AVG detected Trojan Horse Generic34.BSLL, no internet access


  • This topic is locked
12 replies to this topic

#1 xy32

  • Members
  • 7 posts

Posted 05 November 2013 - 02:25 PM

My work has an old computer running Windows XP that I have been asked to see if I can get working. Apparently someone else had been attempting to fix it with no success. Since there's nothing on it I have free rein to do whatever. The information I was given from the previous person is as follows:

Computer was re-directing to gaming websites and a gaming program kept reappearing even though it was uninstalled several times.

Computer was supposed to have Microsoft Security Essentials, but MSE was not working, attempted to uninstall and re-install, but got error code 0x80070643 during re-install.

Cannot access Windows firewall.

Cannot access Windows update.

Ran Windows Fix-it and was able to access updates, but still could not install MSE.

Installed AVG

AVG detected a Trojan Horse Generic34.BSLL in c:\System Volume Information\_restore{1D6CD17C-C960-432C-8914-252CC2F9466D}\RP308\A0022430.ini

Removed virus, still unable to access firewall or install MSE

Game program appeared again, but AVG did not detect any viruses.

I guess they then tried to run Junkware Removal Tool, because I found a log for it on the desktop. I also discovered the internet doesn't work, though as far as I can tell all the network settings are fine. From the log, I think this is because of Junkware. Log is posted below.

I have no idea what to do about this, especially with no internet. Help?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.7 (10.15.2013:3)
OS: Microsoft Windows XP x86
Ran by Owner on Mon 11/04/2013 at  9:45:40.46
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
Successfully deleted: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\browsersafeguard
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] "C:\Program Files\browsersafeguard"
Successfully deleted: [Folder] "C:\Program Files\social privacy"
 
 
 
~~~ Chrome
 
Successfully deleted: [Folder] C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 11/04/2013 at  9:55:48.90
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
#2 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 06 November 2013 - 04:47 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Scan with DDS

Download DDS and save it to your desktop from here or here or here.

Disable any script blocker, and then double click dds.scr to run the tool.

When done, DDS will open two (2) logs:

DDS.txt: save to your desktop then post its contents in your topic
Attach.txt: save to your desktop then attach it to your next reply

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Scan with Farbar's Service Scanner

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender

  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 xy32

  • Topic Starter
  • Members
  • 7 posts

Posted 06 November 2013 - 11:45 AM

Hi Marius! Thank you for your help!

Here are the reports. When I ran Farbar Service Scanner it gave me a message that said "Cannot find the FSS.txt file. Do you want to create a new file?" but when I selected yes it just opened a blank .txt document, so there is no report for that one.

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.6001.18702
Run by Owner at 9:57:05 on 2013-11-06
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1023.687 [GMT -6:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ================
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\AVG\AVG2014\avgui.exe
C:\Program Files\AVG\AVG2014\avgwdsvc.exe
C:\WINDOWS\Installer\MSI89.tmp
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
uProxyServer = hxxp=127.0.0.1:1037;https=127.0.0.1:1037
uProxyOverride = <-loopback>
uURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
BHO: Social Privacy: {91FBEA5C-E3C7-42EA-8C2B-B168189AB5BE} - 
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [AVG_UI] "c:\program files\avg\avg2014\avgui.exe" /TRAYONLY
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B479199A-1242-4E3C-AD81-7F0DF801B4AE} - hxxp://download.microsoft.com/download/C/9/C/C9C3D86D-84AC-4AF0-8584-842756A66467/MicrosoftDownloadManager.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{E3166D10-0D18-468C-8914-632C0D37BA6D} : DHCPNameServer = 192.168.1.254
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LMIinit - LMIinit.dll
AppInit_DLLs=  
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\30.0.1599.101\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2013-9-2 145720]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2013-9-2 223032]
R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2013-8-20 102200]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2013-9-8 27448]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-6-18 211560]
R1 Avgdiskx;AVG Disk Driver;c:\windows\system32\drivers\avgdiskx.sys [2013-9-25 120632]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2013-9-2 209208]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2013-9-10 22840]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2013-9-2 176952]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2013-8-1 193848]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2014\avgwdsvc.exe [2013-9-25 301152]
R2 Level Quality Watcher;Level Quality Watcher;c:\windows\installer\msi89.tmp run sourceguid=422332b5-f3a6-47f6-93ef-792299ef24dc --> c:\windows\installer\MSI89.tmp run sourceguid=422332B5-F3A6-47F6-93EF-792299EF24DC [?]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2013-3-15 47640]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2014\avgidsagent.exe [2013-10-3 3538480]
S2 ca82e1a5;Optimizer Pro Crash Monitor;"c:\progra~1\optimi~1\optprocrash.exe" --> c:\progra~1\optimi~1\OptProCrash.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2013-11-05 15:45:38 -------- d-----w- c:\windows\ERUNT
2013-11-05 15:29:12 -------- d-----w- C:\AdwCleaner
2013-11-05 15:16:39 -------- d-----w- c:\program files\Level Quality Watcher
2013-11-05 15:13:32 -------- d-----w- c:\program files\sp
2013-11-04 22:21:31 -------- d-----w- c:\documents and settings\owner\application data\AVG2014
2013-11-04 22:17:56 -------- d--h--w- C:\$AVG
2013-11-04 22:17:55 -------- d-----w- c:\documents and settings\all users\application data\AVG2014
2013-11-04 22:16:52 -------- d-----w- c:\documents and settings\owner\local settings\application data\Avg2014
2013-11-04 20:36:46 -------- d-----w- c:\program files\Microsoft Download Manager
2013-11-04 19:47:16 -------- d-----w- c:\windows\system32\winrm
2013-11-04 19:47:16 -------- d-----w- c:\windows\system32\GroupPolicy
2013-11-04 19:47:09 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2013-11-04 17:59:46 -------- d-----w- c:\program files\VS Revo Group
2013-11-04 16:00:19 -------- d-----w- c:\documents and settings\owner\application data\AVG
2013-11-04 15:57:45 -------- d-----w- c:\documents and settings\all users\application data\AVG
2013-11-04 15:56:39 -------- d-sh--w- c:\documents and settings\all users\application data\{01BD4FC9-2F86-4706-A62E-774BB7E9D308}
2013-10-28 15:03:11 7796464 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{40d819e7-8d35-4c24-b4f3-f0ff0413949a}\mpengine.dll
2013-10-24 14:16:50 7796464 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-10-16 13:29:46 -------- d-----w- c:\documents and settings\owner\local settings\application data\cache
2013-10-16 13:29:20 -------- d-----w- c:\documents and settings\owner\local settings\application data\Mobogenie
2013-10-16 13:24:16 -------- d-----w- c:\program files\Mobogenie
2013-10-12 03:21:27 5376 -c----w- c:\windows\system32\dllcache\usbd.sys
2013-10-12 03:21:27 30336 -c----w- c:\windows\system32\dllcache\usbehci.sys
2013-10-12 03:21:27 144128 -c----w- c:\windows\system32\dllcache\usbport.sys
2013-10-12 03:20:50 25088 -c----w- c:\windows\system32\dllcache\hidparse.sys
2013-10-12 03:20:49 14976 -c----w- c:\windows\system32\dllcache\usbscan.sys
2013-10-12 02:24:06 275696 ----a-w- c:\windows\system32\mucltui.dll
2013-10-12 02:24:06 214256 ----a-w- c:\windows\system32\muweb.dll
2013-10-12 02:24:06 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2013-10-12 02:10:34 -------- d-----w- c:\documents and settings\owner\local settings\application data\Google
2013-10-12 01:26:53 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-10-12 01:21:09 -------- d-----w- c:\program files\Microsoft Security Client
2013-10-12 01:18:44 -------- d-----w- c:\documents and settings\owner\application data\TuneUp Software
2013-10-12 01:03:46 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2013-10-12 01:03:46 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2013-10-11 19:54:58 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2013-10-11 19:54:58 21504 ----a-w- c:\windows\system32\hidserv.dll
2013-10-11 19:54:53 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2013-10-11 19:54:53 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2013-10-11 19:54:34 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2013-10-11 19:54:34 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2013-10-11 19:54:24 32384 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2013-10-11 19:54:24 32384 ----a-w- c:\windows\system32\drivers\usbccgp.sys
.
==================== Find3M  ====================
.
2013-10-12 02:00:21 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-10-12 02:00:21 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-09-26 02:57:14 120632 ----a-w- c:\windows\system32\drivers\avgdiskx.sys
2013-09-23 18:33:58 920064 ----a-w- c:\windows\system32\wininet.dll
2013-09-23 18:33:57 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-09-23 18:33:57 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-09-23 18:33:56 18944 ----a-w- c:\windows\system32\corpol.dll
2013-09-23 18:06:48 385024 ----a-w- c:\windows\system32\html.iec
2013-09-11 04:11:44 22840 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys
2013-09-09 04:12:16 27448 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2013-09-02 16:39:32 176952 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2013-09-02 16:28:06 145720 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2013-09-02 16:28:04 209208 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
2013-09-02 16:28:00 223032 ----a-w- c:\windows\system32\drivers\avglogx.sys
2013-08-29 01:31:44 1878656 ----a-w- c:\windows\system32\win32k.sys
2013-08-09 01:56:45 386560 ----a-w- c:\windows\system32\themeui.dll
2013-08-09 00:55:08 144128 ----a-w- c:\windows\system32\drivers\usbport.sys
2013-08-09 00:55:06 5376 ----a-w- c:\windows\system32\drivers\usbd.sys
.
============= FINISH:  9:57:41.87 ===============
 
 
 
 
GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-11-06 10:27:58
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800JB-00JJC0 rev.05.01C05 74.53GB
Running: zf79hhqs.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pwncapoc.sys
 
 
---- System - GMER 2.1 ----
 
SSDT            \SystemRoot\system32\DRIVERS\avgidsshimx.sys                      ZwNotifyChangeKey [0xF7C4C690]
SSDT            \SystemRoot\system32\DRIVERS\avgidsshimx.sys                      ZwNotifyChangeMultipleKeys [0xF7C4C7B0]
SSDT            \SystemRoot\system32\DRIVERS\avgidsshimx.sys                      ZwOpenProcess [0xF7C4C010]
SSDT            \SystemRoot\system32\DRIVERS\avgidsshimx.sys                      ZwOpenThread [0xF7C4C490]
SSDT            \SystemRoot\system32\DRIVERS\avgidsshimx.sys                      ZwSuspendProcess [0xF7C4C2D0]
SSDT            \SystemRoot\system32\DRIVERS\avgidsshimx.sys                      ZwSuspendThread [0xF7C4C3B0]
SSDT            \SystemRoot\system32\DRIVERS\avgidsshimx.sys                      ZwTerminateProcess [0xF7C4C110]
SSDT            \SystemRoot\system32\DRIVERS\avgidsshimx.sys                      ZwTerminateThread [0xF7C4C1F0]
SSDT            \SystemRoot\system32\DRIVERS\avgidsshimx.sys                      ZwWriteVirtualMemory [0xF7C4C590]
 
---- Devices - GMER 2.1 ----
 
Device                                                                            Ntfs.sys
Device                                                                            Fastfat.SYS
 
AttachedDevice  \Driver\Tcpip \Device\Ip                                          avgtdix.sys
AttachedDevice  \Driver\Tcpip \Device\Tcp                                         avgtdix.sys
AttachedDevice  \Driver\Tcpip \Device\Udp                                         avgtdix.sys
AttachedDevice  \Driver\Tcpip \Device\RawIp                                       avgtdix.sys
 
Device                                                                            mrxsmb.sys
 
AttachedDevice                                                                    fltMgr.sys
 
Device                                                                            Cdfs.SYS
 
---- Registry - GMER 2.1 ----
 
Reg             HKLM\SYSTEM\CurrentControlSet\Services\                           
Reg             HKLM\SYSTEM\CurrentControlSet\Services\@Parameters\0\x202e\x2764  3860
Reg             HKLM\SYSTEM\ControlSet002\Services\ (not active ControlSet)       
Reg             HKLM\SYSTEM\ControlSet002\Services\@Parameters\0\x202e\x2764      3860
 
---- EOF - GMER 2.1 ----
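As an added example (not part of this thread and not code from DDS, GMER or any other tool named here), a small Python triage script that reads the "Pseudo HJT Report" section of the DDS log above and flags the entries a responder would look at first for a "no internet although network settings look fine" symptom: a proxy pointing at a loopback address (browsers keep sending traffic to a local listener that no longer exists once the adware that ran it has been removed), orphaned URLSearchHooks, a BHO registration with no backing DLL, and hosts-file lines that redirect a domain to 127.0.0.1. The sample input is copied from the log posted above; the function names and the reading of the DDS prefixes (u = current user, m = machine, d = default user) are my own.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log for settings that
commonly break connectivity after adware removal. Added example; not a tool
from the thread."""
import re
from ipaddress import ip_address

# Sample input, copied from the DDS log posted earlier in this thread.
SAMPLE_HJT = """\
uStart Page = hxxp://www.google.com
uProxyServer = hxxp=127.0.0.1:1037;https=127.0.0.1:1037
uProxyOverride = <-loopback>
uURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
BHO: Social Privacy: {91FBEA5C-E3C7-42EA-8C2B-B168189AB5BE} -
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\\program files\\java\\jre6\\bin\\jp2ssv.dll
mRun: [AVG_UI] "c:\\program files\\avg\\avg2014\\avgui.exe" /TRAYONLY
Hosts: 127.0.0.1 www.spywareinfo.com
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def deobfuscate(line):
    """DDS writes 'hxxp' so that URLs in the log are not clickable; undo it."""
    return re.sub(r"\bhxxp", "http", line)


def parse_proxy(value):
    """'http=127.0.0.1:1037;https=127.0.0.1:1037' -> {'http': ('127.0.0.1', 1037), ...}.
    A bare 'host:port' with no scheme applies to every protocol ('*')."""
    out = {}
    for part in filter(None, value.split(";")):
        scheme, _, hostport = part.rpartition("=")
        host, _, port = hostport.rpartition(":")
        out[scheme or "*"] = (host, int(port) if port.isdigit() else None)
    return out


def is_loopback(host):
    """True for 'localhost' and any 127.0.0.0/8 or ::1 address."""
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def triage(log_text):
    """Return the suspicious entries grouped by category."""
    findings = {"loopback_proxy": [], "orphaned": [],
                "bho_no_file": [], "hosts_loopback": []}
    for raw in log_text.splitlines():
        line = deobfuscate(raw.strip())
        if not line:
            continue
        key, sep, rest = line.partition(" = ")
        if sep and key.endswith("ProxyServer"):
            # key[0] is the DDS scope prefix: u = HKCU, m = HKLM, d = default user.
            for scheme, (host, port) in parse_proxy(rest).items():
                if is_loopback(host):
                    findings["loopback_proxy"].append((key[0], scheme, host, port))
            continue
        if line.endswith("<orphaned>"):
            # Registered hook whose CLSID no longer resolves to a file.
            m = CLSID_RE.search(line)
            findings["orphaned"].append((line.split(":")[0], m.group(0) if m else None))
            continue
        if line.startswith("BHO:"):
            # 'BHO: <name>: {CLSID} - <dll path>'; an empty path means the DLL is
            # gone but the browser helper object is still registered.
            m = CLSID_RE.search(line)
            _, _, path = line.partition(" - ")
            if m and not path.strip():
                name = line[len("BHO:"):m.start()].strip().rstrip(":").strip()
                findings["bho_no_file"].append((name, m.group(0)))
            continue
        if line.startswith("Hosts:"):
            # 'Hosts: <ip> <domain>'; a loopback target blackholes the domain.
            parts = line.split()
            if len(parts) >= 3 and is_loopback(parts[1]):
                findings["hosts_loopback"].append(parts[2])
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_HJT).items():
        print(f"{category}: {items}")
```

On the log above this reports the HKCU proxy for both http and https at 127.0.0.1:1037, both orphaned URLSearchHooks, the "Social Privacy" BHO with no DLL, and the blocked www.spywareinfo.com entry.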
 
#4 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 06 November 2013 - 11:50 AM

Combofix

Combofix should only be run when advised by a team member!

Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe


When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing "Illegal operation attempted on a registry key that has been marked for deletion", simply restart your computer to fix this.



#5 xy32

  • Topic Starter
  • Members
  • 7 posts

Posted 06 November 2013 - 12:14 PM

I ran Combofix, and it gave me a message saying it detected Microsoft Security Essentials real-time scanners. MSE was supposed to already be uninstalled. I can't find the program anywhere, and it does not appear in the add/remove programs list, though when I searched the words "microsoft security essentials" I got quite a few .txt documents under \Application Data\ and C:\WINDOWS\$NtUninstallKB



#6 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 07 November 2013 - 03:24 AM

Ignore the message and proceed



#7 xy32

  • Topic Starter
  • Members
  • 7 posts

Posted 07 November 2013 - 10:09 AM

Combofix report:

ComboFix 13-11-04.01 - Owner 11/07/2013   8:20.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1023.616 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG AntiVirus Free Edition 2014 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\Owner\LOCALS~1\APPLIC~1\Google\Desktop\Install
c:\docume~1\Owner\LOCALS~1\APPLIC~1\Google\Desktop\Install\{19e274f2-530d-27d3-0797-283b0928c04b}\C3C1~1\01C8~1\CFFE~1\{19e274f2-530d-27d3-0797-283b0928c04b}\@
c:\documents and settings\All Users\Application Data\TEMP
c:\program files\Google\Desktop\Install
c:\program files\Google\Desktop\Install\{19e274f2-530d-27d3-0797-283b0928c04b}\0103~1\0103~1\CFFE~1\{19e274f2-530d-27d3-0797-283b0928c04b}\@
c:\program files\Google\Desktop\Install\{19e274f2-530d-27d3-0797-283b0928c04b}\0103~1\0103~1\CFFE~1\{19e274f2-530d-27d3-0797-283b0928c04b}\L\00000004.@
c:\program files\Google\Desktop\Install\{19e274f2-530d-27d3-0797-283b0928c04b}\0103~1\0103~1\CFFE~1\{19e274f2-530d-27d3-0797-283b0928c04b}\L\201d3dde
c:\program files\Google\Desktop\Install\{19e274f2-530d-27d3-0797-283b0928c04b}\0103~1\0103~1\CFFE~1\{19e274f2-530d-27d3-0797-283b0928c04b}\L\76603ac3
c:\program files\Google\Desktop\Install\{19e274f2-530d-27d3-0797-283b0928c04b}\0103~1\0103~1\CFFE~1\{19e274f2-530d-27d3-0797-283b0928c04b}\U\00000008.@
c:\windows\system32\Cache
c:\windows\system32\Cache\1c671d0ecdfff6d6.fb
c:\windows\system32\Cache\26c630d098e22dd5.fb
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\2c53092c95605355.fb
c:\windows\system32\Cache\31a0997e9a5b5eb3.fb
c:\windows\system32\Cache\32c84fe32bb74d60.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\6d03dad1035885d3.fb
c:\windows\system32\Cache\77d94b6c1b2b4e68.fb
c:\windows\system32\Cache\9582f32a717b5647.fb
c:\windows\system32\Cache\95f567698be8a182.fb
c:\windows\system32\Cache\a8556537add6dfc5.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\c1fa887b03019701.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\cfc06901a14804f5.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\f998975c9cc711ee.fb
.
.
(((((((((((((((((((((((((   Files Created from 2013-10-07 to 2013-11-07  )))))))))))))))))))))))))))))))
.
.
2013-11-05 15:45 . 2013-11-05 15:45 -------- d-----w- c:\windows\ERUNT
2013-11-05 15:29 . 2013-11-05 15:31 -------- d-----w- C:\AdwCleaner
2013-11-05 15:16 . 2013-11-05 15:16 -------- d-----w- c:\program files\Level Quality Watcher
2013-11-05 15:13 . 2013-11-05 15:13 -------- d-----w- c:\program files\sp
2013-11-04 22:20 . 2013-11-04 22:20 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\AVG2014
2013-11-04 22:17 . 2013-11-04 22:17 -------- d-----w- C:\$AVG
2013-11-04 22:16 . 2013-11-04 22:27 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Avg2014
2013-11-04 20:36 . 2013-11-04 20:36 -------- d-----w- c:\program files\Microsoft Download Manager
2013-11-04 20:18 . 2013-11-04 20:18 -------- d-----w- c:\program files\Microsoft.NET
2013-11-04 19:47 . 2013-11-04 19:47 -------- d-----w- c:\windows\system32\winrm
2013-11-04 19:47 . 2013-11-04 19:47 -------- d-----w- c:\windows\system32\GroupPolicy
2013-11-04 19:47 . 2013-11-04 19:47 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2013-11-04 17:59 . 2013-11-04 17:59 -------- d-----w- c:\program files\VS Revo Group
2013-11-04 16:01 . 2013-11-04 16:01 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVG
2013-11-04 16:00 . 2013-11-04 19:35 -------- d-----w- c:\documents and settings\Owner\Application Data\AVG
2013-11-04 15:57 . 2013-11-04 16:00 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG
2013-11-04 15:56 . 2013-11-04 16:55 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{01BD4FC9-2F86-4706-A62E-774BB7E9D308}
2013-10-28 15:03 . 2013-10-14 06:39 7796464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{40D819E7-8D35-4C24-B4F3-F0FF0413949A}\mpengine.dll
2013-10-24 14:16 . 2013-10-14 06:39 7796464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-10-16 13:29 . 2013-10-16 13:29 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\cache
2013-10-16 13:29 . 2013-10-16 13:44 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Mobogenie
2013-10-16 13:24 . 2013-10-16 13:52 -------- d-----w- c:\program files\Mobogenie
2013-10-12 03:21 . 2013-08-09 00:55 144128 -c----w- c:\windows\system32\dllcache\usbport.sys
2013-10-12 03:21 . 2013-08-09 00:55 5376 -c----w- c:\windows\system32\dllcache\usbd.sys
2013-10-12 03:21 . 2009-03-18 11:02 30336 -c----w- c:\windows\system32\dllcache\usbehci.sys
2013-10-12 03:20 . 2013-07-03 02:12 25088 -c----w- c:\windows\system32\dllcache\hidparse.sys
2013-10-12 03:20 . 2013-07-03 01:59 14976 -c----w- c:\windows\system32\dllcache\usbscan.sys
2013-10-12 02:24 . 2012-06-02 20:18 275696 ----a-w- c:\windows\system32\mucltui.dll
2013-10-12 02:24 . 2012-06-02 20:18 214256 ----a-w- c:\windows\system32\muweb.dll
2013-10-12 02:10 . 2013-10-28 19:39 -------- d-----w- c:\program files\Google
2013-10-12 02:10 . 2013-10-28 19:39 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Google
2013-10-12 01:26 . 2013-05-02 15:28 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-10-12 01:21 . 2013-10-15 22:13 -------- d-----w- c:\program files\Microsoft Security Client
2013-10-12 01:18 . 2013-10-12 01:18 -------- d-----w- c:\documents and settings\Owner\Application Data\TuneUp Software
2013-10-12 01:03 . 2001-08-17 18:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2013-10-12 01:03 . 2001-08-17 18:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2013-10-11 19:54 . 2008-04-14 10:41 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2013-10-11 19:54 . 2008-04-14 10:41 21504 ----a-w- c:\windows\system32\hidserv.dll
2013-10-11 19:54 . 2008-04-14 05:09 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2013-10-11 19:54 . 2008-04-14 05:09 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2013-10-11 19:54 . 2008-04-14 05:15 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2013-10-11 19:54 . 2008-04-14 05:15 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2013-10-11 19:54 . 2013-08-09 00:55 32384 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2013-10-11 19:54 . 2013-08-09 00:55 32384 ----a-w- c:\windows\system32\drivers\usbccgp.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-10-12 02:00 . 2012-10-31 16:29 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-10-12 02:00 . 2012-10-31 16:29 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-09-26 02:57 . 2013-09-26 02:57 120632 ----a-w- c:\windows\system32\drivers\avgdiskx.sys
2013-09-23 18:33 . 2008-04-14 12:00 920064 ----a-w- c:\windows\system32\wininet.dll
2013-09-23 18:33 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-09-23 18:33 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-09-23 18:33 . 2008-04-14 12:00 18944 ----a-w- c:\windows\system32\corpol.dll
2013-09-23 18:06 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
2013-09-11 04:11 . 2013-09-11 04:11 22840 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys
2013-09-09 04:12 . 2013-09-09 04:12 27448 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2013-09-02 16:39 . 2013-09-02 16:39 176952 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2013-09-02 16:28 . 2013-09-02 16:28 145720 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2013-09-02 16:28 . 2013-09-02 16:28 209208 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
2013-09-02 16:28 . 2013-09-02 16:28 223032 ----a-w- c:\windows\system32\drivers\avglogx.sys
2013-08-29 01:31 . 2008-04-14 12:00 1878656 ----a-w- c:\windows\system32\win32k.sys
2013-08-21 04:54 . 2013-08-21 04:54 102200 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-05-11 958576]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-08-12 995176]
"AVG_UI"="c:\program files\AVG\AVG2014\avgui.exe" [2013-10-08 4908592]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2013-06-08 04:28 92488 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ   autocheck autochk *\0c:\progra~1\AVG\AVG2014\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 10:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2008-05-28 13:27 570664 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2005-01-12 08:01 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-06-17 16:11 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"SoundMAX Agent Service (default)"=2 (0x2)
"PLFlash DeviceIoControl Service"=2 (0x2)
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Desktop\Install\{19e274f2-530d-27d3-0797-283b0928c04b}\???\???\???\{19e274f2-530d-27d3-0797-283b0928c04b}\GoogleUpdate.exe" >
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [9/2/2013 10:28 AM 145720]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [9/2/2013 10:28 AM 223032]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/8/2013 10:12 PM 27448]
R1 Avgdiskx;AVG Disk Driver;c:\windows\system32\drivers\avgdiskx.sys [9/25/2013 8:57 PM 120632]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [9/2/2013 10:28 AM 209208]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [9/10/2013 10:11 PM 22840]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [9/2/2013 10:39 AM 176952]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [8/1/2013 4:08 PM 193848]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2014\avgwdsvc.exe [9/25/2013 9:47 PM 301152]
R2 Level Quality Watcher;Level Quality Watcher;c:\windows\Installer\MSI89.tmp run sourceguid=422332B5-F3A6-47F6-93EF-792299EF24DC --> c:\windows\Installer\MSI89.tmp run sourceguid=422332B5-F3A6-47F6-93EF-792299EF24DC [?]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2014\avgidsagent.exe [10/3/2013 10:00 PM 3538480]
S2 ca82e1a5;Optimizer Pro Crash Monitor;"c:\progra~1\optimi~1\OptProCrash.exe" --> c:\progra~1\optimi~1\OptProCrash.exe [?]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - POLICYAGENT
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ   Pml Driver HPZ12 Net Driver HPZ12
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-10-16 18:21 1185744 ----a-w- c:\program files\Google\Chrome\Application\30.0.1599.101\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-11-06 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-31 02:00]
.
2013-11-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-10-12 02:10]
.
2013-11-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-10-12 02:10]
.
2013-11-06 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-08-12 15:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <-loopback>
uInternet Settings,ProxyServer = http=127.0.0.1:1037;https=127.0.0.1:1037
TCP: DhcpNameServer = 192.168.1.254
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
BHO-{91FBEA5C-E3C7-42EA-8C2B-B168189AB5BE} - c:\program files\Social Privacy\sp.dll
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
AddRemove-Browsersafeguard - c:\program files\Browsersafeguard\uninstall.browsersafeguard.exe
AddRemove-sp@sp.com - c:\program files\Social Privacy\uninstall.exe
AddRemove-UpdaterEX - c:\documents and settings\Owner\Application Data\UpdaterEX\UpdateProc\UpdateTask.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-11-07 08:37
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Level Quality Watcher]
"ImagePath"="c:\windows\Installer\MSI89.tmp run sourceguid=422332B5-F3A6-47F6-93EF-792299EF24DC"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1412)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\sxs.dll
.
Completion time: 2013-11-07  08:40:13
ComboFix-quarantined-files.txt  2013-11-07 14:40
.
Pre-Run: 65,597,210,624 bytes free
Post-Run: 67,205,255,168 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 30CE10900B1A778E0064BDEF7DCEDDD4
8F558EB6672622401DA993E1E865C861


#8 xy32

xy32
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:48 PM

Posted 07 November 2013 - 01:15 PM

Internet and Windows Firewall are both working now.



#9 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:48 PM

Posted 08 November 2013 - 02:25 AM

Combofix scripting

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.


CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.




Full System Scan with Malwarebytes Antimalware
  • If not existing, please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If the program is already installed:
  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.

Attached Files


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#10 xy32

xy32
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:48 PM

Posted 08 November 2013 - 10:58 AM

Microsoft Security Essentials is now showing in my system tray again.

Also, unfortunately I have just been informed that I will be transferring to a new area next week, so today will be my last day to work on this. I'd like to be able to finish and not have to pass it along to someone else, but I understand if that's not possible. I appreciate however far along you can help me get. It'll be their fault for not giving me more warning.


ComboFix 13-11-07.01 - Owner 11/08/2013   7:57.2.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1023.572 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript[1].txt
AV: AVG AntiVirus Free Edition 2014 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
FILE ::
"c:\windows\Installer\MSI89.tmp"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Owner\Local Settings\Application Data\Google\Desktop
c:\program files\Level Quality Watcher
c:\program files\Level Quality Watcher\LevelQualityWatcher32.exe
c:\program files\Level Quality Watcher\LevelQualityWatcher64.exe
c:\program files\sp
c:\program files\sp\sp.exe
c:\program files\sp\spdns.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_CA82E1A5
-------\Legacy_LEVEL_QUALITY_WATCHER
-------\Service_ca82e1a5
-------\Service_Level Quality Watcher
.
.
(((((((((((((((((((((((((   Files Created from 2013-10-08 to 2013-11-08  )))))))))))))))))))))))))))))))
.
.
2013-11-08 14:08 . 2013-11-08 14:08 40392 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E8284323-20B0-417C-B298-08F849F50314}\MpKsldc1854ec.sys
2013-11-07 18:06 . 2013-10-14 06:39 7796464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E8284323-20B0-417C-B298-08F849F50314}\mpengine.dll
2013-11-05 15:45 . 2013-11-05 15:45 -------- d-----w- c:\windows\ERUNT
2013-11-05 15:29 . 2013-11-05 15:31 -------- d-----w- C:\AdwCleaner
2013-11-04 22:20 . 2013-11-04 22:20 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\AVG2014
2013-11-04 22:17 . 2013-11-04 22:17 -------- d-----w- C:\$AVG
2013-11-04 22:16 . 2013-11-04 22:27 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Avg2014
2013-11-04 20:36 . 2013-11-04 20:36 -------- d-----w- c:\program files\Microsoft Download Manager
2013-11-04 20:18 . 2013-11-04 20:18 -------- d-----w- c:\program files\Microsoft.NET
2013-11-04 19:47 . 2013-11-04 19:47 -------- d-----w- c:\windows\system32\winrm
2013-11-04 19:47 . 2013-11-04 19:47 -------- d-----w- c:\windows\system32\GroupPolicy
2013-11-04 19:47 . 2013-11-04 19:47 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2013-11-04 17:59 . 2013-11-04 17:59 -------- d-----w- c:\program files\VS Revo Group
2013-11-04 16:01 . 2013-11-04 16:01 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVG
2013-11-04 16:00 . 2013-11-04 19:35 -------- d-----w- c:\documents and settings\Owner\Application Data\AVG
2013-11-04 15:57 . 2013-11-04 16:00 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG
2013-11-04 15:56 . 2013-11-04 16:55 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{01BD4FC9-2F86-4706-A62E-774BB7E9D308}
2013-10-28 15:03 . 2013-10-14 06:39 7796464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-10-16 13:29 . 2013-10-16 13:29 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\cache
2013-10-16 13:29 . 2013-10-16 13:44 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Mobogenie
2013-10-16 13:24 . 2013-10-16 13:52 -------- d-----w- c:\program files\Mobogenie
2013-10-12 03:21 . 2013-08-09 00:55 144128 -c----w- c:\windows\system32\dllcache\usbport.sys
2013-10-12 03:21 . 2013-08-09 00:55 5376 -c----w- c:\windows\system32\dllcache\usbd.sys
2013-10-12 03:21 . 2009-03-18 11:02 30336 -c----w- c:\windows\system32\dllcache\usbehci.sys
2013-10-12 03:20 . 2013-07-03 02:12 25088 -c----w- c:\windows\system32\dllcache\hidparse.sys
2013-10-12 03:20 . 2013-07-03 01:59 14976 -c----w- c:\windows\system32\dllcache\usbscan.sys
2013-10-12 02:24 . 2012-06-02 20:18 275696 ----a-w- c:\windows\system32\mucltui.dll
2013-10-12 02:24 . 2012-06-02 20:18 214256 ----a-w- c:\windows\system32\muweb.dll
2013-10-12 02:10 . 2013-11-08 14:04 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Google
2013-10-12 02:10 . 2013-10-28 19:39 -------- d-----w- c:\program files\Google
2013-10-12 01:26 . 2013-05-02 15:28 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-10-12 01:21 . 2013-10-15 22:13 -------- d-----w- c:\program files\Microsoft Security Client
2013-10-12 01:18 . 2013-10-12 01:18 -------- d-----w- c:\documents and settings\Owner\Application Data\TuneUp Software
2013-10-12 01:03 . 2001-08-17 18:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2013-10-12 01:03 . 2001-08-17 18:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2013-10-11 19:54 . 2008-04-14 10:41 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2013-10-11 19:54 . 2008-04-14 10:41 21504 ----a-w- c:\windows\system32\hidserv.dll
2013-10-11 19:54 . 2008-04-14 05:09 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2013-10-11 19:54 . 2008-04-14 05:09 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2013-10-11 19:54 . 2008-04-14 05:15 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2013-10-11 19:54 . 2008-04-14 05:15 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2013-10-11 19:54 . 2013-08-09 00:55 32384 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2013-10-11 19:54 . 2013-08-09 00:55 32384 ----a-w- c:\windows\system32\drivers\usbccgp.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-10-12 02:00 . 2012-10-31 16:29 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-10-12 02:00 . 2012-10-31 16:29 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-09-26 02:57 . 2013-09-26 02:57 120632 ----a-w- c:\windows\system32\drivers\avgdiskx.sys
2013-09-23 18:33 . 2008-04-14 12:00 920064 ----a-w- c:\windows\system32\wininet.dll
2013-09-23 18:33 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-09-23 18:33 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-09-23 18:33 . 2008-04-14 12:00 18944 ----a-w- c:\windows\system32\corpol.dll
2013-09-23 18:06 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
2013-09-11 04:11 . 2013-09-11 04:11 22840 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys
2013-09-09 04:12 . 2013-09-09 04:12 27448 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2013-09-02 16:39 . 2013-09-02 16:39 176952 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2013-09-02 16:28 . 2013-09-02 16:28 145720 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2013-09-02 16:28 . 2013-09-02 16:28 209208 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
2013-09-02 16:28 . 2013-09-02 16:28 223032 ----a-w- c:\windows\system32\drivers\avglogx.sys
2013-08-29 01:31 . 2008-04-14 12:00 1878656 ----a-w- c:\windows\system32\win32k.sys
2013-08-21 04:54 . 2013-08-21 04:54 102200 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-05-11 958576]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-08-12 995176]
"AVG_UI"="c:\program files\AVG\AVG2014\avgui.exe" [2013-10-08 4908592]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFU3SEctWUxVVlUtRVMyRUctUUY3WEMtVkxDOVctUTRMWkc&inst=NzctMTczNDAyMzYzOS1GUDkrNi1GTCs5LUZMMTArMS1YTzEwKzExLUREVCswLVRMKzEtQzEwVSs5MTExMi1GMTBVMTMrMS1GMTBVMTNWKzEtRjEwVTEzUysx&prod=90&ver=10.0.1432" [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2013-06-08 04:28 92488 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ    autocheck autochk *\0c:\progra~1\AVG\AVG2014\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 10:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2008-05-28 13:27 570664 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2005-01-12 08:01 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-06-17 16:11 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"SoundMAX Agent Service (default)"=2 (0x2)
"PLFlash DeviceIoControl Service"=2 (0x2)
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [9/2/2013 10:28 AM 145720]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [9/2/2013 10:28 AM 223032]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/8/2013 10:12 PM 27448]
R1 Avgdiskx;AVG Disk Driver;c:\windows\system32\drivers\avgdiskx.sys [9/25/2013 8:57 PM 120632]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [9/2/2013 10:28 AM 209208]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [9/10/2013 10:11 PM 22840]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [9/2/2013 10:39 AM 176952]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [8/1/2013 4:08 PM 193848]
R1 MpKsldc1854ec;MpKsldc1854ec;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E8284323-20B0-417C-B298-08F849F50314}\MpKsldc1854ec.sys [11/8/2013 8:08 AM 40392]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2014\avgidsagent.exe [10/3/2013 10:00 PM 3538480]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2014\avgwdsvc.exe [9/25/2013 9:47 PM 301152]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLDC1854EC
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ    Pml Driver HPZ12 Net Driver HPZ12
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-10-16 18:21 1185744 ----a-w- c:\program files\Google\Chrome\Application\30.0.1599.101\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-11-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-31 02:00]
.
2013-11-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-10-12 02:10]
.
2013-11-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-10-12 02:10]
.
2013-11-08 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-08-12 15:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://wtagc.org/
uInternet Settings,ProxyOverride = <-loopback>
TCP: DhcpNameServer = 192.168.1.254
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-11-08 08:08
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1384)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
.
- - - - - - - > 'explorer.exe'(3576)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\windows\system32\Ati2evxx.exe
.
**************************************************************************
.
Completion time: 2013-11-08  08:13:12 - machine was rebooted
ComboFix-quarantined-files.txt  2013-11-08 14:13
ComboFix2.txt  2013-11-07 14:40
.
Pre-Run: 65,977,405,440 bytes free
Post-Run: 65,889,112,064 bytes free
.
- - End Of File - - 9F39362D0D28D9F2FB54D3A56D6C812E
8F558EB6672622401DA993E1E865C861
 

 

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.11.08.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Owner :: PLANROOMCOMPUTE [administrator]

11/8/2013 8:30:30 AM
mbam-log-2013-11-08 (08-30-30).txt

Scan type: Full scan (A:\|C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 249952
Time elapsed: 46 minute(s), 36 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKLM\SOFTWARE\BROWSERSAFEGUARD (PUP.Optional.BrowserSafeGuard.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{19DC5AB8-0792-4875-8F1B-896C5A9CE6AE} (PUP.Optional.Adpeak) -> Quarantined and deleted successfully.

Registry Values Detected: 2
HKLM\SOFTWARE\Browsersafeguard|sourceid (PUP.Optional.BrowserSafeGuard.A) -> Data: google_browsersafeguard-display-us-bleeping-728x90-36639128953 -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{19DC5AB8-0792-4875-8F1B-896C5A9CE6AE}|DisplayName (PUP.Optional.Adpeak) -> Data: Level Quality Watcher -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\Documents and Settings\All Users\Start Menu\Programs\BrowserSafeguard (PUP.Optional.BrowserSafeGuard) -> Quarantined and deleted successfully.

Files Detected: 22
C:\AdwCleaner\Quarantine\C\Program Files\optimizer pro\OptProGuard.exe.vir (PUP.Optional.OptimizerPro) -> Quarantined and deleted successfully.
C:\AdwCleaner\Quarantine\C\Program Files\optimizer pro\OptimizerPro.exe.vir (PUP.Optional.OptimizerPro) -> Quarantined and deleted successfully.
C:\AdwCleaner\Quarantine\C\Program Files\optimizer pro\OptProReminder.exe.vir (PUP.Optional.OptimizerPro) -> Quarantined and deleted successfully.
C:\AdwCleaner\Quarantine\C\Program Files\optimizer pro\OptProSchedule.exe.vir (PUP.Optional.OptimizerPro) -> Quarantined and deleted successfully.
C:\AdwCleaner\Quarantine\C\Program Files\optimizer pro\OptProSmartScan.exe.vir (PUP.Optional.OptimizerPro) -> Quarantined and deleted successfully.
C:\AdwCleaner\Quarantine\C\Program Files\optimizer pro\OptProStart.exe.vir (PUP.Optional.OptimizerPro) -> Quarantined and deleted successfully.
C:\AdwCleaner\Quarantine\C\Program Files\Searchprotect\Main\bin\CltMngSvc.exe.vir (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\AdwCleaner\Quarantine\C\Program Files\Searchprotect\Main\bin\SPTool.dll.vir (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\AdwCleaner\Quarantine\C\Program Files\Searchprotect\Main\bin\uninstall.exe.vir (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\AdwCleaner\Quarantine\C\Program Files\Searchprotect\SearchProtect\bin\cltmng.exe.vir (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\AdwCleaner\Quarantine\C\Program Files\Searchprotect\SearchProtect\bin\SPTool64.exe.vir (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\AdwCleaner\Quarantine\C\Program Files\Searchprotect\SearchProtect\bin\SPVC32.dll.vir (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\AdwCleaner\Quarantine\C\Program Files\Searchprotect\SearchProtect\bin\SPVC32Loader.dll.vir (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\AdwCleaner\Quarantine\C\Program Files\Searchprotect\SearchProtect\bin\SPVC64.dll.vir (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\AdwCleaner\Quarantine\C\Program Files\Searchprotect\SearchProtect\bin\SPVC64Loader.dll.vir (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\AdwCleaner\Quarantine\C\Program Files\Searchprotect\UI\bin\cltmngui.exe.vir (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\Level Quality Watcher\LevelQualityWatcher32.exe.vir (PUP.Optional.Adpeak) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1D6CD17C-C960-432C-8914-252CC2F9466D}\RP331\A0026109.exe (PUP.Optional.OptimizerPro) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1D6CD17C-C960-432C-8914-252CC2F9466D}\RP338\A0026888.exe (PUP.Optional.Adpeak) -> Quarantined and deleted successfully.
C:\WINDOWS\Installer\MSI89.tmp (PUP.Optional.Adpeak) -> Quarantined and deleted successfully.
C:\WINDOWS\Installer\2bf214.msi (PUP.Optional.Adpeak) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\BrowserSafeguard\BrowserSafeguard.lnk (PUP.Optional.BrowserSafeGuard) -> Quarantined and deleted successfully.

(end)



#11 xy32

xy32
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:48 PM

Posted 08 November 2013 - 07:26 PM

Thank you very much for your help! I really appreciate it. I'm sorry I'm having to end part-way through; it's quite frustrating. I ran a Full Scan with MSE and got rid of a couple of Trojans that were downloading other Trojans, so hopefully that will solve some problems. I've also uninstalled ComboFix according to the instructions on this website.



#12 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:48 PM

Posted 11 November 2013 - 03:16 AM

If you want to get further advice, please follow my instructions. It is not possible to help if you run other tools than advised:

Scan with ESET Online Scan

Please go here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file...
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.



#13 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:48 PM

Posted 14 November 2013 - 04:21 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



