
Help with Reading Scan Results


6 replies to this topic

#1 Heidi42

  • Members

Posted 20 November 2013 - 04:10 PM

I'm trying to fix a computer for a friend, and she does not have a lot of computer security sense, so it was infected with lots of malware, including a Trojan.0Access rootkit. I ran a full Avast scan multiple times, Malwarebytes Anti-Malware, Malwarebytes Anti-Rootkit, Kaspersky TDSSKiller, and finally ComboFix. I want to avoid completely wiping the hard disk clean because she does not have the Windows XP recovery disc anymore. I need some help trying to read the ComboFix results log, which I will copy and paste here. I think it quarantined the MBR file, which didn't look good. I want to learn how to look for key things in this log for when I fix other computers. I know that you shouldn't use it unless told to do so, but I did everything else I could except re-install Windows. This computer was in pretty poor shape and she didn't want to buy a new one because it's only used for (free) online games. I assume that this is where most of the problems came from. Did it completely get rid of the rootkit based on the results? I have pasted the ComboFix log, ComboFix quarantined files log, and Malwarebytes Anti-Rootkit results. Thanks.
 
Malwarebytes Anti-rootkit
 
Database version: v2013.10.02.12
 
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: USER-AA2A7F0BE0 [administrator]
 
11/18/2013 6:00:43 PM
mbar-log-2013-11-18 (18-00-43).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 234742
Time elapsed: 13 minute(s), 10 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 14
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Desktop\Install\{28339ff9-3059-6822-1351-338e2adac0ba}\❤≸⋙ (Trojan.0Access) -> Delete on reboot.
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Desktop\Install\{28339ff9-3059-6822-1351-338e2adac0ba}\❤≸⋙\Ⱒ☠⍨ (Trojan.0Access) -> Delete on reboot.
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Desktop\Install\{28339ff9-3059-6822-1351-338e2adac0ba}\❤≸⋙\Ⱒ☠⍨\ﯹ๛ (Trojan.0Access) -> Delete on reboot.
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Desktop\Install\{28339ff9-3059-6822-1351-338e2adac0ba}\❤≸⋙\Ⱒ☠⍨\ﯹ๛\{28339ff9-3059-6822-1351-338e2adac0ba} (Trojan.0Access) -> Delete on reboot.
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Desktop\Install\{28339ff9-3059-6822-1351-338e2adac0ba}\❤≸⋙\Ⱒ☠⍨\ﯹ๛\{28339ff9-3059-6822-1351-338e2adac0ba}\L (Trojan.0Access) -> Delete on reboot.
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Desktop\Install\{28339ff9-3059-6822-1351-338e2adac0ba}\❤≸⋙\Ⱒ☠⍨\ﯹ๛\{28339ff9-3059-6822-1351-338e2adac0ba}\U (Trojan.0Access) -> Delete on reboot.
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Desktop\Install\{28339ff9-3059-6822-1351-338e2adac0ba} (Trojan.0Access) -> Delete on reboot.
c:\program files\google\desktop\install\{28339ff9-3059-6822-1351-338e2adac0ba}\    (Trojan.0Access) -> Delete on reboot.
c:\program files\google\desktop\install\{28339ff9-3059-6822-1351-338e2adac0ba}\   \    (Trojan.0Access) -> Delete on reboot.
c:\program files\google\desktop\install\{28339ff9-3059-6822-1351-338e2adac0ba}\   \   \ﯹ๛ (Trojan.0Access) -> Delete on reboot.
c:\program files\google\desktop\install\{28339ff9-3059-6822-1351-338e2adac0ba}\   \   \ﯹ๛\{28339ff9-3059-6822-1351-338e2adac0ba} (Trojan.0Access) -> Delete on reboot.
c:\program files\google\desktop\install\{28339ff9-3059-6822-1351-338e2adac0ba}\   \   \ﯹ๛\{28339ff9-3059-6822-1351-338e2adac0ba}\l (Trojan.0Access) -> Delete on reboot.
c:\program files\google\desktop\install\{28339ff9-3059-6822-1351-338e2adac0ba}\   \   \ﯹ๛\{28339ff9-3059-6822-1351-338e2adac0ba}\u (Trojan.0Access) -> Delete on reboot.
C:\Program Files\Google\Desktop\Install\{28339ff9-3059-6822-1351-338e2adac0ba} (Trojan.0Access) -> Delete on reboot.
 
