Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

win32/Rovnix.gen!B and another virus


  • Please log in to reply
86 replies to this topic

#1 sweetcarolinesue

sweetcarolinesue

  • Members
  • 105 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wisconsin
  • Local time:08:58 PM

Posted 09 December 2013 - 08:35 AM

Good morning. I am trying to "fix" my parent's computer. They have some bad infections. Initial malwarebytes scan showed 69. I spoke to an IT person who recommended this site, I ran combofix and then re-enabled Microsoft Security Essentials which shows two viruses for sure. I read about the malwarebytes anti-root program which I am attempting to run now. I also ran the DDS log and it shows zero. Now I am beyond my element with how to proceed. My parents had a powered external hard drive attached and I transferred their pictures and documents to it but am hesitant to attach it to their new computer until I can determine if it is clean.

 

My Dad was a music teacher for 35 years so he has been in the process of transferring casette tapes to CDs and the software is on the old computer (I just bought them a new CPU). He would like to keep using the old one just for the music if possible.

 

Attached is the combofix log. Any assistance is appreciated.

Thank you, Carolyn



BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,936 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:58 PM

Posted 12 December 2013 - 09:48 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

I need to know what we are dealing with. Please run these tools and will take it from there.

Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
thisisujrt.gif Please download
Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
===

Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.

Download DDS by sUBs from one of the following links, if you no longer have it available. Save it to your desktop.

1: DDS.scr (Not recommended if you use Chrome to download this .scr file. Use the other options.)
2: DDS.pif
3: DDS.COM

Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for posting the results.
Please note: You may have to disable any script protection running if the scan fails to run.

dds_scr.gif

Please just paste the contents of the DDS.txt log in your next post. DO NOT attach the log.
===

Third party programs if not up to date can be the cause of infiltration an infection.

Please restart the computer before running this security check.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.
===

Please paste the logs in your next reply, DO NOT ATTACH THEM
Let me know what problem persists.

#3 sweetcarolinesue

sweetcarolinesue
  • Topic Starter

  • Members
  • 105 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wisconsin
  • Local time:08:58 PM

Posted 14 December 2013 - 07:30 AM

Thank you so much for your assistance.  Below are the results from the scans:

 

Adware:

# AdwCleaner v3.015 - Report created 12/12/2013 at 18:07:10
# Updated 10/12/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Administrator - HOME-F7XQOUACQA
# Running from : C:\Documents and Settings\Administrator\Desktop\adwcleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\apn
Folder Deleted : C:\Documents and Settings\All Users\Application Data\w3i
Folder Deleted : C:\Program Files\Ask.com
Folder Deleted : C:\WINDOWS\installer\{86d4b82a-abed-442a-be86-96357b70f4fe}
Folder Deleted : C:\Documents and Settings\Administrator\Local Settings\Application Data\AskToolbar
File Deleted : C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd
Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ApnUpdater]
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Deleted : HKCU\Software\APN
Key Deleted : HKCU\Software\Ask.com
Key Deleted : HKCU\Software\AskToolbar
Key Deleted : HKCU\Software\FLEXnet
Key Deleted : HKCU\Software\wecarereminder
Key Deleted : HKLM\Software\APN
Key Deleted : HKLM\Software\AskToolbar
Key Deleted : HKLM\Software\Freeze.com
Key Deleted : HKLM\Software\InstallIQ
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{79A765E1-C399-405B-85AF-466F52E918B0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0CFE535C35F99574E8340BFA75BF92C2
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0E12F736682067FDE4D1158D5940A82E
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1A24B5BB8521B03E0C8D908F5ABC0AE6
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\261F213D1F55267499B1F87D0CC3BCF7
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2B0D56C4F4C46D844A57FFED6F0D2852
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\49D4375FE41653242AEA4C969E4E65E0
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6AA0923513360135B272E8289C5F13FA
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F7467AF8F29C134CBBAB394ECCFDE96
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\741B4ADF27276464790022C965AB6DA8
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7DE196B10195F5647A2B21B761F3DE01
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\922525DCC5199162F8935747CA3D8E59
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9D4F5849367142E4685ED8C25E44C5ED
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A5875B04372C19545BEB90D4D606C472
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A876D9E80B896EC44A8620248CC79296
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B66FFAB725B92594C986DE826A867888
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BCDA179D619B91648538E3394CAC94CC
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D677B1A9671D4D4004F6F2A4469E86EA
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DD1402A9DD4215A43ABDE169A41AFA0E
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E36E114A0EAD2AD46B381D23AD69CDDF
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EF8E618DB3AEDFBB384561B5C548F65E
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\Software\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\Software\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\F928123A039649549966D4C29D35B1C9

