
Qone8 virus


  • This topic is locked
18 replies to this topic

#1 wavemaker

wavemaker

  • Members
  • 283 posts
  • OFFLINE
  • Gender:Male
  • Location:Maryborough Queensland Australia
  • Local time:07:15 PM

Posted 15 November 2013 - 09:12 PM

Gooday all at BC. From the wife's notepad with Win XP SP2. I have downloaded JRT and the log is as follows. Any help most appreciated.
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Microsoft Windows XP x86
Ran by James on Sat 16/11/2013 at 11:57:11.85
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
Failed to stop: [Service] update spring smart 
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7f232128-6f42-4f37-8efe-2e6020b2d478}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{7f232128-6f42-4f37-8efe-2e6020b2d478}
 
 
 
~~~ Files
 
Successfully deleted: [File] "C:\Documents and Settings\James\appdata\locallow\SkwConfig.bin"
 
 
 
~~~ Folders
 
Failed to delete: [Folder] "C:\Program Files\spring smart"

Moderator edit: moved from XP to the appropriate forum. DDS logs are allowed only in Malware Removal Logs.
 

Edited by Queen-Evie, 16 November 2013 - 09:26 AM.

When The Going Gets Weird, The Weird Turn Pro. (H.S.T.)



#2 wavemaker

wavemaker

Posted 15 November 2013 - 09:25 PM

DDS files.

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.45.2
Run by James at 12:20:38 on 2013-11-16
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1014.453 [GMT 10:00]
.
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Spring Smart\updateSpringSmart.exe
C:\Program Files\Spring Smart\bin\utilSpringSmart.exe
C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files\SAMSUNG\MagicKBD\MagicKBD.exe
C:\Program Files\SAMSUNG\MagicKBD\PerformanceManager.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k yksvcs
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.


#3 wavemaker

wavemaker

Posted 15 November 2013 - 09:27 PM

Very strange. I am unable to locate the paperclip icon to attach the next DDS file.



#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,770 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:15 AM

Posted 19 November 2013 - 11:54 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Uncheck the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Please run the DDS tool one more time and post the complete log.
Your current log was truncated.

There is no need for me to see the Attach.txt at the moment.

If needed, the option will be found by using the Reply to this Topic button at the top right of the topic.

#5 wavemaker

wavemaker

Posted 19 November 2013 - 06:29 PM

Thanks. PM sent.



#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,770 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:15 AM

Posted 20 November 2013 - 09:22 AM

Will be waiting for the logs.

#7 wavemaker

wavemaker

Posted 21 November 2013 - 07:22 PM

# AdwCleaner v3.012 - Report created 22/11/2013 at 10:17:00
# Updated 11/11/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : James - JENNA29
# Running from : C:\Documents and Settings\James\My Documents\Downloads\adwcleaner (1).exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Conduit
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\Searchprotect
Folder Deleted : C:\Program Files\Connect_DLC_5
Folder Deleted : C:\Documents and Settings\James\Local Settings\Application Data\Connect_DLC_5
Folder Deleted : C:\Documents and Settings\James\Application Data\Searchprotect
File Deleted : C:\Documents and Settings\James\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\hxxp_app.mam.conduit.com_0.localstorage
File Deleted : C:\Documents and Settings\James\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\hxxp_app.mam.conduit.com_0.localstorage-journal
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKCU\Toolbar
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3306061
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D1B5AAD5-D1AE-4B20-88B1-FEEAEB4C1EBC}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{24C1F23B-0796-4C3A-8E00-BAB4D876D4A9}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D1B5AAD5-D1AE-4B20-88B1-FEEAEB4C1EBC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{24C1F23B-0796-4C3A-8E00-BAB4D876D4A9}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A29819E1-5D6A-433B-B877-8763D9CBB7F4}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CFBF2A14-2FB7-4A3C-A449-EA4729C5E42B}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{D1B5AAD5-D1AE-4B20-88B1-FEEAEB4C1EBC}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{D1B5AAD5-D1AE-4B20-88B1-FEEAEB4C1EBC}]
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\smartbar
Key Deleted : HKCU\Software\Connect_DLC_5
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\SearchProtect
Key Deleted : HKLM\Software\Connect_DLC_5
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SearchProtect
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v8.0.6001.18702
 
 
-\\ Google Chrome v31.0.1650.57
 
[ File : C:\Documents and Settings\James\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [19215 octets] - [05/11/2013 15:34:12]
AdwCleaner[R1].txt - [3311 octets] - [22/11/2013 10:06:19]
AdwCleaner[S0].txt - [17877 octets] - [05/11/2013 16:16:34]
AdwCleaner[S1].txt - [3302 octets] - [22/11/2013 10:17:00]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [3362 octets] ##########