Files Detected: 5
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Desktop\Install\{28339ff9-3059-6822-1351-338e2adac0ba}\❤≸⋙\Ⱒ☠⍨\ﯹ๛\{28339ff9-3059-6822-1351-338e2adac0ba}\@ (Trojan.0Access) -> Delete on reboot.
c:\program files\google\desktop\install\{28339ff9-3059-6822-1351-338e2adac0ba}\   \   \ﯹ๛\{28339ff9-3059-6822-1351-338e2adac0ba}\@ (Trojan.0Access) -> Delete on reboot.
c:\program files\google\desktop\install\{28339ff9-3059-6822-1351-338e2adac0ba}\   \   \ﯹ๛\{28339ff9-3059-6822-1351-338e2adac0ba}\l\00000004.@ (Trojan.0Access) -> Delete on reboot.
c:\program files\google\desktop\install\{28339ff9-3059-6822-1351-338e2adac0ba}\   \   \ﯹ๛\{28339ff9-3059-6822-1351-338e2adac0ba}\l\76603ac3 (Trojan.0Access) -> Delete on reboot.
c:\program files\google\desktop\install\{28339ff9-3059-6822-1351-338e2adac0ba}\   \   \ﯹ๛\{28339ff9-3059-6822-1351-338e2adac0ba}\u\00000008.@ (Trojan.0Access) -> Delete on reboot.
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
 
