Zeroaccess infection?


  • This topic is locked
30 replies to this topic

#1 purplemon

purplemon

  • Members
  • 19 posts
  • OFFLINE
  • Local time:05:10 AM

Posted 18 July 2013 - 03:49 PM

Desktop computer was shutting down randomly. I thought it might be a temp issue; I downloaded Speedfan and got some malware (Sweetpacks and more).

 

Downloaded new version of Rkill and it listed symptoms of ZEROACCESS in the log. RKill log following the DDS.txt.

 

Current symptoms:

Unable to run or reinstall Malwarebytes; I get the run time error 372: failed to load control from ieframe.dll

 

Windows firewall is disabled and won’t open.

 

IE8 opens and closes quickly. Firefox will connect, but I’ve disconnected the network connection.

 

Can’t open desktop programs by left clicking desktop shortcuts.  Must right click to open programs. 

 

Help, please.

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Me at 16:08:30 on 2013-07-18
.
============== Running Processes ================
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\WINDOWS\system32\lxeecoms.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Lexmark Pro700 Series\lxeemon.exe
C:\Program Files\Lexmark Pro700 Series\ezprint.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\PROGRA~1\READIN~2\bar\1.bin\6xbrmon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Me\Local Settings\Application Data\Akamai\netsession_win.exe
C:\Documents and Settings\Me\Local Settings\Application Data\Akamai\netsession_win.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uURLSearchHooks: <No Name>: {421fb3de-4b9f-48e5-abf1-f96f8aaca70a} - c:\program files\readingfanatic_6x\bar\1.bin\6xSrcAs.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Assistant BHO: {2d948797-8fe3-4508-9b6f-4bf349a9ea34} - c:\program files\readingfanatic_6x\bar\1.bin\6xSrcAs.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: CBrowserHelperObject Object: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\program files\dell\bae\BAE.dll
BHO: Toolbar BHO: {f149b372-5830-4d88-b8f6-2853d12c1af5} - c:\program files\readingfanatic_6x\bar\1.bin\6xbar.dll
BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: ReadingFanatic: {B36151D1-7770-4480-87E4-F89FB54E173D} - c:\program files\readingfanatic_6x\bar\1.bin\6xbar.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: ReadingFanatic: {b36151d1-7770-4480-87e4-f89fb54e173d} - c:\program files\readingfanatic_6x\bar\1.bin\6xbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [QuickGammaLoader] c:\program files\quickgamma\QuickGammaLoader.exe
uRun: [QuickGammaResume] <no file>
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [basicsmssmenu] "c:\program files\seagate\basics\basics status\MaxMenuMgrBasics.exe"
mRun: [USB2Check] RUNDLL32.EXE "c:\windows\system32\PCLECoInst.dll",CheckUSBController
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [KernelFaultCheck] c:\windows\system32\dumprep 0 -k
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [lxeemon.exe] "c:\program files\lexmark pro700 series\lxeemon.exe"
mRun: [EzPrint] "c:\program files\lexmark pro700 series\ezprint.exe"
mRun: [Lexmark Pro700 Series Fax Server] "c:\program files\lexmark pro700 series\fm3032.exe" /s
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [ReadingFanatic Search Scope Monitor] "c:\progra~1\readin~2\bar\1.bin\6xsrchmn.exe" /m=2 /w /h
mRun: [ReadingFanatic_6x Browser Plugin Loader] c:\progra~1\readin~2\bar\1.bin\6xbrmon.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: dell.com
Trusted Zone: tdameritrade.com
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1352388634968
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_07-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_07-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
AppInit_DLLs= c:\docume~1\alluse~1\applic~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages =  scecli scecli
Hosts: 192.168.1.108 HP001B78D743F9
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2013-07-17 21:49:57    35144    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2013-07-17 21:34:08    40776    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2013-07-17 21:33:44    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-07-17 21:33:44    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-07-17 20:41:45    --------    d--h--w-    c:\windows\PIF
2013-07-17 20:35:28    --------    d-----w-    c:\program files\common files\Symantec Shared
2013-07-17 20:35:16    --------    d-----w-    c:\documents and settings\all users\application data\Norton
2013-07-17 20:35:09    --------    d-----w-    c:\documents and settings\me\application data\Delta
2013-07-17 20:35:09    --------    d-----w-    c:\documents and settings\me\application data\BabSolution
2013-07-17 20:35:07    --------    d-----w-    c:\documents and settings\all users\application data\NortonInstaller
2013-07-17 20:35:00    --------    d-----w-    c:\program files\Safe Saver
2013-07-17 19:41:22    --------    d-----w-    c:\program files\Microsoft ActiveSync
2013-07-15 01:27:38    --------    d-----w-    c:\program files\SpeedFan
2013-07-15 01:26:16    33958    ----a-w-    c:\documents and settings\all users\application data\uninstaller.exe
2013-07-15 01:25:41    --------    d-----w-    c:\documents and settings\me\AppData
2013-07-15 01:25:37    632656    ----a-w-    c:\windows\system32\msvcr80.dll
2013-07-15 01:25:37    554832    ----a-w-    c:\windows\system32\msvcp80.dll
2013-07-15 01:25:37    479232    ----a-w-    c:\windows\system32\msvcm80.dll
2013-07-15 01:17:48    0    ----a-w-    c:\windows\system32\TempWmicBatchFile.bat
2013-07-15 01:17:40    --------    d-----w-    c:\documents and settings\me\application data\DSite
2013-07-15 01:17:36    --------    d-----w-    c:\documents and settings\me\application data\Babylon
2013-06-21 13:23:47    144896    ----a-w-    c:\windows\system32\javacpl.cpl
2013-06-21 13:23:45    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
.
==================== Find3M  ====================
.
2013-07-15 00:54:50    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-15 00:54:50    692104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-06-13 01:48:23    867240    ----a-w-    c:\windows\system32\npDeployJava1.dll
2013-06-13 01:48:17    789416    ----a-w-    c:\windows\system32\deployJava1.dll
2013-06-08 03:55:44    385024    ----a-w-    c:\windows\system32\html.iec
2013-06-07 21:56:06    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-06-07 21:56:06    43520    ----a-w-    c:\windows\system32\licmgr10.dll
2013-06-07 21:56:05    1469440    ----a-w-    c:\windows\system32\inetcpl.cpl
2013-06-04 07:23:02    562688    ----a-w-    c:\windows\system32\qedit.dll
2013-06-04 01:40:45    1876736    ----a-w-    c:\windows\system32\win32k.sys
2013-05-22 15:21:06    4325376    ----a-w-    c:\documents and settings\all users\application data\ReadOnlyInstaller.msi
2013-05-09 04:28:02    1543680    ------w-    c:\windows\system32\wmvdecod.dll
2013-05-03 01:30:20    2149888    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38:17    2028544    ----a-w-    c:\windows\system32\ntkrnlpa.exe
.
============= FINISH: 16:08:37.00 ===============
 

RKILL LOG

Rkill 2.5.6 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 07/18/2013 12:52:26 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * ALERT: ZEROACCESS rootkit symptoms found!

     * C:\Documents and Settings\Me\Local Settings\Application Data\{f6565384-77a6-98ce-d892-efc931cc6b8b}\ [ZA Dir]
     * C:\Documents and Settings\Me\Local Settings\Application Data\{f6565384-77a6-98ce-d892-efc931cc6b8b}\@ [ZA File]
     * C:\Documents and Settings\Me\Local Settings\Application Data\{f6565384-77a6-98ce-d892-efc931cc6b8b}\L\ [ZA Dir]
     * C:\Documents and Settings\Me\Local Settings\Application Data\{f6565384-77a6-98ce-d892-efc931cc6b8b}\U\ [ZA Dir]
     * C:\WINDOWS\Installer\{f6565384-77a6-98ce-d892-efc931cc6b8b}\ [ZA Dir]
     * C:\WINDOWS\Installer\{f6565384-77a6-98ce-d892-efc931cc6b8b}\@ [ZA File]
     * C:\WINDOWS\Installer\{f6565384-77a6-98ce-d892-efc931cc6b8b}\L\ [ZA Dir]
     * C:\WINDOWS\Installer\{f6565384-77a6-98ce-d892-efc931cc6b8b}\U\ [ZA Dir]

 * Reparse Point/Junctions Found (Most likely legitimate)!

     * C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.ConfigUXv2\2.1.72.22__540d4816ead86321 => C:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.ConfigUXv2_540d4816ead86321_2.1.72.22_x-ww_a742e49 [Dir]
     * C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.ConfigUXv2\3.0.335.0__540d4816ead86321 => C:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.ConfigUXv2_540d4816ead86321_3.0.335.0_x-ww_29a6be0d [Dir]
     * C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.ConfigUXv2\3.1.31.0__540d4816ead86321 => C:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.ConfigUXv2_540d4816ead86321_3.1.31.0_x-ww_8b778a47 [Dir]
     * C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.Update\2.1.72.22__540d4816ead86321 => C:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.Update_540d4816ead86321_2.1.72.22_x-ww_c5eae641 [Dir]
     * C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.Update\3.0.335.0__540d4816ead86321 => C:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.Update_540d4816ead86321_3.0.335.0_x-ww_e51d7605 [Dir]
     * C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.Update\3.1.31.0__540d4816ead86321 => C:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.Update_540d4816ead86321_3.1.31.0_x-ww_46ee423f [Dir]
     * C:\WINDOWS\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a => C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492 [Dir]
     * C:\WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.ConfigUXv4\v4.0_4.0.66.0__3ff6b78e2989595a => C:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.ConfigUXv4_3ff6b78e2989595a_4.0.66.0_x-ww_7acf93b2 [Dir]
     * C:\WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.ConfigUXv4\v4.0_4.0.78.0__3ff6b78e2989595a => C:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.ConfigUXv4_3ff6b78e2989595a_4.0.78.0_x-ww_aa528373 [Dir]
     * C:\WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.Update\v4.0_4.0.66.0__3ff6b78e2989595a => C:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.Update_3ff6b78e2989595a_4.0.66.0_x-ww_d938aa2c [Dir]
     * C:\WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.Update\v4.0_4.0.78.0__3ff6b78e2989595a => C:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.Update_3ff6b78e2989595a_4.0.78.0_x-ww_8bb99ed [Dir]
     * C:\WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35 => C:\WINDOWS\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5 [Dir]

Checking Windows Service Integrity:

 * Security Center (wscsvc) is not Running.
   Startup Type set to: Automatic

 * SharedAccess [Missing ImagePath]

 * ERSvc => "C:\WINDOWS\system32\ersvc.dll" [Incorrect ServiceDLL]
 * wscsvc => "C:\WINDOWS\system32\wscsvc.dll" [Incorrect ServiceDLL]

Searching for Missing Digital Signatures:

 * C:\WINDOWS\System32\drivers\mqac.sys : 91,776 : 06/22/2009 07:48 AM : eee50bf24caeedb515a8f3b22756d3bb [NoSig]
 +-> C:\WINDOWS\$hf_mig$\KB937894\SP2QFE\mqac.sys : 72,960 : 07/06/2007 05:52 AM : d92fce6729ee150a15a7cdbc433f390e [Pos Repl]
 +-> C:\WINDOWS\$hf_mig$\KB971032\SP2QFE\mqac.sys : 91,776 : 06/22/2009 07:30 AM : 9229e191fe206628be17d1e67a5faed9 [Pos Repl]
 +-> C:\WINDOWS\$NtUninstallKB971032$\mqac.sys : 72,960 : 07/06/2007 06:05 AM : 157a32ddc6a019a4e31b19d604d2f127 [Pos Repl]
 +-> C:\WINDOWS\ServicePackFiles\i386\mqac.sys : 92,544 : 04/13/2008 02:39 PM : 70c14f5cca5cf73f8a645c73a01d8726 [Pos Repl]
 +-> C:\WINDOWS\system32\dllcache\mqac.sys : 91,776 : 06/22/2009 07:48 AM : eee50bf24caeedb515a8f3b22756d3bb [Pos Repl]

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1       localhost
                              
  192.168.1.108  HP001B78D743F9

Program finished at: 07/18/2013 12:55:19 PM
Execution time: 0 hours(s), 2 minute(s), and 52 seconds(s)
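The Rkill block above is the part of the thread a responder actually triages: the GUID-named directory with its `@` file and `L`/`U` subdirectories in two locations, plus the service-integrity findings (a missing ImagePath, two services whose ServiceDLL no longer matches the expected value). The following parser is an added example, not Rkill's or BleepingComputer's code; it reads that log format into a structure that can be compared against a clean baseline and checks whether any flagged GUID directory shows the complete `@` + `L` + `U` layout. The regular expressions are my assumptions about the line format, derived from the log as posted, and the embedded sample log is constructed for this example with a placeholder GUID.

```python
"""Triage helper for Rkill-style log output (added example, not Rkill's own code)."""
import re
from collections import defaultdict

# Constructed sample, modelled on the Rkill 2.5.6 log format; the GUID is a placeholder.
SAMPLE_LOG = r"""Performing miscellaneous checks:

 * ALERT: ZEROACCESS rootkit symptoms found!

     * C:\Documents and Settings\Me\Local Settings\Application Data\{00000000-0000-0000-0000-000000000000}\ [ZA Dir]
     * C:\Documents and Settings\Me\Local Settings\Application Data\{00000000-0000-0000-0000-000000000000}\@ [ZA File]
     * C:\Documents and Settings\Me\Local Settings\Application Data\{00000000-0000-0000-0000-000000000000}\L\ [ZA Dir]
     * C:\Documents and Settings\Me\Local Settings\Application Data\{00000000-0000-0000-0000-000000000000}\U\ [ZA Dir]
     * C:\WINDOWS\Installer\{00000000-0000-0000-0000-000000000000}\ [ZA Dir]
     * C:\WINDOWS\Installer\{00000000-0000-0000-0000-000000000000}\@ [ZA File]

 * Reparse Point/Junctions Found (Most likely legitimate)!

     * C:\WINDOWS\assembly\GAC_MSIL\Example\1.0.0.0__0123456789abcdef => C:\WINDOWS\WinSxS\MSIL_Example [Dir]

Checking Windows Service Integrity:

 * Security Center (wscsvc) is not Running.
   Startup Type set to: Automatic

 * SharedAccess [Missing ImagePath]

 * ERSvc => "C:\WINDOWS\system32\ersvc.dll" [Incorrect ServiceDLL]
 * wscsvc => "C:\WINDOWS\system32\wscsvc.dll" [Incorrect ServiceDLL]
"""

# Line shapes assumed from the posted log (not an official Rkill grammar).
ZA_ITEM = re.compile(r"^\s*\*\s+(?P<path>.+?)\s+\[ZA (?P<kind>Dir|File)\]\s*$")
SERVICE_ISSUE = re.compile(
    r'^\s*\*\s+(?P<svc>\S+)(?: => "(?P<dll>[^"]+)")? '
    r"\[(?P<issue>Missing ImagePath|Incorrect ServiceDLL)\]\s*$"
)
NOT_RUNNING = re.compile(r"^\s*\*\s+(?P<name>.+?) \((?P<svc>\w+)\) is not Running\.")
GUID_DIR = re.compile(r"^(?P<parent>.*\\)(?P<guid>\{[0-9A-Fa-f-]{36}\})\\(?P<rest>.*)$")


def parse_rkill_log(text):
    """Extract ZeroAccess path indicators and service-integrity findings.

    Returns {"zeroaccess": [(path, kind), ...],
             "services":   [(service, dll_or_None, issue), ...]}.
    """
    findings = {"zeroaccess": [], "services": []}
    in_za_block = False
    for line in text.splitlines():
        if "ZEROACCESS rootkit symptoms found" in line:
            in_za_block = True
            continue
        if in_za_block:
            m = ZA_ITEM.match(line)
            if m:
                findings["zeroaccess"].append((m["path"], m["kind"]))
                continue
            if line.lstrip().startswith("*"):
                in_za_block = False  # next top-level check starts here
        m = NOT_RUNNING.match(line)
        if m:
            findings["services"].append((m["svc"], None, "not Running"))
            continue
        m = SERVICE_ISSUE.match(line)
        if m:
            findings["services"].append((m["svc"], m["dll"], m["issue"]))
    return findings


def zeroaccess_layouts(za_items):
    """Group flagged paths by their GUID directory and record which pieces
    ('<root>', '@', 'L', 'U') were reported under each one."""
    seen = defaultdict(set)
    for path, _kind in za_items:
        m = GUID_DIR.match(path)
        if not m:
            continue
        key = m["parent"] + m["guid"]
        rest = m["rest"].strip("\\")
        seen[key].add(rest if rest else "<root>")
    return {key: sorted(parts) for key, parts in seen.items()}


def complete_layouts(layouts):
    """GUID directories showing the full '@' file plus 'L' and 'U' subdirectories."""
    required = {"@", "L", "U"}
    return [key for key, parts in layouts.items() if required <= set(parts)]


if __name__ == "__main__":
    result = parse_rkill_log(SAMPLE_LOG)
    layouts = zeroaccess_layouts(result["zeroaccess"])
    for key, parts in layouts.items():
        print(f"{key}: {parts}")
    print("complete @/L/U layouts:", complete_layouts(layouts))
    for svc, dll, issue in result["services"]:
        print(f"service {svc}: {issue}" + (f" ({dll})" if dll else ""))
```

Run against a real Rkill log, the "complete layouts" list is the set of directories a responder would expect a rootkit-aware scanner (such as the Malwarebytes Anti-Rootkit run requested in the next post) to report, and the service list is what to re-check after cleanup: in this thread the firewall symptom maps to SharedAccess lacking an ImagePath, and Security Center (wscsvc) not running.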
#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:10 AM

Posted 19 July 2013 - 12:41 AM

Hi there,
my name is Marius and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Scan with Malwarebytes Anti-Rootkit

Please download Malwarebytes Anti-Rootkit from here Malwarebytes : Malwarebytes Anti-Rootkit and save it to your desktop.

Be sure to print out and follow the instructions provided on that same page.

Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.

  • Double click the mbar.zip file to open it, then 'Extract all files'.
  • Double click the mbar folder to open it, then double click mbar.exe to start the tool.

Check for Updates, then Scan your system for malware

If malware is found, do NOT press the Cleanup button yet. Click EXIT.

I'd like to see the log first so I can see what it sees. You'll find the log in that mbar folder as MBAR-log-[date and time]***.txt. Please attach that to your next reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 purplemon

purplemon
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:05:10 AM

Posted 19 July 2013 - 08:00 AM

Thank you for your help with this.
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.06.0.1004

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, E:\ DRIVE_FIXED
CPU speed: 2.394000 GHz
Memory total: 3487670272, free: 2603528192

Downloaded database version: v2013.07.19.05
Downloaded database version: v2013.07.15.01
Initializing...
------------ Kernel report ------------
     07/19/2013 08:07:42
------------ Loaded modules -----------
\WINDOWS\system32\ntkrnlpa.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
pciide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
MountMgr.sys
ftdisk.sys
dmload.sys
dmio.sys
PartMgr.sys
VolSnap.sys
atapi.sys
iaStor.sys
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
fltmgr.sys
sr.sys
PxHelp20.sys
KSecDD.sys
WudfPf.sys
Ntfs.sys
NDIS.sys
speedfan.sys
Mup.sys
giveio.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\ati2mtag.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\system32\DRIVERS\e1e5132.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\DRIVERS\imapi.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\redbook.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
\SystemRoot\system32\DRIVERS\audstub.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\rdpdr.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\system32\DRIVERS\MarvinBus.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\drivers\RtkHDAud.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\System32\Drivers\i2omgmt.SYS
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\ssmdrv.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\SystemRoot\system32\DRIVERS\avkmgr.sys
\SystemRoot\system32\DRIVERS\avipbb.sys
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\ati2dvag.dll
\SystemRoot\System32\ati2cqag.dll
\SystemRoot\System32\atikvmag.dll
\SystemRoot\System32\atiok3x2.dll
\SystemRoot\System32\ati3duag.dll
\SystemRoot\System32\ativvaxx.dll
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\DRIVERS\avgntflt.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\mrxdav.sys
\SystemRoot\System32\Drivers\StarOpen.SYS
\SystemRoot\system32\DRIVERS\srv.sys
\SystemRoot\System32\Drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\System32\Drivers\Fastfat.SYS
\SystemRoot\system32\drivers\kmixer.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk2\DR10
Upper Device Object: 0xffffffff8a116970
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\0000008b\
Lower Device Object: 0xffffffff89fd3ea0
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR4
Upper Device Object: 0xffffffff8b3c5ab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\0000007d\
Lower Device Object: 0xffffffff8b274ea0
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8b4b1ab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-3\
Lower Device Object: 0xffffffff8b4f6d98
Lower Device Driver Name: \Driver\atapi\
<<<2>>>
Device number: 0, partition: 2
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff8b4b1ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8b4e4e08, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8b4b1ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8b4b6250, DeviceName: \Device\0000006d\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff8b4f6d98, DeviceName: \Device\Ide\IdeDeviceP0T0L0-3\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\system32\drivers...
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 41AB2316

Partition information:

    Partition 0 type is Other (0xde)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63  Numsec = 112392

    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 112455  Numsec = 969715530
    Partition file system is NTFS
    Partition is bootable

    Partition 2 type is Other (0xdb)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 969844050  Numsec = 6924015

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 500107862016 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-976753168-976773168)...
Done!
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xffffffff8b3c5ab8, DeviceName: \Device\Harddisk1\DR4\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8b3b4540, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8b3c5ab8, DeviceName: \Device\Harddisk1\DR4\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8b274ea0, DeviceName: \Device\0000007d\, DriverName: \Driver\USBSTOR\
------------ End ----------
Alternate DeviceName: \Device\Harddisk1\DR4\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: A4B57300

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63  Numsec = 976768002

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 500107862016 bytes
Sector size: 512 bytes

Done!
Physical Sector Size: 512
Drive: 2, DevicePointer: 0xffffffff8a116970, DeviceName: \Device\Harddisk2\DR10\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8a09eb30, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8a116970, DeviceName: \Device\Harddisk2\DR10\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff89fd3ea0, DeviceName: \Device\0000008b\, DriverName: \Driver\USBSTOR\
------------ End ----------
Alternate DeviceName: \Device\Harddisk2\DR10\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
Drive 2
Scanning MBR on drive 2...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 73696420

Partition information:

    Partition 0 type is Other (0x20)
    Partition is INVALID!!!
    Partition starts at LBA: 1919950958  Numsec = 544437093

    Partition 1 type is Other (0x6b)
    Partition is INVALID!!!
    Partition starts at LBA: 1330184202  Numsec = 538976288

    Partition 2 type is Other (0x53)
    Partition is INVALID!!!
    Partition starts at LBA: 538989391  Numsec = 1398362912

    Partition 3 type is Other (0x49)
    Partition is ACTIVE.
    Partition starts at LBA: 1394627663  Numsec = 21337
    Partition is not bootable

Disk Size: 1051721728 bytes
Sector size: 512 bytes

Done!
Infected: c:\WINDOWS\Installer\{f6565384-77a6-98ce-d892-efc931cc6b8b}\@ --> [Backdoor.0Access]
Infected: c:\Documents and Settings\Me\Local Settings\Application Data\{f6565384-77a6-98ce-d892-efc931cc6b8b}\@ --> [Backdoor.0Access]
Infected: c:\WINDOWS\Installer\{f6565384-77a6-98ce-d892-efc931cc6b8b}\L --> [Backdoor.0Access]
Infected: c:\WINDOWS\Installer\{f6565384-77a6-98ce-d892-efc931cc6b8b}\U --> [Backdoor.0Access]
Scan finished
=======================================


Removal queue found; removal started
Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\mbr_0_i.mbam...
Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\bootstrap_0_1_112455_i.mbam...
Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\mbr_0_r.mbam...
Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\mbr_1_i.mbam...
Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\mbr_1_r.mbam...
Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\mbr_2_i.mbam...
Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\bootstrap_2_3_1394627663_i.mbam...
Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\mbr_2_r.mbam...
Removal finished
 



#4 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:11:10 AM

Posted 20 July 2013 - 04:39 AM

Fix with Malwarebytes Anti-Rootkit

Run another scan with mbar.exe and click the CleanUp button. It will require a reboot.

When it has rebooted, run another scan with mbar.exe and click CleanUp again if necessary.

Send the mbar-log.txt along with an update on machine behavior.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#5 purplemon

purplemon
  • Topic Starter

  • Members
  • 19 posts
  • Local time:05:10 AM

Posted 20 July 2013 - 09:17 PM

I ran the MBAR Clean-up once; the log is below.

Notes on the computer's behavior:

Microsoft firewall now functions.

Cannot open programs by double-clicking the desktop shortcut; however, I can open programs by right-clicking the desktop shortcut and then clicking Open from the dialog box.

I am able to open desktop PowerPoint or Excel files by double-clicking the shortcut.

Microsoft Office programs have disappeared from the program list, but will open when a file icon is double-clicked.

The computer doesn't shut down properly; I usually have to click Shutdown twice.

The program shortcuts in the task bar are still missing.

Below is the MBAR log after the Clean-up.

Malwarebytes Anti-Rootkit BETA 1.06.0.1004
www.malwarebytes.org

Database version: v2013.07.19.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Me :: CHRIS [administrator]

7/20/2013 5:28:54 PM
mbar-log-2013-07-20 (17-28-54).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: PUP
Objects scanned: 308645
Time elapsed: 32 minute(s), 46 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)
 



#6 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:11:10 AM

Posted 21 July 2013 - 08:18 AM

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications


====================================================


Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


RC_update.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


cfRC_screen_2.png


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.



#7 purplemon

purplemon
  • Topic Starter

  • Members
  • 19 posts
  • Local time:05:10 AM

Posted 21 July 2013 - 08:42 PM

Downloaded and ran ComboFix; it had to download or repair the Microsoft Windows Recovery Console.

My desktop icons are back to the normal order. The computer seems to shut down properly.

I still cannot open a program by double-clicking the desktop icon (right-click and Open will open the programs). IE 8 won't run. MS Office programs are still functional, but don't appear in the task bar (they were there before the infection) or in the All Programs list.

ComboFix 13-07-20.03 - Me 07/21/2013  12:12:45.1.4 - x86
Running from: c:\documents and settings\Me\Desktop\ComboFix.exe
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\ReadOnlyInstaller.msi
c:\documents and settings\All Users\Application Data\uninstaller.exe
c:\documents and settings\All Users\SPL2C.tmp
c:\documents and settings\All Users\SPLFA.tmp
c:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
c:\documents and settings\Me\D610_A06.EXE
c:\documents and settings\Me\g2mdlhlpx.exe
c:\documents and settings\Me\My Documents\~WRL1028.tmp
c:\documents and settings\Me\My Documents\~WRL1107.tmp
c:\documents and settings\Me\My Documents\~WRL1739.tmp
c:\documents and settings\Me\My Documents\~WRL2047.tmp
c:\documents and settings\Me\My Documents\~WRL2576.tmp
c:\documents and settings\Me\My Documents\~WRL3001.tmp
c:\documents and settings\Me\My Documents\~WRL3555.tmp
c:\documents and settings\Me\wax20e.exe
c:\documents and settings\Me\WINDOWS
c:\windows\system32\Cache
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\2c53092c95605355.fb
c:\windows\system32\Cache\31a0997e9a5b5eb3.fb
c:\windows\system32\Cache\32c84fe32bb74d60.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\53d5e5f7cc8db4d9.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\6d03dad1035885d3.fb
c:\windows\system32\Cache\a8556537add6dfc5.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\c1fa887b03019701.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\f998975c9cc711ee.fb
c:\windows\system32\service
c:\windows\system32\service\03112010_TIS17_SfFniAU.log
c:\windows\system32\service\09032010_TIS17_SfFniAU.log
c:\windows\system32\service\09112010_TIS17_SfFniAU.log
c:\windows\system32\service\12122010_TIS17_SfFniAU.log
c:\windows\system32\service\15042010_TIS17_SfFniAU.log
c:\windows\system32\service\15102010_TIS17_SfFniAU.log
c:\windows\system32\service\18032010_TIS17_SfFniAU.log
c:\windows\system32\service\28032010_TIS17_SfFniAU.log
c:\windows\system32\SET1A5.tmp
c:\windows\system32\SET1B1.tmp
E:\Autorun.inf
E:\install.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-21 to 2013-07-21  )))))))))))))))))))))))))))))))
.
.
2013-07-19 12:07 . 2013-07-20 22:02    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-07-17 21:33 . 2013-07-17 21:38    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-07-17 21:33 . 2013-04-04 18:50    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-07-17 20:41 . 2013-07-17 20:41    --------    d--h--w-    c:\windows\PIF
2013-07-17 20:35 . 2013-07-17 20:35    --------    d-----w-    c:\program files\Common Files\Symantec Shared
2013-07-17 20:35 . 2013-07-17 20:38    --------    d-----w-    c:\documents and settings\All Users\Application Data\Norton
2013-07-17 20:35 . 2013-07-17 20:35    --------    d-----w-    c:\documents and settings\Me\Application Data\BabSolution
2013-07-17 20:35 . 2013-07-17 20:35    --------    d-----w-    c:\documents and settings\Me\Application Data\Delta
2013-07-17 20:35 . 2013-07-17 20:35    --------    d-----w-    c:\program files\Safe Saver
2013-07-17 19:41 . 2013-07-17 19:41    --------    d-----w-    c:\program files\Microsoft ActiveSync
2013-07-17 19:32 . 2013-07-17 19:32    --------    d-----r-    C:\MSOCache
2013-07-15 01:27 . 2013-07-19 12:26    --------    d-----w-    c:\program files\SpeedFan
2013-07-15 01:25 . 2013-07-15 01:25    --------    d-----w-    c:\documents and settings\Me\AppData
2013-07-15 01:25 . 2011-05-13 23:17    632656    ----a-w-    c:\windows\system32\msvcr80.dll
2013-07-15 01:25 . 2011-05-13 23:17    479232    ----a-w-    c:\windows\system32\msvcm80.dll
2013-07-15 01:25 . 2011-05-13 23:17    554832    ----a-w-    c:\windows\system32\msvcp80.dll
2013-07-15 01:17 . 2013-07-15 01:17    0    ----a-w-    c:\windows\system32\TempWmicBatchFile.bat
2013-07-15 01:17 . 2013-07-15 01:17    --------    d-----w-    c:\documents and settings\Me\Application Data\DSite
2013-07-15 01:17 . 2013-07-15 01:17    --------    d-----w-    c:\documents and settings\Me\Application Data\Babylon
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-15 00:54 . 2012-04-25 17:42    692104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-07-15 00:54 . 2011-09-27 17:54    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-13 01:48 . 2012-09-17 20:41    867240    ----a-w-    c:\windows\system32\npDeployJava1.dll
2013-06-13 01:48 . 2011-02-10 22:10    789416    ----a-w-    c:\windows\system32\deployJava1.dll
2013-06-13 01:48 . 2013-06-21 13:23    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-06-13 01:35 . 2013-06-21 13:23    144896    ----a-w-    c:\windows\system32\javacpl.cpl
2013-06-08 03:55 . 2004-08-11 22:00    385024    ----a-w-    c:\windows\system32\html.iec
2013-06-07 21:56 . 2004-08-11 22:00    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-06-07 21:56 . 2004-08-11 22:00    43520    ----a-w-    c:\windows\system32\licmgr10.dll
2013-06-07 21:56 . 2004-08-11 22:00    1469440    ----a-w-    c:\windows\system32\inetcpl.cpl
2013-06-04 07:23 . 2004-08-11 22:00    562688    ----a-w-    c:\windows\system32\qedit.dll
2013-06-04 01:40 . 2008-08-31 17:40    1876736    ----a-w-    c:\windows\system32\win32k.sys
2013-05-09 04:28 . 2006-10-19 01:47    1543680    ------w-    c:\windows\system32\wmvdecod.dll
2013-05-03 01:30 . 2008-08-31 17:40    2149888    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38 . 2008-08-31 17:40    2028544    ----a-w-    c:\windows\system32\ntkrnlpa.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickGammaLoader"="c:\program files\QuickGamma\QuickGammaLoader.exe" [2011-03-11 100352]
"Akamai NetSession Interface"="c:\documents and settings\Me\Local Settings\Application Data\Akamai\netsession_win.exe" [2013-06-05 4489472]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2013-05-08 18680424]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]
"USB2Check"="c:\windows\system32\PCLECoInst.dll" [2006-11-06 81920]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 576320]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2013-05-08 44128]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2013-05-08 642664]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
"lxeemon.exe"="c:\program files\Lexmark Pro700 Series\lxeemon.exe" [2011-01-24 770728]
"EzPrint"="c:\program files\Lexmark Pro700 Series\ezprint.exe" [2011-01-24 148280]
"Lexmark Pro700 Series Fax Server"="c:\program files\Lexmark Pro700 Series\fm3032.exe" [2009-10-01 316072]
"RTHDCPL"="RTHDCPL.EXE" [2008-01-09 16859648]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2013-06-27 345144]
"ReadingFanatic Search Scope Monitor"="c:\progra~1\READIN~2\bar\1.bin\6xsrchmn.exe" [2013-01-28 42536]
"ReadingFanatic_6x Browser Plugin Loader"="c:\progra~1\READIN~2\bar\1.bin\6xbrmon.exe" [2013-01-28 30096]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-12-12 152544]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-06-20 22:06    10536    ----a-w-    c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Calendar Sync.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Calendar Sync.lnk
backup=c:\windows\pss\Google Calendar Sync.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12    1695232    ----a-w-    c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IntuitUpdateService"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Me\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1114:TCP"= 1114:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R2 lxeeCATSCustConnectService;lxeeCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\lxeeserv.exe [2010-04-14 193192]
R2 ReadingFanatic_6xService;ReadingFanaticService;c:\progra~1\READIN~2\bar\1.bin\6xbarsvc.exe [2013-01-28 42504]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2013-03-01 161384]
R3 SQTECH913D;Photo Frame;c:\windows\system32\Drivers\Capt8080.sys [2007-01-08 27280]
R4 AntiVirWebService;Avira Web Protection;c:\program files\Avira\AntiVir Desktop\AVWEBGRD.EXE [2013-06-27 589368]
R4 AVGIDSHX;AVGIDSHX;c:\windows\system32\DRIVERS\avgidshx.sys [x]
R4 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\avgidsshimx.sys [x]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [2013-03-29 37352]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2013-06-27 84024]
S2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [2012-08-23 13672]
S2 lxee_device;lxee_device;c:\windows\system32\lxeecoms.exe [2010-04-14 598696]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12    REG_MULTI_SZ       Pml Driver HPZ12 Net Driver HPZ12
HPService    REG_MULTI_SZ       HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-25 00:54]
.
2013-07-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2013-07-21 c:\windows\Tasks\Safe Saver-chromeinstaller.job
- c:\program files\Safe Saver\Safe Saver-chromeinstaller.exe [2013-07-17 20:35]
.
2013-07-21 c:\windows\Tasks\Safe Saver-codedownloader.job
- c:\program files\Safe Saver\Safe Saver-codedownloader.exe [2013-07-17 20:35]
.
2013-07-21 c:\windows\Tasks\Safe Saver-enabler.job
- c:\program files\Safe Saver\Safe Saver-enabler.exe [2013-07-17 20:35]
.
2013-07-21 c:\windows\Tasks\Safe Saver-firefoxinstaller.job
- c:\program files\Safe Saver\Safe Saver-firefoxinstaller.exe [2013-07-17 20:35]
.
2013-07-21 c:\windows\Tasks\Safe Saver-updater.job
- c:\program files\Safe Saver\Safe Saver-updater.exe [2013-07-17 20:35]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local;<local>
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
Trusted Zone: dell.com
Trusted Zone: tdameritrade.com
TCP: DhcpNameServer = 192.168.200.1
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKCU-Run-QuickGammaResume - (no file)
MSConfigStartUp-Google Update - c:\documents and settings\Me\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
AddRemove-{730D5EE0-97ED-45C3-AC77-8F7DFDE47DF7} - c:\program files\InstallShield Installation Information\{68F34B52-A8E7-4DF9-95AC-079FE280DEBE}\setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-07-21 12:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,21,fb,7c,44,80,ee,39,4b,86,ed,21,\
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,21,fb,7c,44,80,ee,39,4b,86,ed,21,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,21,fb,7c,44,80,ee,39,4b,86,ed,21,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(752)
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
Completion time: 2013-07-21  12:45:07
ComboFix-quarantined-files.txt  2013-07-21 16:44
.
Pre-Run: 274,774,818,816 bytes free
Post-Run: 282,604,630,016 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /numproc=4
.
- - End Of File - - 0278763F5B9094FD51DB568985A1EEC3
5CB90281D1A59B251F6603134774EEC3
 



#8 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:11:10 AM

Posted 21 July 2013 - 11:48 PM

Combofix scripting

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.


CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


#9 purplemon

purplemon
  • Topic Starter

  • Members
  • 19 posts
  • Local time:05:10 AM

Posted 23 July 2013 - 12:36 AM

ComboFix 13-07-20.03 - Me 07/22/2013   9:29.2.4 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3326.2538 [GMT -4:00]
Running from: c:\documents and settings\Me\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Me\Desktop\CFScript.txt
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Trend Micro Internet Security *Enabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *Enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.
FILE ::
"c:\windows\Tasks\Safe Saver-chromeinstaller.job"
"c:\windows\Tasks\Safe Saver-codedownloader.job"
"c:\windows\Tasks\Safe Saver-enabler.job"
"c:\windows\Tasks\Safe Saver-firefoxinstaller.job"
"c:\windows\Tasks\Safe Saver-updater.job"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Norton
c:\documents and settings\All Users\Application Data\Norton\{086A63F0-6B13-4F29-9695-134E7A01E963}\LC.INI
c:\documents and settings\Me\Application Data\BabSolution
c:\documents and settings\Me\Application Data\BabSolution\CR\Delta.crx
c:\documents and settings\Me\Application Data\BabSolution\Shared\BabMaint.exe
c:\documents and settings\Me\Application Data\BabSolution\Shared\BUSolution.dll
c:\documents and settings\Me\Application Data\BabSolution\Shared\Delta.ico
c:\documents and settings\Me\Application Data\BabSolution\Shared\GUninstaller.exe
c:\documents and settings\Me\Application Data\BabSolution\Shared\SetupParams.ini
c:\documents and settings\Me\Application Data\BabSolution\Shared\sqlite3.dll
c:\documents and settings\Me\Application Data\Babylon
c:\documents and settings\Me\Application Data\Babylon\log_file.txt
c:\documents and settings\Me\Application Data\Delta
c:\documents and settings\Me\Application Data\Delta\sqlite3.dll
c:\documents and settings\Me\Application Data\DSite
c:\documents and settings\Me\Application Data\DSite\UpdateProc\config.dat
c:\progra~1\READIN~2\bar
c:\progra~1\READIN~2\bar\1.bin\6xauxstb.dll
c:\progra~1\READIN~2\bar\1.bin\6xbar.dll
c:\progra~1\READIN~2\bar\1.bin\6xbarsvc.exe
c:\progra~1\READIN~2\bar\1.bin\6xbrmon.exe
c:\progra~1\READIN~2\bar\1.bin\6xbrstub.dll
c:\progra~1\READIN~2\bar\1.bin\6xdatact.dll
c:\progra~1\READIN~2\bar\1.bin\6xdlghk.dll
c:\progra~1\READIN~2\bar\1.bin\6xdyn.dll
c:\progra~1\READIN~2\bar\1.bin\6xfeedmg.dll
c:\progra~1\READIN~2\bar\1.bin\6xhighin.exe
c:\progra~1\READIN~2\bar\1.bin\6xhkstub.dll
c:\progra~1\READIN~2\bar\1.bin\6xhtmlmu.dll
c:\progra~1\READIN~2\bar\1.bin\6xhttpct.dll
c:\progra~1\READIN~2\bar\1.bin\6xidle.dll
c:\progra~1\READIN~2\bar\1.bin\6xieovr.dll
c:\progra~1\READIN~2\bar\1.bin\6ximpipe.exe
c:\progra~1\READIN~2\bar\1.bin\6xmedint.exe
c:\progra~1\READIN~2\bar\1.bin\6xmlbtn.dll
c:\progra~1\READIN~2\bar\1.bin\6xmsg.dll
c:\progra~1\READIN~2\bar\1.bin\6xradio.dll
c:\progra~1\READIN~2\bar\1.bin\6xreghk.dll
c:\progra~1\READIN~2\bar\1.bin\6xregiet.dll
c:\progra~1\READIN~2\bar\1.bin\6xscript.dll
c:\progra~1\READIN~2\bar\1.bin\6xskin.dll
c:\progra~1\READIN~2\bar\1.bin\6xsknlcr.dll
c:\progra~1\READIN~2\bar\1.bin\6xskplay.exe
c:\progra~1\READIN~2\bar\1.bin\6xSrcAs.dll
c:\progra~1\READIN~2\bar\1.bin\6xSrchMn.exe
c:\progra~1\READIN~2\bar\1.bin\6xtpinst.dll
c:\progra~1\READIN~2\bar\1.bin\6xuabtn.dll
c:\progra~1\READIN~2\bar\1.bin\BOOTSTRAP.JS
c:\progra~1\READIN~2\bar\1.bin\CREXT.DLL
c:\progra~1\READIN~2\bar\1.bin\CrExtP6x.exe
c:\progra~1\READIN~2\bar\1.bin\LOGO.BMP
c:\progra~1\READIN~2\bar\1.bin\T8EXTEX.DLL
c:\progra~1\READIN~2\bar\1.bin\T8EXTPEX.DLL
c:\progra~1\READIN~2\bar\1.bin\T8HTML.DLL
c:\progra~1\READIN~2\bar\1.bin\T8RES.DLL
c:\progra~1\READIN~2\bar\1.bin\T8TICKER.DLL
c:\progra~1\READIN~2\bar\Cache\0AB6745C
c:\progra~1\READIN~2\bar\Cache\0AB67507.bmp
c:\progra~1\READIN~2\bar\Cache\0AB67556.bmp
c:\progra~1\READIN~2\bar\Cache\0AB67584.bmp
c:\progra~1\READIN~2\bar\Cache\0AB67601.bmp
c:\progra~1\READIN~2\bar\Cache\0AB67630.bmp
c:\progra~1\READIN~2\bar\Cache\0AB6766F.bmp
c:\progra~1\READIN~2\bar\Cache\0AB6768E.bmp
c:\progra~1\READIN~2\bar\Cache\0AB676BD.bmp
c:\progra~1\READIN~2\bar\Cache\0AB676DC.bmp
c:\progra~1\READIN~2\bar\Cache\0AB6771B.bmp
c:\progra~1\READIN~2\bar\Cache\files.ini
c:\progra~1\READIN~2\bar\gen1\COMMON.T8S
c:\progra~1\READIN~2\bar\History\search3
c:\progra~1\READIN~2\bar\IE9Mesg\COMMON.T8S
c:\progra~1\READIN~2\bar\Message\COMMON.T8S
c:\progra~1\READIN~2\bar\Settings\prevcfg2.htm
c:\progra~1\READIN~2\bar\Settings\s_pid.dat
c:\program files\Common Files\Symantec Shared
c:\program files\Safe Saver
c:\program files\Safe Saver\33254.crx
c:\program files\Safe Saver\33254.xpi
c:\program files\Safe Saver\background.html
c:\program files\Safe Saver\Installer.log
c:\program files\Safe Saver\Safe Saver-bg.exe
c:\program files\Safe Saver\Safe Saver-bho.dll
c:\program files\Safe Saver\Safe Saver-buttonutil.dll
c:\program files\Safe Saver\Safe Saver-buttonutil.exe
c:\program files\Safe Saver\Safe Saver-buttonutil64.dll
c:\program files\Safe Saver\Safe Saver-buttonutil64.exe
c:\program files\Safe Saver\Safe Saver-chromeinstaller.exe
c:\program files\Safe Saver\Safe Saver-codedownloader.exe
c:\program files\Safe Saver\Safe Saver-enabler.exe
c:\program files\Safe Saver\Safe Saver-firefoxinstaller.exe
c:\program files\Safe Saver\Safe Saver-helper.exe
c:\program files\Safe Saver\Safe Saver-updater.exe
c:\program files\Safe Saver\Safe Saver.ico
c:\program files\Safe Saver\Uninstall.exe
c:\program files\Safe Saver\utils.exe
c:\windows\Tasks\Safe Saver-chromeinstaller.job
c:\windows\Tasks\Safe Saver-codedownloader.job
c:\windows\Tasks\Safe Saver-enabler.job
c:\windows\Tasks\Safe Saver-firefoxinstaller.job
c:\windows\Tasks\Safe Saver-updater.job
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_ReadingFanatic_6xService
-------\Legacy_ReadingFanatic_6xService
-------\Service_ReadingFanatic_6xService
-------\Service_ReadingFanatic_6xService
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-22 to 2013-07-22  )))))))))))))))))))))))))))))))
.
.
2013-07-22 13:04 . 2013-07-22 13:07    --------    d-----w-    c:\windows\system32\MRT
2013-07-19 12:07 . 2013-07-20 22:02    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-07-17 21:33 . 2013-07-17 21:38    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-07-17 21:33 . 2013-04-04 18:50    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-07-17 20:41 . 2013-07-17 20:41    --------    d--h--w-    c:\windows\PIF
2013-07-17 20:35 . 2013-07-17 20:35    --------    d-----w-    c:\documents and settings\All Users\Application Data\NortonInstaller
2013-07-17 19:41 . 2013-07-17 19:41    --------    d-----w-    c:\program files\Microsoft ActiveSync
2013-07-17 19:32 . 2013-07-17 19:32    --------    d-----r-    C:\MSOCache
2013-07-15 01:27 . 2013-07-22 01:24    --------    d-----w-    c:\program files\SpeedFan
2013-07-15 01:25 . 2013-07-15 01:25    --------    d-----w-    c:\documents and settings\Me\AppData
2013-07-15 01:25 . 2011-05-13 23:17    632656    ----a-w-    c:\windows\system32\msvcr80.dll
2013-07-15 01:25 . 2011-05-13 23:17    479232    ----a-w-    c:\windows\system32\msvcm80.dll
2013-07-15 01:25 . 2011-05-13 23:17    554832    ----a-w-    c:\windows\system32\msvcp80.dll
2013-07-15 01:17 . 2013-07-15 01:17    0    ----a-w-    c:\windows\system32\TempWmicBatchFile.bat
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-15 00:54 . 2012-04-25 17:42    692104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-07-15 00:54 . 2011-09-27 17:54    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-13 01:48 . 2012-09-17 20:41    867240    ----a-w-    c:\windows\system32\npDeployJava1.dll
2013-06-13 01:48 . 2011-02-10 22:10    789416    ----a-w-    c:\windows\system32\deployJava1.dll
2013-06-13 01:48 . 2013-06-21 13:23    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-06-13 01:35 . 2013-06-21 13:23    144896    ----a-w-    c:\windows\system32\javacpl.cpl
2013-06-08 03:55 . 2004-08-11 22:00    385024    ----a-w-    c:\windows\system32\html.iec
2013-06-07 21:56 . 2004-08-11 22:00    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-06-07 21:56 . 2004-08-11 22:00    43520    ----a-w-    c:\windows\system32\licmgr10.dll
2013-06-07 21:56 . 2004-08-11 22:00    1469440    ----a-w-    c:\windows\system32\inetcpl.cpl
2013-06-04 07:23 . 2004-08-11 22:00    562688    ----a-w-    c:\windows\system32\qedit.dll
2013-06-04 01:40 . 2008-08-31 17:40    1876736    ----a-w-    c:\windows\system32\win32k.sys
2013-05-09 04:28 . 2006-10-19 01:47    1543680    ------w-    c:\windows\system32\wmvdecod.dll
2013-05-03 01:30 . 2008-08-31 17:40    2149888    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38 . 2008-08-31 17:40    2028544    ----a-w-    c:\windows\system32\ntkrnlpa.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickGammaLoader"="c:\program files\QuickGamma\QuickGammaLoader.exe" [2011-03-11 100352]
"Akamai NetSession Interface"="c:\documents and settings\Me\Local Settings\Application Data\Akamai\netsession_win.exe" [2013-06-05 4489472]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2013-05-08 18680424]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]
"USB2Check"="c:\windows\system32\PCLECoInst.dll" [2006-11-06 81920]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 576320]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2013-05-08 44128]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2013-05-08 642664]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
"lxeemon.exe"="c:\program files\Lexmark Pro700 Series\lxeemon.exe" [2011-01-24 770728]
"EzPrint"="c:\program files\Lexmark Pro700 Series\ezprint.exe" [2011-01-24 148280]
"Lexmark Pro700 Series Fax Server"="c:\program files\Lexmark Pro700 Series\fm3032.exe" [2009-10-01 316072]
"RTHDCPL"="RTHDCPL.EXE" [2008-01-09 16859648]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2013-06-27 345144]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-12-12 152544]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-06-20 22:06    10536    ----a-w-    c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Calendar Sync.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Calendar Sync.lnk
backup=c:\windows\pss\Google Calendar Sync.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12    1695232    ----a-w-    c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IntuitUpdateService"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Me\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1081:TCP"= 1081:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [1/11/2013 11:44 AM 37352]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/11/2013 11:44 AM 84024]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/23/2012 1:37 PM 13672]
R2 lxee_device;lxee_device;c:\windows\system32\lxeecoms.exe -service --> c:\windows\system32\lxeecoms.exe -service [?]
S2 lxeeCATSCustConnectService;lxeeCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxeeserv.exe [12/30/2011 11:16 AM 193192]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [3/1/2013 12:11 PM 161384]
S3 SQTECH913D;Photo Frame;c:\windows\system32\drivers\Capt8080.sys [12/25/2008 12:29 PM 27280]
S4 AntiVirWebService;Avira Web Protection;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [1/11/2013 11:44 AM 589368]
S4 AVGIDSHX;AVGIDSHX;c:\windows\system32\DRIVERS\avgidshx.sys --> c:\windows\system32\DRIVERS\avgidshx.sys [?]
S4 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\avgidsshimx.sys --> c:\windows\system32\DRIVERS\avgidsshimx.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12    REG_MULTI_SZ       Pml Driver HPZ12 Net Driver HPZ12
HPService    REG_MULTI_SZ       HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-25 00:54]
.
2013-07-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local;<local>
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
Trusted Zone: dell.com
Trusted Zone: tdameritrade.com
TCP: DhcpNameServer = 192.168.200.1
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Safe Saver - c:\program files\Safe Saver\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-07-22 09:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(772)
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
- - - - - - - > 'explorer.exe'(5824)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Seagate\Basics\Service\SyncServicesBasics.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\windows\system32\lxeecoms.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\RTHDCPL.EXE
c:\program files\ATI Technologies\ATI.ACE\cli.exe
.
**************************************************************************
.
Completion time: 2013-07-22  10:04:12 - machine was rebooted
ComboFix-quarantined-files.txt  2013-07-22 14:04
ComboFix2.txt  2013-07-21 16:45
.
Pre-Run: 282,453,856,256 bytes free
Post-Run: 282,310,967,296 bytes free
.
- - End Of File - - 36865BE2DD63156AE4643E03E3A3E0B6
5CB90281D1A59B251F6603134774EEC3
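A triage pass over the ComboFix log above, added here as an example and not part of the original post or of ComboFix itself: it pulls the Run-key autoruns, flags the ones that live inside a user profile directory or are listed without any directory (those are resolved through the PATH search at logon), lists services whose image ComboFix could not find on disk (the `[?]` suffix), and reports the Security Center `DisableMonitoring` overrides such as the stale Trend Micro entries. SAMPLE is a constructed excerpt of the lines posted above; the flagging rules are this example's own heuristics, not ComboFix's.

```python
"""Triage the autorun-relevant sections of a ComboFix log.

Added example for this thread; not ComboFix's code and not from the
original post. SAMPLE is a constructed excerpt of the log posted above.
"""
import re
from dataclasses import dataclass, field

SAMPLE = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickGammaLoader"="c:\program files\QuickGamma\QuickGammaLoader.exe" [2011-03-11 100352]
"Akamai NetSession Interface"="c:\documents and settings\Me\Local Settings\Application Data\Akamai\netsession_win.exe" [2013-06-05 4489472]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2013-06-27 345144]
"RTHDCPL"="RTHDCPL.EXE" [2008-01-09 16859648]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [1/11/2013 11:44 AM 37352]
R2 lxee_device;lxee_device;c:\windows\system32\lxeecoms.exe -service --> c:\windows\system32\lxeecoms.exe -service [?]
S4 AVGIDSHX;AVGIDSHX;c:\windows\system32\DRIVERS\avgidshx.sys --> c:\windows\system32\DRIVERS\avgidshx.sys [?]
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# "Name"="image path" [yyyy-mm-dd size]  -- ComboFix's Run-key value format
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[(\d{4}-\d{2}-\d{2}) (\d+)\]\s*$')
# R2 name;display;image [date size]   or   ... image --> image [?]
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
USER_DIR_RE = re.compile(r"\\(documents and settings|users)\\|\\appdata\\", re.I)
SECCENTER_RE = re.compile(r"security center\\monitoring\\([^\\]+)$", re.I)


@dataclass
class Triage:
    run_entries: list = field(default_factory=list)          # (key, name, image)
    user_writable: list = field(default_factory=list)        # autoruns inside a user profile
    unqualified: list = field(default_factory=list)          # image given without a directory
    missing_services: list = field(default_factory=list)     # image file not found on disk
    monitoring_disabled: list = field(default_factory=list)  # Security Center overrides


def triage(log: str) -> Triage:
    t = Triage()
    key = ""
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line == ".":        # ComboFix pads sections with lone dots
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key.lower().endswith("\\run"):
            name, image = m.group(1), m.group(2)
            t.run_entries.append((key, name, image))
            if USER_DIR_RE.search(image):
                t.user_writable.append(name)
            if "\\" not in image:          # resolved through the PATH search at logon
                t.unqualified.append(name)
            continue
        sc = SECCENTER_RE.search(key)
        if sc and line.lower() == '"disablemonitoring"=dword:00000001':
            t.monitoring_disabled.append(sc.group(1))
            continue
        m = SERVICE_RE.match(line)
        if m and m.group(4).rstrip().endswith("[?]"):
            t.missing_services.append(m.group(2))
    return t


if __name__ == "__main__":
    result = triage(SAMPLE)
    for label, items in vars(result).items():
        print(f"{label}: {items}")
```

Two caveats on reading the flags: the Akamai entry is flagged only because it runs from Local Settings\Application Data, a directory any process running as that user can overwrite, which makes it worth a second look in every autorun review rather than evidence of infection; and RTHDCPL.EXE is the Realtek audio control panel, which does normally live in c:\windows (the log's running-process list shows c:\windows\RTHDCPL.EXE), so the unqualified flag exists to make the reviewer confirm where the name resolves, not to call it malicious.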
 



#10 TB-Psychotic (Malware Response Team)

Posted 23 July 2013 - 01:02 AM

Scan with ESET Online Scan

Please go here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click 'List of found threats', then click 'Export to text file...'.
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#11 purplemon (Topic Starter)

Posted 23 July 2013 - 10:28 AM

C:\Documents and Settings\Me\Local Settings\Application Data\AskToolbar\setup.exe    a variant of Win32/Bundled.Toolbar.Ask application
C:\Program Files\Avira\AntiVir Desktop\apnic.dll    a variant of Win32/Bundled.Toolbar.Ask application
C:\Program Files\Avira\AntiVir Desktop\apntoolbarinstaller.exe    a variant of Win32/Bundled.Toolbar.Ask application
C:\Program Files\Avira\AntiVir Desktop\Offercast_AVIRAV7_.exe    a variant of Win32/Bundled.Toolbar.Ask.D application
C:\Qoobox\Quarantine\C\Program Files\Safe Saver\utils.exe.vir    a variant of Win32/Packed.VMDetector.A application
C:\Qoobox\Quarantine\C\PROGRA~1\READIN~2\bar\1.bin\6xdatact.dll.vir    a variant of Win32/Toolbar.MyWebSearch.A application
C:\Qoobox\Quarantine\C\PROGRA~1\READIN~2\bar\1.bin\6xhtmlmu.dll.vir    probably a variant of Win32/Toolbar.MyWebSearch.B application
C:\Qoobox\Quarantine\C\PROGRA~1\READIN~2\bar\1.bin\6xieovr.dll.vir    probably a variant of Win32/Toolbar.MyWebSearch.P application
C:\Qoobox\Quarantine\C\PROGRA~1\READIN~2\bar\1.bin\6xskin.dll.vir    a variant of Win32/Toolbar.MyWebSearch.P application
C:\Qoobox\Quarantine\C\PROGRA~1\READIN~2\bar\1.bin\T8HTML.DLL.vir    probably a variant of Win32/Toolbar.MyWebSearch.F application
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1595\A0142256.dll    Win32/Wajam.A application
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1595\A0142260.dll    a variant of Win32/Toolbar.BitCocktail.A application
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1595\A0142261.exe    a variant of Win32/Toolbar.BitCocktail.B application
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1595\A0142262.dll    a variant of Win32/Toolbar.Perion.A application
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1595\A0142264.exe    Win32/DownWare.E application
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1595\A0142267.exe    Win32/Wajam.A application
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1597\A0144060.dll    a variant of Win32/bProtector.A application
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1597\A0144061.exe    a variant of Win32/bProtector.A application
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1597\A0144062.exe    a variant of Win32/bProtector.A application
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1598\A0144313.dll    a variant of Win32/bProtector.A application
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1598\A0144314.exe    a variant of Win32/bProtector.A application
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1598\A0144316.exe    a variant of Win32/bProtector.A application
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1602\A0151071.exe    Win32/InstallCore.BL application
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1603\A0151280.dll    a variant of Win32/Toolbar.MyWebSearch.A application
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1603\A0151286.dll    probably a variant of Win32/Toolbar.MyWebSearch.B application
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1603\A0151289.dll    probably a variant of Win32/Toolbar.MyWebSearch.P application
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1603\A0151298.dll    a variant of Win32/Toolbar.MyWebSearch.P application
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1603\A0151309.DLL    probably a variant of Win32/Toolbar.MyWebSearch.F application
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1603\A0151327.exe    a variant of Win32/Packed.VMDetector.A application
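The ESET export above, sorted as an added example that is neither ESET's code nor part of the original post: of the 29 hits, only four are files that can still run. The rest are either files ComboFix had already moved to C:\Qoobox\Quarantine (renamed with a .vir suffix) or copies sitting inside System Restore points under System Volume Information, which are dormant until a restore is performed. The code below separates the live hits from those two classes, keeps ESET's "probably" heuristic flag, and records which restore points (RP1595, RP1597, ...) hold flagged files. SAMPLE is a constructed excerpt of the export; the location rules are this example's own.

```python
"""Sort an ESET Online Scanner export into live, quarantined and
restore-point hits.

Added example for this thread; not ESET's code and not from the original
post. SAMPLE is a constructed excerpt of the export posted above.
"""
import re
from collections import Counter

SAMPLE = r"""
C:\Documents and Settings\Me\Local Settings\Application Data\AskToolbar\setup.exe    a variant of Win32/Bundled.Toolbar.Ask application
C:\Program Files\Avira\AntiVir Desktop\apnic.dll    a variant of Win32/Bundled.Toolbar.Ask application
C:\Program Files\Avira\AntiVir Desktop\Offercast_AVIRAV7_.exe    a variant of Win32/Bundled.Toolbar.Ask.D application
C:\Qoobox\Quarantine\C\Program Files\Safe Saver\utils.exe.vir    a variant of Win32/Packed.VMDetector.A application
C:\Qoobox\Quarantine\C\PROGRA~1\READIN~2\bar\1.bin\6xhtmlmu.dll.vir    probably a variant of Win32/Toolbar.MyWebSearch.B application
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1595\A0142256.dll    Win32/Wajam.A application
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1597\A0144060.dll    a variant of Win32/bProtector.A application
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1597\A0144061.exe    a variant of Win32/bProtector.A application
"""

# path, then a tab or a run of spaces, then ESET's detection text
LINE_RE = re.compile(r"^(?P<path>.+?)(?:\t|\s{2,})(?P<det>.+)$")
# "probably a variant of Win32/X.Y application" -> name Win32/X.Y plus a heuristic flag
DET_RE = re.compile(r"^(?P<prob>probably )?(?:a variant of )?(?P<name>\S+?)(?: application)?$")
RP_RE = re.compile(r"\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\")


def location(path: str) -> str:
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"      # already moved and renamed (.vir) by ComboFix
    if "\\system volume information\\_restore" in p:
        return "restore_point"   # dormant copy inside a System Restore point
    return "live"


def parse(export: str) -> list:
    hits = []
    for line in export.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path = m["path"]
        d = DET_RE.match(m["det"].strip())
        rp = RP_RE.search(path)
        hits.append({
            "path": path,
            "detection": d["name"] if d else m["det"].strip(),
            "heuristic": bool(d and d["prob"]),
            "where": location(path),
            "restore_point": rp.group(1) if rp else None,
        })
    return hits


def summarize(hits: list) -> dict:
    live = [h for h in hits if h["where"] == "live"]
    return {
        "counts": dict(Counter(h["where"] for h in hits)),
        "live": live,
        "live_families": dict(Counter(h["detection"] for h in live)),
        "restore_points": sorted({h["restore_point"] for h in hits if h["restore_point"]}),
    }


if __name__ == "__main__":
    s = summarize(parse(SAMPLE))
    print(s["counts"], s["restore_points"])
    for h in s["live"]:
        print("LIVE ", h["detection"], h["path"])
```

Run against the full export, the live set is the AskToolbar setup.exe under the user's profile plus the three Ask components inside the Avira install directory; those are what need action. The quarantine entries are already neutralised, and the restore-point copies are normally purged at the end of a cleanup (on XP, turning System Restore off and on again discards every restore point), which is why helpers usually leave them until last.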
 



#12 TB-Psychotic (Malware Response Team)

Posted 23 July 2013 - 11:42 PM

As you can see, Antivir brings parts of the Ask toolbar with it, which is adware itself.

I recommend using another free antivirus program, for example:

  • Avast!
  • Microsoft Security Essentials

Then we can do the cleanup. If you are facing any issues, report that immediately.

Delete junk with AdwCleaner

Please download AdwCleaner to your desktop.

  • Run adwcleaner.exe.
  • Hit delete.
  • When the run is finished, it will open up a text file.
  • Please post its contents within your next reply.
  • You'll find the log file at C:\AdwCleaner[S1].txt also.


SecurityCheck

Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan has finished, checkup.txt will open. Copy its content to your thread.



#13 purplemon (Topic Starter)

Posted 24 July 2013 - 10:01 AM

***** [Files / Folders] *****


***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes [bProtectorDefaultScope]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v22.0 (en-US)

-\\ Google Chrome v [Unable to get version]

*************************

AdwCleaner[R1].txt - [34202 octets] - [17/07/2013 16:49:10]
AdwCleaner[R2].txt - [1781 octets] - [24/07/2013 09:22:26]
AdwCleaner[S1].txt - [34908 octets] - [17/07/2013 16:51:36]
AdwCleaner[S2].txt - [1574 octets] - [24/07/2013 09:28:09]

########## EOF - C:\AdwCleaner[S2].txt - [1634 octets] ##########
 



#14 purplemon (Topic Starter)

Posted 24 July 2013 - 10:02 AM

 Results of screen317's Security Check version 0.99.71  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
avast! Antivirus                
Trend Micro Internet Security   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 CloneSpy 2.52    
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Duplicate Cleaner Free 3.0.1  
 Java 7 Update 25  
 Adobe Flash Player     11.7.700.224  
 Mozilla Firefox (22.0)
````````Process Check: objlist.exe by Laurent````````  
 AVAST Software Avast AvastSvc.exe  
 AVAST Software Avast avastUI.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 33% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````



#15 purplemon (Topic Starter)

Posted 24 July 2013 - 10:09 AM

I uninstalled Avira and replaced it with Avast.

I see Trend Micro is still listed. I uninstalled it a year or more ago and replaced it with Avira; are there still enough bits of Avira to show up in the scan? How can I remove them?

 

I still find that I cannot start most programs by double-clicking the desktop icons.