#8 wavemaker

wavemaker

Posted 21 November 2013 - 07:40 PM

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.45.2
Run by James at 12:20:38 on 2013-11-16
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1014.453 [GMT 10:00]
.
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Spring Smart\updateSpringSmart.exe
C:\Program Files\Spring Smart\bin\utilSpringSmart.exe
C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files\SAMSUNG\MagicKBD\MagicKBD.exe
C:\Program Files\SAMSUNG\MagicKBD\PerformanceManager.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k yksvcs
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uProxyServer = localhost:21320
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [EDS] c:\program files\samsung\samsung eds\EDSAgent.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [DMHotKey] c:\program files\samsung\easy display manager\DMLoader.exe
mRun: [SUPBackground] c:\program files\samsung\samsung update plus\SUPBackground.exe
mRun: [BatteryManager] c:\program files\samsung\samsung battery manager\BatteryManager.exe
mRun: [MagicKeyboard] c:\program files\samsung\magickbd\PreMKBD.exe
mRun: [SDTray] "c:\program files\spybot - search & destroy 2\SDTray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1368666016109
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_45-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0045-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_45-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_45-windows-i586.cab
TCP: NameServer = 10.0.0.138
TCP: Interfaces\{5EC34FD5-23DD-48B4-A4E7-707CF08D0B02} : DHCPNameServer = 10.0.0.138
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\30.0.1599.101\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2009-8-8 4300]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\htc\internet pass-through\PassThruSvr.exe [2012-10-8 166912]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\spybot - search & destroy 2\SDFSSvc.exe [2013-6-21 1817560]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\spybot - search & destroy 2\SDUpdSvc.exe [2013-6-21 1033688]
R2 Update Spring Smart;Update Spring Smart;c:\program files\spring smart\updateSpringSmart.exe [2013-10-5 66344]
R2 Util Spring Smart;Util Spring Smart;c:\program files\spring smart\bin\utilSpringSmart.exe [2013-11-3 66344]
R2 yksvc;Marvell Yukon Service;c:\windows\system32\svchost.exe -k yksvcs [2009-8-8 14336]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [2008-1-15 30208]
R3 hspabus;SAMSUNG HSPA USB Composite Device driver (WDM);c:\windows\system32\drivers\hspabus.sys [2009-8-8 91776]
R3 hspamdfl;SAMSUNG HSPA Modem Filter;c:\windows\system32\drivers\hspamdfl.sys [2009-8-8 14976]
R3 hspamdm;SAMSUNG HSPA Modem Drivers;c:\windows\system32\drivers\hspamdm.sys [2009-8-8 119808]
R3 hspaserd;SAMSUNG HSPA Modem Diagnostic Serial Port (WDM);c:\windows\system32\drivers\hspaserd.sys [2009-8-8 98560]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [2009-8-8 238464]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\spybot - search & destroy 2\SDWSCSvc.exe [2013-6-21 171928]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-6-3 162408]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2013-6-21 24576]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [2012-10-8 21248]
S3 SUEPD;SUE NDIS Protocol Driver;c:\windows\system32\drivers\SUE_PD.sys [2006-8-2 19840]
S3 swg3kser00;Sierra Wireless QMI USB Device for Legacy Serial Communication;c:\windows\system32\drivers\swg3kser00.sys [2013-10-1 216064]
S3 swiwdmbx;Sierra Wireless USB Bus Service;c:\windows\system32\drivers\swiwdmbx.sys [2013-10-1 83456]
S3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\drivers\swnc8ua3.sys [2013-10-1 211712]
.
=============== Created Last 30 ================
.
2013-11-16 01:57:07 -------- d-----w- c:\windows\ERUNT
2013-11-05 06:39:50 -------- d-sha-r- C:\cmdcons
2013-11-05 06:38:45 98816 ----a-w- c:\windows\sed.exe
2013-11-05 06:38:45 256000 ----a-w- c:\windows\PEV.exe
2013-11-05 06:38:45 208896 ----a-w- c:\windows\MBR.exe
2013-11-05 05:34:05 -------- d-----w- C:\AdwCleaner
2013-11-02 08:37:25 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-11-02 08:37:25 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-11-02 08:35:06 -------- d-----w- c:\program files\Spring Smart
2013-10-24 21:09:44 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
.
==================== Find3M  ====================
.
2013-10-13 07:25:38 920064 ----a-w- c:\windows\system32\wininet.dll
2013-10-13 07:25:08 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-10-13 07:25:02 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-10-13 07:24:17 18944 ----a-w- c:\windows\system32\corpol.dll
2013-10-13 06:57:59 385024 ----a-w- c:\windows\system32\html.iec
2013-10-12 15:56:19 278528 ----a-w- c:\windows\system32\oakley.dll
2013-10-09 13:12:48 287744 ----a-w- c:\windows\system32\gdi32.dll
2013-10-07 21:29:36 145408 ----a-w- c:\windows\system32\javacpl.cpl
2013-10-07 10:59:21 603136 ----a-w- c:\windows\system32\crypt32.dll
2013-10-05 01:14:01 7168 ----a-w- c:\windows\system32\xpsp4res.dll
2013-09-09 08:54:24 773968 ----a-w- c:\windows\system32\msvcr100.dll
2013-09-09 08:54:24 632656 ----a-w- c:\windows\system32\msvcr80.dll
2013-09-09 08:54:24 554832 ----a-w- c:\windows\system32\msvcp80.dll
2013-09-09 08:54:24 479232 ----a-w- c:\windows\system32\msvcm80.dll
2013-09-09 08:54:24 421200 ----a-w- c:\windows\system32\msvcp100.dll
2013-08-29 01:31:44 1878656 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 12:21:16.20 ===============


