Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Zero Access TRojan


  • This topic is locked This topic is locked
25 replies to this topic

#1 BatMasterson

BatMasterson

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:47 AM

Posted 18 July 2013 - 11:56 PM

Greetings, I have been having a few issues with my pc. On further inspection I found entries that I has not noticed beforel

Here is the DDS LOg

Attached Files



BC AdBot (Login to Remove)

 


#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:47 PM

Posted 19 July 2013 - 12:37 AM

Hi there,
my name is Marius and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are follow my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

 

 

Scan with Malwarebytes Anti-Rootkit

Please download Malwarebytes Anti-Rootkit from here Malwarebytes : Malwarebytes Anti-Rootkit and save it to your desktop.

Be sure to print out and follow the instructions provided on that same page.

Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.

  • Double click the mbar.zip file to open it, then 'Extract all files'.
  • Double click the mbar folder to open it, then double click mbar.exe to start the tool.

Check for Updates, then Scan your system for malware

If malware is found, do NOT press the Cleanup button yet. Click EXIT.

I'd like to see the log first so I can see what it sees. You'll find the log in that mbar folder as MBAR-log-***.txt . Please attach that to your next reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 BatMasterson

BatMasterson
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:47 AM

Posted 19 July 2013 - 04:15 AM

Here is the mbar log, attatched per your request.Thank you.There is also a System Log txt as well. Do You need that also?

Attached Files


Edited by BatMasterson, 19 July 2013 - 04:24 AM.


#4 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:47 PM

Posted 19 July 2013 - 04:43 AM

no, thank you.

 

 

Combofix

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications


====================================================


Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


RC_update.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


cfRC_screen_2.png


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#5 BatMasterson

BatMasterson
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:47 AM

Posted 19 July 2013 - 11:29 AM

Here is the log :smash:

 

 

ComboFix 13-07-18.04 - Owner 07/19/2013  13:46:38.1.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.446.149 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\{40BF1E83-20EB-11D8-97C5-0009C5020658}\PostBuild.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-19 to 2013-07-19  )))))))))))))))))))))))))))))))
.
.
2013-07-19 02:24 . 2013-07-19 02:35 -------- d-----w- C:\getsup
2013-07-19 01:51 . 2013-07-19 01:51 -------- d-----w- c:\documents and settings\Owner\Application Data\McAfee
2013-07-19 01:21 . 2013-07-19 01:22 551408 ----a-w- C:\rootkitremover.exe
2013-07-19 00:36 . 2013-07-19 00:40 -------- d-----w- C:\MGtools
2013-07-19 00:19 . 2013-07-19 00:26 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2013-07-18 14:36 . 2013-07-18 14:36 -------- d-----w- c:\program files\iMesh Applications
2013-07-18 14:32 . 2013-07-18 15:17 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{FBD38C9D-3733-43E5-91B0-5416123D09D4}
2013-07-18 14:25 . 2013-07-18 14:25 -------- d-----w- c:\windows\ERUNT
2013-07-18 13:55 . 2013-07-18 14:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-07-18 03:46 . 2013-07-18 20:54 -------- d-----w- C:\Stinger_Quarantine
2013-07-18 03:46 . 2013-07-18 21:43 -------- d-----w- c:\program files\stinger
2013-07-17 00:47 . 2013-07-17 00:47 256904 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2013-07-16 03:10 . 2013-07-16 03:17 -------- d-----w- c:\windows\system32\MRT
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-19 00:40 . 2013-07-19 00:36 154577 ----a-w- C:\MGlogs.zip
2013-07-16 03:24 . 2013-02-13 17:40 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-07-16 03:24 . 2013-02-13 17:40 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-08 04:55 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
2013-06-07 21:56 . 2008-04-14 12:00 920064 ----a-w- c:\windows\system32\wininet.dll
2013-06-07 21:56 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-06-07 21:56 . 2008-04-14 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-06-04 07:23 . 2008-04-14 12:00 562688 ----a-w- c:\windows\system32\qedit.dll
2013-06-04 01:40 . 2008-04-14 12:00 1876736 ----a-w- c:\windows\system32\win32k.sys
2013-05-09 05:28 . 2006-10-19 03:47 1543680 ------w- c:\windows\system32\wmvdecod.dll
2013-05-03 01:26 . 2008-04-14 12:00 2193536 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38 . 2008-04-14 00:01 2070144 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"iMesh"="c:\program files\iMesh Applications\iMesh\iMesh.exe" [2013-06-24 31020056]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-14 344064]
"CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2010-08-20 107816]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-03-15 54832]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2013-03-13 1278064]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\iMesh Applications\\iMesh\\iMesh.exe"=
.
R3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [2012-04-20 146872]
R3 MFE_RR;MFE_RR;c:\docume~1\Owner\LOCALS~1\Temp\mfe_rr.sys [x]
R3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\DRIVERS\mfendisk.sys [2013-02-19 84904]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2013-02-19 92632]
S1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2013-02-19 91640]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2012-08-31 167784]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2012-08-31 167784]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2012-08-31 167784]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2013-02-19 169320]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2013-02-19 172416]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2013-02-19 60920]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2013-02-19 363080]
S3 mfendiskmp;mfendiskmp;c:\windows\system32\DRIVERS\mfendisk.sys [2013-02-19 84904]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-07-13 21:09 1173456 ----a-w- c:\program files\Google\Chrome\Application\28.0.1500.72\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-19 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-02-13 03:24]
.
2013-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-02-12 22:47]
.
2013-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-02-12 22:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cox.net/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-07-19 13:55
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(868)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2013-07-19  13:57:13
ComboFix-quarantined-files.txt  2013-07-19 18:57
.
Pre-Run: 152,491,323,392 bytes free
Post-Run: 152,452,972,544 bytes free
.
- - End Of File - - 66CE51DFC90D45143FF5278BE74D7667
8F558EB6672622401DA993E1E865C861
 