Combofix Quarantined Files
 

2013-11-20 00:03:11 . 2013-11-20 00:03:11              654 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-SunJavaUpdateSched.reg.dat
2013-11-20 00:03:11 . 2013-11-20 00:03:11              668 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-SearchEngineProtection.reg.dat
2013-11-20 00:03:11 . 2013-11-20 00:03:11              618 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-RDReminder.reg.dat
2013-11-20 00:03:11 . 2013-11-20 00:03:11              686 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-GamingWonderland Search Scope Monitor.reg.dat
2013-11-20 00:03:11 . 2013-11-20 00:03:11              654 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-GamingWonderland Browser Plugin Loader.reg.dat
2013-11-20 00:03:11 . 2013-11-20 00:03:11              782 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Facebook Update.reg.dat
2013-11-20 00:03:11 . 2013-11-20 00:03:11              632 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Exetender.reg.dat
2013-11-20 00:03:11 . 2013-11-20 00:03:11              646 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-DW7.reg.dat
2013-11-20 00:03:11 . 2013-11-20 00:03:11              636 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Adobe ARM.reg.dat
2013-11-20 00:03:11 . 2013-11-20 00:03:11              558 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\SafeBoot-18384548.sys.reg.dat
2013-11-20 00:03:10 . 2013-11-20 00:03:10              618 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Notify-SDWinLogon.reg.dat
2013-11-20 00:03:04 . 2013-11-20 00:03:04              572 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\BHO-{f05ad658-0f9f-4bca-9c4a-cfd43ff53d77}.reg.dat
2013-11-19 23:31:48 . 2013-11-20 01:35:44              512 ----a-w-  C:\Qoobox\Quarantine\MBR_HardDisk0.mbr
2013-10-06 04:12:00 . 2013-10-12 16:23:35            4,096 ----a-w-  C:\Qoobox\Quarantine\C\Documents and Settings\Osie\Local Settings\Application Data.LOG.vir
2013-10-06 04:11:59 . 2013-10-12 16:23:35            4,096 ----a-w-  C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Local Settings\Application Data.LOG.vir
2013-10-06 04:11:59 . 2013-10-12 16:23:35            4,096 ----a-w-  C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data.LOG.vir
2013-05-20 21:28:12 . 2013-05-20 21:28:13              235 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\wininit.ini.vir
2013-05-20 15:46:14 . 2013-05-20 15:46:01              630 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\272512937d9e61a4.fb.vir
2013-05-20 15:46:14 . 2013-05-20 15:46:01              639 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\590ba23ce359fd0c.fb.vir
2013-05-20 15:46:14 . 2013-05-20 15:46:01              627 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\651c5d3cdbfb8bd1.fb.vir
2013-05-20 15:46:14 . 2013-05-20 15:46:01              398 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\6c59ac5e7e7a3ad0.fb.vir
2013-05-20 15:46:14 . 2013-05-20 15:46:01              663 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\c1fa887b03019701.fb.vir
2013-05-20 15:46:14 . 2013-05-20 15:46:01              586 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\c4d28dca2e7648be.fb.vir
2013-05-20 15:46:14 . 2013-05-20 15:46:01            1,045 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\d201ef9910cd39de.fb.vir
2013-05-20 15:46:14 . 2013-05-20 15:46:01              661 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\32c84fe32bb74d60.fb.vir
2013-05-20 15:46:14 . 2013-05-20 15:46:01              668 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\6d03dad1035885d3.fb.vir
2013-05-20 15:46:14 . 2013-05-20 15:46:01              366 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\ad10a52aff5e038d.fb.vir
2013-05-20 15:46:14 . 2013-05-20 15:46:01            1,071 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\f998975c9cc711ee.fb.vir
2013-05-20 15:46:14 . 2013-05-20 15:46:01              636 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\26c630d098e22dd5.fb.vir
2013-05-20 15:46:14 . 2013-05-20 15:46:01              622 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\287204568329e189.fb.vir
2013-05-20 15:46:14 . 2013-05-20 15:46:01              628 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\31a0997e9a5b5eb3.fb.vir
2013-05-20 15:46:14 . 2013-05-20 15:46:01              365 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\610289e025a3ee9a.fb.vir
2013-05-20 15:46:14 . 2013-05-20 15:46:01              577 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\95f567698be8a182.fb.vir
2013-05-20 15:46:14 . 2013-05-20 15:46:01            1,291 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\28bc8f716fd76a47.fb.vir
2013-05-20 15:46:14 . 2013-05-20 15:46:01            1,022 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\3917078cb68ec657.fb.vir
2013-05-20 15:46:14 . 2013-05-20 15:46:01              567 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\d2e94710a5708128.fb.vir
2013-05-20 15:46:14 . 2013-05-20 15:46:01              627 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\d79b9dfe81484ec4.fb.vir
2013-05-20 15:46:14 . 2013-05-20 15:46:01           11,064 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\cd01fa389a8ca85a.fb.vir
2013-05-20 15:37:27 . 2013-11-20 01:38:40            7,692 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2013-05-20 13:09:00 . 2013-11-20 01:34:30              255 ----a-w-  C:\Qoobox\Quarantine\catchme.log
2008-04-14 12:00:00 . 2008-04-14 05:10:32           96,512 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir
2005-04-21 14:59:06 . 2005-04-21 14:59:06          131,072 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\popcaploader.dll.vir
 
