
Internet Security Pro


  • This topic is locked
14 replies to this topic

#1 EricMaher

  • Members
  • 8 posts

Posted 30 June 2013 - 12:13 PM

Hello,

 

I have a Dell Latitude D630 that I am running Windows XP SP3 off of. I have been recently infected with the Internet Security Pro virus.

 

Here is my log from completing a full scan using MalwareBytes:

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.06.27.09

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
Eric Maher :: ERIC-47D4EC6508 [administrator]

6/27/2013 7:27:08 PM
mbam-log-2013-06-27 (19-27-08).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 439998
Time elapsed: 1 hour(s), 38 minute(s), 22 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Internet Security (Trojan.Fakealert) -> Data: C:\Documents and Settings\All Users\Application Data\tdefender.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 1
HKCR\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32| (Trojan.0Access) -> Bad: (C:\RECYCLER\S-1-5-18\$6ce7c39fabe8b5c63fa0a796c7fbd960\n.) Good: (fastprox.dll) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 12
C:\Documents and Settings\All Users\Application Data\tdefender.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-1844237615-884357618-682003330-1003\$6ce7c39fabe8b5c63fa0a796c7fbd960\n (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Documents and Settings\Eric Maher\Local Settings\temp\37.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-18\$6ce7c39fabe8b5c63fa0a796c7fbd960\n (Rootkit.0Access) -> Delete on reboot.
C:\RECYCLER\S-1-5-18\$6ce7c39fabe8b5c63fa0a796c7fbd960\U\00000001.@ (Trojan.0Access) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-18\$6ce7c39fabe8b5c63fa0a796c7fbd960\U\80000000.@ (Trojan.0Access) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-18\$6ce7c39fabe8b5c63fa0a796c7fbd960\U\800000cb.@ (Trojan.0Access) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-1844237615-884357618-682003330-1003\$R6C8E9313 (Trojan.Downloader.ED) -> Quarantined and deleted successfully.
C:\Documents and Settings\Eric Maher\Templates\6o4v7yr6ikfw18072u (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Eric Maher\Local Settings\temp\6o4v7yr6ikfw18072u (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\6o4v7yr6ikfw18072u (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Eric Maher\Local Settings\Application Data\6o4v7yr6ikfw18072u (Trojan.FakeAlert) -> Quarantined and deleted successfully.

(end)

After restarting the computer in normal mode, I ran RKill, and no processes were reported terminated. I am not sure if I still have the virus, and any help would be much appreciated.  Thank you in advance.

 

Eric
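The Malwarebytes log above mixes a FakeAlert rogue (the "Internet Security" Run value and tdefender.exe) with ZeroAccess (0Access) artefacts under C:\RECYCLER, including a repaired CLSID InProcServer32 entry and one file left for deletion on reboot. As an added example, not part of this post and not Malwarebytes code, the Python below parses that log format, groups hits by family, and pulls out the two findings a responder should act on: the COM-server hijack as a persistence mechanism, and anything marked "Delete on reboot" as still present until the restart. The excerpt it runs on is constructed from the log in this post.

```python
"""Triage a Malwarebytes Anti-Malware 1.x text log.

Added example; not part of the post and not Malwarebytes code. It parses the
"<Section> Detected: N" blocks of the log format quoted above, groups hits by
threat family, and applies two checks that matter for this particular log:
  * a CLSID InProcServer32 entry whose "Bad:" path points under the RECYCLER
    folder is reported as a COM-server hijack (persistence), not just a file;
  * anything marked "Delete on reboot" is reported as still on disk until the
    machine restarts, so a rescan after the reboot is needed.
"""
import re
from collections import defaultdict

# Constructed excerpt of the MBAM log quoted in the post above.
SAMPLE_LOG = r"""
Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Internet Security (Trojan.Fakealert) -> Data: C:\Documents and Settings\All Users\Application Data\tdefender.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 1
HKCR\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32| (Trojan.0Access) -> Bad: (C:\RECYCLER\S-1-5-18\$6ce7c39fabe8b5c63fa0a796c7fbd960\n.) Good: (fastprox.dll) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Documents and Settings\All Users\Application Data\tdefender.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-18\$6ce7c39fabe8b5c63fa0a796c7fbd960\n (Rootkit.0Access) -> Delete on reboot.
C:\RECYCLER\S-1-5-18\$6ce7c39fabe8b5c63fa0a796c7fbd960\U\00000001.@ (Trojan.0Access) -> Quarantined and deleted successfully.

(end)
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)\s*$")
# "<item> (<family>) -> <details ...> -> <action>."
HIT_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
BAD_GOOD_RE = re.compile(r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\)")


def parse_mbam_log(text):
    """Yield one dict per detection line, tagged with the section it came from."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None or line.startswith("(No malicious items detected)"):
            continue
        m = HIT_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        # The action is always the last "->" segment; earlier ones carry details.
        action = rest.split(" -> ")[-1].strip().rstrip(".")
        hit = {"section": section, "item": m.group("item"),
               "family": m.group("family"), "action": action}
        bg = BAD_GOOD_RE.search(rest)
        if bg:  # registry data repairs record the bad and the expected value
            hit["bad"], hit["good"] = bg.group("bad"), bg.group("good")
        yield hit


def is_com_hijack(hit):
    """True when an InProcServer32 default value was redirected under RECYCLER."""
    key = hit["item"].upper().rstrip("|")
    return key.endswith("\\INPROCSERVER32") and "\\RECYCLER\\" in hit.get("bad", "").upper()


def triage(text):
    hits = list(parse_mbam_log(text))
    by_family = defaultdict(int)
    pending_reboot, com_hijacks = [], []
    for h in hits:
        by_family[h["family"].lower()] += 1  # MBAM mixes FakeAlert/Fakealert casing
        if h["action"].lower() == "delete on reboot":
            pending_reboot.append(h["item"])
        if is_com_hijack(h):
            clsid = re.search(r"\{[0-9A-Fa-f-]+\}", h["item"])
            com_hijacks.append({"clsid": clsid.group(0) if clsid else "",
                                "bad": h["bad"], "good": h["good"]})
    return {"hits": hits, "by_family": dict(by_family),
            "pending_reboot": pending_reboot, "com_hijacks": com_hijacks}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for fam, n in sorted(result["by_family"].items()):
        print(f"{n:>2}  {fam}")
    for c in result["com_hijacks"]:
        print(f"COM hijack: {c['clsid']} -> {c['bad']} (expected {c['good']})")
    for item in result["pending_reboot"]:
        print(f"Still on disk until reboot: {item}")
```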


#2 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 30 June 2013 - 12:51 PM

Hi there,
My name is Marius and I will be assisting you with your malware-related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications


====================================================


Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


[screenshot: RC_update.png]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


[screenshot: cfRC_screen_2.png]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 EricMaher
  • Topic Starter

  • Members
  • 8 posts

Posted 02 July 2013 - 08:54 AM

Hi Marius,

 

I have been trying to run Combofix. It reached "Stage 50," and was deleting certain files, but the computer froze before it could finish. Now, the computer won't fully boot. When I try to boot it in either Normal or Safe Mode with Networking, the computer freezes.

 

Best,

 

Eric



#4 EricMaher
  • Topic Starter

  • Members
  • 8 posts

Posted 02 July 2013 - 09:13 AM

Please disregard that last post.  I was able to get the computer started.  Once Combofix runs, I will post the log.



#5 EricMaher
  • Topic Starter

  • Members
  • 8 posts

Posted 02 July 2013 - 11:00 AM

Marius, 

 

Here is the Combofix Log.  Once the computer started up, there were no problems this time. 

 

ComboFix 13-07-02.02 - Eric Maher 07/02/2013  10:11:30.4.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3582.3113 [GMT -4:00]
Running from: c:\documents and settings\Eric Maher\My Documents\Downloads\ComboFix.exe
 * Created a new restore point
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-02 to 2013-07-02  )))))))))))))))))))))))))))))))
.
.
2013-06-24 01:42 . 2013-06-24 01:42    --------    d-sh--w-    c:\documents and settings\LocalService\IETldCache
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-27 00:57 . 2011-12-11 03:42    499712    ----a-w-    c:\windows\system32\msvcp71.dll
2013-04-27 00:57 . 2011-12-11 03:42    348160    ----a-w-    c:\windows\system32\msvcr71.dll
2013-04-04 18:50 . 2011-10-13 19:29    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2013-04-27 295512]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54    551296    ----a-w-    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Amazon Unbox.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Amazon Unbox.lnk
backup=c:\windows\pss\Amazon Unbox.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Eric Maher^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\documents and settings\Eric Maher\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Eric Maher^Start Menu^Programs^Startup^Microsoft Office Groove.lnk]
path=c:\documents and settings\Eric Maher\Start Menu\Programs\Startup\Microsoft Office Groove.lnk
backup=c:\windows\pss\Microsoft Office Groove.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Eric Maher^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Eric Maher\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-03-21 18:56    1230704    -c--a-w-    c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-11-11 05:40    421160    ----a-w-    c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 18:06    254696    -c--a-w-    c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2012-07-09 03:01    3905408    ----a-w-    c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"gupdate"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"ADVService"=2 (0x2)
"WMPNetworkSvc"=2 (0x2)
"gupdatem"=3 (0x3)
"!SASCORE"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [12/19/2006 3:21 PM 79432]
R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe [3/6/2013 2:21 AM 39056]
R3 NETwLx32;    Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [10/26/2010 12:37 PM 6607744]
S3 TUSB1150;Airties WUS-300 USB Wireless Adapter (TNETW1450);c:\windows\system32\DRIVERS\tusb1150.sys --> c:\windows\system32\DRIVERS\tusb1150.sys [?]
S4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - BITS
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-06-20 01:18    1165776    ----a-w-    c:\program files\Google\Chrome\Application\27.0.1453.116\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2013-07-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-08 16:19]
.
2013-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-08 16:19]
.
2013-04-29 c:\windows\Tasks\RealDownloaderDownloaderScheduledTaskS-1-5-21-1844237615-884357618-682003330-1003.job
- c:\program files\RealNetworks\RealDownloader\recordingmanager.exe [2013-03-06 06:23]
.
2013-07-02 c:\windows\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-1844237615-884357618-682003330-1003.job
- c:\program files\RealNetworks\RealDownloader\realupgrade.exe [2013-03-06 06:21]
.
2013-06-12 c:\windows\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-1844237615-884357618-682003330-1003.job
- c:\program files\RealNetworks\RealDownloader\realupgrade.exe [2013-03-06 06:21]
.
2013-07-02 c:\windows\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-1844237615-884357618-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-03-06 15:36]
.
2013-07-02 c:\windows\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-1844237615-884357618-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-03-06 15:36]
.
2013-07-02 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1844237615-884357618-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-03-06 15:36]
.
2013-06-15 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1844237615-884357618-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-03-06 15:36]
.
2013-07-02 c:\windows\Tasks\User_Feed_Synchronization-{B3A88925-84AD-42AC-A5C2-33D30BD3C10B}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wired.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Eric Maher\Application Data\Mozilla\Firefox\Profiles\ovkwek9q.default\
FF - prefs.js: browser.search.selectedEngine - Creative Commons
FF - prefs.js: browser.startup.homepage - hxxp://toughmudder.com/training-prep/
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7Bc0cf19dd-0f0d-42cc-9c9b-5713b1a1b0f0%7D&mid=edf025a22bd047d1ad33d1683655bdcd-4bec42129821878972222251a0f89ccb74494ba0&ds=AVG&v=8.0.0.34.1&lang=en&pr=fr&d=2011-10-14%2009%3A12%3A23&sap=ku&q=
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Adobe ARM - c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-07-02 10:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(868)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2013-07-02  10:53:37
ComboFix-quarantined-files.txt  2013-07-02 14:53
.
Pre-Run: 199,395,176,448 bytes free
Post-Run: 200,601,772,032 bytes free
.
- - End Of File - - 415B880BF62CED35B3ED5A3E9026BBE9
8F558EB6672622401DA993E1E865C861
 

Best,

 

Eric



#6 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 03 July 2013 - 01:24 AM

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.


[screenshot: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



#7 EricMaher
  • Topic Starter

  • Members
  • 8 posts

Posted 05 July 2013 - 09:48 PM

Hello,

 

The Combofix scan is not running because it says "The syntax of the command is incorrect."

 

Best,

 

Eric



#8 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 06 July 2013 - 05:34 AM

Please delete combofix.exe and download a new copy.

Try the script with the new combofix.exe



#9 EricMaher
  • Topic Starter

  • Members
  • 8 posts

Posted 06 July 2013 - 03:59 PM

Marius,

 

Here is the Combofix log. Thank you for all your help thus far.

 

ComboFix 13-07-07.01 - Eric Maher 07/06/2013  16:44:06.5.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3582.3028 [GMT -4:00]
Running from: c:\documents and settings\Eric Maher\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Eric Maher\Desktop\CFScript.txt
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\etc\hosts.ics
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-06 to 2013-07-06  )))))))))))))))))))))))))))))))
.
.
2013-06-24 01:42 . 2013-06-24 01:42    --------    d-sh--w-    c:\documents and settings\LocalService\IETldCache
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-27 00:57 . 2011-12-11 03:42    499712    ----a-w-    c:\windows\system32\msvcp71.dll
2013-04-27 00:57 . 2011-12-11 03:42    348160    ----a-w-    c:\windows\system32\msvcr71.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2013-04-27 295512]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54    551296    ----a-w-    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Amazon Unbox.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Amazon Unbox.lnk
backup=c:\windows\pss\Amazon Unbox.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Eric Maher^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\documents and settings\Eric Maher\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Eric Maher^Start Menu^Programs^Startup^Microsoft Office Groove.lnk]
path=c:\documents and settings\Eric Maher\Start Menu\Programs\Startup\Microsoft Office Groove.lnk
backup=c:\windows\pss\Microsoft Office Groove.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Eric Maher^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Eric Maher\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-03-21 18:56    1230704    -c--a-w-    c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-11-11 05:40    421160    ----a-w-    c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 18:06    254696    -c--a-w-    c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2012-07-09 03:01    3905408    ----a-w-    c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"gupdate"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"ADVService"=2 (0x2)
"WMPNetworkSvc"=2 (0x2)
"gupdatem"=3 (0x3)
"!SASCORE"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [12/19/2006 3:21 PM 79432]
R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe [3/6/2013 2:21 AM 39056]
R3 NETwLx32;    Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [10/26/2010 12:37 PM 6607744]
S3 TUSB1150;Airties WUS-300 USB Wireless Adapter (TNETW1450);c:\windows\system32\DRIVERS\tusb1150.sys --> c:\windows\system32\DRIVERS\tusb1150.sys [?]
S4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-06-20 01:18    1165776    ----a-w-    c:\program files\Google\Chrome\Application\27.0.1453.116\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2013-07-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-08 16:19]
.
2013-07-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-08 16:19]
.
2013-04-29 c:\windows\Tasks\RealDownloaderDownloaderScheduledTaskS-1-5-21-1844237615-884357618-682003330-1003.job
- c:\program files\RealNetworks\RealDownloader\recordingmanager.exe [2013-03-06 06:23]
.
2013-07-06 c:\windows\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-1844237615-884357618-682003330-1003.job
- c:\program files\RealNetworks\RealDownloader\realupgrade.exe [2013-03-06 06:21]
.
2013-06-12 c:\windows\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-1844237615-884357618-682003330-1003.job
- c:\program files\RealNetworks\RealDownloader\realupgrade.exe [2013-03-06 06:21]
.
2013-07-06 c:\windows\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-1844237615-884357618-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-03-06 15:36]
.
2013-07-06 c:\windows\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-1844237615-884357618-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-03-06 15:36]
.
2013-07-06 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1844237615-884357618-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-03-06 15:36]
.
2013-06-15 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1844237615-884357618-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-03-06 15:36]
.
2013-07-06 c:\windows\Tasks\User_Feed_Synchronization-{B3A88925-84AD-42AC-A5C2-33D30BD3C10B}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wired.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.0.0.1
FF - ProfilePath - c:\documents and settings\Eric Maher\Application Data\Mozilla\Firefox\Profiles\ovkwek9q.default\
FF - prefs.js: browser.search.selectedEngine - Creative Commons
FF - prefs.js: browser.startup.homepage - hxxp://toughmudder.com/training-prep/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-07-06 16:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(864)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2013-07-06  16:53:06
ComboFix-quarantined-files.txt  2013-07-06 20:52
ComboFix2.txt  2013-07-02 14:53
.
Pre-Run: 200,594,374,656 bytes free
Post-Run: 200,604,372,992 bytes free
.
- - End Of File - - AD414CD018257F13B2ECD08C9C5D8159
8F558EB6672622401DA993E1E865C861
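The ComboFix logs in posts #5 and #9 differ in a few places that are easy to miss by eye: the hosts.ics deletion, a new firewall authorized-application entry, the changed DhcpNameServer, and the dropped Firefox keyword.URL pref; both also carry Security Center override flags set to 1. As an added example, not part of the thread and not ComboFix's own code, the Python below parses the "Other Deletions", "Reg Loading Points" and "Supplementary Scan" sections of that log format, reports which records appeared or vanished between the two runs, and lists the override flags. The excerpts are constructed from the posted logs and trimmed to the lines that differ.

```python
"""Compare the autostart-related sections of two ComboFix logs.

Added example; not part of the thread and not ComboFix code. It parses the
"Other Deletions", "Reg Loading Points" (REGEDIT4-style) and "Supplementary
Scan" sections of the log format quoted above into (section, key, name, value)
records, reports which records appeared or disappeared between two runs, and
lists Security Center override flags (a value of 1 silences the XP Security
Center warning for a missing antivirus or firewall, so they deserve a look).
"""
import re

# Section banners look like "(((((  Name  )))))" or "------- Name -------".
HEADER_RE = re.compile(
    r"^(?:\(\(+|-{3,}|(?:- ){2,})\s*(?P<name>.*?)\s*(?:\)\)+|-{3,}|(?: -){2,})$"
)
WATCHED = {"Other Deletions", "Reg Loading Points", "Supplementary Scan"}

# Constructed excerpts of the logs in posts #5 and #9, trimmed to what differs.
LOG_BEFORE = r"""
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2013-04-27 295512]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wired.com/
TCP: DhcpNameServer = 192.168.1.1
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?q=
.
"""

LOG_AFTER = r"""
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\etc\hosts.ics
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2013-04-27 295512]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wired.com/
TCP: DhcpNameServer = 10.0.0.1
.
"""


def parse_combofix_log(text):
    """Return a set of (section, key, name, value) records for the watched sections."""
    records = set()
    section, key = None, ""
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HEADER_RE.match(line)
        if m:
            section, key = m.group("name"), ""
            continue
        if section not in WATCHED or line in ("", ".", "REGEDIT4") or line.startswith("*Note*"):
            continue
        if section == "Reg Loading Points":
            if line.startswith("[") and line.endswith("]"):
                key = line[1:-1]  # registry key the following values belong to
            elif "=" in line:
                name, value = line.split("=", 1)
                records.add((section, key, name.strip().strip('"'), value.strip()))
            else:  # file-info or service lines carry no name, keep the whole line
                records.add((section, key, "", line))
        else:  # path lists and "name = value" lines are compared as whole lines
            records.add((section, "", line, ""))
    return records


def diff_logs(before, after):
    a, b = parse_combofix_log(before), parse_combofix_log(after)
    return {"added": sorted(b - a), "removed": sorted(a - b)}


def security_center_overrides(records):
    """Names under ...\\Security Center whose override flag is set to 1."""
    return sorted(name for section, key, name, value in records
                  if key.lower().endswith("\\security center") and value == "dword:00000001")


if __name__ == "__main__":
    d = diff_logs(LOG_BEFORE, LOG_AFTER)
    for tag in ("removed", "added"):
        for section, key, name, value in d[tag]:
            print(f"{tag:>7}  [{section}] {key} {name} {value}".rstrip())
    print("Security Center overrides set:",
          security_center_overrides(parse_combofix_log(LOG_AFTER)))
```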
 



#10 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 08 July 2013 - 03:28 AM

Looks good!

 

 

Please go to here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file...
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.



#11 EricMaher
  • Topic Starter

  • Members
  • 8 posts

Posted 09 July 2013 - 11:11 PM

Here is the ESET log.  As of right now, the computer appears to be running okay.

 

C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\azrqoynbzhizmejxpfdcrxth.exe.vir    a variant of Win32/Redyms.AB trojan
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\fdtfkbscxtlc.exe.vir    a variant of Win32/Injector.ABPG trojan
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\fuaavojxdymrqaq.exe.vir    Win32/Spy.Agent.OAV trojan
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\yndscwlxrpamhxwiqvr.exe.vir    Win32/LockScreen.AKU trojan
 

Thank you,

 

Eric



#12 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 10 July 2013 - 02:02 AM

Then we can do the cleanup - if you are facing any issues, report that immediately.

Scan with adwCleaner


Please download AdwCleaner to your desktop.


  • Run adwcleaner.exe.
  • Hit delete.
  • When the run is finished, it will open up a text file.
  • Please post its contents within your next reply.
  • You'll find the log file at C:\AdwCleaner[S1].txt also.


SecurityCheck

Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan finished the (checkup.txt) will open. Copy its content to your thread.



#13 EricMaher
  • Topic Starter

  • Members
  • 8 posts

Posted 11 July 2013 - 05:59 PM

Hello,

 

Here is the Adware Log:

 

# AdwCleaner v2.305 - Logfile created 07/11/2013 at 18:50:11
# Updated 11/07/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Eric Maher - ERIC-47D4EC6508
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Eric Maher\My Documents\Downloads\adwcleaner(1).exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\SpeedMaxPc
Folder Deleted : C:\Documents and Settings\Eric Maher\Application Data\DriverCure
Folder Deleted : C:\Documents and Settings\Eric Maher\Application Data\SpeedMaxPc
Folder Deleted : C:\Documents and Settings\Eric Maher\Local Settings\Application Data\Vuze_Remote
Folder Deleted : C:\Documents and Settings\NetworkService\Local Settings\Application Data\Vuze_Remote

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\SpeedMaxPC
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2504091
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\conduitEngine
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Deleted : HKLM\Software\SpeedMaxPC

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v21.0 (en-US)

File : C:\Documents and Settings\Eric Maher\Application Data\Mozilla\Firefox\Profiles\ovkwek9q.default\prefs.js

Deleted : user_pref("browser.search.defaultenginename", "AVG Secure Search");

File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e7ix5pn7.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v27.0.1453.116

File : C:\Documents and Settings\Eric Maher\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [3004 octets] - [11/07/2013 18:50:11]

########## EOF - C:\AdwCleaner[S1].txt - [3064 octets] ##########

Here is the Security Check Log:

 Results of screen317's Security Check version 0.99.68  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 SUPERAntiSpyware     
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Java™ 6 Update 29  
 Java version out of Date!
 Adobe Flash Player 10 Flash Player out of Date!
 Adobe Flash Player     11.1.102.55  
 Mozilla Firefox 21.0 Firefox out of Date!  
 Google Chrome 27.0.1453.110  
 Google Chrome 27.0.1453.116  
````````Process Check: objlist.exe by Laurent````````  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 1%
````````````````````End of Log``````````````````````

Thank you!
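The two logs in the post above, read by an added example that is not part of the thread, AdwCleaner or SecurityCheck: it pulls the deleted folders, registry keys and Firefox prefs out of the AdwCleaner report, splits the registry hits by hive and flags the ones sitting in browser search or extension settings, and reads the SecurityCheck output for products marked out of date and for products listed with more than one version (the two Chrome lines above). The line formats it recognises are inferred from the posted logs only, and the sample logs embedded in the code are constructed, shortened copies of those posts.

```python
"""Triage helper for the AdwCleaner and SecurityCheck logs posted above.

Added example, not part of AdwCleaner, SecurityCheck or this thread. The line
formats are inferred from the posted logs only; the sample logs embedded below
are constructed, shortened copies of those posts.
"""
import re
from collections import defaultdict

ADW_ITEM = re.compile(r"^(Folder|File|Key|Value) (Deleted|Found) : (.+)$")
ADW_FILE = re.compile(r"^File : (.+)$")  # names the prefs.js the following lines refer to
ADW_PREF = re.compile(r"^Deleted : (user_pref\(.+\);)$")
SC_OUTDATED = re.compile(r"^(.*?)\s*out of date!?\s*$", re.IGNORECASE)  # "Out of date!" / "out of Date!"
SC_VERSIONED = re.compile(r"^(.+?)\s+(\d+(?:\.\d+)+)\s*$")  # "Google Chrome 27.0.1453.116"
# Lower-cased registry locations that mean browser search/extension settings
# were hijacked (the locations AdwCleaner reported in the log above).
BROWSER_HOOKS = ("searchscopes", r"currentversion\ext\settings", r"currentversion\ext\stats")


def parse_adwcleaner(text):
    """Group an AdwCleaner log: {'folder': [(action, path)], 'key': [...], 'prefs': [(prefs.js, line)]}."""
    found = defaultdict(list)
    current_file = None
    for raw in text.splitlines():
        line = raw.strip()
        if item := ADW_ITEM.match(line):
            kind, action, target = item.groups()
            found[kind.lower()].append((action, target))
        elif header := ADW_FILE.match(line):
            current_file = header.group(1)
        elif (pref := ADW_PREF.match(line)) and current_file:
            found["prefs"].append((current_file, pref.group(1)))
    return dict(found)


def summarize_registry(keys):
    """Count deleted keys per hive (HKLM = machine-wide, HKCU = this profile only)
    and list the ones that sit in browser search or extension settings."""
    summary = {"HKLM": 0, "HKCU": 0, "browser_hooks": []}
    for _action, path in keys:
        hive = path.split("\\", 1)[0].upper()
        if hive in summary:
            summary[hive] += 1
        if any(hook in path.lower() for hook in BROWSER_HOOKS):
            summary["browser_hooks"].append(path)
    return summary


def outdated_software(text):
    """Return the product names SecurityCheck marked as out of date, in log order."""
    names = []
    for line in text.splitlines():
        if m := SC_OUTDATED.match(line.strip()):
            names.append(m.group(1).strip())
    return names


def duplicate_versions(text):
    """Return products listed with more than one version: a second, stale install
    that the current version's updater will never patch."""
    versions = defaultdict(list)
    for line in text.splitlines():
        if m := SC_VERSIONED.match(line.strip()):
            versions[m.group(1)].append(m.group(2))
    return {product: v for product, v in versions.items() if len(v) > 1}


# Constructed, shortened copies of the two logs posted above.
ADW_SAMPLE = r"""
***** [Files / Folders] *****
Folder Deleted : C:\Documents and Settings\All Users\Application Data\SpeedMaxPc
Folder Deleted : C:\Documents and Settings\Eric Maher\Application Data\DriverCure
***** [Registry] *****
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\SpeedMaxPC
Key Deleted : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Deleted : HKLM\Software\Conduit
***** [Internet Browsers] *****
-\\ Mozilla Firefox v21.0 (en-US)
File : C:\Documents and Settings\Eric Maher\Application Data\Mozilla\Firefox\Profiles\ovkwek9q.default\prefs.js
Deleted : user_pref("browser.search.defaultenginename", "AVG Secure Search");
[OK] Registry is clean.
"""
SC_SAMPLE = """
 Windows XP Service Pack 3 x86
 Internet Explorer 8 Out of date!
 Malwarebytes Anti-Malware version 1.75.0.1300
 Java 6 Update 29
 Java version out of Date!
 Adobe Flash Player 10 Flash Player out of Date!
 Adobe Flash Player     11.1.102.55
 Mozilla Firefox 21.0 Firefox out of Date!
 Google Chrome 27.0.1453.110
 Google Chrome 27.0.1453.116
"""

if __name__ == "__main__":
    adw = parse_adwcleaner(ADW_SAMPLE)
    print(summarize_registry(adw["key"]), outdated_software(SC_SAMPLE), duplicate_versions(SC_SAMPLE))
```

The HKLM/HKCU split is the detail worth keeping an eye on when reading such a log: the Conduit keys under HKLM were machine-wide, so every account on the laptop carried them, while the SearchScopes and Ext\Settings keys under HKCU belonged to the one profile AdwCleaner ran under; a second profile (the Administrator account also has a Firefox profile in the log) would need its own pass.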



#14 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 12 July 2013 - 03:12 AM

Then your system is all clean now! :)

Internet Explorer out of date

Your version of Internet Explorer is outdated.

Java runtime Environment out of date

Your Java runtime environment is outdated. We will fix this.

  • Get the actual JRE from here
  • Save jxpiinstall.exe to your desktop
  • Close all running programs, especially your browser(s)
  • Run jxpiinstall.exe. This will download the newest JRE installer (Java 7 Update 4) and install the software.
  • when finished, go to
    Start-->control panel-->add/remove programs and remove all older Java versions. (if existing)
  • When finished, reboot your computer.

After the reboot
  • Open control panel again and click the java symbol.
  • Click Settings under Temporary Internet Files.
    The Temporary Files Settings dialog box appears.
  • Click Delete Files.
    The Delete Temporary Files dialog box appears
  • Click OK on Delete Temporary Files window.
  • Click OK again.

Adobe Flash Player out of date

Your Adobe flash player is outdated. We will fix this.

  • Get the actual player from here. Important: Uncheck any optional software (for example Google Chrome, etc.) offered.
  • Click upon Start-->control panel-->add/remove programs.
  • Search for and remove any older reader versions.

Mozilla Firefox out of date

Your Firefox browser is outdated. Please follow these instructions to update it:

  • Get the actual firefox from here.
  • Run setup and follow the instructions on your monitor.
  • Report any problems you have with the update.

Uninstall our tools using delfix

Please follow these steps in order:

  • In case we used Defogger to turn off your CD emulation software, you can start it again and use the Enable button.
  • In case we used Combofix: deactivate your antivirus software once more, then rename combofix.exe to uninstall.exe and run it one last time. You will be notified that Combofix has been removed.
  • In any case, please download delfix to your desktop.
    • Close all other programs and start delfix.
    • Please check all the boxes and run the tool.
    • delfix will now delete all found traces of our removal process.
  • If there is still something left, please delete it manually.

How to protect yourself

  • System Updates
    Being up to date is very important. Please be sure to activate automatic updates in your control panel.
    Windows XP | Windows Vista |
    Windows 7 | Windows 8
  • Protection
    What you need is one (not more) good virus scanner with background protection. Additionally, I recommend a special malware scanner that you run from time to time.
    Personally I am using the avast! Antivirus Free Edition and Malwarebytes Anti-Malware. They offer you good protection for free use. But please remember: you only get the full protection if you use the paid versions of your security software.
  • Up to date Software
    Stay up to date with all the programs you use. Some you really have to keep an eye on are: your browser(s) including add-ons and plug-ins, Java, Flash Player, your virus scanner, and basically every piece of software you use often. These links may help you to check:
  • Backups
    There are chances for an emergency every day, so be prepared. Back up your data on a regular basis. Whether you burn it to DVDs from time to time, use a cloud drive or a professional network backup system is your choice.
  • Brains
    It's no joke! You really need one of those things. :) It is very important not to just click anywhere that is colored or flashing while you are surfing the web. Do not click an OK button on any pop-up window without reading what it says. While installing software always choose the custom mode, read what those windows say and uncheck adware that would be installed along with the software you want.



#15 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 16 July 2013 - 02:07 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.