#9 nasdaq

nasdaq

  • Malware Response Team
  • 38,770 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:15 AM

Posted 22 November 2013 - 09:12 AM


This process looks to be the culprit.
Remove it using Add/Remove Programs if you can.

C:\Program Files\Spring Smart\updateSpringSmart.exe

Then run these tools.

--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then click on the "Scan" button.
  • Wait until the Status box shows "Scan Finished".
  • Click on "Delete".
  • Wait until the Status box shows "Deleting Finished".
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop.
  • Exit/Close RogueKiller.
==============

Please download ComboFix from one of these locations:
Link 1
Link 2
IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
whatnext.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If, after running ComboFix, you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program, all you need to do is restart the computer to reset the registry.
===

Third-party programs, if not up to date, can be the cause of infiltration of an infection.

Please restart the computer before running this security check.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
P.S.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.
===

Please paste the logs in your next reply, DO NOT ATTACH THEM.
Let me know what problem persists.

#10 wavemaker

wavemaker

Posted 23 November 2013 - 05:24 PM

Strange thing happened. I tried to delete that Spring Smart thing the other day and I was unable to do so. I renamed it and tried getting rid of it but it persisted.

RogueKiller V8.7.8 [Nov 14 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : James [Admin rights]
Mode : Remove -- Date : 11/24/2013 08:19:31
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 5 ¤¤¤
[HJ POL][PUM] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
[HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> REPLACED (1)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [LOADED] ¤¤¤
[Inline] EAT @explorer.exe (@Classes@TFiler@) : rtl150.bpl -> HOOKED (Unknown @ 0x3059296C)
[Inline] EAT @explorer.exe (@Classes@TReader@) : rtl150.bpl -> HOOKED (Unknown @ 0xB45933BC)
[Inline] EAT @explorer.exe (@Classes@TStreamWriter@) : rtl150.bpl -> HOOKED (Unknown @ 0x54599FB5)
[Inline] EAT @explorer.exe (@Comobj@TAutoObjectEvent@) : rtl150.bpl -> HOOKED (Unknown @ 0xDC5BB8A4)
[Inline] EAT @explorer.exe (@Ioutils@TPath@FInvalidFileNameChars) : rtl150.bpl -> HOOKED (Unknown @ 0x101D93B3)
[Inline] EAT @explorer.exe (@Msxml@IID_ISAXEntityResolver) : rtl150.bpl -> HOOKED (Unknown @ 0x1FB8BAB5)
[Inline] EAT @explorer.exe (@Oledb@DBOBJECT_DOMAIN) : rtl150.bpl -> HOOKED (Unknown @ 0x43E12FD7)
[Inline] EAT @explorer.exe (@Oledb@DBOBJECT_SCHEMA) : rtl150.bpl -> HOOKED (Unknown @ 0x43E12FC7)
[Inline] EAT @explorer.exe (@System@ExceptionClass) : rtl150.bpl -> HOOKED (Unknown @ 0xDD6A1039)
[Inline] EAT @explorer.exe (@Wincodec@CATID_WICFormatConverters) : rtl150.bpl -> HOOKED (Unknown @ 0x6490FC7F)
[Inline] EAT @explorer.exe (@Clipbrd@CF_PICTURE) : vcl150.bpl -> HOOKED (Unknown @ 0x4FFDCBE9)
[Inline] EAT @explorer.exe (@Controls@TCustomTouchManager@) : vcl150.bpl -> HOOKED (Unknown @ 0x34772A44)
[Inline] EAT @explorer.exe (@Controls@TDockTree@) : vcl150.bpl -> HOOKED (Unknown @ 0xC0779121)
[Inline] EAT @explorer.exe (@Controls@TTouchManager@) : vcl150.bpl -> HOOKED (Unknown @ 0x34772FF8)
[Inline] EAT @explorer.exe (@Jclmath@Catalan) : Jcl150.bpl -> HOOKED (Unknown @ 0x00BF2040)