Combofix Log
 

ComboFix 13-11-18.01 - Administrator 11/19/2013  17:31:49.2.2 - x86 MINIMAL
Running from: c:\security tools\ComboFix.exe
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Osie\Local Settings\Application Data.LOG
c:\documents and settings\Owner\Local Settings\Application Data.LOG
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\system32\Cache
c:\windows\system32\Cache\26c630d098e22dd5.fb
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\31a0997e9a5b5eb3.fb
c:\windows\system32\Cache\32c84fe32bb74d60.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\6d03dad1035885d3.fb
c:\windows\system32\Cache\95f567698be8a182.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\c1fa887b03019701.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\cd01fa389a8ca85a.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\f998975c9cc711ee.fb
c:\windows\wininit.ini
.
Infected copy of c:\windows\system32\Drivers\atapi.sys was found and disinfected 
Restored copy from - c:\windows\erdnt\cache\atapi.sys 
.
.
(((((((((((((((((((((((((   Files Created from 2013-10-20 to 2013-11-20  )))))))))))))))))))))))))))))))
.
.
2013-11-19 03:19 . 2013-11-19 03:20 -------- d-----w- C:\AdwCleaner
2013-11-19 03:18 . 2013-11-19 03:18 -------- d-----w- c:\program files\FileASSASSIN
2013-11-19 02:16 . 2013-09-20 16:49 18968 ----a-w- c:\windows\system32\sdnclean.exe
2013-11-19 02:16 . 2013-11-19 02:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2013-11-19 02:16 . 2013-11-19 02:17 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2013-11-19 02:09 . 2013-11-19 23:27 -------- d-----w- C:\Security Tools
2013-11-19 00:00 . 2013-11-19 01:00 105176 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2013-11-19 00:00 . 2013-11-19 01:00 47064 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2013-11-18 23:58 . 2013-11-18 18:42 3386520 ----a-w- C:\avg_remover_stf_x86_2014_4116.exe
2013-11-15 03:58 . 2013-11-15 03:58 -------- d-----w- c:\documents and settings\Owner\Application Data\AVAST Software
2013-11-15 03:29 . 2013-11-15 03:29 57672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2013-11-15 03:29 . 2013-11-15 03:29 49944 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-11-15 03:29 . 2013-11-15 03:29 403440 ----a-w- c:\windows\system32\drivers\aswSP.sys
2013-11-15 03:29 . 2013-11-15 03:29 178304 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-11-15 03:29 . 2013-11-15 03:29 774392 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-11-15 03:29 . 2013-11-15 03:29 70384 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-11-15 03:29 . 2013-11-15 03:29 54832 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2013-11-15 03:29 . 2013-11-15 03:29 35656 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2013-11-15 03:29 . 2013-11-15 03:29 269216 ----a-w- c:\windows\system32\aswBoot.exe
2013-11-15 03:29 . 2013-11-15 03:29 43152 ----a-w- c:\windows\avastSS.scr
2013-11-15 03:28 . 2013-11-15 03:28 -------- d-----w- c:\program files\AVAST Software
2013-11-14 23:22 . 2013-11-14 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2013-11-14 22:36 . 2013-04-04 20:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-11-14 22:36 . 2013-11-14 22:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-11-14 04:21 . 2013-11-19 03:20 -------- d-----w- c:\documents and settings\Administrator
2013-11-13 04:17 . 2013-11-13 04:17 0 ----a-w- c:\windows\system32\TempWmicBatchFile.bat
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-20 18:53 . 2013-05-20 18:53 434 ----a-w- c:\program files\0520201313531375.bat
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-05-26 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-11-15 03:29 321752 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-10-27 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-10-27 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-10-27 131072]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2013-08-12 295512]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2013-11-15 3568312]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2013-07-25 5624784]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ   autocheck autochk *\0\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ   msv1_0 nwprovau
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2011-10-27 20:14 18082304 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
.
R2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [2013-09-13 171416]
R3 RTL8192u;Realtek RTL8192U Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8192u.sys [2008-09-12 443776]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
S0 aswRvrt;avast! Revert; [x]
S0 aswVmm;avast! VM Monitor; [x]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2013-11-15 774392]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2013-11-15 403440]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2013-11-15 35656]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-11-15 70384]
S2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe [2013-04-16 39056]
S2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [2013-10-15 3921880]
S2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [2013-09-20 1042272]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - POLICYAGENT
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-10-17 10:57 1185744 ----a-w- c:\program files\Google\Chrome\Application\30.0.1599.101\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-11-20 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2013-11-15 03:29]
.
2013-11-20 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2013-11-19 16:57]
.
2013-11-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-04-06 15:25]
.
2013-11-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-04-06 15:25]
.
2013-11-20 c:\windows\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-1214440339-838170752-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-04-16 17:45]
.
2013-11-13 c:\windows\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-1214440339-838170752-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-04-16 17:45]
.
2013-11-19 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2013-11-19 16:49]
.
2013-11-19 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDScan.exe [2013-11-19 16:51]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.google.com
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{f05ad658-0f9f-4bca-9c4a-cfd43ff53d77} - (no file)
Notify-SDWinLogon - SDWinLogon.dll
SafeBoot-18384548.sys
MSConfigStartUp-Adobe ARM - c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
MSConfigStartUp-DW7 - c:\program files\The Weather Channel\The Weather Channel App\TWCApp.exe
MSConfigStartUp-Exetender - c:\program files\Free Ride Games\GPlayer.exe
MSConfigStartUp-Facebook Update - c:\documents and settings\Owner\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe
MSConfigStartUp-GamingWonderland Browser Plugin Loader - c:\progra~1\GAMING~2\bar\1.bin\gtbrmon.exe
MSConfigStartUp-GamingWonderland Search Scope Monitor - c:\progra~1\GAMING~2\bar\1.bin\gtsrchmn.exe
MSConfigStartUp-RDReminder - c:\program files\RegClean Pro\RegCleanPro.exe
MSConfigStartUp-SearchEngineProtection - c:\program files\Gamesbar\SearchEngineProtection.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-11-19 18:01
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2544)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2013-11-19  18:03:37 - machine was rebooted
ComboFix-quarantined-files.txt  2013-11-20 00:03
.
Pre-Run: 98,262,089,728 bytes free
Post-Run: 98,796,171,264 bytes free
.
- - End Of File - - 7BCDCFA9182C01E3A8F9B38377578BE5
8F558EB6672622401DA993E1E865C861

