
ZeroAccess rootkit infection


This topic is locked. 29 replies to this topic.

#1 Randallw (Members, 18 posts)

Posted 11 September 2013 - 02:41 AM

This problem began with a popup window directing to ad.xtendmedia.com, featuring the 'warning' that the computer is infected with spyware. I received assistance from BC Advisor, running Security Check, Farbar Service Scanner, MiniToolBox, Malwarebytes, MBytes Anti-rootkit, and RKill.

Thread is here:

http://www.bleepingcomputer.com/forums/t/507204/infection-with-adxtendmediacom-popup-window/

Then I ran the DDS Tool.

Log:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.25.2
Run by RandallW at 0:25:36 on 2013-09-11
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.2040.949 [GMT -7:00]
.
AV: Trend Micro Titanium 2012 *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: ZoneAlarm Free Firewall Firewall *Enabled*
.
============== Running Processes ================
.
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
C:\Program Files\Western Digital\WD Drive Manager\WDDriveService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\HP\KBD\KBD.EXE
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Western Digital\WD Print Share\WDPrintShare.exe
C:\Program Files\Western Digital\WD Quick View\WDDMStatus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Check Point Software Technologies LTD\zonealarm\AbineSDK\IE\DNTPService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.zonealarm.com/?src=hp&tbid=base2013&Lan=en&gu=c4b8c7ed20484759b4c089c7600e6253&tu=10GX000892B0008&sku=&tstsId=&ver=&
uURLSearchHooks: OLE (Part 1 of 5):  - LocalServer32 - <no file>
uURLSearchHooks: FCToolbarURLSearchHook Class: {f3954c17-b785-b6e4-e583-60efe47cb84a} - c:\program files\mypoints toolbar\Helper.dll
BHO: TmIEPlugInBHO Class: {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -
BHO: Zonealarm Helper Object: {2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C} - c:\program files\check point software technologies ltd\zonealarm\1.8.11.11\bh\zonealarm.dll
BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users\application data\realnetworks\realdownloader\browserplugins\ie\rndlbrowserrecordplugin.dll
BHO: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - <orphaned>
BHO: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - <orphaned>
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: ZoneAlarm Security Engine Registrar: {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: MyPoints Toolbar BHO: {948548C2-1801-7A14-F509-7FE523202B1D} - c:\program files\mypoints toolbar\Toolbar.dll
BHO: PrintMe: {97387E2B-B2FA-4E4A-A607-F3B5C134F71C} - c:\program files\efi\printmetoolbar\htpmcap.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.8313.1002\swg.dll
BHO: TmBpIeBHO Class: {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} -
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ZoneAlarm Security Engine: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: MyPoints Toolbar: {5495B7A2-8F65-DEE4-A9FF-9BB6409140D4} - c:\program files\mypoints toolbar\Toolbar.dll
TB: PrintMe: {97387E2B-B2FA-4E4A-A607-F3B5C134F71C} - c:\program files\efi\printmetoolbar\htpmcap.dll
TB: FlashGet Bar: {E0E899AB-F487-11D5-8D29-0050BA6940E3} - c:\program files\flashget\fgiebar.dll
TB: ZoneAlarm Security Toolbar: {438FAE3E-BDEF-44D3-AB8B-0C7C8350DF59} - c:\program files\check point software technologies ltd\zonealarm\1.8.11.11\zonealarmTlbr.dll
TB: MyPoints Toolbar: {5495B7A2-8F65-DEE4-A9FF-9BB6409140D4} - c:\program files\mypoints toolbar\Toolbar.dll
TB: ZoneAlarm Security Engine: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [CPQEASYACC] c:\program files\compaq\easy access button support\StartEAK.exe
mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver\LVCOMS.EXE
mRun: [Motive SmartBridge] c:\progra~1\sbcsel~1\smartb~1\MotiveSB.exe
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [MediaFace Integration] c:\program files\fellowes\mediaface 4.2\SetHook.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [ZoneAlarm] "c:\program files\checkpoint\zonealarm\zatray.exe"
mRun: [Trend Micro Titanium] "c:\program files\trend micro\titanium\uiframework\uiWinMgr.exe" -set Silent "1" SplashURL ""
mRun: [Trend Micro Client Framework] "c:\program files\trend micro\uniclient\uifrmwrk\UIWatchDog.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe"  -osboot
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [ISW] <no file>
mRunOnce: [ (A0)] cmd /c "c:\documents and settings\randallw\desktop\mbar\mbar.exe" /rdv /s
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\at&tse~1.lnk - c:\program files\sbc self support tool\bin\matcli.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: Download All by FlashGet - c:\program files\flashget\jc_all.htm
IE: Download using FlashGet - c:\program files\flashget\jc_link.htm
IE: {2499216C-4BA5-11D5-BD9C-000103C116D5} - {2499216C-4BA5-11D5-BD9C-000103C116D5} - c:\program files\yahoo!\common\ylogin.dll
IE: {6224f700-cba3-4071-b251-47cb894244cd} - c:\progra~1\icq\ICQ.exe
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\progra~1\flashget\flashget.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - hxxp://biz.lgservice.com/DjvuViewer/DjVuControl-6.1.4.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {18C3FD15-74F6-4280-9C98-3590C966B7B8} - hxxp://www.worldwinner.com/games/v47/skillgam/skillgam.cab
DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} - hxxp://www.worldwinner.com/games/v48/brickout/brickout.cab
DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} - hxxp://www.worldwinner.com/games/v50/pool/pool.cab
DPF: {357A8DEC-0CAC-4D8D-9869-C2C356B844F7} - hxxp://192.168.2.4/RSVideoOcx.cab
DPF: {4AB16005-E995-4A60-89DE-8B8A3E6EB5B0} - hxxp://www.worldwinner.com/games/v56/trivialpursuit/trivialpursuit.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {555F1BBC-6EC2-474F-84AF-633EF097FF54} - hxxp://www.worldwinner.com/games/v53/wwhearts/wwhearts.cab
DPF: {61900274-3323-4446-BDCD-91548D32AF1B} - hxxp://www.worldwinner.com/games/v56/spidersolitaire/spidersolitaire.cab
DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} - hxxp://www.worldwinner.com/games/v49/blockwerx/blockwerx.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1341102748290
DPF: {64CD313F-F079-4D93-959F-4D28B5519449} - hxxp://www.worldwinner.com/games/v56/jeopardy/jeopardy.cab
DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} - hxxp://www.worldwinner.com/games/v41/freecell/freecell.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1341102733805
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {8F2EACD9-51A6-4915-B9AD-2AA8657CB472} - hxxps://webpostage.stamps.com/webpostage/plugin/SdcWebClientServices.cab
DPF: {8F6E7FB2-E56B-4F66-A4E1-9765D2565280} - hxxp://www.worldwinner.com/games/launcher/ie/v2.23.01.0/iewwload.cab
DPF: {95A311CD-EC8E-452A-BCEC-B844EB616D03} - hxxp://www.worldwinner.com/games/v51/bejeweledtwist/bejeweledtwist.cab
DPF: {A021A215-6CDC-44B4-8C16-90491CED9605} - hxxp://www.worldwinner.com/games/v68/clue/clue.cab
DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://download.yahoo.com/dl/installs/ymail/ymmapi.dll
DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} - hxxp://www.worldwinner.com/games/v41/hangman/hangman.cab
DPF: {BA35B9B8-DE9E-47C9-AFA7-3C77E3DDFD39} - hxxp://www.worldwinner.com/games/v46/monopoly/monopoly.cab
DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} - hxxp://www.worldwinner.com/games/v42/tilecity/tilecity.cab
DPF: {BB637307-92FA-47EC-B3F7-6969078673CC} - hxxp://www.worldwinner.com/games/v45/royal/royal.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {C5326A4D-E9AA-40AD-A09A-E74304D86B47} - hxxp://www.worldwinner.com/games/v52/dinerdash/dinerdash.cab
DPF: {C82BB209-F528-46F9-96D5-69DEF7260916} - hxxp://www.worldwinner.com/games/v45/mysterypi/mysterypi.cab
DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} - hxxp://www.worldwinner.com/games/v43/paint/paint.cab
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} - hxxp://www.worldwinner.com/games/v44/golfsol/golfsol.cab
DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} - hxxp://www.worldwinner.com/games/v54/wwspades/wwspades.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{1AEFF1E5-635F-41BD-91E2-06A7B06AE393} : DHCPNameServer = 192.168.1.1
Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} -
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} -
Notify: avldr - avldr.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages =  scecli scecli scecli scecli
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\29.0.1547.66\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\randallw\application data\mozilla\firefox\profiles\9001sjv9.default\
FF - prefs.js: browser.search.selectedEngine - Search and Earn Points!
FF - prefs.js: browser.startup.homepage - about:home
FF - plugin: c:\documents and settings\all users\application data\realnetworks\realdownloader\browserplugins\mozillaplugins\nprndlchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\realnetworks\realdownloader\browserplugins\mozillaplugins\nprndlhtml5videoshim.dll
FF - plugin: c:\documents and settings\all users\application data\realnetworks\realdownloader\browserplugins\mozillaplugins\nprndlpepperflashvideoshim.dll
FF - plugin: c:\documents and settings\all users\application data\realnetworks\realdownloader\browserplugins\npdlplugin.dll
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\checkpoint\zaforcefield\trustchecker\bin\npFFApi.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: c:\program files\google\update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprpplugin.dll
FF - plugin: c:\program files\worldwinner.com, inc\worldwinner games\npwwload.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1168638.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_8_800_94.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - plugin: c:\windows\system32\npwmsdrm.dll
FF - ExtSQL: 2013-08-25 00:18; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.zonealarm.rvrtMsg - Click Yes to keep current home page and default search settings, Click No to restore original settings
FF - user.js: extensions.zonealarm.autoRvrt - true
FF - user.js: extensions.zonealarm_i.newTab - false
FF - user.js: extensions.zonealarm.tlbrSrchUrl - hxxp://search.zonealarm.com/search?Source=ToolBar&oemCode=ZLN27938900269373-1013&toolbarId=base&affiliateId=1600&Lan=en&utid=28cd6f1400000000000000e018a0d8f9&q=
FF - user.js: extensions.zonealarm.id - 28cd6f1400000000000000e018a0d8f9
FF - user.js: extensions.zonealarm.instlDay - 15423
FF - user.js: extensions.zonealarm.vrsn - 1.5.20.3
FF - user.js: extensions.zonealarm.vrsni - 1.5.20.3
FF - user.js: extensions.zonealarm_i.vrsnTs - 1.5.20.321:18:04
FF - user.js: extensions.zonealarm.prtnrId - checkpoint
FF - user.js: extensions.zonealarm.prdct - zonealarm
FF - user.js: extensions.zonealarm.aflt - 1600
FF - user.js: extensions.zonealarm_i.smplGrp - none
FF - user.js: extensions.zonealarm.tlbrId - base
FF - user.js: extensions.zonealarm.instlRef - ZLN27938900269373-1013
FF - user.js: extensions.zonealarm.dfltLng - en
FF - user.js: extensions.zonealarm.excTlbr - false
FF - user.js: extensions.zonealarm.admin - false
FF - user.js: extensions.BabylonToolbar.tlbrSrchUrl - hxxp://search.babylon.com/?babsrc=TB_def&mntrId=28cd6f1400000000000000e018a0d8f9&q=
FF - user.js: extensions.BabylonToolbar.id - 28cd6f1400000000000000e018a0d8f9
FF - user.js: extensions.BabylonToolbar.appId - {BDB69379-802F-4eaf-B541-F8DE92DD98DB}
FF - user.js: extensions.BabylonToolbar.instlDay - 15687
FF - user.js: extensions.BabylonToolbar.vrsn - 1.8.4.9
FF - user.js: extensions.BabylonToolbar.vrsni - 1.8.4.9
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.8.4.910:17:18
FF - user.js: extensions.BabylonToolbar.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar.tlbrId - base
FF - user.js: extensions.BabylonToolbar.instlRef - sst
FF - user.js: extensions.BabylonToolbar.dfltLng - en
FF - user.js: extensions.BabylonToolbar_i.excTlbr - false
FF - user.js: extensions.BabylonToolbar.excTlbr - false
FF - user.js: extensions.BabylonToolbar.admin - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=109220&tt=5012_8
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar.autoRvrt - false
FF - user.js: extensions.BabylonToolbar.rvrt - false
FF - user.js: extensions.BabylonToolbar_i.newTab - false
.
============= SERVICES / DRIVERS ===============
.
R0 ElbyVCD;ElbyVCD;c:\windows\system32\drivers\ElbyVCD.sys [2002-11-28 22016]
R1 bpfinder;BACKPACK Finder;c:\windows\system32\drivers\bpfinder.sys [2007-8-3 62279]
R1 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2012-3-23 76648]
R1 Vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2013-3-27 527848]
R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2012-3-16 27056]
R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2012-3-16 497320]
R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\realnetworks\realdownloader\rndlresolversvc.exe [2012-11-29 38608]
R2 vsmon;TrueVector Internet Monitor;c:\program files\checkpoint\zonealarm\vsmon.exe -service --> c:\program files\checkpoint\zonealarm\vsmon.exe -service [?]
R2 WDDriveService;WD Drive Manager;c:\program files\western digital\wd drive manager\WDDriveService.exe [2012-2-27 247704]
R3 bpflt;BACKPACK Filter;c:\windows\system32\drivers\bpflt.sys [2007-8-3 4538]
R3 bpusbflt;BACKPACK USB Filter;c:\windows\system32\drivers\bpusbflt.sys [2004-6-23 10653]
R3 WDUDSMBus;UDS Master Bus of Kernel USB Software Bus by TCP;c:\windows\system32\drivers\WDUDSMBus.sys [2012-4-16 91264]
R3 WDUDSTcpBus;WDUDSTcpBus;c:\windows\system32\drivers\WDUDSTcpBus.sys [2012-4-16 146688]
S?4 mbamchameleon;mbamchameleon;\??\c:\windows\system32\drivers\mbamchameleon.sys --> c:\windows\system32\drivers\mbamchameleon.sys [?]
S?4 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\MBAMSwissArmy.sys [?]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S1 tvtool;tvtool;c:\program files\tvtool 8 base\TVTOOL.SYS [1996-4-3 5248]
S2 Amsp;Trend Micro Solution Platform;c:\program files\trend micro\amsp\coreServiceShell.exe [2012-3-23 200632]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\drivers\ssadadb.sys [2012-1-20 30312]
S3 bppccard;BACKPACK PC Card;c:\windows\system32\drivers\bppccard.sys [2003-9-29 5493]
S3 bppnpdrv;BACKPACK Driver;c:\windows\system32\drivers\bppnpdrv.sys [2007-8-3 19670]
S3 bpusbdrv;BACKPACK USB 1 Cable;c:\windows\system32\drivers\bpusbdrv.sys [2011-9-28 109708]
S3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys --> c:\windows\system32\drivers\dgderdrv.sys [?]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [2010-12-13 23456]
S3 EraserUtilDrv10741;EraserUtilDrv10741;\??\c:\program files\common files\symantec shared\eengine\eraserutildrv10741.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrv10741.sys [?]
S3 JumpShot;Lexar Media USB Compact Flash Driver;c:\windows\system32\drivers\LEXAR2K.SYS [2001-10-19 16969]
S3 NUVision;Pinnacle LINX;c:\windows\system32\drivers\Nuvision.sys [2004-2-14 136352]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2012-1-20 121064]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [2012-1-20 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [2012-1-20 136808]
S3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);c:\windows\system32\drivers\ssadserd.sys [2012-1-20 114280]
S3 SUNPLUS;SightCAM PC-100p;c:\windows\system32\drivers\spixnew.sys --> c:\windows\system32\drivers\SPIXNEW.SYS [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== File Associations ===============
.
ShellExec: corelpnt.exe: cancel=c:\corel50\programs\CORELPNT.EXE
ShellExec: corelpnt.exe: print=c:\corel50\programs\CORELPNT.EXE
.
=============== Created Last 30 ================
.
2013-09-10 17:33:54 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes' Anti-Malware (portable)
2013-08-30 06:24:01 869656 ----a-w- c:\program files\mozilla firefox\uninstall\helper.exe
2013-08-25 07:00:42 -------- d-----w- c:\documents and settings\all users\application data\Western Digital
2013-08-25 06:57:55 -------- d-----w- c:\program files\Western Digital
.
==================== Find3M  ====================
.
2013-09-11 07:00:42 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-11 07:00:42 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-09-11 06:53:27 4746 ----a-w- c:\windows\compaq.reg
.
============= FINISH:  0:27:24.40 ===============
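The Pseudo HJT section of the DDS log above is the part a malware responder reads first. The following Python is an added example (not from the thread and not part of DDS) that parses entries in that format and flags those whose file is missing or orphaned, one CLSID registered with two different files, or an ActiveX (DPF) control fetched from a private address; the two 'Example Bar' lines in its sample are constructed to show the conflict case.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log.

Added example, not part of the thread and not code from the DDS tool.
It reads entries in the shape DDS prints them (uURLSearchHooks:, BHO:,
TB:, mRun:, DPF:) and flags what a responder looks at first:
  * missing_target   - a registration whose file is <no file>, <orphaned>
                       or simply absent (the line ends in ' -');
  * clsid_conflict   - one CLSID registered with two different files;
  * dpf_private_host - an ActiveX control (DPF) downloaded from a private
                       address rather than a vendor site.
Exact repeats of a toolbar line are not flagged: DDS lists toolbar
registrations from more than one registry key, so those are expected.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in DDS format. Most lines mirror entries in the log
# above; the 'Example Bar' pair is made up to show a conflicting CLSID.
SAMPLE_LOG = r"""
uURLSearchHooks: OLE (Part 1 of 5):  - LocalServer32 - <no file>
BHO: TmIEPlugInBHO Class: {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -
BHO: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - <orphaned>
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
TB: MyPoints Toolbar: {5495B7A2-8F65-DEE4-A9FF-9BB6409140D4} - c:\program files\mypoints toolbar\Toolbar.dll
TB: MyPoints Toolbar: {5495B7A2-8F65-DEE4-A9FF-9BB6409140D4} - c:\program files\mypoints toolbar\Toolbar.dll
TB: Example Bar: {00000000-1111-2222-3333-444444444444} - c:\program files\example\bar.dll
TB: Example Bar: {00000000-1111-2222-3333-444444444444} - c:\docume~1\user\applic~1\bar.dll
mRun: [ISW] <no file>
Notify: avldr - avldr.dll
DPF: {357A8DEC-0CAC-4D8D-9869-C2C356B844F7} - hxxp://192.168.2.4/RSVideoOcx.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING = {"", "<no file>", "<orphaned>"}


def refang(url):
    """DDS writes hxxp:// so a log cannot be clicked by accident; undo that."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def parse_entry(line):
    """Split 'KIND: body' into kind, CLSID (if any) and the target file/URL."""
    if ": " not in line:
        return None
    kind, body = line.split(": ", 1)
    body = body.strip()
    match = CLSID_RE.search(body)
    clsid = match.group(0).upper() if match else None
    if kind in ("mRun", "uRun", "mRunOnce"):
        # Run entries look like '[Name] command'; the command is the target.
        target = body.split("] ", 1)[1] if "] " in body else ""
    elif body.endswith(" -"):
        target = ""            # separator present but nothing after it
    elif " - " in body:
        target = body.rsplit(" - ", 1)[1]
    else:
        target = body
    return {"kind": kind, "body": body, "clsid": clsid, "target": target.strip()}


def host_is_private(url):
    """True when the URL host is an IP literal in a private range."""
    host = urlparse(refang(url)).hostname
    if host is None:
        return False
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:         # a hostname, not an IP literal
        return False


def triage(log_text):
    """Return (flag, line) pairs for entries worth a second look."""
    entries = [e for e in (parse_entry(l) for l in log_text.splitlines()) if e]
    # Distinct targets each BHO/TB CLSID is registered with.
    targets = defaultdict(set)
    for e in entries:
        if e["clsid"] and e["kind"] in ("BHO", "TB"):
            targets[(e["kind"], e["clsid"])].add(e["target"].lower())
    findings = []
    for e in entries:
        line = f"{e['kind']}: {e['body']}"
        if e["target"] in MISSING:
            findings.append(("missing_target", line))
        if e["clsid"] and len(targets.get((e["kind"], e["clsid"]), ())) > 1:
            findings.append(("clsid_conflict", line))
        if e["kind"] == "DPF" and host_is_private(e["target"]):
            findings.append(("dpf_private_host", line))
    return findings


if __name__ == "__main__":
    for flag, line in triage(SAMPLE_LOG):
        print(f"{flag:18} {line}")
```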
 

 


#2 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 11 September 2013 - 03:04 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

 

 

Scan with aswMBR

Please download aswMBR ( 4.5MB ) to your desktop.

  • Double click the aswMBR.exe icon, and click Run.
  • There will be a short delay before the next dialog box comes up. Please just wait a minute or two.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Typically this is about a 100MB download so depending on your connection speed it can take a short while to download and become ready.
  • Click the Scan button to start the scan once the update has finished downloading.
  • On completion of the scan, click the Save log button, save it to your desktop, then copy and paste it in your next reply.

Note: There will also be a file on your desktop named MBR.dat. Do not delete this for now. It is an actual backup of the MBR (master boot record).

 

 

 

 

Add/remove programs

Click on start-->control panel.

Vista/7: Open Programs and Features
XP: Open add/remove programs

Search for and remove the following programs:

MyPoints Toolbar
ZoneAlarm Security Toolbar
ZoneAlarm LTD Toolbar

 



Close the window.
Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 Randallw (Topic Starter, 18 posts)

Posted 12 September 2013 - 03:26 AM

aswMBR log:

 

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-09-11 10:29:32
-----------------------------
10:29:32.578    OS Version: Windows 5.1.2600 Service Pack 3
10:29:32.578    Number of processors: 1 586 0x204
10:29:32.578    ComputerName: COMPAQDESKTOP  UserName: RandallW
10:29:33.609    Initialize success
10:36:38.218    AVAST engine defs: 13091100
15:34:00.828    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
15:34:00.859    Disk 0 Vendor: WDC_WD400EB-11CPF0 06.04G06 Size: 38166MB BusType: 3
15:34:00.921    Disk 1  \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c
15:34:00.953    Disk 1 Vendor: WDC_WD1200JB-00FUA0 15.05R15 Size: 114473MB BusType: 3
15:34:01.250    Disk 0 MBR read successfully
15:34:01.250    Disk 0 MBR scan
15:34:01.593    Disk 0 unknown MBR code
15:34:01.593    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS        38154 MB offset 63
15:34:01.906    Disk 0 scanning sectors +78140160
15:34:01.937    Disk 0 malicious Win32:MBRoot code @ sector 78140163 !
15:34:02.484    Disk 0 scanning C:\WINDOWS\system32\drivers
15:36:07.140    Service scanning
15:38:18.046    Modules scanning
15:38:46.906    Disk 0 trace - called modules:
15:38:46.953    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
15:38:46.984    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8bf36ab8]
15:38:47.015    3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\00000073[0x8bf796b0]
15:38:47.015    5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x8bf31d98]
15:38:49.906    AVAST engine scan C:\WINDOWS
15:39:27.140    AVAST engine scan C:\WINDOWS\system32
16:06:43.078    AVAST engine scan C:\WINDOWS\system32\drivers
16:09:01.203    AVAST engine scan C:\Documents and Settings\RandallW
17:18:41.187    AVAST engine scan C:\Documents and Settings\All Users
17:35:51.609    File: C:\Documents and Settings\All Users\Application Data\WorldWinner\plantsvzombies\null0.870031748165995.exe  **INFECTED** Win32:MalOb-FN [Cryp]
17:39:02.734    Scan finished successfully
23:10:55.531    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\RandallW\Desktop\MBR.dat"
23:10:55.843    The log file has been saved successfully to "C:\Documents and Settings\RandallW\Desktop\aswMBR.txt"
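The aswMBR hit above is at sector 78140163, beyond the NTFS partition that starts at offset 63 and past the point (+78140160) where the tool begins its raw-sector scan. This added example (not from the thread and not aswMBR code) parses those lines and reports which disk region each flagged sector falls in; it assumes 512-byte sectors and a 1024*1024-byte MB.

```python
"""Work out where a sector flagged by aswMBR sits on the disk.

Added example; not part of the thread and not code from aswMBR. It parses
the per-disk lines the tool prints (size, partition table, the sector at
which its raw-sector scan starts, and 'malicious ... code @ sector' hits)
and classifies each hit as inside a listed partition, in the unpartitioned
tail after the last partition, or past the end of the disk. Assumes
512-byte sectors and MB = 1024*1024 bytes; the MB figures in the log are
rounded, so the tool's own 'scanning sectors +N' value is used as the
start of the tail rather than the computed partition end.
"""
import re

SECTORS_PER_MB = (1024 * 1024) // 512   # 2048

# Constructed sample in aswMBR's format (values as in the log above).
SAMPLE = r"""
15:34:00.828    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
15:34:00.859    Disk 0 Vendor: WDC_WD400EB-11CPF0 06.04G06 Size: 38166MB BusType: 3
15:34:01.593    Disk 0 unknown MBR code
15:34:01.593    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS        38154 MB offset 63
15:34:01.906    Disk 0 scanning sectors +78140160
15:34:01.937    Disk 0 malicious Win32:MBRoot code @ sector 78140163 !
"""

SIZE_RE = re.compile(r"Disk (\d+) Vendor: .*?Size: (\d+)MB")
PART_RE = re.compile(
    r"Disk (\d+) Partition (\d+) (\S+)\s+(\(A\)\s+)?(\S+)\s+.*?(\d+) MB offset (\d+)")
SCAN_RE = re.compile(r"Disk (\d+) scanning sectors \+(\d+)")
HIT_RE = re.compile(r"Disk (\d+) malicious (\S+) code @ sector (\d+)")


def parse(log_text):
    """Collect per-disk geometry and findings, keyed by disk number."""
    disks = {}
    for line in log_text.splitlines():
        for regex in (SIZE_RE, PART_RE, SCAN_RE, HIT_RE):
            m = regex.search(line)
            if m:
                break
        else:
            continue                     # not a line we care about
        d = disks.setdefault(m.group(1), {"size_mb": None, "partitions": [],
                                          "scan_start": None, "hits": []})
        if regex is SIZE_RE:
            d["size_mb"] = int(m.group(2))
        elif regex is PART_RE:
            d["partitions"].append({"number": int(m.group(2)),
                                    "active": m.group(4) is not None,
                                    "type": m.group(5),
                                    "size_mb": int(m.group(6)),
                                    "offset": int(m.group(7))})
        elif regex is SCAN_RE:
            d["scan_start"] = int(m.group(2))
        else:
            d["hits"].append({"signature": m.group(2), "sector": int(m.group(3))})
    return disks


def partition_range(p):
    """First sector and one-past-last sector covered by a partition entry."""
    start = p["offset"]
    return start, start + p["size_mb"] * SECTORS_PER_MB


def classify(disk, sector):
    """Name the disk region a sector falls in."""
    for p in disk["partitions"]:
        start, end = partition_range(p)
        if start <= sector < end:
            return "partition", p["number"]
    if disk["size_mb"] is not None and sector >= disk["size_mb"] * SECTORS_PER_MB:
        return "beyond_disk", None
    if disk["scan_start"] is not None and sector >= disk["scan_start"]:
        return "unpartitioned_tail", None
    return "gap", None   # before the first partition or between partitions


def report(log_text):
    """One record per flagged sector, with its location on the disk."""
    out = []
    for disk_id, disk in parse(log_text).items():
        for hit in disk["hits"]:
            location, part = classify(disk, hit["sector"])
            out.append({"disk": disk_id, "signature": hit["signature"],
                        "sector": hit["sector"], "location": location,
                        "partition": part})
    return out


if __name__ == "__main__":
    for rec in report(SAMPLE):
        print(rec)
```

A hit in the unpartitioned tail lies outside any file system, so a file-level scan cannot reach it; only a sector-level tool such as the one used here reports it.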

 



#4 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 12 September 2013 - 03:44 AM

Please upload the files within the code box below here: http://www.bleepingcomputer.com/submit-malware.php?channel=156

C:\Documents and Settings\RandallW\Desktop\MBR.dat
C:\Documents and Settings\All Users\Application Data\WorldWinner\plantsvzombies\null0.870031748165995.exe


#5 Randallw (Topic Starter, 18 posts)

Posted 13 September 2013 - 02:58 AM

I have uploaded the files.



#6 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 15 September 2013 - 06:29 AM

Combofix

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT - Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications


====================================================


Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


[image: RC_update.png]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


[image: cfRC_screen_2.png]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.



#7 Randallw (Topic Starter, 18 posts)

Posted 16 September 2013 - 03:57 AM

ComboFix 13-09-14.01 - RandallW 09/15/2013  23:27:03.6.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.2040.1185 [GMT -7:00]
Running from: c:\documents and settings\RandallW\Desktop\ComboFix.exe
AV: Trend Micro Titanium 2012 *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: ZoneAlarm Free Firewall Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\MyNetDashboard.ico
c:\documents and settings\All Users\Application Data\WDInternetSecurityAndParentalControl.ico
c:\documents and settings\RandallW\Application Data\5f456feb
c:\documents and settings\RandallW\Application Data\a83d1811
c:\documents and settings\RandallW\Application Data\bf989014
c:\documents and settings\RandallW\Error.log
c:\documents and settings\RandallW\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences
c:\windows\wininit.ini
D:\RealPlayer.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-16 to 2013-09-16  )))))))))))))))))))))))))))))))
.
.
2013-09-10 17:33 . 2013-09-10 18:24    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-08-25 07:00 . 2013-08-25 07:00    --------    d-----w-    c:\documents and settings\All Users\Application Data\Western Digital
2013-08-25 06:57 . 2013-08-25 07:21    --------    d-----w-    c:\program files\Western Digital
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-16 07:02 . 2009-02-15 06:50    4746    ----a-w-    c:\windows\compaq.reg
2013-09-13 07:00 . 2012-04-01 18:30    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-09-13 07:00 . 2011-05-14 19:33    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CPQEASYACC"="c:\program files\COMPAQ\Easy Access Button Support\StartEAK.exe" [2001-12-14 32768]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-11-13 98304]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"MediaFace Integration"="c:\program files\Fellowes\MediaFACE 4.2\SetHook.exe" [2005-09-05 53248]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-03 61440]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2013-03-27 73832]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2012-12-18 1304296]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2012-02-27 133424]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2013-01-25 295072]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-05-11 958576]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-10-25 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"WD UDS Control Center"="c:\program files\Western Digital\WD Print Share\WDPrintShare.exe" [2012-04-18 19841536]
"WD Quick View"="c:\program files\Western Digital\WD Quick View\WDDMStatus.exe" [2012-02-28 5234072]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"(A0)"="c:\documents and settings\RandallW\Desktop\mbar\mbar.exe" [2013-08-13 1178424]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2010-12-26 221247]
AT&T Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe -boot [2007-5-28 217088]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
2008-03-18 23:58    58672    ----a-w-    c:\windows\system32\avldr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=APTRRNTm.dll
"wave"=APTRRNTm.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-10-25 10:12    421888    ----a-w-    c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-07-10 01:18    39408    -c--a-w-    c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2013-01-25 09:03    295072    ----a-w-    c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ccPxySvc"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"PhotoshopElementsDeviceConnect"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
R0 ElbyVCD;ElbyVCD;c:\windows\system32\drivers\ElbyVCD.sys [11/28/2002 3:43 AM 22016]
R1 bpfinder;BACKPACK Finder;c:\windows\system32\drivers\bpfinder.sys [8/3/2007 10:57 AM 62279]
R1 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [3/23/2012 9:54 PM 76648]
R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [3/16/2012 9:06 AM 27056]
R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [3/16/2012 9:07 AM 497320]
R3 bpflt;BACKPACK Filter;c:\windows\system32\drivers\bpflt.sys [8/3/2007 10:57 AM 4538]
R3 bpusbflt;BACKPACK USB Filter;c:\windows\system32\drivers\bpusbflt.sys [6/23/2004 1:13 PM 10653]
R3 WDUDSMBus;UDS Master Bus of Kernel USB Software Bus by TCP;c:\windows\system32\drivers\WDUDSMBus.sys [4/16/2012 11:55 AM 91264]
R3 WDUDSTcpBus;WDUDSTcpBus;c:\windows\system32\drivers\WDUDSTcpBus.sys [4/16/2012 11:53 AM 146688]
S?4 mbamchameleon;mbamchameleon;\??\c:\windows\system32\drivers\mbamchameleon.sys --> c:\windows\system32\drivers\mbamchameleon.sys [?]
S?4 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\MBAMSwissArmy.sys --> c:\windows\system32\drivers\MBAMSwissArmy.sys [?]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 tvtool;tvtool;c:\program files\TVTool 8 base\TVTOOL.SYS [4/3/1996 11:33 AM 5248]
S2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe [3/23/2012 9:52 PM 200632]
S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\drivers\ssadadb.sys [1/20/2012 2:39 PM 30312]
S3 bppccard;BACKPACK PC Card;c:\windows\system32\drivers\bppccard.sys [9/29/2003 9:40 AM 5493]
S3 bppnpdrv;BACKPACK Driver;c:\windows\system32\drivers\bppnpdrv.sys [8/3/2007 10:57 AM 19670]
S3 bpusbdrv;BACKPACK USB 1 Cable;c:\windows\system32\drivers\bpusbdrv.sys [9/28/2011 11:53 AM 109708]
S3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys --> c:\windows\system32\drivers\dgderdrv.sys [?]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [12/13/2010 12:11 AM 23456]
S3 EraserUtilDrv10741;EraserUtilDrv10741;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10741.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10741.sys [?]
S3 JumpShot;Lexar Media USB Compact Flash Driver;c:\windows\system32\drivers\LEXAR2K.SYS [10/19/2001 2:57 PM 16969]
S3 NUVision;Pinnacle LINX;c:\windows\system32\drivers\Nuvision.sys [2/14/2004 9:05 PM 136352]
S3 Pcouffin;Low level access layer for CD devices;c:\windows\system32\Drivers\Pcouffin.sys --> c:\windows\system32\Drivers\Pcouffin.sys [?]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [1/20/2012 2:39 PM 121064]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [1/20/2012 2:39 PM 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [1/20/2012 2:39 PM 136808]
S3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);c:\windows\system32\drivers\ssadserd.sys [1/20/2012 2:39 PM 114280]
S3 SUNPLUS;SightCAM PC-100p;c:\windows\system32\Drivers\SPIXNEW.SYS --> c:\windows\system32\Drivers\SPIXNEW.SYS [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ASWMBR
*Deregistered* - aswMBR
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper    REG_MULTI_SZ       getPlusHelper
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-09-04 13:00    1177552    ----a-w-    c:\program files\Google\Chrome\Application\29.0.1547.66\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-16 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-01 07:00]
.
2013-09-15 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-10 01:31]
.
2013-09-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-02-18 01:29]
.
2013-09-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-02-18 01:29]
.
2013-09-15 c:\windows\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-793999233-1439906313-590260106-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 23:30]
.
2013-09-15 c:\windows\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-793999233-1439906313-590260106-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 23:30]
.
2013-09-10 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-793999233-1439906313-590260106-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 23:30]
.
2013-09-15 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-793999233-1439906313-590260106-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 23:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.zonealarm.com/?src=hp&tbid=base2013&Lan=en&gu=c4b8c7ed20484759b4c089c7600e6253&tu=10GX000892B0008&sku=&tstsId=&ver=&
IE: Download All by FlashGet - c:\program files\FlashGet\jc_all.htm
IE: Download using FlashGet - c:\program files\FlashGet\jc_link.htm
Trusted Zone: pchlotto.com\www
Trusted Zone: spamcop.net\www
TCP: DhcpNameServer = 192.168.1.1
DPF: Microsoft XML Parser for Java
DPF: {357A8DEC-0CAC-4D8D-9869-C2C356B844F7} - hxxp://192.168.2.4/RSVideoOcx.cab
DPF: {8F2EACD9-51A6-4915-B9AD-2AA8657CB472} - hxxps://webpostage.stamps.com/webpostage/plugin/SdcWebClientServices.cab
DPF: {A305FBA3-4A87-483D-A53B-138F9F635357}
DPF: {AF697529-9D41-4647-8D80-9E2D74696D5E}
DPF: {BE153019-DCDB-479E-827B-C2AAB8CDCA64}
FF - ProfilePath - c:\documents and settings\RandallW\Application Data\Mozilla\Firefox\Profiles\9001sjv9.default\
FF - prefs.js: browser.search.selectedEngine - Search and Earn Points!
FF - prefs.js: browser.startup.homepage - about:home
FF - ExtSQL: 2013-08-25 00:18; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: extensions.zonealarm.rvrtMsg - Click Yes to keep current home page and default search settings, Click No to restore original settings
FF - user.js: extensions.zonealarm.autoRvrt - true
FF - user.js: extensions.zonealarm_i.newTab - false
FF - user.js: extensions.zonealarm.tlbrSrchUrl - hxxp://search.zonealarm.com/search?Source=ToolBar&oemCode=ZLN27938900269373-1013&toolbarId=base&affiliateId=1600&Lan=en&utid=28cd6f1400000000000000e018a0d8f9&q=
FF - user.js: extensions.zonealarm.id - 28cd6f1400000000000000e018a0d8f9
FF - user.js: extensions.zonealarm.instlDay - 15423
FF - user.js: extensions.zonealarm.vrsn - 1.5.20.3
FF - user.js: extensions.zonealarm.vrsni - 1.5.20.3
FF - user.js: extensions.zonealarm_i.vrsnTs - 1.5.20.321:18
FF - user.js: extensions.zonealarm.prtnrId - checkpoint
FF - user.js: extensions.zonealarm.prdct - zonealarm
FF - user.js: extensions.zonealarm.aflt - 1600
FF - user.js: extensions.zonealarm_i.smplGrp - none
FF - user.js: extensions.zonealarm.tlbrId - base
FF - user.js: extensions.zonealarm.instlRef - ZLN27938900269373-1013
FF - user.js: extensions.zonealarm.dfltLng - en
FF - user.js: extensions.zonealarm.excTlbr - false
FF - user.js: extensions.zonealarm.admin - false
FF - user.js: extensions.BabylonToolbar.tlbrSrchUrl - hxxp://search.babylon.com/?babsrc=TB_def&mntrId=28cd6f1400000000000000e018a0d8f9&q=
FF - user.js: extensions.BabylonToolbar.id - 28cd6f1400000000000000e018a0d8f9
FF - user.js: extensions.BabylonToolbar.appId - {BDB69379-802F-4eaf-B541-F8DE92DD98DB}
FF - user.js: extensions.BabylonToolbar.instlDay - 15687
FF - user.js: extensions.BabylonToolbar.vrsn - 1.8.4.9
FF - user.js: extensions.BabylonToolbar.vrsni - 1.8.4.9
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.8.4.910:17
FF - user.js: extensions.BabylonToolbar.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar.tlbrId - base
FF - user.js: extensions.BabylonToolbar.instlRef - sst
FF - user.js: extensions.BabylonToolbar.dfltLng - en
FF - user.js: extensions.BabylonToolbar_i.excTlbr - false
FF - user.js: extensions.BabylonToolbar.excTlbr - false
FF - user.js: extensions.BabylonToolbar.admin - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=109220&tt=5012_8
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar.autoRvrt - false
FF - user.js: extensions.BabylonToolbar.rvrt - false
FF - user.js: extensions.BabylonToolbar_i.newTab - false
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-ISW - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-16 01:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{6CB39D60-4086-B7F8-381D8F903EAF6AF0}\{AFC2635D-FADA-3E20-D0B5B6B6E250D71B}\{28C204A2-D9FA-6C6E-1B551E281BAD6C81}*]
"NRDFOBLVNAUE2QOGEQXAH1Y2DD1"=hex:01,00,01,00,00,00,00,00,b0,0a,ac,41,7a,16,04,
   de,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_174_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_174_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7D123B2E-0C5F-D919-194C2B3C78E1FEC1}\{313463E6-9B37-5C56-F570B6CAA31EBA6B}\{14D54DC1-EDC1-0F67-65A1433CC409F39D}*]
"NRDFOBLVNAUE2QOGEQXAH1Y2DD1"=hex:01,00,01,00,00,00,00,00,b0,0a,ac,41,7a,16,04,
   de,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(740)
c:\windows\system32\avldr.dll
.
Completion time: 2013-09-16  01:19:15
ComboFix-quarantined-files.txt  2013-09-16 08:18
.
Pre-Run: 7,956,746,240 bytes free
Post-Run: 7,999,713,280 bytes free
.
- - End Of File - - 524C9321AB529BE4E5B0BE663D5B4FC2
24BF22B59C30B9B11E1AF62CFC3C418E
 



#8 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:07:33 AM

Posted 16 September 2013 - 04:06 AM

Combofix scripting

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.


[image: CFScriptB-4.gif, CFScript.txt being dragged onto ComboFix.exe]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

 

 

 

 

Full System Scan with Malwarebytes Antimalware

  • If not existing, please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.


If the program is already installed:
  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.

Attached Files


Proud Member of UNITE & TB

My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#9 Randallw

Randallw
  • Topic Starter

  • Members
  • 18 posts
  • Local time:10:33 PM

Posted 18 September 2013 - 01:00 PM

Seems a lot of people have this infection and it is hard to delete?

 

ComboFix log:

 

ComboFix 13-09-17.01 - RandallW 09/18/2013   1:43.7.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.2040.1475 [GMT -7:00]
Running from: c:\documents and settings\RandallW\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\RandallW\Desktop\CFScript.txt
AV: Trend Micro Titanium 2012 *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: ZoneAlarm Free Firewall Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-18 to 2013-09-18  )))))))))))))))))))))))))))))))
.
.
2013-09-17 06:51 . 2012-06-02 22:18    275696    ----a-w-    c:\windows\system32\mucltui.dll
2013-09-17 06:51 . 2013-09-17 06:51    --------    d-----w-    c:\windows\LastGood
2013-09-10 17:33 . 2013-09-10 18:24    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-09-05 14:04 . 2013-09-05 14:04    209272    ----a-w-    c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2013-09-05 14:04 . 2013-09-05 14:04    209272    ----a-w-    c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2013-08-30 06:24 . 2013-08-14 17:56    869656    ----a-w-    c:\program files\Mozilla Firefox\uninstall\helper.exe
2013-08-25 07:00 . 2013-08-25 07:00    --------    d-----w-    c:\documents and settings\All Users\Application Data\Western Digital
2013-08-25 06:57 . 2013-08-25 07:21    --------    d-----w-    c:\program files\Western Digital
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-18 09:03 . 2009-02-15 06:50    4746    ----a-w-    c:\windows\compaq.reg
2013-09-13 07:00 . 2012-04-01 18:30    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-09-13 07:00 . 2011-05-14 19:33    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CPQEASYACC"="c:\program files\COMPAQ\Easy Access Button Support\StartEAK.exe" [2001-12-14 32768]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-11-13 98304]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"MediaFace Integration"="c:\program files\Fellowes\MediaFACE 4.2\SetHook.exe" [2005-09-05 53248]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-03 61440]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2013-03-27 73832]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2012-12-18 1304296]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2012-02-27 133424]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2013-01-25 295072]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-05-11 958576]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-10-25 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"WD UDS Control Center"="c:\program files\Western Digital\WD Print Share\WDPrintShare.exe" [2012-04-18 19841536]
"WD Quick View"="c:\program files\Western Digital\WD Quick View\WDDMStatus.exe" [2012-02-28 5234072]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2012-11-22 738984]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2010-12-26 221247]
AT&T Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe -boot [2007-5-28 217088]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
2008-03-18 23:58    58672    ----a-w-    c:\windows\system32\avldr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=APTRRNTm.dll
"wave"=APTRRNTm.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-10-25 10:12    421888    ----a-w-    c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-07-10 01:18    39408    -c--a-w-    c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2013-01-25 09:03    295072    ----a-w-    c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ccPxySvc"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"PhotoshopElementsDeviceConnect"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Western Digital\\WD Print Share\\WDPrintShare.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7436:UDP"= 7436:UDP:Control Center UDP Port
.
R0 ElbyVCD;ElbyVCD;c:\windows\system32\drivers\ElbyVCD.sys [11/28/2002 3:43 AM 22016]
R1 bpfinder;BACKPACK Finder;c:\windows\system32\drivers\bpfinder.sys [8/3/2007 10:57 AM 62279]
R1 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [3/23/2012 9:54 PM 76648]
R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [3/16/2012 9:06 AM 27056]
R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [3/16/2012 9:07 AM 497320]
R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe [11/29/2012 9:31 PM 38608]
R2 WDDriveService;WD Drive Manager;c:\program files\Western Digital\WD Drive Manager\WDDriveService.exe [2/27/2012 5:05 PM 247704]
R3 bpflt;BACKPACK Filter;c:\windows\system32\drivers\bpflt.sys [8/3/2007 10:57 AM 4538]
R3 bpusbflt;BACKPACK USB Filter;c:\windows\system32\drivers\bpusbflt.sys [6/23/2004 1:13 PM 10653]
R3 WDUDSMBus;UDS Master Bus of Kernel USB Software Bus by TCP;c:\windows\system32\drivers\WDUDSMBus.sys [4/16/2012 11:55 AM 91264]
R3 WDUDSTcpBus;WDUDSTcpBus;c:\windows\system32\drivers\WDUDSTcpBus.sys [4/16/2012 11:53 AM 146688]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 tvtool;tvtool;c:\program files\TVTool 8 base\TVTOOL.SYS [4/3/1996 11:33 AM 5248]
S2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe [3/23/2012 9:52 PM 200632]
S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\drivers\ssadadb.sys [1/20/2012 2:39 PM 30312]
S3 bppccard;BACKPACK PC Card;c:\windows\system32\drivers\bppccard.sys [9/29/2003 9:40 AM 5493]
S3 bppnpdrv;BACKPACK Driver;c:\windows\system32\drivers\bppnpdrv.sys [8/3/2007 10:57 AM 19670]
S3 bpusbdrv;BACKPACK USB 1 Cable;c:\windows\system32\drivers\bpusbdrv.sys [9/28/2011 11:53 AM 109708]
S3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys --> c:\windows\system32\drivers\dgderdrv.sys [?]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [12/13/2010 12:11 AM 23456]
S3 EraserUtilDrv10741;EraserUtilDrv10741;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10741.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10741.sys [?]
S3 JumpShot;Lexar Media USB Compact Flash Driver;c:\windows\system32\drivers\LEXAR2K.SYS [10/19/2001 2:57 PM 16969]
S3 NUVision;Pinnacle LINX;c:\windows\system32\drivers\Nuvision.sys [2/14/2004 9:05 PM 136352]
S3 Pcouffin;Low level access layer for CD devices;c:\windows\system32\Drivers\Pcouffin.sys --> c:\windows\system32\Drivers\Pcouffin.sys [?]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [1/20/2012 2:39 PM 121064]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [1/20/2012 2:39 PM 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [1/20/2012 2:39 PM 136808]
S3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);c:\windows\system32\drivers\ssadserd.sys [1/20/2012 2:39 PM 114280]
S3 SUNPLUS;SightCAM PC-100p;c:\windows\system32\Drivers\SPIXNEW.SYS --> c:\windows\system32\Drivers\SPIXNEW.SYS [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - BITS
*NewlyCreated* - WUAUSERV
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper    REG_MULTI_SZ       getPlusHelper
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-09-04 13:00    1177552    ----a-w-    c:\program files\Google\Chrome\Application\29.0.1547.66\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-01 07:00]
.
2013-09-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-10 01:31]
.
2013-09-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-02-18 01:29]
.
2013-09-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-02-18 01:29]
.
2013-09-17 c:\windows\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-793999233-1439906313-590260106-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 23:30]
.
2013-09-17 c:\windows\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-793999233-1439906313-590260106-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 23:30]
.
2013-09-17 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-793999233-1439906313-590260106-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 23:30]
.
2013-09-15 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-793999233-1439906313-590260106-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 23:30]
.
.
------- Supplementary Scan -------
.
IE: Download All by FlashGet - c:\program files\FlashGet\jc_all.htm
IE: Download using FlashGet - c:\program files\FlashGet\jc_link.htm
Trusted Zone: pchlotto.com\www
Trusted Zone: spamcop.net\www
TCP: DhcpNameServer = 192.168.1.1
DPF: Microsoft XML Parser for Java
DPF: {357A8DEC-0CAC-4D8D-9869-C2C356B844F7} - hxxp://192.168.2.4/RSVideoOcx.cab
DPF: {8F2EACD9-51A6-4915-B9AD-2AA8657CB472} - hxxps://webpostage.stamps.com/webpostage/plugin/SdcWebClientServices.cab
DPF: {A305FBA3-4A87-483D-A53B-138F9F635357}
DPF: {AF697529-9D41-4647-8D80-9E2D74696D5E}
DPF: {BE153019-DCDB-479E-827B-C2AAB8CDCA64}
FF - ProfilePath - c:\documents and settings\RandallW\Application Data\Mozilla\Firefox\Profiles\9001sjv9.default\
FF - ExtSQL: 2013-08-25 00:18; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-18 02:18
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{6CB39D60-4086-B7F8-381D8F903EAF6AF0}\{AFC2635D-FADA-3E20-D0B5B6B6E250D71B}\{28C204A2-D9FA-6C6E-1B551E281BAD6C81}*]
"NRDFOBLVNAUE2QOGEQXAH1Y2DD1"=hex:01,00,01,00,00,00,00,00,b0,0a,ac,41,7a,16,04,
   de,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_174_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_174_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7D123B2E-0C5F-D919-194C2B3C78E1FEC1}\{313463E6-9B37-5C56-F570B6CAA31EBA6B}\{14D54DC1-EDC1-0F67-65A1433CC409F39D}*]
"NRDFOBLVNAUE2QOGEQXAH1Y2DD1"=hex:01,00,01,00,00,00,00,00,b0,0a,ac,41,7a,16,04,
   de,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(728)
c:\windows\system32\avldr.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'lsass.exe'(784)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'explorer.exe'(4088)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\msi.dll
.
Completion time: 2013-09-18  02:26:09
ComboFix-quarantined-files.txt  2013-09-18 09:25
ComboFix2.txt  2013-09-16 08:19
.
Pre-Run: 7,967,944,704 bytes free
Post-Run: 7,950,311,424 bytes free
.
- - End Of File - - 8BAF2C37A3711A4A0023294E6F2C1795
24BF22B59C30B9B11E1AF62CFC3C418E
 

=================================================

 

Malwarebytes Anti Malware log:

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.09.18.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
RandallW :: COMPAQDESKTOP [administrator]

9/18/2013 2:31:27 AM
mbam-log-2013-09-18 (02-31-27).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 474014
Time elapsed: 2 hour(s), 35 minute(s), 41 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCR\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB} (PUP.Optional.BabylonToolBar.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Google\Chrome\Extensions\pfmopbbadnfoelckkcmjjeaaegjpjjbk (PUP.Optional.Gophoto.A) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\Program Files\Gophoto.it (PUP.Optional.Gophoto.A) -> Quarantined and deleted successfully.

Files Detected: 3
C:\websaves\winhex.zip[setup.exe] (Trojan.Ransom) -> Quarantined and deleted successfully.
C:\websaves\winhex11.zip (Trojan.Ransom) -> Quarantined and deleted successfully.
C:\Program Files\Gophoto.it\gophotoit14.crx (PUP.Optional.Gophoto.A) -> Quarantined and deleted successfully.

(end)
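Both ComboFix runs above carry the same three registry-level signs: the "wave" and "mixer" entries under Drivers32 pointing at APTRRNTm.dll, locked keys under HKLM\software\Classes\CLSID whose path components are not well-formed GUIDs, and Security Center and firewall-policy values set so that the AV and firewall status is never reported. The Python below is an added example, not part of this thread or of ComboFix, that parses those registry sections out of a ComboFix log and flags each of them. The sample log is constructed from the lines posted above; the stock Drivers32 handler (wdmaud.drv) and the value-name lists are assumptions to tune against your own clean baseline.

```python
"""Triage the registry sections of a ComboFix log for ZeroAccess-style indicators.

Added example, not part of the thread or of ComboFix itself. The sample log
is constructed from lines posted in the thread; the stock Drivers32 handler
set and the value-name lists are assumptions to tune for your own baseline.
"""
import re

# Constructed from the ComboFix output posted above (Reg Loading Points and
# LOCKED REGISTRY KEYS sections), with unrelated lines dropped.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=APTRRNTm.dll
"wave"=APTRRNTm.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{6CB39D60-4086-B7F8-381D8F903EAF6AF0}\{AFC2635D-FADA-3E20-D0B5B6B6E250D71B}\{28C204A2-D9FA-6C6E-1B551E281BAD6C81}*]
"NRDFOBLVNAUE2QOGEQXAH1Y2DD1"=hex:01,00,01,00,00,00,00,00,b0,0a,ac,41,7a,16,04,
   de,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
GUID_RE = re.compile(
    r"^\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}$"
)
# Assumption: on Windows XP the stock 'wave'/'mixer'/'midi'/'aux' handler is wdmaud.drv.
STOCK_DRIVERS32 = {"wdmaud.drv"}
MM_HOOK_RE = re.compile(r"^(wave|mixer|midi|aux)\d*$")
# Security Center values that hide AV/firewall status when set to 1.
SILENCING_VALUES = {"AntiVirusOverride", "FirewallOverride", "DisableMonitoring"}


def parse_reg_blocks(text):
    """Return [(key_path, {value_name: value_data}), ...] for every [key] block."""
    blocks, key, values = [], None, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            if key is not None:
                blocks.append((key, values))
            key, values = m.group(1), {}
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:          # hex continuation lines and '.' separators fall through
            values[m.group(1)] = m.group(2).strip()
    if key is not None:
        blocks.append((key, values))
    return blocks


def reg_int(data):
    """Decode 'dword:00000001' or '1 (0x1)' style data; None if not numeric."""
    m = re.match(r"^dword:([0-9A-Fa-f]{8})$", data)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"^(\d+)", data)
    return int(m.group(1)) if m else None


def is_guid(component):
    return bool(GUID_RE.match(component))


def triage(text):
    """Return (indicator, key, detail) tuples for everything worth a second look."""
    findings = []
    for key, values in parse_reg_blocks(text):
        key_l = key.lower()
        # 1. CLSID-style path components that are not well-formed GUIDs. COM
        #    registration never creates these; the locked keys in the log use
        #    8-4-4-16 hex groups instead of 8-4-4-4-12.
        for part in key.split("\\"):
            part = part.rstrip("*")
            if part.startswith("{") and part.endswith("}") and not is_guid(part):
                findings.append(("malformed-guid", key, part))
        # 2. Drivers32 multimedia hooks: winmm.dll loads the named DLL into any
        #    process that enumerates or opens a wave/mixer device, so a non-stock
        #    DLL here is a user-mode loader reached from ordinary applications.
        if key_l.endswith("\\drivers32"):
            for name, data in values.items():
                if MM_HOOK_RE.match(name.lower()) and data.lower() not in STOCK_DRIVERS32:
                    findings.append(("drivers32-hijack", key, f"{name}={data}"))
        # 3. Security Center silenced and the built-in firewall policy turned off.
        if "security center" in key_l:
            for name, data in values.items():
                if name in SILENCING_VALUES and reg_int(data) == 1:
                    findings.append(("security-center-silenced", key, name))
        if "firewallpolicy" in key_l:
            if reg_int(values.get("EnableFirewall", "")) == 0:
                findings.append(("firewall-policy-weakened", key, "EnableFirewall=0"))
            if reg_int(values.get("DisableNotifications", "")) == 1:
                findings.append(("firewall-policy-weakened", key, "DisableNotifications=1"))
    return findings


if __name__ == "__main__":
    for indicator, key, detail in triage(SAMPLE_LOG):
        print(f"{indicator:26} {detail:40} {key}")
```

Run it with no arguments to triage the embedded sample, or feed the text of C:\ComboFix.txt to `triage()` for a real log. ComboFix already omits default Drivers32 entries (its "legit default entries are not shown" note), so on an actual log any Drivers32 line is worth a look; the allow-list matters when the same check is pointed at a raw registry export.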
 



#10 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:07:33 AM

Posted 19 September 2013 - 02:48 AM

Yes, ZeroAccess is a pain.

 

 

Scan with ESET Online Scan

Please go here to run the online scanner from ESET.

  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats' , then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.



#11 Randallw

Randallw
  • Topic Starter

  • Members
  • 18 posts
  • Local time:10:33 PM

Posted 22 September 2013 - 01:11 AM

ESET scan log:

 

C:\Documents and Settings\RandallW\Local Settings\Application Data\{2B093B25-EA20-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul    JS/Redirector.NIQ trojan
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.5.20.3\zonealarmApp.dll    a variant of Win32/Toolbar.Montiera.A application
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.5.20.3\zonealarmEng.dll    probably a variant of Win32/Toolbar.Montiera.A application
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.5.20.3\zonealarmsrv.exe    a variant of Win32/Toolbar.Montiera.A application
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.5.20.3\zonealarmTlbr.dll    a variant of Win32/Toolbar.Montiera.F application
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.5.20.3\bh\zonealarm.dll    a variant of Win32/Toolbar.Escort.A application
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.11.11\zonealarmApp.dll    a variant of Win32/Toolbar.Montiera.A application
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.11.11\zonealarmEng.dll    probably a variant of Win32/Toolbar.Montiera.A application
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.11.11\zonealarmsrv.exe    a variant of Win32/Toolbar.Montiera.A application
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.11.11\zonealarmTlbr.dll    a variant of Win32/Toolbar.Montiera.F application
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.11.11\bh\zonealarm.dll    a variant of Win32/Toolbar.Escort.A application
C:\Program Files\GoforFiles\uninstall.exe    a variant of Win32/ExpressFiles.B application
C:\Program Files\OpinionSquare\opls.dll    a variant of Win32/Adware.RK.AM application
C:\Program Files\OpinionSquare\opnsqr.exe    a variant of Win32/Adware.RK.AE application
C:\Program Files\OpinionSquare\opservice.exe    a variant of Win32/Adware.RK application
C:\Program Files\OpinionSquare\components\opxg.dll    a variant of Win32/Adware.RK.AM application
C:\Program Files\OpinionSquare\firefox\opnx.dll    a variant of Win32/Adware.RK.AM application
C:\websaves\dvdxplatkey.zip    a variant of Win32/Keygen.AF application
C:\WINDOWS\system32\opls.dll    a variant of Win32/Adware.RK.AM application
D:\zlsSetup_70_483_000_en.exe    a variant of Win32/AdInstaller application
Operating memory    multiple threats
 



#12 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:07:33 AM

Posted 23 September 2013 - 07:50 AM

Combofix scripting

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.


[animated image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#13 Randallw

  • Topic Starter
  • Members
  • 18 posts
  • Local time:10:33 PM

Posted 24 September 2013 - 01:22 PM

ComboFix 13-09-23.02 - RandallW 09/24/2013   0:31.9.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.2040.1360 [GMT -7:00]
Running from: c:\documents and settings\RandallW\Desktop\ComboFix.exe
AV: Trend Micro Titanium 2012 *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: ZoneAlarm Free Firewall Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\opls.dll
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-24 to 2013-09-24  )))))))))))))))))))))))))))))))
.
.
2013-09-22 00:04 . 2013-09-22 00:04    --------    d-----w-    c:\program files\ESET
2013-09-19 10:20 . 2013-09-19 10:20    --------    d-----w-    c:\program files\MSXML 4.0
2013-09-19 10:06 . 2013-09-19 10:20    --------    d-----w-    c:\windows\system32\MRT
2013-09-19 07:47 . 2013-08-08 06:05    522240    -c----w-    c:\windows\system32\dllcache\jsdbgui.dll
2013-09-19 06:45 . 2013-05-28 00:41    6144    ----a-w-    c:\windows\system32\xpsp4res.dll
2013-09-19 06:23 . 2013-09-24 15:20    --------    d-----w-    c:\program files\OpinionSquare
2013-09-19 06:21 . 2013-09-19 06:22    --------    d-----w-    c:\documents and settings\RandallW\Local Settings\Application Data\Deployment
2013-09-17 06:51 . 2012-06-02 22:18    275696    ----a-w-    c:\windows\system32\mucltui.dll
2013-09-10 17:33 . 2013-09-10 18:24    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-09-05 14:04 . 2013-09-05 14:04    209272    ----a-w-    c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2013-09-05 14:04 . 2013-09-05 14:04    209272    ----a-w-    c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2013-08-30 06:24 . 2013-08-14 17:56    869656    ----a-w-    c:\program files\Mozilla Firefox\uninstall\helper.exe
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-24 16:49 . 2009-02-15 06:50    4746    ----a-w-    c:\windows\compaq.reg
2013-09-19 18:01 . 2012-04-01 18:30    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-09-19 18:01 . 2011-05-14 19:33    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-08-09 01:56 . 2004-05-04 19:44    386560    ----a-w-    c:\windows\system32\themeui.dll
2013-08-08 06:05 . 2004-05-04 19:45    1469440    ----a-w-    c:\windows\system32\inetcpl.cpl
2013-08-08 06:05 . 2004-05-04 19:45    43520    ----a-w-    c:\windows\system32\licmgr10.dll
2013-08-08 06:05 . 2004-02-07 01:05    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-08-08 06:05 . 2002-08-13 05:18    18944    ----a-w-    c:\windows\system32\corpol.dll
2013-08-08 01:27 . 2012-03-23 03:18    1877760    ----a-w-    c:\windows\system32\win32k.sys
2013-08-08 00:02 . 2004-08-04 05:59    385024    ----a-w-    c:\windows\system32\html.iec
2013-08-05 13:30 . 2004-06-21 01:03    1289728    ----a-w-    c:\windows\system32\ole32.dll
2013-08-03 21:18 . 2006-10-19 05:47    1543680    ----a-w-    c:\windows\system32\wmvdecod.dll
2013-07-10 10:37 . 2004-05-04 19:44    406016    ----a-w-    c:\windows\system32\usp10.dll
2013-07-04 02:59 . 2012-03-23 03:18    2193536    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-07-04 02:08 . 2012-03-23 03:18    2070144    ----a-w-    c:\windows\system32\ntkrnlpa.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CPQEASYACC"="c:\program files\COMPAQ\Easy Access Button Support\StartEAK.exe" [2001-12-14 32768]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-11-13 98304]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"MediaFace Integration"="c:\program files\Fellowes\MediaFACE 4.2\SetHook.exe" [2005-09-05 53248]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-03 61440]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2013-03-27 73832]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2012-12-18 1304296]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2012-02-27 133424]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2013-01-25 295072]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-05-11 958576]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-10-25 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"WD UDS Control Center"="c:\program files\Western Digital\WD Print Share\WDPrintShare.exe" [2012-04-18 19841536]
"WD Quick View"="c:\program files\Western Digital\WD Quick View\WDDMStatus.exe" [2012-02-28 5234072]
"ISW"="" [BU]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2010-12-26 221247]
AT&T Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe -boot [2007-5-28 217088]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
2008-03-18 23:58    58672    ----a-w-    c:\windows\system32\avldr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=APTRRNTm.dll
"wave"=APTRRNTm.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-10-25 10:12    421888    ----a-w-    c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-07-10 01:18    39408    -c--a-w-    c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2013-01-25 09:03    295072    ----a-w-    c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ccPxySvc"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"PhotoshopElementsDeviceConnect"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Western Digital\\WD Print Share\\WDPrintShare.exe"=
"c:\\program files\\opinionsquare\\opnsqr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7436:UDP"= 7436:UDP:Control Center UDP Port
.
R0 ElbyVCD;ElbyVCD;c:\windows\system32\drivers\ElbyVCD.sys [11/28/2002 3:43 AM 22016]
R1 bpfinder;BACKPACK Finder;c:\windows\system32\drivers\bpfinder.sys [8/3/2007 10:57 AM 62279]
R1 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [3/23/2012 9:54 PM 76648]
R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [3/16/2012 9:06 AM 27056]
R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [3/16/2012 9:07 AM 497320]
R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe [11/29/2012 9:31 PM 38608]
R2 WDDriveService;WD Drive Manager;c:\program files\Western Digital\WD Drive Manager\WDDriveService.exe [2/27/2012 5:05 PM 247704]
R3 bpflt;BACKPACK Filter;c:\windows\system32\drivers\bpflt.sys [8/3/2007 10:57 AM 4538]
R3 bpusbflt;BACKPACK USB Filter;c:\windows\system32\drivers\bpusbflt.sys [6/23/2004 1:13 PM 10653]
R3 WDUDSMBus;UDS Master Bus of Kernel USB Software Bus by TCP;c:\windows\system32\drivers\WDUDSMBus.sys [4/16/2012 11:55 AM 91264]
R3 WDUDSTcpBus;WDUDSTcpBus;c:\windows\system32\drivers\WDUDSTcpBus.sys [4/16/2012 11:53 AM 146688]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 tvtool;tvtool;c:\program files\TVTool 8 base\TVTOOL.SYS [4/3/1996 11:33 AM 5248]
S2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe [3/23/2012 9:52 PM 200632]
S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\drivers\ssadadb.sys [1/20/2012 2:39 PM 30312]
S3 bppccard;BACKPACK PC Card;c:\windows\system32\drivers\bppccard.sys [9/29/2003 9:40 AM 5493]
S3 bppnpdrv;BACKPACK Driver;c:\windows\system32\drivers\bppnpdrv.sys [8/3/2007 10:57 AM 19670]
S3 bpusbdrv;BACKPACK USB 1 Cable;c:\windows\system32\drivers\bpusbdrv.sys [9/28/2011 11:53 AM 109708]
S3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys --> c:\windows\system32\drivers\dgderdrv.sys [?]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [12/13/2010 12:11 AM 23456]
S3 EraserUtilDrv10741;EraserUtilDrv10741;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10741.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10741.sys [?]
S3 JumpShot;Lexar Media USB Compact Flash Driver;c:\windows\system32\drivers\LEXAR2K.SYS [10/19/2001 2:57 PM 16969]
S3 NUVision;Pinnacle LINX;c:\windows\system32\drivers\Nuvision.sys [2/14/2004 9:05 PM 136352]
S3 Pcouffin;Low level access layer for CD devices;c:\windows\system32\Drivers\Pcouffin.sys --> c:\windows\system32\Drivers\Pcouffin.sys [?]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [1/20/2012 2:39 PM 121064]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [1/20/2012 2:39 PM 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [1/20/2012 2:39 PM 136808]
S3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);c:\windows\system32\drivers\ssadserd.sys [1/20/2012 2:39 PM 114280]
S3 SUNPLUS;SightCAM PC-100p;c:\windows\system32\Drivers\SPIXNEW.SYS --> c:\windows\system32\Drivers\SPIXNEW.SYS [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper    REG_MULTI_SZ       getPlusHelper
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-09-20 06:11    1177552    ----a-w-    c:\program files\Google\Chrome\Application\29.0.1547.76\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-24 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-01 18:01]
.
2013-09-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-10 01:31]
.
2013-09-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-02-18 01:29]
.
2013-09-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-02-18 01:29]
.
2013-09-24 c:\windows\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-793999233-1439906313-590260106-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 23:30]
.
2013-09-24 c:\windows\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-793999233-1439906313-590260106-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 23:30]
.
2013-09-24 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-793999233-1439906313-590260106-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 23:30]
.
2013-09-22 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-793999233-1439906313-590260106-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 23:30]
.
.
------- Supplementary Scan -------
.
IE: Download All by FlashGet - c:\program files\FlashGet\jc_all.htm
IE: Download using FlashGet - c:\program files\FlashGet\jc_link.htm
Trusted Zone: pchlotto.com\www
Trusted Zone: spamcop.net\www
TCP: DhcpNameServer = 192.168.1.1
DPF: Microsoft XML Parser for Java
DPF: {357A8DEC-0CAC-4D8D-9869-C2C356B844F7} - hxxp://192.168.2.4/RSVideoOcx.cab
DPF: {8F2EACD9-51A6-4915-B9AD-2AA8657CB472} - hxxps://webpostage.stamps.com/webpostage/plugin/SdcWebClientServices.cab
DPF: {A305FBA3-4A87-483D-A53B-138F9F635357}
DPF: {AF697529-9D41-4647-8D80-9E2D74696D5E}
DPF: {BE153019-DCDB-479E-827B-C2AAB8CDCA64}
FF - ProfilePath - c:\documents and settings\RandallW\Application Data\Mozilla\Firefox\Profiles\9001sjv9.default\
FF - ExtSQL: 2013-08-25 00:18; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - ExtSQL: 2013-09-18 23:25; {C7AE725D-FA5C-4027-BB4C-787EF9F8248A}; c:\program files\OpinionSquare\firefox
.
- - - - ORPHANS REMOVED - - - -
.
Notify-OpinionSquare - c:\windows\system32\opls.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-24 09:50
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{6CB39D60-4086-B7F8-381D8F903EAF6AF0}\{AFC2635D-FADA-3E20-D0B5B6B6E250D71B}\{28C204A2-D9FA-6C6E-1B551E281BAD6C81}*]
"NRDFOBLVNAUE2QOGEQXAH1Y2DD1"=hex:01,00,01,00,00,00,00,00,b0,0a,ac,41,7a,16,04,
   de,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7D123B2E-0C5F-D919-194C2B3C78E1FEC1}\{313463E6-9B37-5C56-F570B6CAA31EBA6B}\{14D54DC1-EDC1-0F67-65A1433CC409F39D}*]
"NRDFOBLVNAUE2QOGEQXAH1Y2DD1"=hex:01,00,01,00,00,00,00,00,b0,0a,ac,41,7a,16,04,
   de,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\avldr.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'lsass.exe'(788)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'explorer.exe'(628)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\progra~1\SBCSEL~1\SMARTB~1\SBHook.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\compaq\Compaq Advisor\bin\compaq-rba.exe
c:\windows\system32\nvsvc32.exe
c:\windows\wanmpsvc.exe
c:\program files\Compaq\Easy Access Button Support\CPQEADM.EXE
c:\compaq\EAKDRV\EAUSBKBD.EXE
c:\windows\system32\RUNDLL32.EXE
c:\progra~1\Compaq\EASYAC~1\BttnServ.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
.
**************************************************************************
.
Completion time: 2013-09-24  10:03:20 - machine was rebooted
ComboFix-quarantined-files.txt  2013-09-24 17:02
ComboFix2.txt  2013-09-18 09:26
ComboFix3.txt  2013-09-16 08:19
.
Pre-Run: 7,585,943,552 bytes free
Post-Run: 7,903,391,744 bytes free
.
- - End Of File - - 35DF22088891B95482324A112B42E2C6
24BF22B59C30B9B11E1AF62CFC3C418E
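A check prompted by the ComboFix log above, added here as an example; it is not part of this thread and not ComboFix's own code. The Security Center and firewall-policy keys ComboFix printed (AntiVirusOverride and FirewallOverride set, DisableMonitoring set for every product, EnableFirewall 0 with opnsqr.exe in the allow-list) and the locked CLSID keys are the items a responder wants to pull out mechanically rather than by eye. The script parses those REGEDIT4-style sections and reports them. The heuristics are mine, not ComboFix's: anything outside %windir% in the firewall allow-list gets a look, and a key named like a CLSID should be a canonical 8-4-4-4-12 GUID. The embedded sample is an excerpt of the log posted above so the script runs offline.

```python
"""Audit a ComboFix log excerpt for AV/firewall tampering indicators.

Added example for this thread; it is not part of ComboFix or of the
posts above. It reads the REGEDIT4-style 'Reg Loading Points' and
'LOCKED REGISTRY KEYS' output and reports items a responder would review.
"""
import re

KEY_RE = re.compile(r"^\[(.+)\]$")               # [HKEY_...\path]
VALUE_RE = re.compile(r'^"(.*?)"\s*=\s*(.*)$')    # "Name"=value
GUID_RE = re.compile(                             # canonical 8-4-4-4-12 form
    r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$", re.I)

# Excerpt of the ComboFix log posted above, embedded so the script runs offline.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\program files\\opinionsquare\\opnsqr.exe"=
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{6CB39D60-4086-B7F8-381D8F903EAF6AF0}\{AFC2635D-FADA-3E20-D0B5B6B6E250D71B}\{28C204A2-D9FA-6C6E-1B551E281BAD6C81}*]
"NRDFOBLVNAUE2QOGEQXAH1Y2DD1"=hex:01,00,01,00,00,00,00,00,b0,0a,ac,41,7a,16,04,
   de,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
.
"""


def parse_reg_sections(text):
    """Return [(key, [(value_name, raw_value), ...]), ...] in log order.
    Continuation lines (leading whitespace), '.' separators and '@' default
    values are ignored; the checks below do not need them."""
    sections = []
    for line in text.splitlines():
        line = line.rstrip()
        key = KEY_RE.match(line)
        if key:
            sections.append((key.group(1), []))
            continue
        val = VALUE_RE.match(line)
        if val and sections:
            sections[-1][1].append((val.group(1), val.group(2)))
    return sections


def _as_int(raw):
    """'dword:00000001' -> 1, '0 (0x0)' -> 0, anything else -> None."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(\d+)", raw)
    return int(m.group(1)) if m else None


def is_wellformed_guid(s):
    return bool(GUID_RE.match(s))


def audit(log_text):
    """Return a list of human-readable review items found in the log text."""
    findings = []
    for key, values in parse_reg_sections(log_text):
        k = key.lower()
        if "microsoft\\security center" in k:
            # Security Center told not to monitor or alert on AV/firewall state.
            for name, raw in values:
                if name in ("AntiVirusOverride", "FirewallOverride",
                            "DisableMonitoring") and _as_int(raw) == 1:
                    findings.append(f"security-center: {name}=1 under {key}")
        elif k.endswith("firewallpolicy\\standardprofile"):
            for name, raw in values:
                if name == "EnableFirewall" and _as_int(raw) == 0:
                    findings.append("firewall: Windows Firewall disabled (standard profile)")
        elif k.endswith("authorizedapplications\\list"):
            # Heuristic (mine): anything outside %windir% in the allow-list gets a look.
            for name, _ in values:
                if "%windir%" not in name.lower():
                    findings.append(f"firewall: non-Windows program allowed through: {name}")
        elif "\\classes\\clsid\\" in k:
            # CLSID keys should be canonical GUIDs; the log's locked keys use
            # 8-4-4-16 groups, which no COM registration would produce.
            bad = [p.rstrip("*") for p in key.split("\\")
                   if p.startswith("{") and not is_wellformed_guid(p.rstrip("*"))]
            if bad:
                findings.append("registry: non-GUID CLSID-style key(s): " + ", ".join(bad))
    return findings


if __name__ == "__main__":
    for item in audit(SAMPLE_LOG):
        print(item)
```

AntiVirusOverride, FirewallOverride and DisableMonitoring are also set by third-party security suites that take over Security Center reporting and by users who dismiss the warnings, so the script reports them as review items rather than verdicts. What makes them worth attention in this log is the combination: the built-in firewall is off, every product's monitoring is disabled, and the program granted a firewall exception is the same opnsqr.exe that ESET flagged as adware earlier in the thread. The FlashBroker key passes the GUID check, which is why it produces no finding while the three locked keys above it do.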



#14 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:07:33 AM

Posted 24 September 2013 - 01:52 PM

Please read my instructions carefully and repeat the process - you have to download the attached CFScript.txt and then drag it into combofix as seen on the animation.



#15 Randallw

  • Topic Starter
  • Members
  • 18 posts
  • Local time:10:33 PM

Posted 27 September 2013 - 03:36 PM

ComboFix 13-09-26.03 - RandallW 09/27/2013   0:46.10.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.2040.1429 [GMT -7:00]
Running from: c:\documents and settings\RandallW\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\RandallW\Desktop\CFScript(2).txt
AV: Trend Micro Titanium 2012 *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: ZoneAlarm Free Firewall Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
 * Created a new restore point
.
FILE ::
"c:\documents and settings\RandallW\Local Settings\Application Data\{2B093B25-EA20-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul"
"c:\program files\GoforFiles\uninstall.exe"
"c:\websaves\dvdxplatkey.zip"
"c:\windows\system32\opls.dll"
"D:\zlsSetup_70_483_000_en.exe"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\RandallW\Local Settings\Application Data\{2B093B25-EA20-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul
c:\program files\Check Point Software Technologies LTD\zonealarm\1.5.20.3
c:\program files\Check Point Software Technologies LTD\zonealarm\1.5.20.3\bh\zonealarm.dll
c:\program files\Check Point Software Technologies LTD\zonealarm\1.5.20.3\escortShld.dll
c:\program files\Check Point Software Technologies LTD\zonealarm\1.5.20.3\uninstall.exe
c:\program files\Check Point Software Technologies LTD\zonealarm\1.5.20.3\zonealarmApp.dll
c:\program files\Check Point Software Technologies LTD\zonealarm\1.5.20.3\zonealarmEng.dll
c:\program files\Check Point Software Technologies LTD\zonealarm\1.5.20.3\zonealarmsrv.exe
c:\program files\Check Point Software Technologies LTD\zonealarm\1.5.20.3\zonealarmTlbr.dll
c:\program files\Check Point Software Technologies LTD\zonealarm\1.8.11.11
c:\program files\Check Point Software Technologies LTD\zonealarm\1.8.11.11\bh\zonealarm.dll
c:\program files\Check Point Software Technologies LTD\zonealarm\1.8.11.11\dntp-zonealarm-ie.exe
c:\program files\Check Point Software Technologies LTD\zonealarm\1.8.11.11\escortShld.dll
c:\program files\Check Point Software Technologies LTD\zonealarm\1.8.11.11\uninstall.exe
c:\program files\Check Point Software Technologies LTD\zonealarm\1.8.11.11\zonealarmApp.dll
c:\program files\Check Point Software Technologies LTD\zonealarm\1.8.11.11\zonealarmEng.dll
c:\program files\Check Point Software Technologies LTD\zonealarm\1.8.11.11\zonealarmsrv.exe
c:\program files\Check Point Software Technologies LTD\zonealarm\1.8.11.11\zonealarmTlbr.dll
c:\program files\GoforFiles\uninstall.exe
c:\program files\OpinionSquare
c:\program files\OpinionSquare\asmcf.dat
c:\program files\OpinionSquare\chrome.manifest
c:\program files\OpinionSquare\components\opxg.dll
c:\program files\OpinionSquare\firefox\bootstrap.js
c:\program files\OpinionSquare\firefox\defaults\preferences\prefs.js
c:\program files\OpinionSquare\firefox\harness-options.json
c:\program files\OpinionSquare\firefox\install.rdf
c:\program files\OpinionSquare\firefox\locales.json
c:\program files\OpinionSquare\firefox\opnx.dll
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\addon\runner.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\base64.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\console\plain-text.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\console\traceback.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\content\content-proxy.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\content\content-worker.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\content\loader.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\content\thumbnail.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\content\worker.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\core\heritage.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\core\namespace.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\core\promise.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\deprecated\api-utils.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\deprecated\cortex.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\deprecated\errors.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\deprecated\events.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\deprecated\events\assembler.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\deprecated\light-traits.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\deprecated\list.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\deprecated\memory.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\deprecated\observer-service.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\deprecated\traits.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\deprecated\traits\core.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\deprecated\window-utils.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\dom\events.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\event\core.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\event\target.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\io\byte-streams.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\io\data.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\io\file.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\io\text-streams.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\l10n\core.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\l10n\html.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\l10n\loader.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\l10n\locale.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\l10n\prefs.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\lang\functional.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\loader\cuddlefish.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\loader\sandbox.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\net\url.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\page-mod.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\page-mod\match-pattern.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\platform\xpcom.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\preferences\service.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\private-browsing.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\private-browsing\utils.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\private-browsing\window\utils.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\self.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\system.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\system\environment.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\system\events.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\system\globals.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\system\runtime.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\system\unload.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\system\xul-app.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\tabs.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\tabs\common.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\tabs\events.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\tabs\helpers.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\tabs\namespace.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\tabs\observer.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\tabs\tab-fennec.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\tabs\tab-firefox.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\tabs\tab.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\tabs\tabs-firefox.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\tabs\tabs.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\tabs\utils.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\tabs\worker.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\timers.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\url.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\util\array.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\util\deprecate.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\util\list.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\util\object.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\util\registry.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\util\uuid.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\window\browser.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\window\namespace.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\window\utils.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\windows.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\windows\dom.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\windows\fennec.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\windows\firefox.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\windows\loader.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\windows\observer.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\windows\tabs-fennec.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\sdk\windows\tabs-firefox.js
c:\program files\OpinionSquare\firefox\resources\addon-sdk\lib\toolkit\loader.js
c:\program files\OpinionSquare\firefox\resources\chrome.manifest
c:\program files\OpinionSquare\firefox\resources\dpjs\data\content.js
c:\program files\OpinionSquare\firefox\resources\dpjs\lib\dompilot.js
c:\program files\OpinionSquare\firefox\resources\dpjs\lib\dputil.js
c:\program files\OpinionSquare\firefox\resources\dpjs\lib\main.js
c:\program files\OpinionSquare\install.rdf
c:\program files\OpinionSquare\nscf.dat
c:\program files\OpinionSquare\opcm.crx
c:\program files\OpinionSquare\opcm.txt
c:\program files\OpinionSquare\opls.dll
c:\program files\OpinionSquare\opls64.dll
c:\program files\OpinionSquare\opnsqr.exe
c:\program files\OpinionSquare\opnsqr32.exe
c:\program files\OpinionSquare\opnsqr64.exe
c:\program files\OpinionSquare\opoci.bin
c:\program files\OpinionSquare\opph.dll
c:\program files\OpinionSquare\opservice.exe
c:\program files\OpinionSquare\opxf.dll
c:\program files\OpinionSquare\readme.txt
c:\websaves\dvdxplatkey.zip
D:\zlsSetup_70_483_000_en.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-27 to 2013-09-27  )))))))))))))))))))))))))))))))
.
.
2013-09-22 00:04 . 2013-09-22 00:04    --------    d-----w-    c:\program files\ESET
2013-09-19 10:20 . 2013-09-19 10:20    --------    d-----w-    c:\program files\MSXML 4.0
2013-09-19 10:06 . 2013-09-19 10:20    --------    d-----w-    c:\windows\system32\MRT
2013-09-19 07:47 . 2013-08-08 06:05    522240    -c----w-    c:\windows\system32\dllcache\jsdbgui.dll
2013-09-19 06:45 . 2013-05-28 00:41    6144    ----a-w-    c:\windows\system32\xpsp4res.dll
2013-09-19 06:21 . 2013-09-19 06:22    --------    d-----w-    c:\documents and settings\RandallW\Local Settings\Application Data\Deployment
2013-09-17 06:51 . 2012-06-02 22:18    275696    ----a-w-    c:\windows\system32\mucltui.dll
2013-09-10 17:33 . 2013-09-10 18:24    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-09-05 14:04 . 2013-09-05 14:04    209272    ----a-w-    c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2013-09-05 14:04 . 2013-09-05 14:04    209272    ----a-w-    c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2013-08-30 06:24 . 2013-08-14 17:56    869656    ----a-w-    c:\program files\Mozilla Firefox\uninstall\helper.exe
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-27 09:43 . 2009-02-15 06:50    4746    ----a-w-    c:\windows\compaq.reg
2013-09-19 18:01 . 2012-04-01 18:30    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-09-19 18:01 . 2011-05-14 19:33    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-08-09 01:56 . 2004-05-04 19:44    386560    ----a-w-    c:\windows\system32\themeui.dll
2013-08-08 06:05 . 2004-05-04 19:45    1469440    ----a-w-    c:\windows\system32\inetcpl.cpl
2013-08-08 06:05 . 2004-05-04 19:45    43520    ----a-w-    c:\windows\system32\licmgr10.dll
2013-08-08 06:05 . 2004-02-07 01:05    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-08-08 06:05 . 2002-08-13 05:18    18944    ----a-w-    c:\windows\system32\corpol.dll
2013-08-08 01:27 . 2012-03-23 03:18    1877760    ----a-w-    c:\windows\system32\win32k.sys
2013-08-08 00:02 . 2004-08-04 05:59    385024    ----a-w-    c:\windows\system32\html.iec
2013-08-05 13:30 . 2004-06-21 01:03    1289728    ----a-w-    c:\windows\system32\ole32.dll
2013-08-03 21:18 . 2006-10-19 05:47    1543680    ----a-w-    c:\windows\system32\wmvdecod.dll
2013-07-10 10:37 . 2004-05-04 19:44    406016    ----a-w-    c:\windows\system32\usp10.dll
2013-07-04 02:59 . 2012-03-23 03:18    2193536    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-07-04 02:08 . 2012-03-23 03:18    2070144    ----a-w-    c:\windows\system32\ntkrnlpa.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CPQEASYACC"="c:\program files\COMPAQ\Easy Access Button Support\StartEAK.exe" [2001-12-14 32768]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-11-13 98304]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"MediaFace Integration"="c:\program files\Fellowes\MediaFACE 4.2\SetHook.exe" [2005-09-05 53248]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-03 61440]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2013-03-27 73832]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2012-12-18 1304296]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2012-02-27 133424]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2013-01-25 295072]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-05-11 958576]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-10-25 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"WD UDS Control Center"="c:\program files\Western Digital\WD Print Share\WDPrintShare.exe" [2012-04-18 19841536]
"WD Quick View"="c:\program files\Western Digital\WD Quick View\WDDMStatus.exe" [2012-02-28 5234072]
"ISW"="" [BU]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2010-12-26 221247]
AT&T Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe -boot [2007-5-28 217088]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
2008-03-18 23:58    58672    ----a-w-    c:\windows\system32\avldr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=APTRRNTm.dll
"wave"=APTRRNTm.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-10-25 10:12    421888    ----a-w-    c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-07-10 01:18    39408    -c--a-w-    c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2013-01-25 09:03    295072    ----a-w-    c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ccPxySvc"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"PhotoshopElementsDeviceConnect"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Western Digital\\WD Print Share\\WDPrintShare.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7436:UDP"= 7436:UDP:Control Center UDP Port
.
R0 ElbyVCD;ElbyVCD;c:\windows\system32\drivers\ElbyVCD.sys [11/28/2002 3:43 AM 22016]
R1 bpfinder;BACKPACK Finder;c:\windows\system32\drivers\bpfinder.sys [8/3/2007 10:57 AM 62279]
R1 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [3/23/2012 9:54 PM 76648]
R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [3/16/2012 9:06 AM 27056]
R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [3/16/2012 9:07 AM 497320]
R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe [11/29/2012 9:31 PM 38608]
R2 WDDriveService;WD Drive Manager;c:\program files\Western Digital\WD Drive Manager\WDDriveService.exe [2/27/2012 5:05 PM 247704]
R3 bpflt;BACKPACK Filter;c:\windows\system32\drivers\bpflt.sys [8/3/2007 10:57 AM 4538]
R3 bpusbflt;BACKPACK USB Filter;c:\windows\system32\drivers\bpusbflt.sys [6/23/2004 1:13 PM 10653]
R3 WDUDSMBus;UDS Master Bus of Kernel USB Software Bus by TCP;c:\windows\system32\drivers\WDUDSMBus.sys [4/16/2012 11:55 AM 91264]
R3 WDUDSTcpBus;WDUDSTcpBus;c:\windows\system32\drivers\WDUDSTcpBus.sys [4/16/2012 11:53 AM 146688]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 tvtool;tvtool;c:\program files\TVTool 8 base\TVTOOL.SYS [4/3/1996 11:33 AM 5248]
S2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe [3/23/2012 9:52 PM 200632]
S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\drivers\ssadadb.sys [1/20/2012 2:39 PM 30312]
S3 bppccard;BACKPACK PC Card;c:\windows\system32\drivers\bppccard.sys [9/29/2003 9:40 AM 5493]
S3 bppnpdrv;BACKPACK Driver;c:\windows\system32\drivers\bppnpdrv.sys [8/3/2007 10:57 AM 19670]
S3 bpusbdrv;BACKPACK USB 1 Cable;c:\windows\system32\drivers\bpusbdrv.sys [9/28/2011 11:53 AM 109708]
S3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys --> c:\windows\system32\drivers\dgderdrv.sys [?]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [12/13/2010 12:11 AM 23456]
S3 EraserUtilDrv10741;EraserUtilDrv10741;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10741.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10741.sys [?]
S3 JumpShot;Lexar Media USB Compact Flash Driver;c:\windows\system32\drivers\LEXAR2K.SYS [10/19/2001 2:57 PM 16969]
S3 NUVision;Pinnacle LINX;c:\windows\system32\drivers\Nuvision.sys [2/14/2004 9:05 PM 136352]
S3 Pcouffin;Low level access layer for CD devices;c:\windows\system32\Drivers\Pcouffin.sys --> c:\windows\system32\Drivers\Pcouffin.sys [?]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [1/20/2012 2:39 PM 121064]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [1/20/2012 2:39 PM 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [1/20/2012 2:39 PM 136808]
S3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);c:\windows\system32\drivers\ssadserd.sys [1/20/2012 2:39 PM 114280]
S3 SUNPLUS;SightCAM PC-100p;c:\windows\system32\Drivers\SPIXNEW.SYS --> c:\windows\system32\Drivers\SPIXNEW.SYS [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper    REG_MULTI_SZ       getPlusHelper
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-09-20 06:11    1177552    ----a-w-    c:\program files\Google\Chrome\Application\29.0.1547.76\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-01 18:01]
.
2013-09-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-10 01:31]
.
2013-09-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-02-18 01:29]
.
2013-09-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-02-18 01:29]
.
2013-09-24 c:\windows\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-793999233-1439906313-590260106-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 23:30]
.
2013-09-24 c:\windows\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-793999233-1439906313-590260106-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 23:30]
.
2013-09-24 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-793999233-1439906313-590260106-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 23:30]
.
2013-09-22 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-793999233-1439906313-590260106-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 23:30]
.
.
------- Supplementary Scan -------
.
IE: Download All by FlashGet - c:\program files\FlashGet\jc_all.htm
IE: Download using FlashGet - c:\program files\FlashGet\jc_link.htm
Trusted Zone: pchlotto.com\www
Trusted Zone: spamcop.net\www
TCP: DhcpNameServer = 192.168.1.1
DPF: Microsoft XML Parser for Java
DPF: {A305FBA3-4A87-483D-A53B-138F9F635357}
DPF: {AF697529-9D41-4647-8D80-9E2D74696D5E}
DPF: {BE153019-DCDB-479E-827B-C2AAB8CDCA64}
FF - ProfilePath - c:\documents and settings\RandallW\Application Data\Mozilla\Firefox\Profiles\9001sjv9.default\
FF - ExtSQL: 2013-08-25 00:18; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - ExtSQL: 2013-09-18 23:25; {C7AE725D-FA5C-4027-BB4C-787EF9F8248A}; c:\program files\OpinionSquare\firefox
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-ZoneAlarm Security Toolbar - c:\program files\Check Point Software Technologies LTD\zonealarm\1.8.11.11\uninstall.exe
AddRemove-{9cf77345-ac1f-46e5-83ff-79676bee4d6b} - c:\program files\OpinionSquare\opnsqr.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-27 04:24
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{6CB39D60-4086-B7F8-381D8F903EAF6AF0}\{AFC2635D-FADA-3E20-D0B5B6B6E250D71B}\{28C204A2-D9FA-6C6E-1B551E281BAD6C81}*]
"NRDFOBLVNAUE2QOGEQXAH1Y2DD1"=hex:01,00,01,00,00,00,00,00,b0,0a,ac,41,7a,16,04,
   de,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7D123B2E-0C5F-D919-194C2B3C78E1FEC1}\{313463E6-9B37-5C56-F570B6CAA31EBA6B}\{14D54DC1-EDC1-0F67-65A1433CC409F39D}*]
"NRDFOBLVNAUE2QOGEQXAH1Y2DD1"=hex:01,00,01,00,00,00,00,00,b0,0a,ac,41,7a,16,04,
   de,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\avldr.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'lsass.exe'(788)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
Completion time: 2013-09-27  04:34:21
ComboFix-quarantined-files.txt  2013-09-27 11:33
ComboFix2.txt  2013-09-24 17:03
ComboFix3.txt  2013-09-18 09:26
ComboFix4.txt  2013-09-16 08:19
.
Pre-Run: 7,851,536,384 bytes free
Post-Run: 7,743,713,280 bytes free
.
- - End Of File - - A4B7503C5B5E3DF275010E8D3AB325FF
24BF22B59C30B9B11E1AF62CFC3C418E