PC acting up


9 replies to this topic

#1 sadj2885

sadj2885

  • Members
  • 58 posts

Posted 14 May 2013 - 02:40 PM

Malwarebytes doesn't run; when I try to update it, it says "Definitions missing or corrupted". Ran SUPERAntiSpyware, CCleaner and ComboFix; none have found anything other than tracking cookies.
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Administrator at 15:34:40 on 2013-05-14
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3575.3114 [GMT -4:00]
.
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\system32\ccmsetup\ccmsetup.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\TriActive\MicroAgent\bin\ma.exe
C:\Program Files\PRTG Network Monitor\PRTG Probe.exe
C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdController.exe
C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdServer.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bergenregional.com
uInternet Connection Wizard,ShellNext = hxxp://www.bergenregional.com/
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: UseDefaultTile = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: akamai.net
Trusted Zone: bergenregional.com
Trusted Zone: berkscredit.com
Trusted Zone: caretrackeronline.com
Trusted Zone: collaborationcompass.com
Trusted Zone: crothall.com
Trusted Zone: docline.gov
Trusted Zone: epocrates.com
Trusted Zone: ghginteractive.com
Trusted Zone: gotoassist.com
Trusted Zone: hdsmith.com
Trusted Zone: intersourcing.com
Trusted Zone: keaneapp
Trusted Zone: knstest
Trusted Zone: Mckesson.com
Trusted Zone: medmanagement.com
Trusted Zone: medmanagement.com
Trusted Zone: microsoft.com
Trusted Zone: morrisontoday.com
Trusted Zone: newsolutionsinc.com
Trusted Zone: njmmis.com
Trusted Zone: partestweb
Trusted Zone: parweb
Trusted Zone: rhapsody
Trusted Zone: ultipro.com
Trusted Zone: we-care-4-clients.com
Trusted Zone: windowsupdate.com
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
Trusted Zone: akamai.net
Trusted Zone: bergenregional.com
Trusted Zone: berkscredit.com
Trusted Zone: caretrackeronline.com
Trusted Zone: collaborationcompass.com
Trusted Zone: crothall.com
Trusted Zone: docline.gov
Trusted Zone: epocrates.com
Trusted Zone: ghginteractive.com
Trusted Zone: gotoassist.com
Trusted Zone: hdsmith.com
Trusted Zone: intersourcing.com
Trusted Zone: keaneapp
Trusted Zone: knstest
Trusted Zone: Mckesson.com
Trusted Zone: medmanagement.com
Trusted Zone: medmanagement.com
Trusted Zone: microsoft.com
Trusted Zone: morrisontoday.com
Trusted Zone: newsolutionsinc.com
Trusted Zone: njmmis.com
Trusted Zone: partestweb
Trusted Zone: parweb
Trusted Zone: rhapsody
Trusted Zone: ultipro.com
Trusted Zone: we-care-4-clients.com
Trusted Zone: windowsupdate.com
Trusted Zone: XLTek.com
DPF: {032C5CBC-2272-438F-AC73-38EA92AF19BD} - hxxp://69.233.234.229:9090/mpeg4/WebViewer.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {933C7E9B-A02B-41AC-A3BF-1C46926CBDAC} - hxxp://10.99.13.23/hrs/download/Setup.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://akamaicdn.webex.com/client/WBXclient-T27L10NSP28EP2-12243/webex/ieatgpc.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
TCP: NameServer = 10.99.13.200 10.99.13.202
TCP: Interfaces\{6F3C7144-6126-4922-8B99-57103B8F4309} : DHCPNameServer = 10.99.13.200 10.99.13.202
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2013-5-7 119024]
R2 ccmsetup;ccmsetup;c:\windows\system32\ccmsetup\ccmsetup.exe [2011-5-5 271224]
R2 MA;TriActive MicroAgent;c:\program files\triactive\microagent\bin\ma.exe [2012-5-23 1576960]
R2 PRTGProbeService;PRTG Probe Service;c:\program files\prtg network monitor\PRTG Probe.exe [2012-5-3 3839248]
R2 RosettaStoneLtdController;RosettaStoneLtdController;c:\program files\rosettastoneltdservices\RosettaStoneLtdController.exe [2008-9-16 352312]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-5-13 40776]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 PRTGCoreService;PRTG Core Server Service;c:\program files\prtg network monitor\PRTG Server.exe [2012-5-3 4357904]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 WPRO_41_2001;WinPcap Packet Driver (WPRO_41_2001);c:\windows\system32\drivers\wpro_41_2001.sys --> c:\windows\system32\drivers\WPRO_41_2001.sys [?]
S4 ParagonUpdateService;ParagonUpdateService;c:\windows\system32\ParagonUpdateService.exe [2013-2-15 8704]
.
=============== Created Last 30 ================
.
2013-05-14 19:34:33    172032    ----a-w-    c:\windows\system32\igfxres.dll
2013-05-14 18:05:26    98816    ----a-w-    c:\windows\sed.exe
2013-05-14 18:05:26    256000    ----a-w-    c:\windows\PEV.exe
2013-05-14 18:05:26    208896    ----a-w-    c:\windows\MBR.exe
2013-05-14 16:24:57    92416    -c--a-w-    c:\windows\system32\dllcache\mga.sys
2013-05-14 16:23:55    19456    -c--a-w-    c:\windows\system32\dllcache\agt0804.dll
2013-05-14 16:06:46    --------    d-----w-    c:\windows\Installer
2013-05-14 16:06:23    24661    -c--a-w-    c:\windows\system32\dllcache\spxcoins.dll
2013-05-14 16:06:23    24661    ----a-w-    c:\windows\system32\spxcoins.dll
2013-05-14 16:06:23    13312    -c--a-w-    c:\windows\system32\dllcache\irclass.dll
2013-05-14 16:06:23    13312    ----a-w-    c:\windows\system32\irclass.dll
2013-05-14 16:06:06    16535    ----a-r-    c:\windows\SET101.tmp
2013-05-14 16:06:04    1088840    ----a-r-    c:\windows\SETF5.tmp
2013-05-14 16:06:02    1296669    ----a-r-    c:\windows\SETF2.tmp
2013-05-14 15:08:20    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-05-14 14:34:27    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-05-13 16:31:42    --------    d---a-w-    C:\REQ
2013-05-13 16:18:03    --------    d--h--w-    c:\windows\PIF
2013-05-13 16:12:11    --------    d-----w-    C:\New Folder (3)
2013-05-13 15:52:58    --------    d-----w-    c:\program files\Clear Read-Only
2013-05-13 15:41:09    40776    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2013-05-13 15:41:08    --------    d-----w-    c:\documents and settings\administrator\application data\Malwarebytes
2013-05-13 15:40:57    --------    d-----w-    c:\documents and settings\all users\application data\Malwarebytes
2013-05-13 15:40:30    --------    d-----w-    C:\New Folder (2)
2013-05-13 12:35:34    --------    d-----w-    c:\documents and settings\administrator\application data\SUPERAntiSpyware.com
2013-05-13 12:35:11    --------    d-----w-    c:\program files\SUPERAntiSpyware
2013-05-13 12:35:10    --------    d-----w-    c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2013-05-10 22:03:32    --------    d-----w-    c:\windows\ccmsetup
2013-05-01 20:17:51    119600    ----a-w-    c:\windows\system32\Windows-KB841290-x86-ENU.exe
2013-04-22 18:18:06    --------    d-----w-    c:\program files\Paragon1120
.
==================== Find3M  ====================
.
2013-03-13 01:36:42    73432    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-13 01:36:42    693976    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-02-28 17:36:19    8704    ----a-w-    c:\windows\system32\ParagonUpdateService.exe
2013-02-15 16:27:10    5270256    ----a-w-    c:\windows\uninst.exe
.
============= FINISH: 15:34:47.06 ===============

#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,747 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 16 May 2013 - 09:01 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32bit or RogueKiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then click on the "Scan" button.
  • Wait until the Status box shows "Scan Finished".
  • Click on "Delete".
  • Wait until the Status box shows "Deleting Finished".
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop.
  • Exit/Close RogueKiller.
===

    Third-party programs, if not up to date, can be the cause of an infection.

    Please run this security check for my review.

    Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

    Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

    Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on the Delete tab and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).

  • Please paste the logs in your next reply, DO NOT ATTACH THEM.

    Let me know what problem persists.


#3 sadj2885

sadj2885
  • Topic Starter

  • Members
  • 58 posts

Posted 16 May 2013 - 09:41 AM

Hi nasdaq,

 

Thanks for assisting me. I have noticed since my first post that all files and folders have been set to read only and I cannot remove the attribute. This would explain some of the issues that the computer has been having. RogueKiller found a few files that it removed or replaced, but this has not fixed the issue. Logs have been pasted below.
RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Administrator [Admin rights]
Mode : Scan -- Date : 05/16/2013 10:13:32
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[Services][Rans.Gendarm] HKLM\[...]\ControlSet001\Services\ParagonUpdateService ("C:\WINDOWS\system32\ParagonUpdateService.exe") [-] -> FOUND
[Services][Rans.Gendarm] HKLM\[...]\ControlSet002\Services\ParagonUpdateService ("C:\WINDOWS\system32\ParagonUpdateService.exe") [-] -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ Infection : Rans.Gendarm ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HDP725016GLA380 +++++
--- User ---
[MBR] cbd142fb25ae3f21283a2a3b492d5996
[BSP] 6cc0c1d0a4fa6e9b34b8e6e01b2e9383 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 152617 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: USB 2.0 USB Flash Drive USB Device +++++
--- User ---
[MBR] 566e4ce2aaab807a903a45caea1d6724
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32 (0x0b) [VISIBLE] Offset (sectors): 63 | Size: 3863 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1]_S_05162013_02d1013.txt >>
RKreport[1]_S_05162013_02d1013.txt


 

 

 Results of screen317's Security Check version 0.99.63  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:``````````````
 Windows Security Center service is not running! This report may not be accurate!
 Windows Firewall Disabled!  
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 SUPERAntiSpyware     
 Malwarebytes Anti-Malware version 1.75.0.1300  
 PC TuneUp Maestro   
 Java™ 6 Update 17  
 Java version out of Date!
 Adobe Reader 9 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent````````  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 23% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
# AdwCleaner v2.300 - Logfile created 05/16/2013 at 10:18:50
# Updated 28/04/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Administrator - MIS_10_01
# Boot Mode : Normal
# Running from : C:\Documents and Settings\administrator\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

*************************

AdwCleaner[R1].txt - [811 octets] - [16/05/2013 10:18:50]

########## EOF - C:\AdwCleaner[R1].txt - [870 octets] ##########
 



#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,747 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 16 May 2013 - 12:24 PM

Run the RogueKiller tool and use the Delete function.

Post the new log.
===

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official Oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present remove the old version(s) of Java using the Add/Remove Programs applet.

Java 6 Update 17

Note
The Java security update installs the Ask Toolbar by default -- a single click in a multi-step installer.
http://www.benedelman.org/images/iac-jan13/ask-iac-011613-small.png
I suggest that you un-check the box "Install the Ask Toolbar" before proceeding.
===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before you download, I suggest you uncheck the box on the top right, "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed, remove your old version of the Reader using the Add/Remove Programs applet if present.

Run the DDS tool again and post a fresh log for my review.

Let me know if the problem persists.

#5 sadj2885

sadj2885
  • Topic Starter

  • Members
  • 58 posts

Posted 16 May 2013 - 12:51 PM

Sorry, I must have posted the incorrect log for RogueKiller earlier. Here is the new one. I did do the delete the first time, but it did not help. I also removed Java and Adobe until this gets fixed.

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Administrator [Admin rights]
Mode : Remove -- Date : 05/16/2013 13:47:29
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HDP725016GLA380 +++++
--- User ---
[MBR] cbd142fb25ae3f21283a2a3b492d5996
[BSP] 6cc0c1d0a4fa6e9b34b8e6e01b2e9383 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 152617 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: USB 2.0 USB Flash Drive USB Device +++++
--- User ---
[MBR] 566e4ce2aaab807a903a45caea1d6724
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32 (0x0b) [VISIBLE] Offset (sectors): 63 | Size: 3863 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2]_D_05162013_02d1347.txt >>
RKreport[1]_S_05162013_02d1346.txt ; RKreport[2]_D_05162013_02d1347.txt


 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Administrator at 13:47:53 on 2013-05-16
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3575.3054 [GMT -4:00]
.
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\TriActive\MicroAgent\bin\ma.exe
C:\Program Files\PRTG Network Monitor\PRTG Probe.exe
C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdController.exe
C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdServer.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ccmsetup\ccmsetup.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bergenregional.com
uDefault_Page_URL = hxxp://www.bergenregional.com
uInternet Connection Wizard,ShellNext = hxxp://www.bergenregional.com/
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: UseDefaultTile = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: akamai.net
Trusted Zone: bergenregional.com
Trusted Zone: berkscredit.com
Trusted Zone: caretrackeronline.com
Trusted Zone: collaborationcompass.com
Trusted Zone: crothall.com
Trusted Zone: docline.gov
Trusted Zone: epocrates.com
Trusted Zone: ghginteractive.com
Trusted Zone: gotoassist.com
Trusted Zone: hdsmith.com
Trusted Zone: intersourcing.com
Trusted Zone: keaneapp
Trusted Zone: knstest
Trusted Zone: Mckesson.com
Trusted Zone: medmanagement.com
Trusted Zone: medmanagement.com
Trusted Zone: microsoft.com
Trusted Zone: morrisontoday.com
Trusted Zone: newsolutionsinc.com
Trusted Zone: njmmis.com
Trusted Zone: partestweb
Trusted Zone: parweb
Trusted Zone: rhapsody
Trusted Zone: ultipro.com
Trusted Zone: we-care-4-clients.com
Trusted Zone: windowsupdate.com
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
Trusted Zone: akamai.net
Trusted Zone: bergenregional.com
Trusted Zone: berkscredit.com
Trusted Zone: caretrackeronline.com
Trusted Zone: collaborationcompass.com
Trusted Zone: crothall.com
Trusted Zone: docline.gov
Trusted Zone: epocrates.com
Trusted Zone: ghginteractive.com
Trusted Zone: gotoassist.com
Trusted Zone: hdsmith.com
Trusted Zone: intersourcing.com
Trusted Zone: keaneapp
Trusted Zone: knstest
Trusted Zone: Mckesson.com
Trusted Zone: medmanagement.com
Trusted Zone: medmanagement.com
Trusted Zone: microsoft.com
Trusted Zone: morrisontoday.com
Trusted Zone: newsolutionsinc.com
Trusted Zone: njmmis.com
Trusted Zone: partestweb
Trusted Zone: parweb
Trusted Zone: rhapsody
Trusted Zone: ultipro.com
Trusted Zone: we-care-4-clients.com
Trusted Zone: windowsupdate.com
Trusted Zone: XLTek.com
DPF: {032C5CBC-2272-438F-AC73-38EA92AF19BD} - hxxp://69.233.234.229:9090/mpeg4/WebViewer.cab
DPF: {933C7E9B-A02B-41AC-A3BF-1C46926CBDAC} - hxxp://10.99.13.23/hrs/download/Setup.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://akamaicdn.webex.com/client/WBXclient-T27L10NSP28EP2-12243/webex/ieatgpc.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
TCP: NameServer = 10.99.13.200 10.99.13.202
TCP: Interfaces\{6F3C7144-6126-4922-8B99-57103B8F4309} : DHCPNameServer = 10.99.13.200 10.99.13.202
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R2 ccmsetup;ccmsetup;c:\windows\system32\ccmsetup\ccmsetup.exe [2011-5-5 271224]
R2 MA;TriActive MicroAgent;c:\program files\triactive\microagent\bin\ma.exe [2012-5-23 1576960]
R2 PRTGProbeService;PRTG Probe Service;c:\program files\prtg network monitor\PRTG Probe.exe [2012-5-3 3839248]
R2 RosettaStoneLtdController;RosettaStoneLtdController;c:\program files\rosettastoneltdservices\RosettaStoneLtdController.exe [2008-9-16 352312]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-5-13 40776]
RUnknown SASKUTIL;SASKUTIL; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 PRTGCoreService;PRTG Core Server Service;c:\program files\prtg network monitor\PRTG Server.exe [2012-5-3 4357904]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 WPRO_41_2001;WinPcap Packet Driver (WPRO_41_2001);c:\windows\system32\drivers\wpro_41_2001.sys --> c:\windows\system32\drivers\WPRO_41_2001.sys [?]
.
=============== Created Last 30 ================
.
2013-05-14 19:34:33    172032    ----a-w-    c:\windows\system32\igfxres.dll
2013-05-14 18:05:26    98816    ----a-w-    c:\windows\sed.exe
2013-05-14 18:05:26    256000    ----a-w-    c:\windows\PEV.exe
2013-05-14 18:05:26    208896    ----a-w-    c:\windows\MBR.exe
2013-05-14 16:24:57    92416    -c--a-w-    c:\windows\system32\dllcache\mga.sys
2013-05-14 16:23:55    19456    -c--a-w-    c:\windows\system32\dllcache\agt0804.dll
2013-05-14 16:06:46    --------    d-sh--w-    c:\windows\Installer
2013-05-14 16:06:23    24661    -c--a-w-    c:\windows\system32\dllcache\spxcoins.dll
2013-05-14 16:06:23    24661    ----a-w-    c:\windows\system32\spxcoins.dll
2013-05-14 16:06:23    13312    -c--a-w-    c:\windows\system32\dllcache\irclass.dll
2013-05-14 16:06:23    13312    ----a-w-    c:\windows\system32\irclass.dll
2013-05-14 16:06:06    16535    ----a-r-    c:\windows\SET101.tmp
2013-05-14 16:06:04    1088840    ----a-r-    c:\windows\SETF5.tmp
2013-05-14 16:06:02    1296669    ----a-r-    c:\windows\SETF2.tmp
2013-05-14 15:08:20    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-05-14 14:34:27    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-05-13 16:31:42    --------    d---a-w-    C:\REQ
2013-05-13 16:18:03    --------    d--h--w-    c:\windows\PIF
2013-05-13 16:12:11    --------    d-----w-    C:\New Folder (3)
2013-05-13 15:52:58    --------    d-----w-    c:\program files\Clear Read-Only
2013-05-13 15:41:09    40776    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2013-05-13 15:41:08    --------    d-----w-    c:\documents and settings\administrator\application data\Malwarebytes
2013-05-13 15:40:57    --------    d-----w-    c:\documents and settings\all users\application data\Malwarebytes
2013-05-13 15:40:30    --------    d-----w-    C:\New Folder (2)
2013-05-10 22:03:32    --------    d-----w-    c:\windows\ccmsetup
2013-05-01 20:17:51    119600    ----a-w-    c:\windows\system32\Windows-KB841290-x86-ENU.exe
2013-04-22 18:18:06    --------    d-----w-    c:\program files\Paragon1120
.
==================== Find3M  ====================
.
2013-03-13 01:36:42    73432    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-13 01:36:42    693976    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-02-28 17:36:19    8704    ----a-w-    c:\windows\system32\ParagonUpdateService.exe
.
============= FINISH: 13:48:37.60 ===============
 


Edited by sadj2885, 16 May 2013 - 12:52 PM.
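For the DDS logs posted in this thread, here is an added triage helper (example code, not from DDS, RogueKiller or BleepingComputer) that cross-references the SERVICES / DRIVERS section with the "Created Last 30" and "Find3M" file sections: a service whose binary was written recently, or whose binary DDS could not read, is reported for review. The same heuristic also reports the freshly installed Malwarebytes driver, which is why every hit still needs an analyst's judgement; the sample lines are copied from the logs above.

```python
"""Triage helper for the DDS log format posted in this thread.

Added example, not code from DDS, RogueKiller or BleepingComputer. It parses
the SERVICES / DRIVERS section and the "Created Last 30" / "Find3M" file
sections and reports services whose binary was written recently or could not
be read by DDS. The sample lines below are copied from the logs in the thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# DDS prefixes each service with R (running) or S (stopped) followed by the
# Windows service start type digit (the standard SERVICE_START values).
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

# e.g. "2013-02-28 17:36:19    8704    ----a-w-    c:\windows\system32\ParagonUpdateService.exe"
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>\S{8})\s+(?P<path>.+?)\s*$"
)
# trailing "[2013-2-15 8704]" (binary date and size) on a service line
TAIL_RE = re.compile(r"\[(?P<date>\d{4}-\d{1,2}-\d{1,2}) (?P<size>\d+)\]\s*$")


@dataclass
class Service:
    state: str            # "R", "S" or "RUnknown"
    start: str            # "auto", "manual", "disabled", ... or "unknown"
    name: str
    display: str
    path: str             # lower-case, unquoted; "" when DDS printed none
    binary_missing: bool  # DDS marked the binary with [x] or [?]


def parse_service(line: str) -> Optional[Service]:
    """Parse one SERVICES / DRIVERS line; return None for any other line."""
    head, _, rest = line.strip().partition(" ")
    if not head or head[0] not in "RS":
        return None
    parts = rest.split(";", 2)
    if len(parts) != 3:                  # service lines always carry two ';'
        return None
    name, display, tail = (p.strip() for p in parts)
    missing = tail.endswith("[x]") or tail.endswith("[?]")
    path = TAIL_RE.sub("", tail)
    if "-->" in path:                    # "registered path --> path on disk"
        path = path.split("-->")[-1]
    path = re.sub(r"\s*\[[x?]\]$", "", path.strip()).strip().strip('"').lower()
    state = "RUnknown" if head.startswith("RUnknown") else head[0]
    return Service(state, START_TYPES.get(head[1:2], "unknown"), name, display, path, missing)


def parse_file(line: str) -> Optional[dict]:
    """Parse one line of the Created Last 30 or Find3M sections."""
    m = FILE_RE.match(line.strip())
    if not m:
        return None
    return {"date": m["date"], "size": m["size"], "attrs": m["attrs"],
            "path": m["path"].strip().lower()}


def triage(log_lines: List[str]) -> List[str]:
    """Return one finding per service that deserves a closer look."""
    services = [s for s in map(parse_service, log_lines) if s]
    files: Dict[str, dict] = {}
    for f in map(parse_file, log_lines):
        if f:
            files[f["path"]] = f
    findings = []
    for s in services:
        if s.binary_missing or not s.path:
            findings.append(f"{s.name}: no readable binary ({s.state}/{s.start}); "
                            "leftover entry or hidden component, verify on disk")
        elif s.path in files:
            f = files[s.path]
            findings.append(f"{s.name}: {s.start} service, binary {s.path} "
                            f"written {f['date']} ({f['size']} bytes); recently changed")
    return findings


# Constructed sample: lines copied from the DDS logs in this thread.
SAMPLE_LOG = [
    r"R2 ccmsetup;ccmsetup;c:\windows\system32\ccmsetup\ccmsetup.exe [2011-5-5 271224]",
    r"R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-5-13 40776]",
    r"RUnknown SASKUTIL;SASKUTIL; [x]",
    r"S3 WPRO_41_2001;WinPcap Packet Driver (WPRO_41_2001);c:\windows\system32\drivers\wpro_41_2001.sys --> c:\windows\system32\drivers\WPRO_41_2001.sys [?]",
    r"S4 ParagonUpdateService;ParagonUpdateService;c:\windows\system32\ParagonUpdateService.exe [2013-2-15 8704]",
    r"2013-05-14 19:34:33    172032    ----a-w-    c:\windows\system32\igfxres.dll",
    r"2013-05-13 15:41:09    40776    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys",
    r"2013-02-28 17:36:19    8704    ----a-w-    c:\windows\system32\ParagonUpdateService.exe",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Running it on the sample reports ParagonUpdateService (the entry RogueKiller labelled Rans.Gendarm), the two entries with no readable binary, and the legitimate Malwarebytes driver; ccmsetup, whose binary is older than the file sections cover, is not reported.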


#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,747 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 17 May 2013 - 07:01 AM

Malwarebytes doesn't run; when I try to update it, it says "Definitions missing or corrupted"


Remove MBAM using the Add/Remove programs list and re-install it.

Keep me posted.

#7 sadj2885

sadj2885
  • Topic Starter

  • Members
  • 58 posts

Posted 17 May 2013 - 07:48 AM

Removed MBAM and reinstalled, still experiencing the same issue.



#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,747 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 17 May 2013 - 10:30 AM

1. Download and run mbam-clean.exe from here.
http://www.malwarebytes.org/mbam-clean.exe

This will remove the current version of Malwarebytes and make a pop-up notification appear that might say "This utility will remove all components of Malwarebytes Anti-Malware from your system. Are you sure you want to continue?"; click Yes. (Please allow it to restart your computer.)
===

2. After the computer restarts, temporarily disconnect from the Internet and disable your Anti-Virus and install the latest version of Malwarebytes’ Anti-Malware you recently downloaded.

#9 sadj2885

sadj2885
  • Topic Starter

  • Members
  • 58 posts

Posted 17 May 2013 - 10:40 AM

Thanks for all your help, nasdaq. I have decided it would just be easier to reinstall Windows at this point and start fresh. I appreciate the help. Thanks again.



#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,747 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 17 May 2013 - 10:42 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.