[Inline] EAT @explorer.exe (@Jclmath@Cbrt3) : Jcl150.bpl -> HOOKED (Unknown @ 0x90B1D717)
[Inline] EAT @explorer.exe (@Jclmath@LnPi) : Jcl150.bpl -> HOOKED (Unknown @ 0xCA671DA3)
[Inline] EAT @explorer.exe (@Jclmath@Log3) : Jcl150.bpl -> HOOKED (Unknown @ 0x84D25F65)
[Inline] EAT @explorer.exe (@Jclsimplexml@TJclSimpleXMLProps@) : Jcl150.bpl -> HOOKED (Unknown @ 0x4858BACA)
[Inline] EAT @explorer.exe (@Jclstructstorage@UnitVersioning) : Jcl150.bpl -> HOOKED (Unknown @ 0xF469DFA7)
[Inline] EAT @explorer.exe (@Jclwin32@RtdlNetGroupAdd) : Jcl150.bpl -> HOOKED (Unknown @ 0x3467D32D)
[Inline] EAT @explorer.exe (@Mscorlib_tlb@CLASS_AsymmetricSignatureDeformatter) : Jcl150.bpl -> HOOKED (Unknown @ 0x269C6902)
[Inline] EAT @explorer.exe (@Mscorlib_tlb@CLASS_Buffer) : Jcl150.bpl -> HOOKED (Unknown @ 0x8313E316)
[Inline] EAT @explorer.exe (@Mscorlib_tlb@CLASS_CaseInsensitiveComparer) : Jcl150.bpl -> HOOKED (Unknown @ 0x6C9E7D34)
[Inline] EAT @explorer.exe (@Mscorlib_tlb@CLASS_FileNotFoundException) : Jcl150.bpl -> HOOKED (Unknown @ 0xEB14FC04)
[Inline] EAT @explorer.exe (@Mscorlib_tlb@CLASS_JulianCalendar) : Jcl150.bpl -> HOOKED (Unknown @ 0x607DE6A9)
[Inline] EAT @explorer.exe (@Mscorlib_tlb@CLASS_PKCS1MaskGenerationMethod) : Jcl150.bpl -> HOOKED (Unknown @ 0x5E0E5459)
[Inline] EAT @explorer.exe (@Mscorlib_tlb@CLASS_ProgIdAttribute) : Jcl150.bpl -> HOOKED (Unknown @ 0x64693527)
[Inline] EAT @explorer.exe (@Mscorlib_tlb@CLASS_SHA384) : Jcl150.bpl -> HOOKED (Unknown @ 0x062DADDF)
[Inline] EAT @explorer.exe (@Mscorlib_tlb@CLASS_SoapDateTime) : Jcl150.bpl -> HOOKED (Unknown @ 0x886A688F)
[Inline] EAT @explorer.exe (@Mscorlib_tlb@IID_IChannel) : Jcl150.bpl -> HOOKED (Unknown @ 0xB577C87E)
[Inline] EAT @explorer.exe (@Mscorlib_tlb@IID__BitConverter) : Jcl150.bpl -> HOOKED (Unknown @ 0xD97E4C5E)
[Inline] EAT @explorer.exe (@Mscorlib_tlb@IID__CryptographicException) : Jcl150.bpl -> HOOKED (Unknown @ 0xFA6AC5AF)
[Inline] EAT @explorer.exe (@Mscorlib_tlb@IID__CustomAttributeBuilder) : Jcl150.bpl -> HOOKED (Unknown @ 0x47E035A9)
[Inline] EAT @explorer.exe (@Mscorlib_tlb@IID__ExternalException) : Jcl150.bpl -> HOOKED (Unknown @ 0x70C9C911)
[Inline] EAT @explorer.exe (@Mscorlib_tlb@IID__IsolatedStorageFilePermission) : Jcl150.bpl -> HOOKED (Unknown @ 0x292E9B90)
[Inline] EAT @explorer.exe (@Mscorlib_tlb@IID__Pointer) : Jcl150.bpl -> HOOKED (Unknown @ 0x03125CDC)
[Inline] EAT @explorer.exe (@Mscorlib_tlb@IID__RegionInfo) : Jcl150.bpl -> HOOKED (Unknown @ 0xD76F9F58)
[Inline] EAT @explorer.exe (@Mscorlib_tlb@IID__SiteIdentityPermission) : Jcl150.bpl -> HOOKED (Unknown @ 0x4E9A9BCB)
[Inline] EAT @explorer.exe (@Mscorlib_tlb@IID__ThaiBuddhistCalendar) : Jcl150.bpl -> HOOKED (Unknown @ 0xA3E88D47)
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection :  ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
127.0.0.1       localhost
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) WDC WD1600BEVT-22ZCT0 +++++
--- User ---
[MBR] 09eafc6deb67f63e14ea0b3f38bcedb5
[BSP] b4229cb0d5f5162eb795c8a2b455428b : KIWI Image system MBR Code
Partition table:
0 - [XXXXXX] COMPAQ (0x12) [VISIBLE] Offset (sectors): 63 | Size: 6149 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 12594960 | Size: 72749 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 161585152 | Size: 73727 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[0]_D_11242013_081931.txt >>
RKreport[0]_S_11242013_081707.txt
 