 

 

 

Thank You


Edited by BatMasterson, 19 July 2013 - 03:20 PM.


#6 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:47 PM

Posted 20 July 2013 - 04:49 AM

Looks good!

 

 

Scan with ESET Online Scan

Please go to here to run the online scannner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats' , then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.

 

 

 

Scan with Farbar´s Service Scanner

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender

  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


Edited by TB-Psychotic, 20 July 2013 - 04:49 AM.

Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#7 BatMasterson

BatMasterson
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:47 AM

Posted 20 July 2013 - 08:17 AM

Here are the logs:

 

ESET

C:\MGtools\Process.exe Win32/PrcView application
C:\System Volume Information\_restore{A673D543-AA8F-40B2-A2B0-45263BEA00D6}\RP178\A0235588.exe multiple threats

 

Farbar Service

 

Farbar Service Scanner Version: 13-07-2013
Ran by Owner (administrator) on 20-07-2013 at 08:07:45
Running from "C:\Documents and Settings\Owner\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) mfetdi2k(8) NetBT(6) PSched(7) Tcpip(4)
0x080000000500000001000000020000000300000004000000080000000600000007000000
IpSec Tag value is correct.

**** End of log ****

 

 

Thank You



#8 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:47 PM

Posted 20 July 2013 - 08:19 AM

Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with adwCleaner


Please download AdwCleaner to your desktop.


  • Run adwcleaner.exe.
  • Hit delete.
  • When the run is finished, it will open up a text file.
  • Please post its contents within your next reply.
  • You´ll find the log file at C:\AdwCleaner[S1].txt also.


SecurityCheck

Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan finished the (checkup.txt) will open. Copy its content to your thread.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#9 BatMasterson

BatMasterson
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:47 AM

Posted 20 July 2013 - 08:22 AM

Here are the logs

 

Farbar Service Scanner Version: 13-07-2013
Ran by Owner (administrator) on 20-07-2013 at 08:07:45
Running from "C:\Documents and Settings\Owner\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) mfetdi2k(8) NetBT(6) PSched(7) Tcpip(4)
0x080000000500000001000000020000000300000004000000080000000600000007000000
IpSec Tag value is correct.C:\MGtools\Process.exe Win32/PrcView application
C:\System Volume Information\_restore{A673D543-AA8F-40B2-A2B0-45263BEA00D6}\RP178\A0235588.exe multiple threats
 

 

 

**** End of log ****

C:\MGtools\Process.exe Win32/PrcView application
C:\System Volume Information\_restore{A673D543-AA8F-40B2-A2B0-45263BEA00D6}\RP178\A0235588.exe multiple threats
 



#10 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:47 PM

Posted 20 July 2013 - 08:27 AM

ehm...looks like you did something wrong.. ;-)


Edited by TB-Psychotic, 20 July 2013 - 08:28 AM.

Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#11 BatMasterson

BatMasterson
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:47 AM

Posted 20 July 2013 - 08:51 AM

Oopsie! My Bad. :notme: Logs to follow.



#12 BatMasterson

BatMasterson
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:47 AM

Posted 20 July 2013 - 09:40 AM

Logs

 

