Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

SHEUR4


  • This topic is locked This topic is locked
8 replies to this topic

#1 Brewnmusicman

Brewnmusicman

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:18 AM

Posted 29 April 2013 - 01:22 PM

Seen prior post on sheur4, didn't go past Combofix with following log results.

 

ComboFix 13-04-28.01 - GLENCOE 04/29/2013   8:46.4.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1983.1026 [GMT -4:00]
Running from: c:\documents and settings\GLENCOE\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\GLENCOE\LOCALS~1\Temp\jna3167829749625435844.tmp
c:\documents and settings\GLENCOE\g2mdlhlpx.exe
c:\documents and settings\GLENCOE\Local Settings\temp\jna3167829749625435844.tmp
c:\documents and settings\GLENCOE\Recent\Thumbs.db
c:\windows\system32\Cache
c:\windows\system32\Cache\1902d2dd08f69afc.fb
c:\windows\system32\Cache\26c630d098e22dd5.fb
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\28dc7187164e2701.fb
c:\windows\system32\Cache\2a06cc4d2aaebefd.fb
c:\windows\system32\Cache\2c53092c95605355.fb
c:\windows\system32\Cache\31a0997e9a5b5eb3.fb
c:\windows\system32\Cache\32c84fe32bb74d60.fb
c:\windows\system32\Cache\3665b05b6095f51a.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\6235d017cfa9b71b.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\6d03dad1035885d3.fb
c:\windows\system32\Cache\94357315031525be.fb
c:\windows\system32\Cache\95f567698be8a182.fb
c:\windows\system32\Cache\a8556537add6dfc5.fb
c:\windows\system32\Cache\ac92830c56a25cb4.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\c0e0b2e9407ae2c7.fb
c:\windows\system32\Cache\c1fa887b03019701.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\e0de16f883bea794.fb
c:\windows\system32\Cache\f41e1aa7a39643a1.fb
c:\windows\system32\Cache\f998975c9cc711ee.fb
c:\windows\system32\drivers\etc\lmhosts
.
.
(((((((((((((((((((((((((   Files Created from 2013-03-28 to 2013-04-29  )))))))))))))))))))))))))))))))
.
.
2013-04-12 11:01 . 2013-04-12 11:01 1072544 ----a-w- c:\windows\system32\nvdrsdb0.bin
2013-04-12 11:01 . 2013-04-12 11:01 1 ----a-w- c:\windows\system32\nvdrssel.bin
2013-04-12 11:01 . 2013-04-12 11:01 1072544 ----a-w- c:\windows\system32\nvdrsdb1.bin
2013-04-12 11:00 . 2013-04-12 11:00 -------- d-----w- c:\program files\NVIDIA Corporation
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-11 07:18 . 2011-07-11 06:14 302368 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2013-03-13 12:46 . 2012-03-30 13:14 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-13 12:46 . 2011-06-17 12:07 73432 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-08 08:36 . 2007-07-27 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2013-03-07 01:32 . 2007-07-27 12:00 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50 . 2004-08-03 22:59 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-02 02:06 . 2007-07-27 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2013-03-02 02:06 . 2007-07-27 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-03-02 02:06 . 2007-07-27 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-03-02 01:25 . 2007-07-27 12:00 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-03-02 01:08 . 2007-07-27 12:00 385024 ----a-w- c:\windows\system32\html.iec
2013-02-27 07:56 . 2008-04-01 08:50 2067456 ----a-w- c:\windows\system32\mstscax.dll
2013-02-19 00:30 . 2012-07-11 13:24 33112 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-02-12 00:32 . 2008-09-04 07:46 12928 ------w- c:\windows\system32\drivers\usb8023x.sys
2013-02-12 00:32 . 2007-07-27 12:00 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-02-08 09:03 . 2013-02-08 09:03 1010464 ----a-w- c:\windows\system32\nvdispco32.dll
2013-02-08 09:03 . 2006-10-31 06:35 19189760 ----a-w- c:\windows\system32\nvoglnt.dll
2013-02-08 09:03 . 2006-10-31 06:35 4494336 ----a-w- c:\windows\system32\nv4_disp.dll
2013-02-08 09:02 . 2013-02-08 09:02 7536640 ----a-w- c:\windows\system32\nvcuda.dll
2013-02-08 09:02 . 2013-02-08 09:02 2581792 ----a-w- c:\windows\system32\nvcuvid.dll
2013-02-08 09:02 . 2013-02-08 09:02 892704 ----a-w- c:\windows\system32\nvdispgenco32.dll
2013-02-08 09:02 . 2013-02-08 09:02 17551360 ----a-w- c:\windows\system32\nvcompiler.dll
2013-02-08 09:02 . 2006-10-31 06:35 2389504 ----a-w- c:\windows\system32\nvapi.dll
2013-02-08 09:02 . 2006-10-31 06:35 12648960 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2013-02-08 09:02 . 2013-02-08 09:02 5967872 ----a-w- c:\windows\system32\nvopencl.dll
2013-02-08 09:02 . 2013-02-08 09:02 1869088 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-11-28 16:43 . 2011-11-01 15:58 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2013-02-19 00:30 1929392 ----a-w- c:\program files\AVG Secure Search\14.2.0.1\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\14.2.0.1\AVG Secure Search_toolbar.dll" [2013-02-19 1929392]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\documents and settings\GLENCOE\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\documents and settings\GLENCOE\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\documents and settings\GLENCOE\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\documents and settings\GLENCOE\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-11-19 2598520]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2013-02-19 1151152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=OUFWRlJFRS1WMEtNQy1FOVZVVy1FVzBWQS1VVTNYTC1GRVc5Ny1PVTZF&inst=NzctNzc0MjIwNDY5LUZMMTArMS1YTzEwKzExLUxJQys4LUREVCsxMTA3Ny1ERDEwRisxLVNUMTBGQVBQKzEtRjEwTTEyRE4rMS1UQk4rMS1VMTArMS1TVDEyRk9JKzEtRjEwVUQrMi1FVUxBKzEtU1QxMkZBUFArMS1TVEYxME0xMkRNKzE&prod=90&ver=2012.0.1834&mid=5cce111eb21f47d19c3ed154d45f19d7-3dc6c30b53df29480c3bfbbb93694492cc6c0cd4" [?]