 
 

Went to it this morning; one click and it went straight to the Recycle Bin, which I then emptied. Here is the RK report.



#11 wavemaker

wavemaker

Posted 23 November 2013 - 06:00 PM

ComboFix 13-11-23.02 - James 24/11/2013   8:46.2.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1014.654 [GMT 10:00]
Running from: c:\documents and settings\James\My Documents\Downloads\ComboFix.exe
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
D:\AUTORUN.INF
.
.
(((((((((((((((((((((((((   Files Created from 2013-10-23 to 2013-11-23  )))))))))))))))))))))))))))))))
.
.
2013-11-16 04:33 . 2006-12-28 14:31 19569 ----a-w- c:\windows\000001_.tmp
2013-11-16 02:34 . 2013-11-16 02:34 -------- d-----w- c:\documents and settings\James\Local Settings\Application Data\WhiteListing
2013-11-16 02:33 . 2013-11-16 02:33 -------- d-----w- c:\documents and settings\James\Local Settings\Application Data\NativeMessaging
2013-11-16 01:57 . 2013-11-16 01:57 -------- d-----w- c:\windows\ERUNT
2013-11-05 05:34 . 2013-11-22 00:17 -------- d-----w- C:\AdwCleaner
2013-11-02 08:37 . 2013-11-02 08:37 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-11-02 08:37 . 2013-11-02 08:37 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-10-13 07:25 . 2009-08-07 22:00 920064 ----a-w- c:\windows\system32\wininet.dll
2013-10-13 07:25 . 2009-08-07 21:59 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-10-13 07:25 . 2009-08-07 21:59 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-10-13 07:24 . 2009-08-07 21:59 18944 ----a-w- c:\windows\system32\corpol.dll
2013-10-13 06:57 . 2009-08-07 21:59 385024 ----a-w- c:\windows\system32\html.iec
2013-10-12 15:56 . 2009-08-07 21:59 278528 ----a-w- c:\windows\system32\oakley.dll
2013-10-09 13:12 . 2009-08-07 21:59 287744 ----a-w- c:\windows\system32\gdi32.dll
2013-10-07 21:50 . 2013-10-24 21:09 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-10-07 21:29 . 2013-07-25 07:25 145408 ----a-w- c:\windows\system32\javacpl.cpl
2013-10-07 10:59 . 2009-08-07 21:59 603136 ----a-w- c:\windows\system32\crypt32.dll
2013-10-05 01:14 . 2010-02-27 22:37 7168 ----a-w- c:\windows\system32\xpsp4res.dll
2013-09-09 08:54 . 2013-10-15 06:12 773968 ----a-w- c:\windows\system32\msvcr100.dll
2013-09-09 08:54 . 2013-10-15 06:12 632656 ----a-w- c:\windows\system32\msvcr80.dll
2013-09-09 08:54 . 2013-10-15 06:12 554832 ----a-w- c:\windows\system32\msvcp80.dll
2013-09-09 08:54 . 2013-10-15 06:12 479232 ----a-w- c:\windows\system32\msvcm80.dll
2013-09-09 08:54 . 2013-10-15 06:12 421200 ----a-w- c:\windows\system32\msvcp100.dll
2013-08-30 07:47 . 2013-10-08 04:09 229648 ----a-w- c:\windows\system32\aswBoot.exe
2013-08-29 01:31 . 2009-08-07 22:00 1878656 ----a-w- c:\windows\system32\win32k.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-08-26 16851456]
"EDS"="c:\program files\Samsung\Samsung EDS\EDSAgent.exe" [2007-12-21 659456]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1044480]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]
"SUPBackground"="c:\program files\Samsung\Samsung Update Plus\SUPBackground.exe" [2010-04-20 300912]
"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2009-06-02 3153408]
"MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-15 151552]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-07-01 254336]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ   autocheck autochk *\0\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [8/08/2009 8:37 AM 4300]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [8/10/2012 5:04 PM 166912]