 Results of screen317's Security Check version 0.99.70 
 Windows XP Service Pack 3 x86  
 Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
 McAfee Virtual Technician   
 McAfee SecurityCenter    
`````````Anti-malware/Other Utilities Check:`````````
 SpywareBlaster 5.0   
 CCleaner    
 Adobe Reader XI 
 Google Chrome 28.0.1500.71 
 Google Chrome 28.0.1500.72 
````````Process Check: objlist.exe by Laurent```````` 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 0%
````````````````````End of Log``````````````````````
 

# AdwCleaner v2.306 - Logfile created 07/20/2013 at 09:13:22
# Updated 19/07/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Owner - USER-C0870A6793
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Owner\Desktop\adwcleaner.exe
# Option [Search]

***** [Services] *****

***** [Files / Folders] *****

Folder Found : C:\Documents and Settings\mammy\Local Settings\Application Data\iMesh
Folder Found : C:\Documents and Settings\mammy\Local Settings\Application Data\PackageAware
Folder Found : C:\Documents and Settings\Owner\Local Settings\Application Data\iMesh
Folder Found : C:\Documents and Settings\Owner\Local Settings\Application Data\PackageAware
Folder Found : C:\Program Files\iMesh Applications

***** [Registry] *****

Key Found : HKCU\Software\Imesh
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Imesh
Key Found : HKLM\SOFTWARE\Classes\AppID\{1FC41815-FA4C-4F8B-B143-2C045C8EA2FC}
Key Found : HKLM\SOFTWARE\Classes\AppID\{21493C1F-D071-496A-9C27-450578888291}
Key Found : HKLM\SOFTWARE\Classes\AppID\{403A885F-CB00-40C1-BDC1-EB09053194F7}
Key Found : HKLM\SOFTWARE\Classes\AppID\{55C1727F-5535-4C2A-9601-8C2458608B48}
Key Found : HKLM\SOFTWARE\Classes\AppID\{A7DDCBDE-5C86-415C-8A37-763AE183E7E4}
Key Found : HKLM\SOFTWARE\Classes\AppID\DiscoveryHelper.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\GIFAnimator.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\iMesh.exe
Key Found : HKLM\SOFTWARE\Classes\AppID\IMTrProgress.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\IMWeb.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\WMHelper.DLL
Key Found : HKLM\SOFTWARE\Classes\CLSID\{27BF8F8D-58B8-D41C-F913-B7EEB57EF6F6}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3BF72F68-72D8-461D-A884-329D936C5581}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{78E9D883-93CD-4072-BEF3-38EE581E2839}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{7C3B01BC-53A5-48A0-A43B-0C67731134B9}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{83AC1413-FCE4-4A46-9DD5-4F31F306E71F}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{B6F8DA9F-2696-419E-A8A3-19BE41EF51BD}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{F42C7B47-5234-4BF5-8882-DAAC0D64870D}
Key Found : HKLM\SOFTWARE\Classes\DiscoveryHelper.iMesh6Discovery
Key Found : HKLM\SOFTWARE\Classes\DiscoveryHelper.iMesh6Discovery.1
Key Found : HKLM\SOFTWARE\Classes\imweb.imwebcontrol
Key Found : HKLM\SOFTWARE\Classes\Interface\{69D3F709-9DE2-479F-980F-532D46895703}
Key Found : HKLM\SOFTWARE\Classes\Interface\{B37B4BA6-334E-72C1-B57E-6AFE8F8A5AF3}
Key Found : HKLM\SOFTWARE\Classes\Interface\{B77AD4AC-C1C2-B293-7737-71E13A11FFEA}
Key Found : HKLM\SOFTWARE\Classes\Interface\{CA1CE38C-F04C-471F-B9F3-083C58165C10}
Key Found : HKLM\SOFTWARE\Classes\Interface\{E773F2CF-5E6E-FF2B-81A1-AC581A26B2B2}
Key Found : HKLM\SOFTWARE\Classes\Interface\{F42C7B47-5234-4BF5-8882-DAAC0D64870D}
Key Found : HKLM\SOFTWARE\Classes\Interface\{F7BEBBB1-7E6B-4561-9444-6F4866D60C7C}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{403A885F-CB00-40C1-BDC1-EB09053194F7}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{55C1727F-5535-4C2A-9601-8C2458608B48}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{96F7FABC-5789-EFA4-B6ED-1272F4C1D27B}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{EC96F516-51B2-4B46-8451-8665F5A6BA2B}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{F07FBD3E-2048-44A4-9065-71BF551E2672}
Key Found : HKLM\Software\Imesh
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0ABE0FED-50E7-4E42-A125-57C0A11DBCDE}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Imesh
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7C3B01BC-53A5-48A0-A43B-0C67731134B9}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{872F3C0B-4462-424C-BB9F-74C6899B9F92}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{B6F8DA9F-2696-419E-A8A3-19BE41EF51BD}

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Google Chrome v28.0.1500.72

File : C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [4301 octets] - [20/07/2013 09:13:22]

########## EOF - C:\AdwCleaner[R1].txt - [4361 octets] ##########

 

It turns out that this Service MFE_RR is from McAfee Rootkit Remover. It is listed in many threads I searched containing infected pcs.I could not locate this service in any of the service listings online. Therefore I considered this box was infected. PC is running better. I`m ready for the next step.BTW how can I stop and delete this service ?

 

Thank You


Edited by BatMasterson, 20 July 2013 - 07:39 PM.


#13 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:47 PM

Posted 21 July 2013 - 07:49 AM

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.


CFScriptB-4.gif


Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Attached Files


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#14 BatMasterson

BatMasterson
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:47 AM

Posted 21 July 2013 - 08:50 AM

No Joy! A student relative ran a program for a project and decided Combofix  would interfere with her project. Despite my taped note on the monitor to use another box since I was out last eve!

 

Question: Should I re-download CF and preform the last step you posted?

 

Seems like there are folks who listen and those who do as they wish. :censored:

 

MY apologies

 

Thank you


Edited by BatMasterson, 21 July 2013 - 08:55 AM.


#15 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:47 PM

Posted 21 July 2013 - 09:04 AM

yes, do that.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users