Was infected by Windows Sality



#1 Tyson_08
Posted 20 June 2013 - 07:34 AM

My system was infected by Windows Sality. I ran full system scans using Avira, the AVG Sality Removal tool, SalityKiller, MBAM, MBAR, Sophos Anti-Rootkit, TDSS, etc.
It is now inactive on the system, but there might be files that are still hooked by it somewhere on my hard disk, which went undetected or so. I want to get rid of them without actually formatting my whole drive.

I am not able to install avast! or other antiviruses, as my system just hangs completely the next time it restarts.
I've formatted my C drive too over the matter; I have 2 GB of RAM and nothing in the startup except the normal drivers. Don't know why that is happening... It didn't happen earlier.

And my keyboard continuously types the '+' sign whenever my system starts up, or when I press 'Q', 'U' and especially 'W'.
I don't think it's a hardware problem, as it stops when I press the backspace key, and yet, very rarely, it does not type the '+' sign. I don't know what it is all about.

Also, my DNS sometimes changes randomly, a few websites get blocked, or my net connection just doesn't work even though it's connected. It happens randomly; it might be my connection, but that also started happening after my infection last week. My screencast of the typing problem: http://www.screenr.com/06SH

I'm attaching my ComboFix and DDS logs to this post. Looking forward to getting this fixed soon... :)

Attached files: ComboFix.txt (14.7KB), dds.txt (13.45KB), attach.txt (9.5KB)

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.21.2
Run by Owner at 14:55:15 on 2013-06-20
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2009.895 [GMT 5.5:30]
.
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.zone54.com/
mStart Page = hxxp://www.google.com
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [RTHDCPL] RTHDCPL.EXE
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Microsoft .NET Framework v4 - Slow Windows XP Boot Fix.vbs
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: MaxRecentDocs = dword:18
mPolicies-Explorer: NoSMConfigurePrograms = dword:1
mPolicies-Explorer: NoRecentDocsNetHood = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: MemCheckBoxInRunDlg = dword:1
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
TCP: Interfaces\{67753E95-6B77-407F-9882-CAC4E9DE693D} : NameServer = 8.8.8.8 8.8.8.8
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SecurityProviders: SecurityProviders = schannel.dll, credssp.dll, digest.dll
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
.
================= FIREFOX ===================
.
FF - ProfilePath -
.
============= SERVICES / DRIVERS ===============
.
R0 2iesseps;Vba32 Armour Driver;c:\windows\system32\drivers\2iesseps.sys [2013-6-17 35904]
R0 mv61xxmm;mv61xxmm;c:\windows\system32\drivers\mv61xxmm.sys [2013-4-16 14184]
R0 mv64xxmm;mv64xxmm;c:\windows\system32\drivers\mv64xxmm.sys [2013-4-16 5632]
R0 mvxxmm;mvxxmm;c:\windows\system32\drivers\mvxxmm.sys [2013-4-16 14184]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2013-6-17 18816]
R3 BazisVirtualCDBus;WinCDEmu Virtual Bus Driver;c:\windows\system32\drivers\BazisVirtualCDBus.sys [2011-6-5 117584]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-6-17 22856]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\drivers\RMSPPPOE.SYS [2011-12-2 33792]
S0 jembqwf;jembqwf; [x]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2013-6-16 1684736]
S3 aswArKrn;aswArKrn;\??\c:\docume~1\owner\locals~1\temp\aswarkrn.sys --> c:\docume~1\owner\locals~1\temp\aswArKrn.sys [?]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2013-6-17 35144]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2013-6-18 27064]
S3 rk_remover-boot;rk_remover-boot;c:\windows\system32\drivers\rk_remover.sys [2013-6-17 53248]
.
=============== Created Last 30 ================
.
2013-06-19 15:14:28 -------- d-----w- c:\documents and settings\owner\application data\Key Metric Software
2013-06-18 22:28:23 -------- d-----w- c:\documents and settings\owner\application data\Leak Scanner
2013-06-18 12:17:20 -------- d-----w- c:\documents and settings\owner\local settings\application data\VS Revo Group
2013-06-18 12:16:54 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2013-06-18 12:16:54 -------- d-----w- c:\documents and settings\all users\application data\VS Revo Group
2013-06-18 12:16:52 -------- d-----w- c:\program files\VS Revo Group
2013-06-18 11:35:59 11520 -c--a-w- c:\windows\system32\dllcache\twotrack.sys
2013-06-18 11:34:59 714762 -c--a-w- c:\windows\system32\dllcache\r2mdmkxx.sys
2013-06-18 11:33:55 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys
2013-06-18 11:32:42 45056 -c--a-w- c:\windows\system32\dllcache\icam5com.dll
2013-06-18 11:31:59 50719 -c--a-w- c:\windows\system32\dllcache\e1000nt5.sys
2013-06-18 11:30:59 96640 -c--a-w- c:\windows\system32\dllcache\b57xp32.sys
2013-06-17 17:23:52 -------- d-----w- c:\documents and settings\owner\local settings\application data\Mozilla
2013-06-17 12:53:43 -------- d-----w- c:\documents and settings\all users\application data\GroupPolicy
2013-06-17 11:16:50 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2013-06-17 11:14:25 53248 ----a-w- c:\windows\system32\drivers\rk_remover.sys
2013-06-17 10:42:18 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2013-06-17 10:42:11 -------- d--h--w- c:\windows\PIF
2013-06-17 10:25:09 -------- d-----w- c:\documents and settings\owner\local settings\application data\JeS_Consultancy
2013-06-17 10:17:55 -------- d-----w- c:\program files\VirusTotalUploader2
2013-06-17 10:04:55 -------- d-----w- c:\documents and settings\owner\application data\Online Solutions
2013-06-17 09:40:23 53248 ----a-w- c:\windows\system32\zlib.dll
2013-06-17 09:10:37 35904 ----a-w- c:\windows\system32\drivers\2iesseps.sys
2013-06-17 08:21:25 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-06-17 08:21:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-06-17 08:15:20 -------- d-----w- c:\documents and settings\owner\application data\uTorrent
2013-06-16 23:55:01 -------- d-sh--w- c:\documents and settings\owner\PrivacIE
2013-06-16 23:33:01 -------- d-----w- C:\Stinger_Quarantine
2013-06-16 22:40:57 -------- d-sha-r- C:\cmdcons
2013-06-16 22:40:14 98816 ----a-w- c:\windows\sed.exe
2013-06-16 22:40:14 256000 ----a-w- c:\windows\PEV.exe
2013-06-16 22:40:14 208896 ----a-w- c:\windows\MBR.exe
2013-06-16 22:40:12 -------- d-----w- C:\ComboFix
2013-06-16 22:34:08 -------- d-----w- c:\documents and settings\owner\application data\Malwarebytes
2013-06-16 22:32:46 -------- d-----w- c:\documents and settings\all users\application data\COMODO
2013-06-16 21:59:03 -------- d-----w- C:\Quarantine
2013-06-16 21:44:56 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes' Anti-Malware (portable)
2013-06-16 21:42:24 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2013-06-16 21:31:29 -------- d-----w- c:\documents and settings\owner\local settings\application data\NPE
2013-06-16 21:31:29 -------- d-----w- c:\documents and settings\all users\application data\Norton
2013-06-16 21:02:15 205072 ------w- c:\windows\system32\drivers\tmcomm.sys
2013-06-16 21:02:14 135952 ------w- c:\windows\system32\drivers\tmrkb.sys
2013-06-16 21:01:25 7475200 ------w- c:\windows\system32\rmslt.nt
2013-06-16 20:56:58 -------- d-----w- c:\program files\stinger
2013-06-16 20:35:42 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2013-06-16 19:57:05 -------- d-----w- c:\documents and settings\owner\application data\NVIDIA
2013-06-16 19:56:19 -------- d-----w- c:\documents and settings\all users\application data\BlueStacksSetup
2013-06-16 19:21:35 -------- d-----w- c:\documents and settings\owner\application data\TeamViewer
2013-06-16 19:21:24 -------- d-----w- c:\program files\TeamViewer
2013-06-16 18:54:31 94112 ------w- c:\windows\system32\WindowsAccessBridge.dll
2013-06-16 17:26:52 -------- d-----w- c:\windows\ERUNT
2013-06-16 17:26:49 -------- d-----w- C:\JRT
2013-06-16 13:15:45 -------- d-----w- c:\windows\ie8updates
2013-06-16 11:17:34 -------- d-----w- c:\windows\$hf_mig$
2013-06-16 11:15:11 2193536 -c--a-w- c:\windows\system32\dllcache\ntoskrnl.exe
2013-06-16 11:15:10 2070144 -c--a-w- c:\windows\system32\dllcache\ntkrnlpa.exe
2013-06-16 11:02:34 -------- d-----w- c:\program files\Paint.NET
2013-06-16 11:02:31 -------- d-----w- c:\documents and settings\owner\local settings\application data\Paint.NET
2013-06-16 11:00:44 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2013-06-16 11:00:44 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2013-06-16 11:00:44 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2013-06-16 11:00:43 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2013-06-16 11:00:43 630272 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2013-06-16 11:00:42 522240 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2013-06-16 11:00:42 2005504 -c----w- c:\windows\system32\dllcache\iertutil.dll
2013-06-16 11:00:42 11112960 -c----w- c:\windows\system32\dllcache\ieframe.dll
.
==================== Find3M ====================
.
2013-06-16 05:40:10 861088 ------w- c:\windows\system32\npDeployJava1.dll
2013-06-16 05:40:10 782240 ------w- c:\windows\system32\deployJava1.dll
2013-06-15 19:28:26 1074636 ------w- c:\windows\system32\nvdrsdb0.bin
2013-06-15 19:28:26 1 ------w- c:\windows\system32\nvdrssel.bin
2013-06-15 19:28:24 1074636 ------w- c:\windows\system32\nvdrsdb1.bin
2013-05-07 22:30:06 920064 ------w- c:\windows\system32\wininet.dll
2013-05-07 22:30:05 43520 ------w- c:\windows\system32\licmgr10.dll
2013-05-07 22:30:05 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-05-07 21:53:29 385024 ------w- c:\windows\system32\html.iec
2013-05-03 01:30:20 2149888 ------w- c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38:17 2028544 ------w- c:\windows\system32\ntkrnlpa.exe
2013-04-15 20:19:19 3186 ------w- c:\windows\system32\presetup.cmd
2013-04-15 20:19:19 28672 ------w- c:\windows\system32\setupold.exe
2013-04-15 20:18:23 5632 ------w- c:\windows\system32\drivers\mv64xxmm.sys
2013-04-15 20:18:23 14184 ------w- c:\windows\system32\drivers\mvxxmm.sys
2013-04-15 20:18:23 14184 ------w- c:\windows\system32\drivers\mv61xxmm.sys
2013-04-15 20:16:01 1614848 ------w- c:\windows\system32\sfcfiles.dll
2013-04-15 20:12:26 361600 ------w- c:\windows\system32\drivers\tcpip.sys
2013-04-15 20:12:26 218624 ------w- c:\windows\system32\uxtheme.dll
2013-04-15 20:12:19 990208 ------w- c:\windows\system32\syssetup.dll
2013-04-10 01:31:19 1876352 ------w- c:\windows\system32\win32k.sys
2013-04-09 11:20:00 71048 ------w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-04-09 11:20:00 691592 ------w- c:\windows\system32\FlashPlayerApp.exe
2013-04-04 18:00:00 112640 ------w- c:\windows\system32\ff_vfw.dll
.
============= FINISH: 14:55:47.84 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 16/06/2013 10:55:09
System Uptime: 20/06/2013 14:22:07 (0 hours ago)
.
Motherboard: Intel Corporation | | DG41RQ
Processor: Intel® Core™2 Duo CPU E7500 @ 2.93GHz | J2E1 | 2933/266mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 59 GiB total, 39.393 GiB free.
D: is FIXED (NTFS) - 78 GiB total, 1.327 GiB free.
E: is FIXED (NTFS) - 78 GiB total, 3.844 GiB free.
F: is FIXED (NTFS) - 83 GiB total, 4.989 GiB free.
G: is CDROM (CDFS)
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Microsoft Tun Miniport Adapter
Device ID: ROOT\*TUNMP\0001
Manufacturer: Microsoft
Name: Microsoft Tun Miniport Adapter
PNP Device ID: ROOT\*TUNMP\0001
Service: tunmp
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Video Controller (VGA Compatible)
Device ID: PCI\VEN_8086&DEV_2E32&SUBSYS_D6138086&REV_03\3&11583659&0&10
Manufacturer:
Name: Video Controller (VGA Compatible)
PNP Device ID: PCI\VEN_8086&DEV_2E32&SUBSYS_D6138086&REV_03\3&11583659&0&10
Service:
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: SM Bus Controller
Device ID: PCI\VEN_8086&DEV_27DA&SUBSYS_D6138086&REV_01\3&11583659&0&FB
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_8086&DEV_27DA&SUBSYS_D6138086&REV_01\3&11583659&0&FB
Service:
.
Class GUID:
Description:
Device ID: ROOT\LEGACY_BEEP\XX_AMSINT32_XX
Manufacturer:
Name:
PNP Device ID: ROOT\LEGACY_BEEP\XX_AMSINT32_XX
Service: amsint32
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
µTorrent
7-Zip 9.20
Adobe Acrobat X Pro - English, Russian
Adobe Shockwave Player 12.0
Alt-Tab Task Switcher Powertoy for Windows XP
ApexDC++ 1.5.6
BitLocker To Go Reader
CCleaner
ClearType Tuning Control Panel Applet
ContextConsole Shell Extension (x86-32)
FileASSASSIN
Google Chrome
Google Update Helper
HashCheck Shell Extension (x86-32)
HijackThis 1.99.1
Hotfix for Windows XP (KB971276-v3)
Java 7 Update 21
Java Auto Updater
K-Lite Mega Codec Pack 9.8.5
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2742597)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable - x86 8.0.50727.6229
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.7497
Microsoft Visual C++ 2010 Redistributable - x86 10.0.40219.436
Microsoft Visual C++ 2012 Redistributable - x86 11.0.51106.1
Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.51106
Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.51106
Mozilla Firefox (3.6.28)
NVIDIA Control Panel 301.42
NVIDIA Graphics Driver 301.42
NVIDIA Install Application
NVIDIA nView 136.27
NVIDIA PhysX
NVIDIA PhysX System Software 9.12.0213
NVIDIA Update 1.8.15
NVIDIA Update Components
Paint.NET v3.5.10
Realtek High Definition Audio Driver
Revo Uninstaller Pro 3.0.5
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 8 (KB2838727)
Security Update for Windows XP (KB2820197)
Security Update for Windows XP (KB2829361)
Security Update for Windows XP (KB2839229)
Skype Click to Call
Skype 6.5
Sophos Anti-Rootkit 1.5.23
SumatraPDF 2.2.1
swMSM
TeamViewer 8
Unlocker 1.9.1
User Profile Hive Cleanup Service
VirusTotal Uploader 2.0
VLC media player 2.0.7
WebFldrs XP
WinCDEmu
Windows PowerShell™ 1.0
WinRAR 5.00 beta 5 (32-bit)
.
==== Event Viewer Messages From Past Week ========
.
19/06/2013 20:56:09, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000007F' while processing the file 'desktop.ini' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
18/06/2013 19:22:47, error: Dhcp [1002] - The IP address lease 192.168.1.216 for the Network Card with network address 00270E2232CA has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
18/06/2013 18:56:14, error: Dhcp [1002] - The IP address lease 169.254.204.10 for the Network Card with network address 00270E2232CA has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
18/06/2013 18:52:20, error: Dhcp [1002] - The IP address lease 169.254.204.10 for the Network Card with network address 00270E2232CA has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
18/06/2013 18:40:36, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.216 with the system having network hardware address 00:21:9B:CE:46:9C. Network operations on this system may be disrupted as a result.
17/06/2013 23:46:16, error: Dhcp [1002] - The IP address lease 192.168.0.140 for the Network Card with network address 00270E2232CA has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
17/06/2013 23:41:55, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.0.140 with the system having network hardware address D0:27:88:10:3D:42. Network operations on this system may be disrupted as a result.
17/06/2013 16:23:02, error: System Error [1003] - Error code 10000050, parameter1 badea000, parameter2 00000000, parameter3 80509a63, parameter4 00000000.
17/06/2013 16:23:00, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: jembqwf
17/06/2013 16:08:32, error: Service Control Manager [7022] - The IPv6 Helper Service service hung on starting.
17/06/2013 16:07:21, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
17/06/2013 06:23:43, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
17/06/2013 06:20:11, error: Service Control Manager [7034] - The BlueStacks Log Rotator Service service terminated unexpectedly. It has done this 1 time(s).
17/06/2013 06:16:43, error: Service Control Manager [7023] - The BlueStacks Android Service service terminated with the following error: An exception occurred in the service when handling the control request.
17/06/2013 06:02:22, error: PlugPlayManager [11] - The device Root\LEGACY_SMR322\0000 disappeared from the system without first being prepared for removal.
17/06/2013 06:01:15, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'SMR322.SYS' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
17/06/2013 05:04:18, error: Service Control Manager [7034] - The User Profile Hive Cleanup service terminated unexpectedly. It has done this 1 time(s).
17/06/2013 05:04:04, error: Service Control Manager [7034] - The Skype C2C Service service terminated unexpectedly. It has done this 1 time(s).
17/06/2013 04:43:34, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for Start with the following error: Access is denied.
17/06/2013 04:43:25, error: Service Control Manager [7000] - The mbamswissarmy service failed to start due to the following error: The system cannot find the path specified.
17/06/2013 04:21:55, error: Dhcp [1008] - Your computer was unable to initialize a Network Interface attached to the system. The error code is: A device attached to the system is not functioning. .
17/06/2013 04:13:55, error: PlugPlayManager [11] - The device Root\LEGACY_UNLOCKERDRIVER5\0000 disappeared from the system without first being prepared for removal.
17/06/2013 04:13:55, error: PlugPlayManager [11] - The device Root\LEGACY_AMSINT32\0000 disappeared from the system without first being prepared for removal.
17/06/2013 02:19:20, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
17/06/2013 02:19:20, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
16/06/2013 11:12:10, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
16/06/2013 10:55:18, error: Setup [60055] - Windows Setup encountered non-fatal errors during installation. Please check the setuperr.log found in your Windows directory for more information.
16/06/2013 10:53:35, error: DCOM [10005] - DCOM got error "%1083" attempting to start the service wuauserv with arguments "" in order to run the server: {9B1F122C-2982-4E91-AA8B-E071D54F2A4D}
16/06/2013 01:34:46, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume F:.
.
==== End Of File ===========================


ComboFix 13-06-18.02 - Owner 20/06/2013 17:01:38.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2009.1503 [GMT 5.5:30]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\CCleaner\cc_update.exe
c:\program files\CCleaner\TrayApp.exe
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\AMMYY\hr
c:\documents and settings\All Users\Application Data\AMMYY\hr3
c:\documents and settings\All Users\Application Data\AMMYY\settings3.bin
c:\windows\system\VB40032.DLL
c:\windows\system32\config\systemprofile\DELA56.tmp
c:\windows\system32\PowerToyReadme.htm
c:\windows\system32\ShellExt\CmdOpen.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_AMSINT32
-------\Service_amsint32
.
.
((((((((((((((((((((((((( Files Created from 2013-05-20 to 2013-06-20 )))))))))))))))))))))))))))))))
.
.
2013-06-16 23:33 . 2013-06-16 23:57 -------- d-----w- C:\Stinger_Quarantine
2013-06-16 21:59 . 2013-06-16 21:59 -------- d-----w- C:\Quarantine
2013-06-16 17:26 . 2013-06-16 17:26 -------- d-----w- C:\JRT
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-07 22:30 . 2013-03-02 02:05 920064 ------w- c:\windows\system32\wininet.dll
2013-05-07 22:30 . 2013-03-02 02:05 43520 ------w- c:\windows\system32\licmgr10.dll
2013-05-07 22:30 . 2013-03-02 02:05 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-05-07 21:53 . 2013-03-02 01:08 385024 ------w- c:\windows\system32\html.iec
2013-05-03 01:30 . 2013-03-07 01:35 2149888 ------w- c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38 . 2013-03-07 00:53 2028544 ------w- c:\windows\system32\ntkrnlpa.exe
2013-04-15 20:19 . 2013-04-15 20:19 3186 ------w- c:\windows\system32\presetup.cmd
2013-04-15 20:19 . 2013-04-15 20:19 28672 ------w- c:\windows\system32\setupold.exe
2013-04-15 20:18 . 2013-04-15 20:18 5632 ------w- c:\windows\system32\drivers\mv64xxmm.sys
2013-04-15 20:18 . 2013-04-15 20:18 14184 ------w- c:\windows\system32\drivers\mvxxmm.sys
2013-04-15 20:18 . 2013-04-15 20:18 14184 ------w- c:\windows\system32\drivers\mv61xxmm.sys
2013-04-15 20:16 . 2013-04-15 20:16 1614848 ------w- c:\windows\system32\sfcfiles.dll
2013-04-15 20:15 . 2009-11-27 17:23 17920 ------w- c:\windows\system32\msyuv.dll
2013-04-15 20:15 . 2009-11-27 16:28 8704 ------w- c:\windows\system32\tsbyuv.dll
2013-04-15 20:15 . 2009-11-27 16:28 48128 ------w- c:\windows\system32\iyuv_32.dll
2013-04-15 20:15 . 2008-04-22 17:03 483328 ------w- c:\windows\system32\wzcsvc.dll
2013-04-15 20:15 . 2008-04-14 03:42 294912 ------w- c:\windows\system32\msh263.drv
2013-04-15 20:15 . 2008-04-14 03:42 52736 ------w- c:\windows\system32\wzcsapi.dll
2013-04-15 20:15 . 2008-04-14 03:42 35328 ------w- c:\windows\system32\pid.dll
2013-04-15 20:15 . 2008-04-14 03:42 15360 ------w- c:\windows\system32\pjlmon.dll
2013-04-15 20:15 . 2008-04-14 03:41 20992 ------w- c:\windows\system32\hid.dll
2013-04-15 20:15 . 2008-04-14 03:41 52224 ------w- c:\windows\system32\dmutil.dll
2013-04-15 20:15 . 2008-04-14 03:41 47104 ------w- c:\windows\system32\cnbjmon.dll
2013-04-15 20:15 . 2008-04-13 22:30 30080 ------w- c:\windows\system32\drivers\modem.sys
2013-04-15 20:15 . 2008-04-13 22:26 12288 ------w- c:\windows\system32\drivers\tunmp.sys
2013-04-15 20:15 . 2008-04-13 22:26 14592 ------w- c:\windows\system32\drivers\ndisuio.sys
2013-04-15 20:15 . 2008-04-13 22:21 61824 ------w- c:\windows\system32\drivers\nic1394.sys
2013-04-15 20:15 . 2008-04-13 22:21 60800 ------w- c:\windows\system32\drivers\arp1394.sys
2013-04-15 20:15 . 2008-04-13 22:16 25344 ------w- c:\windows\system32\drivers\sonydcam.sys
2013-04-15 20:15 . 2008-04-13 22:15 15872 ------w- c:\windows\system32\drivers\usbintel.sys
2013-04-15 20:15 . 2008-04-13 22:15 25728 ------w- c:\windows\system32\drivers\usbcamd2.sys
2013-04-15 20:15 . 2008-04-13 22:15 25600 ------w- c:\windows\system32\drivers\usbcamd.sys
2013-04-15 20:15 . 2008-04-13 22:10 80128 ------w- c:\windows\system32\drivers\parport.sys
2013-04-15 20:15 . 2008-04-13 22:09 4352 ------w- c:\windows\system32\drivers\swenum.sys
2013-04-15 20:15 . 2008-04-13 22:09 23040 ------w- c:\windows\system32\drivers\mouclass.sys
2013-04-15 20:15 . 2008-04-13 22:06 15488 ------w- c:\windows\system32\drivers\mssmbios.sys
2013-04-15 20:15 . 2008-04-13 22:06 63744 ------w- c:\windows\system32\drivers\mf.sys
2013-04-15 20:15 . 2008-04-13 22:01 37760 ------w- c:\windows\system32\drivers\amdk7.sys
2013-04-15 20:15 . 2008-04-13 22:01 37376 ------w- c:\windows\system32\drivers\amdk6.sys
2013-04-15 20:15 . 2008-04-13 22:01 36736 ------w- c:\windows\system32\drivers\crusoe.sys
2013-04-15 20:15 . 2008-04-13 22:01 42752 ------w- c:\windows\system32\drivers\p3.sys
2013-04-15 20:15 . 2008-04-13 22:01 35840 ------w- c:\windows\system32\drivers\processr.sys
2013-04-15 20:15 . 2001-08-17 20:37 77891 ------w- c:\windows\system32\usrmlnka.exe
2013-04-15 20:15 . 2001-08-17 20:37 69700 ------w- c:\windows\system32\usrshuta.exe
2013-04-15 20:15 . 2001-08-17 20:37 61508 ------w- c:\windows\system32\usrprbda.exe
2013-04-15 20:15 . 2001-08-17 20:36 55296 ------w- c:\windows\system32\dvdplay.exe
2013-04-15 20:15 . 2001-08-17 20:36 3200 ------w- c:\windows\system32\wowfax.dll
2013-04-15 20:15 . 2001-08-17 20:36 13824 ------w- c:\windows\system32\wowfaxui.dll
2013-04-15 20:15 . 2001-08-17 20:36 86073 ------w- c:\windows\system32\usrfaxa.dll
2013-04-15 20:15 . 2001-08-17 20:36 77890 ------w- c:\windows\system32\usrdpa.dll
2013-04-15 20:15 . 2001-08-17 20:36 77883 ------w- c:\windows\system32\usrrtosa.dll
2013-04-15 20:15 . 2001-08-17 20:36 69699 ------w- c:\windows\system32\usrcoina.dll
2013-04-15 20:15 . 2001-08-17 20:36 61500 ------w- c:\windows\system32\usrcntra.dll
2013-04-15 20:15 . 2001-08-17 20:36 53305 ------w- c:\windows\system32\usrlbva.dll
2013-04-15 20:15 . 2001-08-17 20:36 49211 ------w- c:\windows\system32\usrvpa.dll
2013-04-15 20:15 . 2001-08-17 20:36 49211 ------w- c:\windows\system32\usrsdpia.dll
2013-04-15 20:15 . 2001-08-17 20:36 49209 ------w- c:\windows\system32\usrv80a.dll
2013-04-15 20:15 . 2001-08-17 20:36 45116 ------w- c:\windows\system32\usrvoica.dll
2013-04-15 20:15 . 2001-08-17 20:36 41019 ------w- c:\windows\system32\usrsvpia.dll
2013-04-15 20:15 . 2001-08-17 20:36 323641 ------w- c:\windows\system32\usrdtea.dll
2013-04-15 20:15 . 2001-08-17 20:36 102457 ------w- c:\windows\system32\usrv42a.dll
2013-04-15 20:15 . 2001-08-17 20:36 8192 ------w- c:\windows\system32\streamci.dll
2013-04-15 20:15 . 2001-08-17 20:36 72192 ------w- c:\windows\system32\sprio800.dll
2013-04-15 20:15 . 2001-08-17 20:36 70656 ------w- c:\windows\system32\sprio600.dll
2013-04-15 20:15 . 2001-08-17 20:36 69632 ------w- c:\windows\system32\spnike.dll
2013-04-15 20:15 . 2001-08-17 20:36 157696 ------w- c:\windows\system32\paqsp.dll
2013-04-15 20:15 . 2001-08-17 20:36 147968 ------w- c:\windows\system32\mdwmdmsp.dll
2013-04-15 20:15 . 2001-08-17 12:06 21376 ------w- c:\windows\system32\drivers\tsbvcap.sys
2013-04-15 20:15 . 2001-08-17 11:57 12160 ------w- c:\windows\system32\drivers\fsvga.sys
2013-04-15 20:15 . 2001-08-17 11:52 18688 ------w- c:\windows\system32\drivers\cdaudio.sys
2013-04-15 20:15 . 2001-08-17 11:24 12032 ------w- c:\windows\system32\drivers\riodrv.sys
2013-04-15 20:15 . 2001-08-17 11:24 12032 ------w- c:\windows\system32\drivers\rio8drv.sys
2013-04-15 20:15 . 2001-08-17 11:24 12032 ------w- c:\windows\system32\drivers\nikedrv.sys
2013-04-15 20:15 . 2001-08-17 11:24 11776 ------w- c:\windows\system32\drivers\cpqdap01.sys
2013-04-15 20:12 . 2013-04-15 20:12 361600 ------w- c:\windows\system32\drivers\tcpip.sys
2013-04-15 20:12 . 2013-04-15 20:12 218624 ------w- c:\windows\system32\uxtheme.dll
2013-04-15 20:12 . 2013-04-15 20:12 990208 ------w- c:\windows\system32\syssetup.dll
2013-04-10 01:31 . 2013-03-02 01:31 1876352 ------w- c:\windows\system32\win32k.sys
2013-04-09 11:20 . 2013-04-09 11:20 71048 ------w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-04-09 11:20 . 2013-04-09 11:20 691592 ------w- c:\windows\system32\FlashPlayerApp.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2013-04-15 . 474D3DCCB57DEFCD917311EEC47204B9 . 361600 . . [5.1.2600.6009] . . c:\windows\system32\drivers\tcpip.sys
.
[-] 2013-04-15 . DAC4E275E303D29FC9F807655B748413 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-05-15 15504192]
"NvMediaCenter"="NvMCTray.dll" [2012-05-15 108352]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-05-15 1634112]
"RTHDCPL"="RTHDCPL.EXE" [2009-05-21 17881600]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft .NET Framework v4 - Slow Windows XP Boot Fix.vbs [2013-1-19 873]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 18 (0x12)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, credssp.dll, digest.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2011-01-30 13:15 821144 ------w- c:\program files\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-15 15:32 932288 ------w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Owner\\Application Data\\uTorrent\\uTorrent.exe"=
.
R0 2iesseps;Vba32 Armour Driver;c:\windows\system32\drivers\2iesseps.sys [17/06/2013 14:40 35904]
R0 mv61xxmm;mv61xxmm;c:\windows\system32\drivers\mv61xxmm.sys [16/04/2013 01:48 14184]
R0 mv64xxmm;mv64xxmm;c:\windows\system32\drivers\mv64xxmm.sys [16/04/2013 01:48 5632]
R0 mvxxmm;mvxxmm;c:\windows\system32\drivers\mvxxmm.sys [16/04/2013 01:48 14184]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [17/06/2013 16:46 18816]
R3 BazisVirtualCDBus;WinCDEmu Virtual Bus Driver;c:\windows\system32\drivers\BazisVirtualCDBus.sys [05/06/2011 01:44 117584]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [17/06/2013 13:51 22856]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\drivers\RMSPPPOE.SYS [02/12/2011 22:20 33792]
S0 jembqwf;jembqwf; [x]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [16/06/2013 01:00 1684736]
S3 aswArKrn;aswArKrn;\??\c:\docume~1\Owner\LOCALS~1\Temp\aswArKrn.sys --> c:\docume~1\Owner\LOCALS~1\Temp\aswArKrn.sys [?]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [17/06/2013 16:12 35144]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [18/06/2013 17:46 27064]
S3 rk_remover-boot;rk_remover-boot;c:\windows\system32\drivers\rk_remover.sys [17/06/2013 16:44 53248]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.zone54.com/
mStart Page = hxxp://www.google.com
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
TCP: Interfaces\{67753E95-6B77-407F-9882-CAC4E9DE693D}: NameServer = 8.8.8.8 8.8.8.8
FF - ProfilePath -
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-BlueStacks Agent - c:\program files\BlueStacks\HD-Agent.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-06-20 17:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2013-06-20 17:06:48
ComboFix-quarantined-files.txt 2013-06-20 11:36
.
Pre-Run: 41,980,375,040 bytes free
Post-Run: 41,938,853,888 bytes free
.
- - End Of File - - D6C918441C43E71DAC3F71A8074CF9C6
8F558EB6672622401DA993E1E865C861

Edited by Oh My, 24 June 2013 - 02:25 PM.




#2 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,972 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:12:56 AM

Posted 24 June 2013 - 02:24 PM

Greetings Tyson_08 and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow this topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started :thumbup2:
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Please allow me some time to review the information you have provided and I will reply as soon as possible.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 Oh My!

Posted 24 June 2013 - 03:43 PM

Greetings,

Thank you again for your patience. Please do this for me.

===================================================

Running TDSSKiller with Changed Parameters

--------------------
  • Please download TDSSKiller from here and save it to your Desktop
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters

  • Check Loaded Modules, Verify Driver Digital Signature, and Detect TDLFS file system
  • If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now

  • Click Start Scan and allow the scan process to run

  • If threats are detected select Skip for all of them unless I instruct you otherwise
  • Click Continue

  • Click Reboot computer
  • Please zip and attach in your reply the TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically c:\)
===================================================

SystemLook by jpshortstuff

--------------------
  • Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2
Download Mirror #3 For 64-bit users

  • Double-click SystemLook.exe to run it.
  • Vista\Windows 7 users: Right-click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following codebox into the main textfield:
:filefind
tcpip.sys
sfcfiles.dll
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • TDSSKiller log (zipped)
  • SystemLook log

Gary
 

#4 Tyson_08

Tyson_08
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:56 AM

Posted 25 June 2013 - 09:59 AM

SystemLook 30.07.11 by jpshortstuff
Log created at 20:28 on 25/06/2013 by Owner
Administrator - Elevation successful
 
========== filefind ==========
 
Searching for "tcpip.sys"
C:\WINDOWS\system32\drivers\tcpip.sys ------- 361600 bytes [20:12 15/04/2013] [20:12 15/04/2013] 474D3DCCB57DEFCD917311EEC47204B9
 
Searching for "sfcfiles.dll"
C:\WINDOWS\system32\sfcfiles.dll ------- 1614848 bytes [20:16 15/04/2013] [20:16 15/04/2013] DAC4E275E303D29FC9F807655B748413
 
-= EOF =-
 
I am attaching the TDSS log in a zipped file:

Attached File: TDSSKiller.2.8.16.0_25.06.2013_20.21.27_log.txt.zip (34.64KB)



#5 Oh My!


Posted 25 June 2013 - 01:39 PM

Greetings,

Thank you for the information. Please run SystemLook again as follows:

===================================================

SystemLook by jpshortstuff

--------------------
  • Double-click SystemLook.exe to run it.
  • Vista\Windows 7 users: Right-click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following codebox into the main textfield:
:filefind
tcpip.*
sfcfiles.*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • SystemLook log

Gary
 

#6 Tyson_08


Posted 26 June 2013 - 05:11 AM

SystemLook 30.07.11 by jpshortstuff
Log created at 15:40 on 26/06/2013 by Owner
Administrator - Elevation successful
 
========== filefind ==========
 
Searching for "tcpip.*"
C:\Qoobox\Quarantine\Registry_backups\tcpip.reg --a---- 6834 bytes [22:43 16/06/2013] [11:33 20/06/2013] FBAADA0A6F8BEBA4C9D2582DADDF1FCB
C:\WINDOWS\Help\tcpip.chm ------- 50586 bytes [12:00 14/04/2008] [12:00 14/04/2008] 24FC18A9ED0AA561C5F5DC295F9AA9F2
C:\WINDOWS\system32\drivers\tcpip.sys ------- 361600 bytes [20:12 15/04/2013] [20:12 15/04/2013] 474D3DCCB57DEFCD917311EEC47204B9
 
Searching for "sfcfiles.*"
C:\WINDOWS\system32\sfcfiles.dll ------- 1614848 bytes [20:16 15/04/2013] [20:16 15/04/2013] DAC4E275E303D29FC9F807655B748413
 
-= EOF =-
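An added example (not code from this thread, nor from SystemLook or ComboFix): a Python parser for the SystemLook :filefind output in posts #4 and #6 and for the ComboFix Sigcheck lines from the first post, which cross-references the two by MD5 and reports whether any second copy of a flagged file name exists on disk with a different hash, which is presumably what the tcpip.* / sfcfiles.* search above was looking for. The sample logs are constructed from the lines posted in this thread.

```python
import re
from datetime import datetime
from pathlib import PureWindowsPath

# SystemLook ":filefind" result line:
#   <path> <attrs> <size> bytes [created] [modified] <MD5>
SYSTEMLOOK_ENTRY = re.compile(
    r'^(?P<path>[A-Za-z]:\\.+?)\s+[-rhsadc]{7}\s+(?P<size>\d+) bytes\s+\[[^\]]+\]'
    r'\s+\[(?P<modified>\d\d:\d\d \d\d/\d\d/\d{4})\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$')
# ComboFix Sigcheck line; a leading "[-]" means the file's signature did not verify.
SIGCHECK_ENTRY = re.compile(
    r'^\[(?P<flag>[-+?])\] \S+ \. (?P<md5>[0-9A-Fa-f]{32}) \. (?P<size>\d+)'
    r' \. \. \[(?P<version>[^\]]*)\] \. \. (?P<path>.+)$')

def parse_systemlook(text):
    """One dict per result line, tagged with the search pattern that produced it."""
    hits, pattern = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r'^Searching for "(.+)"$', line)
        if m:
            pattern = m.group(1)
            continue
        m = SYSTEMLOOK_ENTRY.match(line)
        if m and pattern:
            hits.append({"pattern": pattern, "path": m["path"], "size": int(m["size"]),
                         "modified": datetime.strptime(m["modified"], "%H:%M %d/%m/%Y"),
                         "md5": m["md5"].upper()})
    return hits

def parse_sigcheck(text):
    """MD5 -> (path, version) for every Sigcheck line flagged '[-]'."""
    return {m["md5"].upper(): (m["path"], m["version"])
            for m in map(SIGCHECK_ENTRY.match, (l.strip() for l in text.splitlines()))
            if m and m["flag"] == "-"}

def flagged_hits(hits, flagged):
    """SystemLook results whose hash ComboFix already reported as unsigned."""
    return [(h["path"], h["md5"], flagged[h["md5"]][1]) for h in hits if h["md5"] in flagged]

def alternate_copies(hits):
    """filename -> distinct MD5s, only for names found on disk with more than one hash
    (a second copy that could be compared with, or replace, the flagged one)."""
    by_name = {}
    for h in hits:
        by_name.setdefault(PureWindowsPath(h["path"]).name.lower(), set()).add(h["md5"])
    return {name: md5s for name, md5s in by_name.items() if len(md5s) > 1}

# Sample input, constructed from the SystemLook and ComboFix lines posted in this thread.
SYSTEMLOOK_LOG = r"""
========== filefind ==========

Searching for "tcpip.*"
C:\Qoobox\Quarantine\Registry_backups\tcpip.reg --a---- 6834 bytes [22:43 16/06/2013] [11:33 20/06/2013] FBAADA0A6F8BEBA4C9D2582DADDF1FCB
C:\WINDOWS\Help\tcpip.chm ------- 50586 bytes [12:00 14/04/2008] [12:00 14/04/2008] 24FC18A9ED0AA561C5F5DC295F9AA9F2
C:\WINDOWS\system32\drivers\tcpip.sys ------- 361600 bytes [20:12 15/04/2013] [20:12 15/04/2013] 474D3DCCB57DEFCD917311EEC47204B9

Searching for "sfcfiles.*"
C:\WINDOWS\system32\sfcfiles.dll ------- 1614848 bytes [20:16 15/04/2013] [20:16 15/04/2013] DAC4E275E303D29FC9F807655B748413
"""
SIGCHECK_LOG = r"""
[-] 2013-04-15 . 474D3DCCB57DEFCD917311EEC47204B9 . 361600 . . [5.1.2600.6009] . . c:\windows\system32\drivers\tcpip.sys
[-] 2013-04-15 . DAC4E275E303D29FC9F807655B748413 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
"""
```

On the sample logs, flagged_hits(parse_systemlook(SYSTEMLOOK_LOG), parse_sigcheck(SIGCHECK_LOG)) returns both system files, and alternate_copies finds no second copy of either name, which matches the follow-up questions about Service Pack copies and an installation disk.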


#7 Oh My!


Posted 26 June 2013 - 09:09 AM

Do you have a Windows XP installation disk?
Gary
 

#8 Tyson_08


Posted 26 June 2013 - 09:25 AM

Yes, I do have it, inserted in my DVD-Rom (It's a modded build though).

I need to get rid of the inactive but infected files on my system too... :)



#9 Oh My!


Posted 26 June 2013 - 10:15 AM

Not sure exactly what your modified build is. Strange you do not have any Service Pack copies on your computer.

Do you have any other computers running XP Pro?
Gary
 

#10 Tyson_08


Posted 26 June 2013 - 10:46 AM

Nope, this is the only one.

I'm using Windows XP Professional SP3 (32-bit) - Black Edition 2013.4.16.



#11 Oh My!


Posted 29 June 2013 - 03:28 PM

Greetings,

Although we have communicated via Personal Message I have not heard a response.

===================================================

3 Day Bump

It has been more than 3 days since my last post.
  • Do you still need help with this?
  • If after 48hrs you have not replied to this thread then it will have to be closed.

Gary
 

#12 Oh My!


Posted 01 July 2013 - 03:35 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
Gary
 