R2 yksvc;Marvell Yukon Service;c:\windows\System32\svchost.exe -k yksvcs [8/08/2009 8:00 AM 14336]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [15/01/2008 12:01 PM 30208]
R3 hspabus;SAMSUNG HSPA USB Composite Device driver (WDM);c:\windows\system32\drivers\hspabus.sys [8/08/2009 8:42 AM 91776]
R3 hspamdfl;SAMSUNG HSPA Modem Filter;c:\windows\system32\drivers\hspamdfl.sys [8/08/2009 8:42 AM 14976]
R3 hspamdm;SAMSUNG HSPA Modem Drivers;c:\windows\system32\drivers\hspamdm.sys [8/08/2009 8:42 AM 119808]
R3 hspaserd;SAMSUNG HSPA Modem Diagnostic Serial Port (WDM);c:\windows\system32\drivers\hspaserd.sys [8/08/2009 8:42 AM 98560]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [8/08/2009 8:41 AM 238464]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [3/06/2013 4:21 PM 162408]
S2 Util Spring Smart;Util Spring Smart;"c:\program files\Spring Smart\bin\utilSpringSmart.exe" --> c:\program files\Spring Smart\bin\utilSpringSmart.exe [?]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [21/06/2013 6:40 PM 24576]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [8/10/2012 5:04 PM 21248]
S3 SUEPD;SUE NDIS Protocol Driver;c:\windows\system32\drivers\SUE_PD.sys [2/08/2006 8:57 AM 19840]
S3 swg3kser00;Sierra Wireless QMI USB Device for Legacy Serial Communication;c:\windows\system32\drivers\swg3kser00.sys [1/10/2013 6:02 PM 216064]
S3 swiwdmbx;Sierra Wireless USB Bus Service;c:\windows\system32\drivers\swiwdmbx.sys [1/10/2013 6:02 PM 83456]
S3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\drivers\swnc8ua3.sys [1/10/2013 6:02 PM 211712]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
yksvcs REG_MULTI_SZ   yksvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-11-16 03:44 1210320 ----a-w- c:\program files\Google\Chrome\Application\31.0.1650.57\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-11-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-06-21 00:21]
.
2013-11-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-06-21 00:21]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.google.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.0.0.138
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-11-24 08:52
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2013-11-24  08:55:06
ComboFix-quarantined-files.txt  2013-11-23 22:55
ComboFix2.txt  2013-11-05 06:53
.
Pre-Run: 61,097,897,984 bytes free
Post-Run: 61,086,543,872 bytes free
.
- - End Of File - - 747871D57ED39A2B48343DFB265832A2
A0A345F7AB6F3BAC008FB0DE602E66CD


#12 wavemaker
  • Topic Starter
  • Members
  • 283 posts
  • Gender:Male
  • Location:Maryborough Queensland Australia

Posted 23 November 2013 - 06:08 PM

 Results of screen317's Security Check version 0.99.77  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
`````````Anti-malware/Other Utilities Check:````````` 
 Java™ 6 Update 45  
 Java 7 Update 45  
 Adobe Reader 9 Adobe Reader out of Date! 
 Google Chrome 30.0.1599.101  
 Google Chrome 31.0.1650.57  
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Small Business Business Contact Manager BcmSqlStartupSvc.exe  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:: 7% 
````````````````````End of Log`````````````````````` 


#13 wavemaker
  • Topic Starter
  • Members
  • 283 posts
  • Gender:Male
  • Location:Maryborough Queensland Australia

Posted 23 November 2013 - 09:25 PM

I have updated Adobe Reader and installed Avast Free virus protection also.