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

*************************

AdwCleaner[R0].txt - [6823 octets] - [12/12/2013 15:21:45]
AdwCleaner[R1].txt - [6883 octets] - [12/12/2013 16:29:36]
AdwCleaner[S0].txt - [6940 octets] - [12/12/2013 18:07:10]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [7000 octets] ##########

 

JRT would not run, it gave me an error message something like (7X JRT zip not supported)

 

DDS log:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
.
==== Image File Execution Options =============
.
IFEO: Your Image File Name Here without a path - ntsd -d
.
==== Installed Programs ======================
.
.
==== End Of File ===========================
 

Security Check:

 Results of screen317's Security Check version 0.99.77 
   x86  
``````````````Antivirus/Firewall Check:``````````````
 Windows Security Center service is not running! This report may not be accurate!
Please wait while WMIC compiles updated MOF files.
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
````````Process Check: objlist.exe by Laurent```````` 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 3%
[b][u]````````````````````End of Log```````````

 

 

I had disabled Microsoft Secuirty Essentials and the firewall to run these programs. Some of the viruses are appearing as MP4 movies requesting to be downloaded. Sometimes a new screen will appear as a faux fullscreen website showing video clips of sorts seeming to entice i.e. girl filets 150 lb halibut in 7 minutes. However there isn't an address bar at the top or an x to close out so I do not ever click on anything. Eventually the screen disappears.

 

There were (3) MP4 mega-movie pop ups that appeared while trying to complete these steps. I did a print screen & saved if I need to post it later. It has taken me 2 days to get them done due to freezing up & SLOW processing of this computer.

 

Thank you for taking the time to review these logs and I will look for further instructions.


Edited by sweetcarolinesue, 14 December 2013 - 07:42 AM.


#4 sweetcarolinesue

sweetcarolinesue
  • Topic Starter

  • Members
  • 105 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wisconsin
  • Local time:08:58 PM

Posted 14 December 2013 - 08:21 AM

Another "movie" popped up as I was trying to edit the above post. They are MPEG-4 Mega Movie. I have re-enabled the firewall and microsoft security essentials.

 

 

MSE files had 2 items. Virus: win32/Rovnix.gen!B and Exploit: Java/CVE-2012-4681 listed as severe threats. I selected remove and am running MSE again. 

 

Their computer is Dell with Windows XP Professional 2002 SP 3, Intel ® Celeron ® CPU 1.70 GHz, 1.69 GHz, 512 MB of RAM. 

 

I do not have spec on the external HD as the CPU is not even showing it is connected. 

 

I don't believe I have any typographical errors but I'm sending this part from my "smart" phone because the other one deleted my post. Uff da!



#5 nasdaq

nasdaq

  • Malware Response Team
  • 38,936 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:58 PM

Posted 14 December 2013 - 11:26 AM


--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller+
==============

Please download ComboFix from one of these locations:
Link 1
Link 2
IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some Rookit infection may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
whatnext.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

I also need to see the content of the log from the DDS tool previously requested.

Please paste the logs in your next reply, DO NOT ATTACH THEM
Let me know what problem persists.

Edited by nasdaq, 14 December 2013 - 11:27 AM.


#6 sweetcarolinesue

sweetcarolinesue
  • Topic Starter

  • Members
  • 105 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wisconsin
  • Local time:08:58 PM

Posted 14 December 2013 - 05:37 PM

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/3/2010 11:45:01 PM
System Uptime: 12/14/2013 3:01:27 PM (0 hours ago)
.
Motherboard: Dell Computer Corporation |  | 07W080
Processor:                 Intel® Celeron® CPU 1.70GHz | Socket 478 | 1694/400mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 37 GiB total, 25.832 GiB free.
E: is CDROM ()
F: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1: 12/14/2013 3:03:22 PM - System Checkpoint
.
==== Image File Execution Options =============
.
IFEO: Your Image File Name Here without a path - ntsd -d
.
==== Installed Programs ======================
.
.
==== End Of File ===========================

 



#7 sweetcarolinesue

sweetcarolinesue
  • Topic Starter

  • Members
  • 105 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wisconsin
  • Local time:08:58 PM

Posted 14 December 2013 - 05:41 PM

RogueKiller V8.7.11 [Dec  3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Administrator [Admin rights]
Mode : Scan -- Date : 12/14/2013 10:57:54
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 5 ¤¤¤
[HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ][PUM] HKLM\[...]\SystemRestore : DisableSR (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1       localhost


