iexplore.exe infection


  • This topic is locked
32 replies to this topic

#1 closibley

closibley

  • Members
  • 22 posts
  • OFFLINE
  • Local time:10:35 AM

Posted 11 November 2013 - 08:30 AM

iexplore.exe, whatever this is, shows up multiple times in Windows Task Manager whenever I connect to the internet. It eats up memory, so that performance gets slower and slower and slower. CPU usage typically shows 100% when I open a new window or tab. 

An Avast full scan, MBAM, adwcleaner and ComboFix have all failed to eliminate it.

In addition to the dds logs, my ComboFix log is also shown below.

This problem began at the time that my e-mail account was hacked into. All sorts of nasties infected my system and this is the only one remaining.

Would greatly appreciate help in resolving. Thanks. 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Chris at 12:36:01 on 2013-11-11
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1535.816 [GMT 0:00]
.
AV: AVG AntiVirus 2014 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: avast! Internet Security *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Internet Security *Enabled*
.
============== Running Processes ================
.
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Program Files\AVAST Software\Avast\afwServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\RealNetworks\RealDownloader\recordingmanager.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bbc.co.uk/news/
dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users\application data\realnetworks\realdownloader\browserplugins\ie\rndlbrowserrecordplugin.dll
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
TB: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [Nvtmru] "c:\program files\nvidia corporation\nvidia update core\nvtmru.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe"  -osboot
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AvastUI.exe] "c:\program files\avast software\avast\AvastUI.exe" /nogui
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sonicc~1.lnk - c:\program files\common files\sonic shared\CineTray.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office14\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Se&nd to OneNote - c:\progra~1\micros~4\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1282566059720
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{244B4F37-08F9-41D5-8619-8546249209B7} : DHCPNameServer = 192.168.1.254
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - <orphaned>
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\896\G2AWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [2013-11-4 12112]
R0 aswNdis2;avast! Firewall NDIS Driver;c:\windows\system32\drivers\aswNdis2.sys [2013-11-4 247192]
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [2013-11-2 49944]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [2013-11-2 178304]
R0 FSProFilter;FSPro File Filter;c:\windows\system32\drivers\FSPFltd.sys [2011-11-25 41912]
R1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys [2013-11-4 26136]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2013-11-2 774392]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswsp.sys [2013-11-2 403440]
R1 RapportCerberus_56758;RapportCerberus_56758;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus32_56758.sys [2013-8-15 330960]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2013-9-10 148688]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2013-9-10 222416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2013-11-2 35656]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-11-2 70384]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2013-11-2 50344]
R2 avast! Firewall;avast! Firewall;c:\program files\avast software\avast\afwServ.exe [2013-11-4 116776]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2013-9-10 1435928]
R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\realnetworks\realdownloader\rndlresolversvc.exe [2013-8-14 39056]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2010-1-21 110592]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-2-28 161384]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-8-23 1684736]
S3 AsrCDDrv;AsrCDDrv;\??\c:\windows\system32\drivers\asrcddrv.sys --> c:\windows\system32\drivers\AsrCDDrv.sys [?]
S3 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2013-9-10 97008]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2012-10-17 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
.
=============== Created Last 30 ================
.
2013-11-06 15:16:48 -------- d-sha-r- C:\cmdcons
2013-11-06 15:11:38 98816 ----a-w- c:\windows\sed.exe
2013-11-06 15:11:38 256000 ----a-w- c:\windows\PEV.exe
2013-11-06 15:11:38 208896 ----a-w- c:\windows\MBR.exe
2013-11-06 15:07:59 -------- d-----w- c:\documents and settings\chris\local settings\application data\Avg2014
2013-11-06 14:02:56 -------- d-----w- C:\AdwCleaner
2013-11-04 10:28:30 26136 ----a-w- c:\windows\system32\drivers\aswKbd.sys
2013-11-04 10:28:30 247192 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
2013-11-04 10:28:05 12112 ----a-w- c:\windows\system32\drivers\aswNdis.sys
2013-11-02 22:30:37 -------- d-----w- c:\documents and settings\chris\application data\AVAST Software
2013-11-02 22:28:32 178304 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-11-02 22:28:31 774392 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-11-02 22:28:31 70384 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-11-02 22:28:31 49944 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-11-02 22:28:21 43152 ----a-w- c:\windows\avastSS.scr
2013-11-02 22:27:54 -------- d-----w- c:\program files\AVAST Software
2013-11-02 22:27:30 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2013-11-02 21:53:04 -------- d-----w- c:\documents and settings\chris\application data\ElevatedDiagnostics
2013-11-02 13:19:13 -------- d-----w- c:\documents and settings\chris\.android
2013-10-31 22:49:22 -------- d-----w- c:\program files\SUPERAntiSpyware
2013-10-31 22:34:27 -------- d-----w- c:\documents and settings\chris\local settings\application data\cache
2013-10-31 22:33:50 -------- d-----w- c:\documents and settings\chris\local settings\application data\Mobogenie
2013-10-31 22:33:46 -------- d-----w- c:\program files\CSBrowserHelper
2013-10-31 19:35:43 712264 ----a-w- c:\windows\is-6OA4D.exe
2013-10-30 20:57:43 -------- d-----w- c:\documents and settings\chris\application data\SparkTrust
2013-10-30 20:38:38 -------- d-----w- c:\documents and settings\all users\application data\SparkTrust
2013-10-29 18:51:19 -------- d-----w- c:\documents and settings\chris\application data\AVG
2013-10-29 18:35:44 -------- d-----w- c:\documents and settings\all users\application data\AVG
2013-10-29 18:35:24 -------- d-sh--w- c:\documents and settings\all users\application data\{01BD4FC9-2F86-4706-A62E-774BB7E9D308}
.
==================== Find3M  ====================
.
2013-10-09 17:58:00 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-10-09 17:57:58 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-23 18:33:58 920064 ----a-w- c:\windows\system32\wininet.dll
2013-09-23 18:33:57 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-09-23 18:33:57 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-09-23 18:33:56 18944 ----a-w- c:\windows\system32\corpol.dll
2013-09-23 18:06:48 385024 ----a-w- c:\windows\system32\html.iec
2013-09-10 23:18:28 97008 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2013-09-07 08:03:21 499712 ----a-w- c:\windows\system32\msvcp71.dll
2013-09-07 08:03:21 348160 ----a-w- c:\windows\system32\msvcr71.dll
2013-08-29 01:31:44 1878656 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 12:37:20.73 ===============

ComboFix 13-11-04.01 - Chris 06/11/2013  15:19:05.1.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1535.937 [GMT 0:00]
Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
AV: avast! Internet Security *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: AVG AntiVirus 2014 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: avast! Internet Security *Enabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Chris\My Documents\~WRL0002.tmp
c:\windows\system32\MrvGINA.dll
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_PCCMSERVICE
-------\Service_pcCMService
.
.
(((((((((((((((((((((((((   Files Created from 2013-10-06 to 2013-11-06  )))))))))))))))))))))))))))))))
.
.
2013-11-06 15:07 . 2013-11-06 15:07 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\Avg2014
2013-11-06 14:02 . 2013-11-06 14:12 -------- d-----w- C:\AdwCleaner
2013-11-04 10:29 . 2013-11-04 10:29 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVAST Software
2013-11-04 10:28 . 2013-11-04 10:28 26136 ----a-w- c:\windows\system32\drivers\aswKbd.sys
2013-11-04 10:28 . 2013-11-04 10:28 247192 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
2013-11-04 10:28 . 2013-11-04 10:28 12112 ----a-w- c:\windows\system32\drivers\aswNdis.sys
2013-11-02 22:30 . 2013-11-02 22:30 -------- d-----w- c:\documents and settings\Chris\Application Data\AVAST Software
2013-11-02 22:28 . 2013-11-02 22:28 57672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2013-11-02 22:28 . 2013-11-02 22:28 403440 ----a-w- c:\windows\system32\drivers\aswSP.sys
2013-11-02 22:28 . 2013-11-02 22:28 178304 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-11-02 22:28 . 2013-11-02 22:28 774392 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-11-02 22:28 . 2013-11-02 22:28 70384 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-11-02 22:28 . 2013-11-02 22:28 49944 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-11-02 22:28 . 2013-11-02 22:28 54832 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2013-11-02 22:28 . 2013-11-02 22:28 35656 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2013-11-02 22:28 . 2013-11-02 22:28 269216 ----a-w- c:\windows\system32\aswBoot.exe
2013-11-02 22:28 . 2013-11-02 22:28 43152 ----a-w- c:\windows\avastSS.scr
2013-11-02 22:27 . 2013-11-02 22:27 -------- d-----w- c:\program files\AVAST Software
2013-11-02 22:27 . 2013-11-02 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2013-11-02 21:53 . 2013-11-02 21:53 -------- d-----w- c:\documents and settings\Chris\Application Data\ElevatedDiagnostics
2013-11-02 13:19 . 2013-11-02 13:19 -------- d-----w- c:\documents and settings\Chris\.android
2013-10-31 22:49 . 2013-11-03 09:16 -------- d-----w- c:\program files\SUPERAntiSpyware
2013-10-31 22:34 . 2013-11-02 13:18 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\cache
2013-10-31 22:33 . 2013-11-02 13:39 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\Mobogenie
2013-10-31 22:33 . 2013-10-31 22:33 -------- d-----w- c:\program files\CSBrowserHelper
2013-10-31 19:35 . 2013-10-31 19:35 712264 ----a-w- c:\windows\is-6OA4D.exe
2013-10-30 20:57 . 2013-10-30 20:57 -------- d-----w- c:\documents and settings\Chris\Application Data\SparkTrust
2013-10-30 20:38 . 2013-11-02 12:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SparkTrust
2013-10-30 16:05 . 2013-10-30 16:05 -------- d-----w- c:\documents and settings\UpdatusUser\Application Data\AVG
2013-10-29 19:22 . 2013-10-29 19:22 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVG
2013-10-29 18:51 . 2013-10-29 18:51 -------- d-----w- c:\documents and settings\Chris\Application Data\AVG
2013-10-29 18:35 . 2013-10-29 19:04 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG
2013-10-29 18:35 . 2013-10-30 01:35 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{01BD4FC9-2F86-4706-A62E-774BB7E9D308}
2013-10-12 08:54 . 2013-10-12 08:54 -------- d-----w- c:\program files\Common Files\Sonic Shared
2013-10-12 08:54 . 2013-10-12 08:54 -------- d-----w- c:\program files\Sonic
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-10-09 17:58 . 2012-03-30 14:58 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-10-09 17:57 . 2011-06-19 07:25 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-23 18:33 . 2006-02-28 12:00 920064 ----a-w- c:\windows\system32\wininet.dll
2013-09-23 18:33 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-09-23 18:33 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-09-23 18:33 . 2006-02-28 12:00 18944 ----a-w- c:\windows\system32\corpol.dll
2013-09-23 18:06 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
2013-09-10 23:18 . 2013-09-10 23:18 97008 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2013-09-07 08:03 . 2010-08-23 13:10 499712 ----a-w- c:\windows\system32\msvcp71.dll
2013-09-07 08:03 . 2010-08-23 13:10 348160 ----a-w- c:\windows\system32\msvcr71.dll
2013-08-29 01:31 . 2006-02-28 12:00 1878656 ----a-w- c:\windows\system32\win32k.sys
2013-08-09 01:56 . 2006-02-28 12:00 386560 ----a-w- c:\windows\system32\themeui.dll
2013-08-09 00:55 . 2006-02-28 12:00 144128 ----a-w- c:\windows\system32\drivers\usbport.sys
2013-08-09 00:55 . 2010-08-23 13:13 32384 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2013-08-09 00:55 . 2006-02-28 12:00 5376 ----a-w- c:\windows\system32\drivers\usbd.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-11-02 22:28 321752 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-08-14 18702336]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2013-06-21 15677728]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2013-06-21 2586912]
"Nvtmru"="c:\program files\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe" [2013-05-16 1012000]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2013-09-07 295512]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2013-11-02 3568312]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Sonic CinePlayer Quick Launch.lnk - c:\program files\Common Files\Sonic Shared\CineTray.exe [2006-7-25 114688]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WDDMStatus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WDDMStatus.lnk
backup=c:\windows\pss\WDDMStatus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WDSmartWare.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WDSmartWare.lnk
backup=c:\windows\pss\WDSmartWare.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-04-04 21:06 958576 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_McciTrayApp]
2013-06-12 09:21 2011824 ----a-w- c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
2005-05-20 13:46 28160 ----a-w- c:\windows\KHALMNPR.Exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mylbx]
2011-05-07 13:42 1899328 ----a-w- c:\documents and settings\My Lockbox\mylbx.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2013-06-21 09:54 223008 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
2003-05-08 10:00 49152 ----a-w- c:\program files\ScanSoft\OmniPageSE2.0\opwareSE2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify Web Helper]
2013-10-12 11:51 1140736 ----a-w- c:\program files\Spotify\Data\SpotifyWebHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2013-09-07 08:04 295512 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\Documents and Settings\\Chris\\Application Data\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpBrowser.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpNotifier.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
.
R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [04/11/2013 10:28 12112]
R0 aswNdis2;avast! Firewall NDIS Driver;c:\windows\system32\drivers\aswNdis2.sys [04/11/2013 10:28 247192]
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [02/11/2013 22:28 49944]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [02/11/2013 22:28 178304]
R0 FSProFilter;FSPro File Filter;c:\windows\system32\drivers\FSPFltd.sys [25/11/2011 23:34 41912]
R1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys [04/11/2013 10:28 26136]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [02/11/2013 22:28 774392]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [02/11/2013 22:28 403440]
R1 RapportCerberus_56758;RapportCerberus_56758;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_56758.sys [15/08/2013 08:00 330960]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [10/09/2013 23:18 148688]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [10/09/2013 23:18 222416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [02/11/2013 22:28 35656]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [02/11/2013 22:28 70384]
R2 avast! Firewall;avast! Firewall;c:\program files\AVAST Software\Avast\afwServ.exe [04/11/2013 10:28 116776]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [10/09/2013 23:18 1435928]
R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe [14/08/2013 14:19 39056]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [21/01/2010 15:24 110592]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [16/06/2009 07:58 20480]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [28/02/2013 17:45 161384]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [23/08/2010 12:00 1684736]
S3 AsrCDDrv;AsrCDDrv;\??\c:\windows\system32\Drivers\AsrCDDrv.sys --> c:\windows\system32\Drivers\AsrCDDrv.sys [?]
S3 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [10/09/2013 23:18 97008]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [17/10/2012 08:40 11520]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2013-11-06 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 17:58]
.
2013-11-06 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2013-11-02 22:28]
.
2013-09-20 c:\windows\Tasks\RealDownloaderDownloaderScheduledTaskS-1-5-21-790525478-838170752-725345543-1004.job
- c:\program files\RealNetworks\RealDownloader\recordingmanager.exe [2013-08-14 14:19]
.
2013-11-06 c:\windows\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-790525478-838170752-725345543-1004.job
- c:\program files\RealNetworks\RealDownloader\realupgrade.exe [2013-08-14 14:19]
.
2013-11-02 c:\windows\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-790525478-838170752-725345543-1004.job
- c:\program files\RealNetworks\RealDownloader\realupgrade.exe [2013-08-14 14:19]
.
2013-11-06 c:\windows\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-790525478-838170752-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-08-14 16:13]
.
2013-11-06 c:\windows\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-790525478-838170752-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-08-14 16:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bbc.co.uk/news/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.254
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
HKLM-Run-mobilegeni daemon - c:\program files\Mobogenie\DaemonProcess.exe
c:\documents and settings\All Users\Start Menu\Programs\Startup\NETGEAR WG311v3 Smart Wizard.lnk - (no file)
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
AddRemove-PCSU-SL_is1 - c:\program files\PC Speed Up\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-11-06 15:44
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  mobilegeni daemon = c:\program files\Mobogenie\DaemonProcess.exe?????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ... 
.
.
C:\avast! sandbox
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1448)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(2344)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Trusteer\Rapport\bin\RapportService.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\RTHDCPL.EXE
.
**************************************************************************
.
Completion time: 2013-11-06  15:48:14 - machine was rebooted
ComboFix-quarantined-files.txt  2013-11-06 15:48
.
Pre-Run: 60,297,969,664 bytes free
Post-Run: 61,236,166,656 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer
.
- - End Of File - - 2F209257898C915DEC795271A9F96D50
8F558EB6672622401DA993E1E865C861

 

Edited by bloopie, 14 November 2013 - 02:38 PM.
Deleted double post for continuity.




#2 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New York
  • Local time:06:35 AM

Posted 14 November 2013 - 02:37 PM

Hello closibley, and welcome to Bleeping Computer!

My name is bloopie and I'll be helping you with your problems as best I can! :thumbup2:

A few things to keep in mind while we are working together:

  • If you have since resolved the original problem you were having, I would appreciate it if you let me know.
  • If you are unsure about any of the steps just post what you can and I will guide you!
  • Please tell me if you have your original Windows CD/DVD available.
  • Please copy and paste all logs here unless otherwise instructed!
  • Upon completing the steps below I will review your topic and do my best to resolve your issues.
  • Please do not run any other tools without my instruction to do so!

==========

Now that we've got the ground rules out of the way, let's get to work! :)

First of all let's clarify a few things:

  • You mention that your e-mail was hacked into...the first thing you should do whenever this happens is to change your password to your e-mail accounts!
  • Another bit of clarification: iexplore.exe just happens to be Internet Explorer! :wink: Several instances of this file running is quite normal if you use IE.

==========

Aside from that, I see two other things that are of concern in your logs. The first and extremely important thing, is that I see you have two active Antivirus programs running! The other less important one is that you have µTorrent installed. So here are my two warnings for these:

:step1:

I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti-virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either AVG 2014 or Avast.

:step2:

Going over your logs I noticed that you have µTorrent installed.

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall µTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.
If you wish to keep it, please do not use it until your computer is cleaned.

==========

Once you have uninstalled one of the Antivirus programs, then please delete your copy of Combofix (via the right-click > Delete method), and then download a fresh copy from here (save it to your desktop). Run another scan with combofix and post me the new log (it will be located at C:\Combofix.txt).

Once that is done then please update me on the performance of the machine, and we'll go from there! Also, please let me know if you encountered any trouble along the way!

bloopie



#3 closibley

closibley
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:10:35 AM

Posted 15 November 2013 - 04:41 PM

Hello Bloopie  …  Thank you for your interest. Problem still unresolved and, yes, I have the original Windows XP CD (though it’s Service Pack 2 rather than SP3).
 
I have done all the necessary to protect my email.
 
I do not believe that iexplore.exe is genuine Windows Internet Explorer.
1. It’s new to my system
2. explorer.exe is also shown in Task Manager, single entry with low and stable numbers.
3. After a while, when I reduce a window in size and move it swiftly across the screen, I can see a blue blur of hundreds of windows behind it as it smears across the screen.
4. As you can see from the screenshot below, after half an hour and just a couple of windows open, iexplore is taking over and CPU usage is shown as up to 100%. The iexplore.exe numbers leap around like crazy when a new window or tab is opened.
 
 [tried and failed to cut and paste the screenshot]
 
 
On to your two warnings:
 
1. I uninstalled AVG when I signed up for Avast (and before I ran the Avast scan). AVG is not showing on my list of currently installed programs, so hopefully there is no conflict.
 
2. Your advice is appreciated. I am very careful about my occasional downloads but will consider uninstalling it. In the meantime I promise not to use it until my computer is clean!
 
 
Ps  …  I began to run ComboFix and my system froze as I was in the process of disabling Avast. It remained frozen, so I had to turn off and start again.
However, I also got a warning message that AVG AntiVirus 2014 is active (confirming your observation).
This is puzzling and it seems that the first thing we have to do is to rid my system of AVG – even though I have already uninstalled it.
I can’t see it running in the Task Manager box either, unless it’s calling itself something else, so is it really there?
Can you help with this please?

 

Thanks a lot.  ...  Chris.



#4 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New York
  • Local time:06:35 AM

Posted 15 November 2013 - 05:35 PM

Hello again,

 

Can you help with this please?

I am here to help you! ...And I'm not going anywhere, I'll stay with you until the end! :wink:

 

AVG is notorious for not uninstalling properly, so try running the AVG 2014 Removal Tool. Once that's finished, please reboot the system and try running Combofix again. If it still warns you about AVG after running the removal tool, then ignore the warning and run Combofix anyway.

 

Post me the results and let me know if you had any trouble with it! :)

 

bloopie



#5 closibley

closibley
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:10:35 AM

Posted 16 November 2013 - 03:18 PM

Hello Bloopie  ...
I have removed AVG, I hope, and run ComboFix.

This is the log, which I hope is of some use:

 
 
ComboFix 13-11-16.01 - Chris 16/11/2013  19:27:44.2.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1535.999 [GMT 0:00]
Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
AV: avast! Internet Security *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Internet Security *Enabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
(((((((((((((((((((((((((   Files Created from 2013-10-16 to 2013-11-16  )))))))))))))))))))))))))))))))
.
.
2013-11-14 19:30 . 2013-11-14 19:31 -------- d-----w- C:\Bleeping Computer
2013-11-06 14:02 . 2013-11-06 14:12 -------- d-----w- C:\AdwCleaner
2013-11-04 10:29 . 2013-11-04 10:29 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVAST Software
2013-11-04 10:28 . 2013-11-04 10:28 26136 ----a-w- c:\windows\system32\drivers\aswKbd.sys
2013-11-04 10:28 . 2013-11-04 10:28 247192 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
2013-11-04 10:28 . 2013-11-04 10:28 12112 ----a-w- c:\windows\system32\drivers\aswNdis.sys
2013-11-02 22:30 . 2013-11-02 22:30 -------- d-----w- c:\documents and settings\Chris\Application Data\AVAST Software
2013-11-02 22:28 . 2013-11-07 08:49 403440 ----a-w- c:\windows\system32\drivers\aswsp.sys
2013-11-02 22:28 . 2013-11-02 22:28 57672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2013-11-02 22:28 . 2013-11-02 22:28 178304 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-11-02 22:28 . 2013-11-02 22:28 774392 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-11-02 22:28 . 2013-11-02 22:28 70384 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-11-02 22:28 . 2013-11-02 22:28 49944 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-11-02 22:28 . 2013-11-02 22:28 54832 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2013-11-02 22:28 . 2013-11-02 22:28 35656 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2013-11-02 22:28 . 2013-11-02 22:28 269216 ----a-w- c:\windows\system32\aswBoot.exe
2013-11-02 22:28 . 2013-11-02 22:28 43152 ----a-w- c:\windows\avastSS.scr
2013-11-02 22:27 . 2013-11-02 22:27 -------- d-----w- c:\program files\AVAST Software
2013-11-02 22:27 . 2013-11-02 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2013-11-02 21:53 . 2013-11-02 21:53 -------- d-----w- c:\documents and settings\Chris\Application Data\ElevatedDiagnostics
2013-11-02 13:19 . 2013-11-02 13:19 -------- d-----w- c:\documents and settings\Chris\.android
2013-10-31 22:49 . 2013-11-03 09:16 -------- d-----w- c:\program files\SUPERAntiSpyware
2013-10-31 22:34 . 2013-11-02 13:18 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\cache
2013-10-31 22:33 . 2013-11-02 13:39 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\Mobogenie
2013-10-31 22:33 . 2013-10-31 22:33 -------- d-----w- c:\program files\CSBrowserHelper
2013-10-31 19:35 . 2013-10-31 19:35 712264 ----a-w- c:\windows\is-6OA4D.exe
2013-10-30 20:57 . 2013-10-30 20:57 -------- d-----w- c:\documents and settings\Chris\Application Data\SparkTrust
2013-10-30 20:38 . 2013-11-02 12:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SparkTrust
2013-10-30 16:05 . 2013-10-30 16:05 -------- d-----w- c:\documents and settings\UpdatusUser\Application Data\AVG
2013-10-29 19:22 . 2013-10-29 19:22 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVG
2013-10-29 18:51 . 2013-10-29 18:51 -------- d-----w- c:\documents and settings\Chris\Application Data\AVG
2013-10-29 18:35 . 2013-10-29 19:04 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG
2013-10-29 18:35 . 2013-10-30 01:35 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{01BD4FC9-2F86-4706-A62E-774BB7E9D308}
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-11-14 12:40 . 2012-03-30 14:58 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-11-14 12:40 . 2011-06-19 07:25 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-10-13 07:25 . 2006-02-28 12:00 920064 ----a-w- c:\windows\system32\wininet.dll
2013-10-13 07:25 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-10-13 07:25 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-10-13 07:24 . 2006-02-28 12:00 18944 ----a-w- c:\windows\system32\corpol.dll
2013-10-13 06:57 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
2013-10-12 15:56 . 2006-02-28 12:00 278528 ----a-w- c:\windows\system32\oakley.dll
2013-10-09 13:12 . 2006-02-28 12:00 287744 ----a-w- c:\windows\system32\gdi32.dll
2013-10-07 10:59 . 2006-02-28 12:00 603136 ----a-w- c:\windows\system32\crypt32.dll
2013-10-05 01:14 . 2010-08-23 13:13 7168 ----a-w- c:\windows\system32\xpsp4res.dll
2013-09-10 23:18 . 2013-09-10 23:18 97008 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2013-09-07 08:03 . 2010-08-23 13:10 499712 ----a-w- c:\windows\system32\msvcp71.dll
2013-09-07 08:03 . 2010-08-23 13:10 348160 ----a-w- c:\windows\system32\msvcr71.dll
2013-08-29 01:31 . 2006-02-28 12:00 1878656 ----a-w- c:\windows\system32\win32k.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-11-02 22:28 321752 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-08-14 18702336]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2013-06-21 15677728]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2013-06-21 2586912]
"Nvtmru"="c:\program files\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe" [2013-05-16 1012000]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2013-09-07 295512]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2013-11-02 3568312]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Sonic CinePlayer Quick Launch.lnk - c:\program files\Common Files\Sonic Shared\CineTray.exe [2006-7-25 114688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2013-11-06 17:11 14232 ----a-w- c:\program files\Citrix\GoToAssist\896\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WDDMStatus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WDDMStatus.lnk
backup=c:\windows\pss\WDDMStatus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WDSmartWare.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WDSmartWare.lnk
backup=c:\windows\pss\WDSmartWare.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-04-04 21:06 958576 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_McciTrayApp]
2013-06-12 09:21 2011824 ----a-w- c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
2005-05-20 13:46 28160 ----a-w- c:\windows\KHALMNPR.Exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mylbx]
2011-05-07 13:42 1899328 ----a-w- c:\documents and settings\My Lockbox\mylbx.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2013-06-21 09:54 223008 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
2003-05-08 10:00 49152 ----a-w- c:\program files\ScanSoft\OmniPageSE2.0\opwareSE2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify Web Helper]
2013-11-11 18:59 1140736 ----a-w- c:\program files\Spotify\Data\SpotifyWebHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2013-09-07 08:04 295512 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\Documents and Settings\\Chris\\Application Data\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpBrowser.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpNotifier.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
.
R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [04/11/2013 10:28 12112]
R0 aswNdis2;avast! Firewall NDIS Driver;c:\windows\system32\drivers\aswNdis2.sys [04/11/2013 10:28 247192]
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [02/11/2013 22:28 49944]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [02/11/2013 22:28 178304]
R0 FSProFilter;FSPro File Filter;c:\windows\system32\drivers\FSPFltd.sys [25/11/2011 23:34 41912]
R1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys [04/11/2013 10:28 26136]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [02/11/2013 22:28 774392]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswsp.sys [02/11/2013 22:28 403440]
R1 RapportCerberus_56758;RapportCerberus_56758;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_56758.sys [15/08/2013 08:00 330960]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [10/09/2013 23:18 148688]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [10/09/2013 23:18 222416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [02/11/2013 22:28 35656]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [02/11/2013 22:28 70384]
R2 avast! Firewall;avast! Firewall;c:\program files\AVAST Software\Avast\afwServ.exe [04/11/2013 10:28 116776]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [10/09/2013 23:18 1435928]
R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe [14/08/2013 14:19 39056]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [21/01/2010 15:24 110592]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [16/06/2009 07:58 20480]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [28/02/2013 17:45 161384]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [23/08/2010 12:00 1684736]
S3 AsrCDDrv;AsrCDDrv;\??\c:\windows\system32\Drivers\AsrCDDrv.sys --> c:\windows\system32\Drivers\AsrCDDrv.sys [?]
S3 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [10/09/2013 23:18 97008]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [17/10/2012 08:40 11520]
.
Contents of the 'Scheduled Tasks' folder
.
2013-11-15 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 12:40]
.
2013-11-16 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2013-11-02 22:28]
.
2013-09-20 c:\windows\Tasks\RealDownloaderDownloaderScheduledTaskS-1-5-21-790525478-838170752-725345543-1004.job
- c:\program files\RealNetworks\RealDownloader\recordingmanager.exe [2013-08-14 14:19]
.
2013-11-16 c:\windows\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-790525478-838170752-725345543-1004.job
- c:\program files\RealNetworks\RealDownloader\realupgrade.exe [2013-08-14 14:19]
.
2013-11-02 c:\windows\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-790525478-838170752-725345543-1004.job
- c:\program files\RealNetworks\RealDownloader\realupgrade.exe [2013-08-14 14:19]
.
2013-11-16 c:\windows\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-790525478-838170752-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-08-14 16:13]
.
2013-11-16 c:\windows\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-790525478-838170752-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-08-14 16:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bbc.co.uk/news/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.254
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-11-16 19:40
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
.
C:\avast! sandbox
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_152_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_152_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1440)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\program files\Citrix\GoToAssist\896\G2AWinLogon.dll
.
- - - - - - - > 'explorer.exe'(352)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2013-11-16  19:42:36
ComboFix-quarantined-files.txt  2013-11-16 19:42
.
Pre-Run: 58,710,491,136 bytes free
Post-Run: 58,873,327,616 bytes free
.
- - End Of File - - 686C446AA4FB7B7AB1E24205B296DFED
8F558EB6672622401DA993E1E865C861

 
 
 
 I look forward to hearing from you.  ...  Chris.
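As an added example that is not part of this thread (and not ComboFix's own code), here is a small Python triage script for the ComboFix log format posted above: it parses the AV/FW header lines, the Run key, the firewall AuthorizedApplications list and the R0-S3 service lines, then raises the same kinds of findings bloopie raised by eye (two real-time AV products, a P2P client allowed through the firewall, autostart binaries living under a user profile directory). The sample excerpt is constructed from lines in the thread, and the P2P watchlist and the user-profile heuristic are assumptions for the example.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix's own code)."""
import re

# Constructed excerpt modelled on the DDS/ComboFix logs posted in this thread.
SAMPLE_LOG = r"""ComboFix 13-11-16.01 - Chris 16/11/2013  19:27:44.2.1 - x86
AV: AVG AntiVirus 2014 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: avast! Internet Security *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Internet Security *Enabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-08-14 18702336]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2013-11-02 3568312]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Chris\\Application Data\\uTorrent\\uTorrent.exe"=
.
R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [04/11/2013 10:28 12112]
R1 RapportCerberus_56758;RapportCerberus_56758;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_56758.sys [15/08/2013 08:00 330960]
S3 AsrCDDrv;AsrCDDrv;\??\c:\windows\system32\Drivers\AsrCDDrv.sys --> c:\windows\system32\Drivers\AsrCDDrv.sys [?]
"""

# Line shapes used by ComboFix: header "AV: product *state* {guid}", Run entries
# "name"="path" [date size], firewall entries "path"=, and service lines
# "R0 name;display;path [date time size]".
AV_RE = re.compile(r"^(AV|FW|SP): (.+?) \*([^*]+)\*")
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)" \[([^\]]*)\]$')
FW_RE = re.compile(r'^"([^"]+)"=$')
SVC_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*) \[([^\]]*)\]$")

# Assumed watchlist of P2P client binaries (extend as needed).
P2P_CLIENTS = {"utorrent.exe", "bittorrent.exe", "emule.exe"}
# Assumed heuristic: autostart code under a user profile deserves a second look.
USER_DIRS = ("\\documents and settings\\", "\\application data\\")


def parse_combofix(text):
    """Return the header AV lines, Run entries, firewall entries and services."""
    report = {"av": [], "run": [], "firewall": [], "services": []}
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line == ".":                      # ComboFix separates blocks with a lone dot
            section = None
            continue
        if line.startswith("[") and line.endswith("]"):
            low = line.lower()
            if "authorizedapplications" in low:
                section = "firewall"
            elif low.endswith("\\run]"):
                section = "run"
            else:
                section = None
            continue
        m = AV_RE.match(line)
        if m:
            report["av"].append({"kind": m.group(1), "product": m.group(2), "state": m.group(3)})
            continue
        m = SVC_RE.match(line)
        if m:
            # "\??\path --> path" is shown for drivers resolved by ComboFix; keep the resolved path.
            report["services"].append({"start": m.group(1), "name": m.group(2),
                                       "display": m.group(3),
                                       "path": m.group(4).split(" --> ")[-1],
                                       "info": m.group(5)})
            continue
        if section == "run":
            m = RUN_RE.match(line)
            if m:
                report["run"].append({"name": m.group(1), "path": m.group(2), "info": m.group(3)})
        elif section == "firewall":
            m = FW_RE.match(line)
            if m:
                # Registry export doubles the backslashes; collapse them to a normal path.
                report["firewall"].append(m.group(1).replace("\\\\", "\\"))
    return report


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(report):
    """Produce review findings; a finding is a prompt for a human, not a verdict."""
    findings = []
    active = [a["product"] for a in report["av"]
              if a["kind"] == "AV" and a["state"].startswith("Enabled")]
    if len(active) > 1:
        findings.append("multiple real-time AV products enabled: " + ", ".join(active))
    for path in report["firewall"]:
        if basename(path) in P2P_CLIENTS:
            findings.append("P2P client allowed through the firewall: " + path)
    for entry in report["run"] + report["services"]:
        low = entry["path"].lower()
        if any(d in low for d in USER_DIRS):
            findings.append("autostart binary under a user profile directory (review): " + entry["name"])
    return findings


if __name__ == "__main__":
    for finding in triage(parse_combofix(SAMPLE_LOG)):
        print(finding)
```

Legitimate software (Trusteer Rapport in the sample) also lives under profile directories, which is why the last check is labelled "review" rather than treated as a detection.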
 



#6 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New York
  • Local time:06:35 AM

Posted 16 November 2013 - 04:58 PM

Hello again,
 
Good work! :thumbup2:
 
Let's run a couple of other scans:

Step :step1:

  • Please download TDSSKiller from here and save it to your Desktop
  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters


  • Check Loaded Modules, Verify Driver Digital Signature, and Detect TDLFS file system
  • If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now


  • Click Start Scan and allow the scan process to run


  • If threats are detected select Skip or Cure (if available) for all of them unless otherwise instructed.
    ***Do NOT select Delete!
  • Click Continue


  • Click Reboot computer
  • Please copy the TDSSKiller.[Version]_[Date]_[Time]_log.txt file found in your root directory (typically c:\) and paste it into your next reply

==========

Step :step2:

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Right-click FRST then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • When finished, it will produce a log called FRST.txt in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.

Note 2: The first time the tool is run it generates another log (Addition.txt - also located in the same directory the tool was run from). Please also paste that, along with the FRST.txt into your next reply.

==========

In addition to both logs, please let me know how the machine is running now!

bloopie



#7 closibley

closibley
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:10:35 AM

Posted 17 November 2013 - 04:30 PM

Hello again ...
I have run the scans and the results are in the attached files.
Attached File  Addition.txt   22.72KB   4 downloads
Attached File  FRST.txt   34.56KB   6 downloads
Attached File  TDSSKiller.3.0.0.17_17.11.2013_19.53.44_log.txt   3.58KB   1 downloads
Attached File  TDSSKiller.3.0.0.17_17.11.2013_19.56.23_log.txt   397.1KB   1 downloads
System performance no better than before and as described earlier in this correspondence. Increasingly slow to respond when using Internet Explorer, with regular freezes.
Thank you for your time and trouble.
... Chris.

#8 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New York
  • Local time:06:35 AM

Posted 17 November 2013 - 06:02 PM

Hello again,

As I stated in my first post, please DO NOT attach files, just copy and paste them here.

Also, did you intentionally install My Lockbox 2.5?

Step :step1:
 
We need to run a fix with FRST:

  • Please download the attached fixlist.txt file and save it to the same location as FRST
    Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt are in the same location or the fix will not work
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
    Attached File  fixlist.txt   1.36KB   2 downloads
  • Run FRST.exe/FRST64.exe and press the Fix button just once and wait
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run, please post it to your reply

==========

Step :step2:

Run a Combofix Script


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy the text in the codebox below, then paste it into the empty notepad:
 

ClearJavaCache::

Save this as CFScript.txt, in the same location as ComboFix.exe


[picture: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==========

Step :step3:

Please download Malwarebytes Anti-Malware and save it to your desktop.

Note: Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you cannot update Malwarebytes or use the Internet to download any files to the infected computer, manually update the database by following the instructions in FAQ Section A: 4. Issues.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When the scan is complete, click OK, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.

Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

-- Some types of malware will target Malwarebytes and other security tools to keep them from running properly. If that's the case, use Malwarebytes Chameleon and follow the onscreen instructions. The Chameleon folder can be accessed by opening the program folder for Malwarebytes Anti-Malware (normally C:\Program Files\Malwarebytes' Anti-Malware or C:\Program Files (x86)\Malwarebytes' Anti-Malware).

==========

Please post all requested logs in your next reply and let me know of any changes to the machine!

bloopie



#9 closibley

closibley
  • Topic Starter

  • Members
  • 22 posts

Posted 18 November 2013 - 07:05 AM

Hello Bloopie ...

Firstly, sorry about sending you files last time. My problem was that, when I copied and pasted, I got the message "post too long". So I tried twice more, each time halving the length of the post, but the message came back the same each time. How do I overcome this?

Secondly, yes, Lockbox is intentionally installed.

Thirdly, I have run fixlog.txt and the report is below.

This is as far as I have got though. I may have a problem with CFScript. I've created the notepad page as instructed but, when I drop the notepad icon into the cat icon:
a. the notepad icon does not disappear, and
b. a small window opens asking me if I want to run this software (ComboFix.exe)
What should I do?

... Chris.






Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 17-11-2013 02
Ran by Chris at 2013-11-18 11:33:26 Run:1
Running from C:\Documents and Settings\Chris\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - {17D90F9C-7FFB-4446-8F8A-28771A90FB66} URL = http://uk.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=714647&p={searchTerms}
SearchScopes: HKCU - {60AD6DF2-957C-42B9-8E67-AC1B6BC6EB97} URL = http://search.avg.com/route/?d=4b3d2cf0&i=23&tp=chrome&q={searchTerms}&lng={language}&ychte=us&nt=1
SearchScopes: HKCU - {F7982D08-8612-41E1-90DE-CCAE10D93039} URL = http://search.avg.com/route/?d=4b3d2cf0&i=23&tp=chrome&q={searchTerms}&lng={language}&ychte=uk&nt=1
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1282566059720
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} http://www.crucial.com/controls/cpcScanner.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
S3 AsrCDDrv; \??\C:\WINDOWS\system32\Drivers\AsrCDDrv.sys [x]
S3 catchme; \??\C:\DOCUME~1\Chris\LOCALS~1\Temp\catchme.sys [x]
S4 IntelIde; No ImagePath
*****************

HKCU\Software\Microsoft\Internet Explorer\Main\\Search Page => Value was restored successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{17D90F9C-7FFB-4446-8F8A-28771A90FB66} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{17D90F9C-7FFB-4446-8F8A-28771A90FB66} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{60AD6DF2-957C-42B9-8E67-AC1B6BC6EB97} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{60AD6DF2-957C-42B9-8E67-AC1B6BC6EB97} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{F7982D08-8612-41E1-90DE-CCAE10D93039} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{F7982D08-8612-41E1-90DE-CCAE10D93039} => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => Value deleted successfully.
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => Key not found.
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{17492023-C23A-453E-A040-C7C580BBF700} => Key deleted successfully.
HKCR\CLSID\{17492023-C23A-453E-A040-C7C580BBF700} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{6414512B-B978-451D-A0D8-FCFDF33E833C} => Key deleted successfully.
HKCR\CLSID\{6414512B-B978-451D-A0D8-FCFDF33E833C} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{A90A5822-F108-45AD-8482-9BC8B12DD539} => Key deleted successfully.
HKCR\CLSID\{A90A5822-F108-45AD-8482-9BC8B12DD539} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7} => Key deleted successfully.
HKCR\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7} => Key not found.
AsrCDDrv => Service deleted successfully.
catchme => Service deleted successfully.
IntelIde => Service deleted successfully.

==== End of Fixlog ====
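The Fixlog above echoes each fixlist directive and then the result FRST wrote back for it. As an added example (not part of the thread and not FRST's own code), the Python script below parses that two-part format and reconciles the halves, so a helper can see which directives were applied, which targets were already absent, and which got no result line at all. The embedded log is a constructed, shortened copy of the one posted, with two result lines deliberately left out so the check has something to flag.

```python
"""Reconcile a Farbar Recovery Scan Tool (FRST) Fixlog against the fixlist it was
run from.  Added example, not FRST's own code."""
import re
from typing import NamedTuple

# Constructed sample, shortened from the posted Fixlog.  The Code Store result for
# DPF {E2883E8F-...} and the AsrCDDrv service result were deliberately left out.
SAMPLE_FIXLOG = r"""
Content of fixlist:
*****************
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - {17D90F9C-7FFB-4446-8F8A-28771A90FB66} URL = http://uk.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=714647&p={searchTerms}
DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
S3 AsrCDDrv; \??\C:\WINDOWS\system32\Drivers\AsrCDDrv.sys [x]
S3 catchme; \??\C:\DOCUME~1\Chris\LOCALS~1\Temp\catchme.sys [x]
S4 IntelIde; No ImagePath
*****************

HKCU\Software\Microsoft\Internet Explorer\Main\\Search Page => Value was restored successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{17D90F9C-7FFB-4446-8F8A-28771A90FB66} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{17D90F9C-7FFB-4446-8F8A-28771A90FB66} => Key not found.
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{17492023-C23A-453E-A040-C7C580BBF700} => Key deleted successfully.
HKCR\CLSID\{17492023-C23A-453E-A040-C7C580BBF700} => Key deleted successfully.
HKCR\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7} => Key not found.
catchme => Service deleted successfully.
IntelIde => Service deleted successfully.

==== End of Fixlog ====
"""

FIXLIST_DELIM = "*****************"
RESULT_RE = re.compile(r"^(?P<target>.+?) => (?P<outcome>.+?)\.?$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
SERVICE_RE = re.compile(r"^[SR]\d\s+([^;]+);")  # "S3 catchme; <image path>" lines


class FixResult(NamedTuple):
    target: str    # what FRST acted on (key, value or service)
    outcome: str   # e.g. "Key deleted successfully", "Key not found"


def parse_fixlog(text: str):
    """Split a Fixlog into the echoed fixlist directives and the result lines."""
    fixlist, results, in_fixlist = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == FIXLIST_DELIM:        # the fixlist is fenced by two delimiter rows
            in_fixlist = not in_fixlist
        elif in_fixlist:
            if line:
                fixlist.append(line)
        elif (m := RESULT_RE.match(line)):
            results.append(FixResult(m["target"], m["outcome"]))
    return fixlist, results


def directive_key(entry: str) -> str:
    """Reduce a directive to the identifier FRST echoes back: the CLSID for
    SearchScopes/DPF/Toolbar lines, the service name for S*/R* lines, DefaultScope
    for the HKLM scope, or the value name of a 'Key,Value = data' line."""
    if g := GUID_RE.search(entry):
        return g.group(0)
    if s := SERVICE_RE.match(entry):
        return s.group(1)
    if entry.startswith("SearchScopes:") and "DefaultScope" in entry:
        return "DefaultScope"
    lhs = entry.split(" = ", 1)[0]
    return lhs.rsplit(",", 1)[1] if "," in lhs else entry   # e.g. "Search Page"


def reconcile(text: str) -> dict:
    """Map each directive key to 'applied', 'not_found' or 'no_result'."""
    fixlist, results = parse_fixlog(text)
    status = {}
    for key in map(directive_key, fixlist):
        hits = [r for r in results if key in r.target]
        if any("successfully" in r.outcome for r in hits):
            status[key] = "applied"
        elif hits:
            status[key] = "not_found"   # every result for it was "not found"
        else:
            status[key] = "no_result"   # FRST wrote nothing back for it
    return status


def unresolved(text: str) -> list:
    """Directive keys worth re-checking before declaring the fix complete."""
    return sorted(k for k, v in reconcile(text).items() if v != "applied")
```

Run `unresolved(SAMPLE_FIXLOG)` to list the two directives the constructed sample leaves unconfirmed; on a real Fixlog, an empty list means every directive was positively applied.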

#10 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 18 November 2013 - 09:22 AM

Hello again,

Okay, if the files are too big to copy/paste then attaching is okay.

And regarding Combofix, thanks for stopping to ask if you're unsure... Yes, when you drop the CFScript.txt onto Combofix it will run the program again, so please allow it to do so. Post me the resultant log when finished. :)

bloopie

#11 closibley

closibley
  • Topic Starter

  • Members
  • 22 posts

Posted 19 November 2013 - 05:26 AM

Bloopie ... Step 2 finished and log below. Now proceeding with Step 3. ... Chris.




ComboFix 13-11-19.01 - Chris 19/11/2013 10:03:24.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.940 [GMT 0:00]
Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Chris\Desktop\CFScript.txt
AV: avast! Internet Security *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Internet Security *Enabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2013-10-19 to 2013-11-19 )))))))))))))))))))))))))))))))
.
.
2013-11-17 20:05 . 2013-11-17 20:05 -------- d-----w- C:\FRST
2013-11-17 19:54 . 2013-11-17 19:54 204896 ----a-w- c:\windows\system32\drivers\54702193.sys
2013-11-17 19:31 . 2013-11-17 19:31 204896 ----a-w- c:\windows\system32\drivers\61540085.sys
2013-11-14 19:30 . 2013-11-14 19:31 -------- d-----w- C:\Bleeping Computer
2013-11-06 14:02 . 2013-11-06 14:12 -------- d-----w- C:\AdwCleaner
2013-11-04 10:29 . 2013-11-04 10:29 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVAST Software
2013-11-04 10:28 . 2013-11-04 10:28 26136 ----a-w- c:\windows\system32\drivers\aswKbd.sys
2013-11-04 10:28 . 2013-11-04 10:28 247192 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
2013-11-04 10:28 . 2013-11-04 10:28 12112 ----a-w- c:\windows\system32\drivers\aswNdis.sys
2013-11-02 22:30 . 2013-11-02 22:30 -------- d-----w- c:\documents and settings\Chris\Application Data\AVAST Software
2013-11-02 22:28 . 2013-11-07 08:49 403440 ----a-w- c:\windows\system32\drivers\aswsp.sys
2013-11-02 22:28 . 2013-11-02 22:28 57672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2013-11-02 22:28 . 2013-11-02 22:28 178304 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-11-02 22:28 . 2013-11-02 22:28 774392 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-11-02 22:28 . 2013-11-02 22:28 70384 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-11-02 22:28 . 2013-11-02 22:28 49944 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-11-02 22:28 . 2013-11-02 22:28 54832 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2013-11-02 22:28 . 2013-11-02 22:28 35656 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2013-11-02 22:28 . 2013-11-02 22:28 269216 ----a-w- c:\windows\system32\aswBoot.exe
2013-11-02 22:28 . 2013-11-02 22:28 43152 ----a-w- c:\windows\avastSS.scr
2013-11-02 22:27 . 2013-11-02 22:27 -------- d-----w- c:\program files\AVAST Software
2013-11-02 22:27 . 2013-11-02 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2013-11-02 21:53 . 2013-11-02 21:53 -------- d-----w- c:\documents and settings\Chris\Application Data\ElevatedDiagnostics
2013-11-02 13:19 . 2013-11-02 13:19 -------- d-----w- c:\documents and settings\Chris\.android
2013-10-31 22:49 . 2013-11-03 09:16 -------- d-----w- c:\program files\SUPERAntiSpyware
2013-10-31 22:34 . 2013-11-02 13:18 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\cache
2013-10-31 22:33 . 2013-11-02 13:39 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\Mobogenie
2013-10-31 22:33 . 2013-10-31 22:33 -------- d-----w- c:\program files\CSBrowserHelper
2013-10-31 19:35 . 2013-10-31 19:35 712264 ----a-w- c:\windows\is-6OA4D.exe
2013-10-30 20:57 . 2013-10-30 20:57 -------- d-----w- c:\documents and settings\Chris\Application Data\SparkTrust
2013-10-30 20:38 . 2013-11-02 12:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SparkTrust
2013-10-30 16:05 . 2013-10-30 16:05 -------- d-----w- c:\documents and settings\UpdatusUser\Application Data\AVG
2013-10-29 19:22 . 2013-10-29 19:22 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVG
2013-10-29 18:51 . 2013-10-29 18:51 -------- d-----w- c:\documents and settings\Chris\Application Data\AVG
2013-10-29 18:35 . 2013-10-29 19:04 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG
2013-10-29 18:35 . 2013-10-30 01:35 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{01BD4FC9-2F86-4706-A62E-774BB7E9D308}
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-11-14 12:40 . 2012-03-30 14:58 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-11-14 12:40 . 2011-06-19 07:25 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-10-13 07:25 . 2006-02-28 12:00 920064 ----a-w- c:\windows\system32\wininet.dll
2013-10-13 07:25 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-10-13 07:25 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-10-13 07:24 . 2006-02-28 12:00 18944 ----a-w- c:\windows\system32\corpol.dll
2013-10-13 06:57 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
2013-10-12 15:56 . 2006-02-28 12:00 278528 ----a-w- c:\windows\system32\oakley.dll
2013-10-09 13:12 . 2006-02-28 12:00 287744 ----a-w- c:\windows\system32\gdi32.dll
2013-10-07 10:59 . 2006-02-28 12:00 603136 ----a-w- c:\windows\system32\crypt32.dll
2013-10-05 01:14 . 2010-08-23 13:13 7168 ----a-w- c:\windows\system32\xpsp4res.dll
2013-09-10 23:18 . 2013-09-10 23:18 97008 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2013-09-07 08:03 . 2010-08-23 13:10 499712 ----a-w- c:\windows\system32\msvcp71.dll
2013-09-07 08:03 . 2010-08-23 13:10 348160 ----a-w- c:\windows\system32\msvcr71.dll
2013-08-29 01:31 . 2006-02-28 12:00 1878656 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-11-02 22:28 321752 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-08-14 18702336]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2013-06-21 15677728]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2013-06-21 2586912]
"Nvtmru"="c:\program files\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe" [2013-05-16 1012000]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2013-09-07 295512]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2013-11-02 3568312]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Sonic CinePlayer Quick Launch.lnk - c:\program files\Common Files\Sonic Shared\CineTray.exe [2006-7-25 114688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2013-11-06 17:11 14232 ----a-w- c:\program files\Citrix\GoToAssist\896\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WDDMStatus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WDDMStatus.lnk
backup=c:\windows\pss\WDDMStatus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WDSmartWare.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WDSmartWare.lnk
backup=c:\windows\pss\WDSmartWare.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-04-04 21:06 958576 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_McciTrayApp]
2013-06-12 09:21 2011824 ----a-w- c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
2005-05-20 13:46 28160 ----a-w- c:\windows\KHALMNPR.Exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mylbx]
2011-05-07 13:42 1899328 ----a-w- c:\documents and settings\My Lockbox\mylbx.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2013-06-21 09:54 223008 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
2003-05-08 10:00 49152 ----a-w- c:\program files\ScanSoft\OmniPageSE2.0\opwareSE2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify Web Helper]
2013-11-11 18:59 1140736 ----a-w- c:\program files\Spotify\Data\SpotifyWebHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2013-09-07 08:04 295512 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\Documents and Settings\\Chris\\Application Data\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpBrowser.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpNotifier.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
.
R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [04/11/2013 10:28 12112]
R0 aswNdis2;avast! Firewall NDIS Driver;c:\windows\system32\drivers\aswNdis2.sys [04/11/2013 10:28 247192]
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [02/11/2013 22:28 49944]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [02/11/2013 22:28 178304]
R0 FSProFilter;FSPro File Filter;c:\windows\system32\drivers\FSPFltd.sys [25/11/2011 23:34 41912]
R1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys [04/11/2013 10:28 26136]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [02/11/2013 22:28 774392]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswsp.sys [02/11/2013 22:28 403440]
R1 RapportCerberus_56758;RapportCerberus_56758;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_56758.sys [15/08/2013 08:00 330960]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [10/09/2013 23:18 148688]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [10/09/2013 23:18 222416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [02/11/2013 22:28 35656]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [02/11/2013 22:28 70384]
R2 avast! Firewall;avast! Firewall;c:\program files\AVAST Software\Avast\afwServ.exe [04/11/2013 10:28 116776]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [10/09/2013 23:18 1435928]
R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe [14/08/2013 14:19 39056]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [21/01/2010 15:24 110592]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [16/06/2009 07:58 20480]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [28/02/2013 17:45 161384]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [23/08/2010 12:00 1684736]
S3 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [10/09/2013 23:18 97008]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [17/10/2012 08:40 11520]
.
Contents of the 'Scheduled Tasks' folder
.
2013-11-19 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 12:40]
.
2013-11-19 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2013-11-02 22:28]
.
2013-11-19 c:\windows\Tasks\RealDownloaderDownloaderScheduledTaskS-1-5-21-790525478-838170752-725345543-1004.job
- c:\program files\RealNetworks\RealDownloader\recordingmanager.exe [2013-08-14 14:19]
.
2013-11-19 c:\windows\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-790525478-838170752-725345543-1004.job
- c:\program files\RealNetworks\RealDownloader\realupgrade.exe [2013-08-14 14:19]
.
2013-11-17 c:\windows\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-790525478-838170752-725345543-1004.job
- c:\program files\RealNetworks\RealDownloader\realupgrade.exe [2013-08-14 14:19]
.
2013-11-19 c:\windows\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-790525478-838170752-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-08-14 16:13]
.
2013-11-19 c:\windows\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-790525478-838170752-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-08-14 16:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bbc.co.uk/news/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.254
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-07045463.sys
SafeBoot-85456422.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-11-19 10:16
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
C:\avast! sandbox
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_152_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_152_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1444)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\program files\Citrix\GoToAssist\896\G2AWinLogon.dll
.
- - - - - - - > 'explorer.exe'(4016)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2013-11-19 10:19:21
ComboFix-quarantined-files.txt 2013-11-19 10:19
ComboFix2.txt 2013-11-16 19:42
.
Pre-Run: 59,660,914,688 bytes free
Post-Run: 59,724,632,064 bytes free
.
- - End Of File - - BDB90223BBCBA7116740181709DDDD2B
8F558EB6672622401DA993E1E865C861

#12 closibley

closibley
  • Topic Starter

  • Members
  • 22 posts

Posted 19 November 2013 - 06:12 AM

And finally ... the Stage 3 report.
System performance unchanged since running these scans.
I hope we're making progress!
Regards ... Chris.



Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.11.19.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Chris :: CHRIS-C1259C286 [administrator]

19/11/2013 10:39:28
mbam-log-2013-11-19 (10-39-28).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 225005
Time elapsed: 6 minute(s), 23 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up (PUP.Optional.PCSpeedUp.A) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\Chris\Desktop\adwcleaner setup.exe (PUP.Soft32Downloader) -> Quarantined and deleted successfully.

(end)



#13 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 19 November 2013 - 12:24 PM

Hello again,

I hope we're making progress!

We are ruling out the possibility of malware being the culprit, and we're nearly there.

Let's run these next:

Step 1

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished...
  • This time click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

==========

Step 2

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

==========

Step 3

***This next scan can take some time depending on the speed of your computer and your internet connection, so you may want to let it run overnight if it takes more than two hours***

I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

==========

In your next reply, post the three logs and please update me on the machine's performance!

bloopie



#14 closibley

closibley
  • Topic Starter

  • Members
  • 22 posts

Posted 20 November 2013 - 06:57 AM

Hello Bloopie ...

I have not been able to complete Step 1 because something is frustrating AdwCleaner.

The scan completes but, during the "Cleaning Browsers" stage, my whole system freezes. The egg timer remains, but nothing responds, so I cannot close the AdwC window nor close the computer down in the usual way. Even the clock freezes. So I have to turn the PC tower off.

I have done this twice, with the same result each time.

What now?

  ...  Chris.



#15 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 20 November 2013 - 08:10 AM

Hello again,

Please boot the computer into Safemode, and re-try the previous instructions.

bloopie


