Computer infected with Win32:Evo-gen or Win32:Malware-gen


  • This topic is locked
28 replies to this topic

#1 wnlewis

wnlewis

  • Members
  • 14 posts
  • OFFLINE
  • Local time:05:31 PM

Posted 17 October 2013 - 10:25 PM

My Dell has been infected at the root level with what has been identified by ASWmbr as Win32:Evo-gen and by Avast! on boot scan as Win32:Malware-gen. They can find the malware but are unable to get rid of it. I have also tried MalwareBytes, RKiller.

 

Any recommendations?

 

Thanks,

 

Neal Lewis

wnlewis@southwind.net

 

Here is the log:

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 1.4.2_03
Run by W. Neal Lewis at 21:58:37 on 2013-10-17
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.510.103 [GMT -5:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ================
.
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\W6000~1.NEA\LOCALS~1\Temp\AutoDetect.exe
C:\Program Files\GoZone\GoZone_iSync.exe
C:\Program Files\Seagate\Sync\SeaSyncServices.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://writing-well.carrie-lewis.com/
uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uURLSearchHooks: {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - <orphaned>
BHO: AcroIEHlprObj Class: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - <orphaned>
BHO: DriveLetterAccess: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} -
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
EB: Real.com: {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\shdocvw.dll
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Ceedo AutoDetect] c:\docume~1\w6000~1.nea\locals~1\temp\AutoDetect.exe /active
uRun: [BrowserSafeguard] c:\program files\browsersafeguard\Browsersafeguard.exe
uRunOnce: [Ceedo Repair] c:\docume~1\w6000~1.nea\locals~1\temp\AutoDetect.exe /repair /drive=
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [StxTrayMenu] "c:\program files\seagate\systemtray\StxMenuMgr.exe"
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRunOnce: [Browsersafeguard-pitch FF:0] c:\program files\browsersafeguard\resources\certutil.exe -a -n "do_not_trust_fiddlerroot" -t "tcu,tcu,tcu" -i "c:\program files\browsersafeguard\trustedroot.cer" -d "c:\documents and settings\w. neal lewis\application data\mozilla\firefox\profiles\cpl52ifk.default"
StartupFolder: c:\docume~1\w6000~1.nea\startm~1\programs\startup\gozone~1.lnk - c:\program files\gozone\GoZone_iSync.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBC} - <orphaned>
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_03-windows-i586.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_03-windows-i586.cab
TCP: NameServer = 68.94.156.1 68.94.157.1
TCP: Interfaces\{9B212BF6-8554-4401-95C9-CE0E5C15A677} : DHCPNameServer = 68.94.156.1 68.94.157.1
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\w. neal lewis\application data\mozilla\firefox\profiles\cpl52ifk.default\
FF - prefs.js: browser.startup.homepage - hxxp://writing-well.carrie-lewis.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_9_900_117.dll
FF - ExtSQL: !HIDDEN! 2010-10-25 22:31; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [2013-10-10 49376]
R0 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [2013-10-10 177864]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2013-2-16 770344]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-3-19 369584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-3-19 29816]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-10-10 66336]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-2 46808]
R2 Seagate Sync Service;Seagate Sync Service;c:\program files\seagate\sync\SeaSyncServices.exe [2007-1-18 24120]
.
=============== Created Last 30 ================
.
.
==================== Find3M  ====================
.
2013-10-12 04:22:03    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-10-12 04:22:03    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-09-23 18:33:58    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-09-23 18:33:57    43520    ------w-    c:\windows\system32\licmgr10.dll
2013-09-23 18:33:57    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-09-23 18:33:56    18944    ----a-w-    c:\windows\system32\corpol.dll
2013-09-23 18:06:48    385024    ----a-w-    c:\windows\system32\html.iec
2013-09-11 18:54:25    144896    ----a-w-    c:\windows\system32\javacpl.cpl
2013-09-11 18:54:10    868264    ----a-w-    c:\windows\system32\npDeployJava1.dll
2013-09-11 18:54:07    790440    ----a-w-    c:\windows\system32\deployJava1.dll
2013-08-30 07:48:12    770344    ----a-w-    c:\windows\system32\drivers\aswSnx.sys
2013-08-30 07:47:40    41664    ----a-w-    c:\windows\avastSS.scr
2013-08-29 01:31:44    1878656    ----a-w-    c:\windows\system32\win32k.sys
2013-08-09 01:56:45    386560    ----a-w-    c:\windows\system32\themeui.dll
2013-08-09 00:55:08    144128    ----a-w-    c:\windows\system32\drivers\usbport.sys
2013-08-09 00:55:06    5376    ----a-w-    c:\windows\system32\drivers\usbd.sys
2013-08-05 13:30:32    1289728    ----a-w-    c:\windows\system32\ole32.dll
2013-08-01 00:26:12    868528    ----a-w-    c:\windows\system32\wmvdmod.dll
.
============= FINISH: 21:59:57.29 ===============
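As an added triage example (not part of this thread, and not code from DDS, AdwCleaner, JRT or ComboFix), the Python script below parses the Run/RunOnce and BHO lines of a DDS "Pseudo HJT Report" like the one above and flags the entries a malware-removal helper looks at first: an autostart that launches from a Temp directory, a certutil call that adds a certificate with explicit trust flags to a Firefox NSS profile store (the TLS-interception pattern of the BrowserSafeguard RunOnce entry), and orphaned BHO registrations. The sample lines are constructed from the log above with the profile path shortened; the detection rules and the `triage_dds`/`extract_exe` names are the example's own assumptions, not a DDS feature.

```python
"""Flag suspicious autostart entries in a DDS-style "Pseudo HJT Report".

Added example for this thread; it is not DDS, AdwCleaner, JRT or ComboFix
code, and the detection rules below are the example's own assumptions.
"""
import re

# Constructed sample lines, modelled on the DDS log in the thread
# (the user-profile path is shortened; the format mirrors the log).
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Ceedo AutoDetect] c:\docume~1\user\locals~1\temp\AutoDetect.exe /active
uRun: [BrowserSafeguard] c:\program files\browsersafeguard\Browsersafeguard.exe
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRunOnce: [Browsersafeguard-pitch FF:0] c:\program files\browsersafeguard\resources\certutil.exe -a -n "do_not_trust_fiddlerroot" -t "tcu,tcu,tcu" -i "c:\program files\browsersafeguard\trustedroot.cer" -d "c:\profile"
BHO: AcroIEHlprObj Class: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - <orphaned>
"""

# DDS prefixes: u = HKCU, m = HKLM; Run / RunOnce are the registry key names.
RUN_RE = re.compile(r'^(?P<scope>[um])(?P<key>RunOnce|Run): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# BHO lines carry an optional description, the CLSID, then the DLL path or <orphaned>.
BHO_RE = re.compile(r'^BHO: (?:(?P<desc>.*?): )?\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$')
# Any path component named "temp" (covers both LOCALS~1\temp and a full Temp path).
TEMP_RE = re.compile(r'\\temp\\', re.IGNORECASE)


def extract_exe(cmd: str) -> str:
    """Return the executable path at the head of a Run command line."""
    c = cmd.strip()
    if c.startswith('"'):
        end = c.find('"', 1)
        return c[1:end] if end > 0 else c[1:]
    # Unquoted paths may contain spaces: take everything up to the first ".exe".
    m = re.search(r'\.exe', c, re.IGNORECASE)
    return c[:m.end()] if m else c.split(' ', 1)[0]


def triage_dds(text: str) -> list:
    """Return a list of findings ({'entry', 'key', 'reason'}) in log order."""
    findings = []
    for line in text.splitlines():
        m = RUN_RE.match(line)
        if m:
            name, cmd = m['name'], m['cmd']
            exe = extract_exe(cmd)
            scope = 'HKCU' if m['scope'] == 'u' else 'HKLM'
            key = scope + '\\...\\' + m['key']
            if TEMP_RE.search(exe):
                findings.append({'entry': name, 'key': key,
                                 'reason': 'autostart launches an executable from a Temp directory'})
            # certutil -t <trust flags> -i <cert> -d <profile>: installs a trusted
            # root into an NSS (Firefox) database, the TLS-interception pattern.
            if exe.lower().endswith('certutil.exe') and ' -t ' in cmd and ' -i ' in cmd:
                findings.append({'entry': name, 'key': key,
                                 'reason': 'certutil adds a certificate with explicit trust flags to an NSS profile store'})
            continue
        m = BHO_RE.match(line)
        if m and m['target'].strip() == '<orphaned>':
            findings.append({'entry': m['clsid'], 'key': 'BHO',
                             'reason': 'orphaned BHO registration (CLSID with no backing DLL), leftover of removed software'})
    return findings


if __name__ == '__main__':
    for f in triage_dds(SAMPLE_LOG):
        print(f"[{f['key']}] {f['entry']}: {f['reason']}")
```

Run the file directly to print the three findings for the constructed sample; pasting the full Pseudo HJT section of a DDS log into `SAMPLE_LOG` works the same way. The rules deliberately stay narrow (Temp-directory launch, trust-root installation, dangling BHO) so that legitimate vendor autostarts such as the avast! and Dell entries are not reported.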
 



#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:31 PM

Posted 17 October 2013 - 10:57 PM


Hello wnlewis

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.


These are the programs I would like you to run next, if you have any problems with one of these just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
When they are complete let me have the two reports and let me know how things are running.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 wnlewis

wnlewis
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:05:31 PM

Posted 19 October 2013 - 02:19 PM

Gringo,

 

Thanks for the reply. The computer may have improved a little, but not significantly. It is still running slowly. I attribute that to the Win32:Evo-gen or Win32:Malware-gen at the root level. That may be a systemic problem that has to be solved at the root level.

 

I ran AdwCleaner and got the following results:

 

# AdwCleaner v3.008 - Report created 19/10/2013 at 12:16:43
# Updated 17/10/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : W. Neal Lewis - NEALSDELL
# Running from : C:\Documents and Settings\W. Neal Lewis\My Documents\Downloads\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Found C:\Documents and Settings\All Users\Application Data\Viewpoint
Folder Found C:\Program Files\Viewpoint

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\MyWaySA
Key Found : HKCU\Software\YahooPartnerToolbar
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Found : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found : HKLM\Software\MetaStream
Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
Key Found : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Found : HKLM\Software\MyWaySA
Key Found : HKLM\Software\Viewpoint

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v24.0 (en-US)

[ File : C:\Documents and Settings\W. Neal Lewis\Application Data\Mozilla\Firefox\Profiles\cpl52ifk.default\prefs.js ]

Line Found : user_pref("plugin.blocklisted.npviewpoint", true);

[ File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\uvoqwy0q.default\prefs.js ]


*************************

AdwCleaner[R0].txt - [2111 octets] - [19/10/2013 12:16:43]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [2171 octets] ##########
 

I then ran Junk Removal Tool and it got these results:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.7 (10.15.2013:3)
OS: Microsoft Windows XP x86
Ran by W. Neal Lewis on Sat 10/19/2013 at 13:23:56.64
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully deleted: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\browsersafeguard
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL



~~~ Registry Keys



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\Program Files\browsersafeguard"





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 10/19/2013 at 13:31:35.35
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

Thanks again for your help. Let me know what to do next. Have a great weekend!

 

Neal Lewis



#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:31 PM

Posted 19 October 2013 - 02:47 PM


Hello Neal

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"
  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?
Gringo

#5 wnlewis

wnlewis
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:05:31 PM

Posted 19 October 2013 - 11:17 PM

Gringo,

 

Just finished the scan and delete with ComboFix.

 

I won't know whether or not the computer is doing better until I have used it a while.

 

Here is the log from ComboFix:

ComboFix 13-10-19.02 - W. Neal Lewis 10/19/2013  22:26:31.1.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.510.185 [GMT -5:00]
Running from: c:\documents and settings\W. Neal Lewis\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Bitdefender Antivirus Free Edition *Enabled/Updated* {9488E0FA-F058-4673-850E-E755F112BABC}
FW:  *Enabled* {9488E0FA-F058-4673-850E-E755F112BABC}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\1382067399.bdinstall.bin
c:\documents and settings\All Users\Application Data\1382068533.bdinstall.bin
c:\documents and settings\All Users\Application Data\1382068595.bdinstall.bin
c:\documents and settings\All Users\Application Data\1382123418.3620.bin
c:\documents and settings\All Users\Application Data\1382123418.3624.bin
c:\documents and settings\All Users\Application Data\1382123418.bdinstall.bin
c:\documents and settings\All Users\Application Data\1382238773.bdinstall.bin
c:\documents and settings\All Users\Application Data\1382238812.bdinstall.bin
c:\program files\MyWaySA
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\setb5.tmp
c:\windows\wininit.ini
E:\Autorun.inf
.
.
(((((((((((((((((((((((((   Files Created from 2013-09-20 to 2013-10-20  )))))))))))))))))))))))))))))))
.
.
2013-10-19 18:23 . 2013-10-19 18:23    --------    d-----w-    c:\windows\ERUNT
2013-10-19 17:48 . 2013-10-19 17:48    --------    d-----w-    c:\documents and settings\W. Neal Lewis\Application Data\AVAST Software
2013-10-19 17:31 . 2013-10-19 17:31    --------    d-----w-    c:\documents and settings\All Users\Application Data\AVAST Software
2013-10-19 17:12 . 2013-10-19 18:03    --------    d-----w-    C:\AdwCleaner
2013-10-18 03:54 . 2013-10-18 03:54    --------    d-----w-    c:\documents and settings\LocalService\Application Data\QuickScan
2013-10-18 03:45 . 2013-10-18 03:45    224222    ----a-w-    c:\documents and settings\All Users\Application Data\1382067374.bdinstall.bin
2013-10-18 03:39 . 2013-10-18 03:39    --------    d-----w-    c:\documents and settings\W. Neal Lewis\Application Data\QuickScan
2013-10-18 03:38 . 2013-10-20 03:17    --------    d-----w-    c:\program files\Bitdefender
2013-10-16 03:33 . 2013-10-16 03:33    --------    d-----w-    C:\TDSSKiller_Quarantine
2013-10-15 23:26 . 2013-10-15 23:29    --------    d-----w-    c:\documents and settings\Administrator
2013-10-12 20:38 . 2013-10-12 20:38    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-10-12 20:34 . 2013-10-12 20:34    105176    ----a-w-    c:\windows\system32\drivers\48230029.sys
2013-10-12 20:33 . 2013-10-12 20:33    47064    ----a-w-    c:\windows\system32\drivers\6F712994.sys
2013-10-12 18:14 . 2013-10-12 21:42    --------    d-----w-    c:\program files\Mozilla Thunderbird
2013-10-12 05:19 . 2013-10-12 05:19    --------    d-----w-    c:\documents and settings\W. Neal Lewis\Application Data\Apple Computer
2013-10-12 04:33 . 2013-10-12 04:34    --------    d-----w-    c:\program files\QuickTime
2013-10-12 04:33 . 2013-10-12 04:33    --------    d-----w-    c:\documents and settings\All Users\Application Data\Apple Computer
2013-10-12 04:32 . 2013-10-12 04:32    --------    d-----w-    c:\program files\Common Files\Apple
2013-10-12 04:32 . 2013-10-12 04:32    --------    d-----w-    c:\documents and settings\W. Neal Lewis\Local Settings\Application Data\Apple
2013-10-12 04:32 . 2013-10-12 04:32    --------    d-----w-    c:\program files\Apple Software Update
2013-10-12 04:32 . 2013-10-12 04:32    --------    d-----w-    c:\documents and settings\All Users\Application Data\Apple
2013-10-12 04:31 . 2013-10-12 04:31    --------    d-----w-    c:\documents and settings\W. Neal Lewis\Local Settings\Application Data\Apple Computer
2013-10-11 17:28 . 2013-10-11 17:28    --------    d-----w-    c:\documents and settings\W. Neal Lewis\Application Data\Malwarebytes
2013-10-11 17:28 . 2013-10-11 17:28    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes
2013-10-11 04:17 . 2013-10-19 17:39    49944    ----a-w-    c:\windows\system32\drivers\aswRvrt.sys
2013-10-11 04:17 . 2013-10-19 17:39    178304    ----a-w-    c:\windows\system32\drivers\aswVmm.sys
2013-10-11 04:17 . 2013-10-19 17:39    70384    ----a-w-    c:\windows\system32\drivers\aswMonFlt.sys
2013-10-09 16:00 . 2013-07-03 02:12    25088    ------w-    c:\windows\system32\dllcache\hidparse.sys
2013-10-09 16:00 . 2013-07-03 01:59    14976    ------w-    c:\windows\system32\dllcache\usbscan.sys
2013-10-09 15:59 . 2013-07-17 00:58    60160    ------w-    c:\windows\system32\dllcache\usbaudio.sys
2013-10-09 15:59 . 2013-07-17 00:58    123008    ------w-    c:\windows\system32\dllcache\usbvideo.sys
2013-10-09 15:57 . 2013-08-09 00:55    144128    ------w-    c:\windows\system32\dllcache\usbport.sys
2013-10-09 15:57 . 2013-08-09 00:55    32384    ------w-    c:\windows\system32\dllcache\usbccgp.sys
2013-10-09 15:57 . 2013-08-09 00:55    5376    ------w-    c:\windows\system32\dllcache\usbd.sys
2013-10-09 15:57 . 2009-03-18 11:02    30336    ------w-    c:\windows\system32\dllcache\usbehci.sys
2013-09-27 18:43 . 2013-09-27 18:43    --------    d-----w-    c:\program files\FileZilla FTP Client
2013-09-25 19:52 . 2013-09-29 17:49    --------    d-----w-    c:\documents and settings\W. Neal Lewis\Application Data\FileZilla
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-10-19 17:39 . 2009-03-20 00:41    57672    ----a-w-    c:\windows\system32\drivers\aswTdi.sys
2013-10-19 17:39 . 2013-02-16 21:54    774392    ----a-w-    c:\windows\system32\drivers\aswSnx.sys
2013-10-19 17:39 . 2009-03-20 00:41    35656    ----a-w-    c:\windows\system32\drivers\aswFsBlk.sys
2013-10-19 17:39 . 2009-03-20 00:41    403440    ----a-w-    c:\windows\system32\drivers\aswSP.sys
2013-10-19 17:39 . 2009-03-20 00:42    54832    ----a-w-    c:\windows\system32\drivers\aswRdr.sys
2013-10-19 17:39 . 2010-10-02 22:50    43152    ----a-w-    c:\windows\avastSS.scr
2013-10-19 17:39 . 2009-03-20 00:41    269216    ----a-w-    c:\windows\system32\aswBoot.exe
2013-10-12 04:22 . 2013-02-16 22:59    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-10-12 04:22 . 2013-02-16 22:59    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-09-23 18:33 . 2004-08-04 11:00    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-09-23 18:33 . 2004-08-04 11:00    43520    ------w-    c:\windows\system32\licmgr10.dll
2013-09-23 18:33 . 2004-08-04 11:00    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-09-23 18:33 . 2004-08-04 11:00    18944    ----a-w-    c:\windows\system32\corpol.dll
2013-09-23 18:06 . 2004-08-04 11:00    385024    ----a-w-    c:\windows\system32\html.iec
2013-09-11 18:54 . 2013-09-11 18:56    144896    ----a-w-    c:\windows\system32\javacpl.cpl
2013-09-11 18:54 . 2013-09-11 18:56    868264    ----a-w-    c:\windows\system32\npDeployJava1.dll
2013-09-11 18:54 . 2010-09-26 03:52    790440    ----a-w-    c:\windows\system32\deployJava1.dll
2013-08-29 01:31 . 2004-08-04 11:00    1878656    ----a-w-    c:\windows\system32\win32k.sys
2013-08-09 01:56 . 2004-08-04 11:00    386560    ----a-w-    c:\windows\system32\themeui.dll
2013-08-09 00:55 . 1980-01-01 06:00    144128    ----a-w-    c:\windows\system32\drivers\usbport.sys
2013-08-09 00:55 . 2004-08-04 11:00    5376    ----a-w-    c:\windows\system32\drivers\usbd.sys
2013-08-05 13:30 . 2004-08-04 11:00    1289728    ----a-w-    c:\windows\system32\ole32.dll
2013-08-01 00:26 . 2004-08-04 11:00    868528    ----a-w-    c:\windows\system32\wmvdmod.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-10-19 17:39    321752    ----a-w-    c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-02-08 26112]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2013-05-01 421888]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"StxTrayMenu"="c:\program files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 190008]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"AvastUI.exe"="c:\program files\Alwil Software\Avast5\AvastUI.exe" [2013-10-19 3567800]
.
c:\documents and settings\W. Neal Lewis\Start Menu\Programs\Startup\
GoZone iSync.lnk - c:\program files\GoZone\GoZone_iSync.exe [2013-2-18 431608]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
R0 aswRvrt;avast! Revert;c:\windows\SYSTEM32\DRIVERS\aswRvrt.sys [10/10/2013 11:17 PM 49944]
R0 aswVmm;avast! VM Monitor;c:\windows\SYSTEM32\DRIVERS\aswVmm.sys [10/10/2013 11:17 PM 178304]
R1 aswSnx;aswSnx;c:\windows\SYSTEM32\DRIVERS\aswSnx.sys [2/16/2013 4:54 PM 774392]
R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [3/19/2009 7:41 PM 403440]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [3/19/2009 7:41 PM 35656]
R2 aswMonFlt;aswMonFlt;c:\windows\SYSTEM32\DRIVERS\aswMonFlt.sys [10/10/2013 11:17 PM 70384]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - gzflt
.
Contents of the 'Scheduled Tasks' folder
.
2013-10-19 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-02-16 04:22]
.
2013-10-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2013-10-20 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\Alwil Software\Avast5\AvastEmUpdate.exe [2013-02-16 17:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://writing-well.carrie-lewis.com/
FF - ProfilePath - c:\documents and settings\W. Neal Lewis\Application Data\Mozilla\Firefox\Profiles\cpl52ifk.default\
FF - prefs.js: browser.startup.homepage - hxxp://writing-well.carrie-lewis.com/
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: !HIDDEN! 2010-10-25 22:31; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-RunOnce-Browsersafeguard-pitch FF:0 - c:\program files\Browsersafeguard\Resources\certutil.exe
SafeBoot-46347111.sys
AddRemove-Browsersafeguard - c:\program files\Browsersafeguard\uninstall.browsersafeguard.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-10-19 22:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2013-10-19  22:47:58
ComboFix-quarantined-files.txt  2013-10-20 03:47
.
Pre-Run: 12,702,298,112 bytes free
Post-Run: 12,882,202,624 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 8CE91396E553D62B7F4334F1C44DFEFA
49A546210C3E024EAC559A37A6BF499A
 



#6 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 20 October 2013 - 12:40 AM


Hello wnlewis

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::


 
Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"
  • In your next post I need the following
    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#7 wnlewis

wnlewis
  • Topic Starter

  • Members
  • 14 posts

Posted 20 October 2013 - 05:35 PM

Gringo,

 

The computer has not changed the way it runs at this time.

 

Here are the results from ComboFix with ClearJavaCache:: included in a .txt labeled CFScript.txt and dropped on ComboFix to start it:

 

ComboFix 13-10-19.02 - W. Neal Lewis 10/20/2013  13:26:18.3.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.510.260 [GMT -5:00]
Running from: c:\documents and settings\W. Neal Lewis\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\W. Neal Lewis\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
(((((((((((((((((((((((((   Files Created from 2013-09-20 to 2013-10-20  )))))))))))))))))))))))))))))))
.
.
2013-10-19 18:23 . 2013-10-19 18:23    --------    d-----w-    c:\windows\ERUNT
2013-10-19 17:48 . 2013-10-19 17:48    --------    d-----w-    c:\documents and settings\W. Neal Lewis\Application Data\AVAST Software
2013-10-19 17:31 . 2013-10-19 17:31    --------    d-----w-    c:\documents and settings\All Users\Application Data\AVAST Software
2013-10-19 17:12 . 2013-10-19 18:03    --------    d-----w-    C:\AdwCleaner
2013-10-18 03:54 . 2013-10-18 03:54    --------    d-----w-    c:\documents and settings\LocalService\Application Data\QuickScan
2013-10-18 03:45 . 2013-10-18 03:45    224222    ----a-w-    c:\documents and settings\All Users\Application Data\1382067374.bdinstall.bin
2013-10-18 03:39 . 2013-10-18 03:39    --------    d-----w-    c:\documents and settings\W. Neal Lewis\Application Data\QuickScan
2013-10-18 03:38 . 2013-10-20 03:17    --------    d-----w-    c:\program files\Bitdefender
2013-10-16 03:33 . 2013-10-16 03:33    --------    d-----w-    C:\TDSSKiller_Quarantine
2013-10-15 23:26 . 2013-10-15 23:29    --------    d-----w-    c:\documents and settings\Administrator
2013-10-12 20:38 . 2013-10-12 20:38    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-10-12 20:34 . 2013-10-12 20:34    105176    ----a-w-    c:\windows\system32\drivers\48230029.sys
2013-10-12 20:33 . 2013-10-12 20:33    47064    ----a-w-    c:\windows\system32\drivers\6F712994.sys
2013-10-12 18:14 . 2013-10-12 21:42    --------    d-----w-    c:\program files\Mozilla Thunderbird
2013-10-12 05:19 . 2013-10-12 05:19    --------    d-----w-    c:\documents and settings\W. Neal Lewis\Application Data\Apple Computer
2013-10-12 04:33 . 2013-10-12 04:34    --------    d-----w-    c:\program files\QuickTime
2013-10-12 04:33 . 2013-10-12 04:33    --------    d-----w-    c:\documents and settings\All Users\Application Data\Apple Computer
2013-10-12 04:32 . 2013-10-12 04:32    --------    d-----w-    c:\program files\Common Files\Apple
2013-10-12 04:32 . 2013-10-12 04:32    --------    d-----w-    c:\documents and settings\W. Neal Lewis\Local Settings\Application Data\Apple
2013-10-12 04:32 . 2013-10-12 04:32    --------    d-----w-    c:\program files\Apple Software Update
2013-10-12 04:32 . 2013-10-12 04:32    --------    d-----w-    c:\documents and settings\All Users\Application Data\Apple
2013-10-12 04:31 . 2013-10-12 04:31    --------    d-----w-    c:\documents and settings\W. Neal Lewis\Local Settings\Application Data\Apple Computer
2013-10-11 17:28 . 2013-10-11 17:28    --------    d-----w-    c:\documents and settings\W. Neal Lewis\Application Data\Malwarebytes
2013-10-11 17:28 . 2013-10-11 17:28    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes
2013-10-11 04:17 . 2013-10-19 17:39    49944    ----a-w-    c:\windows\system32\drivers\aswRvrt.sys
2013-10-11 04:17 . 2013-10-19 17:39    178304    ----a-w-    c:\windows\system32\drivers\aswVmm.sys
2013-10-11 04:17 . 2013-10-19 17:39    70384    ----a-w-    c:\windows\system32\drivers\aswMonFlt.sys
2013-10-09 16:00 . 2013-07-03 02:12    25088    ------w-    c:\windows\system32\dllcache\hidparse.sys
2013-10-09 16:00 . 2013-07-03 01:59    14976    ------w-    c:\windows\system32\dllcache\usbscan.sys
2013-10-09 15:59 . 2013-07-17 00:58    60160    ------w-    c:\windows\system32\dllcache\usbaudio.sys
2013-10-09 15:59 . 2013-07-17 00:58    123008    ------w-    c:\windows\system32\dllcache\usbvideo.sys
2013-10-09 15:57 . 2013-08-09 00:55    144128    ------w-    c:\windows\system32\dllcache\usbport.sys
2013-10-09 15:57 . 2013-08-09 00:55    32384    ------w-    c:\windows\system32\dllcache\usbccgp.sys
2013-10-09 15:57 . 2013-08-09 00:55    5376    ------w-    c:\windows\system32\dllcache\usbd.sys
2013-10-09 15:57 . 2009-03-18 11:02    30336    ------w-    c:\windows\system32\dllcache\usbehci.sys
2013-09-27 18:43 . 2013-09-27 18:43    --------    d-----w-    c:\program files\FileZilla FTP Client
2013-09-25 19:52 . 2013-09-29 17:49    --------    d-----w-    c:\documents and settings\W. Neal Lewis\Application Data\FileZilla
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-10-19 17:39 . 2009-03-20 00:41    57672    ----a-w-    c:\windows\system32\drivers\aswTdi.sys
2013-10-19 17:39 . 2013-02-16 21:54    774392    ----a-w-    c:\windows\system32\drivers\aswSnx.sys
2013-10-19 17:39 . 2009-03-20 00:41    35656    ----a-w-    c:\windows\system32\drivers\aswFsBlk.sys
2013-10-19 17:39 . 2009-03-20 00:41    403440    ----a-w-    c:\windows\system32\drivers\aswSP.sys
2013-10-19 17:39 . 2009-03-20 00:42    54832    ----a-w-    c:\windows\system32\drivers\aswRdr.sys
2013-10-19 17:39 . 2010-10-02 22:50    43152    ----a-w-    c:\windows\avastSS.scr
2013-10-19 17:39 . 2009-03-20 00:41    269216    ----a-w-    c:\windows\system32\aswBoot.exe
2013-10-12 04:22 . 2013-02-16 22:59    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-10-12 04:22 . 2013-02-16 22:59    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-09-23 18:33 . 2004-08-04 11:00    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-09-23 18:33 . 2004-08-04 11:00    43520    ------w-    c:\windows\system32\licmgr10.dll
2013-09-23 18:33 . 2004-08-04 11:00    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-09-23 18:33 . 2004-08-04 11:00    18944    ----a-w-    c:\windows\system32\corpol.dll
2013-09-23 18:06 . 2004-08-04 11:00    385024    ----a-w-    c:\windows\system32\html.iec
2013-09-11 18:54 . 2013-09-11 18:56    144896    ----a-w-    c:\windows\system32\javacpl.cpl
2013-09-11 18:54 . 2013-09-11 18:56    868264    ----a-w-    c:\windows\system32\npDeployJava1.dll
2013-09-11 18:54 . 2010-09-26 03:52    790440    ----a-w-    c:\windows\system32\deployJava1.dll
2013-08-29 01:31 . 2004-08-04 11:00    1878656    ----a-w-    c:\windows\system32\win32k.sys
2013-08-09 01:56 . 2004-08-04 11:00    386560    ----a-w-    c:\windows\system32\themeui.dll
2013-08-09 00:55 . 1980-01-01 06:00    144128    ----a-w-    c:\windows\system32\drivers\usbport.sys
2013-08-09 00:55 . 2004-08-04 11:00    5376    ----a-w-    c:\windows\system32\drivers\usbd.sys
2013-08-05 13:30 . 2004-08-04 11:00    1289728    ----a-w-    c:\windows\system32\ole32.dll
2013-08-01 00:26 . 2004-08-04 11:00    868528    ----a-w-    c:\windows\system32\wmvdmod.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-10-19 17:39    321752    ----a-w-    c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-02-08 26112]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2013-05-01 421888]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"StxTrayMenu"="c:\program files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 190008]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"AvastUI.exe"="c:\program files\Alwil Software\Avast5\AvastUI.exe" [2013-10-19 3567800]
.
c:\documents and settings\W. Neal Lewis\Start Menu\Programs\Startup\
GoZone iSync.lnk - c:\program files\GoZone\GoZone_iSync.exe [2013-2-18 431608]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
R0 aswRvrt;avast! Revert;c:\windows\SYSTEM32\DRIVERS\aswRvrt.sys [10/10/2013 11:17 PM 49944]
R0 aswVmm;avast! VM Monitor;c:\windows\SYSTEM32\DRIVERS\aswVmm.sys [10/10/2013 11:17 PM 178304]
R1 aswSnx;aswSnx;c:\windows\SYSTEM32\DRIVERS\aswSnx.sys [2/16/2013 4:54 PM 774392]
R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [3/19/2009 7:41 PM 403440]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [3/19/2009 7:41 PM 35656]
R2 aswMonFlt;aswMonFlt;c:\windows\SYSTEM32\DRIVERS\aswMonFlt.sys [10/10/2013 11:17 PM 70384]
R2 Seagate Sync Service;Seagate Sync Service;c:\program files\Seagate\Sync\SeaSyncServices.exe [1/18/2007 1:20 PM 24120]
.
Contents of the 'Scheduled Tasks' folder
.
2013-10-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-02-16 04:22]
.
2013-10-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2013-10-20 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\Alwil Software\Avast5\AvastEmUpdate.exe [2013-02-16 17:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://writing-well.carrie-lewis.com/
FF - ProfilePath - c:\documents and settings\W. Neal Lewis\Application Data\Mozilla\Firefox\Profiles\cpl52ifk.default\
FF - prefs.js: browser.startup.homepage - hxxp://writing-well.carrie-lewis.com/
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: !HIDDEN! 2010-10-25 22:31; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-10-20 13:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1112)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2013-10-20  13:44:07
ComboFix-quarantined-files.txt  2013-10-20 18:44
ComboFix2.txt  2013-10-20 06:07
ComboFix3.txt  2013-10-20 03:47
.
Pre-Run: 13,080,322,048 bytes free
Post-Run: 13,070,163,968 bytes free
.
- - End Of File - - E58104B57BE6F857FF074AB7AC083067
49A546210C3E024EAC559A37A6BF499A
 

 

Let me know what needs to be done next.

 

Thanks for the help.

 

Neal Lewis



#8 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 20 October 2013 - 10:12 PM


Hello

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using Add/Remove or you can use the free uninstaller from Revo (Revo does a lot better of a job).
  • Programs to remove

    • Adobe Reader 6.0.1
    • Internet Explorer Default Page
    • Java 2 Runtime Environment, SE v1.4.2_03
    • My Way Search Assistant
    • Viewpoint Media Player



Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs, double click on the program to remove.
  • When prompted if you want to uninstall, click Yes.
  • Be sure the Moderate option is selected, then click Next.
  • The program will run. If prompted again, click Yes.
  • When the built-in uninstaller is finished, click on Next.
  • Once the program has searched for leftovers, click Next.
  • Check/tick the bolded items only on the list, then click Delete.
  • When prompted, click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete.
  • When prompted, select Yes and then Next.
  • Once done, click Finish.

Update Adobe Reader
  • Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed, UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.
    • If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

      Note: When installing Foxit Reader, be careful not to install anything to do with AskBar.

Install Java:

Please go here to install Java
  • Click on the Free Java Download button
  • Click on Agree and Start Free Download
  • Click on Run
  • Click on Run again
  • Click on Install
  • When the install is complete, click on Close
Clean Out Temp Files
  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here
    • Run the installer to install the application.
    • When it gives you the option to install the Yahoo toolbar, uncheck the box next to it.
    • Run CCleaner. Default settings are fine.
    • Click Run Cleaner.
    • Close CCleaner.
Run Malwarebytes

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



Download HijackThis
  • Go here to download the HijackThis program
  • Save HijackThis to your desktop.
  • Right click on HijackThis and select "Run as Admin" (XP users just need to double click to run)
  • Click on "Do a system scan and save a logfile" (if you do not see "Do a system scan and save a logfile" then click on Main Menu)
  • Copy and paste the HijackThis report into the topic
"information and logs"
  • In your next post I need the following
    • Log From MBAM
    • report from Hijackthis
    • let me know of any problems you may have had
    • How is the computer doing now?
Gringo

#9 wnlewis

wnlewis
  • Topic Starter

  • Members
  • 14 posts

Posted 21 October 2013 - 10:09 PM

Gringo,

 

Right now the computer isn't running as well as it was, but there are several new programs trying to do stuff.

 

Revo Uninstaller did not uninstall Internet Explorer Default Page because that is not on this computer (to the best of my searching in addition to what Revo found), same for My Way Search Assistant, and Viewpoint Media Player.

 

I would really like to get rid of IE 8 but it is tied to updating Windows. So I just set Firefox to be the default browser.

 

Here is the log file from Malwarebytes:

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.10.22.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
 :: NEALSDELL [administrator]

Protection: Enabled

10/21/2013 8:45:18 PM
MBAM-log-2013-10-21 (21-02-18).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 216062
Time elapsed: 16 minute(s), 37 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (PUP.Optional.iBryte) -> No action taken.
HKLM\SOFTWARE\BROWSERSAFEGUARD (PUP.Optional.BrowserSafeGuard.A) -> No action taken.

Registry Values Detected: 1
HKLM\SOFTWARE\Browsersafeguard|sourceid (PUP.Optional.BrowserSafeGuard.A) -> Data: google_browsersafeguard-display-us-bleeping-728x90-36639128953 -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Documents and Settings\W. Neal Lewis\My Documents\Downloads\Setup(1).exe (PUP.Optional.iBryte) -> No action taken.
C:\Documents and Settings\W. Neal Lewis\My Documents\Downloads\Setup.exe (PUP.Optional.iBryte) -> No action taken.

(end)
 

 

Here is the log from HijackThis:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:32:36 PM, on 10/21/2013
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Seagate\Sync\SeaSyncServices.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\GoZone\GoZone_iSync.exe
C:\Documents and Settings\W. Neal Lewis\Desktop\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://writing-well.carrie-lewis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [AvastUI.exe] "C:\Program Files\Alwil Software\Avast5\AvastUI.exe" /nogui
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: GoZone iSync.lnk = C:\Program Files\GoZone\GoZone_iSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Java\jre7\bin\jqs.exe
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Seagate Sync Service - Seagate Technology LLC - C:\Program Files\Seagate\Sync\SeaSyncServices.exe

--
End of file - 6968 bytes

 

Thanks for the help and very quick replies.

 

Neal Lewis
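The HijackThis and Malwarebytes logs posted above are line-oriented text formats that a helper has to read by eye. As an added example (not code from the thread, from HijackThis or from Malwarebytes), here is a Python parser for both: it pulls the O4 autostart entries out of a HijackThis log, flags the "(no file)" orphans, and lists which Malwarebytes detections were left at "No action taken". The embedded sample logs are constructed from a few lines in the same format as the posted ones, with the account name replaced by a placeholder.

```python
"""Parsers for HijackThis v2.0.4 and Malwarebytes 1.x text logs.

Added example, not code from the thread, HijackThis or Malwarebytes. The two
sample logs below are constructed from a handful of lines in the same format
as the posted logs ("User" is a placeholder account name).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the HijackThis log format (one line of each type of interest).
HJT_SAMPLE = r"""Logfile of Trend Micro HijackThis v2.0.4
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: GoZone iSync.lnk = C:\Program Files\GoZone\GoZone_iSync.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
"""

# Constructed sample in the MBAM 1.75 log format.
MBAM_SAMPLE = r"""Registry Keys Detected: 2
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (PUP.Optional.iBryte) -> No action taken.
HKLM\SOFTWARE\BROWSERSAFEGUARD (PUP.Optional.BrowserSafeGuard.A) -> No action taken.

Registry Values Detected: 1
HKLM\SOFTWARE\Browsersafeguard|sourceid (PUP.Optional.BrowserSafeGuard.A) -> Data: google_browsersafeguard-display-us-bleeping-728x90-36639128953 -> No action taken.

Files Detected: 2
C:\Documents and Settings\User\My Documents\Downloads\Setup(1).exe (PUP.Optional.iBryte) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\My Documents\Downloads\Setup.exe (PUP.Optional.iBryte) -> No action taken.
"""


@dataclass
class Autostart:
    hive: str      # "HKLM", "HKCU", or "Startup" for a Startup-folder shortcut
    name: str      # Run value name, or the .lnk file name
    command: str   # command line or shortcut target


@dataclass
class Orphan:
    section: str   # HijackThis section code: "R3", "O2", "O3", ...
    kind: str      # "URLSearchHook", "BHO", "Toolbar", ...
    clsid: str     # the registered CLSID whose file is missing


@dataclass
class Detection:
    section: str         # "Registry Keys", "Registry Values", "Files", ...
    item: str            # registry key/value or file path
    classification: str  # e.g. "PUP.Optional.iBryte"
    action: str          # e.g. "No action taken"
    data: Optional[str] = None  # value data, present only for registry values


# O4 - HKLM\..\Run: [Name] command    |    O4 - Startup: name.lnk = target
_RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
_STARTUP_RE = re.compile(r"^O4 - Startup: (?P<name>.+?) = (?P<cmd>.+)$")
# Any R*/O* line whose registered component no longer exists on disk.
_ORPHAN_RE = re.compile(
    r"^(?P<sec>[RO]\d+) - (?P<kind>[^:]+): .* - (?P<clsid>\{[0-9A-Fa-f-]+\}) - \(no file\)$")
# "<Section> Detected: N" headers and "<item> (<class>) -> [Data: <d> -> ]<action>." lines
_SECTION_RE = re.compile(r"^(?P<sec>[A-Za-z ]+) Detected: (?P<n>\d+)$")
_DETECT_RE = re.compile(
    r"^(?P<item>.+?) \((?P<cls>[A-Za-z0-9.]+)\) -> (?:Data: (?P<data>.+?) -> )?(?P<action>[^.]+)\.$")


def parse_hijackthis(text: str) -> Tuple[List[Autostart], List[Orphan]]:
    """Return (autostart entries, orphaned '(no file)' registrations) from an HJT log."""
    autostart: List[Autostart] = []
    orphans: List[Orphan] = []
    for line in text.splitlines():
        line = line.strip()
        if m := _RUN_RE.match(line):
            autostart.append(Autostart(m["hive"], m["name"], m["cmd"]))
        elif m := _STARTUP_RE.match(line):
            autostart.append(Autostart("Startup", m["name"], m["cmd"]))
        elif m := _ORPHAN_RE.match(line):
            orphans.append(Orphan(m["sec"], m["kind"], m["clsid"]))
    return autostart, orphans


def parse_mbam(text: str) -> List[Detection]:
    """Return every detection line of an MBAM 1.x log, tagged with its section."""
    section, found = "", []
    for line in text.splitlines():
        line = line.strip()
        if m := _SECTION_RE.match(line):
            section = m["sec"]
        elif m := _DETECT_RE.match(line):
            found.append(Detection(section, m["item"], m["cls"], m["action"], m["data"]))
    return found


def pending(detections: List[Detection]) -> List[Detection]:
    """Detections MBAM reported but did not remove, so they are still on the machine."""
    return [d for d in detections if d.action == "No action taken"]


def summarize(detections: List[Detection]) -> Dict[str, int]:
    """Count detections per classification (family) for a quick triage view."""
    counts: Dict[str, int] = {}
    for d in detections:
        counts[d.classification] = counts.get(d.classification, 0) + 1
    return counts


if __name__ == "__main__":
    auto, orph = parse_hijackthis(HJT_SAMPLE)
    print(f"{len(auto)} autostart entries, {len(orph)} orphaned registrations")
    for d in pending(parse_mbam(MBAM_SAMPLE)):
        print(f"still present: [{d.section}] {d.item} ({d.classification})")
```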
 



#10 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 22 October 2013 - 07:02 PM


Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional.
These are programs that start up when you turn on your computer but don't need to; any of these programs you can start by clicking on their icons (or from the Control Panel) when you need them. By stopping these programs you will boot up faster and your computer will work faster.
  • Run HijackThis (rightclick and run as admin)
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
      O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
      O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
      O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
      O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
      O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
      O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
      O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
      O4 - Startup: GoZone iSync.lnk = C:\Program Files\GoZone\GoZone_iSync.exe


  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.
    • NOTE**You can research each of those lines >here< and see if you want to keep them or not
      just copy the name between the brackets and paste into the search space
      O4 - HKLM\..\Run: [IntelliPoint]


Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan. Vista and Win 7: right-click on the IE shortcut and run as admin.

Go to the Eset web page to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the add-on to be installed
    • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options
    • Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.

  • Click Scan
  • Wait for the virus definitions to be downloaded
  • Wait for the scan to finish
When the scan is complete
  • If no threats were found
    • put a checkmark in "Uninstall application on close"
    • close program
    • report to me that nothing was found
  • If threats were found
    • click on "list of threats found"
    • click on "export to text file" and save it as ESET SCAN and save to the desktop
    • Click on back
    • put a checkmark in "Uninstall application on close"
    • click on finish
    • close program
    • copy and paste the report here
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 wnlewis
  • Topic Starter
  • Members
  • 14 posts

Posted 23 October 2013 - 07:35 AM

Gringo,

Bad news. I forgot to turn Avast! back on late Monday. By Tuesday, Firefox would not start.

I used Internet Explorer on Tuesday (not realizing Avast! was still off). Internet Explorer was not working well but it still worked.

Internet Explorer will not come up completely now and Avast! will not work (the Avast! control panel comes up but there is no way I can get it to connect or to start).

I tried ASWmbr and it got stopped.

Any suggestions?

Neal



#12 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 24 October 2013 - 12:11 AM


Hello Neal

I would like you to download an updated version of combofix.

update combofix
  • Delete the version of combofix you have now on your desktop and download a new one from here. **Note: It is important that it is saved directly to your desktop**

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    Double click on combofix.exe & follow the prompts.
    When finished, it will produce a report for you.

    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"
  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?
Gringo

#13 wnlewis
  • Topic Starter
  • Members
  • 14 posts

Posted 24 October 2013 - 05:45 PM

Gringo,

I am back on the Dell for this post. The previous one was from my Mac since it was the only computer running (3 PCs and 1 Mac).

Firefox had been totally disabled (would not even come up). IE would come up but would not finish loading. Avast! (which had been left turned off) had been disabled.

I started in Safe Mode without internet connection and ran the only malware program that would work, Malwarebytes. I then ran ASWmbr. ASWmbr repaired some problems but was not able to get rid of the Win 32 malware.

I then started again in Safe Mode and downloaded Avast!

With Avast! running I was able to get IE back up and running. I then did a boot level scan with Avast! Instead of 4 instances of Win 32 I now have between 10 and 12 instances of infected files at the root level. Avast! was not able to clean the infections.

I then downloaded Firefox and then downloaded ComboFix.

Here is the log from ComboFix.

ComboFix 13-10-24.01 - W. Neal Lewis 10/24/2013  16:59:03.1.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.510.149 [GMT -5:00]
Running from: c:\documents and settings\W. Neal Lewis\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Bitdefender Antivirus Free Edition *Enabled/Updated* {9488E0FA-F058-4673-850E-E755F112BABC}
FW:  *Enabled* {9488E0FA-F058-4673-850E-E755F112BABC}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\MyWaySA
C:\RECYCLER(2)
c:\recycler(2)\S-1-5-21-3428148793-1125985912-2954510025-1006(2)\INFO2
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((((   Files Created from 2013-09-24 to 2013-10-24  )))))))))))))))))))))))))))))))
.
.
2013-10-24 11:35 . 2013-10-24 11:38    --------    d-----w-    c:\program files\Google
2013-10-24 11:35 . 2013-10-24 11:44    --------    d-----w-    c:\documents and settings\W. Neal Lewis\Local Settings\Application Data\Google
2013-10-24 11:28 . 2013-10-24 11:28    403440    ----a-w-    c:\windows\system32\drivers\slqtjnob.sys
2013-10-24 03:18 . 2013-10-24 03:21    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-10-24 03:18 . 2013-04-04 19:50    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-10-23 02:52 . 2013-10-23 02:52    --------    d-----w-    c:\windows\system32\wbem\Repository
2013-10-23 02:46 . 2013-10-23 02:46    --------    d-----w-    c:\documents and settings\All Users\Application Data\Viewpoint
2013-10-23 02:46 . 2013-10-23 02:46    --------    d-----w-    c:\program files\Viewpoint
2013-10-22 03:22 . 2013-10-22 03:22    --------    d-----w-    c:\documents and settings\W. Neal Lewis\Local Settings\Application Data\Sun
2013-10-19 18:23 . 2013-10-19 18:23    --------    d-----w-    c:\windows\ERUNT
2013-10-19 17:48 . 2013-10-19 17:48    --------    d-----w-    c:\documents and settings\W. Neal Lewis\Application Data\AVAST Software
2013-10-19 17:31 . 2013-10-19 17:31    --------    d-----w-    c:\documents and settings\All Users\Application Data\AVAST Software
2013-10-19 17:12 . 2013-10-19 18:03    --------    d-----w-    C:\AdwCleaner
2013-10-18 03:54 . 2013-10-18 03:54    --------    d-----w-    c:\documents and settings\LocalService\Application Data\QuickScan
2013-10-18 03:45 . 2013-10-18 03:45    224222    ----a-w-    c:\documents and settings\All Users\Application Data\1382067374.bdinstall.bin
2013-10-18 03:43 . 2013-10-18 03:43    0    ----a-w-    c:\windows\system32\drivers\avchv.sys
2013-10-18 03:43 . 2013-04-17 19:59    633344    ----a-w-    c:\windows\system32\drivers\avc3.sys
2013-10-18 03:43 . 2013-04-17 19:59    486536    ----a-w-    c:\windows\system32\drivers\avckf.sys
2013-10-18 03:39 . 2013-10-18 03:39    --------    d-----w-    c:\documents and settings\W. Neal Lewis\Application Data\QuickScan
2013-10-18 03:38 . 2013-10-23 02:45    --------    d-----w-    c:\program files\Bitdefender
2013-10-18 03:38 . 2013-04-22 18:20    164952    ----a-w-    c:\windows\system32\drivers\gzflt.sys
2013-10-18 03:37 . 2013-05-28 17:11    355744    ----a-w-    c:\windows\system32\drivers\trufos.sys
2013-10-16 03:33 . 2013-10-16 03:33    --------    d-----w-    C:\TDSSKiller_Quarantine
2013-10-15 23:26 . 2013-10-23 02:52    --------    d-----w-    c:\documents and settings\Administrator
2013-10-12 20:38 . 2013-10-12 20:38    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-10-12 20:34 . 2013-10-12 20:34    105176    ----a-w-    c:\windows\system32\drivers\48230029.sys
2013-10-12 20:33 . 2013-10-12 20:33    47064    ----a-w-    c:\windows\system32\drivers\6F712994.sys
2013-10-12 18:14 . 2013-10-23 01:46    --------    d-----w-    c:\program files\Mozilla Thunderbird
2013-10-12 05:19 . 2013-10-12 05:19    --------    d-----w-    c:\documents and settings\W. Neal Lewis\Application Data\Apple Computer
2013-10-12 04:33 . 2013-10-12 04:34    --------    d-----w-    c:\program files\QuickTime
2013-10-12 04:33 . 2013-10-12 04:33    --------    d-----w-    c:\documents and settings\All Users\Application Data\Apple Computer
2013-10-12 04:32 . 2013-10-12 04:32    --------    d-----w-    c:\program files\Common Files\Apple
2013-10-12 04:32 . 2013-10-12 04:32    --------    d-----w-    c:\documents and settings\W. Neal Lewis\Local Settings\Application Data\Apple
2013-10-12 04:32 . 2013-10-12 04:32    --------    d-----w-    c:\program files\Apple Software Update
2013-10-12 04:32 . 2013-10-12 04:32    --------    d-----w-    c:\documents and settings\All Users\Application Data\Apple
2013-10-12 04:31 . 2013-10-12 04:31    --------    d-----w-    c:\documents and settings\W. Neal Lewis\Local Settings\Application Data\Apple Computer
2013-10-11 17:28 . 2013-10-11 17:28    --------    d-----w-    c:\documents and settings\W. Neal Lewis\Application Data\Malwarebytes
2013-10-11 17:28 . 2013-10-11 17:28    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes
2013-10-11 04:17 . 2013-10-24 11:34    178304    ----a-w-    c:\windows\system32\drivers\aswVmm.sys
2013-10-11 04:17 . 2013-10-24 11:34    49944    ----a-w-    c:\windows\system32\drivers\aswRvrt.sys
2013-10-11 04:17 . 2013-10-24 11:34    70384    ----a-w-    c:\windows\system32\drivers\aswMonFlt.sys
2013-10-09 16:00 . 2013-07-03 02:12    25088    ------w-    c:\windows\system32\dllcache\hidparse.sys
2013-10-09 16:00 . 2013-07-03 01:59    14976    ------w-    c:\windows\system32\dllcache\usbscan.sys
2013-10-09 15:59 . 2013-07-17 00:58    60160    ------w-    c:\windows\system32\dllcache\usbaudio.sys
2013-10-09 15:59 . 2013-07-17 00:58    123008    ------w-    c:\windows\system32\dllcache\usbvideo.sys
2013-10-09 15:57 . 2013-08-09 00:55    144128    ------w-    c:\windows\system32\dllcache\usbport.sys
2013-10-09 15:57 . 2013-08-09 00:55    32384    ------w-    c:\windows\system32\dllcache\usbccgp.sys
2013-10-09 15:57 . 2013-08-09 00:55    5376    ------w-    c:\windows\system32\dllcache\usbd.sys
2013-10-09 15:57 . 2009-03-18 11:02    30336    ------w-    c:\windows\system32\dllcache\usbehci.sys
2013-09-27 18:43 . 2013-09-27 18:43    --------    d-----w-    c:\program files\FileZilla FTP Client
2013-09-25 19:52 . 2013-10-22 00:59    --------    d-----w-    c:\documents and settings\W. Neal Lewis\Application Data\FileZilla
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-10-24 11:34 . 2009-03-20 00:41    57672    ----a-w-    c:\windows\system32\drivers\aswTdi.sys
2013-10-24 11:34 . 2009-03-20 00:41    403440    ----a-w-    c:\windows\system32\drivers\aswSP.sys
2013-10-24 11:34 . 2013-02-16 21:54    774392    ----a-w-    c:\windows\system32\drivers\aswSnx.sys
2013-10-24 11:34 . 2009-03-20 00:42    54832    ----a-w-    c:\windows\system32\drivers\aswRdr.sys
2013-10-24 11:34 . 2009-03-20 00:41    35656    ----a-w-    c:\windows\system32\drivers\aswFsBlk.sys
2013-10-24 11:34 . 2010-10-02 22:50    43152    ----a-w-    c:\windows\avastSS.scr
2013-10-24 11:34 . 2009-03-20 00:41    269216    ----a-w-    c:\windows\system32\aswBoot.exe
2013-10-12 04:22 . 2013-02-16 22:59    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-10-12 04:22 . 2013-02-16 22:59    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-09-23 18:33 . 2004-08-04 11:00    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-09-23 18:33 . 2004-08-04 11:00    43520    ------w-    c:\windows\system32\licmgr10.dll
2013-09-23 18:33 . 2004-08-04 11:00    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-09-23 18:33 . 2004-08-04 11:00    18944    ----a-w-    c:\windows\system32\corpol.dll
2013-09-23 18:06 . 2004-08-04 11:00    385024    ----a-w-    c:\windows\system32\html.iec
2013-09-11 18:54 . 2013-09-11 18:56    144896    ----a-w-    c:\windows\system32\javacpl.cpl
2013-09-11 18:54 . 2013-09-11 18:56    868264    ----a-w-    c:\windows\system32\npDeployJava1.dll
2013-09-11 18:54 . 2010-09-26 03:52    790440    ----a-w-    c:\windows\system32\deployJava1.dll
2013-08-29 01:31 . 2004-08-04 11:00    1878656    ----a-w-    c:\windows\system32\win32k.sys
2013-08-09 01:56 . 2004-08-04 11:00    386560    ----a-w-    c:\windows\system32\themeui.dll
2013-08-09 00:55 . 1980-01-01 06:00    144128    ----a-w-    c:\windows\system32\drivers\usbport.sys
2013-08-09 00:55 . 2004-08-04 11:00    5376    ----a-w-    c:\windows\system32\drivers\usbd.sys
2013-08-05 13:30 . 2004-08-04 11:00    1289728    ----a-w-    c:\windows\system32\ole32.dll
2013-08-01 00:26 . 2004-08-04 11:00    868528    ----a-w-    c:\windows\system32\wmvdmod.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-10-24 11:33    321752    ----a-w-    c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-02-08 26112]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2013-05-01 421888]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"StxTrayMenu"="c:\program files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 190008]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"AvastUI.exe"="c:\program files\Alwil Software\Avast5\AvastUI.exe" [2013-10-24 3567800]
.
c:\documents and settings\W. Neal Lewis\Start Menu\Programs\Startup\
GoZone iSync.lnk - c:\program files\GoZone\GoZone_iSync.exe [2013-2-18 431608]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
R0 aswRvrt;avast! Revert;c:\windows\SYSTEM32\DRIVERS\aswRvrt.sys [10/10/2013 11:17 PM 49944]
R0 aswVmm;avast! VM Monitor;c:\windows\SYSTEM32\DRIVERS\aswVmm.sys [10/10/2013 11:17 PM 178304]
R0 avc3;avc3;c:\windows\SYSTEM32\DRIVERS\avc3.sys [10/17/2013 10:43 PM 633344]
R1 aswSnx;aswSnx;c:\windows\SYSTEM32\DRIVERS\aswSnx.sys [2/16/2013 4:54 PM 774392]
R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [3/19/2009 7:41 PM 403440]
R1 gzflt;gzflt;c:\windows\SYSTEM32\DRIVERS\gzflt.sys [10/17/2013 10:38 PM 164952]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [3/19/2009 7:41 PM 35656]
R2 aswMonFlt;aswMonFlt;c:\windows\SYSTEM32\DRIVERS\aswMonFlt.sys [10/10/2013 11:17 PM 70384]
R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [10/23/2013 10:18 PM 22856]
S0 huinche;huinche;c:\windows\system32\drivers\pnylidh.sys --> c:\windows\system32\drivers\pnylidh.sys [?]
S3 avckf;avckf;c:\windows\SYSTEM32\DRIVERS\avckf.sys [10/17/2013 10:43 PM 486536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-10-24 11:38    1185744    ----a-w-    c:\program files\Google\Chrome\Application\30.0.1599.101\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-10-24 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-02-16 04:22]
.
2013-10-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2013-10-24 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\Alwil Software\Avast5\AvastEmUpdate.exe [2013-02-16 11:33]
.
2013-10-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-10-24 11:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://writing-well.carrie-lewis.com/
TCP: DhcpNameServer = 68.94.156.1 68.94.157.1
FF - ProfilePath - c:\documents and settings\W. Neal Lewis\Application Data\Mozilla\Firefox\Profiles\cpl52ifk.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/?fr=fp-yff24
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-yff24&p=
FF - ExtSQL: 2013-10-24 16:01; {635abd67-4fe9-1b23-4f01-e679fa7484c1}; c:\documents and settings\W. Neal Lewis\Application Data\Mozilla\Firefox\Profiles\cpl52ifk.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - ExtSQL: !HIDDEN! 2010-10-25 22:31; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-BrowserSafeguard - c:\program files\Browsersafeguard\Browsersafeguard.exe
HKLM-RunOnce-Browsersafeguard-pitch FF:0 - c:\program files\Browsersafeguard\Resources\certutil.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-10-24 17:15
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2013-10-24  17:20:15
ComboFix-quarantined-files.txt  2013-10-24 22:20
ComboFix2.txt  2013-10-20 18:44
ComboFix3.txt  2013-10-20 06:07
ComboFix4.txt  2013-10-20 03:47
.
Pre-Run: 9,688,113,152 bytes free
Post-Run: 9,886,666,752 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 24DBD90301573F5403A565B23B6A8CAF
49A546210C3E024EAC559A37A6BF499A

I think I need to get a restore CD and do a restore of the operating system, then go in with an antivirus program on a bootable CD to get rid of the root level infection. And then probably run the restore again.

After that I need an antivirus protection program that can prevent any future infections at the root level.

If that is the wrong approach, please let me know. But right now, things seem to be worse than they were when I started.

Thanks for hanging in on this.

Neal
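A triage helper for the ComboFix log format above, added here as an example; it is not ComboFix's, BleepingComputer's or the poster's code. It parses the "Files Created" lines and the R0/R1/S0/S3 service lines in the layout shown in that log, reports services whose binary ComboFix marks as missing on disk (the `--> path [?]` form, as on the huinche / pnylidh.sys line) and lists newly created .sys drivers that no listed service references, so the analyst has a concrete research list. The sample lines are copied from the log in this post; the field layout is assumed from those lines.

```python
"""Parse two sections of a ComboFix report and produce a research list.

Added example, not ComboFix's or the poster's code. Assumes the field layout
seen in the log posted in this thread:
  Files Created:  <created> . <modified>  <size|-------->  <attrs>  <path>
  Services:       <R0|S0...> <name>;<display>;<path> [<date time size>]
                  or ... <path> --> <path> [?]   (file not found on disk)
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a subset of the ComboFix lines from this post.
SAMPLE_LOG = r"""
2013-10-24 11:28 . 2013-10-24 11:28    403440    ----a-w-    c:\windows\system32\drivers\slqtjnob.sys
2013-10-24 03:18 . 2013-04-04 19:50    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-10-18 03:43 . 2013-10-18 03:43    0    ----a-w-    c:\windows\system32\drivers\avchv.sys
2013-10-12 20:34 . 2013-10-12 20:34    105176    ----a-w-    c:\windows\system32\drivers\48230029.sys
2013-10-11 04:17 . 2013-10-24 11:34    178304    ----a-w-    c:\windows\system32\drivers\aswVmm.sys
2013-10-24 11:35 . 2013-10-24 11:38    --------    d-----w-    c:\program files\Google
R0 aswVmm;avast! VM Monitor;c:\windows\SYSTEM32\DRIVERS\aswVmm.sys [10/10/2013 11:17 PM 178304]
R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [10/23/2013 10:18 PM 22856]
S0 huinche;huinche;c:\windows\system32\drivers\pnylidh.sys --> c:\windows\system32\drivers\pnylidh.sys [?]
"""

FILE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d)\s+(\S+)\s+(\S+)\s+(.+)$"
)
SVC_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+)$")
MISSING_RE = re.compile(r"^(.*?) --> .*\[\?\]$")   # ComboFix's "file not found" form
PRESENT_RE = re.compile(r"^(.*?) \[(.*)\]$")        # path followed by [date time size]


@dataclass
class CreatedFile:
    created: str
    modified: str
    size: Optional[int]   # None for directories (ComboFix prints "--------")
    attrs: str
    path: str


@dataclass
class ServiceEntry:
    start: str            # R0..R3 = running, S0..S4 = registered but not running
    name: str
    display: str
    path: str
    present: bool         # False when ComboFix appended "--> path [?]"


def parse_combofix(text: str) -> Tuple[List[CreatedFile], List[ServiceEntry]]:
    """Pick out Files Created lines and service lines; ignore everything else."""
    files: List[CreatedFile] = []
    services: List[ServiceEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            size = None if m.group(3).startswith("-") else int(m.group(3))
            files.append(CreatedFile(m.group(1), m.group(2), size, m.group(4), m.group(5)))
            continue
        m = SVC_RE.match(line)
        if m:
            start, name, display, rest = m.groups()
            miss = MISSING_RE.match(rest)
            if miss:
                services.append(ServiceEntry(start, name, display, miss.group(1), False))
            else:
                pres = PRESENT_RE.match(rest)
                services.append(ServiceEntry(start, name, display,
                                             pres.group(1) if pres else rest, True))
    return files, services


def missing_service_binaries(services: List[ServiceEntry]) -> List[str]:
    """Services still registered whose driver/executable is no longer on disk."""
    return [s.name for s in services if not s.present]


def unreferenced_new_drivers(files: List[CreatedFile],
                             services: List[ServiceEntry]) -> List[str]:
    """Newly created .sys files under drivers\\ that no listed service points at."""
    referenced = {ntpath.basename(s.path).lower() for s in services}
    out = []
    for f in files:
        base = ntpath.basename(f.path).lower()
        if base.endswith(".sys") and "\\drivers\\" in f.path.lower() and base not in referenced:
            out.append(f.path)
    return out


if __name__ == "__main__":
    files, services = parse_combofix(SAMPLE_LOG)
    print("services with missing binary:", missing_service_binaries(services))
    print("new drivers with no visible service:")
    for p in unreferenced_new_drivers(files, services):
        print("  ", p)
```

Everything on the second list is a research item, not a verdict: ComboFix does not print legitimate default entries, so a driver with no visible service may be loaded by an entry it chose not to show, and slqtjnob.sys in this log has exactly the size of aswSP.sys (403440 bytes) in the Find3M section, which is worth checking against the vendor before anything is deleted. The missing-binary case is the clearer signal: a registered start-at-boot driver whose file is gone is the usual leftover after a removal tool (or the malware itself) deleted the file and left the service registration behind.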



#14 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 24 October 2013 - 10:09 PM


Hello Neal

I would like you to try and run these next.

TDSSKiller

Please download the latest version of TDSSKiller from here and save it to your Desktop.
  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • More than one report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". The one that I need is the larger one. Please copy and paste the contents of that file here.

    Note** this report can be very long, so if the website gives you an error saying it is too long you may attach it.

    If the forum still complains about it being too long, send me everything that is at the end of the report after where it says

    ==================
    Scan finished
    ==================
and I will see if I want to see the whole report

--RogueKiller--

Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • the scan will make two reports the one I would like to see is called RKreport[2].txt on your Desktop
  • Exit/Close RogueKiller
send me the reports made from TDSSKiller and Roguekiller and also let me know how the computer is doing at this time.

Gringo

#15 wnlewis
  • Topic Starter
  • Members
  • 14 posts

Posted 25 October 2013 - 01:35 AM

Gringo,

I have not operated the computer doing regular stuff enough to know if it is doing better. I will check and find out.

Here is the last part of the log from TDSSKiller. It did not find any malicious items, only suspicious. The log was too long.

01:01:49.0015 0x04d0  Scan finished
01:01:49.0015 0x04d0  ============================================================
01:01:49.0062 0x029c  Detected object count: 4
01:01:49.0062 0x029c  Actual detected object count: 4
01:02:40.0578 0x029c  drvmcdb ( UnsignedFile.Multi.Generic ) - skipped by user
01:02:40.0578 0x029c  drvmcdb ( UnsignedFile.Multi.Generic ) - User select action: Skip
01:02:40.0578 0x029c  NetSvc ( UnsignedFile.Multi.Generic ) - skipped by user
01:02:40.0578 0x029c  NetSvc ( UnsignedFile.Multi.Generic ) - User select action: Skip
01:02:40.0578 0x029c  tfsnifs ( UnsignedFile.Multi.Generic ) - skipped by user
01:02:40.0578 0x029c  tfsnifs ( UnsignedFile.Multi.Generic ) - User select action: Skip
01:02:40.0578 0x029c  tfsnudf ( UnsignedFile.Multi.Generic ) - skipped by user
01:02:40.0578 0x029c  tfsnudf ( UnsignedFile.Multi.Generic ) - User select action: Skip
01:06:41.0062 0x06b0  Deinitialize success
 

Here is the log from RogueKiller for 32 bit:

RogueKiller V8.7.5 [Oct 22 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : W. Neal Lewis [Admin rights]
Mode : Remove -- Date : 10/25/2013 01:16:00
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 5 ¤¤¤
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> REPLACED (1)
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> REPLACED (1)
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> REPLACED (1)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) WDC WD400BB-75JHA0 +++++
--- User ---
[MBR] 33ac3232519c928d946e86744f219b3e
[BSP] 072e4731d9c3b0fb7639b8c568ab1145 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 31 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 64260 | Size: 35126 Mo
2 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 72003330 | Size: 2980 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_D_10252013_011600.txt >>
RKreport[0]_S_10252013_011434.txt



If that is not the right report, please let me know.

Thanks,

Neal
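As an added example (not TDSSKiller's, HijackThis's or the poster's code), here is a small Python triage that parses the TDSSKiller tail above and cross-references each detected service name with HijackThis O23 lines from the log earlier in this thread, so a "Skip" on an unsigned-file verdict can be read next to the vendor and path that registered the service. It assumes the line layouts shown in those two logs, and it treats verdicts beginning with `UnsignedFile.` or `LockedFile.` as heuristic (suspicious) rather than malware-family names; that prefix list is my assumption from the verdict names seen in such logs. The sample lines are copied from this thread.

```python
"""Summarise a TDSSKiller scan tail and match detections against HijackThis O23 lines.

Added example: not TDSSKiller's, HijackThis's or the poster's code.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the TDSSKiller tail posted above.
TDSS_SAMPLE = """
01:01:49.0015 0x04d0  Scan finished
01:01:49.0015 0x04d0  ============================================================
01:01:49.0062 0x029c  Detected object count: 4
01:01:49.0062 0x029c  Actual detected object count: 4
01:02:40.0578 0x029c  drvmcdb ( UnsignedFile.Multi.Generic ) - skipped by user
01:02:40.0578 0x029c  drvmcdb ( UnsignedFile.Multi.Generic ) - User select action: Skip
01:02:40.0578 0x029c  NetSvc ( UnsignedFile.Multi.Generic ) - skipped by user
01:02:40.0578 0x029c  NetSvc ( UnsignedFile.Multi.Generic ) - User select action: Skip
01:02:40.0578 0x029c  tfsnifs ( UnsignedFile.Multi.Generic ) - skipped by user
01:02:40.0578 0x029c  tfsnifs ( UnsignedFile.Multi.Generic ) - User select action: Skip
01:02:40.0578 0x029c  tfsnudf ( UnsignedFile.Multi.Generic ) - skipped by user
01:02:40.0578 0x029c  tfsnudf ( UnsignedFile.Multi.Generic ) - User select action: Skip
01:06:41.0062 0x06b0  Deinitialize success
"""

# Constructed sample: two O23 lines from the HijackThis log earlier in the thread.
HJT_SAMPLE = r"""
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
"""

TDSS_LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+)\s+(0x[0-9a-fA-F]+)\s+(.*)$")
DETECTION_RE = re.compile(r"^(\S+) \( ([^)]+) \) - (.*)$")
COUNT_RE = re.compile(r"^(Actual )?[Dd]etected object count: (\d+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - (?P<vendor>.+?) - (?P<path>.+)$"
)
# Verdict prefixes TDSSKiller uses for heuristic "suspicious" objects (assumption
# from the verdict names seen in its logs), as opposed to named malware families.
SUSPICIOUS_PREFIXES = ("UnsignedFile.", "LockedFile.")


@dataclass
class Detection:
    name: str
    verdict: str
    events: List[str] = field(default_factory=list)

    def final_action(self) -> Optional[str]:
        """The action TDSSKiller recorded for the object (Skip, Cure, Delete...)."""
        for ev in self.events:
            if ev.startswith("User select action: "):
                return ev.split(": ", 1)[1]
        return None

    def suspicious_only(self) -> bool:
        return self.verdict.startswith(SUSPICIOUS_PREFIXES)


@dataclass
class ScanSummary:
    declared_count: Optional[int] = None
    actual_count: Optional[int] = None
    detections: Dict[str, Detection] = field(default_factory=dict)  # log order


def parse_tdsskiller(text: str) -> ScanSummary:
    """Collect object counts and per-object events from the timestamped lines."""
    summary = ScanSummary()
    for raw in text.splitlines():
        m = TDSS_LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group(3)
        c = COUNT_RE.match(msg)
        if c:
            if c.group(1):
                summary.actual_count = int(c.group(2))
            else:
                summary.declared_count = int(c.group(2))
            continue
        d = DETECTION_RE.match(msg)
        if d:
            name, verdict, event = d.groups()
            det = summary.detections.setdefault(name, Detection(name, verdict))
            det.events.append(event)
    return summary


def parse_hijackthis_o23(text: str) -> Dict[str, Dict[str, str]]:
    """Index O23 service lines by short service name (display name when absent)."""
    out: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        m = O23_RE.match(raw.strip())
        if m:
            key = (m.group("short") or m.group("display")).lower()
            out[key] = {"display": m.group("display"),
                        "vendor": m.group("vendor"), "path": m.group("path")}
    return out


def triage(summary: ScanSummary, services: Dict[str, Dict[str, str]]) -> List[dict]:
    """One row per detection with its verdict class, final action and O23 match."""
    return [{
        "name": det.name,
        "verdict": det.verdict,
        "action": det.final_action(),
        "suspicious_only": det.suspicious_only(),
        "o23": services.get(det.name.lower()),   # None for kernel drivers not in O23
    } for det in summary.detections.values()]


if __name__ == "__main__":
    rows = triage(parse_tdsskiller(TDSS_SAMPLE), parse_hijackthis_o23(HJT_SAMPLE))
    for r in rows:
        src = f'{r["o23"]["vendor"]} ({r["o23"]["path"]})' if r["o23"] else "no O23 entry"
        print(f'{r["name"]:10} {r["verdict"]:28} {r["action"]:5} heuristic={r["suspicious_only"]} {src}')
```

In this log every object is an unsigned-file heuristic hit that was skipped, so nothing was changed on disk by this scan; the O23 match shows NetSvc is the Intel NCS NetService listed earlier in the thread, while drvmcdb, tfsnifs and tfsnudf have no O23 line (O23 lists Win32 services, not kernel drivers) and are the ones to look up by name before deciding on a Cure or Delete.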





