
Mal/HTMLGen-A (High Risk Website Blocked)


This topic is locked
12 replies to this topic

#1 SheGo2Slow

  • Members

Posted 22 July 2013 - 06:36 AM

PC is running slow and these Mal/HTMLGen-A popups appear with more and more frequency. Malware and virus scans show no activity.

 

Thank you!

#2 TB-Psychotic

  • Malware Response Team

Posted 22 July 2013 - 07:03 AM

Hi there,
My name is Marius and I will be assisting you with your malware-related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" button.

  • Double click on the randomly named GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following:
    • Sections
    • IAT/EAT
    • Show All (should be unchecked by default)
  • Leave everything else as it is.
  • Close all other running programs as well as your browser.
  • Click the Scan button and wait for it to finish.
  • Once done, click on the Save... button, and in the File name area type in "ark.txt", or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#3 SheGo2Slow

  • Topic Starter

Posted 22 July 2013 - 09:01 AM

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-07-22 09:53:02
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-8 Hitachi_HDP725032GLA360 rev.GM3OA5BA 298.09GB
Running: gztk7819.exe; Driver: C:\DOCUME~1\mtaormin\LOCALS~1\Temp\pwldykoc.sys


---- Devices - GMER 2.1 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                          savonaccessfilter.sys

Device          \Driver\usbehci \Device\USBPDO-0                Achernar.sys
Device          \Driver\usbuhci \Device\USBPDO-1                Achernar.sys
Device          \Driver\usbuhci \Device\USBPDO-2                Achernar.sys
Device          \Driver\usbuhci \Device\USBPDO-3                Achernar.sys
Device          \Driver\usbehci \Device\USBPDO-4                Achernar.sys
Device          \Driver\PCI \Device\NTPNP_PCI0002               Achernar.sys
Device          \Driver\usbuhci \Device\USBPDO-5                Achernar.sys
Device          \Driver\PCI \Device\NTPNP_PCI0010               Achernar.sys
Device          \Driver\usbuhci \Device\USBPDO-6                Achernar.sys
Device          \Driver\usbccgp \Device\00000070                Achernar.sys
Device          \Driver\PCI \Device\NTPNP_PCI0004               Achernar.sys
Device          \Driver\usbuhci \Device\USBPDO-7                Achernar.sys
Device          \Driver\usbhub \Device\00000071                 Achernar.sys
Device          \Driver\PCI \Device\NTPNP_PCI0005               Achernar.sys
Device          \Driver\usbhub \Device\USBPDO-8                 Achernar.sys
Device          \Driver\PCI \Device\NTPNP_PCI0013               Achernar.sys
Device          \Driver\PCI \Device\NTPNP_PCI0006               Achernar.sys
Device          \Driver\IntelIde \Device\Ide\PciIde1Channel0-2  Achernar.sys
Device          \Driver\PCIIde \Device\Ide\PciIde0Channel0-0    Achernar.sys
Device          \Driver\IntelIde \Device\Ide\PciIde2Channel0-4  Achernar.sys
Device          \Driver\IntelIde \Device\Ide\PciIde1Channel1-3  Achernar.sys
Device          \Driver\PCIIde \Device\Ide\PciIde0Channel1-1    Achernar.sys
Device          \Driver\usbhub \Device\USBPDO-9                 Achernar.sys
Device          \Driver\usbccgp \Device\00000073                Achernar.sys
Device          \Driver\PCI \Device\NTPNP_PCI0014               Achernar.sys
Device          \Driver\PCI \Device\NTPNP_PCI0007               Achernar.sys
Device          \Driver\usbhub \Device\00000066                 Achernar.sys
Device          \Driver\PCI \Device\NTPNP_PCI0015               Achernar.sys
Device          \Driver\PCI \Device\NTPNP_PCI0008               Achernar.sys
Device          \Driver\usbhub \Device\00000067                 Achernar.sys
Device          \Driver\usbhub \Device\USBPDO-10                Achernar.sys
Device          \Driver\PCI \Device\NTPNP_PCI0009               Achernar.sys
Device          \Driver\usbhub \Device\00000068                 Achernar.sys
Device          \Driver\PCI \Device\NTPNP_PCI0022               Achernar.sys
Device          \Driver\PCI \Device\NTPNP_PCI0016               Achernar.sys
Device          \Driver\usbhub \Device\USBPDO-11                Achernar.sys
Device          \Driver\usbhub \Device\00000069                 Achernar.sys
Device          \Driver\PCI \Device\NTPNP_PCI0023               Achernar.sys
Device          \Driver\usbhub \Device\USBPDO-12                Achernar.sys
Device          \Driver\PCI \Device\NTPNP_PCI0018               Achernar.sys
Device          \Driver\usbhub \Device\USBPDO-13                Achernar.sys
Device          \Driver\usbccgp \Device\00000079                Achernar.sys
Device          \Driver\usbhub \Device\0000006a                 Achernar.sys
Device          \Driver\usbuhci \Device\USBFDO-0                Achernar.sys
Device          \Driver\usbccgp \Device\0000007a                Achernar.sys
Device          \Driver\usbhub \Device\0000006d                 Achernar.sys
Device          \Driver\usbuhci \Device\USBFDO-1                Achernar.sys
Device          \Driver\usbhub \Device\0000006e                 Achernar.sys
Device          \Driver\usbuhci \Device\USBFDO-2                Achernar.sys
Device          \Driver\usbhub \Device\0000006f                 Achernar.sys
Device          \Driver\usbehci \Device\USBFDO-3                Achernar.sys
Device          \Driver\usbuhci \Device\USBFDO-4                Achernar.sys
Device          \Driver\usbuhci \Device\USBFDO-5                Achernar.sys
Device          \Driver\usbuhci \Device\USBFDO-6                Achernar.sys
Device          \Driver\usbehci \Device\USBFDO-7                Achernar.sys

AttachedDevice  \FileSystem\Fastfat \Fat                        savonaccessfilter.sys
AttachedDevice  \FileSystem\Fastfat \Fat                        fltMgr.sys

Device          \FileSystem\Cdfs \Cdfs                          DLAIFS_M.SYS

---- EOF - GMER 2.1 ----
 



#4 TB-Psychotic

  • Malware Response Team

Posted 22 July 2013 - 11:50 PM

Combofix

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications


====================================================


Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

(screenshot: RC_update.png)

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(screenshot: cfRC_screen_2.png)

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.



#5 SheGo2Slow

  • Topic Starter

Posted 23 July 2013 - 07:04 AM

ComboFix 13-07-22.01 - mtaormin 07/23/2013   7:37.6.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3582.2710 [GMT -4:00]
Running from: c:\documents and settings\mtaormin\Desktop\ComboFix.exe
AV: Sophos Anti-Virus *Disabled/Updated* {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\i8042prt.sys . . . is missing!!
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-23 to 2013-07-23  )))))))))))))))))))))))))))))))
.
.
2013-07-09 16:48 . 2013-07-09 16:48    --------    d-----w-    c:\program files\MSECache
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-23 10:14 . 2011-02-25 20:23    0    ----a-w-    c:\documents and settings\mtaormin\Local Settings\Application Data\WavXMapDrive.bat
2013-07-15 10:48 . 2012-04-04 12:20    692104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-07-15 10:48 . 2011-07-07 15:34    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-13 11:06 . 2009-04-24 15:14    33736    ----a-w-    c:\windows\system32\drivers\savonaccessfilter.sys
2013-06-13 11:06 . 2009-04-24 15:14    172232    ----a-w-    c:\windows\system32\drivers\savonaccesscontrol.sys
2013-06-13 11:06 . 2013-06-13 11:06    33096    ----a-w-    c:\windows\system32\drivers\skmscan.sys
2013-06-13 11:06 . 2012-06-28 15:41    30784    ----a-w-    c:\windows\system32\SophosBootTasks.exe
2013-06-08 03:55 . 2008-04-25 16:16    385024    ------w-    c:\windows\system32\html.iec
2013-06-07 21:56 . 2008-04-25 16:16    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-06-07 21:56 . 2008-04-25 16:16    43520    ------w-    c:\windows\system32\licmgr10.dll
2013-06-07 21:56 . 2008-04-25 16:16    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-06-04 07:23 . 2008-04-25 16:16    562688    ----a-w-    c:\windows\system32\qedit.dll
2013-06-04 01:40 . 2008-04-25 16:16    1876736    ----a-w-    c:\windows\system32\win32k.sys
2013-05-09 04:28 . 2009-01-31 00:35    1543680    ------w-    c:\windows\system32\wmvdecod.dll
2013-05-03 01:30 . 2008-04-25 16:16    2149888    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38 . 2008-04-14 00:01    2028544    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2010-11-08 15:30 . 2010-11-08 15:30    568664    ----a-w-    c:\program files\GoogleEarthPluginSetup.exe
2009-09-13 03:05 . 2013-06-27 11:26    124240    ----a-w-    c:\program files\mozilla firefox\plugins\CCMSDK.dll
2009-09-13 03:06 . 2013-06-27 11:26    13136    ----a-w-    c:\program files\mozilla firefox\plugins\cgpcfg.dll
2009-09-13 03:06 . 2013-06-27 11:26    70488    ----a-w-    c:\program files\mozilla firefox\plugins\CgpCore.dll
2009-09-13 03:06 . 2013-06-27 11:26    91480    ----a-w-    c:\program files\mozilla firefox\plugins\confmgr.dll
2009-09-13 03:06 . 2013-06-27 11:26    22360    ----a-w-    c:\program files\mozilla firefox\plugins\ctxlogging.dll
2009-09-13 03:07 . 2013-06-27 11:26    255312    ----a-w-    c:\program files\mozilla firefox\plugins\ctxmui.dll
2009-09-13 03:06 . 2013-06-27 11:26    31064    ----a-w-    c:\program files\mozilla firefox\plugins\icafile.dll
2009-09-13 03:06 . 2013-06-27 11:26    40280    ----a-w-    c:\program files\mozilla firefox\plugins\icalogon.dll
2009-08-14 17:33 . 2013-06-27 11:26    652640    ----a-w-    c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2009-09-13 03:06 . 2013-06-27 11:26    23896    ----a-w-    c:\program files\mozilla firefox\plugins\TcpPServ.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{022F2F51-CDDA-4873-8A29-72C66C808A3F}"
[HKEY_CLASSES_ROOT\CLSID\{022F2F51-CDDA-4873-8A29-72C66C808A3F}]
2009-11-07 05:07    297808    ----a-w-    c:\windows\system32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{661963C1-99A1-44e7-A671-1CF3768AE9D4}"
[HKEY_CLASSES_ROOT\CLSID\{661963C1-99A1-44e7-A671-1CF3768AE9D4}]
2009-11-07 05:07    297808    ----a-w-    c:\windows\system32\mscoree.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-08-27 1044480]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-11 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-11 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-11 141336]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-08-06 182808]
"ChangeTPMAuth"="c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2008-08-21 184320]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2008-08-22 145408]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2008-08-28 656696]
"EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2008-08-28 91448]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 856064]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-05-21 1501064]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-05-26 1468296]
"Sophos AutoUpdate Monitor"="c:\program files\Sophos\AutoUpdate\almon.exe" [2013-06-13 929272]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2009-09-13 103768]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-04-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-09-10 421776]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 946352]
.
c:\documents and settings\mtaormin\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\Sony Handheld\HOTSYNC.EXE [2002-8-9 299008]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2009-11-12 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
MultiMon Taskbar.lnk - c:\program files\MMTaskbar\MultiMon.exe [2011-3-20 294912]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe  /startup [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2136492297-579076380-10498456-2725\Scripts\Logon\0\0]
"Script"=UpdateCompDescriptionAttrib.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2136492297-579076380-10498456-2725\Scripts\Logon\1\0]
"Script"=FMD-ALL-Global.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2136492297-579076380-10498456-2725\Scripts\Logon\2\0]
"Script"=RadSafeLogon.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2136492297-579076380-10498456-2725\Scripts\Logon\3\0]
"Script"=UpdateCompDescriptionAttrib.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2136492297-579076380-10498456-2725\Scripts\Logon\4\0]
"Script"=FMD-ALL-Global.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Launch Whitesmoke Translator.lnk]
backup=c:\windows\pss\Launch Whitesmoke Translator.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22    3739648    ----a-w-    c:\program files\Google\Google Talk\googletalk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Grindstone 2]
2012-04-02 07:37    1555968    ----a-w-    c:\program files\Grindstone 2\Grindstone 2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2008-12-03 02:41    3882312    ----a-w-    c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44    248552    ----a-w-    c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ToolBoxFX]
2005-11-21 19:55    45056    ----a-w-    c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\notes\\framework\\rcp\\eclipse\\plugins\\com.ibm.rcp.base_6.2.1.20090925-1604\\win32\\x86\\notes2.exe"=
"c:\\Documents and Settings\\mtaormin\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=
.
R0 Achernar;Achernar - SCSI Command Filter Drivers;c:\windows\system32\drivers\Achernar.sys [1/15/2013 10:56 AM 24888]
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [3/16/2009 10:35 PM 24064]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [9/8/2009 6:13 PM 65584]
R1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\dddsk.sys [8/2/2010 1:56 PM 22312]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [4/24/2009 11:14 AM 172232]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [4/24/2009 11:14 AM 33736]
R1 SKMScan;SKMScan;c:\windows\system32\drivers\skmscan.sys [6/13/2013 7:06 AM 33096]
R2 CBA8;LANDesk® Management Agent;c:\program files\LANDesk\Shared Files\residentAgent.exe [8/27/2012 11:35 AM 157496]
R2 LANDesk Policy Invoker;LANDesk Policy Invoker;c:\program files\LANDesk\LDClient\policy.client.invoker.exe [6/13/2013 10:02 AM 219648]
R2 LANDesk Targeted Multicast;LANDesk Targeted Multicast;c:\program files\LANDesk\LDClient\tmcsvc.exe [6/13/2013 10:02 AM 179200]
R2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;c:\notes\nsd.exe -svcinvoke -ini "c:\notes\notes.ini" --> c:\notes\nsd.exe -svcinvoke -ini c:\notes\notes.ini [?]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [6/13/2013 7:06 AM 217592]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [6/13/2013 7:06 AM 159296]
R2 Softmon;LANDesk® Software Monitoring Service;c:\program files\LANDesk\LDClient\SoftMon.exe [6/13/2013 10:02 AM 639024]
R2 Sophos Web Control Service;Sophos Web Control Service;c:\program files\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe [6/28/2012 11:37 AM 357400]
R2 swi_service;Sophos Web Intelligence Service;c:\program files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [6/13/2013 7:06 AM 2890232]
R2 tracksvc;LANDesk® Power Management Track Service;c:\program files\LANDesk\LDClient\tracksvc.exe [6/13/2013 10:02 AM 75608]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [8/16/2010 2:16 PM 592120]
R3 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\7.1.391.0\SeaPort.EXE [6/11/2012 5:22 PM 240208]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [3/16/2009 10:35 PM 144480]
R3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\drivers\ldblank.sys [6/13/2013 10:02 AM 14848]
R3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [6/13/2013 10:02 AM 5120]
R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [6/13/2013 10:02 AM 6656]
S2 BBSvc;BingBar Service;c:\program files\Microsoft\BingBar\7.1.391.0\BBSvc.EXE [6/11/2012 5:22 PM 193616]
S2 ProcTrigger;LANDesk® Process Trigger Service;c:\program files\LANDesk\LDClient\ProcTriggerSvc.exe [6/13/2013 10:02 AM 153376]
S2 swi_update;Sophos Web Intelligence Update;c:\documents and settings\All Users\Application Data\Sophos\Web Intelligence\swi_update.exe [6/28/2012 11:42 AM 1468920]
S3 sdcfilter;sdcfilter;c:\windows\system32\drivers\sdcfilter.sys [3/9/2011 10:27 AM 33696]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [3/8/2011 7:49 AM 14976]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt    REG_MULTI_SZ       hpqcxs08
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-23 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 10:48]
.
2011-09-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2013-07-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-08 15:30]
.
2013-07-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-08 15:30]
.
2013-07-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2136492297-579076380-10498456-2725Core.job
- c:\documents and settings\mtaormin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-04-18 15:30]
.
2013-07-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2136492297-579076380-10498456-2725UA.job
- c:\documents and settings\mtaormin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-04-18 15:30]
.
2010-09-07 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2009-05-26 19:16]
.
2010-09-07 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2009-05-21 18:25]
.
2013-07-23 c:\windows\Tasks\SDMsgUpdate (SD).job
- c:\program files\SmartDraw 2009\Messages\SDNotify.exe [2009-08-11 11:29]
.
2013-07-17 c:\windows\Tasks\Weekly scan Wednesday 12 noon.job
- c:\program files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe [2013-06-13 11:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.vcu.edu/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
LSP: c:\documents and settings\All Users\Application Data\Sophos\Web Intelligence\swi_ifslsp.dll
Trusted Zone: mcvh-vcu.edu\vcuhsra
TCP: DhcpNameServer = 192.168.8.1 192.168.8.2 128.172.1.1
TCP: Interfaces\{36D9EEB0-42D0-4BC4-9B52-3A3DD559F458}: NameServer = 128.172.1.11,128.172.1.12
FF - ProfilePath - c:\documents and settings\mtaormin\Application Data\Mozilla\Firefox\Profiles\pnp1ru6h.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.vcu.edu
FF - prefs.js: keyword.URL - hxxp://websearch.shopathome.com?user_id={ea941574-c4f6-4310-be39-7014f9c0cf29}&q=
FF - ExtSQL: !HIDDEN! 2009-09-02 12:43; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-07-23 07:48
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
c:\combofix\CF7348.3XE [4756] 0x8A074C68
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Sophos Message Router]
"ImagePath"="\"c:\program files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(792)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(848)
c:\documents and settings\All Users\Application Data\Sophos\Web Intelligence\swi_ifslsp.dll
.
- - - - - - - > 'explorer.exe'(5344)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmUserInterface.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2013-07-23  07:51:28
ComboFix-quarantined-files.txt  2013-07-23 11:51
ComboFix2.txt  2013-07-17 19:08
ComboFix3.txt  2012-04-05 11:56
ComboFix4.txt  2011-09-20 16:17
ComboFix5.txt  2013-07-23 11:34
.
Pre-Run: 223,808,913,408 bytes free
Post-Run: 223,763,849,216 bytes free
.
- - End Of File - - AFD49B84A018CA99C85C370664F8C600
5C616939100B85E558DA92B899A0FC36
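A triage parser for this kind of ComboFix output, added here as an example and not ComboFix's or the forum helper's own code: it pulls out the sections a responder reads first (the missing-file notice, the Run keys, the service list, the Firefox prefs) and applies a few review heuristics of my own, including the check that the keyword.URL host in the log above differs from the homepage host. SAMPLE_LOG is a constructed excerpt modelled on the posted log, with one made-up autorun entry ("UpdaterConstructed") so the user-profile rule has something to hit.

```python
"""Triage helper for a ComboFix log (added example; not ComboFix's or the helper's code).

Parses the sections a responder reads first (missing-file notices, Run keys,
services, Firefox prefs) and applies a few constructed review heuristics.
"""
import re
from urllib.parse import urlparse

# Constructed excerpt modelled on the log posted in this thread, plus one made-up
# autorun entry ("UpdaterConstructed") so the user-profile rule has something to hit.
SAMPLE_LOG = r"""
c:\windows\system32\drivers\i8042prt.sys . . . is missing!!
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-08-27 1044480]
"Sophos AutoUpdate Monitor"="c:\program files\Sophos\AutoUpdate\almon.exe" [2013-06-13 929272]
"UpdaterConstructed"="c:\documents and settings\someuser\Local Settings\Temp\upd.exe" [2013-07-20 12345]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001
.
R0 Achernar;Achernar - SCSI Command Filter Drivers;c:\windows\system32\drivers\Achernar.sys [1/15/2013 10:56 AM 24888]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [6/13/2013 7:06 AM 159296]
.
FF - prefs.js: browser.startup.homepage - hxxp://www.vcu.edu
FF - prefs.js: keyword.URL - hxxp://websearch.shopathome.com?user_id={ea941574-c4f6-4310-be39-7014f9c0cf29}&q=
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")                                   # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.+?)(?:\s+\[[^\]]*\])?$')  # "name"="value" [date size]
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);[^;]*;(?P<path>.+?)(?:\s+\[[^\]]*\])?$")
FF_RE = re.compile(r"^FF - prefs\.js: (?P<pref>\S+) - (?P<value>.+)$")
MISSING_RE = re.compile(r"^(?P<path>\S.*?) \. \. \. is missing!!$")

# Autorun paths under these markers deserve a look: installed software normally lives
# under Program Files or Windows, not in a user profile or Temp directory.
USER_PROFILE_MARKERS = ("\\documents and settings\\", "\\temp\\", "\\application data\\")


def parse_combofix(text):
    """Return the log's missing files, registry values (with their key), services and FF prefs."""
    parsed = {"missing": [], "values": [], "services": [], "ff_prefs": {}}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # ComboFix pads sections with lone dots
            continue
        if m := KEY_RE.match(line):
            current_key = m.group("key")
        elif m := MISSING_RE.match(line):
            parsed["missing"].append(m.group("path"))
        elif m := SERVICE_RE.match(line):
            parsed["services"].append((m.group("start"), m.group("name"), m.group("path")))
        elif m := FF_RE.match(line):
            parsed["ff_prefs"][m.group("pref")] = m.group("value")
        elif (m := VALUE_RE.match(line)) and current_key:
            parsed["values"].append((current_key, m.group("name"), m.group("value").strip('"')))
    return parsed


def host_of(url):
    """ComboFix defangs URLs as hxxp://; restore the scheme so urlparse yields a host."""
    return urlparse(url.replace("hxxp://", "http://", 1)).hostname or ""


def dword(value):
    """Decode a REGEDIT-style dword:XXXXXXXX value, or None for other value types."""
    return int(value.split(":", 1)[1], 16) if value.lower().startswith("dword:") else None


def triage(parsed):
    """Apply the review heuristics; returns (rule, detail) pairs, which are review points, not verdicts."""
    findings = [("missing-system-file", path) for path in parsed["missing"]]
    for key, name, value in parsed["values"]:
        lowered_key = key.lower()
        if lowered_key.endswith("\\run") and any(mark in value.lower() for mark in USER_PROFILE_MARKERS):
            findings.append(("autorun-in-user-profile", f"{name} -> {value}"))
        # An AV that manages its own Security Center status sets this; confirm the named
        # product is the one the site intends to run rather than treating it as malicious.
        if "security center\\monitoring" in lowered_key and name == "DisableMonitoring" and dword(value) == 1:
            findings.append(("security-center-monitoring-disabled", key.rsplit("\\", 1)[-1]))
    prefs = parsed["ff_prefs"]
    home_host = host_of(prefs.get("browser.startup.homepage", ""))
    keyword_host = host_of(prefs.get("keyword.URL", ""))
    if keyword_host and keyword_host != home_host:   # address-bar searches go to a host other than the homepage's
        findings.append(("firefox-search-redirect", keyword_host))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(parse_combofix(SAMPLE_LOG)):
        print(f"{rule:40} {detail}")
```

The output is a list of places to look, not a verdict: the DisableMonitoring value, for instance, is normal when the product named in the key manages its own Security Center status.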
 



#6 TB-Psychotic

  • Malware Response Team

Posted 23 July 2013 - 07:52 AM

Is this a business machine or one for Public Finance or Government purposes?


Edited by TB-Psychotic, 23 July 2013 - 07:52 AM.


#7 SheGo2Slow

  • Topic Starter

Posted 23 July 2013 - 08:40 AM

University (State governed).



#8 TB-Psychotic

  • Malware Response Team

Posted 23 July 2013 - 11:31 PM

Are you a student or an employee?



#9 SheGo2Slow

  • Topic Starter

Posted 24 July 2013 - 06:06 AM

Employee/Faculty



#10 TB-Psychotic

  • Malware Response Team

Posted 24 July 2013 - 06:13 AM

This machine shouldn't be handled in the forum.

You need to contact the Information Services or Technology group and let them manage this infection as it should also be reported to the authorities as it could potentially have compromised student data.



#11 SheGo2Slow

  • Topic Starter

Posted 24 July 2013 - 06:33 AM

Thank you.



#12 TB-Psychotic

  • Malware Response Team

Posted 24 July 2013 - 06:37 AM

You're welcome.



#13 TB-Psychotic

  • Malware Response Team

Posted 24 July 2013 - 06:37 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