#14 nasdaq
  • Malware Response Team
  • 38,770 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 24 November 2013 - 10:34 AM

Using Add/Remove Programs, delete this old version of Java™ 6 Update 45.

===

Open notepad and copy/paste the text in the quote box below into it:
 
Driver::
Util Spring Smart

ClearJavaCache::
Save this as CFScript.txt on your desktop.

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Let me know what problem persists.

Edited by nasdaq, 24 November 2013 - 10:34 AM.


#15 wavemaker
  • Topic Starter
  • Members
  • 283 posts
  • Gender:Male
  • Location:Maryborough Queensland Australia

Posted 24 November 2013 - 05:25 PM

Gooday nasdaq, thanks again for your help. I notice that I didn't say that when I tried to delete Spring Smart following your instruction to do so, it went without a whimper, gone! I believe I have followed all your instructions and below is the ComboFix log created this morning. My wife says that she has had no issues with this notepad, only that it seemed to be running a bit slower. I suspect that may be because of Avast.

ComboFix 13-11-23.02 - James 25/11/2013   7:40.3.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1014.651 [GMT 10:00]
Running from: c:\documents and settings\James\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\James\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_UTIL_SPRING_SMART
-------\Service_Util Spring Smart
.
.
(((((((((((((((((((((((((   Files Created from 2013-10-24 to 2013-11-24  )))))))))))))))))))))))))))))))
.
.
2013-11-24 21:21 . 2013-10-07 21:51 873384 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-11-24 21:21 . 2013-10-07 21:51 796072 ----a-w- c:\windows\system32\deployJava1.dll
2013-11-23 23:39 . 2013-11-23 23:40 -------- d-----w- c:\program files\Common Files\Adobe
2013-11-23 23:33 . 2013-11-23 23:33 -------- d-----w- c:\documents and settings\James\Application Data\AVAST Software
2013-11-23 23:32 . 2013-11-23 23:32 57672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2013-11-23 23:32 . 2013-11-23 23:32 403440 ----a-w- c:\windows\system32\drivers\aswSP.sys
2013-11-23 23:32 . 2013-11-23 23:32 178304 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-11-23 23:32 . 2013-11-23 23:32 774392 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-11-23 23:32 . 2013-11-23 23:32 70384 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-11-23 23:32 . 2013-11-23 23:32 49944 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-11-23 23:32 . 2013-11-23 23:32 54832 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2013-11-23 23:32 . 2013-11-23 23:32 35656 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2013-11-23 23:32 . 2013-11-23 23:32 43152 ----a-w- c:\windows\avastSS.scr
2013-11-16 04:33 . 2006-12-28 14:31 19569 ----a-w- c:\windows\000001_.tmp
2013-11-16 02:34 . 2013-11-16 02:34 -------- d-----w- c:\documents and settings\James\Local Settings\Application Data\WhiteListing
2013-11-16 02:33 . 2013-11-16 02:33 -------- d-----w- c:\documents and settings\James\Local Settings\Application Data\NativeMessaging
2013-11-16 01:57 . 2013-11-16 01:57 -------- d-----w- c:\windows\ERUNT
2013-11-05 05:34 . 2013-11-22 00:17 -------- d-----w- C:\AdwCleaner
2013-11-02 08:37 . 2013-11-02 08:37 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-11-02 08:37 . 2013-11-02 08:37 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-11-23 23:32 . 2013-10-08 04:09 269216 ----a-w- c:\windows\system32\aswBoot.exe
2013-10-13 07:25 . 2009-08-07 22:00 920064 ----a-w- c:\windows\system32\wininet.dll
2013-10-13 07:25 . 2009-08-07 21:59 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-10-13 07:25 . 2009-08-07 21:59 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-10-13 07:24 . 2009-08-07 21:59 18944 ----a-w- c:\windows\system32\corpol.dll
2013-10-13 06:57 . 2009-08-07 21:59 385024 ----a-w- c:\windows\system32\html.iec
2013-10-12 15:56 . 2009-08-07 21:59 278528 ----a-w- c:\windows\system32\oakley.dll
2013-10-09 13:12 . 2009-08-07 21:59 287744 ----a-w- c:\windows\system32\gdi32.dll
2013-10-07 21:50 . 2013-10-24 21:09 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-10-07 21:29 . 2013-07-25 07:25 145408 ----a-w- c:\windows\system32\javacpl.cpl
2013-10-07 10:59 . 2009-08-07 21:59 603136 ----a-w- c:\windows\system32\crypt32.dll
2013-10-05 01:14 . 2010-02-27 22:37 7168 ----a-w- c:\windows\system32\xpsp4res.dll
2013-09-09 08:54 . 2013-10-15 06:12 773968 ----a-w- c:\windows\system32\msvcr100.dll
