
Rootkit detected


This topic is locked
16 replies to this topic

#1 mwagner17 (Members, 64 posts)

Posted 09 September 2013 - 04:53 PM

Hello,

 

I have run RKill, Malwarebytes and TDSSKiller, but the same rootkit comes back. It also has System Care AV, which Malwarebytes seems not to remove, and services are not found. Looks like it needs some more help :)

 

Here is my DDS. Thank you!!

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by dcs at 14:52:45 on 2013-09-09
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1980.1409 [GMT -7:00]
.
AV: Avira Desktop *Enabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Rey\Bin\Ucsinsvc.exe
C:\WINDOWS\Explorer.EXE
C:\rey\bin\PscVersionService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe
C:\Program Files\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.live.com/
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Avira SearchFree Toolbar plus Web Protection: {41564952-412D-5637-00A7-7A786E7484D7} -
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.8313.1002\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Avira SearchFree Toolbar plus Web Protection: {41564952-412D-5637-00A7-7A786E7484D7} -
TB: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Avira SearchFree Toolbar plus Web Protection: {41564952-412D-5637-00A7-7A786E7484D7} -
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Rawoo] "c:\documents and settings\dcs\application data\nuuxax\rawoo.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [RegWork] c:\program files\regwork\RegWork.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [ApnTBMon] "c:\program files\askpartnernetwork\toolbar\updater\TBNotifier.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\program files\avira\antivir desktop\avsda.dll
Trusted Zone: 164.109.25.72
Trusted Zone: 207.130.86.35
Trusted Zone: acura.com
Trusted Zone: acuraclientpurchaseexperience.com
Trusted Zone: acurainfo.programhq.com
Trusted Zone: acuraspinplay.programhq.com
Trusted Zone: ahm-ownerlink.com
Trusted Zone: ahmdealer.com
Trusted Zone: edcor.com
Trusted Zone: honda.com
Trusted Zone: honda.vo.llnwd.net
Trusted Zone: hondaadcmd.com
Trusted Zone: hondacars.com
Trusted Zone: hondainfo.programhq.com
Trusted Zone: hondamap.com
Trusted Zone: hondapqr.com
Trusted Zone: hondaprofessional.com
Trusted Zone: hondaspinplay.programhq.com
Trusted Zone: hondasso.com
Trusted Zone: jdpa.com
Trusted Zone: jdpower.com
Trusted Zone: mylcchonda.com
Trusted Zone: pcsc.acurasrs.com
Trusted Zone: prospectingacurasrs.com
Trusted Zone: travelhq.com
Trusted Zone: xmradio.com
DPF: CM_AdvancedCAB - hxxps://www.gs.reyrey.com/common/ClientCheck/CM_AdvancedCAB.CAB
DPF: PrintTemplateViewerCab - hxxps://www.gs.reyrey.com/clientdll/printtemplateviewer.cab
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxp://www.in.honda.com/Rraaapps/RRAAsec/Codebase/RRAAINAX/RYXAINAX_LandscapePrintingActiveX.cab
DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} - hxxp://powerkatalyst.jdpower.com/download/CfxIEAx.cab
DPF: {297DE2B6-509A-4B36-93C5-A65276606900} - hxxp://www.in.honda.com/rraaapps/rraasec/codebase/RRAAINAX/RraainAX.CAB
DPF: {4E8AEBE0-31A6-43B0-A429-748DB14A70A0} - hxxp://199.194.181.129/apps/common/includes/PC-CONFIG-CHECK.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{09CBAE06-E8B2-4970-9319-3CE0A0A8F75F} : NameServer = 64.65.128.6,66.213.224.2
Notify: igfxcui - igfxdev.dll
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\29.0.1547.66\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\dcs\application data\mozilla\firefox\profiles\63tkhs4l.default\
FF - prefs.js: browser.startup.homepage - hxxp://portal.ethosgroup.com/login.aspx?ReturnUrl=%2fdefault.aspx
FF - plugin: c:\program files\google\update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20513.0\npctrlui.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_8_800_94.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2009-4-14 24064]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2013-9-9 37352]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2013-9-9 84024]
R2 AntiVirService;Avira Real-Time Protection;c:\program files\avira\antivir desktop\avguard.exe [2013-9-9 108088]
R2 AntiVirWebService;Avira Web Protection;c:\program files\avira\antivir desktop\avwebgrd.exe [2013-9-9 815160]
R2 APNMCP;Ask Update Service;c:\program files\askpartnernetwork\toolbar\apnmcp.exe [2013-7-26 168400]
R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-4-19 133968]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2013-9-9 88840]
R2 REY Install NT Service;REY Install NT Service;c:\rey\bin\UcsInSvc.exe [2010-7-29 110592]
R2 REY PSCVersionService;REY PSCVersionService;c:\rey\bin\PSCVersionService.exe [1969-12-31 65536]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2009-4-14 144480]
S0 ipkxg;ipkxg;c:\windows\system32\drivers\xwrvmejx.sys --> c:\windows\system32\drivers\xwrvmejx.sys [?]
S2 UCS Install NT Service;UCS Install NT Service;c:\ucc\services\ucsinsvc.exe --> c:\ucc\services\UcsInSvc.exe [?]
.
=============== Created Last 30 ================
.
2013-09-09 21:44:34 -------- d-----w- c:\documents and settings\dcs\application data\Avira
2013-09-09 21:44:25 -------- d-----w- c:\documents and settings\dcs\local settings\application data\AskPartnerNetwork
2013-09-09 21:40:25 -------- d-----w- c:\program files\AskPartnerNetwork
2013-09-09 21:40:25 -------- d-----w- c:\documents and settings\all users\application data\AskPartnerNetwork
2013-09-09 21:40:07 -------- d-----w- c:\documents and settings\all users\application data\APN
2013-09-09 21:38:53 88840 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2013-09-09 21:38:53 37352 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2013-09-09 21:38:17 -------- d-----w- c:\program files\Avira
2013-09-09 21:38:17 -------- d-----w- c:\documents and settings\all users\application data\Avira
2013-09-09 21:09:28 -------- d-----w- C:\TDSSKiller_Quarantine
2013-08-17 17:00:59 74136 ----a-w- c:\program files\mozilla firefox\breakpadinjector.dll
2013-08-17 17:00:59 3429784 ----a-w- c:\program files\mozilla firefox\gkmedias.dll
2013-08-17 17:00:59 301976 ----a-w- c:\program files\mozilla firefox\freebl3.dll
2013-08-17 17:00:59 276376 ----a-w- c:\program files\mozilla firefox\firefox.exe
2013-08-17 17:00:59 262552 ----a-w- c:\program files\mozilla firefox\browser\components\browsercomps.dll
2013-08-17 17:00:59 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2013-08-17 17:00:59 19352 ----a-w- c:\program files\mozilla firefox\AccessibleMarshal.dll
2013-08-17 17:00:59 116120 ----a-w- c:\program files\mozilla firefox\crashreporter.exe
2013-08-15 10:03:13 -------- d-----w- c:\windows\system32\MRT
.
==================== Find3M  ====================
.
2013-08-21 02:30:47 71048 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-08-21 02:30:47 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-07-31 22:11:22 810496 ----a-w- c:\windows\system32\wmvdmod.dll
2013-07-26 02:47:17 920064 ----a-w- c:\windows\system32\wininet.dll
2013-07-26 02:47:13 43520 ------w- c:\windows\system32\licmgr10.dll
2013-07-26 02:47:12 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-07-25 15:52:59 385024 ------w- c:\windows\system32\html.iec
2013-07-10 10:37:53 406016 ----a-w- c:\windows\system32\usp10.dll
2013-07-04 03:03:25 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-07-04 02:08:30 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
============= FINISH: 14:53:05.29 ===============
#2 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 10 September 2013 - 01:06 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Scan with Malwarebytes Anti-Rootkit

Please download Malwarebytes Anti-Rootkit from Malwarebytes and save it to your desktop.

Be sure to print out and follow the instructions provided on that same page.

Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.

  • Double click the mbar.zip file to open it, then 'Extract all files'.
  • Double click the mbar folder to open it, then double click mbar.exe to start the tool.

Check for Updates, then Scan your system for malware.

If malware is found, do NOT press the Cleanup button yet. Click EXIT.

I'd like to see the log first so I can see what it sees. You'll find the log in that mbar folder as MBAR-log-[date and time]***.txt. Please attach that to your next reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 gringo_pr, Bleepin Gringo (Malware Response Team, 136,772 posts, Puerto Rico)

Posted 10 September 2013 - 01:12 AM

TB-Psychotic beat me to it

:)

Edited by gringo_pr, 10 September 2013 - 01:13 AM.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#4 mwagner17, Topic Starter (Members, 64 posts)

Posted 10 September 2013 - 09:18 PM

Which one should I do?

#5 gringo_pr, Bleepin Gringo (Malware Response Team, 136,772 posts, Puerto Rico)

Posted 10 September 2013 - 09:21 PM

Follow TB-Psychotic

#6 mwagner17, Topic Starter (Members, 64 posts)

Posted 10 September 2013 - 09:25 PM

Ok thank you! I'll be able to do it tomorrow.

#7 mwagner17, Topic Starter (Members, 64 posts)

Posted 11 September 2013 - 03:35 PM

Here is the mbar log

 

Malwarebytes Anti-Rootkit BETA 1.07.0.1005
www.malwarebytes.org
 
Database version: v2013.09.11.07
 
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
dcs :: H207579-01W25 [administrator]
 
9/11/2013 1:13:36 PM
mbar-log-2013-09-11 (13-13-36).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 238603
Time elapsed: 10 minute(s), 20 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 1
HKLM\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_*202EETADPUG (Rootkit.0Access) -> No action taken.
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 14
C:\Documents and Settings\dcs\Local Settings\Application Data\Google\Desktop\Install\{e99841d0-4c5c-5b86-ec8a-7beb7135b10d}\❤≸⋙ (Trojan.0Access) -> No action taken.
C:\Documents and Settings\dcs\Local Settings\Application Data\Google\Desktop\Install\{e99841d0-4c5c-5b86-ec8a-7beb7135b10d}\❤≸⋙\Ⱒ☠⍨ (Trojan.0Access) -> No action taken.
C:\Documents and Settings\dcs\Local Settings\Application Data\Google\Desktop\Install\{e99841d0-4c5c-5b86-ec8a-7beb7135b10d}\❤≸⋙\Ⱒ☠⍨\‮ﯹ๛ (Trojan.0Access) -> No action taken.
C:\Documents and Settings\dcs\Local Settings\Application Data\Google\Desktop\Install\{e99841d0-4c5c-5b86-ec8a-7beb7135b10d}\❤≸⋙\Ⱒ☠⍨\‮ﯹ๛\{e99841d0-4c5c-5b86-ec8a-7beb7135b10d} (Trojan.0Access) -> No action taken.
C:\Documents and Settings\dcs\Local Settings\Application Data\Google\Desktop\Install\{e99841d0-4c5c-5b86-ec8a-7beb7135b10d}\❤≸⋙\Ⱒ☠⍨\‮ﯹ๛\{e99841d0-4c5c-5b86-ec8a-7beb7135b10d}\L (Trojan.0Access) -> No action taken.
C:\Documents and Settings\dcs\Local Settings\Application Data\Google\Desktop\Install\{e99841d0-4c5c-5b86-ec8a-7beb7135b10d}\❤≸⋙\Ⱒ☠⍨\‮ﯹ๛\{e99841d0-4c5c-5b86-ec8a-7beb7135b10d}\U (Trojan.0Access) -> No action taken.
C:\Documents and Settings\dcs\Local Settings\Application Data\Google\Desktop\Install\{e99841d0-4c5c-5b86-ec8a-7beb7135b10d} (Trojan.0Access) -> No action taken.
c:\program files\google\desktop\install\{e99841d0-4c5c-5b86-ec8a-7beb7135b10d}\    (Trojan.0Access) -> No action taken.
c:\program files\google\desktop\install\{e99841d0-4c5c-5b86-ec8a-7beb7135b10d}\   \    (Trojan.0Access) -> No action taken.
c:\program files\google\desktop\install\{e99841d0-4c5c-5b86-ec8a-7beb7135b10d}\   \   \‮ﯹ๛ (Trojan.0Access) -> No action taken.
c:\program files\google\desktop\install\{e99841d0-4c5c-5b86-ec8a-7beb7135b10d}\   \   \‮ﯹ๛\{e99841d0-4c5c-5b86-ec8a-7beb7135b10d} (Trojan.0Access) -> No action taken.
c:\program files\google\desktop\install\{e99841d0-4c5c-5b86-ec8a-7beb7135b10d}\   \   \‮ﯹ๛\{e99841d0-4c5c-5b86-ec8a-7beb7135b10d}\l (Trojan.0Access) -> No action taken.
c:\program files\google\desktop\install\{e99841d0-4c5c-5b86-ec8a-7beb7135b10d}\   \   \‮ﯹ๛\{e99841d0-4c5c-5b86-ec8a-7beb7135b10d}\u (Trojan.0Access) -> No action taken.
C:\Program Files\Google\Desktop\Install\{e99841d0-4c5c-5b86-ec8a-7beb7135b10d} (Trojan.0Access) -> No action taken.
 
Files Detected: 5
C:\Documents and Settings\dcs\Local Settings\Application Data\Google\Desktop\Install\{e99841d0-4c5c-5b86-ec8a-7beb7135b10d}\❤≸⋙\Ⱒ☠⍨\‮ﯹ๛\{e99841d0-4c5c-5b86-ec8a-7beb7135b10d}\@ (Trojan.0Access) -> No action taken.
c:\program files\google\desktop\install\{e99841d0-4c5c-5b86-ec8a-7beb7135b10d}\   \   \‮ﯹ๛\{e99841d0-4c5c-5b86-ec8a-7beb7135b10d}\@ (Trojan.0Access) -> No action taken.
c:\program files\google\desktop\install\{e99841d0-4c5c-5b86-ec8a-7beb7135b10d}\   \   \‮ﯹ๛\{e99841d0-4c5c-5b86-ec8a-7beb7135b10d}\u\00000001.@ (Trojan.0Access) -> No action taken.
c:\program files\google\desktop\install\{e99841d0-4c5c-5b86-ec8a-7beb7135b10d}\   \   \‮ﯹ๛\{e99841d0-4c5c-5b86-ec8a-7beb7135b10d}\u\80000000.@ (Trojan.0Access) -> No action taken.
c:\program files\google\desktop\install\{e99841d0-4c5c-5b86-ec8a-7beb7135b10d}\   \   \‮ﯹ๛\{e99841d0-4c5c-5b86-ec8a-7beb7135b10d}\u\800000cb.@ (Trojan.0Access) -> No action taken.
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
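An added example, not part of the thread and not Malwarebytes' own code: a small Python parser for the MBAR log format posted above that lists each detection and flags names carrying Unicode bidirectional-override or other format/control code points, which is what the ‮ characters in the detected folder names are and what the `*202E` in the LEGACY_ key name is taken here to be (assumed to be the tool's rendering of U+202E). The sample log is constructed after the format above with a placeholder GUID, and the helper shows why a right-to-left override makes LEGACY_*202EETADPUG display as LEGACY_GUPDATE.

```python
import re
import unicodedata

# Constructed sample in the MBAR log format posted above (not the thread's
# own file). The GUID is a placeholder. The registry key carries the tool's
# "*202E" rendering of U+202E; the first folder carries the raw character,
# written here as a Python escape so the listing stays readable.
SAMPLE_LOG = """\
Malwarebytes Anti-Rootkit BETA 1.07.0.1005

Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\\SYSTEM\\CURRENTCONTROLSET\\ENUM\\ROOT\\LEGACY_*202EETADPUG (Rootkit.0Access) -> No action taken.

Folders Detected: 2
C:\\Program Files\\Google\\Desktop\\Install\\{GUID-PLACEHOLDER}\\\u202e\ufbf9\u0e5b (Trojan.0Access) -> No action taken.
C:\\Program Files\\Google\\Desktop\\Install\\{GUID-PLACEHOLDER} (Trojan.0Access) -> No action taken.

Files Detected: 1
C:\\Program Files\\Google\\Desktop\\Install\\{GUID-PLACEHOLDER}\\u\\00000001.@ (Trojan.0Access) -> No action taken.

Physical Sectors Detected: 0
(No malicious items detected)

(end)
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")
# Assumption: MBAR writes a non-printable code point in a registry name as "*XXXX".
ESCAPED_CP_RE = re.compile(r"\*([0-9A-Fa-f]{4})")
# Cf = format characters (the bidi controls live here), Cc = C0/C1 controls.
CONTROL_CATEGORIES = {"Cf", "Cc"}


def parse_mbar_log(text):
    """Return one dict per detection line: section, item, threat, action."""
    detections = []
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        # Skip the header, blank lines, "(No malicious items detected)" and "(end)".
        if section is None or not line or line.startswith("("):
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append({"section": section, **m.groupdict()})
    return detections


def find_control_chars(name):
    """List the U+XXXX code points of format/control characters in a name,
    whether they are present raw or in the tool's *XXXX rendering."""
    found = [f"U+{ord(ch):04X}" for ch in name
             if unicodedata.category(ch) in CONTROL_CATEGORIES]
    for hexcp in ESCAPED_CP_RE.findall(name):
        if unicodedata.category(chr(int(hexcp, 16))) in CONTROL_CATEGORIES:
            found.append(f"U+{hexcp.upper()}")
    return found


def visual_rendering(name):
    """Approximate what a viewer shows for a name holding a U+202E override:
    everything after the override is drawn right to left, i.e. reversed.
    Enough to explain a key name; not a full bidi algorithm."""
    for hexcp in ESCAPED_CP_RE.findall(name):
        name = name.replace("*" + hexcp, chr(int(hexcp, 16)))
    head, sep, tail = name.partition("\u202e")
    return head + tail[::-1] if sep else name


def flag_suspicious_names(detections):
    """Return the detections whose name carries control characters, with the
    offending code points and the name as a file manager would display it."""
    flagged = []
    for d in detections:
        controls = find_control_chars(d["item"])
        if controls:
            flagged.append({**d, "controls": controls,
                            "displayed_as": visual_rendering(d["item"])})
    return flagged


if __name__ == "__main__":
    for d in flag_suspicious_names(parse_mbar_log(SAMPLE_LOG)):
        print(f"[{d['section']}] {d['threat']}: {d['controls']}")
        print(f"  stored as : {d['item']!r}")
        print(f"  shown as  : {d['displayed_as']}")
```

Feeding a real mbar-log file to parse_mbar_log gives the same dicts; names that only look ordinary in a file manager stand out in the `controls` field.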


#8 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 12 September 2013 - 12:03 AM

Fix with Malwarebytes Anti-Rootkit

Run another scan with mbar.exe and click the CleanUp button. It will require a reboot.

When it has rebooted, run another scan with mbar.exe and click CleanUp again if necessary.

Send the mbar-log.txt along with an update on machine behavior.



#9 mwagner17, Topic Starter (Members, 64 posts)

Posted 12 September 2013 - 01:51 PM

Below is the log after the second scan. Nothing found the second time around. Seems a little slow still, but not enough time to really see. Any other logs needed?

 

Malwarebytes Anti-Rootkit BETA 1.07.0.1005
www.malwarebytes.org

Database version: v2013.09.11.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
dcs :: H207579-01W25 [administrator]

9/12/2013 11:37:45 AM
mbar-log-2013-09-12 (11-37-45).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 238437
Time elapsed: 12 minute(s), 24 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)



#10 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 12 September 2013 - 11:56 PM

Please create and post a new log with DDS.

 

Also do the following:

 

Scan with Farbar's Service Scanner

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender

  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log to your reply.



#11 mwagner17, Topic Starter (Members, 64 posts)

Posted 17 September 2013 - 01:10 PM

Here is the FSS log:

 

Farbar Service Scanner Version: 13-09-2013
Ran by dcs (administrator) on 17-09-2013 at 11:09:11
Running from "C:\Documents and Settings\dcs\Desktop\ANTI VIRUS SOFTWARE"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Other Services:
==============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x0700000004000000010000000200000003000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****



#12 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 18 September 2013 - 12:29 AM

Full System Scan with Malwarebytes Antimalware

  • If not existing, please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.


If the program is already installed:
  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.

Scan with ESET Online Scan

Please go here to run the online scanner from ESET.

  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start.
  • When asked, allow the ActiveX control to install.
  • Click Start.
  • Make sure that the option Remove found threats is unticked.
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan.
  • Wait for the scan to finish.
  • If any threats were found, click the 'List of found threats', then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.



#13 mwagner17, Topic Starter (Members, 64 posts)

Posted 20 September 2013 - 03:41 PM

Here are the two logs. Nothing found on MBAM.

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.09.20.09

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
dcs :: H207579-01W25 [administrator]

9/20/2013 12:59:17 PM
mbam-log-2013-09-20 (12-59-17).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 219915
Time elapsed: 5 minute(s), 36 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

 

 

ESET

 

C:\Documents and Settings\dcs\Local Settings\Temp\AskSLib.dll a variant of Win32/Bundled.Toolbar.Ask application
C:\Program Files\Avira\AntiVir Desktop\offercast_avirav7_.exe a variant of Win32/Bundled.Toolbar.Ask.D application
C:\WINDOWS\Temp\AskSLib.dll a variant of Win32/Bundled.Toolbar.Ask application
 



#14 gringo_pr, Bleepin Gringo (Malware Response Team, 136,772 posts, Puerto Rico)

Posted 20 September 2013 - 08:57 PM

sorry

Edited by gringo_pr, 21 September 2013 - 11:40 AM.


#15 mwagner17, Topic Starter (Members, 64 posts)

Posted 23 September 2013 - 02:58 PM

What happened to the post? I did still have the email, so I made the .bat file and ran it. How come the post was deleted?



