Rogue iexplore.exe: WebWatcher(?); cannot kill, cannot remove!


5 replies to this topic

#1 mesanore


Posted 07 September 2013 - 04:37 PM

I have a rogue Internet Explorer process that runs constantly in the background. When I actually use the Internet Explorer browser, I observe (at least) 2 distinct Internet Explorer processes, corresponding to the true browser/tabs I am using, as well as this rogue process.

I have tried several obvious routes for killing the process: Task Manager, Process Explorer ("end process" and "end process tree"; both fail to work), and TCPView.

When I kill/end the process using these various tools, the result is that the process simply remains. There is no "error" or "failure" dialogue indicating that the particular iexplore.exe process is somehow protected as a system process or something similar. Rather, it appears as though I did nothing at all. The process does NOT disappear momentarily, then reappear somewhere else in the list of active processes. It simply stays there, with the same PID and same resource utilization, as though I did nothing.

I have identified this with WebWatcher by using the TCPView program. This program has identified that the iexplore.exe process constantly tries to access the following external domain via HTTPS:

svc.webwatcherdata.com

It typically uses 2 separate connections on a port in the 366X range (3660-3669), and it appears to restrict its communications unless I am using a browser. I say that because the "upstream" and "downstream" packet count remains zero for these 2 connections until I begin using a browser, at which point it begins to send/receive packets (as measured in TCPView).

Using TCPView, I can close the connections by right-clicking the processes and choosing "close connection". Within about 20 seconds, though never immediately, the connection is reestablished.

I have found several other threads on this forum, as well as on the web in general, detailing this problem.

It appears to be a "legitimately" installed keylogger/monitor program that is often associated with parental, or perhaps corporate, oversight of one's computer use.

This may be why literally not a single AV/AS/AM program I have tried thus far has detected it (MS Security Essentials, Spybot Search & Destroy, Malwarebytes, and Norton Power Eraser).

I have followed the other threads found on this forum, and I realize that the program may create a fake/rogue folder in the Windows/system32 directory, along with several DLL files that are associated with it.

The other successful threads associated with WebWatcher had success using ComboFix, either in a standard operation or by the addition of a script that instructs ComboFix to target a specific driver/DLL.

I have had no luck running ComboFix by itself, so perhaps my particular solution will involve the use of a script targeting some obscurely named folder/DLL combo.

With all of that established, I will post the results of DDS.txt (and attach attach.txt) in the next post, in order to keep my comments distinct from the log output.

Thanks in advance


Edited by mesanore, 07 September 2013 - 04:40 PM.




#2 mesanore


Posted 07 September 2013 - 04:39 PM

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.25.2
Run by Nore at 14:17:28 on 2013-09-07
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1368 [GMT -7:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ================
.
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\GNU\GnuPG\dirmngr.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k svcboot_xengjzcm
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uProxyServer = localhost:21320
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet /nodetect
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [SDTray] "c:\program files\spybot - search & destroy 2\SDTray.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1303795108468
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1349844178640
TCP: NameServer = 192.168.2.1
TCP: Interfaces\{38FA7831-646A-47EB-A4DE-F35CFB748D9D} : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{EA2D1112-AEAA-4604-B4FF-978FDD206022} : NameServer = 192.168.1.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\nore\application data\mozilla\firefox\profiles\7t58p32d.default\
FF - plugin: c:\program files\cambridgesoft\chemoffice2010\chem3d\npChem3DPlugin.dll
FF - plugin: c:\program files\cambridgesoft\chemoffice2010\chemdraw\NPCDP32.DLL
FF - plugin: c:\program files\common files\wolfram research\browser\8.0.0.1802959\npmathplugin.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_8_800_94.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - ExtSQL: 2013-09-06 11:15; web2pdfextension@web2pdf.adobedotcom; c:\program files\adobe\acrobat 10.0\acrobat\browser\WCFirefoxExtn
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 211560]
R0 SMR322;Symantec SMR Utility Service 3.2.2;c:\windows\system32\drivers\SMR322.SYS [2013-9-7 98392]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2013-9-6 243128]
R1 MpKslafae69e7;MpKslafae69e7;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0f00a9cd-42a6-476f-9ced-67c6a36ba83f}\MpKslafae69e7.sys [2013-9-7 29904]
R2 DirMngr;DirMngr;c:\program files\gnu\gnupg\dirmngr.exe [2013-8-13 218112]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\spybot - search & destroy 2\SDFSSvc.exe [2013-9-6 1817560]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\spybot - search & destroy 2\SDUpdSvc.exe [2013-9-6 1033688]
R2 svcboot_xengjzcm;svcboot_xengjzcm;c:\windows\system32\svchost.exe -k svcboot_xengjzcm [2004-8-4 14336]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2013-7-8 159208]
S0 msjf;msjf;c:\windows\system32\drivers\kroscei.sys --> c:\windows\system32\drivers\kroscei.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-9-6 418376]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-9-6 701512]
S2 Scutum50;Scutum50 NDIS Protocol Driver;c:\windows\system32\drivers\scutum50.sys --> c:\windows\system32\drivers\Scutum50.sys [?]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\spybot - search & destroy 2\SDWSCSvc.exe [2013-9-6 171928]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\nore\locals~1\temp\alsysio.sys --> c:\docume~1\nore\locals~1\temp\ALSysIO.sys [?]
S3 cpuz134;cpuz134;\??\c:\program files\cpuid\pc wizard 2010\pcwiz_x32.sys --> c:\program files\cpuid\pc wizard 2010\pcwiz_x32.sys [?]
S3 DfSdkS;Defragmentation-Service;c:\program files\ashampoo\ashampoo winoptimizer 9\DfSdkS.exe [2012-3-1 406016]
S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\drivers\ivusb.sys [2010-7-29 25112]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-9-6 22856]
S3 msftesql$CSSQL05;SQL Server FullText Search (CSSQL05);c:\program files\microsoft sql server\mssql.1\mssql\binn\msftesql.exe [2010-3-26 91992]
S3 MSSQL$CSSQL05;SQL Server (CSSQL05);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2010-12-10 29293408]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys --> c:\windows\system32\drivers\rt2870.sys [?]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-4-16 755880]
.
=============== Created Last 30 ================
.
2013-09-07 20:56:27 60872 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0f00a9cd-42a6-476f-9ced-67c6a36ba83f}\offreg.dll
2013-09-07 20:56:27 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0f00a9cd-42a6-476f-9ced-67c6a36ba83f}\MpKslafae69e7.sys
2013-09-07 20:33:51 7166848 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0f00a9cd-42a6-476f-9ced-67c6a36ba83f}\mpengine.dll
2013-09-07 20:31:15 7166848 ------w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-09-07 20:11:27 20 ----a-w- c:\windows\system32\drivers\SMR322.dat
2013-09-07 20:10:27 98392 ----a-w- c:\windows\system32\drivers\SMR322.SYS
2013-09-07 19:59:13 -------- d-----w- c:\documents and settings\nore\local settings\application data\NPE
2013-09-07 19:59:13 -------- d-----w- c:\documents and settings\all users\application data\Norton
2013-09-07 00:16:48 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2013-09-07 00:16:38 15224 ----a-w- c:\windows\system32\sdnclean.exe
2013-09-07 00:16:32 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2013-09-06 20:16:33 -------- d-sha-r- C:\cmdcons
2013-09-06 20:11:28 98816 ----a-w- c:\windows\sed.exe
2013-09-06 20:11:28 256000 ----a-w- c:\windows\PEV.exe
2013-09-06 20:11:28 208896 ----a-w- c:\windows\MBR.exe
2013-09-06 19:28:30 -------- d-----w- c:\documents and settings\all users\application data\regid.1986-12.com.adobe
2013-09-06 19:25:18 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-09-06 19:25:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-09-06 18:16:53 -------- d-----w- c:\documents and settings\all users\application data\ALM
2013-09-06 17:34:54 243128 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2013-09-06 17:34:44 -------- d-----w- c:\program files\DAEMON Tools Lite
2013-08-25 01:41:04 -------- d-----w- c:\program files\Bigasoft
2013-08-21 12:08:30 -------- d-----r- C:\Sandbox
2013-08-21 12:07:50 -------- d-----w- c:\program files\Sandboxie
2013-08-21 12:07:19 -------- d-----w- c:\documents and settings\all users\application data\Xilisoft
2013-08-21 11:53:14 5632 ----a-w- c:\windows\system32\ptpusb.dll
2013-08-21 11:53:13 159232 ----a-w- c:\windows\system32\ptpusd.dll
2013-08-21 11:53:12 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2013-08-21 11:53:12 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2013-08-21 10:00:34 221184 ----a-w- c:\windows\system32\wmpns.dll
2013-08-21 09:23:01 -------- d-----w- c:\documents and settings\nore\local settings\application data\3D_Systems
2013-08-21 09:22:58 -------- d-----w- c:\documents and settings\nore\local settings\application data\CubeX
2013-08-21 09:22:22 -------- d-----w- c:\program files\3D Systems
2013-08-21 07:37:39 -------- d-----w- C:\Usenet Extracted
2013-08-21 07:26:24 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-08-21 07:26:24 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-08-21 07:26:12 -------- d-----w- c:\program files\Mozilla Maintenance Service
2013-08-21 07:13:32 645632 ----a-w- c:\windows\system32\xvidcore.dll
2013-08-21 07:13:32 240640 ----a-w- c:\windows\system32\xvidvfw.dll
2013-08-21 07:13:32 153088 ----a-w- c:\windows\system32\xvid.ax
2013-08-21 07:13:31 -------- d-----w- c:\program files\Xvid
2013-08-21 07:05:59 -------- d-----w- c:\program files\GNU
2013-08-21 07:05:17 -------- d-----w- c:\windows\system32\AGEIA
2013-08-21 07:04:43 -------- d-----w- c:\program files\ffmpeg
2013-08-21 07:03:17 -------- d-----w- C:\NVIDIA
2013-08-21 06:38:03 -------- d-----w- c:\windows\TempD5975266-1094-63E1-6E07-516F977EB9F0-Signatures
2013-08-20 21:43:50 -------- dc-h--w- c:\windows\ie8
2013-08-20 10:22:04 -------- d-----w- c:\windows\system32\MRT
.
==================== Find3M  ====================
.
2013-08-21 07:25:17 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-08-21 07:25:13 867240 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-08-21 07:25:13 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-08-21 07:25:12 789416 ----a-w- c:\windows\system32\deployJava1.dll
2013-08-03 21:18:38 1543680 ----a-w- c:\windows\system32\wmvdecod.dll
2013-07-26 02:47:17 920064 ----a-w- c:\windows\system32\wininet.dll
2013-07-26 02:47:13 43520 ------w- c:\windows\system32\licmgr10.dll
2013-07-26 02:47:12 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-07-25 15:52:59 385024 ------w- c:\windows\system32\html.iec
2013-07-10 10:37:53 406016 ----a-w- c:\windows\system32\usp10.dll
2013-07-04 03:03:25 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-07-04 02:08:30 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-06-19 04:50:08 211560 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2013-06-19 02:51:26 421888 ----a-w- c:\windows\system32\RealMediaSplitter.ax
2012-07-12 08:28:44 2174976 ----a-w- c:\program files\common files\atimpenc.dll
.
============= FINISH: 14:17:57.70 ===============
Attached Files
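The SERVICES / DRIVERS section of the DDS log above is where the two entries this thread turns on first show up (a one-off svchost.exe group and a driver whose file is not on disk), and the ComboFix log later in the thread lists services in the same line layout. The script below is an added example, not the poster's work or part of DDS/ComboFix: it parses that `R?/S? name;display;image [stamp]` format and flags svchost-hosted services whose group name is outside a baseline, and drivers reported in the `path --> path [?]` missing-file form. The allow-list of svchost groups is an assumption built from the groups visible in this log plus common XP defaults; the sample lines are copied from the log above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Baseline of svchost.exe service groups expected on a Windows XP SP3 host.
# Assumption: built from the groups appearing in this thread's DDS log plus
# the usual defaults; replace it with a known-clean baseline for your own hosts.
KNOWN_SVCHOST_GROUPS = {
    "dcomlaunch", "rpcss", "netsvcs", "networkservice", "localservice",
    "httpfilter", "imgsvc", "wudfservicegroup", "winrm", "termsvcs",
}

# One DDS/ComboFix service line looks like:
#   R2 name;Display Name;c:\path\image.exe -k group [2004-8-4 14336]
#   S0 name;name;c:\path\file.sys --> c:\path\file.sys [?]
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+"       # R = running, S = stopped; digit = start type
    r"(?P<name>[^;]+);"             # service/driver name
    r"(?P<display>[^;]*);"          # display name
    r"(?P<image>.*?)\s+"            # image path, possibly 'path --> path'
    r"\[(?P<stamp>[^\]]*)\]\s*$"    # '[date size]' or '[?]' when the file is missing
)

SVCHOST_GROUP_RE = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.IGNORECASE)


@dataclass
class Finding:
    service: str
    reason: str
    line: str


def parse_service_line(line: str) -> Optional[dict]:
    """Return the fields of one service/driver line, or None for any other line."""
    m = SERVICE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage_services(log_text: str) -> List[Finding]:
    """Scan a DDS or ComboFix log and return the service lines worth a closer look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        rec = parse_service_line(raw)
        if rec is None:
            continue
        line = raw.strip()

        # Rule 1: a service hosted by svchost.exe under a group name outside the
        # baseline. A one-entry group whose name equals the service name (as with
        # svcboot_xengjzcm above) blends into the crowd of svchost processes.
        m = SVCHOST_GROUP_RE.search(rec["image"])
        if m and m.group(1).lower() not in KNOWN_SVCHOST_GROUPS:
            findings.append(Finding(
                rec["name"], f"svchost group '{m.group(1)}' is not in the baseline", line))

        # Rule 2: the registered binary is not on disk. DDS prints these as
        # 'path --> path [?]'. Leftovers from uninstalled hardware utilities land
        # here too, so treat this as a review queue rather than a verdict.
        if rec["stamp"].strip() == "?":
            findings.append(Finding(rec["name"], "service binary not found on disk", line))
    return findings


# Constructed sample: a subset of lines copied from the DDS log posted above.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 211560]
R2 svcboot_xengjzcm;svcboot_xengjzcm;c:\windows\system32\svchost.exe -k svcboot_xengjzcm [2004-8-4 14336]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2013-7-8 159208]
S0 msjf;msjf;c:\windows\system32\drivers\kroscei.sys --> c:\windows\system32\drivers\kroscei.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
"""

if __name__ == "__main__":
    for f in triage_services(SAMPLE_LOG):
        print(f"{f.service}: {f.reason}\n    {f.line}")
```

Run against the full log, the script surfaces svcboot_xengjzcm and the msjf/kroscei.sys driver and skips the known groups such as WINRM; anything it lists still needs the file and registry checks a helper would do by hand.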



#3 mesanore

mesanore
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:20 PM

Posted 07 September 2013 - 05:22 PM

Edit:

Couldn't move/delete/rename the seemingly rogue/infected DLLs or their associated folder, as they are gone/invisible (even with hidden files/folders and system files set to "visible").

Perhaps the overarching EXE that controls this infection creates the DLLs momentarily, then deletes them at startup...

Update:

Before posting this topic here, which I have done as a sort of "last resort," I already ran the suite of antivirus software that I had mentioned in my first post. Thus, any subsequent logs are going to indicate what "remains" after all of the obvious and easy stuff has been removed automatically by those programs.

In an effort of personal investigation, I have just run combofix.exe (following the directions about saving to desktop, and if necessary renaming, disabling AV software, etc.).

I will post the log output in the following response so that this post remains easy to read, but for the sake of expedience I will mention that I seem to have identified a fake/rogue/suspicious folder and set of DLLs that display similar characteristics to the assumed root cause of the WebWatcher "infection" in previous threads dedicated to it. In particular, I have identified a folder in the Windows directory with a "random" name, containing DLL files with similarly "random" filenames. I have already searched for them on Google to see if they have associations with known programs or the OS, and they do not produce a single relevant result.

In my case, the suspicious activity appears to be emanating from:

C:\windows\system32\piggomafl

Within the "piggomafl" folder, the following DLL files are associated with running processes:

Winlogon.exe:
shim_gtcbdaigy.dll
mcsc_vzjfdzgti.dll

explorer.exe:
shim_gtcbdaigy.dll
mcapp_cntcvzad.dll
mcsc_vzjfdzgti.dll

Those are what appear to be the most obvious fake/infected/rogue DLLs, and they are associated with processes that seem to support their rogue/fake nature.

I could be completely wrong about this. These DLLs could, very well, be associated with a legitimate/wanted installation that merely produces individualized randomly named files, or is obscure enough to lack documentation online.

I will take the obvious precautions of backing up my registry and creating a restore point before taking any action... But I think I am going to attempt to move these files to a folder that I have set with special security settings that will prevent the "system" from modifying the contents.

I am borrowing this strategy from a previous thread associated with WebWatcher, where the forum admin who was assisting the OP suggested such a move/removal strategy, which failed initially and subsequently required the use of a more powerful program to "forcibly" move the rogue folder's contents (can't remember the program's name right off the top of my head, but I'm going to download it before I attempt this strategy).

The ComboFix log file may indicate *other* potential oddities that I have yet to research for the sake of validation. I have simply reported what I consider to be the most evidently bad results while I wait for communication from a forum admin/expert.

Thanks in advance for any help and consideration.


Edited by mesanore, 07 September 2013 - 05:47 PM.


#4 mesanore

mesanore
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:20 PM

Posted 07 September 2013 - 05:24 PM

---NOTE----
I bolded the lines that I consider to be the most obvious, though other stuff in that section appeared suspicious, at least to my eyes.
---END NOTE---

ComboFix 13-09-06.01 - Nore 09/07/2013  14:45:34.3.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1406 [GMT -7:00]
Running from: c:\documents and settings\Nore\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Infected copy of c:\windows\system32\user32.dll was found and disinfected 
Restored copy from - c:\windows\erdnt\cache\user32.dll 
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-07 to 2013-09-07  )))))))))))))))))))))))))))))))
.
.
2013-09-07 20:33 . 2013-08-06 07:28 7166848 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0F00A9CD-42A6-476F-9CED-67C6A36BA83F}\mpengine.dll
2013-09-07 20:31 . 2013-08-06 07:28 7166848 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-09-07 19:59 . 2013-09-07 20:12 -------- d-----w- c:\documents and settings\Nore\Local Settings\Application Data\NPE
2013-09-07 19:59 . 2013-09-07 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2013-09-07 00:16 . 2013-09-07 04:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2013-09-07 00:16 . 2009-01-25 20:14 15224 ----a-w- c:\windows\system32\sdnclean.exe
2013-09-07 00:16 . 2013-09-07 00:19 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2013-09-06 19:47 . 2013-09-06 19:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2013-09-06 19:28 . 2013-09-06 19:28 -------- d-----w- c:\documents and settings\All Users\Application Data\regid.1986-12.com.adobe
2013-09-06 19:25 . 2013-04-04 21:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-09-06 19:25 . 2013-09-06 19:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-09-06 18:16 . 2013-09-06 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\ALM
2013-09-06 18:10 . 2013-09-06 18:10 -------- d-----w- c:\program files\Common Files\Adobe AIR
2013-09-06 17:34 . 2013-09-06 17:34 243128 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2013-09-06 17:34 . 2013-09-06 17:34 -------- d-----w- c:\program files\DAEMON Tools Lite
2013-08-25 01:41 . 2013-08-25 01:41 -------- d-----w- c:\program files\Bigasoft
2013-08-21 12:08 . 2013-08-21 12:08 -------- d-----r- C:\Sandbox
2013-08-21 12:07 . 2013-08-21 12:07 -------- d-----w- c:\program files\Sandboxie
2013-08-21 12:07 . 2013-08-21 12:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Xilisoft
2013-08-21 11:53 . 2001-08-18 05:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2013-08-21 11:53 . 2008-04-14 12:42 159232 ----a-w- c:\windows\system32\ptpusd.dll
2013-08-21 11:53 . 2008-04-14 07:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2013-08-21 11:53 . 2008-04-14 07:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2013-08-21 10:00 . 2008-04-14 12:42 221184 ----a-w- c:\windows\system32\wmpns.dll
2013-08-21 09:23 . 2013-08-21 09:23 -------- d-----w- c:\documents and settings\Nore\Local Settings\Application Data\3D_Systems
2013-08-21 09:22 . 2013-08-21 09:24 -------- d-----w- c:\documents and settings\Nore\Local Settings\Application Data\CubeX
2013-08-21 09:22 . 2013-08-21 09:22 -------- d-----w- c:\program files\3D Systems
2013-08-21 08:42 . 2013-09-07 21:16 -------- d-----w- c:\documents and settings\Nore\Application Data\vlc
2013-08-21 07:37 . 2013-09-07 20:50 -------- d-----w- C:\Usenet Extracted
2013-08-21 07:26 . 2013-08-21 07:26 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-08-21 07:26 . 2013-08-21 07:26 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-08-21 07:26 . 2013-08-21 07:26 -------- d-----w- c:\program files\Mozilla Maintenance Service
2013-08-21 07:13 . 2011-05-30 13:42 240640 ----a-w- c:\windows\system32\xvidvfw.dll
2013-08-21 07:13 . 2011-05-23 09:52 153088 ----a-w- c:\windows\system32\xvid.ax
2013-08-21 07:13 . 2011-05-23 07:46 645632 ----a-w- c:\windows\system32\xvidcore.dll
2013-08-21 07:13 . 2013-08-21 07:40 -------- d-----w- c:\program files\Xvid
2013-08-21 07:05 . 2013-08-21 07:05 -------- d-----w- c:\program files\GNU
2013-08-21 07:05 . 2013-08-21 07:05 -------- d-----w- c:\program files\AGEIA Technologies
2013-08-21 07:05 . 2013-08-21 07:05 -------- d-----w- c:\windows\system32\AGEIA
2013-08-21 07:04 . 2013-08-21 07:08 -------- d-----w- c:\program files\ffmpeg
2013-08-21 07:03 . 2013-08-21 07:03 -------- d-----w- C:\NVIDIA
2013-08-21 06:58 . 2013-08-21 06:58 -------- d-----w- c:\program files\7-Zip
2013-08-21 06:38 . 2013-08-21 06:38 -------- d-----w- c:\windows\TempD5975266-1094-63E1-6E07-516F977EB9F0-Signatures
2013-08-20 21:43 . 2013-08-20 21:43 -------- dc-h--w- c:\windows\ie8
2013-08-20 10:22 . 2013-08-20 10:24 -------- d-----w- c:\windows\system32\MRT
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-21 07:25 . 2012-11-17 06:02 867240 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-08-21 07:25 . 2011-05-23 17:00 789416 ----a-w- c:\windows\system32\deployJava1.dll
2013-08-03 21:18 . 2009-01-31 03:35 1543680 ----a-w- c:\windows\system32\wmvdecod.dll
2013-07-26 02:47 . 2004-08-04 12:00 920064 ----a-w- c:\windows\system32\wininet.dll
2013-07-26 02:47 . 2004-08-04 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2013-07-26 02:47 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-07-25 15:52 . 2004-08-04 12:00 385024 ------w- c:\windows\system32\html.iec
2013-07-10 10:37 . 2004-08-04 12:00 406016 ----a-w- c:\windows\system32\usp10.dll
2013-07-04 03:03 . 2004-08-04 12:00 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-07-04 02:08 . 2004-08-03 22:59 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-06-19 04:50 . 2010-10-25 04:25 211560 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2013-06-19 02:51 . 2013-06-19 02:51 421888 ----a-w- c:\windows\system32\RealMediaSplitter.ax
2012-07-12 08:28 . 2012-07-12 08:28 2174976 ----a-w- c:\program files\Common Files\atimpenc.dll
2012-05-30 09:32 . 2013-03-08 08:20 2189200 ----a-w- c:\program files\mozilla firefox\components\1609830.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2013-07-08 543320]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2013-08-01 3673696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-30 13594624]
"nwiz"="nwiz.exe" [2009-01-30 1657376]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-06-21 995176]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-30 86016]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 61952]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2013-05-16 3830224]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 434080]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ   autocheck autochk *\0\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-10-25 22:13 821144 ----a-w- c:\program files\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2010-10-25 22:13 36760 ----a-w- c:\program files\Adobe\Acrobat 10.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-04-04 21:06 958576 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2011-03-30 15:46 499608 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5.5ServiceManager]
2011-01-12 14:08 1523360 ----a-w- c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2013-03-12 14:32 253816 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
2010-02-19 20:37 517096 ----a-w- c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AdobeFlashPlayerUpdateSvc"=3 (0x3)
"ZuneWlanCfgSvc"=3 (0x3)
"ZuneNetworkSvc"=3 (0x3)
"ZuneBusEnum"=3 (0x3)
"WMZuneComm"=3 (0x3)
"rpcapd"=3 (0x3)
"iPod Service"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\hfs\\hfs.exe"=
"c:\program files\Bigasoft\Total Video Converter\videoconverter.exe"= c:\program files\Bigasoft\Total Video Converter\videoconverter.exe:192.168.2.123/255.255.255.255:Enabled:Bigasoft Total Video Converter
"c:\program files\Bigasoft\Total Video Converter\unins000.exe"= c:\program files\Bigasoft\Total Video Converter\unins000.exe:192.168.2.123/255.255.255.255:Enabled:Uninstall Total Video Converter
"c:\program files\Bigasoft\Total Video Converter\ffmpeg.exe"= c:\program files\Bigasoft\Total Video Converter\ffmpeg.exe:192.168.2.123/255.255.255.255:Enabled:ffmpeg.exe
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management 
"11111:TCP"= 11111:TCP:hfs
"11111:UDP"= 11111:UDP:hfs
"7000:TCP"= 7000:TCP:hfs
"7000:UDP"= 7000:UDP:hfs
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [9/6/2013 10:34 AM 243128]
R2 DirMngr;DirMngr;c:\program files\GNU\GnuPG\dirmngr.exe [8/13/2013 2:53 AM 218112]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [9/6/2013 12:25 PM 418376]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/6/2013 12:25 PM 701512]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [9/6/2013 5:16 PM 1817560]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [9/6/2013 5:16 PM 1033688]
R2 svcboot_xengjzcm;svcboot_xengjzcm;c:\windows\system32\svchost.exe -k svcboot_xengjzcm [8/4/2004 5:00 AM 14336]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/6/2013 12:25 PM 22856]
S0 msjf;msjf;c:\windows\system32\drivers\kroscei.sys --> c:\windows\system32\drivers\kroscei.sys [?]
S2 Scutum50;Scutum50 NDIS Protocol Driver;c:\windows\system32\Drivers\Scutum50.sys --> c:\windows\system32\Drivers\Scutum50.sys [?]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [9/6/2013 5:16 PM 171928]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\Nore\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\Nore\LOCALS~1\Temp\ALSysIO.sys [?]
S3 cpuz134;cpuz134;\??\c:\program files\CPUID\PC Wizard 2010\pcwiz_x32.sys --> c:\program files\CPUID\PC Wizard 2010\pcwiz_x32.sys [?]
S3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 9\DfSdkS.exe [3/1/2012 9:33 PM 406016]
S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\drivers\ivusb.sys [7/29/2010 1:25 AM 25112]
S3 msftesql$CSSQL05;SQL Server FullText Search (CSSQL05);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [3/26/2010 3:07 AM 91992]
S3 MSSQL$CSSQL05;SQL Server (CSSQL05);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [12/10/2010 6:29 PM 29293408]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
svcboot_xengjzcm REG_MULTI_SZ   svcboot_xengjzcm
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-07 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2013-09-07 17:58]
.
2013-09-07 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-06-21 01:05]
.
2013-09-07 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2013-09-07 17:57]
.
2013-09-07 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDScan.exe [2013-09-07 17:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = localhost:21320
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{EA2D1112-AEAA-4604-B4FF-978FDD206022}: NameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Nore\Application Data\Mozilla\Firefox\Profiles\7t58p32d.default\
FF - ExtSQL: 2013-09-06 11:15; web2pdfextension@web2pdf.adobedotcom; c:\program files\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Xilisoft Video Converter Ultimate - c:\program files\Xilisoft\Video Converter Ultimate\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-07 14:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql$CSSQL05]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:CSSQL05"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(944)
c:\windows\system32\piqgomafl\shim_gtcbdaigy.dll
c:\windows\system32\piqgomafl\mcsc_vzjfdzgti.dll
.
- - - - - - - > 'explorer.exe'(3296)
c:\windows\system32\WININET.dll
c:\windows\system32\piqgomafl\shim_gtcbdaigy.dll
c:\windows\system32\nview.dll
c:\windows\system32\piqgomafl\mcapp_cntcvzad.dll
c:\windows\system32\piqgomafl\mcsc_vzjfdzgti.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\Sandboxie\SbieSvc.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\windows\system32\wscntfy.exe
c:\\?\c:\windows\system32\WBEM\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2013-09-07  14:57:32 - machine was rebooted
ComboFix-quarantined-files.txt  2013-09-07 21:57
ComboFix2.txt  2013-09-07 04:06
ComboFix3.txt  2013-09-06 20:32
.
Pre-Run: 16,786,075,648 bytes free
Post-Run: 16,794,021,888 bytes free
.
- - End Of File - - 0BFC2A9D85306347AF59BBF197B6ED55
8F558EB6672622401DA993E1E865C861
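
A triage script for a log like the one above, added here as an example; it is not code from this thread, from ComboFix, or from any other tool the thread names. It parses a few constructed lines laid out like the ComboFix output (the values mirror entries in the post, but no item is being declared malicious) and flags the structural indicators a responder checks first: a proxy pointing back at the local machine, a service that is the only member of an svchost group named after itself, a service whose file ComboFix could not read, and DLLs loaded into winlogon.exe from a subfolder of system32. The field layouts and the reading of the `[?]` marker as "file could not be read" are assumptions about the ComboFix format.

```python
"""Triage a ComboFix-style log for interception and persistence indicators.

Added example: not code from the thread, from ComboFix or from any other
tool named in it. The sample lines below are constructed in the shape of
the quoted log; the field layouts and the reading of the '[?]' marker as
"file could not be read" are assumptions about the ComboFix format.
"""
import re
from collections import defaultdict

# Constructed sample in the same layout as the quoted ComboFix output.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = localhost:21320
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/6/2013 12:25 PM 701512]
R2 svcboot_xengjzcm;svcboot_xengjzcm;c:\windows\system32\svchost.exe -k svcboot_xengjzcm [8/4/2004 5:00 AM 14336]
S0 msjf;msjf;c:\windows\system32\drivers\kroscei.sys --> c:\windows\system32\drivers\kroscei.sys [?]
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(944)
c:\windows\system32\piqgomafl\shim_gtcbdaigy.dll
c:\windows\system32\piqgomafl\mcsc_vzjfdzgti.dll
.
- - - - - - - > 'explorer.exe'(3296)
c:\windows\system32\WININET.dll
c:\windows\system32\piqgomafl\mcapp_cntcvzad.dll
c:\windows\system32\ieframe.dll
"""

PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<proxy>\S+)", re.IGNORECASE)
# "R2 name;display;image [date time size]" or "... --> image [?]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$")
SVCHOST_GROUP_RE = re.compile(r"svchost\.exe\s+-k\s+(?P<group>\S+)", re.IGNORECASE)
PROCESS_HDR_RE = re.compile(r"^- - - - - - - > '(?P<proc>[^']+)'\((?P<pid>\d+)\)")
# A DLL exactly one directory below system32, e.g. system32\piqgomafl\x.dll
SYSTEM32_SUBDIR_RE = re.compile(
    r"^c:\\windows\\system32\\(?P<sub>[^\\]+)\\[^\\]+\.dll$", re.IGNORECASE)
LOOPBACK = {"localhost", "127.0.0.1"}


def triage(log_text):
    """Return (kind, detail) findings worth a responder's first look."""
    findings = []
    modules = defaultdict(list)   # process name -> DLL paths loaded into it
    current_proc = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("---"):          # a new report section begins
            current_proc = None
            continue
        m = PROXY_RE.search(line)
        if m:
            # A proxy on the local machine means something on the box sits
            # between the browser and the network (interception/monitoring).
            host = m.group("proxy").split(":")[0].lower()
            if host in LOOPBACK:
                findings.append(("local-proxy", m.group("proxy")))
            continue
        m = PROCESS_HDR_RE.match(line)
        if m:
            current_proc = m.group("proc").lower()
            continue
        m = SERVICE_RE.match(line)
        if m:
            name = m.group("name").strip()
            g = SVCHOST_GROUP_RE.search(m.group("image"))
            # A service that is the sole member of an svchost group named
            # after itself is a common way to run a DLL inside svchost.exe.
            if g and g.group("group").lower() == name.lower():
                findings.append(("private-svchost-group", name))
            # '[?]' is assumed to mean ComboFix could not read the file.
            if m.group("meta").strip() == "?":
                findings.append(("unverified-service-file", name))
            continue
        if current_proc and line.lower().endswith(".dll"):
            modules[current_proc].append(line)

    # winlogon.exe normally loads DLLs from system32 itself, not a subfolder.
    suspect_dirs = set()
    for mod in modules.get("winlogon.exe", []):
        s = SYSTEM32_SUBDIR_RE.match(mod)
        if s:
            findings.append(("winlogon-subdir-dll", mod))
            suspect_dirs.add(s.group("sub").lower())
    # The same folder showing up in other processes points at a shared component.
    for proc, mods in modules.items():
        if proc == "winlogon.exe":
            continue
        for mod in mods:
            s = SYSTEM32_SUBDIR_RE.match(mod)
            if s and s.group("sub").lower() in suspect_dirs:
                findings.append(("same-dir-dll-in-" + proc, mod))
    return findings


def triage_sample():
    """Run the triage over the constructed sample log."""
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    for kind, detail in triage_sample():
        print(f"{kind:28} {detail}")
```

Each finding is a pointer for manual review, not a verdict: the private svchost group and the system32 subfolder are the entries to check against the service's registry key and the file's publisher before deciding anything, and the loopback proxy is the setting to compare with whatever local process is listening on that port.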


#5 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,701 posts
  • Gender:Male

Posted 12 September 2013 - 04:40 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/507078 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,543 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 14 September 2013 - 12:44 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please run these tools and post the logs for my review.
Let me know what problem persists.

--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller
---

Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
===

Please paste the logs in your next reply, DO NOT ATTACH THEM

Edited by nasdaq, 14 September 2013 - 12:48 PM.