RogueKiller V8.7.11 [Dec  3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Administrator [Admin rights]
Mode : Remove -- Date : 12/14/2013 11:07:08
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 5 ¤¤¤
[HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
[HJ][PUM] HKLM\[...]\SystemRestore : DisableSR (1) -> REPLACED (0)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1       localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ( @ )  +++++
--- User ---
[MBR] aa93efdffb894ec25a5a935001187d21
[BSP] 6a91a4de6106f398edc1d449d4e587bc : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 38162 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_D_12142013_110708.txt >>
RKreport[0]_S_12142013_105754.txt

 



#8 sweetcarolinesue

sweetcarolinesue
  • Topic Starter

  • Members
  • 105 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wisconsin
  • Local time:08:58 PM

Posted 14 December 2013 - 05:42 PM

ComboFix 13-12-13.01 - Administrator 12/14/2013  15:59:10.6.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.510.319 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
(((((((((((((((((((((((((   Files Created from 2013-11-14 to 2013-12-14  )))))))))))))))))))))))))))))))
.
.
2013-12-14 13:05 . 2013-12-14 21:03 62576 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E69398F4-F639-43DF-8752-49E813FE2D53}\offreg.dll
2013-12-14 13:04 . 2013-12-14 13:04 40392 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E69398F4-F639-43DF-8752-49E813FE2D53}\MpKsle7bd9f59.sys
2013-12-14 12:44 . 2013-11-07 23:15 7772552 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E69398F4-F639-43DF-8752-49E813FE2D53}\mpengine.dll
2013-12-12 21:21 . 2013-12-14 03:06 -------- d-----w- C:\AdwCleaner
2013-12-09 12:35 . 2013-12-10 22:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-12-09 00:17 . 2013-11-07 23:15 7772552 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-12-08 01:47 . 2013-12-08 01:47 -------- d--h--w- c:\windows\system32\GroupPolicy
2013-11-30 23:32 . 2013-11-30 23:32 -------- d-----w- C:\Malwarebytes
2013-11-28 16:16 . 2013-11-28 16:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2013-11-28 16:14 . 2013-11-28 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-11-19 10:21 . 2010-12-04 19:23 230048 ------w- c:\windows\system32\MpSigStub.exe
2013-11-13 02:59 . 2001-08-23 12:00 150528 ----a-w- c:\windows\system32\imagehlp.dll
2013-11-07 05:38 . 2001-08-23 12:00 591360 ----a-w- c:\windows\system32\rpcrt4.dll
2013-11-06 01:03 . 2010-12-06 03:48 7168 ----a-w- c:\windows\system32\xpsp4res.dll
2013-10-30 02:26 . 2001-08-23 12:00 1879040 ----a-w- c:\windows\system32\win32k.sys
2013-10-29 07:57 . 2001-08-23 12:00 920064 ----a-w- c:\windows\system32\wininet.dll
2013-10-29 07:57 . 2001-08-23 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-10-29 07:57 . 2001-08-23 12:00 18944 ----a-w- c:\windows\system32\corpol.dll
2013-10-29 07:57 . 2001-08-23 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-10-29 00:45 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2013-10-23 23:45 . 2001-08-23 12:00 172032 ----a-w- c:\windows\system32\scrrun.dll
2013-10-12 15:56 . 2001-08-23 12:00 278528 ----a-w- c:\windows\system32\oakley.dll
2013-10-09 13:12 . 2001-08-23 12:00 287744 ----a-w- c:\windows\system32\gdi32.dll
2013-10-07 10:59 . 2001-08-23 12:00 603136 ----a-w- c:\windows\system32\crypt32.dll
2013-09-27 15:53 . 2013-09-27 15:53 214696 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-05-06 18:42 . 2012-05-06 18:42 38808920 ----a-w- c:\program files\FileFormatConverters.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2002-06-20 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2002-06-20 114688]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 679936]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-06-25 1629480]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-06-25 1057064]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-10-23 948440]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ExpressServices 2000.lnk - c:\program files\Day-Timer Organizer SHARP Edition\user\xserv2k.exe [2011-6-28 48659]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE -b -l [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R1 MpKsle7bd9f59;MpKsle7bd9f59;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E69398F4-F639-43DF-8752-49E813FE2D53}\MpKsle7bd9f59.sys [12/14/2013 7:04 AM 40392]
S0 joxbmqn;joxbmqn;c:\windows\system32\drivers\gornny.sys --> c:\windows\system32\drivers\gornny.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ    Pml Driver HPZ12 Net Driver HPZ12
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-23 23:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.1.254
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-12-14 16:18
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-823518204-1292428093-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a5,c5,c8,12,a7,9c,5f,4d,b8,90,cb,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c7,c3,62,91,53,da,84,48,ac,ee,2e,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a5,c5,c8,12,a7,9c,5f,4d,b8,90,cb,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a5,c5,c8,12,a7,9c,5f,4d,b8,90,cb,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a5,c5,c8,12,a7,9c,5f,4d,b8,90,cb,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(704)
c:\windows\system32\l3codecx.acm
.
- - - - - - - > 'explorer.exe'(2688)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\jscript.dll
c:\windows\system32\ImgUtil.dll
c:\windows\system32\pngfilt.dll
c:\windows\system32\Dxtrans.dll
c:\windows\system32\Dxtmsft.dll
.
- - - - - - - > 'explorer.exe'(1536)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
.
- - - - - - - > 'explorer.exe'(2748)
c:\windows\system32\WININET.dll
.
Completion time: 2013-12-14  16:25:35
ComboFix-quarantined-files.txt  2013-12-14 22:25
.
Pre-Run: 27,756,343,296 bytes free
Post-Run: 27,812,450,304 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - A02BEFF42A015F413D54E138D53605D0
8F558EB6672622401DA993E1E865C861
 