.
c:\documents and settings\GLENCOE\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\GLENCOE\Application Data\Dropbox\bin\Dropbox.exe [2013-3-12 29106336]
iCPM.lnk - c:\windows\system32\javaw.exe [2012-2-7 174056]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Car-Part.com Trading Partner Software.lnk - c:\car-part\CPKeySrv.exe [2012-6-5 456704]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ    autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKLM\~\startupfolder\C:^Documents and Settings^GLENCOE^Start Menu^Programs^Startup^iCPM.lnk]
path=c:\documents and settings\GLENCOE\Start Menu\Programs\Startup\iCPM.lnk
backup=c:\windows\pss\iCPM.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-12-03 07:35 946352 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-09-01 06:15 136176 ----a-w- c:\documents and settings\GLENCOE\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2009-02-26 23:36 30040 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-05-09 13:46 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"RichVideo"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NBService"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"BelkinAPMRMI"=3 (0x3)
"BelkinAPMmonitor"=2 (0x2)
"BelkinAPMmanager"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Documents and Settings\\GLENCOE\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [4/19/2012 4:50 AM 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/13/2011 7:30 AM 31952]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [10/7/2011 7:23 AM 250080]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 2:14 AM 302368]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [7/11/2012 9:24 AM 33112]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\avgidsagent.exe [11/2/2012 4:51 AM 5174392]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [2/14/2012 4:53 AM 193288]
R2 vToolbarUpdater14.2.0;vToolbarUpdater14.2.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe [2/18/2013 8:30 PM 968880]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [12/23/2011 1:32 PM 142176]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [12/23/2011 1:32 PM 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [12/23/2011 1:32 PM 17232]
S3 OXSDIDRV_x32;Oxford Semi eSATA Filter (x32);c:\windows\system32\drivers\OXSDIDRV_x32.sys [9/28/2009 9:55 AM 52656]
S3 OXUDIDRV;OXUDIDRV;c:\windows\system32\drivers\OXUDIDRV_x32.sys [5/14/2011 4:15 PM 24880]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
S4 BelkinAPMmanager;BelkinAPMmanager;c:\progra~1\BELKIN~1\BE8806~1.EXE -zglaxservice BelkinAPMmanager --> c:\progra~1\BELKIN~1\BE8806~1.EXE -zglaxservice BelkinAPMmanager [?]
S4 BelkinAPMmonitor;BelkinAPMmonitor;c:\progra~1\BELKIN~1\BELKIN~4.EXE -zglaxservice BelkinAPMmonitor --> c:\progra~1\BELKIN~1\BELKIN~4.EXE -zglaxservice BelkinAPMmonitor [?]
S4 BelkinAPMRMI;BelkinAPMRMI;c:\progra~1\BELKIN~1\BELKIN~3.EXE -zglaxservice BelkinAPMRMI --> c:\progra~1\BELKIN~1\BELKIN~3.EXE -zglaxservice BelkinAPMRMI [?]
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-29 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 12:46]
.
2013-04-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2013-04-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1292428093-152049171-725345543-1003Core.job
- c:\documents and settings\GLENCOE\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-01 06:15]
.
2013-04-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1292428093-152049171-725345543-1003UA.job
- c:\documents and settings\GLENCOE\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-01 06:15]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 208.67.222.222 192.168.2.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\14.2.0\ViProtocol.dll
DPF: {7206EAAC-5CFA-43A3-9F61-E27E8E51E42F} - hxxp://adus1.liveblockauctions.com/container_repository/laiexec.cab
FF - ProfilePath - c:\documents and settings\GLENCOE\Application Data\Mozilla\Firefox\Profiles\vtyhyt93.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - hxxps://isearch.avg.com/search?cid={FB207CA5-5723-4CFC-B7F1-F7074FA81603}&mid=5cce111eb21f47d19c3ed154d45f19d7-06ce4fc639803a2e3563922518183d8e94088cb9&lang=en&ds=AVG&pr=fr&d=2012-06-06 08:32&v=12.1.0.13&sap=ku&q=
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-04-29 08:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3372)
c:\windows\system32\WININET.dll
c:\documents and settings\GLENCOE\Application Data\Dropbox\bin\DropboxExt.17.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\msi.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG2012\avgrsx.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\AVG\AVG2012\avgnsx.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2013-04-29  09:01:34 - machine was rebooted
ComboFix-quarantined-files.txt  2013-04-29 13:01
ComboFix2.txt  2012-01-17 20:29
ComboFix3.txt  2011-05-11 18:44
.
Pre-Run: 351,268,352,000 bytes free
Post-Run: 351,998,722,048 bytes free
.
- - End Of File - - 806166550BEB245ACD44AA43C8F60E4D



BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,159 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:18 AM

Posted 03 May 2013 - 09:40 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete tab follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
===

Please download ComboFix from one of these locations:
Link 1
Link 2
IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some Rookit infection may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
whatnext.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third party programs if not up to date can be the cause of infiltration an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please paste the logs in your next reply, DO NOT ATTACH THEM
Let me know what problem persists.

#3 Brewnmusicman

Brewnmusicman
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:18 AM

Posted 03 May 2013 - 01:56 PM

# AdwCleaner v2.300 - Logfile created 05/03/2013 at 14:50:16
# Updated 28/04/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : GLENCOE - DARIN
# Boot Mode : Normal
# Running from : C:\Documents and Settings\GLENCOE\Desktop\adwcleaner.exe
# Option [Delete]

***** [Services] *****

Stopped & Deleted : vToolbarUpdater14.2.0

***** [Files / Folders] *****

Deleted on reboot : C:\Documents and Settings\GLENCOE\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla
File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml
Folder Deleted : C:\Documents and Settings\All Users\Application Data\AVG Secure Search
Folder Deleted : C:\Documents and Settings\GLENCOE\Application Data\AVG Secure Search
Folder Deleted : C:\Documents and Settings\GLENCOE\Application Data\Mozilla\Firefox\Profiles\vtyhyt93.default\extensions\avg@toolbar
Folder Deleted : C:\Documents and Settings\GLENCOE\Application Data\Mozilla\Firefox\Profiles\vtyhyt93.default\extensions\staged
Folder Deleted : C:\Documents and Settings\GLENCOE\Local Settings\Application Data\AVG Secure Search
Folder Deleted : C:\Program Files\AVG Secure Search
Folder Deleted : C:\Program Files\Common Files\AVG Secure Search

***** [Registry] *****

Key Deleted : HKCU\Software\alot
Key Deleted : HKCU\Software\AVG Secure Search
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
Key Deleted : HKLM\Software\AVG Secure Search
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI.1
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj.1
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\viprotocol
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Key Deleted : HKLM\Software\Description
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG Secure Search
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls - Tabs] = hxxp://isearch.avg.com/tab?cid={FB207CA5-5723-4CFC-B7F1-F7074FA81603}&mid=5cce111eb21f47d19c3ed154d45f19d7-06ce4fc639803a2e3563922518183d8e94088cb9&lang=en&ds=AVG&pr=fr&d=2012-06-06 08:32:28&pid=avg&sg=&v=14.2.0.1&sap=nt --> hxxp://www.google.com

