
Possible ZeroAccess infection still around and PC Cleaner Pro


  • This topic is locked
37 replies to this topic

#1 xXToffeeXx

    Bleepin' Polar Bear

  • Malware Response Instructor
  • 6,085 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 31 May 2013 - 08:34 AM

Okay, so I have managed to grab a laptop which I think is infected with ZeroAccess and has PC Cleaner Pro on the desktop. The laptop is running Windows Vista Home Premium. The PC Cleaner Pro says that he has 17,000 or so "errors" which it wants to fix, but wants his e-mail. Luckily he did not give it to them, and there is no banking on this computer (only an e-mail which has already been hacked). Malwarebytes has already removed 19 threats from the computer, some called Trojan.Zaccess (which is related to ZeroAccess, I'm pretty sure) and Rogue.WindowsPCDefender (which is probably related to PC Cleaner Pro).

 

 

Here is the DDS log:

 

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 9.0.8112.16483
Run by david at 13:59:55 on 2013-05-31
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.3061.1169 [GMT 1:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Windows\system32\SLsvc.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\agrsmsvc.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\Acer\Empowering Technology\eNet\eNet Service.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\PROGRA~1\PACKAG~2\bar\1.bin\69barsvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\Program Files\TalkTalk\bin\sprtsvc.exe
C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Users\david\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Epson Software\Event Manager\EEventManager.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\SiteRanker\SiteRankTray.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\PC Cleaners\PCCleaners.exe
C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\PackageTracer_69\bar\1.bin\69SrchMn.exe
C:\Program Files\PackageTracer_69\bar\1.bin\69brmon.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Users\david\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Windows\System32\spool\drivers\w32x86\3\E_FATIGGE.EXE
C:\Program Files\Logitech\Vid HD\Vid.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\vssvc.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\Windows\system32\RacAgent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k swprv
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://home.mywebsearch.com/index.jhtml?n=77DE8857&p2=^AFW^xdm041^YY^gb&ptb=30954D42-B100-4F33-AE42-1D70E013EE73&si=ipackagetracker-2-vrylml
uSearch Bar = Preserve
mStart Page = hxxp://en.us.acer.yahoo.com
mDefault_Page_URL = hxxp://en.us.acer.yahoo.com
uURLSearchHooks: <No Name>: {0696f815-a3a9-490a-bb14-9ec3350b1276} - 
uURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
uURLSearchHooks: {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - <orphaned>
uURLSearchHooks: <No Name>: {97ef77e6-97be-4204-a890-2485903c5624} - c:\program files\packagetracer_69\bar\1.bin\69SrcAs.dll
dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: <No Name>: {11BF46C6-B3DE-48BD-BF70-3AD85CAB80B5} - c:\program files\siteranker\SiteRank.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: ShowBarObj Class: {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - c:\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll
BHO: Toolbar BHO: {87011c4e-fcde-4476-9348-ecf16134fc1f} - c:\program files\packagetracer_69\bar\1.bin\69bar.dll
BHO: Search Assistant BHO: {87eab57c-d0b7-4ca9-8e26-191bfc989e26} - c:\program files\packagetracer_69\bar\1.bin\69SrcAs.dll
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Easy Photo Print: {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - c:\program files\epson software\easy photo print\EPTBL.dll
TB: Acer eDataSecurity Management: {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - c:\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Easy Photo Print: {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - c:\program files\epson software\easy photo print\EPTBL.dll
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: PackageTracer: {ff343558-d5a5-454a-bdd8-c5c81e179fed} - c:\program files\packagetracer_69\bar\1.bin\69bar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Google Update] "c:\users\david\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [EPSON SX125 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatigge.exe /fu "c:\windows\temp\E_S9C2F.tmp" /EF "HKCU"
uRun: [Logitech Vid] "c:\program files\logitech\vid hd\Vid.exe" -bootmode
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\x86\eDSloader.exe
mRun: [SetPanel] c:\acer\apanel\APanel.cmd
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [PlayMovie] "c:\program files\acer arcade deluxe\play movie\PMVService.exe"
mRun: [Skytel] Skytel.exe
mRun: [Acer Product Registration] "c:\program files\acer\acer registration\ACE1.exe" /startup
mRun: [Acer Assist Launcher] c:\program files\acer\acer assist\launcher.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [eRecoveryService] <no file>
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYAMwBaAEMAOQAtAEUASwBBAFIAUwAtADYAUgBXAEcAQQAtAEEAQQBUAEMAVQAtAFYAUAA5AEYATgA"&"inst=NwA3AC0ANAA0ADMAMwA3ADcAOAAyADYALQBUADUALQBVAEMAQQBMAEwAKwAxAC0AVQBDAEEATABMADIAKwAxAC0AR gBQADkAMgArADYALQBUAEIAOQArADIALQBGAEwAKwA5AC0AWABPADMANgArADEALQBGADkATQAxADAAQQArADIALQBYAE8AOQArADEALQBGADkATQAyACsAMQAtAEQARABUACsAMwAxADcANAAyAC0ARABEADkAMABGACsAMQAtAFMAVAA5ADAARgBBAFAAUAArADEALQBGADkAMABNADEAMgBEAE4AKwAxAC0AVABCACsAMQAtAFUAOQA1ACsAMQAtAEYAOQAwAFQAQgArADIALQBGADkAMABNADEAMgBUAEMAKwAxAC0ARgA5ADAATQAxADIAVABBACsAMQAtAFQATAArADEALQBGADkAMABNADEAMgBSACsAMQAxAC0AVgBJAFAAMQAyACsAMQA"&"prod=90"&"ver=9.0.894
StartupFolder: c:\users\david\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {200DB664-75B5-47c0-8B45-A44ACCF73C00} - {D68926FD-18FD-4B0E-A1C7-917D13FAB760} - <orphaned>
IE: {200DB664-75B5-47c0-8B45-A44ACCF73F01} - {D68926FD-18FD-4B0E-A1C7-917D13FAB760} - <orphaned>
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.1.1 0.0.0.0
TCP: Interfaces\{9CB379E2-07E9-49D2-B66B-1F69FB0AB131} : DHCPNameServer = 192.168.1.1 0.0.0.0
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\david\appdata\roaming\mozilla\firefox\profiles\hipu0gvu.default\
FF - prefs.js: browser.search.selectedEngine - My Way
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=XPxdm016YYgb&ptb=C20B580A-6456-4989-A4E7-49F4538A5ED5&psa=&ind=2012011317&ptnrS=XPxdm016YYgb&si=&st=kwd&n=77ecdb35&searchfor=
FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.145\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: c:\users\david\appdata\local\google\update\1.3.21.145\npGoogleUpdate3.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1202122.dll
FF - ExtSQL: !HIDDEN! 2009-09-02 13:26; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-7-9 28552]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-6-27 738504]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-6-27 361032]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\acer arcade deluxe\play movie\000.fcl [2009-4-11 41456]
R2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files\common files\abbyy\finereadersprint\9.00\licensing\NetworkLicenseServer.exe [2009-5-14 759048]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-6-27 21256]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-6-27 58680]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-6-27 44808]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-5-25 418376]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-5-25 701512]
R2 PackageTracer_69Service;PackageTracerService;c:\progra~1\packag~2\bar\1.bin\69barsvc.exe [2013-5-28 42504]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2013-4-18 1227800]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2013-4-18 659992]
R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\talktalk\bin\sprtsvc.exe [2007-10-12 202016]
R2 TeamViewer7;TeamViewer 7;c:\program files\teamviewer\version7\TeamViewer_Service.exe [2012-6-28 2666880]
R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\common files\supportsoft\bin\tgsrvc.exe [2007-8-2 148768]
R2 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2011-3-4 428640]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-3-20 180736]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-5-25 22856]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-5-25 40776]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf_x86.sys [2013-4-18 16024]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-4-19 161384]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2013-05-31 12:57:37 7016152 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{7958481d-0bd4-4e6e-af9c-e6e2590f73cd}\mpengine.dll
2013-05-28 11:52:49 -------- d-----w- c:\program files\PackageTracer_69
2013-05-25 16:00:26 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-25 15:55:20 -------- d-----w- c:\program files\VS Revo Group
2013-05-25 15:44:52 -------- d-----w- c:\users\david\appdata\local\Secunia PSI
2013-05-25 15:44:30 -------- d-----w- c:\program files\Secunia
2013-05-25 15:39:46 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-05-25 15:15:32 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-05-25 15:15:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-05-19 11:00:10 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-05-19 10:47:00 768512 ----a-w- c:\program files\common files\microsoft shared\vgx\VGX.dll
2013-05-19 10:47:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-05-19 10:47:00 149632 ----a-w- c:\program files\internet explorer\sqmapi.dll
2013-05-16 21:40:39 638328 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-05-16 21:40:39 37376 ----a-w- c:\windows\system32\cdd.dll
2013-05-16 21:40:30 2049024 ----a-w- c:\windows\system32\win32k.sys
.
==================== Find3M  ====================
.
2013-05-25 16:00:26 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-02 01:06:08 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-04-18 13:55:52 16024 ----a-w- c:\windows\system32\drivers\psi_mf_x86.sys
2013-04-04 22:11:34 1800704 ----a-w- c:\windows\system32\jscript9.dll
2013-04-04 22:02:59 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2013-04-04 22:02:17 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-04-04 21:58:51 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-03-11 13:25:50 3603816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-11 13:25:50 3551080 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-09 03:45:04 49152 ----a-w- c:\windows\system32\csrsrv.dll
2013-03-09 01:28:08 64000 ----a-w- c:\windows\system32\smss.exe
2013-03-08 03:53:50 376320 ----a-w- c:\windows\system32\winsrv.dll
2013-03-08 03:52:22 2067968 ----a-w- c:\windows\system32\mstscax.dll
2013-03-03 19:07:52 1082232 ----a-w- c:\windows\system32\drivers\ntfs.sys
.
============= FINISH: 14:08:09.62 ===============

 

 

~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~
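Editor's added example (not part of the original post, and not code from DDS or BleepingComputer): a small Python triage pass over a few lines excerpted from the DDS "Pseudo HJT Report" above. It parses the three line shapes that matter most for a responder (CLSID-registered BHOs/toolbars/search hooks, Run-key autoruns, and start pages) and flags orphaned CLSIDs, autoruns whose file is gone, binaries living under user-writable directories, and anything matching the toolbar / search-hijacker names that appear in this log. The PUP_MARKERS list and the flag wording are assumptions made for this example; the flags are review hints, not verdicts (Google Update legitimately runs from AppData, for instance).

```python
"""DDS 'Pseudo HJT Report' triage.

Added example, not part of the original post and not code from DDS or from
BleepingComputer. It parses a few lines excerpted from the DDS log above and
flags the entries a responder reviews first. PUP_MARKERS are taken from names
that appear in that log; the flags are review hints, not verdicts.
"""
import re
from dataclasses import dataclass, field

# Excerpt from the DDS log in post #1 (copied lines, shortened to a subset).
DDS_EXCERPT = r"""
uStart Page = hxxp://home.mywebsearch.com/index.jhtml?n=77DE8857
uURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
uURLSearchHooks: <No Name>: {97ef77e6-97be-4204-a890-2485903c5624} - c:\program files\packagetracer_69\bar\1.bin\69SrcAs.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: <No Name>: {11BF46C6-B3DE-48BD-BF70-3AD85CAB80B5} - c:\program files\siteranker\SiteRank.dll
TB: PackageTracer: {ff343558-d5a5-454a-bdd8-c5c81e179fed} - c:\program files\packagetracer_69\bar\1.bin\69bar.dll
uRun: [Google Update] "c:\users\david\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mRun: [eRecoveryService] <no file>
"""


@dataclass
class Entry:
    kind: str
    name: str
    target: str
    reasons: list = field(default_factory=list)


# Three DDS line shapes: CLSID-registered objects, Run-key autoruns, start pages.
CLSID_LINE = re.compile(
    r"^(?P<kind>BHO|TB|[ud]URLSearchHooks): (?:(?P<name>[^:{]*?): )?"
    r"(?P<clsid>\{[0-9A-Fa-f-]+\})(?: - (?P<target>.*))?$")
RUN_LINE = re.compile(r"^(?P<kind>[umd]Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<target>.*)$")
PAGE_LINE = re.compile(r"^(?P<kind>[um]Start Page|mDefault_Page_URL) = (?P<target>.*)$")

# Toolbar / search-hijacker names visible in this log (assumed list; extend it).
PUP_MARKERS = ("packagetracer", "mywebsearch", "siteranker")
USER_WRITABLE = re.compile(r"\\(appdata|programdata|temp)\\", re.IGNORECASE)


def parse_line(line):
    """Return an Entry for a recognised DDS line, else None."""
    for rx in (CLSID_LINE, RUN_LINE, PAGE_LINE):
        m = rx.match(line)
        if m:
            d = m.groupdict()
            name = d.get("name") or d.get("clsid") or ""
            return Entry(d["kind"], name, (d.get("target") or "").strip())
    return None


def assess(entry):
    """Attach review reasons to an entry; an empty list means nothing stood out."""
    haystack = f"{entry.name} {entry.target}".lower()
    if entry.target == "<orphaned>":
        entry.reasons.append("orphaned CLSID: registration left behind, DLL already gone")
    if entry.target == "<no file>":
        entry.reasons.append("autorun points to a file that no longer exists")
    if USER_WRITABLE.search(entry.target):
        entry.reasons.append("binary under a user-writable directory; verify its publisher")
    if any(marker in haystack for marker in PUP_MARKERS):
        entry.reasons.append("matches a toolbar / search hijacker named in this log")
    return entry


def triage(report):
    """Parse a DDS report and return only the entries with at least one reason."""
    findings = []
    for raw in report.strip().splitlines():
        entry = parse_line(raw.strip())
        if entry and assess(entry).reasons:
            findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in triage(DDS_EXCERPT):
        print(f"{f.kind:16} {f.name:40} {'; '.join(f.reasons)}")
```

Run against the excerpt it flags seven of the nine lines and leaves the Adobe BHO and the Windows Defender autorun alone; the same regexes work on a full DDS report pasted into a file.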



#2 xXToffeeXx

    Bleepin' Polar Bear

  • Topic Starter
  • Malware Response Instructor
  • 6,085 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 31 May 2013 - 08:35 AM

Here are the Malwarebytes logs:

 

2013/05/28 12:39:09 +0100 DAVID-PC (null) MESSAGE Executing scheduled update:  Daily
2013/05/28 12:39:16 +0100 DAVID-PC david MESSAGE Starting protection
2013/05/28 12:39:16 +0100 DAVID-PC david MESSAGE Protection started successfully
2013/05/28 12:39:16 +0100 DAVID-PC david MESSAGE Starting IP protection
2013/05/28 12:39:25 +0100 DAVID-PC david ERROR Scheduled update failed:  Host not found failed with error code 0
2013/05/28 12:39:32 +0100 DAVID-PC david MESSAGE IP Protection started successfully
2013/05/28 16:51:31 +0100 DAVID-PC david MESSAGE Executing scheduled update:  Daily
2013/05/28 16:51:36 +0100 DAVID-PC david ERROR Scheduled update failed:  Host not found failed with error code 0
2013/05/28 16:51:44 +0100 DAVID-PC david MESSAGE Starting protection
2013/05/28 16:51:44 +0100 DAVID-PC david MESSAGE Protection started successfully
2013/05/28 16:51:44 +0100 DAVID-PC david MESSAGE Starting IP protection
2013/05/28 16:51:53 +0100 DAVID-PC david MESSAGE IP Protection started successfully
2013/05/28 22:17:52 +0100 DAVID-PC david MESSAGE Starting protection
2013/05/28 22:17:53 +0100 DAVID-PC david MESSAGE Protection started successfully
2013/05/28 22:17:53 +0100 DAVID-PC david MESSAGE Starting IP protection
2013/05/28 22:18:05 +0100 DAVID-PC david MESSAGE IP Protection started successfully
2013/05/28 23:19:51 +0100 DAVID-PC david IP-BLOCK 78.140.143.48 (Type: outgoing, Port: 50914, Process: avastsvc.exe)
2013/05/28 23:19:52 +0100 DAVID-PC david IP-BLOCK 78.140.143.48 (Type: outgoing, Port: 50915, Process: avastsvc.exe)
2013/05/28 23:21:20 +0100 DAVID-PC david IP-BLOCK 64.111.214.2 (Type: outgoing, Port: 51122, Process: avastsvc.exe)
2013/05/28 23:21:20 +0100 DAVID-PC david IP-BLOCK 64.111.214.2 (Type: outgoing, Port: 51123, Process: avastsvc.exe)
 
2013/05/25 16:16:49 +0100 DAVID-PC david MESSAGE Executing scheduled update:  Daily
2013/05/25 16:16:57 +0100 DAVID-PC david MESSAGE Starting protection
2013/05/25 16:16:57 +0100 DAVID-PC david MESSAGE Protection started successfully
2013/05/25 16:16:57 +0100 DAVID-PC david MESSAGE Starting IP protection
2013/05/25 16:17:42 +0100 DAVID-PC david MESSAGE IP Protection started successfully
2013/05/25 16:17:42 +0100 DAVID-PC david MESSAGE Starting database refresh
2013/05/25 16:17:42 +0100 DAVID-PC david MESSAGE Stopping IP protection
2013/05/25 16:17:45 +0100 DAVID-PC david MESSAGE IP Protection stopped successfully
2013/05/25 16:17:50 +0100 DAVID-PC david MESSAGE Scheduled update executed successfully:  database updated from version v2013.04.04.07 to version v2013.05.25.05
2013/05/25 16:17:54 +0100 DAVID-PC david MESSAGE Database refreshed successfully
2013/05/25 16:17:54 +0100 DAVID-PC david MESSAGE Starting IP protection
2013/05/25 16:18:05 +0100 DAVID-PC david MESSAGE IP Protection started successfully
2013/05/25 16:20:39 +0100 DAVID-PC david DETECTION C:\ProgramData\lsass.exe Trojan.Delf QUARANTINE
2013/05/25 16:20:44 +0100 DAVID-PC david DETECTION c:\programdata\lsass.exe Trojan.Delf QUARANTINE
2013/05/25 16:20:44 +0100 DAVID-PC david ERROR Quarantine failed:  SDKQuarantine failed with error code 2
2013/05/25 16:21:08 +0100 DAVID-PC david DETECTION c:\programdata\lsass.exe Trojan.Delf QUARANTINE
2013/05/25 16:21:08 +0100 DAVID-PC david ERROR Quarantine failed:  SDKQuarantine failed with error code 2
2013/05/25 16:22:48 +0100 DAVID-PC david IP-BLOCK 85.159.233.9 (Type: outgoing, Port: 64403, Process: avastsvc.exe)
2013/05/25 16:22:48 +0100 DAVID-PC david IP-BLOCK 85.159.233.9 (Type: outgoing, Port: 64404, Process: avastsvc.exe)
2013/05/25 16:38:13 +0100 DAVID-PC david MESSAGE Starting protection
2013/05/25 16:38:14 +0100 DAVID-PC david MESSAGE Protection started successfully
2013/05/25 16:38:14 +0100 DAVID-PC david MESSAGE Starting IP protection
2013/05/25 16:38:24 +0100 DAVID-PC david MESSAGE IP Protection started successfully
2013/05/25 22:13:58 +0100 DAVID-PC david MESSAGE Starting protection
2013/05/25 22:13:59 +0100 DAVID-PC david MESSAGE Protection started successfully
2013/05/25 22:13:59 +0100 DAVID-PC david MESSAGE Starting IP protection
2013/05/25 22:14:07 +0100 DAVID-PC david MESSAGE IP Protection started successfully
2013/05/25 22:24:45 +0100 DAVID-PC david MESSAGE Starting protection
2013/05/25 22:24:45 +0100 DAVID-PC david MESSAGE Protection started successfully
2013/05/25 22:24:45 +0100 DAVID-PC david MESSAGE Starting IP protection
2013/05/25 22:24:56 +0100 DAVID-PC david MESSAGE IP Protection started successfully
2013/05/25 22:51:10 +0100 DAVID-PC david IP-BLOCK 64.111.214.2 (Type: outgoing, Port: 50215, Process: avastsvc.exe)
2013/05/25 22:51:11 +0100 DAVID-PC david IP-BLOCK 64.111.214.2 (Type: outgoing, Port: 50216, Process: avastsvc.exe)
 
Malwarebytes' Anti-Malware 1.41
Database version: 2859
Windows 6.0.6001 Service Pack 1
26/09/2009 09:18:05
mbam-log-2009-09-26 (09-18-05).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 176743
Time elapsed: 3 hour(s), 6 minute(s), 31 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 9
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows PC Defender (Rogue.WindowsPCDefender) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://search-gala.com/?&uid=118&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.
Folders Infected:
C:\Users\david\AppData\Roaming\Windows PC Defender (Rogue.WindowsPCDefender) -> Quarantined and deleted successfully.
C:\ProgramData\WPCDSys (Rogue.WindowsPCDefender) -> Quarantined and deleted successfully.
Files Infected:
C:\Users\david\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\76BP4GUE\setup_build8_118[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\david\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\LU4LP5VR\setup_build8_118[2].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\david\AppData\Roaming\Windows PC Defender\Instructions.ini (Rogue.WindowsPCDefender) -> Quarantined and deleted successfully.
C:\ProgramData\WPCDSys\wpcd.cfg (Rogue.WindowsPCDefender) -> Quarantined and deleted successfully.
C:\Users\david\Desktop\Windows PC Defender.lnk (Rogue.WindowsPCDefender) -> Quarantined and deleted successfully.
C:\Users\david\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PC Defender.lnk (Rogue.WindowsPCDefender) -> Quarantined and deleted successfully.
C:\Users\david\AppData\Roaming\Microsoft\Windows\Start Menu\Windows PC Defender.lnk (Rogue.WindowsPCDefender) -> Quarantined and deleted successfully.
C:\Users\david\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Windows PC Defender.lnk (Rogue.WindowsPCDefender) -> Quarantined and deleted successfully.
C:\ProgramData\f9f0b00\WPf9f0.exe (Rogue.WindowsPCDefender) -> Quarantined and deleted successfully.
 
Malwarebytes' Anti-Malware 1.44
Database version: 3761
Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005
19/02/2010 16:35:47
mbam-log-2010-02-19 (16-35-47).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 195178
Time elapsed: 56 minute(s), 10 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Users\david\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\76BP4GUE\player[1].exe (Trojan.TDSS) -> Quarantined and deleted successfully.
 
Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org
Database version: v2013.05.25.05
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
david :: DAVID-PC [administrator]
Protection: Enabled
25/05/2013 16:18:03
mbam-log-2013-05-25 (16-18-03).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 237938
Time elapsed: 16 minute(s), 41 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> Quarantined and deleted successfully.
Registry Values Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Users\david\AppData\Local\{73fd23ff-1501-a948-1de6-6b099b1cd9b3}\n. -> Quarantined and deleted successfully.
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 2
C:\Users\david\AppData\Local\Temp\wpbt0.dll (Trojan.Ransom.fms) -> Quarantined and deleted successfully.
C:\Users\david\rnd0312.tmp (Trojan.Winlock) -> Quarantined and deleted successfully.
(end)

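Editor's added example (not part of the original post, and not Malwarebytes' own code): a Python pass over a constructed excerpt of the protection log above. It correlates each DETECTION line with any "Quarantine failed" error that follows it, so a file that keeps being detected but never actually gets removed stands out, and it aggregates the IP-BLOCK events per destination address and process. The record layout and the "unresolved" rule are assumptions made for this example.

```python
"""Malwarebytes protection-log triage.

Added example, not part of the original post and not Malwarebytes' own code.
It parses a constructed excerpt of the protection log above, correlates each
DETECTION with any 'Quarantine failed' error that follows it, and aggregates
IP-BLOCK events per destination address.
"""
import re
from collections import defaultdict

# Constructed excerpt: lines copied from the protection log in post #2.
MBAM_LOG = r"""
2013/05/25 16:18:05 +0100 DAVID-PC david MESSAGE IP Protection started successfully
2013/05/25 16:20:39 +0100 DAVID-PC david DETECTION C:\ProgramData\lsass.exe Trojan.Delf QUARANTINE
2013/05/25 16:20:44 +0100 DAVID-PC david DETECTION c:\programdata\lsass.exe Trojan.Delf QUARANTINE
2013/05/25 16:20:44 +0100 DAVID-PC david ERROR Quarantine failed:  SDKQuarantine failed with error code 2
2013/05/25 16:21:08 +0100 DAVID-PC david DETECTION c:\programdata\lsass.exe Trojan.Delf QUARANTINE
2013/05/25 16:21:08 +0100 DAVID-PC david ERROR Quarantine failed:  SDKQuarantine failed with error code 2
2013/05/25 16:22:48 +0100 DAVID-PC david IP-BLOCK 85.159.233.9 (Type: outgoing, Port: 64403, Process: avastsvc.exe)
2013/05/25 16:22:48 +0100 DAVID-PC david IP-BLOCK 85.159.233.9 (Type: outgoing, Port: 64404, Process: avastsvc.exe)
2013/05/25 22:51:10 +0100 DAVID-PC david IP-BLOCK 64.111.214.2 (Type: outgoing, Port: 50215, Process: avastsvc.exe)
2013/05/25 22:51:11 +0100 DAVID-PC david IP-BLOCK 64.111.214.2 (Type: outgoing, Port: 50216, Process: avastsvc.exe)
"""

# One record per line: timestamp, host, user, event kind, free-text remainder.
LINE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) (?P<host>\S+) (?P<user>\S+) "
    r"(?P<kind>MESSAGE|ERROR|DETECTION|IP-BLOCK) (?P<rest>.*)$")
DETECT = re.compile(r"^(?P<path>.*?) (?P<threat>\S+) (?P<action>\S+)$")
BLOCK = re.compile(
    r"^(?P<ip>\S+) \(Type: (?P<direction>\w+), Port: (?P<port>\d+), Process: (?P<proc>[^)]+)\)$")


def parse(log):
    """Split the log into event dicts; unrecognised lines are skipped."""
    events = []
    for raw in log.strip().splitlines():
        m = LINE.match(raw.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Return (detections keyed by lower-cased path, blocks keyed by destination IP)."""
    detections = defaultdict(lambda: {"threat": None, "seen": 0, "quarantine_failed": 0})
    blocks = defaultdict(lambda: {"count": 0, "processes": set()})
    last_path = None  # the detection that a following quarantine error refers to
    for ev in events:
        if ev["kind"] == "DETECTION":
            d = DETECT.match(ev["rest"])
            if not d:
                continue
            last_path = d["path"].lower()
            rec = detections[last_path]
            rec["threat"] = d["threat"]
            rec["seen"] += 1
        elif ev["kind"] == "ERROR" and ev["rest"].startswith("Quarantine failed") and last_path:
            detections[last_path]["quarantine_failed"] += 1
        elif ev["kind"] == "IP-BLOCK":
            b = BLOCK.match(ev["rest"])
            if b:
                blocks[b["ip"]]["count"] += 1
                blocks[b["ip"]]["processes"].add(b["proc"])
    return dict(detections), dict(blocks)


def unresolved(detections):
    """Paths that were detected but at least once could not be quarantined."""
    return sorted(p for p, r in detections.items() if r["quarantine_failed"] > 0)


if __name__ == "__main__":
    dets, blocks = summarize(parse(MBAM_LOG))
    for path in unresolved(dets):
        r = dets[path]
        print(f"still present: {path} ({r['threat']}) detected {r['seen']}x, "
              f"quarantine failed {r['quarantine_failed']}x")
    for ip, r in blocks.items():
        print(f"blocked {ip} {r['count']}x via {', '.join(sorted(r['processes']))}")
```

On this excerpt the one unresolved path is the lsass.exe under C:\ProgramData, detected three times with two failed quarantines. The real lsass.exe lives in System32, so a copy elsewhere that survives quarantine attempts is exactly the kind of evidence that keeps a responder from declaring the machine clean.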


#3 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 37,375 posts
  • Gender:Male
  • Location:California

Posted 31 May 2013 - 09:19 AM

Greetings Sarah and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, use the Reply Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow Topic button. Click on this, then choose Immediate E-Mail notification and then Proceed, and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started :thumbup2:
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Please allow me some time to review the information you have provided and I will reply as soon as possible.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

#4 xXToffeeXx (Topic Starter, Malware Response Instructor)

Posted 31 May 2013 - 09:23 AM

Good to see you Gary, I am so appreciative of you helping me. I have a FRST and Additions logs which shows indications of ZeroAccess and other malware. Shall I post them for you to review?


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#5 Oh My! (Malware Response Instructor)

Posted 31 May 2013 - 09:37 AM

Hi Sarah,

Thank you for patiently waiting while I reviewed the information you provided. Here are the first steps I would like us to take. Please do this.

===================================================

AdwCleaner by Xplode - Delete Adware

-------------------
  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browser
  • Double click on AdwCleaner.exe, select OK, then Run
  • Click on Delete
  • Confirm each time with OK
  • Your computer will be rebooted automatically. A text file will open after the restart
  • Copy and paste the contents in your reply
  • You can find the logfile at C:\AdwCleaner[S1].txt
===================================================

Junkware Removal Tool by thisisu

-------------------
  • Please download Junkware Removal Tool and save it to your desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Right-mouse click JRT.exe and select Run as administrator (Windows XP double click the icon)
  • Please allow the program time to run
  • Once completed a Notepad document will open on your desktop
  • Copy and paste the contents in your reply
===================================================

Run Combofix in Vista/7

--------------------

Combofix is a very powerful tool and special attention must be taken to allow it to work properly. Please pay careful attention to the following instructions.

sUBs, the author of Combofix, recommends that you uninstall AVG or CA Internet Security before running the program. If you have either of these programs on your computer please uninstall them using AppRemover which can be downloaded here. We will be sure to reinstall the Antivirus program once we are finished using Combofix.
  • Please download ComboFix from one of these locations:

BleepingComputer
ForoSpyware

  • Save Combofix.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts. It is important you do not mouse click while the program is running or it may stall.
Note #1: Oftentimes it may appear as if ComboFix has stopped working. To verify it is still running please do one of the following below. If, based on the below, you have concluded ComboFix has stopped running please stop and advise me.
  • Check your computer clock. If it is still running then so is ComboFix
  • Open Task Manager and select the Applications Tab. If the status of AutoScan is Running, then ComboFix is running
  • Open Task Manager and select the Processes Tab. Under Image Name look for files ending in .3xe. If there are fluctuating numbers under CPU and Mem Usage then ComboFix is running
Note #2: If you receive the following error "Illegal operation attempted on a registry key that has been marked for deletion" please just restart your computer to resolve this issue

If Combofix fails to run properly using the above instructions please attempt the following:
  • Right click on the Combofix icon on your desktop and select Delete
  • Download a new copy but rename it to freshcopy.exe first, then save it to your desktop
  • Now download RKill.exe (or RKill renamed as iExplore.exe if the first one doesn't work properly) and save it to your desktop
  • Restart your computer in Safe Mode
  • Right click on RKill (or iExplore) and select Run as Administrator. If you are using Windows XP simply double click the icon
  • A black DOS screen should flash and disappear. If not, try to launch the program with the second file. If neither works please stop and let me know
  • When RKill is finished running you will be presented with a text file and a copy will be saved on your desktop. Copy and paste the contents of this report in your reply
  • Do not reboot your computer
  • Double click the freshcopy.exe icon (renamed Combofix file)
  • When finished, it will produce a log. Please copy and paste the C:\Combofix.txt log information in your next reply
  • If you disabled your antivirus please enable it again. If you uninstalled it please wait for instructions to reinstall it
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • AdwCleaner log
  • Junkware log
  • Combofix log
  • How is your computer running?

Gary

#6 Oh My! (Malware Response Instructor)

Posted 31 May 2013 - 09:38 AM

Sorry, we cross posted. Let's see what Combofix does first.
Gary

#7 xXToffeeXx (Topic Starter, Malware Response Instructor)

Posted 31 May 2013 - 09:43 AM

Okay, I shall run each of the programs and then paste the results in here. I'll post each one after I have done it, as I have a feeling Combofix may take a while




#8 xXToffeeXx (Topic Starter, Malware Response Instructor)

Posted 31 May 2013 - 09:52 AM

Here is the AdwCleaner log:

# AdwCleaner v2.301 - Logfile created 05/31/2013 at 15:43:29
# Updated 16/05/2013 by Xplode
# Operating system : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# User : david - DAVID-PC
# Boot Mode : Normal
# Running from : C:\Users\david\Downloads\AdwCleaner.exe
# Option [Delete]
 
 
***** [Services] *****
 
 
***** [Files / Folders] *****
 
File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml
Folder Deleted : C:\Program Files\SiteRanker
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SiteRanker
Folder Deleted : C:\Users\david\AppData\LocalLow\AVG Security Toolbar
Folder Deleted : C:\Users\david\AppData\LocalLow\SiteRanker
Folder Deleted : C:\Users\david\AppData\Roaming\Mozilla\Firefox\Profiles\hipu0gvu.default\extensions\69ffxtbr@PackageTracer_69.com
Folder Deleted : C:\Users\david\AppData\Roaming\Mozilla\Firefox\Profiles\n1zh5afm.default\extensions\69ffxtbr@PackageTracer_69.com
Folder Deleted : C:\Windows\Installer\{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}
 
***** [Registry] *****
 
Key Deleted : HKCU\Software\AppDataLow\Software\AVG Security Toolbar
Key Deleted : HKCU\Software\AVG Security Toolbar
Key Deleted : HKCU\Software\IM
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{11BF46C6-B3DE-48BD-BF70-3AD85CAB80B5}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{5D79F641-C168-40DF-A32F-BACEA7509E75}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{C98D5B61-B0EA-4D48-9839-1079D352D880}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{CB41FC95-F1B3-4797-8BB6-1012FF62ABBA}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{04D2B915-19FF-41E9-994D-95DC898BEA43}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{11BF46C6-B3DE-48BD-BF70-3AD85CAB80B5}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5D79F641-C168-40DF-A32F-BACEA7509E75}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C98D5B61-B0EA-4D48-9839-1079D352D880}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CB41FC95-F1B3-4797-8BB6-1012FF62ABBA}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{04D2B915-19FF-41E9-994D-95DC898BEA43}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{0696F815-A3A9-490A-BB14-9EC3350B1276}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{11BF46C6-B3DE-48BD-BF70-3AD85CAB80B5}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{13119113-0854-469D-807A-171568457991}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{33119133-0854-469D-807A-171568457991}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5D79F641-C168-40DF-A32F-BACEA7509E75}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{C98D5B61-B0EA-4D48-9839-1079D352D880}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CB41FC95-F1B3-4797-8BB6-1012FF62ABBA}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F02C0832-C85C-4B93-8C6F-9DF20121A10D}
Key Deleted : HKLM\SOFTWARE\Classes\IMsiDe1egate.Application.1
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{23119123-0854-469D-807A-171568457991}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{03119103-0854-469D-807A-171568457991}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11BF46C6-B3DE-48BD-BF70-3AD85CAB80B5}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{04D2B915-19FF-41E9-994D-95DC898BEA43}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F02C0832-C85C-4B93-8C6F-9DF20121A10D}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D7E97865-918F-41E4-9CD0-25AB1C574CE8}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{0696F815-A3A9-490A-BB14-9EC3350B1276}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{D3D233D5-9F6D-436C-B6C7-E63F77503B30}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
 
***** [Internet Browsers] *****
 
-\\ Internet Explorer v9.0.8112.16483
 
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://home.mywebsearch.com/index.jhtml?n=77DE8857&p2=^AFW^xdm041^YY^gb&ptb=30954D42-B100-4F33-AE42-1D70E013EE73&si=ipackagetracker-2-vrylml --> hxxp://www.google.com
 
-\\ Mozilla Firefox v21.0 (en-GB)
 
File : C:\Users\david\AppData\Roaming\Mozilla\Firefox\Profiles\hipu0gvu.default\prefs.js
 
Deleted : user_pref("extensions.TelevisionFanatic.openSearchURL", "hxxp://search.mywebsearch.com/mywebsearch/o[...]
Deleted : user_pref("keyword.URL", "hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=XPxdm016YYgb&ptb[...]
 
-\\ Google Chrome v27.0.1453.94
 
File : C:\Users\david\AppData\Local\Google\Chrome\User Data\Default\Preferences
 
[OK] File is clean.
 
*************************
 
AdwCleaner[S1].txt - [6515 octets] - [31/05/2013 15:43:29]
 
########## EOF - C:\AdwCleaner[S1].txt - [6575 octets] ##########

 

When I rebooted, Avast! Antivirus wanted to update so I am letting it do that before I run JRT. PC Cleaner Pro is still on the desktop, not that AdwCleaner really deals with that. Avast! has updated from version 7-something to the newest 8 one and is restarting the computer (I have a feeling that Avast! hadn't been updated for a while, but I do not know for sure).


Edited by xXToffeeXx, 31 May 2013 - 09:53 AM.

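As an added example for reviewing reports like the one above (this is not code from the thread, from AdwCleaner's author or from BleepingComputer), a small Python triage script for AdwCleaner's report layout: it splits the log on its ***** [Section] ***** banners, then groups every CLSID in the Registry section by the Internet Explorer registration points it was removed from (Classes\CLSID, Browser Helper Objects, Ext\Settings, Ext\Stats, Ext\PreApproved, URLSearchHooks, Toolbar), so that the many GUID lines collapse into one footprint per add-on, and lists the browser settings the tool reset. The labels for those registration points are my own, and the embedded sample log is constructed from a few lines of the posted report.

```python
import re
from collections import defaultdict

# Constructed sample in AdwCleaner's report layout (section banners, then
# "Action : target" lines), built from a few lines of the report posted above.
SAMPLE_LOG = r"""# AdwCleaner v2.301 - Logfile created 05/31/2013 at 15:43:29
# Option [Delete]
***** [Files / Folders] *****
File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml
Folder Deleted : C:\Program Files\SiteRanker
***** [Registry] *****
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{0696F815-A3A9-490A-BB14-9EC3350B1276}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{0696F815-A3A9-490A-BB14-9EC3350B1276}]
***** [Internet Browsers] *****
-\\ Internet Explorer v9.0.8112.16483
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://home.mywebsearch.com/index.jhtml?n=77DE8857 --> hxxp://www.google.com
-\\ Mozilla Firefox v21.0 (en-GB)
Deleted : user_pref("keyword.URL", "hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=XPxdm016YYgb&ptb[...]
"""

SECTION_RE = re.compile(r"^\*{5} \[(.+?)\] \*{5}$")
ACTION_RE = re.compile(r"^(File Deleted|Folder Deleted|Key Deleted|Value Deleted|Replaced|Deleted) : (.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
REPLACED_RE = re.compile(r"^\[(.+?)\] = (.*?) --> (.*)$")

# IE add-on registration points (labels are my own). The GUID under each is the
# add-on's CLSID, so one GUID under several of them is one add-on, not several finds.
IE_REG_POINTS = {
    r"\Classes\CLSID": "CLSID registration",
    r"\Explorer\Browser Helper Objects": "BHO (loaded into every IE process)",
    r"\CurrentVersion\Ext\Settings": "add-on settings",
    r"\CurrentVersion\Ext\Stats": "add-on stats",
    r"\CurrentVersion\Ext\PreApproved": "pre-approved (installed without a prompt)",
    r"\Internet Explorer\URLSearchHooks": "URL search hook",
    r"\Internet Explorer\Toolbar": "toolbar",
}


def parse_adwcleaner_log(text):
    """Return (section, action, target) for every action line, keyed by its section banner."""
    section, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # report header and EOF lines
            continue
        banner = SECTION_RE.match(line)
        if banner:
            section = banner.group(1)
            continue
        hit = ACTION_RE.match(line)
        if hit and section:                       # skips "-\\ Browser" and "File :" context lines
            entries.append((section, hit.group(1), hit.group(2)))
    return entries


def guid_footprint(entries):
    """Map each CLSID in the Registry section to the IE registration points it was removed from."""
    footprint = defaultdict(set)
    for section, _, target in entries:
        if section != "Registry":
            continue
        low = target.lower()
        label = next((v for k, v in IE_REG_POINTS.items() if k.lower() in low), "other registry key")
        for guid in GUID_RE.findall(target):
            footprint[guid.upper()].add(label)
    return dict(footprint)


def browser_changes(entries):
    """Return the settings AdwCleaner reset as (setting, old, new) and the Firefox pref names it deleted."""
    replaced, prefs = [], []
    for section, action, target in entries:
        if section != "Internet Browsers":
            continue
        if action == "Replaced" and (m := REPLACED_RE.match(target)):
            replaced.append(m.groups())
        elif action == "Deleted" and (m := re.match(r'user_pref\("([^"]+)"', target)):
            prefs.append(m.group(1))
    return replaced, prefs


def triage(text):
    """Condense a full report into counts per section, per-add-on footprints and browser resets."""
    entries = parse_adwcleaner_log(text)
    counts = defaultdict(int)
    for section, _, _ in entries:
        counts[section] += 1
    replaced, prefs = browser_changes(entries)
    return {"counts": dict(counts), "footprint": guid_footprint(entries),
            "replaced": replaced, "deleted_prefs": prefs}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for guid, points in sorted(report["footprint"].items(), key=lambda kv: -len(kv[1])):
        print(f"{guid}: removed from {len(points)} place(s): {', '.join(sorted(points))}")
    for setting, old, new in report["replaced"]:
        print(f"Reset {setting}: {old} -> {new}")
    print("Deleted Firefox prefs:", report["deleted_prefs"])
```

Run against a real AdwCleaner[S1].txt by passing its contents to triage(); a CLSID that shows up under the BHO and PreApproved points at once is the usual shape of a toolbar installed without the user being asked.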


#9 Oh My! (Malware Response Instructor)

Posted 31 May 2013 - 10:06 AM

OK, you can wait and post everything at once. A bit more efficient that way.
Gary

#10 xXToffeeXx (Topic Starter, Malware Response Instructor)

Posted 31 May 2013 - 10:15 AM

Hmm, the system tray icons seem to have disappeared so I'm not sure how to disable the anti-virus (Avast!) without it. Combofix has detected Avast! running so I'm not sure what to do.

 

I can provide a screenshot of what it looks like if you want.


Edited by xXToffeeXx, 31 May 2013 - 10:16 AM.



#11 Oh My! (Malware Response Instructor)

Posted 31 May 2013 - 10:19 AM

Go into Task Manager and stop all Avast processes as best you can then go ahead and run Combofix.
Gary

#12 xXToffeeXx (Topic Starter, Malware Response Instructor)

Posted 31 May 2013 - 10:24 AM

When I tried to end AvastUI.exe (the only Avast! process) it said "Operation could not be completed. Access is denied". Should I carry on with running Combofix, or uninstall Avast!?




#13 Oh My! (Malware Response Instructor)

Posted 31 May 2013 - 10:53 AM

Go ahead and run Combofix.
Gary

#14 xXToffeeXx (Topic Starter, Malware Response Instructor)

Posted 31 May 2013 - 11:03 AM

Okay, running it now. Will post back when I have run Combofix.

 

Oh, and here is the JRT log:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.4 (05.06.2013:1)
OS: Windows Vista ™ Home Premium x86
Ran by david on 31/05/2013 at 15:58:31.99
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\siteranker
 
 
 
~~~ Registry Keys
 
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{08AB7C83-BB0B-423E-B1D0-FB7D6B4016CB}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{a5b9c0f5-5616-47cd-a95f-e43b488faccf}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{a5b9c0f5-5616-47cd-a95f-e43b488faccf}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] "C:\ProgramData\pc1data"
Failed to delete: [Folder] "C:\Users\david\AppData\Roaming\pc cleaners"
Successfully deleted: [Folder] "C:\Users\david\AppData\Roaming\pcpro"
Successfully deleted: [Folder] "C:\Users\david\appdata\locallow\televisionfanatic"
Successfully deleted: [Folder] "C:\Users\david\appdata\locallow\televisionfanaticei"
Failed to delete: [Folder] "C:\Program Files\pc cleaners"
Successfully deleted: [Folder] "C:\Program Files\televisionfanatic"
Successfully deleted: [Folder] "C:\Program Files\televisionfanaticei"
Successfully deleted: [Folder] "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\pc cleaners"
 
 
 
~~~ FireFox
 
Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\64ffxtbr@televisionfanatic.com
Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\siteranker@siteranker.com
Successfully deleted the following from C:\Users\david\AppData\Roaming\mozilla\firefox\profiles\hipu0gvu.default\prefs.js
 
user_pref("extensions.64ffxtbr@TelevisionFanatic.com.install-event-fired", true);
user_pref("extensions.TelevisionFanatic.prevKwdEnabled", true);
user_pref("extensions.TelevisionFanatic.prevKwdURL", "");
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 31/05/2013 at 16:03:57.00
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 


Edited by xXToffeeXx, 31 May 2013 - 11:04 AM.



#15 xXToffeeXx (Topic Starter, Malware Response Instructor)

Posted 31 May 2013 - 11:21 AM

Well, Combofix ran fast. Perhaps because of the lack of documents and pictures on this laptop, but it deleted a lot of stuff for sure.

 

Combofix log:

 

ComboFix 13-05-31.02 - david 31/05/2013  17:03:13.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.3061.1584 [GMT 1:00]
Running from: c:\users\david\Desktop\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\0tbpw.pad
c:\users\david\AppData\Roaming\.#
c:\users\david\AppData\Roaming\.#\MBX@134C@372990.###
c:\users\david\AppData\Roaming\.#\MBX@134C@3729C0.###
c:\users\david\AppData\Roaming\.#\MBX@134C@3729F0.###
c:\users\david\AppData\Roaming\.#\MBX@13F0@17A2990.###
c:\users\david\AppData\Roaming\.#\MBX@13F0@17A29C0.###
c:\users\david\AppData\Roaming\.#\MBX@13F0@17A29F0.###
c:\users\david\AppData\Roaming\.#\MBX@1404@1BB2990.###
c:\users\david\AppData\Roaming\.#\MBX@1404@1BB29C0.###
c:\users\david\AppData\Roaming\.#\MBX@1404@1BB29F0.###
c:\users\david\AppData\Roaming\.#\MBX@1624@17C2990.###
c:\users\david\AppData\Roaming\.#\MBX@1624@17C29C0.###
c:\users\david\AppData\Roaming\.#\MBX@1624@17C29F0.###
c:\users\david\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.dll
c:\users\david\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.exe
c:\users\david\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.sys
c:\users\david\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.tmp
c:\users\david\AppData\Roaming\Microsoft\Windows\Recent\cid.exe
c:\users\david\AppData\Roaming\Microsoft\Windows\Recent\CLSV.exe
c:\users\david\AppData\Roaming\Microsoft\Windows\Recent\ddv.drv
c:\users\david\AppData\Roaming\Microsoft\Windows\Recent\dudl.sys
c:\users\david\AppData\Roaming\Microsoft\Windows\Recent\eb.drv
c:\users\david\AppData\Roaming\Microsoft\Windows\Recent\eb.sys
c:\users\david\AppData\Roaming\Microsoft\Windows\Recent\energy.dll
c:\users\david\AppData\Roaming\Microsoft\Windows\Recent\exec.dll
c:\users\david\AppData\Roaming\Microsoft\Windows\Recent\exec.sys
c:\users\david\AppData\Roaming\Microsoft\Windows\Recent\FS.tmp
c:\users\david\AppData\Roaming\Microsoft\Windows\Recent\FW.drv
c:\users\david\AppData\Roaming\Microsoft\Windows\Recent\FW.tmp
c:\users\david\AppData\Roaming\Microsoft\Windows\Recent\hymt.tmp
c:\users\david\AppData\Roaming\Microsoft\Windows\Recent\kernel32.dll
c:\users\david\AppData\Roaming\Microsoft\Windows\Recent\pal.dll
c:\users\david\AppData\Roaming\Microsoft\Windows\Recent\pal.exe
c:\users\david\AppData\Roaming\Microsoft\Windows\Recent\PE.drv
c:\users\david\AppData\Roaming\Microsoft\Windows\Recent\PE.sys
c:\users\david\AppData\Roaming\Microsoft\Windows\Recent\runddl.sys
c:\users\david\AppData\Roaming\Microsoft\Windows\Recent\runddlkey.sys
c:\users\david\AppData\Roaming\Microsoft\Windows\Recent\SICKBOY.drv
c:\users\david\AppData\Roaming\Microsoft\Windows\Recent\sld.drv
c:\users\david\AppData\Roaming\Microsoft\Windows\Recent\sld.exe
c:\users\david\AppData\Roaming\Microsoft\Windows\Recent\snl2w.drv
c:\users\david\AppData\Roaming\Microsoft\Windows\Recent\tjd.dll
c:\users\david\AppData\Roaming\Microsoft\Windows\Recent\tjd.sys
c:\users\david\AppData\Roaming\Microsoft\Windows\Recent\tjd.tmp
.
.
(((((((((((((((((((((((((   Files Created from 2013-04-28 to 2013-05-31  )))))))))))))))))))))))))))))))
.
.
2013-05-31 16:13 . 2013-05-31 16:14 -------- d-----w- c:\users\david\AppData\Local\temp
2013-05-31 16:13 . 2013-05-31 16:13 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-05-31 16:13 . 2013-05-31 16:13 -------- d-----w- c:\users\user\AppData\Local\temp
2013-05-31 14:58 . 2013-05-31 14:58 -------- d-----w- c:\windows\ERUNT
2013-05-31 14:58 . 2013-05-31 14:58 -------- d-----w- C:\JRT
2013-05-31 14:51 . 2013-05-09 08:59 174664 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-05-31 14:51 . 2013-05-09 08:59 49376 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-05-31 14:08 . 2013-05-31 14:08 -------- d-----w- C:\FRST
2013-05-31 12:57 . 2013-05-13 06:19 7016152 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{7958481D-0BD4-4E6E-AF9C-E6E2590F73CD}\mpengine.dll
2013-05-28 11:52 . 2013-05-28 11:52 -------- d-----w- c:\program files\PackageTracer_69
2013-05-25 16:00 . 2013-05-25 16:00 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-25 15:55 . 2013-05-25 15:55 -------- d-----w- c:\program files\VS Revo Group
2013-05-25 15:44 . 2013-05-25 15:44 -------- d-----w- c:\users\david\AppData\Local\Secunia PSI
2013-05-25 15:44 . 2013-05-25 15:44 -------- d-----w- c:\program files\Secunia
2013-05-25 15:43 . 2013-05-25 15:43 -------- d-----w- c:\program files\Common Files\Skype
2013-05-25 15:15 . 2013-05-25 15:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-05-25 15:15 . 2013-04-04 13:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-05-19 11:00 . 2013-05-05 19:12 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-05-19 10:47 . 2013-04-04 22:47 149632 ----a-w- c:\program files\Internet Explorer\sqmapi.dll
2013-05-19 10:47 . 2013-04-04 22:00 768512 ----a-w- c:\program files\Common Files\Microsoft Shared\vgx\VGX.dll
2013-05-19 10:47 . 2013-04-04 21:57 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-05-16 21:40 . 2013-04-15 14:20 638328 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-05-16 21:40 . 2013-04-13 10:56 37376 ----a-w- c:\windows\system32\cdd.dll
2013-05-16 21:40 . 2013-04-09 01:36 2049024 ----a-w- c:\windows\system32\win32k.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-25 21:14 . 2010-06-24 10:33 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-05-25 16:00 . 2012-02-07 15:47 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-09 08:59 . 2012-06-27 14:32 368944 ----a-w- c:\windows\system32\drivers\aswSP.sys
2013-05-09 08:59 . 2012-06-27 14:32 56080 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2013-05-09 08:59 . 2012-06-27 14:31 765736 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-05-09 08:59 . 2012-06-27 14:32 49760 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2013-05-09 08:59 . 2012-06-27 14:31 66336 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-05-09 08:59 . 2012-06-27 14:32 29816 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2013-05-09 08:58 . 2012-06-27 14:31 41664 ----a-w- c:\windows\avastSS.scr
2013-05-09 08:58 . 2012-06-27 14:31 229648 ----a-w- c:\windows\system32\aswBoot.exe
2013-05-02 01:06 . 2009-10-03 10:52 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-04-18 13:55 . 2013-04-18 13:55 16024 ----a-w- c:\windows\system32\drivers\psi_mf_x86.sys
2013-03-11 13:25 . 2013-04-09 21:43 3603816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-11 13:25 . 2013-04-09 21:43 3551080 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-09 03:45 . 2013-04-09 21:43 49152 ----a-w- c:\windows\system32\csrsrv.dll
2013-03-09 01:28 . 2013-04-09 21:43 64000 ----a-w- c:\windows\system32\smss.exe
2013-03-08 03:53 . 2013-04-09 21:43 376320 ----a-w- c:\windows\system32\winsrv.dll
2013-03-08 03:52 . 2013-04-09 21:43 2067968 ----a-w- c:\windows\system32\mstscax.dll
2013-03-03 19:07 . 2013-04-09 21:43 1082232 ----a-w- c:\windows\system32\drivers\ntfs.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-05-09 08:58 121968 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-01-03 09:00 39472 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Logitech Vid"="c:\program files\Logitech\Vid HD\Vid.exe" [2011-01-13 6129496]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-03-11 5296128]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-03-05 525360]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-01-04 768520]
"PlayMovie"="c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe" [2008-01-22 200704]
"Skytel"="Skytel.exe" [2007-11-20 1826816]
"Acer Product Registration"="c:\program files\Acer\Acer Registration\ACE1.exe" [2007-11-26 3387392]
"Acer Assist Launcher"="c:\program files\Acer\Acer Assist\launcher.exe" [2007-11-19 1261568]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-07-21 159744]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2009-12-03 976320]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-05-09 4858968]
"PC Cleaners"="c:\program files\PC Cleaners\PCCleaners.exe" [2012-11-01 55841592]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2011-03-01 190808]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"PackageTracer Search Scope Monitor"="c:\progra~1\PACKAG~2\bar\1.bin\69srchmn.exe" [2013-05-28 44784]
"PackageTracer_69 Browser Plugin Loader"="c:\progra~1\PACKAG~2\bar\1.bin\69brmon.exe" [2013-05-28 30096]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"C50BFE1E-29E4-4BCD-8C03-5F2FB00285D3"="start" [X]
"aswAhAScr.dll"="c:\program files\AVAST Software\Avast\aswRegSvr.exe" [2013-05-09 51880]
"aswasOutExt.dll"="c:\program files\AVAST Software\Avast\aswRegSvr.exe" [2013-05-09 51880]
.
c:\users\david\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2008-3-20 535336]
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2013-4-18 563224]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^david^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^ctfmon.lnk]
path=c:\users\david\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk
backup=c:\windows\pss\ctfmon.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2013-04-04 13:50 887432
----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
S2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ASWRVRT
*NewlyCreated* - ASWVMM
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ   FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-31 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-05-25 16:00]
.
2013-05-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-09-24 12:45]
.
2013-05-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-09-24 12:45]
.
2013-05-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4037396673-1708992470-2302252894-1001Core.job
- c:\users\david\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-04 17:20]
.
2013-05-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4037396673-1708992470-2302252894-1001UA.job
- c:\users\david\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-04 17:20]
.
2013-04-28 c:\windows\Tasks\pc-dis-upd.job
- c:\program files\PC Cleaners\PCCleaners.exe [2012-11-01 10:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://en.us.acer.yahoo.com
TCP: DhcpNameServer = 192.168.1.1 0.0.0.0
FF - ProfilePath - c:\users\david\AppData\Roaming\Mozilla\Firefox\Profiles\hipu0gvu.default\
FF - prefs.js: browser.search.selectedEngine - My Way
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - ExtSQL: !HIDDEN! 2009-09-02 13:26; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-SetPanel - c:\acer\APanel\APanel.cmd
HKLM-Run-eRecoveryService - (no file)
HKLM-Run-Acer Tour Reminder - c:\acer\AcerTour\Reminder.exe
SafeBoot-83873824.sys
SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-{FCC69FAA-CFE4-D17D-BBEF-2C34C9495D9D} - c:\users\david\AppData\Roaming\Edmaa\wosyxea.exe
AddRemove-{11BF46C6-B3DE-48BD-BF70-3AD85CAB80B5}_is1 - c:\program files\SiteRanker\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-05-31 17:14
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2013-05-31  17:17:48
ComboFix-quarantined-files.txt  2013-05-31 16:17
.
Pre-Run: 27,646,324,736 bytes free
Post-Run: 30,594,019,328 bytes free
.
- - End Of File - - A4DC358458353EF19C074BE4F0135B08

~If I am helping you and you have not had a reply from me in two days, please send me a PM~
 ~Twitter~ | ~Malware Analyst at Emsisoft~
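The ComboFix log above lists autorun entries in three shapes: `"Name"="target" [date size]` lines under the `Run`/`RunOnce` keys, orphaned `HKLM-Run-…`/`MSConfigStartUp-…` lines, and `(no file)` markers for keys whose target is gone. The triage helper below is an added example written for this page; it is not part of the original post and not a DDS or ComboFix feature. It parses those line shapes and flags the entries a responder should look at first: a bare filename with no path (resolved through the search path), an executable under the user profile or ProgramData (user-writable, where droppers usually land), a path stored in 8.3 short form, or a missing target. The flags mark entries for review; they do not by themselves establish that an entry is malicious, and several flagged entries in the posted log (for example the Acer `LManager` short-name path) are legitimate OEM software. The sample log is constructed for this example and modelled on the posted lines; the `Services\Example` key in it is hypothetical and only shows that values outside a `Run` key are ignored.

```python
"""
Triage helper for the autorun section of a DDS/ComboFix-style log.

Added example for this page, not code from the original post or from
the DDS/ComboFix tools.  Line shapes handled (assumed from the log format):

  [HKEY_...\CurrentVersion\Run]                  key header; only values under a
  "Name"="target" [YYYY-MM-DD size]              ...\Run or \RunOnce key count
  HKLM-Run-Name - target                          orphan line
  MSConfigStartUp-{GUID} - target                 orphan line
"""
import re
from dataclasses import dataclass
from typing import List

RUN_LINE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"'                 # "Name"="target"
    r'(?:\s+\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\])?'  # optional [date size]
)
ORPHAN_LINE = re.compile(r'^(?P<name>\S+) - (?P<target>.+)$')  # e.g. HKLM-Run-X - path

USER_PROFILE = re.compile(r'^c:\\users\\', re.I)      # per-user, user-writable
PROGRAM_DATA = re.compile(r'^c:\\programdata\\', re.I)
SHORT_NAME = re.compile(r'~\d+\\', re.I)              # 8.3 form such as c:\progra~1\


@dataclass
class AutorunEntry:
    name: str
    target: str
    flags: List[str]


def classify(target: str) -> List[str]:
    """Return review flags for one autorun target (empty list = nothing notable)."""
    t = target.strip()
    if t == "(no file)":
        return ["missing-file"]           # key survives but its target is gone
    flags = []
    if "\\" not in t:
        flags.append("bare-filename")     # found via search path; easy to shadow
    if USER_PROFILE.match(t):
        flags.append("user-profile")      # user-writable location
    if PROGRAM_DATA.match(t):
        flags.append("programdata")       # writable by standard users on Vista
    if SHORT_NAME.search(t):
        flags.append("short-name")        # stored as 8.3 path; worth resolving
    return flags


def parse_autoruns(log_text: str) -> List[AutorunEntry]:
    """Collect Run/RunOnce values and orphaned Run entries from the log text."""
    entries: List[AutorunEntry] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()          # track which registry key we are in
            continue
        m = RUN_LINE.match(line)
        if m:
            if "\\run" in current_key:                # matches ...\Run and ...\RunOnce
                entries.append(AutorunEntry(m["name"], m["target"], classify(m["target"])))
            continue
        m = ORPHAN_LINE.match(line)
        if m and ("Run-" in m["name"] or m["name"].startswith("MSConfigStartUp")):
            entries.append(AutorunEntry(m["name"], m["target"], classify(m["target"])))
    return entries


def suspicious(entries: List[AutorunEntry]) -> List[AutorunEntry]:
    """Entries carrying at least one review flag."""
    return [e for e in entries if e.flags]


# Constructed sample modelled on the posted log; the Services\Example key is hypothetical.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-03-11 5296128]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-01-04 768520]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-05-09 4858968]
"PC Cleaners"="c:\program files\PC Cleaners\PCCleaners.exe" [2012-11-01 55841592]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Example]
"ImagePath"="c:\windows\system32\drivers\example.sys"
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-eRecoveryService - (no file)
MSConfigStartUp-{FCC69FAA-CFE4-D17D-BBEF-2C34C9495D9D} - c:\users\david\AppData\Roaming\Edmaa\wosyxea.exe
"""

if __name__ == "__main__":
    for entry in suspicious(parse_autoruns(SAMPLE_LOG)):
        print(f"{', '.join(entry.flags):<14} {entry.name} -> {entry.target}")
```

Run against a full DDS or ComboFix log, the output is a short list to resolve by hand: confirm each flagged file's publisher and hash, and treat a randomly named executable under `AppData\Roaming` as the first thing to quarantine and submit.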