
virus help


This topic is locked
8 replies to this topic

#1 cindibueno
  • Members
  • 19 posts

Posted 22 April 2013 - 10:28 AM

I believe I have a virus. I first noticed on my home page the names on my icons had disappeared, then all my file names were gone. Then a few weeks later my main profile became corrupted. I have run AVG free, Glary Utilities, Sophos Virus Removal, Combofix, and Unhide. None of these have worked. I can't access anything that requires an administrator, even though I am logged on with an administrative profile. Also can't access most properties, control panel functions, or regedit. Please help!!

 

Mod Edit: Moved from Vista to Am I Infected. ~bloopie


Edited by bloopie, 22 April 2013 - 11:01 AM.




#2 zbd
  • Members
  • 390 posts

Posted 22 April 2013 - 08:36 PM

I'd try system restore to before the problem started.

 

If that doesn't work, I'd uninstall all other anti-virus programs and use MSE.

http://windows.microsoft.com/en-us/windows/security-essentials-download

 

I'd get a good firewall like Comodo.

http://www.majorgeeks.com/Comodo_Personal_Firewall__d5033.html

 

I'd also stay away from Glary Utilities and ComboFix unless you're an expert.


Edited by zbd, 22 April 2013 - 08:38 PM.


#3 cindibueno
  • Topic Starter
  • Members
  • 19 posts

Posted 25 April 2013 - 08:50 PM

I have deleted all of the anti-virus software on my PC and installed MSE and Comodo, but that still has not helped. I tried to run the command SFC \scannow and a white window flashes on my screen but closes immediately and does not run the command.


Edited by cindibueno, 25 April 2013 - 08:58 PM.


#4 boopme
  • Global Moderator
  • 73,561 posts
  • Location:NJ USA

Posted 25 April 2013 - 09:04 PM

Hello, were you successful in running ComboFix and have that log? If so, post it here with your first post:

Virus, Trojan, Spyware, and Malware Removal Logs


How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#5 cindibueno
  • Topic Starter
  • Members
  • 19 posts