-\\ Mozilla Firefox v8.0.1 (en-US)

File : C:\Documents and Settings\GLENCOE\Application Data\Mozilla\Firefox\Profiles\vtyhyt93.default\prefs.js

Deleted : user_pref("browser.search.defaultenginename", "AVG Secure Search");
Deleted : user_pref("keyword.URL", "hxxps://isearch.avg.com/search?cid={FB207CA5-5723-4CFC-B7F1-F7074FA81603}&[...]

-\\ Google Chrome v26.0.1410.64

File : C:\Documents and Settings\GLENCOE\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

Deleted [l.36] : icon_url = "hxxp://isearch.avg.com/favicon.ico",
Deleted [l.39] : keyword = "isearch.avg.com",
Deleted [l.43] : search_url = "hxxp://isearch.avg.com/search?cid={FB207CA5-5723-4CFC-B7F1-F7074FA81603}&mid=5c[...]

*************************

AdwCleaner[S1].txt - [6543 octets] - [03/05/2013 14:50:16]

########## EOF - C:\AdwCleaner[S1].txt - [6603 octets] ##########

 



#4 Brewnmusicman

Brewnmusicman
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:18 AM

Posted 03 May 2013 - 02:22 PM

ComboFix 13-05-01.03 - GLENCOE 05/03/2013  15:05:32.5.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1983.1237 [GMT -4:00]
Running from: c:\documents and settings\GLENCOE\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\GLENCOE\LOCALS~1\Temp\jna4754222392336262490.tmp
c:\documents and settings\GLENCOE\Local Settings\temp\jna4754222392336262490.tmp
.
.
(((((((((((((((((((((((((   Files Created from 2013-04-03 to 2013-05-03  )))))))))))))))))))))))))))))))
.
.
2013-04-12 11:01 . 2013-04-12 11:01 1072544 ----a-w- c:\windows\system32\nvdrsdb0.bin
2013-04-12 11:01 . 2013-04-12 11:01 1 ----a-w- c:\windows\system32\nvdrssel.bin
2013-04-12 11:01 . 2013-04-12 11:01 1072544 ----a-w- c:\windows\system32\nvdrsdb1.bin
2013-04-12 11:00 . 2013-04-12 11:00 -------- d-----w- c:\program files\NVIDIA Corporation
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-11 07:18 . 2011-07-11 06:14 302368 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2013-03-13 12:46 . 2012-03-30 13:14 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-13 12:46 . 2011-06-17 12:07 73432 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-08 08:36 . 2007-07-27 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2013-03-07 01:32 . 2007-07-27 12:00 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50 . 2004-08-03 22:59 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-02 02:06 . 2007-07-27 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2013-03-02 02:06 . 2007-07-27 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-03-02 02:06 . 2007-07-27 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-03-02 01:25 . 2007-07-27 12:00 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-03-02 01:08 . 2007-07-27 12:00 385024 ----a-w- c:\windows\system32\html.iec
2013-02-27 07:56 . 2008-04-01 08:50 2067456 ----a-w- c:\windows\system32\mstscax.dll
2013-02-19 00:30 . 2012-07-11 13:24 33112 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-02-12 00:32 . 2008-09-04 07:46 12928 ------w- c:\windows\system32\drivers\usb8023x.sys
2013-02-12 00:32 . 2007-07-27 12:00 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-02-08 09:03 . 2013-02-08 09:03 1010464 ----a-w- c:\windows\system32\nvdispco32.dll
2013-02-08 09:03 . 2006-10-31 06:35 19189760 ----a-w- c:\windows\system32\nvoglnt.dll
2013-02-08 09:03 . 2006-10-31 06:35 4494336 ----a-w- c:\windows\system32\nv4_disp.dll
2013-02-08 09:02 . 2013-02-08 09:02 7536640 ----a-w- c:\windows\system32\nvcuda.dll
2013-02-08 09:02 . 2013-02-08 09:02 2581792 ----a-w- c:\windows\system32\nvcuvid.dll
2013-02-08 09:02 . 2013-02-08 09:02 892704 ----a-w- c:\windows\system32\nvdispgenco32.dll
2013-02-08 09:02 . 2013-02-08 09:02 17551360 ----a-w- c:\windows\system32\nvcompiler.dll
2013-02-08 09:02 . 2006-10-31 06:35 2389504 ----a-w- c:\windows\system32\nvapi.dll
2013-02-08 09:02 . 2006-10-31 06:35 12648960 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2013-02-08 09:02 . 2013-02-08 09:02 5967872 ----a-w- c:\windows\system32\nvopencl.dll
2013-02-08 09:02 . 2013-02-08 09:02 1869088 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-11-28 16:43 . 2011-11-01 15:58 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\documents and settings\GLENCOE\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\documents and settings\GLENCOE\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\documents and settings\GLENCOE\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\documents and settings\GLENCOE\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-11-19 2598520]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=OUFWRlJFRS1WMEtNQy1FOVZVVy1FVzBWQS1VVTNYTC1GRVc5Ny1PVTZF&inst=NzctNzc0MjIwNDY5LUZMMTArMS1YTzEwKzExLUxJQys4LUREVCsxMTA3Ny1ERDEwRisxLVNUMTBGQVBQKzEtRjEwTTEyRE4rMS1UQk4rMS1VMTArMS1TVDEyRk9JKzEtRjEwVUQrMi1FVUxBKzEtU1QxMkZBUFArMS1TVEYxME0xMkRNKzE&prod=90&ver=2012.0.1834&mid=5cce111eb21f47d19c3ed154d45f19d7-3dc6c30b53df29480c3bfbbb93694492cc6c0cd4" [?]
