
Infected again, some programs won't open.


This topic is locked
7 replies to this topic

#1 karolinap (Members, 18 posts)

Posted 09 May 2013 - 10:44 AM

Mod edit: Merged 3 posts and moved to proper forum for DDS logs, Virus, Trojan, Spyware, and Malware Removal Logs ~~ boopme
A couple of .exe programs automatically downloaded onto my computer. I found the files and deleted them. At first I couldn't open any documents or files. Now I can, but Adobe Reader will not open and RogueKiller will not open. Everything else works. I ran Malwarebytes and anti-spyware and nothing was found. I also ran AdwCleaner and everything appears to be clean.

I tried to uninstall all my Adobe programs, but I am having issues removing Adobe ActiveX. It says I must close svchost and IE. IE isn't open. There are a few svchost.exe processes running in Task Manager.
 
 

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 1.6.0_22
Run by Caroline at 10:25:15 on 2013-05-09
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3326.2217 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ================
.
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
C:\Program Files\Sharp\Sharpdesk\FtpServer.exe
C:\Program Files\Sharp\Sharpdesk\IndexTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Laser App Enterprise\uformagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sharp\Sharpdesk\Indexer.exe
C:\Program Files\Sharp\Sharpdesk\nsapp.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Morningstar\Principia\put.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Caroline\My Documents\Downloads\RogueKiller.exe
C:\Documents and Settings\Caroline\My Documents\Downloads\RogueKiller.exe
C:\Documents and Settings\Caroline\My Documents\Downloads\RogueKiller.exe
C:\Documents and Settings\Caroline\My Documents\Downloads\RogueKiller.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://citrix.mutualfundstore.com/vpn/index.html
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {89867A4A-BDEE-4259-964A-B8E87C4892F3} - <orphaned>
BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile: {D5233FCD-D258-4903-89B8-FB1568E7413D} - 
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [LaserAppUpdate] "c:\program files\laser app enterprise\uformagent.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Lake] rundll32.exe "c:\documents and settings\caroline\local settings\application data\lake\udyoesvq.dll",RatingSetupUIW
uRun: [pEventServ] rundll32.exe "c:\documents and settings\caroline\application data\peventserv\pEventServ.dll",oleMobileppm ClipMapSvcs
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Act.Outlook.Service] "c:\program files\act\act for windows\Act.Outlook.Service.exe"
mRun: [Act! Preloader] "c:\program files\act\act for windows\ActSage.exe" -preload
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SharpTray.exe] "c:\program files\sharp\sharpdesk\SharpTray.exe"
mRun: [FtpServer.exe] "c:\program files\sharp\sharpdesk\FtpServer.exe" -usedefault
mRun: [IndexTray.exe] "c:\program files\sharp\sharpdesk\IndexTray.exe" /n
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\caroline\startm~1\programs\startup\everno~1.lnk - c:\program files\evernote\evernote\EvernoteClipper.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\princi~1.lnk - c:\program files\morningstar\principia\schedupd.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: Add to Evernote 4.0 - c:\program files\evernote\evernote\EvernoteIE.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - 
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\program files\evernote\evernote\EvernoteIE.dll/204
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: sp-server
Trusted Zone: tmfs-crm01
Trusted Zone: vcrm
Trusted Zone: vsp
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1365082303046
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8CFCF42C-1C64-47D6-AEEC-F9D001832ED3} - hxxp://xserv.dell.com/DellDriverScanner/DellSystem.CAB
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{C5F811C2-EC0A-4C25-98B5-AB49B32D9AA1} : DHCPNameServer = 192.168.0.1
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Handler: sds - {79E0F14C-9C52-4218-89A7-7C4B0563D121} - c:\program files\sharp\sharpdesk\ExplorerExtensions.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\26.0.1410.64\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\caroline\application data\mozilla\firefox\profiles\j320v88p.default-1366037848363\
FF - plugin: c:\documents and settings\caroline\local settings\application data\citrix\plugins\97\npappdetector.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.145\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_6_602_180.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 195296]
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2012-6-19 24064]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2011-4-25 65584]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-2-17 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2010-6-29 116608]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2010-12-10 29293408]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2010-8-24 168616]
S0 aypdbvwf;aypdbvwf;c:\windows\system32\drivers\utgrmc.sys --> c:\windows\system32\drivers\utgrmc.sys [?]
S0 cerc6;cerc6; [x]
S0 syobbip;syobbip;c:\windows\system32\drivers\mncrxfrk.sys --> c:\windows\system32\drivers\mncrxfrk.sys [?]
S2 ACT! Scheduler;ACT! Scheduler;c:\program files\act\act for windows\Act.Scheduler.exe [2010-1-20 81920]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2011-2-24 2944]
S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2011-2-24 61952]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [2011-2-24 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2011-2-24 10368]
.
=============== Created Last 30 ================
.
2013-05-09 15:24:46 -------- d-----w- C:\RK_Quarantine
2013-05-09 14:04:05 6906960 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0aa43299-0391-4352-91e4-a8dc3ea8c767}\mpengine.dll
2013-05-08 20:42:15 -------- d-----w- c:\program files\Caroline
2013-05-08 19:18:50 15616 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2013-05-08 18:53:55 -------- d-----w- c:\documents and settings\caroline\application data\Ifkodo
2013-05-08 08:13:15 6906960 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-04-23 17:46:19 522240 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2013-04-23 17:45:03 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2013-04-23 17:45:03 630272 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2013-04-23 17:45:03 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2013-04-23 17:45:03 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2013-04-23 17:45:03 2004992 -c----w- c:\windows\system32\dllcache\iertutil.dll
2013-04-23 17:45:03 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2013-04-23 17:45:03 11111424 -c----w- c:\windows\system32\dllcache\ieframe.dll
2013-04-23 16:38:25 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2013-04-23 16:36:54 12928 -c----w- c:\windows\system32\dllcache\usb8023x.sys
2013-04-23 16:35:32 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2013-04-23 16:32:30 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-04-23 16:32:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-04-23 16:28:56 2193408 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2013-04-23 16:28:56 2149888 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2013-04-23 16:28:55 2028544 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2013-04-23 16:28:54 2070016 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2013-04-23 15:53:59 79872 -c--a-w- c:\windows\system32\dllcache\iislog51.dll
2013-04-23 15:52:57 221184 ----a-w- c:\windows\system32\wmpns.dll
2013-04-23 15:35:27 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2013-04-23 15:35:27 24661 ----a-w- c:\windows\system32\spxcoins.dll
2013-04-23 15:35:27 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2013-04-23 15:35:27 13312 ----a-w- c:\windows\system32\irclass.dll
2013-04-23 15:35:18 16535 ----a-r- c:\windows\SET13A.tmp
2013-04-23 15:35:16 1088840 ----a-r- c:\windows\SET12E.tmp
2013-04-23 15:35:14 1296669 ----a-r- c:\windows\SET12B.tmp
2013-04-20 22:08:31 -------- d-----w- C:\Temp
2013-04-20 22:05:42 -------- d-sh--w- C:\$RECYCLE.BIN
2013-04-20 12:39:27 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2013-04-17 18:46:57 -------- d-----w- c:\documents and settings\caroline\application data\5245d20e-03f5-483f-8f84-d12abd430efead
2013-04-12 14:17:04 26520 ----a-w- c:\program files\mozilla firefox\plugin-hang-ui.exe
2013-04-12 14:15:59 920472 ----a-w- c:\program files\mozilla firefox\firefox.exe
2013-04-12 14:14:57 107512 ----a-r- c:\program files\mozilla firefox\data\disk2\setup.exe
2013-04-12 14:14:52 107512 ----a-r- c:\program files\mozilla firefox\data\disk1\setup.exe
2013-04-12 14:14:38 45056 ----a-r- c:\program files\mozilla firefox\data\disk1\brolink\Brolink0.exe
2013-04-12 14:14:37 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2013-04-12 14:14:36 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2013-04-12 14:14:36 116120 ----a-w- c:\program files\mozilla firefox\crashreporter.exe
2013-04-12 14:14:35 74136 ----a-w- c:\program files\mozilla firefox\breakpadinjector.dll
2013-04-12 14:14:35 263064 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2013-04-12 14:14:34 19352 ----a-w- c:\program files\mozilla firefox\AccessibleMarshal.dll
.
==================== Find3M  ====================
.
2013-05-09 15:08:44 848 --sha-w- c:\documents and settings\all users\application data\KGyGaAvL.sys
2013-05-02 15:28:50 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-04-17 19:10:47 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-04-17 19:10:47 691592 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-08 08:36:22 293376 ----a-w- c:\windows\system32\winsrv.dll
2013-03-07 01:32:25 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50:30 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-02 02:06:31 916480 ----a-w- c:\windows\system32\wininet.dll
2013-03-02 02:06:30 43520 ------w- c:\windows\system32\licmgr10.dll
2013-03-02 02:06:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-03-02 01:25:02 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-03-02 01:08:47 385024 ------w- c:\windows\system32\html.iec
2013-02-27 07:56:51 2067456 ----a-w- c:\windows\system32\mstscax.dll
2013-02-21 19:06:25 81920 ------w- c:\windows\system32\ieencode.dll
2013-02-12 00:32:23 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
.
============= FINISH: 10:27:16.79 ===============

Here's the AdwCleaner report:

# AdwCleaner v2.300 - Logfile created 05/09/2013 at 09:37:06
# Updated 28/04/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Caroline - THE-50667A04ED8
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Caroline\My Documents\adwcleaner.exe
# Option [Search]
 
 
***** [Services] *****
 
 
***** [Files / Folders] *****
 
Folder Found : C:\Documents and Settings\Caroline\Local Settings\Application Data\PackageAware
 
***** [Registry] *****
 
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536
 
***** [Internet Browsers] *****
 
-\\ Internet Explorer v8.0.6001.18702
 
[OK] Registry is clean.
 
-\\ Mozilla Firefox v20.0.1 (en-US)
 
File : C:\Documents and Settings\Caroline\Application Data\Mozilla\Firefox\Profiles\j320v88p.default-1366037848363\prefs.js
 
[OK] File is clean.
 
-\\ Google Chrome v26.0.1410.64
 
File : C:\Documents and Settings\Caroline\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences
 
[OK] File is clean.
 
*************************
 
AdwCleaner[R1].txt - [1408 octets] - [09/05/2013 09:37:06]
AdwCleaner[S1].txt - [361 octets] - [17/04/2013 14:44:30]
AdwCleaner[S2].txt - [396 octets] - [17/04/2013 14:46:49]
 
########## EOF - C:\AdwCleaner[R1].txt - [1586 octets] ##########
 
UPDATE
 
I ran TDSSKiller and a rootkit was found. I am now able to run RogueKiller and open Adobe. I ran RogueKiller and it found a few things. Here's the report:
 
RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/
 
Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Caroline [Admin rights]
Mode : Remove -- Date : 05/09/2013 11:51:27
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 3 ¤¤¤
[DLL] explorer.exe -- C:\WINDOWS\explorer.exe : C:\Documents and Settings\Caroline\Local Settings\Application Data\Lake\udyoesvq.dll [x] -> UNLOADED
[DLL] rundll32.exe -- C:\WINDOWS\system32\rundll32.exe : C:\Documents and Settings\Caroline\Local Settings\Application Data\Lake\udyoesvq.dll [x] -> KILLED [TermProc]
[DLL] rundll32.exe -- C:\WINDOWS\system32\rundll32.exe : C:\Documents and Settings\Caroline\Application Data\pEventServ\pEventServ.dll [x] -> KILLED [TermProc]
 
¤¤¤ Registry Entries : 5 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Lake (rundll32.exe "C:\Documents and Settings\Caroline\Local Settings\Application Data\Lake\udyoesvq.dll",RatingSetupUIW) [x] -> DELETED
[RUN][SUSP PATH] HKCU\[...]\Run : pEventServ (rundll32.exe "C:\Documents and Settings\Caroline\Application Data\pEventServ\pEventServ.dll",oleMobileppm ClipMapSvcs) [x] -> DELETED
[RUN][SUSP PATH] HKUS\S-1-5-20[...]\Run : Adobe CSx Manager (C:\Documents and Settings\NetworkService\Application Data\5245d20e-03f5-483f-8f84-d12abd430efead\defffdabdefead.exe) [-] -> DELETED
[TASK][SUSP PATH] Security Center Update - 1203677473.job : C:\Documents and Settings\Caroline\Application Data\Ifkodo\zazesu.exe  -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [LOADED] ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts
 
127.0.0.1       localhost
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: ST3320418AS +++++
--- User ---
[MBR] 03e557f2a2b7c9d833ebfaecf17092cf
[BSP] d70be290b98a79d156a2df3543938e3d : Windows XP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 94 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 192780 | Size: 305140 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[2]_D_05092013_02d1151.txt >>
RKreport[1]_S_05092013_02d1138.txt ; RKreport[2]_D_05092013_02d1151.txt


Edited by boopme, 09 May 2013 - 07:33 PM.
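The two HKCU Run values RogueKiller deleted (Lake and pEventServ) were already visible in the DDS log in this post, and the two S0 drivers with random names and unreadable image files are the kind of entry a reviewer checks next. The script below is an added example written for this page, not code from the thread, from DDS or from RogueKiller; it re-implements the "suspicious path" heuristic on those log lines: a Run value that has rundll32.exe load a DLL from a user profile directory, any Run value whose target lives under a profile directory, and a boot-start (R0/S0) driver line carrying the "[?]" marker, which this example reads as DDS being unable to read the image file. The sample lines are copied from the DDS log above; the function names, the PROFILE_DIRS list and the wording of each finding are this example's own assumptions, and a hit means "look at this", not "this is malware".

```python
"""Triage of DDS-style autorun and driver lines (added example, not from the thread).

Sample lines are copied from the DDS log posted above; PROFILE_DIRS, the regexes
and the wording of each finding are this example's own assumptions.
"""
import re

# Copied from the DDS log in the first post: a mix of benign and flagged lines.
SAMPLE = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Lake] rundll32.exe "c:\documents and settings\caroline\local settings\application data\lake\udyoesvq.dll",RatingSetupUIW
uRun: [pEventServ] rundll32.exe "c:\documents and settings\caroline\application data\peventserv\pEventServ.dll",oleMobileppm ClipMapSvcs
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 195296]
S0 aypdbvwf;aypdbvwf;c:\windows\system32\drivers\utgrmc.sys --> c:\windows\system32\drivers\utgrmc.sys [?]
S0 cerc6;cerc6; [x]
S0 syobbip;syobbip;c:\windows\system32\drivers\mncrxfrk.sys --> c:\windows\system32\drivers\mncrxfrk.sys [?]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2011-2-24 2944]
"""

# Profile-relative folders where legitimate Run entries almost never live but
# user-mode loaders almost always do (XP and Vista+ layouts).  This list is an
# assumption of the example; tune it for your environment.
PROFILE_DIRS = ("\\application data\\", "\\appdata\\")

RUN_RE = re.compile(r"^(?P<hive>[um])Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$")
DRV_RE = re.compile(r"^(?P<start>[RS][0-4])\s+(?P<svc>[^;]*);(?P<desc>[^;]*);(?P<rest>.*)$")
TOKEN_RE = re.compile(r'"([^"]+)"|(\S+)')            # quoted path, else bare token
MISSING_IMAGE_RE = re.compile(r"-->\s*(\S+)\s*\[\?\]")  # "[?]": DDS could not read the image


def is_profile_path(path):
    return any(marker in path.lower() for marker in PROFILE_DIRS)


def run_target(cmd):
    """Split a Run command line into (launcher, payload).

    For rundll32 the payload is the DLL it is told to load (the text before the
    ",EntryPoint"); for anything else the launcher is the payload.  Quoted and
    bare paths are both handled.
    """
    parts = [quoted or bare for quoted, bare in TOKEN_RE.findall(cmd)]
    launcher = parts[0].lower()
    if launcher.endswith("rundll32.exe") and len(parts) > 1:
        return launcher, parts[1].split(",")[0].lower()
    return launcher, launcher


def triage_run(line):
    """Flag a uRun/mRun line whose payload lives under a user profile directory."""
    m = RUN_RE.match(line)
    if not m:
        return None
    launcher, payload = run_target(m.group("cmd"))
    if not is_profile_path(payload):
        return None
    reason = ("rundll32 loading a DLL from a user profile directory"
              if launcher.endswith("rundll32.exe")
              else "Run entry executing from a user profile directory")
    return {"kind": "run", "name": m.group("name"), "path": payload, "reason": reason}


def triage_driver(line):
    """Flag a boot-start (R0/S0) driver whose registered image DDS could not read."""
    m = DRV_RE.match(line)
    if not m or m.group("start") not in ("R0", "S0"):
        return None          # only boot-start drivers, the layer rootkits favour
    hit = MISSING_IMAGE_RE.search(m.group("rest"))
    if not hit:
        return None          # readable image, or an orphaned entry with no path (cerc6 above)
    return {"kind": "driver", "name": m.group("svc"), "path": hit.group(1).lower(),
            "reason": "boot-start driver whose image file DDS could not read"}


def triage(lines):
    """Return the findings for a list of DDS log lines, in log order."""
    findings = []
    for line in lines:
        hit = triage_run(line) or triage_driver(line)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE.splitlines()):
        print(f"[{f['kind']}] {f['name']}: {f['reason']} -> {f['path']}")
```

Run against the sample it reports exactly the two Run values RogueKiller later deleted plus the two boot-start drivers with unreadable images, and stays quiet on ctfmon, the NVIDIA rundll32 entry, Adobe ARM and the orphaned cerc6 entry. Paths under "All Users\Application Data" will also trip the profile rule; that is deliberate, since a reviewer wants to see them, but it is a heuristic and not a verdict.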


#2 nasdaq (Malware Response Team, 39,963 posts, Montreal, QC. Canada)

Posted 12 May 2013 - 09:57 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32bit or RogueKiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then click on the "Scan" button.
  • Wait until the Status box shows "Scan Finished".
  • Click on "Delete".
  • Wait until the Status box shows "Deleting Finished".
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop.
  • Exit/Close RogueKiller.
===

Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on the Delete tab and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
===

  • Please download ComboFix from one of these locations:
    Link 1
    Link 2
    IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.
  • **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message asking whether to continue.
    Click on Yes, to continue scanning for malware.
    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program, all you need to do is restart the computer to reset the registry.
===

Third-party programs, if not up to date, can be the cause of infiltration by an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please paste the logs in your next reply, DO NOT ATTACH THEM.
Let me know what problem persists.


#3 karolinap (Topic Starter, Members, 18 posts)

Posted 14 May 2013 - 12:53 PM

My computer seems to be running great. I ran RogueKiller and AdwCleaner. I'm a little hesitant to download ComboFix. This is not my personal computer, it's a work computer. Are there any risks with running ComboFix?

 

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Caroline [Admin rights]
Mode : Scan -- Date : 05/13/2013 10:18:24
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [LOADED] ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts
 
127.0.0.1       localhost
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: ST3320418AS +++++
--- User ---
[MBR] 03e557f2a2b7c9d833ebfaecf17092cf
[BSP] d70be290b98a79d156a2df3543938e3d : Windows XP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 94 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 192780 | Size: 305140 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[2]_S_05132013_02d1018.txt >>
RKreport[1]_S_05102013_02d0833.txt ; RKreport[2]_S_05132013_02d1018.txt
 

 

# AdwCleaner v2.300 - Logfile created 05/13/2013 at 10:22:15
# Updated 28/04/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Caroline - THE-50667A04ED8
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Caroline\My Documents\adwcleaner.exe
# Option [Delete]
 
 
***** [Services] *****
 
 
***** [Files / Folders] *****
 
Folder Deleted : C:\Documents and Settings\Caroline\Local Settings\Application Data\PackageAware
 
***** [Registry] *****
 
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536
 
***** [Internet Browsers] *****
 
-\\ Internet Explorer v8.0.6001.18702
 
[OK] Registry is clean.
 
-\\ Mozilla Firefox v20.0.1 (en-US)
 
File : C:\Documents and Settings\Caroline\Application Data\Mozilla\Firefox\Profiles\j320v88p.default-1366037848363\prefs.js
 
[OK] File is clean.
 
-\\ Google Chrome v26.0.1410.64
 
File : C:\Documents and Settings\Caroline\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences
 
[OK] File is clean.
 
*************************
 
AdwCleaner[R3].txt - [1655 octets] - [13/05/2013 10:19:03]
AdwCleaner[R4].txt - [1774 octets] - [13/05/2013 10:20:21]
AdwCleaner[S1].txt - [361 octets] - [17/04/2013 14:44:30]
AdwCleaner[S2].txt - [396 octets] - [17/04/2013 14:46:49]
AdwCleaner[S3].txt - [351 octets] - [13/05/2013 10:19:26]
AdwCleaner[S4].txt - [1713 octets] - [13/05/2013 10:22:15]
 
########## EOF - C:\AdwCleaner[S4].txt - [1773 octets] ##########


#4 nasdaq (Malware Response Team, 39,963 posts, Montreal, QC. Canada)

Posted 15 May 2013 - 07:08 AM

There are always some risks; if the computer is running well, let it go.

Let's have a look at this.

Third party programs if not up to date can be an open door for an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

#5 karolinap (Topic Starter, Members, 18 posts)

Posted 15 May 2013 - 10:33 AM

Results of screen317's Security Check version 0.99.63  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Microsoft Security Essentials   
 Antivirus up to date! (On Access scanning disabled!) 
`````````Anti-malware/Other Utilities Check:````````` 
 SUPERAntiSpyware     
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Java™ 6 Update 22  
 Java version out of Date! 
 Adobe Reader XI  
 Mozilla Firefox (20.0.1) 
 Google Chrome 26.0.1410.43  
 Google Chrome 26.0.1410.64  
 Google Chrome plugins...  
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe 
 Microsoft Security Essentials msseces.exe 
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:: 15% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log`````````````````````` 


#6 karolinap (Topic Starter, Members, 18 posts)

Posted 15 May 2013 - 11:29 AM

I ran a complete scan this morning on SUPERAntiSpyware and a Trojan Gen.Alureon was detected. One thing I did notice is SUPERAntiSpyware is finding a lot of adware/tracking cookies, which I thought was weird since I use Google Incognito or private browsing. Today there is a lot more than usual. I ran the scan again and it found an additional 141 adware threats even though I already ran a scan this morning. That's unusually high, but maybe it's because I forgot to switch to Incognito today.

 



#7 nasdaq (Malware Response Team, 39,963 posts, Montreal, QC. Canada)

Posted 21 May 2013 - 10:00 AM

Sorry for this long delay. If you still need help let me know.

#8 nasdaq (Malware Response Team, 39,963 posts, Montreal, QC. Canada)

Posted 27 May 2013 - 08:08 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
