
Infected with Zero Access?


This topic is locked
17 replies to this topic

#1 DaltonW47

  • Members
  • 39 posts

Posted 05 June 2013 - 03:31 PM

Getting redirects on IE8 that show the text of my last Google request (just the search terms - no results). The address of the page is an IP address only (no url). Have checked browser options for proxy - shows no proxy.

Ran Malwarebytes - removed several trojans from C:\recycler.

Ran RogueKiller (Scan only) - Showed Zero Access (Max++). Did not understand instructions for removal so I left as is.

MSE does not appear to be operating. When I try a manual start, I get the following:

C:\Program Files\Microsoft Security Client\msseces.exe

The file can not be accessed by the system.

When I try to check the Windows Firewall from the Control Panel I get the following:

Due to an unidentified problem, Windows cannot display Windows Firewall settings.

The DDS.txt log is below and the attach.txt log is attached.

Thanks,

Dalton


DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.5.1
Run by Eileen at 15:13:56 on 2013-06-05
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1260 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cobian Backup 10\cbVSCService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\Program Files\Cobian Backup 10\Cobian.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IncrediMail\Bin\ImApp.exe
C:\Program Files\Cobian Backup 10\cbInterface.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uInternet Connection Wizard,ShellNext = iexplore
uProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Easy-WebPrint: {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [IncrediMail] c:\program files\incredimail\bin\IncMail.exe /c
uRun: [Cobian Backup 10] "c:\program files\cobian backup 10\Cobian.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1297351588234
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.254.254
TCP: Interfaces\{671964BF-9A37-43DD-AD7C-88A03562AE7E} : DHCPNameServer = 192.168.254.254
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\eileen\application data\mozilla\firefox\profiles\gvszodq2.default\
FF - prefs.js: browser.startup.homepage - hxxp://us.mg3.mail.yahoo.com/dc/launch?.gx=1&.rand=absfj158afbos
FF - plugin: c:\documents and settings\eileen\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\npjpi170_05.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_268.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-8-30 195296]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\cobian backup 10\cbVSCService.exe [2010-12-21 67584]
S3 MFE_RR;MFE_RR;\??\c:\docume~1\eileen\locals~1\temp\mfe_rr.sys --> c:\docume~1\eileen\locals~1\temp\mfe_rr.sys [?]
S4 TeamViewer7;TeamViewer 7;c:\program files\teamviewer\version7\TeamViewer_Service.exe [2012-4-18 2666880]
.
=============== Created Last 30 ================
.
2013-06-03 11:38:11 7016152 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{89222be1-7b36-476d-b27a-e3f4c12b598d}\mpengine.dll
2013-06-02 11:38:19 7016152 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-05-30 16:51:31 -------- d-----w- C:\sr
2013-05-30 16:50:54 -------- d-----w- C:\mvf
2013-05-10 07:57:26 187456 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2013-05-10 07:57:26 187456 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M  ====================
.
2013-05-22 11:55:28 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-22 11:55:26 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-02 15:28:50 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-04-16 22:17:15 920064 ----a-w- c:\windows\system32\wininet.dll
2013-04-16 22:17:14 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-04-16 22:17:14 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-04-12 23:28:55 385024 ----a-w- c:\windows\system32\html.iec
2013-04-10 01:31:19 1876352 ----a-w- c:\windows\system32\win32k.sys
2013-04-04 19:50:32 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-08 08:36:22 293376 ----a-w- c:\windows\system32\winsrv.dll
.
============= FINISH: 15:14:58.65 ===============
#2 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 06 June 2013 - 09:52 AM

Hello and welcome.  Please follow these guidelines while we work on your PC:

  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.”  Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.


Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#3 DaltonW47

  • Topic Starter
  • Members
  • 39 posts

Posted 06 June 2013 - 03:10 PM

Ran FRST as requested. Log below and addition.txt is attached.

Thanks,

Dalton


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 05-06-2013 01
Ran by Eileen (administrator) on 06-06-2013 15:07:52
Running from C:\Documents and Settings\Eileen\Desktop\MW Removal
Microsoft Windows XP Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(CobianSoft, Luis Cobian) C:\Program Files\Cobian Backup 10\cbVSCService.exe
(Microsoft Corporation) C:\WINDOWS\eHome\ehRecvr.exe
(Microsoft Corporation) C:\WINDOWS\eHome\ehSched.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
(Luis Cobian, CobianSoft) C:\Program Files\Cobian Backup 10\Cobian.exe
(Luis Cobian, CobianSoft) C:\Program Files\Cobian Backup 10\cbInterface.exe
(Microsoft Corporation) C:\Program Files\internet explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\internet explorer\iexplore.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon [2569616 2010-07-25] (CANON INC.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [421888 2010-11-29] (Apple Inc.)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [947152 2013-01-27] ()
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess
HKCU\...\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c [366024 2011-11-15] (IncrediMail, Ltd.)
HKCU\...\Run: [Cobian Backup 10] "C:\Program Files\Cobian Backup 10\Cobian.exe" [421376 2010-09-23] (Luis Cobian, CobianSoft)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll (Oracle Corporation)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll (Google Inc.)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU -Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU -&Links - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
PDF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
PDF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
PDF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -  No File
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 03 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [152864] (Apple Inc.)
Winsock: Catalog9 01 mswsock.dll [152864] (Apple Inc.)
Winsock: Catalog9 02 mswsock.dll [152864] (Apple Inc.)
Winsock: Catalog9 03 mswsock.dll [152864] (Apple Inc.)
Winsock: Catalog9 04 mswsock.dll [152864] (Apple Inc.)
Winsock: Catalog9 05 mswsock.dll [152864] (Apple Inc.)
Winsock: Catalog9 06 mswsock.dll [152864] (Apple Inc.)
Winsock: Catalog9 07 mswsock.dll [152864] (Apple Inc.)
Winsock: Catalog9 08 mswsock.dll [152864] (Apple Inc.)
Winsock: Catalog9 09 mswsock.dll [152864] (Apple Inc.)
Winsock: Catalog9 10 mswsock.dll [152864] (Apple Inc.)
Winsock: Catalog9 11 mswsock.dll [152864] (Apple Inc.)
Winsock: Catalog9 12 mswsock.dll [152864] (Apple Inc.)
Winsock: Catalog9 13 mswsock.dll [152864] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.254.254

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Eileen\Application Data\Mozilla\Firefox\Profiles\gvszodq2.default
FF Homepage: hxxp://us.mg3.mail.yahoo.com/dc/launch?.gx=1&.rand=absfj158afbos
FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_3_300_268.dll ()
FF Plugin: @adobe.com/ShockwavePlayer - C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin: @java.com/DTPlugin,version=10.5.1 - C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.5.1 - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @unity3d.com/UnityPlayer - C:\Program Files\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: Mozilla Framework Assistant - C:\Documents and Settings\Eileen\Application Data\Mozilla\Firefox\Profiles\gvszodq2.default\Extensions\{012c995f-e8f9-43b2-b940-21279261e20a}
FF Extension: Microsoft .NET Framework Assistant - C:\Documents and Settings\Eileen\Application Data\Mozilla\Firefox\Profiles\gvszodq2.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b}

========================== Services (Whitelisted) =================

S2 ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [520192 2006-02-09] ()
R2 cbVSCService; C:\Program Files\Cobian Backup 10\cbVSCService.exe [67584 2010-09-23] (CobianSoft, Luis Cobian)
S2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [20456 2013-01-27] ()
S3 NetSvc; C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe [147456 2004-11-19] (Intel® Corporation)
S4 JavaQuickStarterService; "C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe" -service -config "C:\Program Files\Oracle\JavaFX 2.1 Runtime\lib\deploy\jqs\jqs.conf" [x]

==================== Drivers (Whitelisted) ====================

R3 ati2mtag; C:\Windows\System32\DRIVERS\ati2mtag.sys [1502208 2006-02-09] (ATI Technologies Inc.)
R3 HDAudBus; C:\Windows\System32\DRIVERS\HDAudBus.sys [144384 2008-04-13] (Windows ® Server 2003 DDK provider)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [195296 2013-01-20] (Microsoft Corporation)
R3 NuidFltr; C:\Windows\System32\DRIVERS\NuidFltr.sys [14736 2009-05-09] (Microsoft Corporation)
R3 STHDA; C:\Windows\System32\drivers\sthda.sys [1047816 2005-11-16] (SigmaTel, Inc.)
S4 Abiosdsk; No ImagePath
S4 abp480n5; No ImagePath
S4 adpu160m; No ImagePath
S4 Aha154x; No ImagePath
S4 aic78u2; No ImagePath
S4 aic78xx; No ImagePath
S4 AliIde; No ImagePath
S4 amsint; No ImagePath
S4 asc; No ImagePath
S4 asc3350p; No ImagePath
S4 asc3550; No ImagePath
S4 Atdisk; No ImagePath
S4 cd20xrnt; No ImagePath
S4 CmdIde; No ImagePath
S4 Cpqarray; No ImagePath
U4 dac2w2k; No ImagePath
S4 dac960nt; No ImagePath
S4 dpti2o; No ImagePath
S4 hpn; No ImagePath
S4 i2omp; No ImagePath
S4 ini910u; No ImagePath
S4 IntelIde; No ImagePath
S3 MFE_RR; \??\C:\DOCUME~1\Eileen\LOCALS~1\Temp\mfe_rr.sys [x]
S4 mraid35x; No ImagePath
S4 perc2; No ImagePath
S4 perc2hib; No ImagePath
S4 ql1080; No ImagePath
S4 Ql10wnt; No ImagePath
S4 ql12160; No ImagePath
S4 ql1240; No ImagePath
S4 ql1280; No ImagePath
S4 Simbad; No ImagePath
S4 Sparrow; No ImagePath
S4 symc810; No ImagePath
S4 symc8xx; No ImagePath
S4 sym_hi; No ImagePath
S4 sym_u3; No ImagePath
S4 TosIde; No ImagePath
S4 ultra; No ImagePath
S4 ViaIde; No ImagePath

==================== NetSvcs (Whitelisted) ===================

NETSVC: MHN -> C:\Windows\System32\mhn.dll (Microsoft Corporation)

==================== One Month Created Files and Folders ========

2013-06-06 15:07 - 2013-06-06 15:07 - 00000000 ____D C:\FRST
2013-06-05 15:15 - 2013-06-05 15:15 - 00015584 ____A C:\Documents and Settings\Eileen\Desktop\attach.txt
2013-06-05 15:15 - 2013-06-05 15:14 - 00007946 ____A C:\Documents and Settings\Eileen\Desktop\dds.txt
2013-06-05 14:44 - 2013-06-05 14:44 - 00003012 ____A C:\Documents and Settings\Eileen\Desktop\RKreport[2]_D_06052013_02d1444.txt
2013-06-05 14:42 - 2013-06-05 14:42 - 00002454 ____A C:\Documents and Settings\Eileen\Desktop\RKreport[1]_S_06052013_02d1442.txt
2013-06-05 14:36 - 2013-06-05 14:44 - 00000000 ____D C:\Documents and Settings\Eileen\Desktop\RK_Quarantine
2013-06-05 10:28 - 2013-06-05 10:28 - 00001203 ____A C:\AdwCleaner[S2].txt
2013-06-05 10:26 - 2013-06-05 10:27 - 00001138 ____A C:\AdwCleaner[R2].txt
2013-06-05 10:26 - 2013-06-05 10:26 - 00632031 ____A C:\Documents and Settings\Eileen\Desktop\AdwCleaner.exe
2013-05-30 11:51 - 2013-05-30 11:51 - 00000000 ____D C:\sr
2013-05-30 11:50 - 2013-05-30 11:50 - 00000000 ____D C:\mvf
2013-05-22 06:51 - 2013-05-22 06:50 - 00090112 ____A C:\Windows\Minidump\Mini052213-01.dmp
2013-05-19 20:35 - 2013-05-19 20:35 - 00000784 ____A C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2013-05-19 20:05 - 2013-05-19 20:08 - 00011224 ____A C:\Windows\KB2829530-IE8.log
2013-05-19 19:55 - 2013-05-19 19:56 - 00005309 ____A C:\Windows\KB2847204-IE8.log
2013-05-19 19:54 - 2013-05-19 19:55 - 00006350 ____A C:\Windows\KB2820197.log
2013-05-19 19:54 - 2013-05-19 19:54 - 00000000 __HDC C:\Windows\$NtUninstallKB2820197$
2013-05-19 19:42 - 2013-05-19 19:42 - 00000000 __HDC C:\Windows\$NtUninstallKB2829361$
2013-05-19 18:53 - 2013-05-19 19:43 - 00009652 ____A C:\Windows\KB2829361.log

==================== One Month Modified Files and Folders ========

2013-06-06 15:07 - 2013-06-06 15:07 - 00000000 ____D C:\FRST
2013-06-06 15:07 - 2012-11-17 10:49 - 00000000 ____D C:\Documents and Settings\Eileen\Desktop\MW Removal
2013-06-05 17:32 - 2013-03-30 18:42 - 00020801 ____A C:\Windows\setupapi.log
2013-06-05 17:32 - 2013-03-14 03:05 - 00000692 ____A C:\Windows\setupact.log
2013-06-05 17:14 - 2012-11-17 14:58 - 00000159 ____A C:\Windows\wiadebug.log
2013-06-05 17:14 - 2012-11-17 14:58 - 00000048 ____A C:\Windows\wiaservc.log
2013-06-05 17:14 - 2010-12-21 15:33 - 00000062 __ASH C:\Documents and Settings\Eileen\Local Settings\desktop.ini
2013-06-05 17:14 - 2010-12-21 15:32 - 00000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini
2013-06-05 17:14 - 2010-12-21 15:32 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-05 17:14 - 2010-12-21 15:29 - 00000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini
2013-06-05 17:14 - 2010-12-21 15:22 - 00000000 ____D C:\Windows\Registration
2013-06-05 15:32 - 2012-11-17 14:57 - 00022886 ____A C:\Windows\SchedLgU.Txt
2013-06-05 15:32 - 2012-11-17 14:54 - 01826709 ____A C:\Windows\WindowsUpdate.log
2013-06-05 15:32 - 2010-12-21 15:33 - 00000178 ___SH C:\Documents and Settings\Eileen\ntuser.ini
2013-06-05 15:15 - 2013-06-05 15:15 - 00015584 ____A C:\Documents and Settings\Eileen\Desktop\attach.txt
2013-06-05 15:14 - 2013-06-05 15:15 - 00007946 ____A C:\Documents and Settings\Eileen\Desktop\dds.txt
2013-06-05 15:11 - 2011-09-28 11:24 - 00000000 ___SD C:\Documents and Settings\Eileen\My Documents\My PageManager
2013-06-05 14:44 - 2013-06-05 14:44 - 00003012 ____A C:\Documents and Settings\Eileen\Desktop\RKreport[2]_D_06052013_02d1444.txt
2013-06-05 14:44 - 2013-06-05 14:36 - 00000000 ____D C:\Documents and Settings\Eileen\Desktop\RK_Quarantine
2013-06-05 14:42 - 2013-06-05 14:42 - 00002454 ____A C:\Documents and Settings\Eileen\Desktop\RKreport[1]_S_06052013_02d1442.txt
2013-06-05 14:29 - 2012-11-13 23:07 - 00000000 __HDC C:\Windows\$NtUninstallKB2727528$
2013-06-05 10:54 - 2010-12-21 16:31 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-06-05 10:53 - 2011-11-09 20:56 - 00001324 ____A C:\Windows\System32\d3d9caps.dat
2013-06-05 10:28 - 2013-06-05 10:28 - 00001203 ____A C:\AdwCleaner[S2].txt
2013-06-05 10:27 - 2013-06-05 10:26 - 00001138 ____A C:\AdwCleaner[R2].txt
2013-06-05 10:26 - 2013-06-05 10:26 - 00632031 ____A C:\Documents and Settings\Eileen\Desktop\AdwCleaner.exe
2013-06-02 14:56 - 2011-02-13 16:08 - 00000000 ____D C:\Documents and Settings\Eileen\Application Data\PrimoPDF
2013-06-02 13:55 - 2010-12-22 06:40 - 00002483 ____A C:\Documents and Settings\Eileen\Desktop\Microsoft Word.lnk
2013-05-31 03:00 - 2010-12-21 04:43 - 00000000 ____D C:\Windows\repair
2013-05-30 11:51 - 2013-05-30 11:51 - 00000000 ____D C:\sr
2013-05-30 11:50 - 2013-05-30 11:50 - 00000000 ____D C:\mvf
2013-05-22 07:13 - 2004-08-10 07:00 - 00002206 ____A C:\Windows\System32\wpa.dbl
2013-05-22 06:55 - 2012-07-27 08:38 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-05-22 06:55 - 2012-04-11 04:32 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2013-05-22 06:55 - 2011-06-20 15:02 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2013-05-22 06:51 - 2011-11-13 07:36 - 00000000 ____D C:\Windows\Minidump
2013-05-22 06:50 - 2013-05-22 06:51 - 00090112 ____A C:\Windows\Minidump\Mini052213-01.dmp
2013-05-19 20:49 - 2010-12-21 15:21 - 00000000 ____D C:\Windows\Microsoft.NET
2013-05-19 20:35 - 2013-05-19 20:35 - 00000784 ____A C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2013-05-19 20:35 - 2010-12-21 16:25 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-05-19 20:28 - 2010-12-21 04:49 - 00286904 ____A C:\Windows\System32\FNTCACHE.DAT
2013-05-19 20:08 - 2013-05-19 20:05 - 00011224 ____A C:\Windows\KB2829530-IE8.log
2013-05-19 20:08 - 2013-03-14 03:05 - 00073075 ____A C:\Windows\iis6.log
2013-05-19 20:08 - 2013-03-14 03:05 - 00068018 ____A C:\Windows\FaxSetup.log
2013-05-19 20:08 - 2013-03-14 03:05 - 00032516 ____A C:\Windows\ocgen.log
2013-05-19 20:08 - 2013-03-14 03:05 - 00031037 ____A C:\Windows\tsoc.log
2013-05-19 20:08 - 2013-03-14 03:05 - 00022560 ____A C:\Windows\comsetup.log
2013-05-19 20:08 - 2013-03-14 03:05 - 00020632 ____A C:\Windows\msmqinst.log
2013-05-19 20:08 - 2013-03-14 03:05 - 00013662 ____A C:\Windows\ntdtcsetup.log
2013-05-19 20:08 - 2013-03-14 03:05 - 00011913 ____A C:\Windows\netfxocm.log
2013-05-19 20:08 - 2013-03-14 03:05 - 00007579 ____A C:\Windows\plusoc.log
2013-05-19 20:08 - 2013-03-14 03:05 - 00004730 ____A C:\Windows\MedCtrOC.log
2013-05-19 20:08 - 2013-03-14 03:05 - 00003762 ____A C:\Windows\ocmsn.log
2013-05-19 20:08 - 2013-03-14 03:05 - 00003718 ____A C:\Windows\ehOCGen.log
2013-05-19 20:08 - 2013-03-14 03:05 - 00003421 ____A C:\Windows\tabletoc.log
2013-05-19 20:08 - 2013-03-14 03:05 - 00003399 ____A C:\Windows\msgsocm.log
2013-05-19 20:08 - 2013-03-14 03:05 - 00001374 ____A C:\Windows\imsins.log
2013-05-19 20:08 - 2013-03-14 03:04 - 00009404 ____A C:\Windows\updspapi.log
2013-05-19 20:04 - 2010-12-21 04:50 - 00502150 ____A C:\Windows\System32\PerfStringBackup.INI
2013-05-19 19:56 - 2013-05-19 19:55 - 00005309 ____A C:\Windows\KB2847204-IE8.log
2013-05-19 19:56 - 2013-03-14 03:05 - 00001374 ____A C:\Windows\imsins.BAK
2013-05-19 19:55 - 2013-05-19 19:54 - 00006350 ____A C:\Windows\KB2820197.log
2013-05-19 19:54 - 2013-05-19 19:54 - 00000000 __HDC C:\Windows\$NtUninstallKB2820197$
2013-05-19 19:54 - 2010-12-21 16:24 - 00000000 ___HD C:\Windows\$hf_mig$
2013-05-19 19:44 - 2010-12-21 17:18 - 72607752 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-05-19 19:43 - 2013-05-19 18:53 - 00009652 ____A C:\Windows\KB2829361.log
2013-05-19 19:42 - 2013-05-19 19:42 - 00000000 __HDC C:\Windows\$NtUninstallKB2829361$
2013-05-19 18:47 - 2011-06-21 22:17 - 00000000 ____D C:\Program Files\Common Files\Adobe

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Microsoft Security Client\MsMpEng.exe => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client

==================== End Of Log ============================
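Added example, not part of the thread and not FRST's or the Malware Response Team's own code: a small Python triage script that reads text in the format of the FRST log above and pulls out the entries a helper would look at first. Three rules are applied: lines FRST itself marked `ATTENTION` (here the fastprox InprocServer32 hijack and the MsMpEng.exe junction), handlers that point at `No File` or `<orphaned>`, and Winsock catalog entries where `mswsock.dll` is attributed to a publisher other than Microsoft (in the log above, the Catalog9 entries carry the Bonjour size and `Apple Inc.`). The third rule is an assumption of this example, a prompt for a human to look rather than a verdict. The sample excerpt is constructed from lines of the log posted above; the names `scan_log`, `summarize` and `mentioning` are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a handful of lines copied from the FRST log posted in this
# thread, trimmed so the script runs offline. A real run would read FRST.txt.
SAMPLE_LOG = r"""
HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [947152 2013-01-27] ()
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -  No File
Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [152864] (Apple Inc.)
Winsock: Catalog9 01 mswsock.dll [152864] (Apple Inc.)
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Program Files\Microsoft Security Client\MsMpEng.exe => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client
""".strip("\n")

# "Winsock: Catalog9 01 mswsock.dll [152864] (Apple Inc.)" ->
#   catalog, index, module text, optional size, publisher
WINSOCK_RE = re.compile(r"^Winsock: (Catalog\d+) (\d+) (.+?)(?: \[(\d+)\])? \((.*?)\)")


@dataclass
class Finding:
    line_no: int
    category: str
    detail: str


def scan_log(text: str) -> List[Finding]:
    """Return the lines of an FRST-style log that deserve a reviewer's attention."""
    findings: List[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if "ATTENTION" in line:
            # FRST's own verdicts: always review these first.
            findings.append(Finding(n, "tool-flag", line))
            continue
        if line.endswith("No File") or "<orphaned>" in line:
            # Registered handler whose DLL is gone: leftover, worth cleaning up.
            findings.append(Finding(n, "orphan", line))
            continue
        m = WINSOCK_RE.match(line)
        if m:
            catalog, idx, module, _size, publisher = m.groups()
            base = module.split("\\")[-1].split()[0].lower()
            # Heuristic (assumption of this example): the system Winsock provider
            # should be attributed to Microsoft; anything else needs a human look.
            if base == "mswsock.dll" and "microsoft" not in publisher.lower():
                findings.append(Finding(
                    n, "winsock-publisher",
                    f"{catalog} {idx}: mswsock.dll attributed to '{publisher}'"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


def mentioning(findings: List[Finding], needle: str) -> List[int]:
    """Line numbers of findings whose text names a given family, e.g. 'ZeroAccess'."""
    return [f.line_no for f in findings if needle.lower() in f.detail.lower()]


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"line {f.line_no:>3} [{f.category}] {f.detail}")
    print(summarize(results))
    print("ZeroAccess named on lines:", mentioning(results, "ZeroAccess"))
```

Run against the constructed excerpt it reports three tool flags, one orphaned handler and one Winsock publisher mismatch; feeding it a full FRST.txt instead of `SAMPLE_LOG` is a one-line change. The point of the third rule is that a chain of identical `mswsock.dll` entries sharing a third-party size and signer is the kind of inconsistency a helper reads past the tool's own `ATTENTION` markers to spot.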

#4 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 06 June 2013 - 06:42 PM

Please do this next:

Go to this page and download Malwarebytes Anti-Rootkit (MBAR)

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • MBAR will create logs that you will find in the same folder you found MBAR.exe.  Please post those for me to review.




#5 DaltonW47

  • Topic Starter
  • Members
  • 39 posts

Posted 07 June 2013 - 02:21 AM

Ran MBAR as requested.

First Log:


Malwarebytes Anti-Rootkit BETA 1.06.0.1003
www.malwarebytes.org

Database version: v2013.06.06.09

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Eileen :: EW-NEWDELLE510 [administrator]

6/6/2013 7:48:54 PM
mbar-log-2013-06-06 (19-48-54).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: Deep Anti-Rootkit Scan | PUP
Objects scanned: 216425
Time elapsed: 1 hour(s), 7 minute(s), 37 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} (Hijack.Trojan.Siredef.C) -> Delete on reboot.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Clicked Cleanup and rebooted after complete.

2nd MBAR Scan

Malwarebytes Anti-Rootkit BETA 1.06.0.1003
www.malwarebytes.org

Database version: v2013.06.06.09

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Eileen :: EW-NEWDELLE510 [administrator]

6/6/2013 10:54:12 PM
mbar-log-2013-06-06 (22-54-12).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: Deep Anti-Rootkit Scan | PUP
Objects scanned: 216412
Time elapsed: 1 hour(s), 6 minute(s), 34 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

#6 DaltonW47
  • Topic Starter
  • Members
  • 39 posts

Posted 07 June 2013 - 10:04 AM

Browser redirects appear to have stopped. Still cannot start MSE (Same message). Windows Firewall can now be started and stopped.

Some progress!

Thanks,

Dalton

#7 RPMcMurphy
    Bleeping *^#@%~
  • Malware Response Team
  • 3,970 posts

Posted 07 June 2013 - 11:00 PM

Please do this next:

Download ComboFix from the link below:
Link 1

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link

  • Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please include the following in your next post:
  • ComboFix log


Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#8 DaltonW47
  • Topic Starter
  • Members
  • 39 posts

Posted 08 June 2013 - 06:58 AM

Downloaded Combofix and ran.  It reported that MS Security Essentials was active.  I could not find MSE in the processes section of the Task Manager and I could not activate the user interface.  I clicked OK and got a warning about running Combofix with MSE active.  I clicked OK and after creating a recovery point, the scan ran through Stage 50.  Got the message "Deleting files", then d:\install.exe.  System then hung - left idle for 10 minutes then used Task Manager to restart (all icons were gone from the desktop) and the taskbar was not visible.   Could not find Combofix log.



#9 RPMcMurphy
    Bleeping *^#@%~
  • Malware Response Team
  • 3,970 posts

Posted 08 June 2013 - 09:44 AM

Please try running it from the Safe Mode.


#10 DaltonW47
  • Topic Starter
  • Members
  • 39 posts

Posted 08 June 2013 - 11:19 AM

Ran CF in safe mode. CF reported that MSE was active. I had removed MSE using MSCONFIG before I booted into safe mode. CF ran to completion. Log below. As a side note, when I activated IE8 to post this reply, I got the message "Internet Explorer is not your default browser ......" and then several prompts advising that I was leaving a secure connection........ Are these a result of CF scan?

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1803 [GMT -5:00]
Running from: c:\documents and settings\Eileen\Desktop\MW Removal\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Thumbs.db
.
.
((((((((((((((((((((((((( Files Created from 2013-05-08 to 2013-06-08 )))))))))))))))))))))))))))))))
.
.
2013-06-07 00:48 . 2013-06-07 07:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-06-06 20:07 . 2013-06-06 20:07 -------- d-----w- C:\FRST
2013-06-03 11:38 . 2013-05-13 06:19 7016152 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{89222BE1-7B36-476D-B27A-E3F4C12B598D}\mpengine.dll
2013-06-02 11:38 . 2013-05-13 06:19 7016152 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-05-30 16:51 . 2013-05-30 16:51 -------- d-----w- C:\sr
2013-05-30 16:50 . 2013-05-30 16:50 -------- d-----w- C:\mvf
2013-05-10 07:57 . 2013-05-10 07:57 187456 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2013-05-10 07:57 . 2013-05-10 07:57 187456 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-22 11:55 . 2012-04-11 09:32 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-22 11:55 . 2011-06-20 20:02 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-02 15:28 . 2012-12-20 19:43 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-04-16 22:17 . 2004-08-10 12:00 920064 ----a-w- c:\windows\system32\wininet.dll
2013-04-16 22:17 . 2004-08-10 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-04-16 22:17 . 2004-08-10 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-04-12 23:28 . 2004-08-10 12:00 385024 ----a-w- c:\windows\system32\html.iec
2013-04-10 01:31 . 2004-08-10 12:00 1876352 ----a-w- c:\windows\system32\win32k.sys
2013-04-04 19:50 . 2010-12-21 21:25 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="c:\program files\IncrediMail\bin\IncMail.exe" [2011-11-15 366024]
"Cobian Backup 10"="c:\program files\Cobian Backup 10\Cobian.exe" [2010-09-23 421376]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-07-26 2569616]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Eileen^Start Menu^Programs^Startup^Corel Registration.lnk]
path=c:\documents and settings\Eileen\Start Menu\Programs\Startup\Corel Registration.lnk
backup=c:\windows\pss\Corel Registration.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Eileen^Start Menu^Programs^Startup^ScreenHunter 5.1 Free.lnk]
path=c:\documents and settings\Eileen\Start Menu\Programs\Startup\ScreenHunter 5.1 Free.lnk
backup=c:\windows\pss\ScreenHunter 5.1 Free.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-04-04 21:06 958576 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2013-05-10 07:57 37960 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-12-13 23:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
2013-01-27 17:11 947152 ----a-we c:\program files\Microsoft Security Client\msseces.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OPSE reminder]
2003-07-07 16:29 729088 ----a-r- c:\program files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
2003-05-08 18:00 49152 ----a-w- c:\program files\ScanSoft\OmniPageSE2.0\opwareSE2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 23:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-17 16:07 252296 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-12-21 21:35 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wisdom-soft ScreenHunter 5.1 Free]
2010-08-08 02:40 5324800 ----a-w- c:\program files\Wisdom-soft ScreenHunter 5 Free\ScreenHunter.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"gupdate"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"gupdatem"=3 (0x3)
"AdobeActiveFileMonitor5.0"=2 (0x2)
"TeamViewer7"=2 (0x2)
"Web Assistant Updater"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IncrediMail\\Bin\\ImApp.exe"=
"c:\\Program Files\\IncrediMail\\Bin\\IncMail.exe"=
.
S2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\Cobian Backup 10\cbVSCService.exe [12/21/2010 5:09 PM 67584]
S3 MFE_RR;MFE_RR;\??\c:\docume~1\Eileen\LOCALS~1\Temp\mfe_rr.sys --> c:\docume~1\Eileen\LOCALS~1\Temp\mfe_rr.sys [?]
S4 TeamViewer7;TeamViewer 7;c:\program files\TeamViewer\Version7\TeamViewer_Service.exe [4/18/2012 9:34 AM 2666880]
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-11 11:55]
.
2012-11-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-21 21:35]
.
2012-11-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-21 21:35]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
TCP: DhcpNameServer = 192.168.254.254
FF - ProfilePath - c:\documents and settings\Eileen\Application Data\Mozilla\Firefox\Profiles\gvszodq2.default\
FF - prefs.js: browser.startup.homepage - hxxp://us.mg3.mail.yahoo.com/dc/launch?.gx=1&.rand=absfj158afbos
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-UnityWebPlayer - c:\documents and settings\Eileen\Local Settings\Application Data\Unity\WebPlayer\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-06-08 11:00
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-484763869-1364589140-1801674531-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2013-06-08 11:03:16
ComboFix-quarantined-files.txt 2013-06-08 16:03
.
Pre-Run: 106,759,643,136 bytes free
Post-Run: 110,958,534,656 bytes free
.
- - End Of File - - 790ABEFE1F0BEF156F8DEDC36CF5E73A
8F558EB6672622401DA993E1E865C861

#11 RPMcMurphy
    Bleeping *^#@%~
  • Malware Response Team
  • 3,970 posts

Posted 09 June 2013 - 12:28 AM

That browser behavior is a result of running ComboFix - it restores several settings back to their defaults.  Is MSE running now?


#12 DaltonW47
  • Topic Starter
  • Members
  • 39 posts

Posted 09 June 2013 - 06:34 AM

MSE, firewall and browser all appear to be back to normal operation.

Thanks,

Dalton

#13 RPMcMurphy
    Bleeping *^#@%~
  • Malware Response Team
  • 3,970 posts

Posted 09 June 2013 - 10:33 AM

Great!  Please do this next:

Download AdwCleaner from here and save it to your desktop.

  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply

Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator
  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.

Please include the following in your next post:
  • AdwCleaner log
  • ESET log


#14 DaltonW47
  • Topic Starter
  • Members
  • 39 posts

Posted 09 June 2013 - 02:59 PM

Ran ADWCleaner and ESET as requested. Logs below.

Thanks!!

# AdwCleaner v2.303 - Logfile created 06/09/2013 at 12:31:42
# Updated 08/06/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Eileen - EW-NEWDELLE510
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Eileen\Desktop\MW Removal\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v3.6.23 (en-US)

File : C:\Documents and Settings\Eileen\Application Data\Mozilla\Firefox\Profiles\gvszodq2.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [3252 octets] - [23/11/2012 10:50:18]
AdwCleaner[R2].txt - [1138 octets] - [05/06/2013 10:26:35]
AdwCleaner[R3].txt - [1312 octets] - [09/06/2013 12:27:45]
AdwCleaner[S1].txt - [3226 octets] - [23/11/2012 10:50:36]
AdwCleaner[S2].txt - [1203 octets] - [05/06/2013 10:28:07]
AdwCleaner[S3].txt - [1247 octets] - [09/06/2013 12:31:42]

########## EOF - C:\AdwCleaner[S3].txt - [1307 octets] ##########

ESET.TXT
C:\Documents and Settings\Eileen\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\6\1b916d46-1fe0da25 a variant of Java/Exploit.Agent.OLP trojan

#15 RPMcMurphy
    Bleeping *^#@%~
  • Malware Response Team
  • 3,970 posts

Posted 09 June 2013 - 09:48 PM

Other than that ESET detection your logs are looking good!  I have some final housekeeping for you to tend to that will also remove that last threat ESET picked up:

Your Adobe reader needs to be updated.  Please visit Adobe's site and grab the newest version.  Be sure to watch for and uncheck any boxes offering to install other software.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.  Please go to www.java.com and press the "Free Java Download" button near the center of the page.  Follow the prompts to install the latest version.

Uninstall ComboFix

  • Press the Windows key + R on your keyboard or click Start -> Run.  Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall

Delete the following tools along with any other logs you saved from our work:
  • DDS
  • FRST (You may also delete the c:\FRST folder)
  • MBAR
  • AdwCleaner

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job
  • Once it's finished it should automatically reboot your machine,
  • if it doesn't,  manually reboot to ensure a complete clean

Finally, I'd like to make a couple of suggestions to help you stay clean in the future:
  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated.  Scan with them at least weekly.
  • Please read this post for some helpful information.

Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!