Posted 26 April 2013 - 01:25 PM

ComboFix 13-04-26.01 - Arnold 04/26/2013  12:57:35.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.1916.758 [GMT -5:00]
Running from: c:\users\Arnold\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
FW: COMODO Firewall *Enabled* {8F7746F7-FE68-E084-3B6C-7404A51E8FB3}
SP: COMODO Antivirus *Disabled/Outdated* {0C2D2636-923D-EE52-2A83-E643204A8275}
SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\etc\hosts.ics
.
.
(((((((((((((((((((((((((   Files Created from 2013-03-26 to 2013-04-26  )))))))))))))))))))))))))))))))
.
.
2013-04-26 17:28 . 2013-04-26 17:28 60872 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A7788469-0A0C-4BCE-B984-D72D4C1B86B1}\offreg.dll
2013-04-26 17:15 . 2013-04-26 17:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-04-26 17:15 . 2013-04-04 19:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-04-26 14:53 . 2013-04-26 14:53 -------- d-----w- c:\program files\HitmanPro
2013-04-26 14:50 . 2013-04-26 14:53 -------- d-----w- c:\programdata\HitmanPro
2013-04-26 13:55 . 2013-04-26 14:26 -------- d-----w- C:\MGtools
2013-04-26 03:51 . 2013-04-26 03:51 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A7788469-0A0C-4BCE-B984-D72D4C1B86B1}\MpKsl6699ef87.sys
2013-04-25 20:16 . 2013-04-10 01:08 6906960 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A7788469-0A0C-4BCE-B984-D72D4C1B86B1}\mpengine.dll
2013-04-24 11:20 . 2013-04-24 11:21 -------- d-s---w- c:\programdata\Shared Space
2013-04-24 11:18 . 2013-04-24 11:18 -------- d-----w- c:\program files\COMODO
2013-04-24 11:18 . 2013-04-24 11:37 -------- d-----w- c:\programdata\Comodo
2013-04-24 11:18 . 2013-04-24 11:18 -------- d-----w- c:\programdata\Comodo Downloader
2013-04-24 03:17 . 2013-04-10 01:08 6906960 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-04-24 01:48 . 2013-04-24 01:48 706640 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{47DDC6C6-CA92-495D-AF25-017C467B25D5}\gapaengine.dll
2013-04-24 01:38 . 2013-04-24 01:39 -------- d-----w- c:\program files\Microsoft Security Client
2013-04-24 01:38 . 2010-04-05 20:00 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2013-04-24 01:32 . 2013-04-24 01:32 -------- d-----w- c:\users\Arnold\AppData\Roaming\Malwarebytes
2013-04-24 01:10 . 2013-04-24 01:10 -------- d-----w- c:\users\Arnold\AppData\Local\MFAData
2013-04-23 03:09 . 2013-04-23 03:10 115 ----a-w- c:\windows\DeleteOnReboot.bat
2013-04-22 13:02 . 2013-04-22 13:02 -------- d-----w- c:\users\Arnold\AppData\Roaming\TuneUp Software
2013-04-22 01:30 . 2013-04-22 01:30 -------- d-----w- c:\programdata\Sophos
2013-04-18 23:01 . 2013-04-18 23:01 84928 ----a-w- c:\windows\system32\drivers\inspect.sys
2013-04-15 23:38 . 2013-04-15 23:38 43216 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2013-04-15 23:38 . 2013-04-15 23:38 582960 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2013-04-15 23:38 . 2013-04-15 23:38 20072 ----a-w- c:\windows\system32\drivers\cmderd.sys
2013-04-15 23:38 . 2013-04-15 23:38 35488 ----a-w- c:\windows\system32\cmdcsr.dll
2013-04-15 23:38 . 2013-04-15 23:38 348584 ----a-w- c:\windows\system32\guard32.dll
2013-04-15 23:38 . 2013-04-15 23:38 40656 ----a-w- c:\windows\system32\cmdkbd32.dll
2013-04-15 23:38 . 2013-04-15 23:38 276688 ----a-w- c:\windows\system32\cmdvrt32.dll
2013-04-13 18:22 . 2013-04-24 01:35 -------- d-----w- c:\programdata\Foresight Software
2013-04-13 16:08 . 2013-04-13 16:08 -------- d-----w- c:\users\Arnold\AppData\Roaming\GlarySoft
2013-04-13 02:18 . 2013-04-13 02:18 -------- d-----w- c:\users\Arnold\AppData\Roaming\RealNetworks
2013-04-13 02:06 . 2013-04-13 02:06 -------- d-----w- c:\users\Default\AppData\Roaming\Kodak
2013-04-13 02:06 . 2013-04-13 20:17 -------- d-----w- c:\users\TEMP.Cindi-PC.004
2013-04-10 04:07 . 2013-03-05 01:40 2049024 ----a-w- c:\windows\system32\win32k.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-26 14:26 . 2013-04-26 13:55 255139 ----a-w- C:\MGlogs.zip
2013-04-02 10:33 . 2009-10-02 22:15 237088 ------w- c:\windows\system32\MpSigStub.exe
2013-03-13 08:46 . 2012-07-13 14:31 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-13 08:46 . 2011-12-27 00:59 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-02-16 07:37 . 2013-02-16 07:39 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-02-16 07:37 . 2013-02-16 07:40 861088 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-02-16 07:37 . 2010-07-27 23:38 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-02-12 01:57 . 2013-03-23 18:51 15872 ----a-w- c:\windows\system32\drivers\usb8023x.sys
2013-02-12 01:57 . 2013-03-23 18:51 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-02-06 13:42 . 2013-02-06 13:42 83864 ----a-w- c:\windows\system32\drivers\ssudbus.sys
2013-02-05 08:54 . 2010-02-28 05:44 37344 ----a-w- c:\windows\system32\FsUsbExDisk.Sys
2013-02-05 08:54 . 2010-02-28 05:44 233472 ----a-w- c:\windows\system32\FsUsbExService.Exe
2013-01-31 08:19 . 2013-02-15 19:20 181344 ----a-w- c:\windows\system32\drivers\ssudmdm.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2013-03-07 21:31 576976 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2013-03-07 21:31 576976 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2013-03-07 21:31 576976 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2013-03-07 21:31 576976 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"HPADVISOR"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-08-05 1644088]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-15 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cistray.exe" [2013-04-15 3012816]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2013-04-04 532040]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
NETGEAR WNA1100 Genie.lnk - c:\program files\NETGEAR\WNA1100\WNA1100.exe [2013-1-20 8247264]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SophosVirusRemovalTool]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 02:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2012-02-01 23:59 446392 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS6ServiceManager]