Edit: Moved topic from Windows XP to the more appropriate forum. ~ Animal


#2 nasdaq

  • Malware Response Team

Posted 25 November 2013 - 10:58 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
===

Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.

Download DDS by sUBs from one of the following links, if you no longer have it available. Save it to your desktop.

1: DDS.scr (Not recommended if you use Chrome to download this .scr file. Use the other options.)
2: DDS.pif
3: DDS.COM

Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for posting the results.
Please note: You may have to disable any script protection running if the scan fails to run.


Please just paste the contents of the DDS.txt log in your next post. DO NOT attach the log.
===

Third-party programs, if not up to date, can be the cause of infiltration by an infection.

Please restart the computer before running this security check.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.
===

Please paste the logs in your next reply; DO NOT ATTACH THEM.
Let me know what problem persists.

#3 Heidi42

  • Topic Starter
  • Members

Posted 25 November 2013 - 02:44 PM

I've already run AdwCleaner, Junkware Removal Tool, and Security Check. I believe this PC had the ZeroAccess trojan, but now scans find nothing to report. Could it be gone now?

#4 nasdaq

  • Malware Response Team

Posted 26 November 2013 - 08:05 AM

Let's just check further.

--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32-bit or RogueKiller for 64-bit
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then click on the "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller
==============

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

#5 nasdaq

  • Malware Response Team

Posted 02 December 2013 - 09:18 AM

Are you still with me?

#6 Heidi42

  • Topic Starter
  • Members

Posted 02 December 2013 - 10:40 PM

I'm still here, but I think I've got this problem solved already. I do have another question though, so I will put it here to see what you think. I have a problem with a friend's Windows 7 PC that will not allow me to download the avast! free edition. It keeps saying that the download contained a virus and was deleted. Also, I am not able to do anything with Windows Firewall (I don't even know if it is on or not). It says that the recommended settings are not on but will not allow me to do anything about it. I also cannot open some folders, such as the Documents and Settings folder. I suspect that there is some kind of malware controlling these things, but I have not yet run any scans. What would you recommend doing first?



#7 nasdaq

  • Malware Response Team

Posted 03 December 2013 - 09:15 AM

We do not service two computers in a topic.

Run the tools I suggested in my post No 2.

But before you run them download and run this one first.

--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32-bit or RogueKiller for 64-bit
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then click on the "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller
==============

Start a new topic and include the logs.

In your next reply give me the URL and I will review it.
Do not include the logs here.
