Infected with TDSS, tried TDSS killer but not able to cure - worm:W32/TDSS


9 replies to this topic

#1 Djtwin

Posted 10 September 2013 - 12:54 AM

The worm does not allow me to open any programs; it opens a mock Internet Security scanner, claims to have found a virus and, when prompted to remove it, asks for credit card info. I am still able to open Control Panel and folders and start in Safe Mode. I tried the Kaspersky TDSSKiller, but it only gave the option to quarantine or delete, and from what I read that's a bad idea. Currently the system is being backed up.

 

DDS (Ver_2012-11-20.01) - NTFS_x86 NETWORK
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 1.6.0_31
Run by jason at 2:31:24 on 2013-09-10
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1014.207 [GMT -3:00]
.
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ================
.
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Runtime Software\DriveImage XML\dixml.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: HotSpot Shield Elite Toolbar: {f16708b8-d2df-482d-9dfa-aa8d8894f0f4} - c:\program files\hotspot_shield_elite\prxtbHotS.dll
BHO: MSS+ Identifier: {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - c:\program files\mcafee security scan\3.0.318\McAfeeMSS_IE.dll
BHO: privitize Helper Object: {1ACB5ABE-4890-4747-952C-F13BDB93FB75} - c:\program files\industriya\privitize\1.8.16.22\bh\privitize.dll
BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.8313.1002\swg.dll
BHO: SoundFrost: {d997c836-ff82-4519-b459-1482ba942a4f} - c:\program files\soundfrost\SoundFrost.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HotSpot Shield Elite Toolbar: {f16708b8-d2df-482d-9dfa-aa8d8894f0f4} - c:\program files\hotspot_shield_elite\prxtbHotS.dll
BHO: SoundFrost: {f9c70819-7219-47fc-a9c6-edf2c22a7f81} - c:\program files\soundfrost\SoundFrost.dll
BHO: Hotspot Shield Class: {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - c:\program files\hotspot shield\hssie\HssIE.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: HotSpot Shield Elite Toolbar: {F16708B8-D2DF-482D-9DFA-AA8D8894F0F4} - c:\program files\hotspot_shield_elite\prxtbHotS.dll
TB: HotSpot Shield Elite Toolbar: {f16708b8-d2df-482d-9dfa-aa8d8894f0f4} - c:\program files\hotspot_shield_elite\prxtbHotS.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_9
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [Google Update] "c:\documents and settings\jason\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [rwbfjuz] "c:\documents and settings\jason\local settings\application data\rwbfjuz.exe" rwbfjuz
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"  /MINIMIZED
uRun: [LxrAutorun] c:\documents and settings\jason\local settings\application data\lexar media\LxrAutorun.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SearchProtect] c:\documents and settings\jason\application data\searchprotect\bin\cltmng.exe
uRun: [SoundFrost Service] c:\program files\soundfrost\SoundFrostService.exe
uRun: [afbabeaebbcbgfdgfdgdfg] "c:\documents and settings\all users\application data\afbabeaebbcbgfdgfdgdfg.exe"
uRun: [Google Update] "c:\documents and settings\jason\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Adobe CSS5.1 Manager] c:\documents and settings\jason\local settings\application data\a256fb97-162a-4558-be23-08ae4bbcb195ad\afbabeaebbcbad.exe
uRun: [Internet Security] c:\documents and settings\all users\application data\meprotection.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [Lexmark X1100 Series] "c:\program files\lexmark x1100 series\lxbkbmgr.exe"
mRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\isuspm.exe" -scheduler
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe"  -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [LGODDFU] "c:\program files\lg_fwupdate\lgfw.exe" blrun
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\media suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\media suite" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [DivXMediaServer] c:\program files\divx\divx media server\DivXMediaServer.exe
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SearchProtectAll] c:\program files\searchprotect\bin\cltmng.exe
mRun: [PrivitizeVPN] c:\program files\privitizevpn\PrivitizeVPN.exe /autorun
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uExplorerRun: [afbabeaebbcbad] c:\documents and settings\jason\local settings\application data\a256fb97-162a-4558-be23-08ae4bbcb195ad\afbabeaebbcbad.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\imagem~1.lnk - c:\program files\pixela\imagemixer 3 se ver.5\transfer utility\CameraMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\3.0.318\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {1D082E71-DF20-4AAF-863B-596428C49874} - hxxp://www.worldwinner.com/games/v50/tpir/tpir.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C5326A4D-E9AA-40AD-A09A-E74304D86B47} - hxxp://www.worldwinner.com/games/v49/dinerdash/dinerdash.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} - hxxp://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} - hxxp://walmart.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv2.0.0.9.cab?
TCP: NameServer = 192.168.2.1
TCP: Interfaces\{0D313A7F-B3A0-44C6-B14A-C22C6C109FD2} : NameServer = 192.168.2.1
TCP: Interfaces\{3617991C-97A0-4EA9-9052-BCD7CCEF4C0B} : DHCPNameServer = 193.70.152.25 193.70.192.25
TCP: Interfaces\{44EB3562-7640-4C17-B838-975A22D980BD} : DHCPNameServer = 192.168.2.1
Notify: igfxcui - igfxdev.dll
AppInit_DLLs= c:\progra~1\magnipic\assist~1.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook - {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - c:\program files\windows defender\MpShHook.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\28.0.1500.95\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\jason\application data\mozilla\firefox\profiles\xnlv2j0d.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2707060&CUI=UN41118168699758550&UM=2&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2707060&SearchSource=2&CUI=UN41118168699758550&UM=2&q=
FF - component: c:\documents and settings\jason\application data\mozilla\firefox\profiles\xnlv2j0d.default\extensions\toolbar@alot.com\components\AlotXpcom.dll
FF - component: c:\program files\pricegong\2.1.0\ff\components\PriceGongFF.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\jason\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\jason\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\jason\application data\mozilla\plugins\npo1d.dll
FF - plugin: c:\documents and settings\jason\local settings\application data\google\update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\mcafee security scan\3.0.318\npMcAfeeMSS.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20513.0\npctrlui.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_8_800_94.dll
FF - ExtSQL: !HIDDEN! 2009-09-05 22:36; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
FF - user.js: security.warn_entering_secure - false
FF - user.js: security.warn_entering_weak - false
FF - user.js: security.warn_leaving_secure - false
FF - user.js: extensions.privitize.hpOld0 - hxxps://www.google.ca/
FF - user.js: extensions.privitize.tlbrSrchUrl - hxxp://searchou.com/?id=982496420000000000000018de989ef0&q=
FF - user.js: extensions.privitize.id - 982496420000000000000018de989ef0
FF - user.js: extensions.privitize.appId - {301966DF-A84B-4255-AAB9-574B5CE237E4}
FF - user.js: extensions.privitize.instlDay - 15893
FF - user.js: extensions.privitize.vrsn - 1.8.16.22
FF - user.js: extensions.privitize.vrsni - 1.8.16.22
FF - user.js: extensions.privitize.vrsnTs - 1.8.16.220:02:47
FF - user.js: extensions.privitize.prtnrId - privitize
FF - user.js: extensions.privitize.prdct - privitize
FF - user.js: extensions.privitize.aflt - orgnl
FF - user.js: extensions.privitize.smplGrp - none
FF - user.js: extensions.privitize.tlbrId - base
FF - user.js: extensions.privitize.instlRef - 
FF - user.js: extensions.privitize.dfltLng - 
FF - user.js: extensions.privitize.excTlbr - true
FF - user.js: extensions.privitize.ffxUnstlRst - false
FF - user.js: extensions.privitize.admin - false
FF - user.js: extensions.privitize.autoRvrt - false
FF - user.js: extensions.privitize.rvrt - false
FF - user.js: extensions.privitize.hmpg - true
FF - user.js: extensions.privitize.hmpgUrl - hxxp://searchou.com/?id=982496420000000000000018de989ef0
FF - user.js: extensions.privitize.dfltSrch - true
FF - user.js: extensions.privitize.srchPrvdr - Search The Web (privitize)
FF - user.js: extensions.privitize.kw_url - hxxp://searchou.com/?q={searchTerms}&id=982496420000000000000018de989ef0
FF - user.js: extensions.privitize.dnsErr - true
FF - user.js: extensions.privitize.newTab - true
FF - user.js: extensions.privitize.newTabUrl - hxxp://searchou.com/?id=982496420000000000000018de989ef0
.
============= SERVICES / DRIVERS ===============
.
S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-1 11608]
S1 hiscoyvu;hiscoyvu;\??\c:\windows\system32\drivers\hiscoyvu.sys --> c:\windows\system32\drivers\hiscoyvu.sys [?]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-1 136360]
S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-7-1 269480]
S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-1 66616]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 CltMngSvc;Search Protect by Conduit Updater;c:\program files\searchprotect\bin\CltMngSvc.exe [2013-5-8 97056]
S2 hshld;Hotspot Shield Service;c:\program files\hotspot shield\bin\cmw_srv.exe [2013-7-25 853800]
S2 HssWd;Hotspot Shield Monitoring Service;c:\program files\hotspot shield\bin\hsswd.exe [2013-7-25 548136]
S2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [2012-10-11 63448]
S2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\opencase\opencase media agent\MediaAgent.exe [2008-5-9 814728]
S2 ZDCNDIS5;ZDCNDIS5 NDIS5.1 Protocol Driver;c:\windows\system32\ZDCndis5.sys [2009-1-31 20736]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2010-9-18 114432]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2010-9-18 100736]
S3 Leapfrog-USBLAN;Leapfrog-USBLAN;c:\windows\system32\drivers\btblan.sys [2012-1-1 33792]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\3.0.318\McCHSvc.exe [2013-2-5 235216]
S3 UCharger;Energizer Usb Charger Driver;c:\windows\system32\drivers\UCharger.sys [2007-5-15 13765]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-4-18 754856]
.
=============== Created Last 30 ================
.
2013-09-10 04:03:27 -------- d-----w- c:\program files\Runtime Software
2013-09-10 03:04:54 843776 ----a-w- c:\documents and settings\all users\application data\meprotection.exe
2013-09-10 03:04:52 270336 ----a-w- c:\documents and settings\jason\winlogon.exe
2013-09-10 03:04:52 0 ----a-w- c:\documents and settings\jason\rundll32.exe
2013-09-10 03:04:52 0 ----a-w- c:\documents and settings\jason\csrss.exe
2013-09-10 03:04:47 -------- d-----w- c:\documents and settings\jason\local settings\application data\a256fb97-162a-4558-be23-08ae4bbcb195ad
2013-08-18 04:38:49 -------- d-----w- c:\windows\system32\MRT
.
==================== Find3M  ====================
.
2013-08-28 02:50:12 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-08-28 02:50:12 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-07-26 02:47:17 920064 ----a-w- c:\windows\system32\wininet.dll
2013-07-26 02:47:13 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-07-26 02:47:12 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-07-25 15:52:59 385024 ----a-w- c:\windows\system32\html.iec
2013-07-24 02:10:56 44744 ----a-w- c:\windows\system32\drivers\hssdrv.sys
2013-07-10 10:37:53 406016 ----a-w- c:\windows\system32\usp10.dll
2013-07-04 03:03:25 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-07-04 02:08:30 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-06-21 00:19:10 33512 ----a-w- c:\windows\system32\drivers\taphss.sys
2013-06-14 01:05:51 56320 ----a-w- c:\documents and settings\all users\application data\afbabeaebbcbgfdgfdgdfg.exe
2012-07-28 05:19:20 4024320 ----a-w- c:\program files\GUT49.tmp
2007-08-05 01:39:19 774144 ----a-w- c:\program files\RngInterstitial.dll
.
=================== ROOTKIT  ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR 
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS 
1 nt!IofCallDriver[0x804E1311] -> \Device\Harddisk0\DR0[0x86B81AB8]
3 CLASSPNP[0xF768BFD7] -> nt!IofCallDriver[0x804E1311] -> \Device\00000078[0x86B0E3B8]
5 ACPI[0xF7602620] -> nt!IofCallDriver[0x804E1311] -> \Device\Ide\IdeDeviceP0T0L0-3[0x86B85D98]
kernel: MBR read successfully
_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62d;  }
user != kernel MBR !!! 
.
============= FINISH:  2:33:55.15 ===============
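
The log above already contains most of the classic rogue-AV and TDSS indicators a responder looks for: autoruns launched from loose, random-named executables in Application Data (rwbfjuz.exe, afbabeaebbcbgfdgfdgdfg.exe, and afbabeaebbcbad.exe in a GUID-named folder), an autorun called "Internet Security" pointing at meprotection.exe under All Users\Application Data, zero-byte copies of csrss.exe and rundll32.exe and a 270 KB winlogon.exe dropped into the user's profile root, a driver (hiscoyvu) registered by a bare \??\ path for which DDS prints `[?]` instead of a date and size, and GMER reporting that the MBR seen from user mode differs from the one the kernel reads. The script below is an added example, not part of the original post and not a script from BleepingComputer, DDS or GMER: it encodes those by-eye checks as heuristics over DDS output. The sample lines are constructed from the posted log; the severity labels, the XP path rules and the random-name test are this example's own assumptions.

```python
"""Triage a DDS log for the persistence and rootkit indicators seen in the log above.
Added example, not a BleepingComputer script and not part of DDS or GMER: it encodes
the checks a responder makes by eye on the Pseudo HJT, SERVICES / DRIVERS, Created
Last 30 and ROOTKIT sections, and assumes the Windows XP path layout.  SAMPLE_LOG is
constructed from lines of the posted log."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity reason line")   # severity: critical | high | medium

USER_WRITABLE = "\\documents and settings\\"   # XP: profiles, All Users\Application Data, temp
SYSTEM_BINARIES = {"winlogon.exe", "csrss.exe", "rundll32.exe", "lsass.exe", "svchost.exe"}
SECURITY_WORDS = ("security", "protection", "antivirus", "defender", "guard")  # rogue AV naming
RUN_RE = re.compile(r'^[umd](?:Explorer)?Run: \[[^\]]*\]\s*"?(?P<path>[^"]*?\.exe)', re.I)
SVC_RE = re.compile(r'^S[0-4] [^;]+;[^;]*;(?P<path>.+?)(?:\s+-->.*?)?\s+(?P<tail>\[[^\]]*\])\s*$')
NEW_FILE_RE = re.compile(r'^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+(?P<size>\d+)\s+\S+\s+(?P<path>.+\.exe)\s*$', re.I)
HEX_DIR_RE = re.compile(r'^[0-9a-f-]{30,}$')   # GUID-looking folder such as a256fb97-162a-...

def looks_random(stem):
    """Generated names have almost no vowels ('rwbfjuz') or use only a-f ('afbabeaebbcbad')."""
    if not stem.isalpha() or len(stem) < 6:
        return False
    vowels = sum(c in "aeiouy" for c in stem)
    return vowels / len(stem) < 0.25 or set(stem) <= set("abcdef")

def dropped_loose(path):
    """File sits directly in a profile root, an Application Data folder or a GUID-named
    folder, rather than inside a vendor folder (expects a lower-cased path)."""
    parts = path.split("\\")
    if len(parts) < 3:
        return False
    return (parts[-2] == "application data" or parts[-3] == "documents and settings"
            or HEX_DIR_RE.match(parts[-2]) is not None)

def classify_executable(path, size=None):
    """(severity, reason) for one executable path, or None if unremarkable."""
    low = path.lower().replace("/", "\\")
    name = low.rsplit("\\", 1)[-1]
    stem = name.rsplit(".", 1)[0]
    if name in SYSTEM_BINARIES and "\\windows\\" not in low:
        why = "system binary name outside %SystemRoot% (masquerading)"
        return ("high", why + ", zero bytes" if size == 0 else why)
    if USER_WRITABLE not in low:
        return None
    if not dropped_loose(low):
        return ("medium", "runs from a user-writable path")
    if looks_random(stem):
        return ("high", "random-looking name dropped loose in a data root")
    if any(w in stem for w in SECURITY_WORDS):
        return ("high", "'security product' name dropped loose in a data root (rogue AV pattern)")
    return ("medium", "executable dropped loose in a data root")

def triage(log_text):
    """Walk the log once and return the Findings in file order."""
    findings, user_read_failed = [], False
    for line in (raw.strip() for raw in log_text.splitlines()):
        if "user: error reading MBR" in line:
            user_read_failed = True      # GMER's user-mode read of \\.\PHYSICALDRIVE0 failed
        elif "user != kernel MBR" in line:
            if user_read_failed:         # nothing valid to compare against: unconfirmed
                findings.append(Finding("medium", "MBR mismatch reported, but the user-mode read had "
                                "failed (disk held open by another process): unconfirmed, rerun with it closed", line))
            else:
                findings.append(Finding("critical", "MBR seen from user mode differs from the MBR the "
                                "kernel reads: the disk stack is hiding the real boot sector (bootkit)", line))
        elif (m := RUN_RE.match(line)):
            if (hit := classify_executable(m.group("path"))):
                findings.append(Finding(*hit, line))
        elif (m := SVC_RE.match(line)):
            if m.group("tail") == "[?]":  # DDS printed no date/size for the image
                why = "DDS shows no date/size for the image ([?])"
                if m.group("path").startswith("\\??\\"):
                    why = "driver registered by raw \\??\\ path and " + why
                findings.append(Finding("high", why, line))
            elif (hit := classify_executable(m.group("path"))):
                findings.append(Finding(*hit, line))
        elif (m := NEW_FILE_RE.match(line)):
            if (hit := classify_executable(m.group("path"), size=int(m.group("size")))):
                findings.append(Finding(*hit, line))
    return findings

# Constructed from lines of the DDS log posted above.
SAMPLE_LOG = r"""
uRun: [Google Update] "c:\documents and settings\jason\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [rwbfjuz] "c:\documents and settings\jason\local settings\application data\rwbfjuz.exe" rwbfjuz
uRun: [Adobe CSS5.1 Manager] c:\documents and settings\jason\local settings\application data\a256fb97-162a-4558-be23-08ae4bbcb195ad\afbabeaebbcbad.exe
uRun: [Internet Security] c:\documents and settings\all users\application data\meprotection.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-1 11608]
S1 hiscoyvu;hiscoyvu;\??\c:\windows\system32\drivers\hiscoyvu.sys --> c:\windows\system32\drivers\hiscoyvu.sys [?]
2013-09-10 03:04:52 0 ----a-w- c:\documents and settings\jason\csrss.exe
user: error reading MBR
user != kernel MBR !!!
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:8}] {f.reason}\n           {f.line}")
```

One caveat the GMER section itself shows: the user-mode CreateFile on \\.\PHYSICALDRIVE0 failed with a sharing violation ("user: error reading MBR") before the comparison ran, so the "user != kernel MBR" line had no valid user-mode copy to compare against. The process list shows DriveImage XML (dixml.exe) running and the poster says a backup was in progress, which plausibly explains the lock; the script therefore reports that line as "unconfirmed" when the read failure precedes it and as critical only when the user-mode read succeeded. The autorun, driver and masquerading findings do not depend on the MBR check.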

#2 TB-Psychotic


  • Malware Response Team

Posted 10 September 2013 - 01:03 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

ComboFix

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications


====================================================


Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


[screenshot: RC_update.png]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


[screenshot: cfRC_screen_2.png]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.


Proud Member of UNITE & TB
 

#3 Djtwin

Djtwin
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:29 AM

Posted 10 September 2013 - 06:54 AM

I have completed the log and am still in Safe Mode; should I reboot and get out of Safe Mode? Log below.

ComboFix 13-09-09.04 - jason 10/09/2013   3:37.1.2 - x86 NETWORK
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1014.390 [GMT -3:00]
Running from: c:\documents and settings\jason\My Documents\Downloads\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\jason\LOCALS~1\APPLIC~1\Google\Desktop\Install
c:\docume~1\jason\LOCALS~1\APPLIC~1\Google\Desktop\Install\{55941747-7f0b-0b8d-bc77-0adbf1fab079}\C3C1~1\01C8~1\CFFE~1\{55941747-7f0b-0b8d-bc77-0adbf1fab079}\@
c:\docume~1\jason\LOCALS~1\APPLIC~1\Google\Desktop\Install\{55941747-7f0b-0b8d-bc77-0adbf1fab079}\C3C1~1\01C8~1\CFFE~1\{55941747-7f0b-0b8d-bc77-0adbf1fab079}\GoogleUpdate.exe
c:\documents and settings\All Users\Application Data\afbabeaebbcbgfdgfdgdfg.exe
c:\documents and settings\All Users\Application Data\meprotection.exe
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\PostBuild.exe
c:\documents and settings\All Users\Application Data\TEMP\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\Setup.exe
c:\documents and settings\All Users\Application Data\TEMP\{40BF1E83-20EB-11D8-97C5-0009C5020658}\PostBuild.exe
c:\documents and settings\All Users\Application Data\TEMP\{40BF1E83-20EB-11D8-97C5-0009C5020658}\Setup.exe
c:\documents and settings\All Users\Application Data\TEMP\{5DB1DF0C-AABC-4362-8A6D-CEFDFB036E41}\PostBuild.exe
c:\documents and settings\All Users\Application Data\TEMP\{C59C179C-668D-49A9-B6EA-0121CCFC1243}\PostBuild.exe
c:\documents and settings\All Users\Application Data\TEMP\{C59C179C-668D-49A9-B6EA-0121CCFC1243}\Setup.exe
c:\documents and settings\jason\Application Data\PriceGong
c:\documents and settings\jason\Application Data\PriceGong\Data\1.txt
c:\documents and settings\jason\Application Data\PriceGong\Data\a.txt
c:\documents and settings\jason\Application Data\PriceGong\Data\b.txt
c:\documents and settings\jason\Application Data\PriceGong\Data\c.txt
c:\documents and settings\jason\Application Data\PriceGong\Data\d.txt
c:\documents and settings\jason\Application Data\PriceGong\Data\e.txt
c:\documents and settings\jason\Application Data\PriceGong\Data\f.txt
c:\documents and settings\jason\Application Data\PriceGong\Data\g.txt
c:\documents and settings\jason\Application Data\PriceGong\Data\h.txt
c:\documents and settings\jason\Application Data\PriceGong\Data\i.txt
c:\documents and settings\jason\Application Data\PriceGong\Data\j.txt
c:\documents and settings\jason\Application Data\PriceGong\Data\k.txt
c:\documents and settings\jason\Application Data\PriceGong\Data\l.txt
c:\documents and settings\jason\Application Data\PriceGong\Data\m.txt
c:\documents and settings\jason\Application Data\PriceGong\Data\n.txt
c:\documents and settings\jason\Application Data\PriceGong\Data\o.txt
c:\documents and settings\jason\Application Data\PriceGong\Data\p.txt
c:\documents and settings\jason\Application Data\PriceGong\Data\q.txt
c:\documents and settings\jason\Application Data\PriceGong\Data\r.txt
c:\documents and settings\jason\Application Data\PriceGong\Data\s.txt
c:\documents and settings\jason\Application Data\PriceGong\Data\t.txt
c:\documents and settings\jason\Application Data\PriceGong\Data\u.txt
c:\documents and settings\jason\Application Data\PriceGong\Data\v.txt
c:\documents and settings\jason\Application Data\PriceGong\Data\w.txt
c:\documents and settings\jason\Application Data\PriceGong\Data\wlu.txt
c:\documents and settings\jason\Application Data\PriceGong\Data\x.txt
c:\documents and settings\jason\Application Data\PriceGong\Data\y.txt
c:\documents and settings\jason\Application Data\PriceGong\Data\z.txt
c:\documents and settings\jason\Application Data\SearchProtect
c:\documents and settings\jason\Application Data\SearchProtect\bin\ChromeModule.dll
c:\documents and settings\jason\Application Data\SearchProtect\bin\cltmng.exe
c:\documents and settings\jason\Application Data\SearchProtect\bin\CltMngSvc.exe
c:\documents and settings\jason\Application Data\SearchProtect\bin\FirefoxModule.dll
c:\documents and settings\jason\Application Data\SearchProtect\bin\InternetExplorerModule.dll
c:\documents and settings\jason\Application Data\SearchProtect\bin\msvcp100.dll
c:\documents and settings\jason\Application Data\SearchProtect\bin\msvcr100.dll
c:\documents and settings\jason\Application Data\SearchProtect\bin\rep.dat
c:\documents and settings\jason\Application Data\SearchProtect\bin\SPHook32.dll
c:\documents and settings\jason\Application Data\SearchProtect\bin\SPRunner.exe
c:\documents and settings\jason\Application Data\SearchProtect\Dialogs\dialogsApi.js
c:\documents and settings\jason\Application Data\SearchProtect\Dialogs\lib\jquery.min.js
c:\documents and settings\jason\Application Data\SearchProtect\Dialogs\lib\json2.js
c:\documents and settings\jason\Application Data\SearchProtect\Dialogs\spbd\bubble.css
c:\documents and settings\jason\Application Data\SearchProtect\Dialogs\spbd\bubble.js
c:\documents and settings\jason\Application Data\SearchProtect\Dialogs\spbd\images\information.png
c:\documents and settings\jason\Application Data\SearchProtect\Dialogs\spbd\images\x-default-LTR.png
c:\documents and settings\jason\Application Data\SearchProtect\Dialogs\spbd\images\x-default-RTL.png
c:\documents and settings\jason\Application Data\SearchProtect\Dialogs\spbd\images\x-mouseover-LTR.png
c:\documents and settings\jason\Application Data\SearchProtect\Dialogs\spbd\images\x-mouseover-RTL.png
c:\documents and settings\jason\Application Data\SearchProtect\Dialogs\spbd\main.html
c:\documents and settings\jason\Application Data\SearchProtect\Dialogs\spsd\images\ok-button.png
c:\documents and settings\jason\Application Data\SearchProtect\Dialogs\spsd\images\separation-line.png
c:\documents and settings\jason\Application Data\SearchProtect\Dialogs\spsd\images\warning.png
c:\documents and settings\jason\Application Data\SearchProtect\Dialogs\spsd\main.html
c:\documents and settings\jason\Application Data\SearchProtect\Dialogs\spsd\SearchProtector.css
c:\documents and settings\jason\Application Data\SearchProtect\Dialogs\spsd\settings.js
c:\documents and settings\jason\Application Data\SearchProtect\ffprotect\abstraction.js
c:\documents and settings\jason\Application Data\SearchProtect\ffprotect\application.js
c:\documents and settings\jason\Application Data\SearchProtect\ffprotect\Dialogs\dialogsApi.js
c:\documents and settings\jason\Application Data\SearchProtect\ffprotect\Dialogs\lib\jquery.min.js
c:\documents and settings\jason\Application Data\SearchProtect\ffprotect\Dialogs\lib\json2.js
c:\documents and settings\jason\Application Data\SearchProtect\ffprotect\Dialogs\spbd\bubble.css
c:\documents and settings\jason\Application Data\SearchProtect\ffprotect\Dialogs\spbd\bubble.js
c:\documents and settings\jason\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\information.png
c:\documents and settings\jason\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-default-LTR.png
c:\documents and settings\jason\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-default-RTL.png
c:\documents and settings\jason\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-mouseover-LTR.png
c:\documents and settings\jason\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-mouseover-RTL.png
c:\documents and settings\jason\Application Data\SearchProtect\ffprotect\Dialogs\spbd\main.html
c:\documents and settings\jason\Application Data\SearchProtect\ffprotect\Dialogs\spsd\images\ok-button.png
c:\documents and settings\jason\Application Data\SearchProtect\ffprotect\Dialogs\spsd\images\separation-line.png
c:\documents and settings\jason\Application Data\SearchProtect\ffprotect\Dialogs\spsd\images\warning.png
c:\documents and settings\jason\Application Data\SearchProtect\ffprotect\Dialogs\spsd\main.html
c:\documents and settings\jason\Application Data\SearchProtect\ffprotect\Dialogs\spsd\SearchProtector.css
c:\documents and settings\jason\Application Data\SearchProtect\ffprotect\Dialogs\spsd\settings.js
c:\documents and settings\jason\Application Data\SearchProtect\ffprotect\nsprotector.js
c:\documents and settings\jason\Application Data\SearchProtect\ffprotect\popupTransparent.xul
c:\documents and settings\jason\Application Data\SearchProtect\ffprotect\SProtectorRepository\EN
c:\documents and settings\jason\Application Data\SearchProtect\ffprotect\SProtectorRepository\searchProtectorData
c:\documents and settings\jason\Application Data\SearchProtect\Res\SPSetup.exe
c:\documents and settings\jason\csrss.exe
c:\documents and settings\jason\Local Settings\Application Data\a256fb97-162a-4558-be23-08ae4bbcb195ad
c:\documents and settings\jason\Local Settings\Application Data\a256fb97-162a-4558-be23-08ae4bbcb195ad\afbabeaebbcbad.exe
c:\documents and settings\jason\Local Settings\Application Data\fmlrqxw.dat
c:\documents and settings\jason\Local Settings\Application Data\fmlrqxw_nav.dat
c:\documents and settings\jason\Local Settings\Application Data\fmlrqxw_navps.dat
c:\documents and settings\jason\Local Settings\Application Data\rwbfjuz.dat
c:\documents and settings\jason\Local Settings\Application Data\rwbfjuz_nav.dat
c:\documents and settings\jason\Local Settings\Application Data\rwbfjuz_navps.dat
c:\documents and settings\jason\rundll32.exe
c:\documents and settings\jason\WINDOWS
c:\documents and settings\jason\winlogon.exe
c:\documents and settings\LocalService\Local Settings\Application Data\a256fb97-162a-4558-be23-08ae4bbcb195ad
c:\documents and settings\LocalService\Local Settings\Application Data\a256fb97-162a-4558-be23-08ae4bbcb195ad\afbabeaebbcbad.exe
c:\documents and settings\NetworkService\3199735.exe
C:\install.exe
c:\progra~1\SOUNDF~1\SOUNdf~1.dll
c:\program files\Google\Desktop\Install
c:\program files\Google\Desktop\Install\{55941747-7f0b-0b8d-bc77-0adbf1fab079}\0103~1\0103~1\CFFE~1\{55941747-7f0b-0b8d-bc77-0adbf1fab079}\@
c:\program files\Google\Desktop\Install\{55941747-7f0b-0b8d-bc77-0adbf1fab079}\0103~1\0103~1\CFFE~1\{55941747-7f0b-0b8d-bc77-0adbf1fab079}\GoogleUpdate.exe
c:\program files\Google\Desktop\Install\{55941747-7f0b-0b8d-bc77-0adbf1fab079}\0103~1\0103~1\CFFE~1\{55941747-7f0b-0b8d-bc77-0adbf1fab079}\L\00000004.@
c:\program files\Google\Desktop\Install\{55941747-7f0b-0b8d-bc77-0adbf1fab079}\0103~1\0103~1\CFFE~1\{55941747-7f0b-0b8d-bc77-0adbf1fab079}\L\201d3dde
c:\program files\Google\Desktop\Install\{55941747-7f0b-0b8d-bc77-0adbf1fab079}\0103~1\0103~1\CFFE~1\{55941747-7f0b-0b8d-bc77-0adbf1fab079}\L\76603ac3
c:\program files\Google\Desktop\Install\{55941747-7f0b-0b8d-bc77-0adbf1fab079}\0103~1\0103~1\CFFE~1\{55941747-7f0b-0b8d-bc77-0adbf1fab079}\U\00000004.@
c:\program files\Google\Desktop\Install\{55941747-7f0b-0b8d-bc77-0adbf1fab079}\0103~1\0103~1\CFFE~1\{55941747-7f0b-0b8d-bc77-0adbf1fab079}\U\00000008.@
c:\program files\Google\Desktop\Install\{55941747-7f0b-0b8d-bc77-0adbf1fab079}\0103~1\0103~1\CFFE~1\{55941747-7f0b-0b8d-bc77-0adbf1fab079}\U\000000cb.@
c:\program files\Google\Desktop\Install\{55941747-7f0b-0b8d-bc77-0adbf1fab079}\0103~1\0103~1\CFFE~1\{55941747-7f0b-0b8d-bc77-0adbf1fab079}\U\80000000.@
c:\program files\Google\Desktop\Install\{55941747-7f0b-0b8d-bc77-0adbf1fab079}\0103~1\0103~1\CFFE~1\{55941747-7f0b-0b8d-bc77-0adbf1fab079}\U\80000032.@
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\History\search2
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\Pe
c:\program files\Pe\AEGAXS.dll
c:\program files\Pe\App.ico
c:\program files\Pe\CageDLL.dll
c:\program files\Pe\Configs.xml
c:\program files\Pe\dnscache.dll
c:\program files\Pe\HuD.xml
c:\program files\Pe\iexplore.exe
c:\program files\Pe\iexplore.exe.config
c:\program files\Pe\Lib\accllistbar.dll
c:\program files\Pe\Lib\AxInterop.SHDocVw.dll
c:\program files\Pe\Lib\Infragistics.Shared.v3.2.dll
c:\program files\Pe\Lib\Infragistics.UltraChart.Core.v4.1.dll
c:\program files\Pe\Lib\Infragistics.UltraChart.Data.v4.1.dll
c:\program files\Pe\Lib\Infragistics.UltraChart.Render.v4.1.dll
c:\program files\Pe\Lib\Infragistics.UltraChart.Resources.v4.1.dll
c:\program files\Pe\Lib\Infragistics.Win.Misc.v3.2.dll
c:\program files\Pe\Lib\Infragistics.Win.UltraWinChart.v4.1.dll
c:\program files\Pe\Lib\Infragistics.Win.UltraWinDock.v3.2.dll
c:\program files\Pe\Lib\Infragistics.Win.UltraWinEditors.v3.2.dll
c:\program files\Pe\Lib\Infragistics.Win.UltraWinListBar.v3.2.dll
c:\program files\Pe\Lib\Infragistics.Win.UltraWinTabControl.v3.2.dll
c:\program files\Pe\Lib\Infragistics.Win.UltraWinToolbars.v3.2.dll
c:\program files\Pe\Lib\Infragistics.Win.v3.2.dll
c:\program files\Pe\Lib\Interop.SHDocVw.dll
c:\program files\Pe\Lib\MessageBoxExLib.dll
c:\program files\Pe\Lib\pecomm.dll
c:\program files\Pe\Lib\PokerHUD.dll
c:\program files\Pe\Lib\shellstyle.dll
c:\program files\Pe\Lib\xpexplorerbar.dll
c:\program files\Pe\License.txt
c:\program files\Pe\Notes.xml
c:\program files\Pe\NTGA11X.dll
c:\program files\Pe\Readme.txt
c:\program files\Pe\S_MinerX.exe
c:\program files\Pe\Settings.xml
c:\windows\system32\Cache
c:\windows\system32\Cache\075884af680ff6dc.fb
c:\windows\system32\Cache\227113dfa1ca894d.fb
c:\windows\system32\Cache\49fbbc5a8678d502.fb
c:\windows\system32\Cache\5c54eb1a1655b076.fb
c:\windows\system32\Cache\613e8ce7ab7106af.fb
c:\windows\system32\Cache\633a76311867bd11.fb
c:\windows\system32\Cache\691f14230153a9e1.fb
c:\windows\system32\Cache\6cb409d7ac73d9f1.fb
c:\windows\system32\Cache\7614bd6cfa99e546.fb
c:\windows\system32\Cache\77664b6ccc36be9f.fb
c:\windows\system32\Cache\7b6683f4085f96aa.fb
c:\windows\system32\Cache\881b3593316772f0.fb
c:\windows\system32\Cache\98657d0579ae1930.fb
c:\windows\system32\Cache\c4e10d1be905349b.fb
c:\windows\system32\Cache\d5c0f4e7bbe35bf3.fb
c:\windows\system32\Cache\d9ca663388d21ec0.fb
c:\windows\system32\Cache\f2cda51fd108941f.fb
c:\windows\system32\Cache\f34d8db84131d925.fb
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-10 to 2013-09-10  )))))))))))))))))))))))))))))))
.
.
2013-09-10 04:03 . 2013-09-10 04:03 -------- d-----w- c:\program files\Runtime Software
2013-08-18 04:38 . 2013-08-19 01:17 -------- d-----w- c:\windows\system32\MRT
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-28 02:50 . 2012-06-04 02:54 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-08-28 02:50 . 2012-06-04 02:53 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-26 02:47 . 2004-08-10 18:51 920064 ----a-w- c:\windows\system32\wininet.dll
2013-07-26 02:47 . 2004-08-10 18:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-07-26 02:47 . 2004-08-10 18:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-07-25 15:52 . 2004-08-10 18:51 385024 ----a-w- c:\windows\system32\html.iec
2013-07-24 02:10 . 2013-06-21 01:05 44744 ----a-w- c:\windows\system32\drivers\hssdrv.sys
2013-07-10 10:37 . 2004-08-10 18:51 406016 ----a-w- c:\windows\system32\usp10.dll
2013-07-04 03:03 . 2004-08-10 18:51 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-07-04 02:08 . 2004-08-04 04:59 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-06-21 00:19 . 2013-06-21 00:19 33512 ----a-w- c:\windows\system32\drivers\taphss.sys
2012-07-28 05:19 . 2012-07-28 05:19 4024320 ----a-w- c:\program files\GUT49.tmp
2007-08-05 01:39 . 2007-08-05 01:41 774144 ----a-w- c:\program files\RngInterstitial.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{f16708b8-d2df-482d-9dfa-aa8d8894f0f4}"= "c:\program files\HotSpot_Shield_Elite\prxtbHotS.dll" [2013-06-18 231712]
.
[HKEY_CLASSES_ROOT\clsid\{f16708b8-d2df-482d-9dfa-aa8d8894f0f4}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{f16708b8-d2df-482d-9dfa-aa8d8894f0f4}]
2013-06-18 11:54 231712 ----a-w- c:\program files\HotSpot_Shield_Elite\prxtbHotS.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{f16708b8-d2df-482d-9dfa-aa8d8894f0f4}"= "c:\program files\HotSpot_Shield_Elite\prxtbHotS.dll" [2013-06-18 231712]
.
[HKEY_CLASSES_ROOT\clsid\{f16708b8-d2df-482d-9dfa-aa8d8894f0f4}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{F16708B8-D2DF-482D-9DFA-AA8D8894F0F4}"= "c:\program files\HotSpot_Shield_Elite\prxtbHotS.dll" [2013-06-18 231712]
.
[HKEY_CLASSES_ROOT\clsid\{f16708b8-d2df-482d-9dfa-aa8d8894f0f4}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-14 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-14 118784]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 282624]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-08-04 1032192]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-09 761947]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 86960]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 57344]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-30 281768]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-17 202256]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2012-09-28 298376]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2009-12-15 103720]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"LGODDFU"="c:\program files\lg_fwupdate\lgfw.exe" [2012-08-12 27760]
"UpdatePSTShortCut"="c:\program files\CyberLink\Media Suite\MUITransfer\MUIStartMenu.exe" [2011-12-15 222504]
"DivXMediaServer"="c:\program files\DivX\DivX Media Server\DivXMediaServer.exe" [2012-11-13 450560]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2012-11-30 1263512]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"SearchProtectAll"="c:\program files\SearchProtect\bin\cltmng.exe" [2013-05-08 2852640]
"PrivitizeVPN"="c:\program files\PrivitizeVPN\PrivitizeVPN.exe" [2013-08-04 196784]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-11-22 24576]
ImageMixer 3 SE Camera Monitor Ver.5.lnk - c:\program files\PIXELA\ImageMixer 3 SE Ver.5\Transfer Utility\CameraMonitor.exe [2010-1-24 253952]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.0.318\SSScheduler.exe [2013-2-5 272248]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe /n [2005-5-4 81920]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\DivX\\DivX Media Server\\DivXMediaServer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Documents and Settings\\jason\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
.
S1 hiscoyvu;hiscoyvu;\??\c:\windows\system32\drivers\hiscoyvu.sys --> c:\windows\system32\drivers\hiscoyvu.sys [?]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [01/07/2009 10:15 PM 136360]
S2 CltMngSvc;Search Protect by Conduit Updater;c:\program files\SearchProtect\bin\CltMngSvc.exe [08/05/2013 3:18 AM 97056]
S2 hshld;Hotspot Shield Service;c:\program files\Hotspot Shield\bin\cmw_srv.exe [25/07/2013 1:57 PM 853800]
S2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [25/07/2013 1:57 PM 548136]
S2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [11/10/2012 10:39 PM 63448]
S2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe [09/05/2008 1:43 PM 814728]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [18/09/2010 4:40 PM 114432]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [18/09/2010 4:40 PM 100736]
S3 Leapfrog-USBLAN;Leapfrog-USBLAN;c:\windows\system32\drivers\btblan.sys [01/01/2012 1:26 PM 33792]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.0.318\McCHSvc.exe [05/02/2013 12:48 PM 235216]
S3 UCharger;Energizer Usb Charger Driver;c:\windows\system32\drivers\UCharger.sys [15/05/2007 9:43 AM 13765]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WUAUSERV
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-08-04 02:08 1173456 ----a-w- c:\program files\Google\Chrome\Application\28.0.1500.95\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-06 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-04 02:50]
.
2010-04-24 c:\windows\Tasks\expressburnSevenDaysInit.job
- c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2010-04-24 02:08]
.
2013-09-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 00:27]
.
2013-09-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 00:27]
.
2013-08-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-46812269-3355033471-1508176883-1007Core.job
- c:\documents and settings\jason\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-11 01:07]
.
2013-09-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-46812269-3355033471-1508176883-1007UA.job
- c:\documents and settings\jason\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-11 01:07]
.
2013-08-18 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 22:20]
.
2013-06-14 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe [2007-04-20 03:42]
.
2013-09-10 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-46812269-3355033471-1508176883-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 01:09]
.
2013-08-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-46812269-3355033471-1508176883-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 01:09]
.
2010-04-24 c:\windows\Tasks\videopadSevenDays.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2010-04-24 02:08]
.
2010-04-24 c:\windows\Tasks\videopadShakeIcon.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2010-04-24 02:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{0D313A7F-B3A0-44C6-B14A-C22C6C109FD2}: NameServer = 192.168.2.1
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\jason\Application Data\Mozilla\Firefox\Profiles\xnlv2j0d.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2707060&CUI=UN41118168699758550&UM=2&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2707060&SearchSource=2&CUI=UN41118168699758550&UM=2&q=
FF - ExtSQL: !HIDDEN! 2009-09-05 22:36; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
FF - user.js: security.warn_entering_secure - false
FF - user.js: security.warn_entering_weak - false
FF - user.js: security.warn_leaving_secure - false
FF - user.js: extensions.privitize.hpOld0 - hxxps://www.google.ca/
FF - user.js: extensions.privitize.tlbrSrchUrl - hxxp://searchou.com/?id=982496420000000000000018de989ef0&q=
FF - user.js: extensions.privitize.id - 982496420000000000000018de989ef0
FF - user.js: extensions.privitize.appId - {301966DF-A84B-4255-AAB9-574B5CE237E4}
FF - user.js: extensions.privitize.instlDay - 15893
FF - user.js: extensions.privitize.vrsn - 1.8.16.22
FF - user.js: extensions.privitize.vrsni - 1.8.16.22
FF - user.js: extensions.privitize.vrsnTs - 1.8.16.220:02
FF - user.js: extensions.privitize.prtnrId - privitize
FF - user.js: extensions.privitize.prdct - privitize
FF - user.js: extensions.privitize.aflt - orgnl
FF - user.js: extensions.privitize.smplGrp - none
FF - user.js: extensions.privitize.tlbrId - base
FF - user.js: extensions.privitize.instlRef - 
FF - user.js: extensions.privitize.dfltLng - 
FF - user.js: extensions.privitize.excTlbr - true
FF - user.js: extensions.privitize.ffxUnstlRst - false
FF - user.js: extensions.privitize.admin - false
FF - user.js: extensions.privitize.autoRvrt - false
FF - user.js: extensions.privitize.rvrt - false
FF - user.js: extensions.privitize.hmpg - true
FF - user.js: extensions.privitize.hmpgUrl - hxxp://searchou.com/?id=982496420000000000000018de989ef0
FF - user.js: extensions.privitize.dfltSrch - true
FF - user.js: extensions.privitize.srchPrvdr - Search The Web (privitize)
FF - user.js: extensions.privitize.kw_url - hxxp://searchou.com/?q={searchTerms}&id=982496420000000000000018de989ef0
FF - user.js: extensions.privitize.dnsErr - true
FF - user.js: extensions.privitize.newTab - true
FF - user.js: extensions.privitize.newTabUrl - hxxp://searchou.com/?id=982496420000000000000018de989ef0
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{f9c70819-7219-47fc-a9c6-edf2c22a7f81} - c:\progra~1\SOUNDF~1\SOUNDF~1.DLL
HKLM-Run-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe
HKLM-Run-ISUSPM - c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe
SafeBoot-WinDefend
AddRemove-rwbfjuz - c:\documents and settings\jason\local settings\application data\rwbfjuz.exe
AddRemove-Updater Service - c:\documents and settings\All Users\Application Data\IBUpdaterService\ibsvc.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-10 04:05
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-46812269-3355033471-1508176883-1007\Software\Microsoft\MessengerService\GroupStateCacheU\!÷d*÷**]
"Name"=hex:13,21,c3,03,b7,03,64,00,c3,03,b7,03,2a,00,00,00
"Collapsed"=hex:00,00,00,00
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
Completion time: 2013-09-10  04:09:03
ComboFix-quarantined-files.txt  2013-09-10 07:08
.
Pre-Run: 3,176,771,584 bytes free
Post-Run: 7,103,922,176 bytes free
.
- - End Of File - - DE3A606FF4BFC26AA25F46681A409691
5CB90281D1A59B251F6603134774EEC3
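Reading a ComboFix log like the one above by hand is slow, and the things a responder looks for first are mechanical: copies of csrss.exe, winlogon.exe and rundll32.exe sitting outside %SystemRoot%, executables dropped straight into a profile root, into the LocalService/NetworkService profiles or into the drive root, a service whose driver file is gone (the `[?]` marker on the hiscoyvu line), and the Security Center AntiVirusOverride flag. The script below is an added example, not part of this thread and not ComboFix's own code; the category names and the heuristics are my own, and the sample input is a handful of lines copied from the log above so that it runs offline.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix code).

Flags the persistence and masquerading indicators that stand out in the
log above.  Heuristics and category names are this example's own choices.
"""
import re
from pathlib import PureWindowsPath

# Process names that legitimately live only under %SystemRoot% / System32.
SYSTEM_BINARIES = {"csrss.exe", "winlogon.exe", "rundll32.exe", "svchost.exe",
                   "lsass.exe", "services.exe", "smss.exe", "explorer.exe"}
ALLOWED_PARENTS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
PROFILE_ROOTS = {"documents and settings", "users"}
SERVICE_ACCOUNTS = {"localservice", "networkservice"}

# Any executable/driver path on a line (ComboFix quotes paths in Run entries,
# so quotes and brackets terminate the match; lazy so we stop at the suffix).
PATH_RE = re.compile(r'[a-z]:\\[^"\[\]\r\n]*?\.(?:exe|dll|sys)\b', re.I)
# ComboFix service/driver lines start with R0-R4 (running) or S0-S4 (stopped).
SERVICE_LINE_RE = re.compile(r"^[RS][0-4]\s+\S", re.I)

# Constructed sample: lines copied from the ComboFix log in this thread.
SAMPLE_LOG = r"""
c:\documents and settings\jason\csrss.exe
c:\documents and settings\jason\rundll32.exe
c:\documents and settings\jason\winlogon.exe
c:\documents and settings\NetworkService\3199735.exe
c:\documents and settings\LocalService\Local Settings\Application Data\a256fb97-162a-4558-be23-08ae4bbcb195ad\afbabeaebbcbad.exe
C:\install.exe
c:\windows\system32\drivers\hssdrv.sys
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-30 281768]
"AntiVirusOverride"=dword:00000001
S1 hiscoyvu;hiscoyvu;\??\c:\windows\system32\drivers\hiscoyvu.sys --> c:\windows\system32\drivers\hiscoyvu.sys [?]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [01/07/2009 10:15 PM 136360]
"""


def path_findings(path: str) -> list:
    """Return the indicator categories that apply to one executable path."""
    p = PureWindowsPath(path.lower())
    parts = p.parts          # ('c:\\', 'documents and settings', 'jason', 'csrss.exe')
    out = []
    if p.name in SYSTEM_BINARIES and str(p.parent) not in ALLOWED_PARENTS:
        out.append("system-binary-outside-windows")
    if len(parts) == 2:      # e.g. C:\install.exe
        out.append("exe-in-drive-root")
    if len(parts) >= 3 and parts[1] in PROFILE_ROOTS:
        if parts[2] in SERVICE_ACCOUNTS:   # service-account profiles hold no user software
            out.append("exe-in-service-account-profile")
        if len(parts) == 4:                # file directly in the profile root
            out.append("exe-in-profile-root")
    return out


def triage(log_text: str) -> list:
    """Scan a ComboFix-style log and return (category, detail) findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Service/driver registered but image file missing on disk.
        if SERVICE_LINE_RE.match(line) and line.endswith("[?]"):
            service_name = line.split()[1].split(";")[0]
            findings.append(("service-image-missing", service_name))
        # Security Center told to stop warning about missing/disabled AV.
        if re.fullmatch(r'"AntiVirusOverride"=dword:0*1', line, re.I):
            findings.append(("security-center-av-override", line))
        seen = set()
        for m in PATH_RE.finditer(line):
            path = m.group(0)
            if path.lower() in seen:      # same path twice on a '-->' line
                continue
            seen.add(path.lower())
            for category in path_findings(path):
                findings.append((category, path))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:35} {detail}")
```

Run it against a full ComboFix.txt by reading the file into `triage()`; everything it does not flag still needs eyes, but the masquerading system binaries and the dead driver entry are exactly the items a CFScript would target first.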


#4 TB-Psychotic
  • Malware Response Team

Posted 10 September 2013 - 07:22 AM

ComboFix scripting

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where ComboFix is.


CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.


#5 Djtwin
  • Topic Starter

Posted 10 September 2013 - 03:26 PM

Computer rebooted and is no longer in safe mode; however, it appears I am able to open browsers now. Log below. Thanks thus far, appreciate the help.

 

ComboFix 13-09-10.03 - jason 10/09/2013  16:18:39.3.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1014.288 [GMT -3:00]
Running from: c:\documents and settings\jason\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\jason\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
 * Created a new restore point
.
FILE ::
"c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk"
"c:\program files\GUT49.tmp"
"c:\program files\HotSpot_Shield_Elite\prxtbHotS.dll"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Desktop\Internet Security 2013.lnk
C:\END
c:\windows\assembly\GAC\Desktop.ini
c:\windows\system32\AegisI5Installer.exe
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\nvs2.inf
c:\windows\system32\roboot.exe
c:\windows\wininit.ini
.
---- Previous Run -------
.
c:\program files\McAfee Security Scan\3.0.318\AVScanComponent.dll
c:\program files\McAfee Security Scan\3.0.318\AVScanner.ini
c:\program files\McAfee Security Scan\3.0.318\avvclean.dat
c:\program files\McAfee Security Scan\3.0.318\avvnames.dat
c:\program files\McAfee Security Scan\3.0.318\avvscan.dat
c:\program files\McAfee Security Scan\3.0.318\config.dat
c:\program files\McAfee Security Scan\3.0.318\ftconfig.ini
c:\program files\McAfee Security Scan\3.0.318\McAfee.ico
c:\program files\McAfee Security Scan\3.0.318\McAfeeMSS_IE.dll
c:\program files\McAfee Security Scan\3.0.318\mcbrwsr2.dll
c:\program files\McAfee Security Scan\3.0.318\McCHSvc.exe
c:\program files\McAfee Security Scan\3.0.318\MCCompHostConfig.ini
c:\program files\McAfee Security Scan\3.0.318\McInstallerRes.dll
c:\program files\McAfee Security Scan\3.0.318\McInstallerRes_LD.dll
c:\program files\McAfee Security Scan\3.0.318\McInstallerStartup.dll
c:\program files\McAfee Security Scan\3.0.318\mcscan32.dll
c:\program files\McAfee Security Scan\3.0.318\mcuicnt.exe
c:\program files\McAfee Security Scan\3.0.318\McUpdater.dll
c:\program files\McAfee Security Scan\3.0.318\npMcAfeeMSS.dll
c:\program files\McAfee Security Scan\3.0.318\sa_cache_sqlite.dll
c:\program files\McAfee Security Scan\3.0.318\sa_http_win32.dll
c:\program files\McAfee Security Scan\3.0.318\sa_mbl.dll
c:\program files\McAfee Security Scan\3.0.318\sa_store_sqlite.dll
c:\program files\McAfee Security Scan\3.0.318\sacore.db
c:\program files\McAfee Security Scan\3.0.318\sacore.dll
c:\program files\McAfee Security Scan\3.0.318\sacoredata\uds_filetypes.txt
c:\program files\McAfee Security Scan\3.0.318\sacoredata\uds_hosting.txt
c:\program files\McAfee Security Scan\3.0.318\sacoredata\uds_tlds.txt
c:\program files\McAfee Security Scan\3.0.318\SecurityScanner.dll
c:\program files\McAfee Security Scan\3.0.318\SecurityScanner_LD.dll
c:\program files\McAfee Security Scan\3.0.318\signlic.txt
c:\program files\McAfee Security Scan\3.0.318\sqlite3.dll
c:\program files\McAfee Security Scan\3.0.318\SSScheduler.exe
c:\program files\McAfee Security Scan\3.0.318\uninstaller.ini
c:\program files\McAfee Security Scan\3.0.318\WebInfoScanner.dll
c:\program files\McAfee Security Scan\3.0.318\WMIScanner.dll
c:\program files\McAfee Security Scan\uninstall.exe
c:\program files\SearchProtect\bin\ChromeModule.dll
c:\program files\SearchProtect\bin\cltmng.exe
c:\program files\SearchProtect\bin\CltMngSvc.exe
c:\program files\SearchProtect\bin\FirefoxModule.dll
c:\program files\SearchProtect\bin\InternetExplorerModule.dll
c:\program files\SearchProtect\bin\msvcp100.dll
c:\program files\SearchProtect\bin\msvcr100.dll
c:\program files\SearchProtect\bin\rep.dat
c:\program files\SearchProtect\bin\SPHook32.dll
c:\program files\SearchProtect\bin\SPRunner.exe
c:\program files\SearchProtect\bin\uninstall.exe
c:\program files\SearchProtect\Dialogs\dialogsApi.js
c:\program files\SearchProtect\Dialogs\lib\jquery.min.js
c:\program files\SearchProtect\Dialogs\lib\json2.js
c:\program files\SearchProtect\Dialogs\spbd\bubble.css
c:\program files\SearchProtect\Dialogs\spbd\bubble.js
c:\program files\SearchProtect\Dialogs\spbd\images\information.png
c:\program files\SearchProtect\Dialogs\spbd\images\x-default-LTR.png
c:\program files\SearchProtect\Dialogs\spbd\images\x-default-RTL.png
c:\program files\SearchProtect\Dialogs\spbd\images\x-mouseover-LTR.png
c:\program files\SearchProtect\Dialogs\spbd\images\x-mouseover-RTL.png
c:\program files\SearchProtect\Dialogs\spbd\main.html
c:\program files\SearchProtect\Dialogs\spsd\images\ok-button.png
c:\program files\SearchProtect\Dialogs\spsd\images\separation-line.png
c:\program files\SearchProtect\Dialogs\spsd\images\warning.png
c:\program files\SearchProtect\Dialogs\spsd\main.html
c:\program files\SearchProtect\Dialogs\spsd\SearchProtector.css
c:\program files\SearchProtect\Dialogs\spsd\settings.js
c:\program files\SearchProtect\ffprotect\abstraction.js
c:\program files\SearchProtect\ffprotect\application.js
c:\program files\SearchProtect\ffprotect\nsprotector.js
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_CLTMNGSVC
-------\Legacy_MCCOMPONENTHOSTSERVICE
-------\Service_CltMngSvc
-------\Service_hiscoyvu
-------\Service_McComponentHostService
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-10 to 2013-09-10  )))))))))))))))))))))))))))))))
.
.
2013-09-10 04:03 . 2013-09-10 04:03 -------- d-----w- c:\program files\Runtime Software
2013-08-18 04:38 . 2013-08-19 01:17 -------- d-----w- c:\windows\system32\MRT
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-28 02:50 . 2012-06-04 02:54 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-08-28 02:50 . 2012-06-04 02:53 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-26 02:47 . 2004-08-10 18:51 920064 ----a-w- c:\windows\system32\wininet.dll
2013-07-26 02:47 . 2004-08-10 18:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-07-26 02:47 . 2004-08-10 18:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-07-25 15:52 . 2004-08-10 18:51 385024 ----a-w- c:\windows\system32\html.iec
2013-07-24 02:10 . 2013-06-21 01:05 44744 ----a-w- c:\windows\system32\drivers\hssdrv.sys
2013-07-10 10:37 . 2004-08-10 18:51 406016 ----a-w- c:\windows\system32\usp10.dll
2013-07-04 03:03 . 2004-08-10 18:51 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-07-04 02:08 . 2004-08-04 04:59 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-06-21 00:19 . 2013-06-21 00:19 33512 ----a-w- c:\windows\system32\drivers\taphss.sys
2012-07-28 05:19 . 2012-07-28 05:19 4024320 ----a-w- c:\program files\GUT49.tmp
2007-08-05 01:39 . 2007-08-05 01:41 774144 ----a-w- c:\program files\RngInterstitial.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-14 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-14 118784]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 282624]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-08-04 1032192]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-09 761947]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 86960]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 57344]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-30 281768]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-17 202256]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2012-09-28 298376]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2009-12-15 103720]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"LGODDFU"="c:\program files\lg_fwupdate\lgfw.exe" [2012-08-12 27760]
"UpdatePSTShortCut"="c:\program files\CyberLink\Media Suite\MUITransfer\MUIStartMenu.exe" [2011-12-15 222504]
"DivXMediaServer"="c:\program files\DivX\DivX Media Server\DivXMediaServer.exe" [2012-11-13 450560]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2012-11-30 1263512]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"PrivitizeVPN"="c:\program files\PrivitizeVPN\PrivitizeVPN.exe" [2013-08-04 196784]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-11-22 24576]
ImageMixer 3 SE Camera Monitor Ver.5.lnk - c:\program files\PIXELA\ImageMixer 3 SE Ver.5\Transfer Utility\CameraMonitor.exe [2010-1-24 253952]
McAfee Security Scan Plus.lnk - c:\qoobox\Quarantine\C\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe.vir [2013-2-5 272248]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe /n [2005-5-4 81920]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\DivX\\DivX Media Server\\DivXMediaServer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Documents and Settings\\jason\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [01/07/2009 10:15 PM 136360]
R2 hshld;Hotspot Shield Service;c:\program files\Hotspot Shield\bin\cmw_srv.exe [25/07/2013 1:57 PM 853800]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [25/07/2013 1:57 PM 548136]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [11/10/2012 10:39 PM 63448]
R2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe [09/05/2008 1:43 PM 814728]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [18/09/2010 4:40 PM 114432]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [18/09/2010 4:40 PM 100736]
S3 Leapfrog-USBLAN;Leapfrog-USBLAN;c:\windows\system32\drivers\btblan.sys [01/01/2012 1:26 PM 33792]
S3 UCharger;Energizer Usb Charger Driver;c:\windows\system32\drivers\UCharger.sys [15/05/2007 9:43 AM 13765]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-08-04 02:08 1173456 ----a-w- c:\program files\Google\Chrome\Application\28.0.1500.95\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-06 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-04 02:50]
.
2010-04-24 c:\windows\Tasks\expressburnSevenDaysInit.job
- c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2010-04-24 02:08]
.
2013-09-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 00:27]
.
2013-09-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 00:27]
.
2013-08-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-46812269-3355033471-1508176883-1007Core.job
- c:\documents and settings\jason\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-11 01:07]
.
2013-09-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-46812269-3355033471-1508176883-1007UA.job
- c:\documents and settings\jason\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-11 01:07]
.
2013-08-18 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 22:20]
.
2013-06-14 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe [2007-04-20 03:42]
.
2013-09-10 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-46812269-3355033471-1508176883-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 01:09]
.
2013-08-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-46812269-3355033471-1508176883-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 01:09]
.
2010-04-24 c:\windows\Tasks\videopadSevenDays.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2010-04-24 02:08]
.
2010-04-24 c:\windows\Tasks\videopadShakeIcon.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2010-04-24 02:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{0D313A7F-B3A0-44C6-B14A-C22C6C109FD2}: NameServer = 192.168.2.1
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\jason\Application Data\Mozilla\Firefox\Profiles\xnlv2j0d.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - ExtSQL: !HIDDEN! 2009-09-05 22:36; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-McAfee Security Scan - c:\program files\McAfee Security Scan\uninstall.exe
AddRemove-SearchProtect - c:\program files\SearchProtect\bin\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-10 17:00
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-46812269-3355033471-1508176883-1007\Software\Microsoft\MessengerService\GroupStateCacheU\!÷d*÷**]
"Name"=hex:13,21,c3,03,b7,03,64,00,c3,03,b7,03,2a,00,00,00
"Collapsed"=hex:00,00,00,00
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3436)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\windows\system32\LxrSII1s.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\stsystra.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Lexmark X1100 Series\lxbkbmon.exe
c:\program files\Hotspot Shield\bin\hsscp.exe
c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
c:\program files\lg_fwupdate\fwupdate.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2013-09-10  17:07:38 - machine was rebooted
ComboFix-quarantined-files.txt  2013-09-10 20:07
ComboFix2.txt  2013-09-10 18:03
.
Pre-Run: 6,167,793,664 bytes free
Post-Run: 6,154,743,808 bytes free
.
- - End Of File - - 34B584091B6E1A7AAA130787E295CEAA
5CB90281D1A59B251F6603134774EEC3


#6 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:12:29 PM

Posted 10 September 2013 - 11:41 PM

Full System Scan with Malwarebytes Antimalware

  • If not existing, please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.


If the program is already installed:
  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform fullscan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.


Scan with ESET Online Scan

Please go here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file...
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#7 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:12:29 PM

Posted 15 September 2013 - 07:01 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

#8 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:12:29 PM

Posted 16 September 2013 - 04:28 AM

This topic has been re-opened at the request of the person who originally posted.

#9 Djtwin

  • Topic Starter
  • Members
  • 5 posts
  • Local time:08:29 AM

Posted 19 September 2013 - 07:50 PM

Logs attached, still shows virus in latest scan

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.09.15.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
jason :: LAPTOP [administrator]

Protection: Enabled

15/09/2013 11:38:54 AM
mbam-log-2013-09-15 (11-38-54).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 383919
Time elapsed: 1 hour(s), 53 minute(s), 12 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 3
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8B3FCE6F-6957-F76B-E00C-F04ECD619945} (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B1AD0894-4FA3-6917-041B-502584E5A970} (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\Documents and Settings\All Users\Application Data\IBUpdaterService (Adware.InstallBrain) -> Quarantined and deleted successfully.

Files Detected: 41
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP820\A0264664.exe (Trojan.Zbot.FVGen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP824\A0284561.ini (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP824\A0285565.ini (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP824\A0286565.ini (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP824\A0287565.ini (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP824\A0288565.ini (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP824\A0289565.ini (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP824\A0290574.ini (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP824\A0291660.exe (Backdoor.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP824\A0291694.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP824\A0291706.exe (Trojan.Agent.ED) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP824\A0291708.exe (Trojan.Agent.ED) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP824\A0291710.exe (Trojan.Dropper.ED) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP824\A0291661.exe (Backdoor.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP825\A0292043.ini (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP825\A0292047.exe (PUP.Optional.PCPerformer.A) -> Quarantined and deleted successfully.
C:\Program Files\HotSpot_Shield_Elite\HotSpot_Shield_EliteToolbarHelper.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\meprotection.exe.vir (Trojan.FakeAV) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\jason\winlogon.exe.vir (Trojan.Agent.ED) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\jason\Local Settings\Application Data\a256fb97-162a-4558-be23-08ae4bbcb195ad\afbabeaebbcbad.exe.vir (Trojan.Agent.ED) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\3199735.exe.vir (Trojan.Dropper.ED) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\DOCUME~1\jason\LOCALS~1\APPLIC~1\Google\Desktop\Install\{55941747-7f0b-0b8d-bc77-0adbf1fab079}\C3C1~1\01C8~1\CFFE~1\{55941747-7f0b-0b8d-bc77-0adbf1fab079}\GoogleUpdate.exe.vir (Backdoor.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\Google\Desktop\Install\{55941747-7f0b-0b8d-bc77-0adbf1fab079}\0103~1\0103~1\CFFE~1\{55941747-7f0b-0b8d-bc77-0adbf1fab079}\GoogleUpdate.exe.vir (Backdoor.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\Google\Desktop\Install\{55941747-7f0b-0b8d-bc77-0adbf1fab079}\0103~1\0103~1\CFFE~1\{55941747-7f0b-0b8d-bc77-0adbf1fab079}\U\00000004.@.vir (Rootkit.Zaccess) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\Google\Desktop\Install\{55941747-7f0b-0b8d-bc77-0adbf1fab079}\0103~1\0103~1\CFFE~1\{55941747-7f0b-0b8d-bc77-0adbf1fab079}\U\000000cb.@.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\Google\Desktop\Install\{55941747-7f0b-0b8d-bc77-0adbf1fab079}\0103~1\0103~1\CFFE~1\{55941747-7f0b-0b8d-bc77-0adbf1fab079}\U\80000000.@.vir (Trojan.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\roboot.exe.vir (PUP.Optional.PCPerformer.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\InstallMate\{9D77E9C9-74AA-43C2-A129-3C884694CB3F}\Setup.exe (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\InstallMate\{9D77E9C9-74AA-43C2-A129-3C884694CB3F}\TsuDll.dll (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\InstallMate\{D0ACEC01-C753-44EF-A604-8F710B4FCEF7}\Setup.exe (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\InstallMate\{D0ACEC01-C753-44EF-A604-8F710B4FCEF7}\TsuDll.dll (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\VisualBee\VisualBeeSoftware.exe (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\jason\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.50\agent\stub_data\stubinst_pkg_en-us.cab (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
C:\Documents and Settings\jason\Local Settings\Application Data\Conduit\CT2707060\HotSpot_Shield_EliteAutoUpdateHelper.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\jason\Local Settings\Temp\spbdmdb\smsbccp\wow.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\jason\My Documents\Downloads\Oz_the_Great_and_Powerful_(2013)_720p_BrRip_x264_-_YIFY_secure.exe (PUP.Optional.Topmedia) -> Quarantined and deleted successfully.
C:\Documents and Settings\jason\My Documents\Downloads\setup.exe (PUP.Optional.IBryte) -> Quarantined and deleted successfully.
C:\Documents and Settings\jason\My Documents\Downloads\SoftonicDownloader_for_soundfrost-music-downloader.exe (PUP.Optional.Softonic) -> Quarantined and deleted successfully.
C:\Documents and Settings\jason\My Documents\Downloads\Dexter.S08E02.HDTV.XviD-AFG_secure.exe (PUP.Optional.Topmedia) -> Quarantined and deleted successfully.
C:\Documents and Settings\jason\My Documents\Downloads\Winrar 4.20\keygen.exe (PUP.RiskwareTool.CK) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\IBUpdaterService\repository.xml (Adware.InstallBrain) -> Quarantined and deleted successfully.

(end)



#10 Djtwin

  • Topic Starter
  • Members
  • 5 posts
  • Local time:08:29 AM

Posted 19 September 2013 - 07:51 PM

and here's the second log

C:\Documents and Settings\jason\Desktop\temp fold\SetupImgBurn_2.5.7.0.exe a variant of Win32/Bundled.Toolbar.Ask application
C:\Documents and Settings\jason\My Documents\Downloads\setup-dm.exe a variant of Win32/Adware.Trymedia.A application
C:\Documents and Settings\jason\My Documents\Downloads\SoftonicDownloader_for_imgburn.exe Win32/SoftonicDownloader.E application
C:\Documents and Settings\jason\My Documents\Downloads\vlc-205-win32exe.exe a variant of Win32/OpenInstall application
C:\Documents and Settings\jason\My Documents\Downloads\vlcmediaplayer-setup.exe multiple threats
C:\Documents and Settings\jason\My Documents\Downloads\Yellow_Submarine_1968_DivX_-_velvetfog_secure.exe Win32/TopMedia.B application
C:\Documents and Settings\sabrina\Local Settings\Temporary Internet Files\Content.IE5\IP51BF6S\zedo_popunder[1].htm HTML/Iframe.B.Gen virus
C:\Documents and Settings\sabrina\Local Settings\Temporary Internet Files\Content.IE5\WAT8G2IN\entrypp[1].htm HTML/Iframe.B.Gen virus
C:\Documents and Settings\sabrina\Local Settings\Temporary Internet Files\Content.IE5\WAT8G2IN\screensavers_09[1].htm HTML/ScrInject.B.Gen virus
C:\Documents and Settings\sabrina\Local Settings\Temporary Internet Files\Content.IE5\X6ANU5PQ\3d[1].htm HTML/ScrInject.B.Gen virus
C:\Documents and Settings\sabrina\Local Settings\Temporary Internet Files\Content.IE5\X6ANU5PQ\3d_pg3[1].htm HTML/ScrInject.B.Gen virus
C:\Documents and Settings\sabrina\Local Settings\Temporary Internet Files\Content.IE5\X6ANU5PQ\PopDispatcher[1].js HTML/Iframe.B.Gen virus
C:\Program Files\Avira\AntiVir Desktop\ApnIC.dll a variant of Win32/Bundled.Toolbar.Ask application
C:\Program Files\Avira\AntiVir Desktop\ApnToolbarInstaller.exe a variant of Win32/Bundled.Toolbar.Ask application
C:\Program Files\Industriya\privitize\1.8.16.22\escortShld.dll Win32/Toolbar.Funmoods application
C:\Program Files\MagniPic\assistant.dll a variant of Win32/SProtector.A application
C:\Program Files\Mozilla Firefox\nsprotector.js Win32/Conduit.SearchProtect.A application
C:\Program Files\Mozilla Firefox\browser\nsprotector.js Win32/Conduit.SearchProtect.A application
C:\Qoobox\Quarantine\C\Documents and Settings\jason\Application Data\SearchProtect\bin\ChromeModule.dll.vir a variant of Win32/Conduit.SearchProtect.C application
C:\Qoobox\Quarantine\C\Documents and Settings\jason\Application Data\SearchProtect\bin\cltmng.exe.vir a variant of Win32/Conduit.SearchProtect.B application
C:\Qoobox\Quarantine\C\Documents and Settings\jason\Application Data\SearchProtect\bin\FirefoxModule.dll.vir a variant of Win32/Conduit.SearchProtect.C application
C:\Qoobox\Quarantine\C\Documents and Settings\jason\Application Data\SearchProtect\bin\InternetExplorerModule.dll.vir a variant of Win32/Conduit.SearchProtect.C application
C:\Qoobox\Quarantine\C\Documents and Settings\jason\Application Data\SearchProtect\bin\SPHook32.dll.vir probably a variant of Win32/Conduit.SearchProtect.C application
C:\Qoobox\Quarantine\C\Documents and Settings\jason\Application Data\SearchProtect\ffprotect\application.js.vir Win32/Conduit.SearchProtect.A application
C:\Qoobox\Quarantine\C\Documents and Settings\jason\Application Data\SearchProtect\ffprotect\nsprotector.js.vir Win32/Conduit.SearchProtect.A application
C:\Qoobox\Quarantine\C\Documents and Settings\jason\Application Data\SearchProtect\Res\SPSetup.exe.vir multiple threats
C:\Qoobox\Quarantine\C\Program Files\Google\Desktop\Install\{55941747-7f0b-0b8d-bc77-0adbf1fab079}\0103~1\0103~1\CFFE~1\{55941747-7f0b-0b8d-bc77-0adbf1fab079}\U\00000008.@.vir Win32/Conedex.T trojan
C:\Qoobox\Quarantine\C\Program Files\Google\Desktop\Install\{55941747-7f0b-0b8d-bc77-0adbf1fab079}\0103~1\0103~1\CFFE~1\{55941747-7f0b-0b8d-bc77-0adbf1fab079}\U\80000032.@.vir probably a variant of Win32/Sirefef.FV trojan
C:\Qoobox\Quarantine\C\Program Files\SearchProtect\bin\ChromeModule.dll.vir a variant of Win32/Conduit.SearchProtect.C application
C:\Qoobox\Quarantine\C\Program Files\SearchProtect\bin\cltmng.exe.vir a variant of Win32/Conduit.SearchProtect.B application
C:\Qoobox\Quarantine\C\Program Files\SearchProtect\bin\FirefoxModule.dll.vir a variant of Win32/Conduit.SearchProtect.C application
C:\Qoobox\Quarantine\C\Program Files\SearchProtect\bin\InternetExplorerModule.dll.vir a variant of Win32/Conduit.SearchProtect.C application
C:\Qoobox\Quarantine\C\Program Files\SearchProtect\bin\SPHook32.dll.vir probably a variant of Win32/Conduit.SearchProtect.C application
C:\Qoobox\Quarantine\C\Program Files\SearchProtect\ffprotect\application.js.vir Win32/Conduit.SearchProtect.A application
C:\Qoobox\Quarantine\C\Program Files\SearchProtect\ffprotect\nsprotector.js.vir Win32/Conduit.SearchProtect.A application
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP819\A0263623.exe Win32/PowerLoader.A trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP824\A0291695.dll a variant of Win32/Conduit.SearchProtect.C application
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP824\A0291696.exe a variant of Win32/Conduit.SearchProtect.B application
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP824\A0291698.dll a variant of Win32/Conduit.SearchProtect.C application
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP824\A0291699.dll a variant of Win32/Conduit.SearchProtect.C application
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP824\A0291702.dll probably a variant of Win32/Conduit.SearchProtect.C application
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP824\A0291704.exe multiple threats
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP824\A0291926.dll a variant of Win32/Conduit.SearchProtect.C application
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP824\A0291927.exe a variant of Win32/Conduit.SearchProtect.B application
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP824\A0291929.dll a variant of Win32/Conduit.SearchProtect.C application
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP824\A0291930.dll a variant of Win32/Conduit.SearchProtect.C application
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP824\A0291933.dll probably a variant of Win32/Conduit.SearchProtect.C application