.
c:\documents and settings\GLENCOE\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\GLENCOE\Application Data\Dropbox\bin\Dropbox.exe [2013-3-12 29106336]
iCPM.lnk - c:\windows\system32\javaw.exe [2012-2-7 174056]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Car-Part.com Trading Partner Software.lnk - c:\car-part\CPKeySrv.exe [2012-6-5 456704]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ    autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKLM\~\startupfolder\C:^Documents and Settings^GLENCOE^Start Menu^Programs^Startup^iCPM.lnk]
path=c:\documents and settings\GLENCOE\Start Menu\Programs\Startup\iCPM.lnk
backup=c:\windows\pss\iCPM.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-12-03 07:35 946352 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-09-01 06:15 136176 ----a-w- c:\documents and settings\GLENCOE\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2009-02-26 23:36 30040 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-05-09 13:46 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"RichVideo"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NBService"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"BelkinAPMRMI"=3 (0x3)
"BelkinAPMmonitor"=2 (0x2)
"BelkinAPMmanager"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Documents and Settings\\GLENCOE\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [4/19/2012 4:50 AM 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/13/2011 7:30 AM 31952]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [10/7/2011 7:23 AM 250080]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 2:14 AM 302368]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [7/11/2012 9:24 AM 33112]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\avgidsagent.exe [11/2/2012 4:51 AM 5174392]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [2/14/2012 4:53 AM 193288]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [12/23/2011 1:32 PM 142176]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [12/23/2011 1:32 PM 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [12/23/2011 1:32 PM 17232]
S3 OXSDIDRV_x32;Oxford Semi eSATA Filter (x32);c:\windows\system32\drivers\OXSDIDRV_x32.sys [9/28/2009 9:55 AM 52656]
S3 OXUDIDRV;OXUDIDRV;c:\windows\system32\drivers\OXUDIDRV_x32.sys [5/14/2011 4:15 PM 24880]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
S4 BelkinAPMmanager;BelkinAPMmanager;c:\progra~1\BELKIN~1\BE8806~1.EXE -zglaxservice BelkinAPMmanager --> c:\progra~1\BELKIN~1\BE8806~1.EXE -zglaxservice BelkinAPMmanager [?]
S4 BelkinAPMmonitor;BelkinAPMmonitor;c:\progra~1\BELKIN~1\BELKIN~4.EXE -zglaxservice BelkinAPMmonitor --> c:\progra~1\BELKIN~1\BELKIN~4.EXE -zglaxservice BelkinAPMmonitor [?]
S4 BelkinAPMRMI;BelkinAPMRMI;c:\progra~1\BELKIN~1\BELKIN~3.EXE -zglaxservice BelkinAPMRMI --> c:\progra~1\BELKIN~1\BELKIN~3.EXE -zglaxservice BelkinAPMRMI [?]
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-03 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 12:46]
.
2013-05-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2013-05-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1292428093-152049171-725345543-1003Core.job
- c:\documents and settings\GLENCOE\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-01 06:15]
.
2013-05-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1292428093-152049171-725345543-1003UA.job
- c:\documents and settings\GLENCOE\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-01 06:15]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 208.67.222.222 192.168.2.1
DPF: {7206EAAC-5CFA-43A3-9F61-E27E8E51E42F} - hxxp://adus1.liveblockauctions.com/container_repository/laiexec.cab
FF - ProfilePath - c:\documents and settings\GLENCOE\Application Data\Mozilla\Firefox\Profiles\vtyhyt93.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-05-03 15:14
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2760)
c:\windows\system32\WININET.dll
c:\documents and settings\GLENCOE\Application Data\Dropbox\bin\DropboxExt.17.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG2012\avgrsx.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\AVG\AVG2012\avgnsx.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2013-05-03  15:21:10 - machine was rebooted
ComboFix-quarantined-files.txt  2013-05-03 19:21
ComboFix2.txt  2013-04-29 13:01
ComboFix3.txt  2012-01-17 20:29
ComboFix4.txt  2011-05-11 18:44
.
Pre-Run: 352,044,417,024 bytes free
Post-Run: 352,050,171,904 bytes free
.
- - End Of File - - 24E51E25B6B7CEEFCC8B6D3465D209B1
 