2013-09-09 08:54 . 2013-10-15 06:12 632656 ----a-w- c:\windows\system32\msvcr80.dll
2013-09-09 08:54 . 2013-10-15 06:12 554832 ----a-w- c:\windows\system32\msvcp80.dll
2013-09-09 08:54 . 2013-10-15 06:12 479232 ----a-w- c:\windows\system32\msvcm80.dll
2013-09-09 08:54 . 2013-10-15 06:12 421200 ----a-w- c:\windows\system32\msvcp100.dll
2013-08-29 01:31 . 2009-08-07 22:00 1878656 ----a-w- c:\windows\system32\win32k.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-11-23 23:32 321752 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-08-26 16851456]
"EDS"="c:\program files\Samsung\Samsung EDS\EDSAgent.exe" [2007-12-21 659456]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1044480]
"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]
"SUPBackground"="c:\program files\Samsung\Samsung Update Plus\SUPBackground.exe" [2010-04-20 300912]
"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2009-06-02 3153408]
"MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-15 151552]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2013-11-23 3568312]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-09-05 958576]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ   autocheck autochk *\0\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [24/11/2013 9:32 AM 49944]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [24/11/2013 9:32 AM 178304]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [24/11/2013 9:32 AM 774392]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [24/11/2013 9:32 AM 403440]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [24/11/2013 9:32 AM 35656]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [24/11/2013 9:32 AM 70384]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [8/08/2009 8:37 AM 4300]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [8/10/2012 5:04 PM 166912]
R2 yksvc;Marvell Yukon Service;c:\windows\System32\svchost.exe -k yksvcs [8/08/2009 8:00 AM 14336]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [15/01/2008 12:01 PM 30208]
R3 hspabus;SAMSUNG HSPA USB Composite Device driver (WDM);c:\windows\system32\drivers\hspabus.sys [8/08/2009 8:42 AM 91776]
R3 hspamdfl;SAMSUNG HSPA Modem Filter;c:\windows\system32\drivers\hspamdfl.sys [8/08/2009 8:42 AM 14976]
R3 hspamdm;SAMSUNG HSPA Modem Drivers;c:\windows\system32\drivers\hspamdm.sys [8/08/2009 8:42 AM 119808]
R3 hspaserd;SAMSUNG HSPA Modem Diagnostic Serial Port (WDM);c:\windows\system32\drivers\hspaserd.sys [8/08/2009 8:42 AM 98560]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [8/08/2009 8:41 AM 238464]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [3/06/2013 4:21 PM 162408]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [21/06/2013 6:40 PM 24576]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [8/10/2012 5:04 PM 21248]
S3 SUEPD;SUE NDIS Protocol Driver;c:\windows\system32\drivers\SUE_PD.sys [2/08/2006 8:57 AM 19840]
S3 swg3kser00;Sierra Wireless QMI USB Device for Legacy Serial Communication;c:\windows\system32\drivers\swg3kser00.sys [1/10/2013 6:02 PM 216064]
S3 swiwdmbx;Sierra Wireless USB Bus Service;c:\windows\system32\drivers\swiwdmbx.sys [1/10/2013 6:02 PM 83456]
S3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\drivers\swnc8ua3.sys [1/10/2013 6:02 PM 211712]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
yksvcs REG_MULTI_SZ   yksvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-11-16 03:44 1210320 ----a-w- c:\program files\Google\Chrome\Application\31.0.1650.57\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-11-24 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2013-11-23 23:32]
.
2013-11-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-06-21 00:21]
.
2013-11-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-06-21 00:21]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.google.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.0.0.138
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-11-25 07:50
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2412)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\SAMSUNG\MagicKBD\MagicKBD.exe
c:\program files\SAMSUNG\MagicKBD\PerformanceManager.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2013-11-25  07:54:35 - machine was rebooted
ComboFix-quarantined-files.txt  2013-11-24 21:54
ComboFix2.txt  2013-11-23 22:55
ComboFix3.txt  2013-11-05 06:53
.
Pre-Run: 60,454,453,248 bytes free
Post-Run: 60,362,903,552 bytes free
.
- - End Of File - - 5B4517CDD3F7C66838FBA6F1F28C6E7A
A0A345F7AB6F3BAC008FB0DE602E66CD