2012-02-22 18:33 1073312 ----a-w- c:\program files\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-10-15 03:17 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
2007-04-18 15:01 65536 ----a-w- c:\hp\support\hpsysdrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
2006-12-08 15:16 65536 ----a-w- c:\hp\KBD\KbdStub.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2013-04-04 19:50 887432 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-05-22 18:49 13539872 ----a-w- c:\windows\System32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-05-22 18:49 92704 ----a-w- c:\windows\System32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
2008-05-22 18:49 526880 ----a-w- c:\windows\System32\nvsvc.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OsdMaestro]
2007-02-15 11:59 118784 ----a-w- c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 23:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-01-15 11:26 4874240 ------w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-07-03 15:04 252848 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
2010-02-19 18:37 517096 ----a-w- c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
2010-05-20 20:27 762736 ----a-w- c:\windows\vVX3000.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
S3 AE1000;Linksys AE1000 Driver;c:\windows\system32\DRIVERS\ae1000va.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 75161209
*NewlyCreated* - MPKSL6699EF87
*Deregistered* - 75161209
*Deregistered* - TrueSight
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ   BthServ
HPZ12 REG_MULTI_SZ   Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ   hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ   FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-04-10 09:02 1642448 ----a-w- c:\program files\Google\Chrome\Application\26.0.1410.64\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-26 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-13 08:46]
.
2013-04-26 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1218040005-2861035627-41675107-1004Core.job
- c:\users\Logan Devine\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-24 22:47]
.
2013-04-26 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1218040005-2861035627-41675107-1004UA.job
- c:\users\Logan Devine\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-24 22:47]
.
2013-04-26 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-15 14:19]
.
2013-04-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-19 21:50]
.
2013-04-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-19 21:50]
.
2013-04-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1218040005-2861035627-41675107-1000Core.job
- c:\users\Cindi\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-01 06:03]
.
2013-04-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1218040005-2861035627-41675107-1000UA.job
- c:\users\Cindi\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-01 06:03]
.
2013-04-26 c:\windows\Tasks\HP Photo Creations Communicator.job
- c:\programdata\HP Photo Creations\MessageCheck.exe [2011-11-16 10:11]
.
2013-03-27 c:\windows\Tasks\HPCeeScheduleForCindi.job
- c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2008-03-04 20:10]
.
2013-04-26 c:\windows\Tasks\User_Feed_Synchronization-{606EEAB4-569E-490C-8951-E2D0876A22BC}.job
- c:\windows\system32\msfeedssync.exe [2013-04-10 08:51]
.
2013-04-26 c:\windows\Tasks\User_Feed_Synchronization-{917598F2-FCA3-4F3E-8E70-6D1F045FE257}.job
- c:\windows\system32\msfeedssync.exe [2013-04-10 08:51]
.
2013-04-26 c:\windows\Tasks\User_Feed_Synchronization-{B5E265C7-CCB9-4ACD-92E5-1633F505749F}.job
- c:\windows\system32\msfeedssync.exe [2013-04-10 08:51]
.
2010-12-16 c:\windows\Tasks\User_Feed_Synchronization-{C1736926-337A-430E-B68C-A5EAAC1E6DBD}.job
- c:\windows\system32\msfeedssync.exe [2013-04-10 08:51]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{1547CE06-41DB-40AE-BD77-B88BA6CCEB35}: NameServer = 8.26.56.26,156.154.70.22
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-vProt - c:\program files\AVG Secure Search\vprot.exe
MSConfigStartUp-FBSSA - c:\program files\SGPSA\ie3sh.exe
MSConfigStartUp-vProt - c:\program files\AVG Secure Search\vprot.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-04-26 13:17
Windows 6.0.6002 Service Pack 2 NTFS
.
detected NTDLL code modification:
ZwClose
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCD5SRVC{BD6912E3-AC9D80E8-05040000}]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(752)
c:\windows\system32\guard32.dll
.
Completion time: 2013-04-26  13:21:54
ComboFix-quarantined-files.txt  2013-04-26 18:21
ComboFix2.txt  2013-04-22 13:36
.
Pre-Run: 305,066,655,744 bytes free
Post-Run: 305,082,675,200 bytes free
.
- - End Of File - - BCFF59923A3FA66180B0FDD2F0F818B7


#6 boopme
  • Global Moderator
  • 73,561 posts
  • Location:NJ USA

Posted 27 April 2013 - 07:11 PM

Hello, were you successful in running ComboFix and have that log? If so, post it here with your first post:

Virus, Trojan, Spyware, and Malware Removal Logs



#7 cindibueno
  • Topic Starter
  • Members
  • 19 posts

Posted 27 April 2013 - 07:16 PM

The post above is the combofix log

 


Edited by cindibueno, 27 April 2013 - 07:19 PM.


#8 boopme
  • Global Moderator
  • 73,561 posts
  • Location:NJ USA

Posted 27 April 2013 - 07:22 PM

Yes, the CF log needs to be posted here:

Virus, Trojan, Spyware, and Malware Removal Logs        <<<--- Click me

I need you to repost; if I move it, you will not get reply notifications.



#9 boopme
  • Global Moderator
  • 73,561 posts
  • Location:NJ USA

Posted 27 April 2013 - 07:50 PM

Perfect...

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRL Team member is already assisting you and not open the thread to respond.

The current wait time is 1 - 2 days and ALL logs are answered.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic.