#5 Brewnmusicman

Brewnmusicman
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:18 AM

Posted 03 May 2013 - 02:24 PM

 Results of screen317's Security Check version 0.99.63 
Windows XP Service Pack 3 x86  
Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Disabled! 
AVG Anti-Virus Free Edition 2012  
Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
Spybot - Search & Destroy
Malwarebytes Anti-Malware version 1.60.0.1800 
CCleaner    
Java™ 6 Update 30 
Java 7 Update 7 
Java version out of Date!
Adobe Flash Player  11.6.602.180 
Adobe Reader 10.1.5 Adobe Reader out of Date! 
Mozilla Firefox (8.0.1)
````````Process Check: objlist.exe by Laurent```````` 
AVG avgwdsvc.exe
AVG avgtray.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 3%
````````````````````End of Log``````````````````````
 



#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,159 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:18 AM

Posted 04 May 2013 - 07:01 AM

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present remove the old version(s) of Java using the Add/Remove Programs applet.

Old versions....

Note
Java security update installs Ask Toolbar by default -- a single click in a multi-step installer.
http://www.benedelman.org/images/iac-jan13/ask-iac-011613-small.png
I suggest that your un-check the box "Install the Ask Toolbar" before proceeding.
===

Critical vulnerabilities have been identified in old version of Adobe Flash Player please get the latest version.

Summary: Adobe has released security updates for Adobe Flash Player 11.6.602.180 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.275 and earlier versions for Linux, Adobe Flash Player 11.1.115.48 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.44 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Get the latest Flash Player

On the top of the page you will be given an opportunity to download the version for your operating system.
Make sure you select appropriate version.

You will also have an option to install the Free! McAfee Security Scan Plus Un-check the box if you are NOT using McAfee's virus protection software.

For the users of Internet Explorer download version 11.
Flash Player 11 (64 bit)
Flash Player 11 (32 bit)
===


Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before your download I suggest you unckeck the box on the top right "Yes, install McAfee Security Scan Plus - optional" this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.

Please let me know if the problem persists.

#7 Brewnmusicman

Brewnmusicman
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:18 AM

Posted 06 May 2013 - 12:28 PM

Thank you so much for your assistance nasdaq.



#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,159 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:18 AM

Posted 06 May 2013 - 12:46 PM

Glad we could help.

If all is well:

Time for some housekeeping
  • The following will implement some cleanup procedures as well as reset System Restore points:
  • Click Start > Run and copy/paste the following bold text into the Run box and click OK:
  • ComboFix /Uninstall
===

To remove AdwCleaner.

Please double click on AdwCleaner.exe to run the tool.
Click on Uninstall.
Confirm with Yes.

If you decide to keep the AdwCleaner tool make sure to delete your version and download the latest before running it.

Delete the other tools we used.
You can Keep the DDS tool as most forum will ask to see a log before suggesting a fix.

Surf Safely, and Think Prevention!
===

#9 nasdaq

nasdaq

  • Malware Response Team
  • 40,159 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:18 AM

Posted 06 May 2013 - 12:46 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users