#9 sweetcarolinesue

sweetcarolinesue
  • Topic Starter

  • Members
  • 105 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wisconsin
  • Local time:08:58 PM

Posted 14 December 2013 - 05:56 PM

I'm sorry but I wasn't able to post any comments until now from my phone. I was able to copy & paste the logs.I got a message informing me I was leaving a secure Internet connectionand asking if I wanted to continue. I have never gotten that message before.

 

 

thank you again for your assistance



#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,936 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:58 PM

Posted 15 December 2013 - 09:36 AM

Open notepad and copy/paste the text in the quote box below into it:
 
Driver::
joxbmqn

ClearJavaCache::

Save this as CFScript.txt on your desktop.

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Let me know what problem persists with this computer.
==================================
 

.I got a message informing me I was leaving a secure Internet connectionand asking if I wanted to continue.

This is an option in Internet explorer.

Open the Tools > insternet Options > Advanced tab
Under Secutiry section
Remove the check mark on "Warn if changing between Secure and not Secure mode"

Click the apply button is required.

===

#11 sweetcarolinesue

sweetcarolinesue
  • Topic Starter

  • Members
  • 105 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wisconsin
  • Local time:08:58 PM

Posted 16 December 2013 - 09:12 AM

now I have a different problem. For some reason  The mouse stopped working and I cannot get another mouse to work.none of the USB ports seem to be operational. Using function keys I can get to the website and this Post but I cannot type & I don't know how to get program without clicking on it. I've tried 3 other mice which all work on other computers. I am typing this from my phone



#12 nasdaq

nasdaq

  • Malware Response Team
  • 38,936 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:58 PM

Posted 16 December 2013 - 10:19 AM

Does if work in Safe Mode?
  • Restart your computer in Safe Mode, start pressing the F8 key on your keyboard. On a computer that is configured for booting to multiple operating systems, you can press the F8 key when you see the Boot Menu.
  • When the Windows Advanced Options menu appears, select an option, and then press ENTER.
  • When the Boot menu appears again, and the words "Safe Mode" appear in blue at the bottom, select the installation that you want to start, and then press ENTER.


#13 sweetcarolinesue

sweetcarolinesue
  • Topic Starter

  • Members
  • 105 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wisconsin
  • Local time:08:58 PM

Posted 16 December 2013 - 11:32 AM

I tried booting in safe mode, switching mouse plug to all available ISB ports but the computer isnt reading any of them. Normally it isnt necessary to install software when using new/different mouse but I do have a disc I could try if it will read it. The only drives appearing are none of USB. It is configured to Z if that means anything. Somehow the Drives are not booting. I can try restarting again in both regular and safe mode. At 



#14 nasdaq

nasdaq

  • Malware Response Team
  • 38,936 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:58 PM

Posted 16 December 2013 - 01:21 PM

You may be able to restore you computer to a date prior to your current problems.

How to on this page.
http://support.microsoft.com/kb/304449

Keep me posted.

#15 sweetcarolinesue

sweetcarolinesue
  • Topic Starter

  • Members
  • 105 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wisconsin
  • Local time:08:58 PM

Posted 18 December 2013 - 07:21 PM

I finally got it to work. Even tho the box is unselected for leaving secure site notification, the message still came up. The computer is operating very very slow so I apologize it has taken a couple days.

