-4545-4DE4-ADC7-F289A4541A70}: NameServer = 193.231.252.1 213.154.124.1
FF - ProfilePath - c:\documents and settings\George\Application Data\Mozilla\Firefox\Profiles\2exulbyp.default\
FF - ExtSQL: 2013-04-09 01:25; {FFB96CC1-7EB3-449D-B827-DB661701C6BB}; c:\program files\CheckPoint\ZAForceField\TrustChecker
FF - ExtSQL: 2013-04-09 03:04; {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}; c:\documents and settings\George\Application Data\Mozilla\Firefox\Profiles\2exulbyp.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - ExtSQL: 2013-04-09 08:35; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\documents and settings\George\Application Data\Mozilla\Firefox\Profiles\2exulbyp.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-ISW - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-04-11 01:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(780)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'lsass.exe'(836)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
Completion time: 2013-04-11  01:49:33
ComboFix-quarantined-files.txt  2013-04-10 22:49
.
Pre-Run: 67,049,906,176 bytes free
Post-Run: 67,087,568,896 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptOut
.
- - End Of File - - F95A3CC71F09E079F5802B4E0A190235
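To check what ComboFix actually removed, here is an added Python example (not part of this post, and not code from ComboFix or DDS) that parses the "Other Deletions" list and the DDS "Created Last 30" excerpt quoted above, recovers the Unix-epoch timestamps embedded in the deleted file names, and asks whether each deletion coincides with the Bitdefender driver installs visible in the same logs. It assumes DDS timestamps are UTC (its 03:39:38 for avc3.sys matches ComboFix's 6:39 AM under the stated GMT+3 offset) and treats the ".bdinstall.bin" naming as an installer artifact, an inference rather than something the logs state.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed excerpts copied from the ComboFix "Other Deletions" list and the
# DDS "Created Last 30" section quoted in this post (not the complete logs).
COMBOFIX_DELETIONS = r"""
c:\documents and settings\All Users\Application Data\1365457763.bdinstall.bin
c:\documents and settings\All Users\Application Data\1365563690.bdinstall.bin
c:\documents and settings\All Users\Application Data\1365563731.2368.bin
c:\documents and settings\All Users\Application Data\1365564250.1320.bin
c:\documents and settings\All Users\Application Data\1365565007.bdinstall.bin
"""

DDS_CREATED_LAST_30 = r"""
2013-04-10 03:42:54    241992    ----a-w-    c:\windows\system32\drivers\avchv.sys
2013-04-10 03:39:38    622616    ----a-w-    c:\windows\system32\drivers\avc3.sys
2013-04-10 03:39:38    447208    ----a-w-    c:\windows\system32\drivers\avckf.sys
2013-04-10 03:37:32    343456    ----a-w-    c:\windows\system32\drivers\trufos.sys
2013-04-10 03:37:24    162976    ----a-w-    c:\windows\system32\drivers\gzflt.sys
2013-04-09 00:06:09    --------    d-----w-    c:\program files\Spybot - Search & Destroy
"""

# A file name that starts with a 10-digit number followed by a dot is read as
# a Unix epoch (seconds), which is how the deleted .bin files above are named.
EPOCH_NAME = re.compile(r"(?:^|[\\/])(\d{10})\.[^\\/]*$")
# DDS line layout: "<date> <time>    <size or dashes>    <attrs>    <path>"
DDS_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.+)$")

COINCIDES = "time-stamped name; other files were created in the same window"
NO_NEARBY = "time-stamped name; nothing else created nearby, examine further"
NO_STAMP = "no epoch in name; cannot correlate by time"


def parse_deletions(text):
    """Return [(path, utc_datetime or None)] for each deleted path."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = EPOCH_NAME.search(line)
        stamp = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc) if m else None
        out.append((line, stamp))
    return out


def parse_dds_created(text):
    """Return [(utc_datetime, size or None for directories, path)]."""
    out = []
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if not m:
            continue
        # Assumption: DDS prints these timestamps in UTC (see lead-in).
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        size = None if m.group(2).startswith("-") else int(m.group(2))
        out.append((when, size, m.group(4)))
    return out


def correlate(deletions, created, window=timedelta(minutes=30)):
    """Map each deleted path to the DDS entries created within `window` of
    the epoch in its name (None when the name carries no epoch)."""
    result = {}
    for path, stamp in deletions:
        if stamp is None:
            result[path] = None
            continue
        result[path] = sorted(
            c_path for when, _size, c_path in created if abs(when - stamp) <= window
        )
    return result


def triage(deletions, created, window=timedelta(minutes=30)):
    """Return {deleted_path: (label, hits)}. A deletion whose embedded epoch
    sits inside a burst of AV driver creation is an installer by-product
    candidate; one with no neighbours deserves a closer look."""
    verdicts = {}
    for path, hits in correlate(deletions, created, window).items():
        if hits is None:
            verdicts[path] = (NO_STAMP, [])
        elif hits:
            verdicts[path] = (COINCIDES, hits)
        else:
            verdicts[path] = (NO_NEARBY, [])
    return verdicts


if __name__ == "__main__":
    dels = parse_deletions(COMBOFIX_DELETIONS)
    made = parse_dds_created(DDS_CREATED_LAST_30)
    for path, (label, hits) in triage(dels, made).items():
        print(path.rsplit("\\", 1)[-1], "->", label)
        for hit in hits:
            print("     ", hit)
```

The first deletion (1365457763, 2013-04-08 21:49 UTC) has no neighbours in the excerpt, while the other four land within minutes of the five Bitdefender drivers, which is the pattern one would expect from installer logs rather than from malware.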

#2 JustGeorge

JustGeorge
  • Topic Starter

  • Members
  • 6 posts

Posted 10 April 2013 - 06:49 PM

I realised I may have missed some information. The PC comes after a format and reinstall of Windows, after I was infected with something that took away my privileges as a user and administrator on Windows 7.

Also (I don't know if this helps or not, it may also sound noobish) but I always have two network connections, one that says "limited or no connectivity" and the active one (every time I connect to the Internet using my ISP PPPoE, the pop-up saying "Limited or no connectivity" appears, even though I have access to the Internet).

A few days ago after a Spybot scan the program found and deleted 5 adware programs; unfortunately I can't remember their names (I couldn't find the log, don't know if I saved it).

I don't know if this is normal or not, but I have 6200 access attempts blocked by the ZoneAlarm firewall in I believe 3 days after installing it, without intensely utilising the net. Hope I covered everything and sorry, I'll try to be more accurate in the next posts.



#3 nasdaq

nasdaq

  • Malware Response Team
  • 40,182 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 12 April 2013 - 08:39 AM

For your connectivity issue, try this.

Start, All Programs, Accessories, Command Prompt. Type with an Enter after each line in the code box:

ipconfig /flushdns
netsh winsock reset catalog
netsh int ip reset reset.log

===

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete tab follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
Keep me posted.

#4 JustGeorge

JustGeorge
  • Topic Starter

  • Members
  • 6 posts

Posted 15 April 2013 - 04:25 AM

OK, I tried the advice you gave me about the connection problem and it seemed like it was resolved, but after a restart the connection icon still appears in my taskbar tray. Please let me know if I did something wrong or if I should try something else.

Anyway, here is the Security Check log (NOTE: the link from your post led me to a page that is blocked by my antivirus, Bitdefender Antivirus Free Edition, as malware content; I had to download it from bleepingcomputer.com):

 

 

 Results of screen317's Security Check version 0.99.62  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Disabled!  
Bitdefender Antivirus Free Edition   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 Spybot - Search & Destroy
 Malwarebytes Anti-Malware version 1.75.0.1300  
 CCleaner     
 Java 7 Update 17  
 Adobe Flash Player     11.6.602.180  
 Adobe Reader XI  
 Mozilla Firefox (20.0.1)
````````Process Check: objlist.exe by Laurent````````  
 Bitdefender Antivirus Free Edition gzserv.exe  
 Bitdefender Antivirus Free Edition gziface.exe  
 Malwarebytes' Anti-Malware mbamscheduler.exe   
 CheckPoint ZoneAlarm vsmon.exe  
 CheckPoint ZoneAlarm zatray.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 20% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
 

 

 

And the Adware log:

 

 

 

# AdwCleaner v2.200 - Logfile created 04/15/2013 at 12:15:11
# Updated 02/04/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : George - COMPUTER_1
# Boot Mode : Normal
# Running from : C:\Documents and Settings\George\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v20.0.1 (en-US)

File : C:\Documents and Settings\George\Application Data\Mozilla\Firefox\Profiles\2exulbyp.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [918 octets] - [15/04/2013 11:57:28]
AdwCleaner[S1].txt - [979 octets] - [15/04/2013 11:58:21]
AdwCleaner[S2].txt - [825 octets] - [15/04/2013 12:15:11]

########## EOF - C:\AdwCleaner[S2].txt - [884 octets] ##########
 

 

 

Thanks again for your time and help, and please let me know what else I can do.



#5 nasdaq

nasdaq

  • Malware Response Team
  • 40,182 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 15 April 2013 - 08:18 AM

Defrag your hard disk if it's not a Solid State Disk.

As for your connection problem, I think you will be better served in this topic.
Networking forum
http://www.bleepingcomputer.com/forums/forum21.html
A more experienced helper in that field will help you better than I can.

If all is well:

Time for some housekeeping
  • The following will implement some cleanup procedures as well as reset System Restore points:
  • Click Start > Run and copy/paste the following bold text into the Run box and click OK:
  • ComboFix /Uninstall
===

To remove AdwCleaner.

Please double click on AdwCleaner.exe to run the tool.
Click on Uninstall.
Confirm with Yes.

If you decide to keep the AdwCleaner tool make sure to delete your version and download the latest before running it.

Delete the other tools we used.
You can keep the DDS tool, as most forums will ask to see a log before suggesting a fix.

Surf Safely, and Think Prevention!

#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,182 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 21 April 2013 - 08:19 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.