Norton issue/reinstall required/possible malware



#1 rserwin (Members, 38 posts)

Posted 30 June 2013 - 03:36 PM

Hi,

Had an issue w/ Norton requiring a reinstall; Spybot also found some malware which I removed. Want to check to make sure I got it all & don't have anything else lurking about.

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.25.2
Run by Scott Erwin at 14:33:44 on 2013-06-30
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3546.2192 [GMT -6:00]
.
AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r203425\STacSV.exe
C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Microsoft\BingBar\BBSvc.EXE
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\MediaMall\MediaMallServer.exe
C:\Program Files\Norton Identity Safe\Engine\2013.4.0.10\ccSvcHst.exe
C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe
C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton Identity Safe\Engine\2013.4.0.10\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Logitech\LWS\Webcam Software\CameraHelperShell.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Scott Erwin\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\Evernote\Evernote\EvernoteClipper.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Norton AntiVirus\Engine\20.4.0.40\ccSvcHst.exe
C:\Program Files\Norton AntiVirus\Engine\20.4.0.40\ccSvcHst.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k NetworkService
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uProxyServer = localhost:21320
BHO: GetGo URLCatch: {0315AA2C-10C7-4504-A1C4-F552ABA8A095} - c:\program files\getgo software\getgo download manager\URLCatch.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: uTorrentControl2 Toolbar: {687578b9-7132-4a7a-80e4-30ee31099e03} - c:\program files\utorrentcontrol2\prxtbuTo0.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton antivirus\engine\20.4.0.40\ips\IPSBHO.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Evernote extension: {92EF2EAD-A7CE-4424-B0DB-499CF856608E} - c:\program files\evernote\evernote\EvernoteIE.dll
BHO: Norton Identity Protection: {AB4C7833-A6EC-433f-B9FE-6B14B1A2F836} - c:\program files\norton identity safe\engine\2013.4.0.10\coieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: uTorrentControl2 Toolbar: {687578B9-7132-4A7A-80E4-30EE31099E03} - c:\program files\utorrentcontrol2\prxtbuTo0.dll
TB: GetGo Toolbar: {075BBE29-FEC0-404A-A459-FF58713616FA} - c:\program files\getgo software\getgo download manager\GGToolBand.dll
TB: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} -
TB: Norton Identity Safe Toolbar: {A13C2648-91D4-4BF3-BC6D-0079707C4389} - c:\program files\norton identity safe\engine\2013.4.0.10\coieplg.dll
TB: uTorrentControl2 Toolbar: {687578b9-7132-4a7a-80e4-30ee31099e03} - c:\program files\utorrentcontrol2\prxtbuTo0.dll
TB: Norton Identity Safe Toolbar: {A13C2648-91D4-4bf3-BC6D-0079707C4389} - c:\program files\norton identity safe\engine\2013.4.0.10\coieplg.dll
EB: Adobe PDF: {182EC0BE-5110-49C8-A062-BEB1D02A220B} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [LWS] c:\program files\logitech\lws\webcam software\LWS.exe -hide
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SDTray] "c:\program files\spybot - search & destroy 2\SDTray.exe"
dRunOnce: [WUAppSetup] c:\program files\common files\logishrd\WUApp32.exe -v 0x046d -p 0x0804 -f video -m logitech -d 13.31.1044.0
StartupFolder: c:\docume~1\scotte~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\scott erwin\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\scotte~1\startm~1\programs\startup\everno~1.lnk - c:\program files\evernote\evernote\EvernoteClipper.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: &Down&load &Link& Us&ing Ge&tGo - c:\program files\getgo software\getgo download manager\GGCatch.htm
IE: &Down&load All &Links& Us&ing Ge&tGo - c:\program files\getgo software\getgo download manager\GGCatchAll.htm
IE: &GetGo Toolbar Search - c:\program files\getgo software\getgo download manager\GGToolBand.dll/MENUSEARCH.HTM
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Clip Image - c:\program files\evernote\evernote\\evernoteieres\Clip.html?clipAction=4
IE: Clip selection - c:\program files\evernote\evernote\\evernoteieres\Clip.html?clipAction=3
IE: Clip this page - c:\program files\evernote\evernote\\evernoteieres\Clip.html?clipAction=1
IE: Clip URL - c:\program files\evernote\evernote\\evernoteieres\Clip.html?clipAction=0
IE: New Note - c:\program files\evernote\evernote\\evernoteieres\NewNote.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\program files\evernote\evernote\\evernoteieres\AddNote.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{4700E6A8-D843-40D9-BA3E-09344FD288F2} : DHCPNameServer = 192.168.0.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - <no file>
Notify: SDWinLogon - SDWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1    www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\scott erwin\application data\mozilla\firefox\profiles\ipwzx3ds.default-1353466292687\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\scott erwin\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\progra~1\palm\packag~1\NPInstal.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\amazon\mp3 downloader\npAmazonMP3DownloaderPlugin1017325.dll
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.145\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_7_700_224.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - ExtSQL: 2013-05-01 00:23; {F04D2D30-776C-4d02-8627-8E4385ECA58D}; c:\documents and settings\all users\application data\norton\{92622aad-05e8-4459-b256-765ce1e929fb}\nst_2013.3.3.19\coFFPlgn
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1404000.028\SymDS.sys [2013-6-30 367704]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1404000.028\SymEFA.sys [2013-6-30 934488]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_20.4.0.40\definitions\bashdefs\20130522.001\BHDrvx86.sys [2013-6-30 1002072]
R1 ccSet_NAV;Norton AntiVirus Settings Manager;c:\windows\system32\drivers\nav\1404000.028\ccSetx86.sys [2013-6-30 134744]
R1 ccSet_NST;Norton Identity Safe Settings Manager;c:\windows\system32\drivers\nst\7dd04000.00a\ccsetx86.sys [2013-6-18 134744]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-11-14 239168]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-5-14 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-14 67664]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1404000.028\Ironx86.sys [2013-6-30 175264]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2010-7-7 116608]
R2 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-10-21 196176]
R2 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\SeaPort.EXE [2011-10-13 249648]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2012-9-10 12184]
R2 MediaMall Server;MediaMall Server;c:\program files\mediamall\MediaMallServer.exe [2012-4-12 3057528]
R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\20.4.0.40\ccSvcHst.exe [2013-6-30 144368]
R2 NCO;Norton Identity Safe;c:\program files\norton identity safe\engine\2013.4.0.10\ccsvchst.exe [2013-6-18 144368]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\sony\pmb\PMBDeviceInfoProvider.exe [2010-11-27 398176]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\spybot - search & destroy 2\SDFSSvc.exe [2013-5-24 1817560]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\spybot - search & destroy 2\SDUpdSvc.exe [2013-5-24 1033688]
R2 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2011-3-31 450848]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc --> RUNDLL32.EXE ykx32coinst,serviceStartProc [?]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-5-8 108160]
R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [2010-6-22 21248]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_20.4.0.40\definitions\ipsdefs\20130402.100\IDSXpx86.sys [2013-6-30 373728]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_20.4.0.40\definitions\virusdefs\20130629.007\naveng.sys [2013-6-30 93272]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_20.4.0.40\definitions\virusdefs\20130629.007\navex15.sys [2013-6-30 1611992]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2009-5-8 160256]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\spybot - search & destroy 2\SDWSCSvc.exe [2013-5-24 171928]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-2-28 161384]
S3 Andbus;LGE Android Composite USB Device;c:\windows\system32\drivers\lgandbus.sys [2011-9-24 14336]
S3 AndDiag;LGE Android USB Serial Port;c:\windows\system32\drivers\lganddiag.sys [2011-9-24 20864]
S3 AndGps;LGE Android USB GPS NMEA Port;c:\windows\system32\drivers\lgandgps.sys [2011-9-24 19968]
S3 ANDModem;LGE Android USB Modem;c:\windows\system32\drivers\lgandmodem.sys [2011-9-24 24960]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [2012-11-2 83168]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [2008-7-29 39424]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2011-11-29 24576]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-14 12872]
S3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [2012-11-2 181344]
S4 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2009-5-16 155136]
S4 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2009-5-16 5248]
S4 PassThru Service;Internet Pass-Through Service;c:\program files\htc\internet pass-through\PassThruSvr.exe [2012-3-23 87040]
.
=============== Created Last 30 ================
.
2013-06-30 20:26:25    142496    ----a-w-    c:\windows\system32\drivers\SYMEVENT.SYS
2013-06-30 20:26:25    --------    d-----w-    c:\program files\Symantec
2013-06-30 20:26:25    --------    d-----w-    c:\program files\common files\Symantec Shared
2013-06-30 20:25:44    934488    ----a-r-    c:\windows\system32\drivers\nav\1404000.028\SymEFA.sys
2013-06-30 20:25:44    603224    ----a-r-    c:\windows\system32\drivers\nav\1404000.028\srtsp.sys
2013-06-30 20:25:44    396760    ----a-r-    c:\windows\system32\drivers\nav\1404000.028\symtdi.sys
2013-06-30 20:25:44    367704    ----a-r-    c:\windows\system32\drivers\nav\1404000.028\SymDS.sys
2013-06-30 20:25:44    352344    ----a-r-    c:\windows\system32\drivers\nav\1404000.028\symtdiv.sys
2013-06-30 20:25:44    339544    ----a-r-    c:\windows\system32\drivers\nav\1404000.028\symnets.sys
2013-06-30 20:25:44    32344    ----a-r-    c:\windows\system32\drivers\nav\1404000.028\srtspx.sys
2013-06-30 20:25:44    21400    ----a-r-    c:\windows\system32\drivers\nav\1404000.028\SymELAM.sys
2013-06-30 20:25:44    175264    ----a-r-    c:\windows\system32\drivers\nav\1404000.028\Ironx86.sys
2013-06-30 20:25:43    134744    ----a-r-    c:\windows\system32\drivers\nav\1404000.028\ccSetx86.sys
2013-06-30 20:25:32    14818    ----a-r-    c:\windows\system32\drivers\nav\1404000.028\SymVTcer.dat
2013-06-30 20:25:31    --------    d-----w-    c:\program files\Norton AntiVirus
2013-06-30 20:16:46    --------    d-----w-    c:\documents and settings\all users\application data\PCSettings
2013-06-20 01:47:18    144896    ----a-w-    c:\windows\system32\javacpl.cpl
2013-06-20 01:47:08    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-06-18 11:46:55    134744    ----a-w-    c:\windows\system32\drivers\nst\7dd04000.00a\ccsetx86.sys
2013-06-18 11:46:51    --------    d-----w-    c:\windows\system32\drivers\nst\7DD04000.00A
2013-06-15 03:01:27    --------    d-----w-    c:\documents and settings\scott erwin\local settings\application data\Splashtop
2013-06-15 02:58:21    --------    d-----w-    c:\documents and settings\scott erwin\application data\FileFly
2013-06-15 02:58:21    --------    d-----w-    c:\documents and settings\all users\FileFly
2013-06-12 09:44:36    --------    d-----w-    c:\windows\system32\drivers\nav\1404000.028
2013-06-11 21:07:31    9089416    ----a-w-    c:\windows\system32\FlashPlayerInstaller.exe
2013-06-11 13:54:21    --------    d-----w-    c:\documents and settings\scott erwin\application data\Intuit
2013-06-10 16:37:02    --------    d-----w-    c:\program files\common files\AnswerWorks 5.0
2013-06-10 16:36:45    4200744    ----a-w-    c:\windows\system32\cdintf400.dll
2013-06-10 16:36:10    --------    d-----w-    c:\program files\common files\Intuit
2013-06-10 16:36:07    --------    d-----w-    c:\program files\Quicken
2013-06-10 16:35:28    --------    d-----w-    c:\documents and settings\all users\application data\Intuit
2013-06-02 03:54:53    --------    d-----w-    c:\program files\Dropbox
.
==================== Find3M  ====================
.
2013-06-13 03:48:23    867240    ----a-w-    c:\windows\system32\npdeployJava1.dll
2013-06-13 03:48:17    789416    ----a-w-    c:\windows\system32\deployJava1.dll
2013-06-11 21:07:35    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-11 21:07:35    692104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-05-07 22:30:06    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-05-07 22:30:05    43520    ------w-    c:\windows\system32\licmgr10.dll
2013-05-07 22:30:05    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-05-07 21:53:29    385024    ------w-    c:\windows\system32\html.iec
2013-05-03 01:30:20    2149888    ------w-    c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38:17    2028544    ------w-    c:\windows\system32\ntkrnlpa.exe
2013-04-27 20:30:16    796672    ----a-w-    c:\windows\GPInstall.exe
2013-04-10 01:58:42    1722744    ----a-w-    c:\windows\system32\inetclnt.dll
2013-04-10 01:31:19    1876352    ------w-    c:\windows\system32\win32k.sys
2013-04-05 23:12:13    16400    ----a-w-    c:\windows\system32\drivers\LNonPnP.sys
2013-04-04 20:50:32    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-04-02 14:09:52    4550656    ----a-w-    c:\windows\system32\GPhotos.scr
.
============= FINISH: 14:34:52.21 ===============


#2 nasdaq (Malware Response Team, 38,767 posts; Montreal, QC, Canada)

Posted 05 July 2013 - 09:41 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

This proxy may be problematic. Did you set this up?
uProxyServer = localhost:21320
===

Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete tab follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
===

Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
===

Please download ComboFix from one of these locations:
Link 1
Link 2
IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third-party programs, if not up to date, can be the cause of infiltration of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.
===

Please paste the logs in your next reply, DO NOT ATTACH THEM.
Let me know what problem persists.
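Two checks a helper would actually run on the items nasdaq picks out above (the loopback proxy and the browser add-ons), as an added example written for this page; it is not the DDS tool's, AdwCleaner's or the BleepingComputer team's own code. The first function scans "Pseudo HJT Report" lines from a DDS log and flags a WinINet proxy (DDS reports the HKCU value as uProxyServer and the HKLM value as mProxyServer), add-ons whose DLL is missing or marked orphaned, add-ons whose name or path matches a watch list, and Hosts entries redirecting security sites. The second maps a listening port to a process from the text of `netstat -ano` and `tasklist /FO CSV`, which both exist on XP. The PUP watch list is constructed from names in this thread's logs, and the netstat/tasklist samples (PID 2468, placeholder_proxy.exe) are invented placeholders, not output from the poster's machine.

```python
"""Triage helpers for the DDS / netstat output discussed in this thread.

Added example for this page, not code from DDS, AdwCleaner or the forum
team.  PUP_MARKERS and the netstat/tasklist samples are constructed.
"""
import csv
import io
import re

# Constructed watch list: toolbar/PUP names that appear in this thread's logs.
PUP_MARKERS = ("ask toolbar", "ask.com", "conduit", "utorrentcontrol", "pricegong")

# DDS prefixes: u = HKCU, m = HKLM, d = default-user hive.
PROXY_RE = re.compile(r"^([umd])ProxyServer\s*=\s*(\S+)", re.IGNORECASE)
ADDON_RE = re.compile(r"^(BHO|TB|EB):\s*(.*?)\{[0-9A-Fa-f-]{36}\}\s*-\s*(.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s*(\S+)\s+(\S+)")


def triage_hjt(lines):
    """Return (severity, message) findings for DDS Pseudo-HJT report lines."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:
            hive = {"u": "HKCU", "m": "HKLM", "d": "default user"}[m.group(1).lower()]
            host = m.group(2).split(":")[0].lower()
            # A proxy on the loopback interface means a local process sits in
            # front of every browser request; identify it before deleting the value.
            sev = "high" if host in ("localhost", "127.0.0.1") else "medium"
            findings.append((sev, f"{hive} proxy = {m.group(2)}; identify the listening process"))
            continue
        m = ADDON_RE.match(line)
        if m:
            kind = m.group(1)
            name = m.group(2).strip(" :") or "(unnamed)"
            target = m.group(3).strip()
            if not target or target.startswith("<"):
                findings.append(("low", f"{kind} {name!r} has no backing file ({target or 'empty path'})"))
            elif any(p in (name + target).lower() for p in PUP_MARKERS):
                findings.append(("medium", f"{kind} {name!r} matches PUP watch list: {target}"))
            continue
        m = HOSTS_RE.match(line)
        if m and m.group(1).startswith("127."):
            findings.append(("medium", f"Hosts file redirects {m.group(2)} to {m.group(1)}"))
    return findings


def port_owner(netstat_text, tasklist_csv, port):
    """Map a listening TCP port to (pid, image name) using the text of
    `netstat -ano` and `tasklist /FO CSV`; None if nothing listens there."""
    pid = None
    for line in netstat_text.splitlines():
        parts = line.split()
        # netstat -ano rows: Proto  Local Address  Foreign Address  State  PID
        if (len(parts) == 5 and parts[0] == "TCP" and parts[3] == "LISTENING"
                and parts[1].rsplit(":", 1)[1] == str(port)):
            pid = parts[4]
            break
    if pid is None:
        return None
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        if row["PID"] == pid:
            return pid, row["Image Name"]
    return pid, "(pid not in tasklist output)"


# Sample DDS lines copied from the log posted above.
SAMPLE_HJT = [
    "uProxyServer = localhost:21320",
    r"BHO: GetGo URLCatch: {0315AA2C-10C7-4504-A1C4-F552ABA8A095} - c:\program files\getgo software\getgo download manager\URLCatch.dll",
    "BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>",
    r"BHO: uTorrentControl2 Toolbar: {687578b9-7132-4a7a-80e4-30ee31099e03} - c:\program files\utorrentcontrol2\prxtbuTo0.dll",
    "TB: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} -",
    "TCP: NameServer = 192.168.0.1",
    "Hosts: 127.0.0.1    www.spywareinfo.com",
]

# Constructed netstat / tasklist output: PID and image name are placeholders.
SAMPLE_NETSTAT = """Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1032
  TCP    127.0.0.1:21320        0.0.0.0:0              LISTENING       2468
"""
SAMPLE_TASKLIST = ('"Image Name","PID","Session Name","Session#","Mem Usage"\n'
                   '"svchost.exe","1032","Console","0","5,120 K"\n'
                   '"placeholder_proxy.exe","2468","Console","0","8,440 K"\n')

if __name__ == "__main__":
    for sev, msg in triage_hjt(SAMPLE_HJT):
        print(f"[{sev}] {msg}")
    print(port_owner(SAMPLE_NETSTAT, SAMPLE_TASKLIST, 21320))
```

The value DDS prints as uProxyServer is the ProxyServer string under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings (paired with ProxyEnable); a loopback proxy is legitimate when a known local filtering or privacy tool owns the port, so the process behind it should be named before the setting is cleared. Windows file sharing uses SMB and does not touch this value.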

#3 rserwin (Topic Starter; Members, 38 posts)

Posted 05 July 2013 - 05:24 PM

Hi Nasdaq,

Thanks for helping me.

1. I am sharing a file (not root) & subfolders to my wireless network so I can move files back and forth between phone, laptop, etc. - would that be the cause of the proxy server you mentioned?

2. Ran adwcleaner and JRT w/ no problems, logs are pasted below.

3. Combofix started to run, then below the line that says "...on badly infected machines may double..." it displayed "The syntax is not correct" and then did nothing; I stopped it after about 20 min with no log produced.

4. Security Check bombed immediately with "Unsupported Operating System!" message (all that was in the log).

5. No particular problems to report w/ regards to how the computer is operating, just want to make sure nothing is lurking.

Scott


# AdwCleaner v2.304 - Logfile created 07/05/2013 at 15:30:37
# Updated 03/07/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Scott Erwin - BLUEBOMBER
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Scott Erwin\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\Documents and Settings\Scott Erwin\Application Data\Mozilla\Firefox\Profiles\ipwzx3ds.default-1353466292687\searchplugins\Askcom.xml
File Deleted : C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Ask
Folder Deleted : C:\Documents and Settings\All Users\Application Data\InstallMate
Folder Deleted : C:\Documents and Settings\Ian Erwin\Local Settings\Application Data\AskToolbar
Folder Deleted : C:\Documents and Settings\Kim Erwin\Application Data\PriceGong
Folder Deleted : C:\Documents and Settings\Kim Erwin\Local Settings\Application Data\AskToolbar
Folder Deleted : C:\Documents and Settings\Kim Erwin\Local Settings\Application Data\uTorrentControl2
Folder Deleted : C:\Documents and Settings\NetworkService\Local Settings\Application Data\uTorrentControl2
Folder Deleted : C:\Documents and Settings\Scott Erwin\Application Data\Mozilla\Firefox\Profiles\ipwzx3ds.default-1353466292687\extensions\toolbar@ask.com
Folder Deleted : C:\Documents and Settings\Scott Erwin\Application Data\PriceGong
Folder Deleted : C:\Documents and Settings\Scott Erwin\Local Settings\Application Data\AskToolbar
Folder Deleted : C:\Documents and Settings\Scott Erwin\Local Settings\Application Data\uTorrentControl2
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\uTorrentControl2
Folder Deleted : C:\WINDOWS\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

***** [Registry] *****

Key Deleted : HKCU\Software\APN
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{79A765E1-C399-405B-85AF-466F52E918B0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{687578B9-7132-4A7A-80E4-30EE31099E03}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{687578B9-7132-4A7A-80E4-30EE31099E03}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4AAF2A6-F6D1-49A5-BA1A-B20735DF1955}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}
Key Deleted : HKCU\Software\PriceGong
Key Deleted : HKCU\Software\uTorrentControl2
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Toolbar
Key Deleted : HKLM\Software\APN
Key Deleted : HKLM\Software\AskToolbar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{687578B9-7132-4A7A-80E4-30EE31099E03}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D4AAF2A6-F6D1-49A5-BA1A-B20735DF1955}
Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd
Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1
Key Deleted : HKLM\Software\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\Software\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2548838
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3072253
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4FDB1C3C-6F1F-4140-8F6C-C551A0F1F0BF}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{63DF2DA9-0AD8-42A6-9CF0-F485D9621BB0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\uTorrentControl2 Toolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{687578B9-7132-4A7A-80E4-30EE31099E03}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D4AAF2A6-F6D1-49A5-BA1A-B20735DF1955}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\F928123A039649549966D4C29D35B1C9
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0CFE535C35F99574E8340BFA75BF92C2
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0E12F736682067FDE4D1158D5940A82E
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\120DFADEB50841F408F04D2A278F9509
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1A24B5BB8521B03E0C8D908F5ABC0AE6
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\261F213D1F55267499B1F87D0CC3BCF7
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2B0D56C4F4C46D844A57FFED6F0D2852
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2BDF3E992C0908741B7C11F4B4E0F775
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\49D4375FE41653242AEA4C969E4E65E0
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6AA0923513360135B272E8289C5F13FA
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6B3BC4CF5ECE1F54BBA174C13A1AB907
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F7467AF8F29C134CBBAB394ECCFDE96
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\741B4ADF27276464790022C965AB6DA8
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7DE196B10195F5647A2B21B761F3DE01
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\922525DCC5199162F8935747CA3D8E59
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9D4F5849367142E4685ED8C25E44C5ED
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A5875B04372C19545BEB90D4D606C472
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A876D9E80B896EC44A8620248CC79296
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B5BAE2ED018083A4C8DA86D6E3F4B024
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B66FFAB725B92594C986DE826A867888
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BCDA179D619B91648538E3394CAC94CC
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BEABAA33A5E68374DBF197F2A00CD011
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\CB61AF52AD64B6B45930BE969F316720
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D677B1A9671D4D4004F6F2A4469E86EA
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DD1402A9DD4215A43ABDE169A41AFA0E
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E36E114A0EAD2AD46B381D23AD69CDDF
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EF8E618DB3AEDFBB384561B5C548F65E
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\uTorrentControl2 Toolbar
Key Deleted : HKLM\Software\uTorrentControl2
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{687578B9-7132-4A7A-80E4-30EE31099E03}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{687578B9-7132-4A7A-80E4-30EE31099E03}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ApnUpdater]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v22.0 (en-US)

File : C:\Documents and Settings\Scott Erwin\Application Data\Mozilla\Firefox\Profiles\ipwzx3ds.default-1353466292687\prefs.js

Deleted : user_pref("browser.search.defaultengine", "Ask.com");
Deleted : user_pref("browser.search.defaultenginename", "Ask.com");
Deleted : user_pref("browser.search.order.1", "Ask.com");
Deleted : user_pref("browser.search.selectedEngine", "Ask.com");
Deleted : user_pref("extensions.asktb.ff-original-keyword-url", "");
Deleted : user_pref("extensions.toolbar@ask.com.install-event-fired", true);

File : C:\Documents and Settings\Kim Erwin\Application Data\Mozilla\Firefox\Profiles\0oni0qqy.default\prefs.js

Deleted : user_pref("browser.search.defaultengine", "Ask.com");
Deleted : user_pref("browser.search.defaultenginename", "Ask.com");
Deleted : user_pref("browser.search.order.1", "Ask.com");
Deleted : user_pref("extensions.asktb.ff-original-keyword-url", "");

File : C:\Documents and Settings\Ian Erwin\Application Data\Mozilla\Firefox\Profiles\si4ryvtr.default\prefs.js

Deleted : user_pref("browser.search.defaultengine", "Ask.com");
Deleted : user_pref("browser.search.defaultenginename", "Ask.com");
Deleted : user_pref("browser.search.order.1", "Ask.com");
Deleted : user_pref("browser.search.selectedEngine", "Ask.com");
Deleted : user_pref("extensions.asktb.ff-original-keyword-url", "");

*************************

AdwCleaner[S1].txt - [11686 octets] - [05/07/2013 15:30:37]

########## EOF - C:\AdwCleaner[S1].txt - [11747 octets] ##########
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.4 (05.06.2013:1)
OS: Microsoft Windows XP x86
Ran by Scott Erwin on Fri 07/05/2013 at 15:42:43.06
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\installer\upgradecodes\f928123a039649549966d4c29d35b1c9
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{7096D1FB-FC57-4FC3-82A9-9A9E972370AD}



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\Documents and Settings\Scott Erwin\Local Settings\Application Data\splashtop"





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 07/05/2013 at 15:46:49.57
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#4 nasdaq

  • Malware Response Team
  • 38,767 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 06 July 2013 - 06:48 AM

1. I am sharing a file (not root) & subfolders to my wireless network so I can move files back and forth between phone, laptop, etc. - would that be the cause of the proxy server you mentioned?

Could be. Let's just keep it in the back of our minds for now.

===

3. Combofix started to run, then below the line that says "...on badly infected machines may double..." it displayed "The syntax is not correct"

This error was corrected yesterday. Remove your current version of Combofix.exe and download the latest version.
===

4. Security Check bombed immediately with "Unsupported Operating System!" message (all that was in the log).

Restart the computer normally and run the tool one more time. Post the log if you can.
===

#5 rserwin

  • Topic Starter
  • Members
  • 38 posts

Posted 06 July 2013 - 09:02 AM

Hi Nasdaq,

All steps executed w/out issues, logs are below.  Thanks again!

Scott

ComboFix 13-07-06.03 - Scott Erwin 07/06/2013   7:32.6.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3546.1658 [GMT -6:00]
Running from: c:\documents and settings\Scott Erwin\Desktop\ComboFix.exe
AV: Norton AntiVirus *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Ian Erwin\My Documents\~WRL3740.tmp
c:\documents and settings\Scott Erwin\Application Data\yuvcodecs-1.3.exe
c:\documents and settings\Scott Erwin\WINDOWS
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-06 to 2013-07-06  )))))))))))))))))))))))))))))))
.
.
2013-07-05 21:42 . 2013-07-05 21:42    --------    d-----w-    c:\windows\ERUNT
2013-07-05 21:42 . 2013-07-05 21:42    --------    d-----w-    C:\JRT
2013-06-30 20:26 . 2013-06-30 20:32    --------    d-----w-    c:\program files\Common Files\Symantec Shared
2013-06-30 20:26 . 2013-06-30 20:26    142496    ----a-w-    c:\windows\system32\drivers\SYMEVENT.SYS
2013-06-30 20:26 . 2013-06-30 20:26    --------    d-----w-    c:\program files\Symantec
2013-06-30 20:25 . 2013-06-30 20:25    --------    d-----w-    c:\program files\Norton AntiVirus
2013-06-30 20:16 . 2013-06-30 20:16    --------    d-----w-    c:\documents and settings\All Users\Application Data\PCSettings
2013-06-20 01:47 . 2013-06-13 03:35    144896    ----a-w-    c:\windows\system32\javacpl.cpl
2013-06-20 01:47 . 2013-06-13 03:48    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-06-18 11:46 . 2013-06-18 11:46    --------    d-----w-    c:\windows\system32\drivers\NST\7DD04000.00A
2013-06-15 02:58 . 2013-06-15 02:58    --------    d-----w-    c:\documents and settings\Scott Erwin\Application Data\FileFly
2013-06-15 02:58 . 2013-06-15 02:58    --------    d-----w-    c:\documents and settings\All Users\FileFly
2013-06-12 09:44 . 2013-06-30 21:54    --------    d-----w-    c:\windows\system32\drivers\NAV\1404000.028
2013-06-11 21:07 . 2013-06-11 21:07    9089416    ----a-w-    c:\windows\system32\FlashPlayerInstaller.exe
2013-06-11 13:54 . 2013-06-11 13:54    --------    d-----w-    c:\documents and settings\Scott Erwin\Application Data\Intuit
2013-06-10 16:37 . 2013-06-10 16:37    --------    d-----w-    c:\program files\Common Files\AnswerWorks 5.0
2013-06-10 16:36 . 2013-04-10 01:58    4200744    ----a-w-    c:\windows\system32\cdintf400.dll
2013-06-10 16:36 . 2013-06-10 16:36    --------    d-----w-    c:\program files\Common Files\Intuit
2013-06-10 16:36 . 2013-06-10 16:36    --------    d-----w-    c:\program files\Quicken
2013-06-10 16:35 . 2013-06-10 16:35    --------    d-----w-    c:\documents and settings\All Users\Application Data\Intuit
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-13 03:48 . 2012-05-12 01:53    867240    ----a-w-    c:\windows\system32\npdeployJava1.dll
2013-06-13 03:48 . 2011-09-15 12:55    789416    ----a-w-    c:\windows\system32\deployJava1.dll
2013-06-11 21:07 . 2012-04-13 11:01    692104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-06-11 21:07 . 2011-06-08 11:41    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-07 22:30 . 2008-04-25 16:16    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-05-07 22:30 . 2008-04-25 16:16    43520    ------w-    c:\windows\system32\licmgr10.dll
2013-05-07 22:30 . 2008-04-25 16:16    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-05-07 21:53 . 2008-04-25 16:16    385024    ------w-    c:\windows\system32\html.iec
2013-05-03 01:30 . 2008-04-25 16:16    2149888    ------w-    c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38 . 2008-04-14 00:01    2028544    ------w-    c:\windows\system32\ntkrnlpa.exe
2013-04-27 20:30 . 2013-04-27 20:30    796672    ----a-w-    c:\windows\GPInstall.exe
2013-04-10 01:58 . 2013-04-10 01:58    1722744    ----a-w-    c:\windows\system32\inetclnt.dll
2013-04-10 01:31 . 2008-04-25 16:16    1876352    ------w-    c:\windows\system32\win32k.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36    130736    ----a-w-    c:\documents and settings\Scott Erwin\Application Data\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36    130736    ----a-w-    c:\documents and settings\Scott Erwin\Application Data\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36    130736    ----a-w-    c:\documents and settings\Scott Erwin\Application Data\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36    130736    ----a-w-    c:\documents and settings\Scott Erwin\Application Data\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2013-05-24 4760816]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-08 150040]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2011-11-11 205336]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-08 150040]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-05-07 178712]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-08 178712]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-12-08 200704]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-02-20 152392]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2013-05-16 3830224]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WUAppSetup"="c:\program files\Common Files\logishrd\WUApp32.exe" [2012-01-18 465944]
.
c:\documents and settings\Scott Erwin\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Scott Erwin\Application Data\Dropbox\bin\Dropbox.exe /systemstartup [2013-5-24 27776968]
EvernoteClipper.lnk - c:\program files\Evernote\Evernote\EvernoteClipper.exe [2013-5-22 1089888]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-06 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-05-08 07:12    10536    ----a-w-    c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Documents and Settings\\Scott Erwin\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Amazon\\Utilities\\Amazon Music Importer\\Amazon Music Importer.exe"=
"c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
"c:\\WINDOWS\\system32\\muzapp.exe"=
"c:\\Documents and Settings\\Kim Erwin\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\gnucash\\bin\\gnucash.exe"=
"c:\\Program Files\\gnucash\\bin\\gconfd-2.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Calibre2\\calibre.exe"=
"c:\\Program Files\\Eye-Fi\\Helper\\EyeFiHelper.exe"=
"c:\\Program Files\\Applian Technologies\\Replay Media Catcher 5\\aria2c.exe"=
"c:\\Program Files\\Applian Technologies\\Replay Media Catcher 5\\qtCopy.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\MediaMall\\MediaMallServer.exe"=
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1404000.028\SymDS.sys [6/30/2013 2:25 PM 367704]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1404000.028\SymEFA.sys [6/30/2013 2:25 PM 934488]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.4.0.40\Definitions\BASHDefs\20130702.001\BHDrvx86.sys [7/2/2013 11:31 AM 1002072]
R1 ccSet_NAV;Norton AntiVirus Settings Manager;c:\windows\system32\drivers\NAV\1404000.028\ccSetx86.sys [6/30/2013 2:25 PM 134744]
R1 ccSet_NST;Norton Identity Safe Settings Manager;c:\windows\system32\drivers\NST\7DD04000.00A\ccsetx86.sys [6/18/2013 5:46 AM 134744]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [11/14/2011 9:24 PM 239168]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [5/14/2009 2:22 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/14/2009 2:22 PM 67664]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1404000.028\Ironx86.sys [6/30/2013 2:25 PM 175264]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [7/7/2010 3:26 PM 116608]
R2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [10/13/2011 6:21 PM 249648]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [9/10/2012 7:51 PM 12184]
R2 MediaMall Server;MediaMall Server;c:\program files\MediaMall\MediaMallServer.exe [4/12/2012 2:32 AM 3057528]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\20.4.0.40\ccSvcHst.exe [6/30/2013 2:25 PM 144368]
R2 NCO;Norton Identity Safe;c:\program files\Norton Identity Safe\Engine\2013.4.0.10\ccsvchst.exe [6/18/2013 5:46 AM 144368]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/25/2010 11:07 AM 35088]
R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\Sony\PMB\PMBDeviceInfoProvider.exe [11/27/2010 12:55 AM 398176]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [5/24/2013 6:59 PM 1817560]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [5/24/2013 6:59 PM 1033688]
R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [3/31/2011 11:11 PM 450848]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [5/8/2009 3:58 AM 108160]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/4/2013 7:15 AM 106656]
R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [6/22/2010 6:01 PM 21248]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.4.0.40\Definitions\IPSDefs\20130705.001\IDSXpx86.sys [7/5/2013 2:18 PM 373728]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [5/8/2009 3:58 AM 160256]
S2 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [10/21/2011 4:23 PM 196176]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [5/24/2013 6:59 PM 171928]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2/28/2013 6:45 PM 161384]
S2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc --> RUNDLL32.EXE ykx32coinst,serviceStartProc [?]
S3 Andbus;LGE Android Composite USB Device;c:\windows\system32\drivers\lgandbus.sys [9/24/2011 9:24 AM 14336]
S3 AndDiag;LGE Android USB Serial Port;c:\windows\system32\drivers\lganddiag.sys [9/24/2011 9:24 AM 20864]
S3 AndGps;LGE Android USB GPS NMEA Port;c:\windows\system32\drivers\lgandgps.sys [9/24/2011 9:24 AM 19968]
S3 ANDModem;LGE Android USB Modem;c:\windows\system32\drivers\lgandmodem.sys [9/24/2011 9:24 AM 24960]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [11/2/2012 8:43 PM 83168]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [7/29/2008 3:09 PM 39424]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [11/29/2011 8:03 PM 24576]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 2:22 PM 12872]
S3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [11/2/2012 8:43 PM 181344]
S4 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [5/16/2009 7:05 AM 155136]
S4 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [5/16/2009 7:05 AM 5248]
S4 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [3/23/2012 2:25 PM 87040]
S4 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-05 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-13 21:07]
.
2013-07-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57]
.
2013-07-05 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2013-05-25 16:58]
.
2013-07-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-27 18:50]
.
2013-07-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-27 18:50]
.
2013-07-05 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2711413373-85637788-2482939975-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 09:02]
.
2013-07-05 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2711413373-85637788-2482939975-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 09:02]
.
2013-07-05 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2711413373-85637788-2482939975-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 09:02]
.
2013-07-01 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2711413373-85637788-2482939975-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 09:02]
.
2013-07-03 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2013-05-25 16:57]
.
2013-07-02 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDScan.exe [2013-05-25 16:58]
.
2013-06-23 c:\windows\Tasks\SyncBack Ian's Document Backup.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2009-05-16 22:42]
.
2013-07-05 c:\windows\Tasks\SyncBack KeePass (Kim).job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2009-05-16 22:42]
.
2013-07-05 c:\windows\Tasks\SyncBack KeePass (Scott).job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2009-05-16 22:42]
.
2013-07-05 c:\windows\Tasks\SyncBack KeePass.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2009-05-16 22:42]
.
2013-06-23 c:\windows\Tasks\SyncBack Kim's Document Backup.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2009-05-16 22:42]
.
2013-06-23 c:\windows\Tasks\SyncBack Scott's Document Backup.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2009-05-16 22:42]
.
2013-06-23 c:\windows\Tasks\SyncBack Shared Documents Backup.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2009-05-16 22:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = localhost:21320
IE: &Down&load &Link& Us&ing Ge&tGo - c:\program files\GetGo Software\GetGo Download Manager\GGCatch.htm
IE: &Down&load All &Links& Us&ing Ge&tGo - c:\program files\GetGo Software\GetGo Download Manager\GGCatchAll.htm
IE: &GetGo Toolbar Search - c:\program files\GetGo Software\GetGo Download Manager\GGToolBand.dll/MENUSEARCH.HTM
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Clip Image - c:\program files\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=4
IE: Clip selection - c:\program files\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=3
IE: Clip this page - c:\program files\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=1
IE: Clip URL - c:\program files\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=0
IE: New Note - c:\program files\Evernote\Evernote\\EvernoteIERes\NewNote.html
TCP: DhcpNameServer = 192.168.0.1
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - ProfilePath - c:\documents and settings\Scott Erwin\Application Data\Mozilla\Firefox\Profiles\ipwzx3ds.default-1353466292687\
FF - prefs.js: browser.startup.homepage - www.google.com
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Notify-LBTWlgn - (no file)
Notify-SDWinLogon - SDWinLogon.dll
AddRemove-Dungeon Keeper II - c:\program files\Bullfrog\Dungeon Keeper 2\Uninst.isu
AddRemove-{302A1E2E-DD58-4673-BC99-9CC10EC2637A} - c:\docume~1\ALLUSE~1\APPLIC~1\INSTAL~2\{302A1~1\Setup.exe
AddRemove-01_Simmental - c:\program files\Samsung\USB Drivers\01_Simmental\Uninstall.exe
AddRemove-02_Siberian - c:\program files\Samsung\USB Drivers\02_Siberian\Uninstall.exe
AddRemove-03_Swallowtail - c:\program files\Samsung\USB Drivers\03_Swallowtail\Uninstall.exe
AddRemove-04_semseyite - c:\program files\Samsung\USB Drivers\04_semseyite\Uninstall.exe
AddRemove-07_Schorl - c:\program files\Samsung\USB Drivers\07_Schorl\Uninstall.exe
AddRemove-09_Hsp - c:\program files\Samsung\USB Drivers\09_Hsp\Uninstall.exe
AddRemove-11_HSP_Plus_Default - c:\program files\Samsung\USB Drivers\11_HSP_Plus_Default\Uninstall.exe
AddRemove-16_Shrewsbury - c:\program files\Samsung\USB Drivers\16_Shrewsbury\Uninstall.exe
AddRemove-20_NXP_Driver - c:\program files\Samsung\USB Drivers\20_NXP_Driver\Uninstall.exe
AddRemove-24_flashusbdriver - c:\program files\Samsung\USB Drivers\24_flashusbdriver\Uninstall.exe
AddRemove-25_escape - c:\program files\Samsung\USB Drivers\25_escape\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-07-06 07:48
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\20.4.0.40\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\20.4.0.40\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NCO]
"ImagePath"="\"c:\program files\Norton Identity Safe\Engine\2013.4.0.10\ccSvcHst.exe\" /s \"NCO\" /m \"c:\program files\Norton Identity Safe\Engine\2013.4.0.10\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(948)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\windows\system32\igfxdev.dll
.
- - - - - - - > 'winlogon.exe'(6012)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\windows\system32\igfxdev.dll
.
Completion time: 2013-07-06  07:51:11
ComboFix-quarantined-files.txt  2013-07-06 13:50
.
Pre-Run: 17,029,591,040 bytes free
Post-Run: 17,008,361,472 bytes free
.
- - End Of File - - 46E882DC6FD7A13191A235E91055B2C1
7B53936AFA31AA818DDEE1F13C3004E3

 Results of screen317's Security Check version 0.99.68  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
Norton AntiVirus   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 Out of date Spybot installed!
 Spybot - Search & Destroy 1.4
 Spybot - Search & Destroy
 SUPERAntiSpyware Free Edition   
 Malwarebytes Anti-Malware version 1.75.0.1300  
 JavaFX 2.1.1    
 Java 7 Update 25  
 Java SE Development Kit 7 Update 7
 Adobe Flash Player     11.7.700.224  
 Adobe Reader 10.1.7 Adobe Reader out of Date!  
 Mozilla Firefox (22.0)
````````Process Check: objlist.exe by Laurent````````  
 Norton ccSvcHst.exe
 Spybot Teatimer.exe is disabled!
 Norton AntiVirus Engine 20.4.0.40 ccSvcHst.exe
 MediaMall MediaMallServer.exe   
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 14% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
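The Security Check output above flags installed programs whose version is older than the checker's threshold (Adobe Reader, Spybot, Internet Explorer). The following is an added example, not part of the original post and not screen317's tool: it reads the same Add/Remove Programs inventory from the Uninstall registry key and compares each matching entry against a minimum version. The thresholds in $MinimumVersion are assumptions chosen to illustrate the log above, not vendor statements, and the name patterns are assumptions too. It needs PowerShell 2.0 or later (an optional install on XP SP3).

```powershell
# Added example; not part of the original post and not screen317's Security
# Check. Reads the Add/Remove Programs inventory from the Uninstall registry key
# and compares each matching entry with a minimum version. The thresholds in
# $MinimumVersion are assumptions for illustration, not vendor statements.
# Needs PowerShell 2.0 or later.

function Get-InstalledProgram {
    # 32-bit XP has only the first path; the Wow6432Node path is skipped
    # silently where it does not exist.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayVersion } |
        Select-Object DisplayName, DisplayVersion
}

function Test-ProgramVersion {
    param(
        # Objects carrying DisplayName and DisplayVersion (see Get-InstalledProgram).
        [Parameter(Mandatory = $true)]$Installed,
        # Wildcard name pattern -> minimum acceptable version string.
        [Parameter(Mandatory = $true)][hashtable]$Minimum
    )
    foreach ($p in $Installed) {
        foreach ($pattern in $Minimum.Keys) {
            if ($p.DisplayName -notlike $pattern) { continue }
            # DisplayVersion is free text: "10.1.7" or "7.0.250" parse as
            # [version], strings with letters do not. A parse failure is
            # reported as its own status rather than silently treated as "ok".
            $have = $null
            try { $have = [version]$p.DisplayVersion } catch { }
            $want = [version]$Minimum[$pattern]
            $status = 'ok'
            if ($have -eq $null) {
                $status = 'unparsable'
            } elseif ($have -lt $want) {
                $status = 'OUT OF DATE'
            }
            New-Object PSObject -Property @{
                Name      = $p.DisplayName
                Installed = $p.DisplayVersion
                Minimum   = $want
                Status    = $status
            }
        }
    }
}

# Assumed thresholds for illustration only. Version string formats differ per
# product (the JRE writes "7.0.250", other products use other schemes), so each
# pattern carries its own threshold in that product's own format.
$MinimumVersion = @{
    'Adobe Reader*'       = '11.0.0'
    'Adobe Flash Player*' = '11.7.700.224'
    'Java 7 Update*'      = '7.0.250'
    'Spybot*'             = '2.0.0'
    'Mozilla Firefox*'    = '22.0'
}

Test-ProgramVersion -Installed (Get-InstalledProgram) -Minimum $MinimumVersion |
    Sort-Object Status, Name |
    Format-Table Name, Installed, Minimum, Status -AutoSize
```

The check deliberately reports entries whose version string it cannot parse instead of dropping them; a tool that only reports what it can parse will miss exactly the odd installers that an attacker-planted or renamed program would carry.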
 



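The "LOCKED REGISTRY KEYS" section of the ComboFix log above lists keys whose DACL carries an explicit Deny entry (shown there as "@Denied: ... (Everyone)"). The following is an added example, not part of the original post and not ComboFix's own code: it walks a registry subtree, reports keys with a non-inherited Deny ACE, and, for a key that refuses an ordinary read open, retries with READ_CONTROL only so the ACL can still be inspected. The subtree it is pointed at (HKLM\SOFTWARE\Classes\CLSID) and the depth are assumptions chosen to match the log; run it elevated under PowerShell 2.0 or later.

```powershell
# Added example; not part of the original post and not ComboFix's own code.
# Walks a registry subtree and reports keys whose DACL carries an explicit
# (non-inherited) Deny ACE, the condition ComboFix lists as a locked key.
# Needs PowerShell 2.0 or later; run it elevated.

function Get-LockedRegistryKey {
    param(
        [Parameter(Mandatory = $true)][Microsoft.Win32.RegistryKey]$Key,
        [int]$MaxDepth = 1
    )
    $found = @()

    # 1. Inspect this key's own DACL. A key we can open but whose DACL we
    #    cannot read is reported as well: that is itself the "locked" condition.
    try {
        $acl   = $Key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -eq 'Deny' -and -not $ace.IsInherited) {
                $found += New-Object PSObject -Property @{
                    Key       = $Key.Name
                    Principal = $ace.IdentityReference.Value
                    Denied    = $ace.RegistryRights
                }
            }
        }
    } catch {
        $found += New-Object PSObject -Property @{
            Key = $Key.Name; Principal = '(DACL unreadable)'; Denied = $null
        }
    }

    # 2. Recurse. A child that refuses KEY_READ is opened a second time with
    #    READ_CONTROL only (RegistryRights.ReadPermissions) so its DACL can
    #    still be examined; a child that refuses even that is reported.
    if ($MaxDepth -gt 0) {
        foreach ($name in $Key.GetSubKeyNames()) {
            $child = $null
            try {
                $child = $Key.OpenSubKey($name,
                    [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree,
                    [System.Security.AccessControl.RegistryRights]::ReadKey)
            } catch { }
            if ($child -ne $null) {
                $found += Get-LockedRegistryKey -Key $child -MaxDepth ($MaxDepth - 1)
                $child.Close()
                continue
            }
            try {
                $child = $Key.OpenSubKey($name,
                    [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree,
                    [System.Security.AccessControl.RegistryRights]::ReadPermissions)
                # Permissions-only handle: no enumeration possible, so depth 0.
                $found += Get-LockedRegistryKey -Key $child -MaxDepth 0
                $child.Close()
            } catch {
                $found += New-Object PSObject -Property @{
                    Key = ($Key.Name + '\' + $name); Principal = '(cannot open)'; Denied = $null
                }
            }
        }
    }
    $found
}

# Example run against the subtree where the log above found the FlashBroker
# CLSID; this root and depth are assumptions for the illustration.
$root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SOFTWARE\Classes\CLSID')
Get-LockedRegistryKey -Key $root -MaxDepth 1 |
    Format-Table Key, Principal, Denied -AutoSize
$root.Close()
```

A Deny ACE is not by itself evidence of malware: the FlashBroker entries in the log are the kind of locked key that commonly appears on machines with Flash installed, and their LocalServer32 value points into c:\WINDOWS\system32\Macromed\Flash as the log shows. What the list gives an analyst is a short set of keys to verify, in particular that the binary each LocalServer32 or ImagePath value names is the file and publisher it claims to be.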
#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,767 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:43 PM

Posted 06 July 2013 - 09:43 AM

Get the latest version of Adobe Reader.
http://get.adobe.com/reader/
Before you download, I suggest you uncheck the box at the top right, "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

Once installed, remove your old version of the Reader using the Add/Remove Programs applet, if present.

===

If all is well:

Time for some housekeeping
  • The following will implement some cleanup procedures as well as reset System Restore points:
  • Click Start > Run and copy/paste the following bold text into the Run box and click OK:
  • ComboFix /Uninstall
===

To remove AdwCleaner.

Please double click on AdwCleaner.exe to run the tool.
Click on Uninstall.
Confirm with Yes.

If you decide to keep the AdwCleaner tool make sure to delete your version and download the latest before running it.

Delete the other tools we used.
You can keep the DDS tool, as most forums will ask to see a log before suggesting a fix.

Surf Safely, and Think Prevention!
===

#7 rserwin

rserwin
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  • Local time:04:43 PM

Posted 06 July 2013 - 12:50 PM

Nasdaq,

 

All steps completed.  Thanks very much for your help!

 

Scott



#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,767 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:43 PM

Posted 07 July 2013 - 06:56 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