 

Here is the lot from the combofix with CFScript:

 

 

ComboFix 13-12-17.02 - Administrator 12/18/2013   8:28.7.1 - x86
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_joxbmqn
.
.
(((((((((((((((((((((((((   Files Created from 2013-11-18 to 2013-12-18  )))))))))))))))))))))))))))))))
.
.
2013-12-18 14:52 . 2013-12-18 14:52 62576 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{16DA0EE5-B512-4CDE-8DEE-BC970EC41B72}\offreg.dll
2013-12-18 13:42 . 2013-12-04 02:57 7760024 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{16DA0EE5-B512-4CDE-8DEE-BC970EC41B72}\mpengine.dll
2013-12-18 04:33 . 2013-11-07 23:15 7772552 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-12-12 21:21 . 2013-12-14 03:06 -------- d-----w- C:\AdwCleaner
2013-12-09 12:35 . 2013-12-10 22:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-12-08 01:47 . 2013-12-08 01:47 -------- d--h--w- c:\windows\system32\GroupPolicy
2013-11-30 23:32 . 2013-11-30 23:32 -------- d-----w- C:\Malwarebytes
2013-11-28 16:16 . 2013-11-28 16:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2013-11-28 16:14 . 2013-11-28 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-11-19 10:21 . 2010-12-04 19:23 230048 ------w- c:\windows\system32\MpSigStub.exe
2013-11-13 02:59 . 2001-08-23 12:00 150528 ----a-w- c:\windows\system32\imagehlp.dll
2013-11-07 05:38 . 2001-08-23 12:00 591360 ----a-w- c:\windows\system32\rpcrt4.dll
2013-11-06 01:03 . 2010-12-06 03:48 7168 ----a-w- c:\windows\system32\xpsp4res.dll
2013-10-30 02:26 . 2001-08-23 12:00 1879040 ----a-w- c:\windows\system32\win32k.sys
2013-10-29 07:57 . 2001-08-23 12:00 920064 ----a-w- c:\windows\system32\wininet.dll
2013-10-29 07:57 . 2001-08-23 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-10-29 07:57 . 2001-08-23 12:00 18944 ----a-w- c:\windows\system32\corpol.dll
2013-10-29 07:57 . 2001-08-23 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-10-29 00:45 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2013-10-23 23:45 . 2001-08-23 12:00 172032 ----a-w- c:\windows\system32\scrrun.dll
2013-10-12 15:56 . 2001-08-23 12:00 278528 ----a-w- c:\windows\system32\oakley.dll
2013-10-09 13:12 . 2001-08-23 12:00 287744 ----a-w- c:\windows\system32\gdi32.dll
2013-10-07 10:59 . 2001-08-23 12:00 603136 ----a-w- c:\windows\system32\crypt32.dll
2013-09-27 15:53 . 2013-09-27 15:53 214696 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-05-06 18:42 . 2012-05-06 18:42 38808920 ----a-w- c:\program files\FileFormatConverters.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2002-06-20 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2002-06-20 114688]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 679936]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-06-25 1629480]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-06-25 1057064]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-10-23 948440]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ExpressServices 2000.lnk - c:\program files\Day-Timer Organizer SHARP Edition\user\xserv2k.exe [2011-6-28 48659]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE -b -l [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ    Pml Driver HPZ12 Net Driver HPZ12
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-23 23:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.1.254
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-12-18 15:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-823518204-1292428093-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a5,c5,c8,12,a7,9c,5f,4d,b8,90,cb,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c7,c3,62,91,53,da,84,48,ac,ee,2e,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a5,c5,c8,12,a7,9c,5f,4d,b8,90,cb,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a5,c5,c8,12,a7,9c,5f,4d,b8,90,cb,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a5,c5,c8,12,a7,9c,5f,4d,b8,90,cb,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\l3codecx.acm
.
- - - - - - - > 'explorer.exe'(1676)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\BCMSMMSG.exe
.
**************************************************************************
.
Completion time: 2013-12-18  16:10:24 - machine was rebooted
ComboFix-quarantined-files.txt  2013-12-18 22:10
ComboFix2.txt  2013-12-14 22:25
.
Pre-Run: 27,356,991,488 bytes free
Post-Run: 27,480,113,152 bytes free
.
- - End Of File - - C06A1403F5D0E55A15C566DDB6330B50
8F558EB6672622401DA993E1E865C861
 


Edited by sweetcarolinesue, 18 December 2013 - 07:22 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users