
Maybe Bloodhound.MalPE; DC COM Server Process Launcher service terminated unexpec


  • This topic is locked
33 replies to this topic

#1 amgesq

amgesq

  • Members
  • 32 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:41 PM

Posted 17 January 2014 - 12:14 AM

I posted originally in the Am I Infected Forum here:  http://www.bleepingcomputer.com/forums/t/520474/system-being-shutdown-by-ntauthoritysystem/.

 

The original was a long post.  I received a response, and was asked to run TDSSKiller.  It found nothing, and the helper then instructed me to follow the Preparation Guide from step 6 and start a new topic in this forum.  Although it will make this post longer, since it will keep all the info in one place, I will cut and paste my original post now:

 

"Hello.  At the suggestion of my sister, a regular bleepingcomputer user, I am asking for some help.  Not sure if I am infected or if my 10yo computer is finally developing a glitch.  Been trying to solve this for a week.  Here’s my story; please excuse the length, but I want to explain not only the problem but also what I have done to try to fix it.

 

Computer is a Dell Dimension 4600; OS is Windows XP Professional; antivirus software is Norton Internet Security (although my subscription is up in a couple weeks and I will not be using it going forward, although I haven’t yet uninstalled it).

 

Last week as I was on my computer connected to the internet (I think I was on facebook, but it may have been another site), I got the following message on my screen in a separate box titled System Shutdown.  “This system is shutting down.  Please save all work in progress and log off.  Any unsaved changes will be lost.  This shutdown was initiated by NTAUTHORITY\SYSTEM.  Time before shutdown [varies between 30 seconds or 60 seconds].”  Then the box has a “Message” which reads:  “Windows must now restart because the DC COM Server Process Launcher service terminated unexpectedly.”

 

The system restarted and I figured it was a one time glitch.  However I got the message again and it shut down again after a time.  I am one of those persons who has Windows Task Manager open all the time so I can monitor what’s going on (even if I don't understand what a lot of the processes are), and discovered that one of the svchost.exe processes seems to be the problem.  I noted that it used an ever-increasing amount of my CPU and memory.  When I terminated that process, I got the same System Shutdown message.

 

I tried a system restore to several prior dates (going as far back as a month) and couldn’t restore.  (This has been the case on other occasions; system restore almost never works for me).  Norton hadn’t found anything except tracking cookies in a long time.  During my attempts to figure out what was the problem, I discovered the problem only happens when I am connected to the internet.  While the problematic svchost.exe pops up on every restart, if I am not connected to the internet it doesn’t cause problems and use up CPU and memory.  As soon as I connect, then it goes up and eventually I get the system shutdown message and it restarts.  (I now connect and disconnect by unplugging my DSL line from my modem.)

 

So I contacted my sister, who has had success fixing her and others' computers.  She suggested I download Malwarebytes (MWBytes) and Microsoft Security Essentials (MSE).  She also said to turn off Norton, as it may interfere with the other 2 programs.  I couldn’t DL from my computer b/c my settings prevent most exe files from being downloaded.  (I have tried several changes to my settings to fix this and been unable to do so.  This is not a new issue.)  So I went to the public library and DL’d them onto a flash drive.  I installed MWBytes, and ran quick and full scans, both before updating and after connecting to the internet and updating.  Not much was found.  I can post those logs if you’d like.  The first attempt at installing MSE didn’t work b/c it wasn’t a 32-bit program.  When I found the right one, I ran scans; it, too, didn’t find anything.  I also set up MSE to be my virus protection instead of Norton.

 

My Norton was set up to run a full system scan every night at 3:00am.  I forgot to stop this and on Jan 5, got a message that Norton had found Bloodhound.MalPE.  I quarantined it.  But the problem wasn’t solved.

 

Since shortly after discovering the problem, I have not used my home computer to visit any financial sites or any other sites that require a log-in.  This includes my yahoo email.  I have been doing these things from the library.  I will check bleepingcomputer from my home computer.

 

Any help would be welcome.

 

Andy"

 

Here is the DDS .txt log

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Administrator at 22:42:41 on 2014-01-16
.
============== Running Processes ================
.
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe
C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\RealNetworks\RealDownloader\recordingmanager.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://us.mg205.mail.yahoo.com/neo/b/launch?fid=Inbox&order=down&tt=327&pSize=50&.rand=1285186620
BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users\application data\realnetworks\realdownloader\browserplugins\ie\rndlbrowserrecordplugin.dll
BHO: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton internet security\engine\16.8.3.6\CoIEPlg.dll
BHO: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton internet security\engine\16.8.3.6\IPSBHO.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton internet security\engine\16.8.3.6\CoIEPlg.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton internet security\engine\16.8.3.6\CoIEPlg.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Internet Security] c:\documents and settings\all users\application data\avsecurity.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini"
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe"  -osboot
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\billmi~1.lnk - c:\quickenw\BILLMIND.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\quickenw\QWDLLS.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: malwarebytes.com
Trusted Zone: sourceforge.net
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1360519840765
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.8.3.6\CoIEPlg.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2014-01-17 04:21:11 40392 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ba114ee4-17f7-4aa3-b5ac-d50e976c9c78}\MpKsl46f33c6a.sys
2014-01-16 21:36:49 7760024 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ba114ee4-17f7-4aa3-b5ac-d50e976c9c78}\mpengine.dll
2014-01-14 23:38:28 7760024 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2014-01-07 02:42:36 -------- d-----w- c:\documents and settings\administrator\local settings\application data\NPE
2014-01-06 20:37:47 230048 ------w- c:\windows\system32\MpSigStub.exe
2014-01-06 20:08:34 275696 ----a-w- c:\windows\system32\mucltui.dll
2014-01-06 20:08:34 214256 ----a-w- c:\windows\system32\muweb.dll
2014-01-06 20:08:34 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2014-01-06 20:07:41 -------- d-----w- c:\documents and settings\administrator\local settings\application data\PCHealth
2014-01-06 20:06:55 -------- d-----w- c:\program files\Microsoft Security Client
2014-01-05 18:37:45 -------- d--h--w- c:\windows\system32\GroupPolicy
2014-01-04 17:48:10 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
2014-01-04 17:47:54 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2014-01-04 17:47:52 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-01-04 17:47:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2014-01-02 23:19:03 -------- d-----w- c:\program files\MyPC Backup
2014-01-02 18:14:07 -------- d-----w- c:\documents and settings\administrator\application data\DriverCure
2014-01-02 18:14:06 -------- d-----w- c:\documents and settings\administrator\application data\SparkTrust
2014-01-02 18:13:34 -------- d-----w- c:\documents and settings\all users\application data\SparkTrust
.
==================== Find3M  ====================
.
.
============= FINISH: 22:42:56.93 ===============
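A small triage script, added here as an illustration and not code from DDS, RogueKiller or anyone in this thread: it parses Run-key entries in the DDS "Pseudo HJT Report" format above and flags any whose binary lives in a directory an unprivileged user can write to, which is the signal RogueKiller later reports as [SUSP PATH] for avsecurity.exe. The sample lines are copied from the log above; the regexes and directory list are my own assumptions, not anything DDS documents.

```python
"""Triage of DDS-style autorun (Run key) entries.

Added illustration for this thread, not code from DDS, RogueKiller or the
thread's participants. The sample lines are copied from the DDS "Pseudo HJT
Report" above; the heuristic reproduces the signal RogueKiller reports as
[SUSP PATH]: a persistence entry whose binary lives where any user can write.
"""
import re
from dataclasses import dataclass

# Sample input (constructed from the DDS Pseudo HJT Report in this thread).
SAMPLE_DDS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Internet Security] c:\documents and settings\all users\application data\avsecurity.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\quickenw\QWDLLS.EXE
"""

# "uRun: [Name] command", "mRun: ...", "dRun: ..." or "StartupFolder: lnk - target".
AUTORUN_LINE = re.compile(
    r"^(?P<key>[umd]Run|StartupFolder):\s*(?:\[(?P<name>[^\]]*)\]\s*)?(?P<cmd>.*)$"
)
# Either a double-quoted path, or an unquoted path (spaces allowed) that ends at
# an executable extension followed by whitespace or end of line.
EXE_PATH = re.compile(
    r'^"(?P<quoted>[^"]+)"|^(?P<bare>.*?\.(?:exe|dll|scr|com|bat|cmd|vbs|pif))(?=\s|$)',
    re.IGNORECASE,
)

# Directory fragments an unprivileged user can write to (assumed list). A Run
# entry pointing here instead of Program Files / system32 deserves a second look.
USER_WRITABLE = (
    "\\application data\\",
    "\\local settings\\",
    "\\temp\\",
    "\\appdata\\",
    "\\programdata\\",
    "\\desktop\\",
    "\\my documents\\",
)


@dataclass
class Finding:
    key: str
    name: str
    exe: str
    reason: str


def executable_from_command(cmd: str) -> str:
    """Extract the launched binary from a Run value, honouring quoting."""
    m = EXE_PATH.match(cmd.strip())
    if not m:
        return cmd.strip()
    return (m.group("quoted") or m.group("bare")).strip()


def triage_autoruns(report: str) -> list:
    """Return the autorun entries whose executable sits in a user-writable path."""
    findings = []
    for raw in report.splitlines():
        m = AUTORUN_LINE.match(raw.strip())
        if not m:
            continue
        cmd = m.group("cmd")
        if m.group("key") == "StartupFolder":
            # DDS prints "<shortcut>.lnk - <target>"; the target is what runs.
            cmd = cmd.rsplit(" - ", 1)[-1]
        exe = executable_from_command(cmd)
        if any(frag in exe.lower() for frag in USER_WRITABLE):
            findings.append(Finding(m.group("key"), m.group("name") or "", exe,
                                    "binary persists from a user-writable directory"))
    return findings


if __name__ == "__main__":
    for f in triage_autoruns(SAMPLE_DDS):
        print(f"{f.key}: [{f.name}] {f.exe} -> {f.reason}")
```

Run against the sample it reports only the "Internet Security" entry; the system32 and Program Files entries pass, which is the distinction a helper makes by eye when reading such a log.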


#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,190 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:41 PM

Posted 21 January 2014 - 09:46 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller
=======

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
Please paste the logs in your next reply. DO NOT ATTACH THEM.
Let me know what problem persists.

p.s.
Unless you need please do not change the Size of the fonts.

#3 amgesq

amgesq
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:41 PM

Posted 21 January 2014 - 03:08 PM

Hi Nasdaq.  Tried to follow your instructions.  After the RogueKiller scan, 3 items were found and RogueKiller showed a warning about “Root.Zekos.”  An IE window then opened and went to an adlice.com webpage for Zekos removal with RogueKiller.  I didn’t click on anything on the page; I just closed it.  After I clicked “delete”, I never got a “deleting finished” (unless it came and went so fast I missed it); instead it said I needed to restart the computer.  Upon restart, I got 2 RogueKiller reports and a new desktop folder “RK_Quarantine.”  Both reports are pasted below.  I also have posted below the names of the files in the RK_Quarantine folder.

The AdwCleaner scan found 3 folders which I let it clean.  It also found 5 registry items and one IE entry (my IE homepage) which I did not let it clean because I wasn’t sure what they were.  The AdwCleaner report follows the RogueKiller reports.

Thanks for your help.  Andy

 

First Roguekiller report:

RogueKiller V8.8.2 [Jan 17 2014] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Administrator [Admin rights]
Mode : Scan -- Date : 01/21/2014 13:10:08
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Internet Security (C:\Documents and Settings\All Users\Application Data\avsecurity.exe [x][x]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-57989841-299502267-725345543-500\[...]\Run : Internet Security (C:\Documents and Settings\All Users\Application Data\avsecurity.exe [x][x]) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤
[Root.Zekos][File] rpcss.dll : C:\WINDOWS\system32\rpcss.dll [-] --> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[12] : NtAlertResumeThread @ 0x80637C26 -> HOOKED (Unknown @ 0x82AF1A20)
[Address] SSDT[13] : NtAlertThread @ 0x80592EFA -> HOOKED (Unknown @ 0x82AF1AE0)
[Address] SSDT[17] : NtAllocateVirtualMemory @ 0x80570BC5 -> HOOKED (Unknown @ 0x82A62868)
[Address] SSDT[19] : NtAssignProcessToJobObject @ 0x805E1DDB -> HOOKED (Unknown @ 0x82AF0BE8)
[Address] SSDT[31] : NtConnectPort @ 0x80590C5B -> HOOKED (Unknown @ 0x82DB9098)
[Address] SSDT[43] : NtCreateMutant @ 0x80580B62 -> HOOKED (Unknown @ 0x82AF17D0)
[Address] SSDT[52] : NtCreateSymbolicLinkObject @ 0x805E0922 -> HOOKED (Unknown @ 0x82AF0A08)
[Address] SSDT[53] : NtCreateThread @ 0x805860C0 -> HOOKED (Unknown @ 0x82C0C450)
[Address] SSDT[57] : NtDebugActiveProcess @ 0x806632B5 -> HOOKED (Unknown @ 0x82AF0CC8)
[Address] SSDT[68] : NtDuplicateObject @ 0x8057DDAF -> HOOKED (Unknown @ 0x82A629F8)
[Address] SSDT[83] : NtFreeVirtualMemory @ 0x805710BF -> HOOKED (Unknown @ 0x82A626C8)
[Address] SSDT[89] : NtImpersonateAnonymousToken @ 0x8059BB5D -> HOOKED (Unknown @ 0x82AF18A0)
[Address] SSDT[91] : NtImpersonateThread @ 0x805874C1 -> HOOKED (Unknown @ 0x82AF1960)
[Address] SSDT[97] : NtLoadDriver @ 0x805B06F6 -> HOOKED (Unknown @ 0x82C42A10)
[Address] SSDT[108] : NtMapViewOfSection @ 0x8057AA19 -> HOOKED (Unknown @ 0x82AF1F70)
[Address] SSDT[114] : NtOpenEvent @ 0x80589B69 -> HOOKED (Unknown @ 0x82AF1710)
[Address] SSDT[122] : NtOpenProcess @ 0x8057BB80 -> HOOKED (Unknown @ 0x82A62B58)
[Address] SSDT[123] : NtOpenProcessToken @ 0x805784F6 -> HOOKED (Unknown @ 0x82A62938)
[Address] SSDT[125] : NtOpenSection @ 0x8057B96A -> HOOKED (Unknown @ 0x82AF0EF0)
[Address] SSDT[128] : NtOpenThread @ 0x80596A0F -> HOOKED (Unknown @ 0x82A62AC8)
[Address] SSDT[137] : NtProtectVirtualMemory @ 0x80582621 -> HOOKED (Unknown @ 0x82AF0AF8)
[Address] SSDT[206] : NtResumeThread @ 0x80586737 -> HOOKED (Unknown @ 0x82A611F8)
[Address] SSDT[213] : NtSetContextThread @ 0x8063628D -> HOOKED (Unknown @ 0x82AF1D20)
[Address] SSDT[228] : NtSetInformationProcess @ 0x80574B1F -> HOOKED (Unknown @ 0x82AF1DE0)
[Address] SSDT[240] : NtSetSystemInformation @ 0x805B2328 -> HOOKED (Unknown @ 0x82AF0DA8)
[Address] SSDT[253] : NtSuspendProcess @ 0x80637B6B -> HOOKED (Unknown @ 0x82AF0FD0)
[Address] SSDT[254] : NtSuspendThread @ 0x80637A87 -> HOOKED (Unknown @ 0x82AF1BA0)
[Address] SSDT[257] : NtTerminateProcess @ 0x8058E6B9 -> HOOKED (Unknown @ 0x82A601F8)
[Address] SSDT[258] : NtTerminateThread @ 0x80582DDA -> HOOKED (Unknown @ 0x82AF1C60)
[Address] SSDT[267] : NtUnmapViewOfSection @ 0x8057A5A1 -> HOOKED (Unknown @ 0x82AF1EB0)
[Address] SSDT[277] : NtWriteVirtualMemory @ 0x805873F6 -> HOOKED (Unknown @ 0x82A62798)
[Address] Shadow SSDT[307] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x82CD40F8)
[Address] Shadow SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x82CCE300)
[Address] Shadow SSDT[414] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x82CCBAB8)
[Address] Shadow SSDT[416] : NtUserGetKeyState -> HOOKED (Unknown @ 0x82CD0A08)
[Address] Shadow SSDT[428] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x82CAEE60)
[Address] Shadow SSDT[460] : NtUserMessageCall -> HOOKED (Unknown @ 0x82E916B0)
[Address] Shadow SSDT[475] : NtUserPostMessage -> HOOKED (Unknown @ 0x82C99B58)
[Address] Shadow SSDT[476] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x82E90EE8)
[Address] Shadow SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x82CBF0C8)
[Address] Shadow SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x82CA1548)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : Root.Zekos ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1       localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ( @ )  +++++
--- User ---
[MBR] 48ae04fceca9f80c004b9459fee739ea
[BSP] 8a0932d4fa2a8cd2551f5fa0de7efa69 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_01212014_131007.txt >>

 

Second RogueKiller report

RogueKiller V8.8.2 [Jan 17 2014] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Administrator [Admin rights]
Mode : Remove -- Date : 01/21/2014 13:15:22
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Internet Security (C:\Documents and Settings\All Users\Application Data\avsecurity.exe [x][x]) -> DELETED
[RUN][SUSP PATH] HKUS\S-1-5-21-57989841-299502267-725345543-500\[...]\Run : Internet Security (C:\Documents and Settings\All Users\Application Data\avsecurity.exe [x][x]) -> [0x2] The system cannot find the file specified.
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤
[Root.Zekos][File] rpcss.dll : C:\WINDOWS\system32\rpcss.dll [-] --> REPLACED AT REBOOT -> (C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\rpcss.dll)

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[12] : NtAlertResumeThread @ 0x80637C26 -> HOOKED (Unknown @ 0x82AF1A20)
[Address] SSDT[13] : NtAlertThread @ 0x80592EFA -> HOOKED (Unknown @ 0x82AF1AE0)
[Address] SSDT[17] : NtAllocateVirtualMemory @ 0x80570BC5 -> HOOKED (Unknown @ 0x82A62868)
[Address] SSDT[19] : NtAssignProcessToJobObject @ 0x805E1DDB -> HOOKED (Unknown @ 0x82AF0BE8)
[Address] SSDT[31] : NtConnectPort @ 0x80590C5B -> HOOKED (Unknown @ 0x82DB9098)
[Address] SSDT[43] : NtCreateMutant @ 0x80580B62 -> HOOKED (Unknown @ 0x82AF17D0)
[Address] SSDT[52] : NtCreateSymbolicLinkObject @ 0x805E0922 -> HOOKED (Unknown @ 0x82AF0A08)
[Address] SSDT[53] : NtCreateThread @ 0x805860C0 -> HOOKED (Unknown @ 0x82C0C450)
[Address] SSDT[57] : NtDebugActiveProcess @ 0x806632B5 -> HOOKED (Unknown @ 0x82AF0CC8)
[Address] SSDT[68] : NtDuplicateObject @ 0x8057DDAF -> HOOKED (Unknown @ 0x82A629F8)
[Address] SSDT[83] : NtFreeVirtualMemory @ 0x805710BF -> HOOKED (Unknown @ 0x82A626C8)
[Address] SSDT[89] : NtImpersonateAnonymousToken @ 0x8059BB5D -> HOOKED (Unknown @ 0x82AF18A0)
[Address] SSDT[91] : NtImpersonateThread @ 0x805874C1 -> HOOKED (Unknown @ 0x82AF1960)
[Address] SSDT[97] : NtLoadDriver @ 0x805B06F6 -> HOOKED (Unknown @ 0x82C42A10)
[Address] SSDT[108] : NtMapViewOfSection @ 0x8057AA19 -> HOOKED (Unknown @ 0x82AF1F70)
[Address] SSDT[114] : NtOpenEvent @ 0x80589B69 -> HOOKED (Unknown @ 0x82AF1710)
[Address] SSDT[122] : NtOpenProcess @ 0x8057BB80 -> HOOKED (Unknown @ 0x82A62B58)
[Address] SSDT[123] : NtOpenProcessToken @ 0x805784F6 -> HOOKED (Unknown @ 0x82A62938)
[Address] SSDT[125] : NtOpenSection @ 0x8057B96A -> HOOKED (Unknown @ 0x82AF0EF0)
[Address] SSDT[128] : NtOpenThread @ 0x80596A0F -> HOOKED (Unknown @ 0x82A62AC8)
[Address] SSDT[137] : NtProtectVirtualMemory @ 0x80582621 -> HOOKED (Unknown @ 0x82AF0AF8)
[Address] SSDT[206] : NtResumeThread @ 0x80586737 -> HOOKED (Unknown @ 0x82A611F8)
[Address] SSDT[213] : NtSetContextThread @ 0x8063628D -> HOOKED (Unknown @ 0x82AF1D20)
[Address] SSDT[228] : NtSetInformationProcess @ 0x80574B1F -> HOOKED (Unknown @ 0x82AF1DE0)
[Address] SSDT[240] : NtSetSystemInformation @ 0x805B2328 -> HOOKED (Unknown @ 0x82AF0DA8)
[Address] SSDT[253] : NtSuspendProcess @ 0x80637B6B -> HOOKED (Unknown @ 0x82AF0FD0)
[Address] SSDT[254] : NtSuspendThread @ 0x80637A87 -> HOOKED (Unknown @ 0x82AF1BA0)
[Address] SSDT[257] : NtTerminateProcess @ 0x8058E6B9 -> HOOKED (Unknown @ 0x82A601F8)
[Address] SSDT[258] : NtTerminateThread @ 0x80582DDA -> HOOKED (Unknown @ 0x82AF1C60)
[Address] SSDT[267] : NtUnmapViewOfSection @ 0x8057A5A1 -> HOOKED (Unknown @ 0x82AF1EB0)
[Address] SSDT[277] : NtWriteVirtualMemory @ 0x805873F6 -> HOOKED (Unknown @ 0x82A62798)
[Address] Shadow SSDT[307] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x82CD40F8)
[Address] Shadow SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x82CCE300)
[Address] Shadow SSDT[414] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x82CCBAB8)
[Address] Shadow SSDT[416] : NtUserGetKeyState -> HOOKED (Unknown @ 0x82CD0A08)
[Address] Shadow SSDT[428] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x82CAEE60)
[Address] Shadow SSDT[460] : NtUserMessageCall -> HOOKED (Unknown @ 0x82E916B0)
[Address] Shadow SSDT[475] : NtUserPostMessage -> HOOKED (Unknown @ 0x82C99B58)
[Address] Shadow SSDT[476] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x82E90EE8)
[Address] Shadow SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x82CBF0C8)
[Address] Shadow SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x82CA1548)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : Root.Zekos ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1       localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ( @ )  +++++
--- User ---
[MBR] 48ae04fceca9f80c004b9459fee739ea
[BSP] 8a0932d4fa2a8cd2551f5fa0de7efa69 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_D_01212014_131521.txt >>
RKreport[0]_S_01212014_131007.txt

 

Contents of RK_Quarantine folder

HKEY_CURRENT_USER_Software_Microsoft_Windows_CurrentVersion_Run_Internet_S0
HKEY_LOCAL_MACHINE_Software_Microsoft_Windows_CurrentVersion_Explorer_HideDesktopIcons_NewStartPanel_{20D04FE0-0
HKEY_USERS_S-1-5-21-57989841-299502267-725345543-500_Software_Microsoft_Windows_CurrentVersion_Run_Internet_S0
PhysicalDrive0_User
QuarantineReport

 

contents of quarantine report
[Root.Zekos] Time : 21/01/2014 13:15:21
 --------------------------
ERROR [rpcss.dll.vir] -> C:\WINDOWS\system32\rpcss.dll

 

AdwCleaner report

# AdwCleaner v3.017 - Report created 21/01/2014 at 13:35:28
# Updated 12/01/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Administrator - OWNER-MMW299YXA
# Running from : C:\Documents and Settings\Administrator\Desktop\adwcleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files\MyPC Backup
Folder Deleted : C:\Documents and Settings\Administrator\Application Data\DriverCure
Folder Deleted : C:\Documents and Settings\Administrator\My Documents\PC Speed Maximizer

***** [ Shortcuts ] *****

***** [ Registry ] *****

[x] Not Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1
[x] Not Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
[x] Not Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
[x] Not Deleted : HKCU\Software\WEDLMNGR
[x] Not Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

[x] Not Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page]

*************************

AdwCleaner[R0].txt - [1564 octets] - [21/01/2014 13:23:42]
AdwCleaner[S0].txt - [1430 octets] - [21/01/2014 13:35:28]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1490 octets] ##########


#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,190 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:41 PM

Posted 22 January 2014 - 08:01 AM

I would run the AdwCleaner tool and remove these registry keys.

[x] Not Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
[x] Not Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
[x] Not Deleted : HKCU\Software\WEDLMNGR
[x] Not Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094

Restart the computer to complete the removal.
===

Please download ComboFix from one of these locations:
Link 1
Link 2
IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
[image: RcAuto1.gif]
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[image: whatnext.png]
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please post the logs and let me know what problem persists.

#5 amgesq

amgesq
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:41 PM

Posted 22 January 2014 - 06:31 PM

Hi Nasdaq. Logs to follow.  Here is what I did and what happened.  As I said in my first post, I had to DL the programs to a flash drive at the library, then copied the programs to my home desktop.  They seemed to run fine. After having AdwCleaner remove those keys, and restarting, Windows tries to install ScanSoft PaperPort 11.  I think I have this on a CD, so just cancelled the installation.

ComboFix said it required an internet connection.  When I connect my DSL line, that's when the svchost.exe starts to eat up both CPU and memory.  I have been able to bypass this a little by ending that process and then running shutdown -a when I get the system shutdown message.  However, I did not do this when I ran ComboFix as I was not sure if it would interfere with ComboFix.  Because of this, the svchost.exe process used a lot (often 99%) of the CPU while ComboFix was running, and the scan, etc. by ComboFix took quite a while.  I did get the request to install the Microsoft Windows Recovery Console.  It asked if I had XP Home; since I have Professional I clicked no.  The recovery console was then installed.  ComboFix finally finished, and I got the report.  When I ran Security Check, I got a box that said "AutoIt Error Line -1 Error : Variable must be of type object".  I clicked OK in the message box and then Security Check ran.  That report follows the ComboFix report.

After all this, I restarted the computer again, and connected to the internet.  The svchost.exe process is still there chewing up the CPU and memory.  Based on my experience, it may take an hour or so, but I expect it eventually will shut down the system again.

Thanks for your help.   Andy

ComboFix 14-01-22.01 - Administrator 01/22/2014  14:34:43.1.1 - x86
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Local Settings\Application Data.LOG
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\LocalService\Local Settings\Application Data.LOG
c:\documents and settings\NetworkService\Local Settings\Application Data.LOG
.
.
(((((((((((((((((((((((((   Files Created from 2013-12-22 to 2014-01-22  )))))))))))))))))))))))))))))))
.
.
2014-01-22 20:34 . 2014-01-22 20:34 40392 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1DAAAB82-625E-4BAB-913F-B4CDEC854B94}\MpKsl06d45650.sys
2014-01-22 20:08 . 2013-12-04 00:57 7760024 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1DAAAB82-625E-4BAB-913F-B4CDEC854B94}\mpengine.dll
2014-01-21 20:35 . 2014-01-21 20:35 1324 ----a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\d3d9caps.tmp
2014-01-21 19:23 . 2014-01-22 16:35 -------- d-----w- C:\AdwCleaner
2014-01-21 19:05 . 2013-12-04 00:57 7760024 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-01-21 19:04 . 2014-01-21 19:04 26624 ----a-w- c:\windows\system32\TrueSight.sys
2014-01-18 01:33 . 2014-01-18 01:33 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2014-01-07 02:42 . 2014-01-07 03:35 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\NPE
2014-01-06 20:37 . 2014-01-19 07:32 231584 ------w- c:\windows\system32\MpSigStub.exe
2014-01-06 20:08 . 2012-06-02 21:18 275696 ----a-w- c:\windows\system32\mucltui.dll
2014-01-06 20:08 . 2012-06-02 21:18 214256 ----a-w- c:\windows\system32\muweb.dll
2014-01-06 20:07 . 2014-01-06 20:07 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\PCHealth
2014-01-06 20:07 . 2014-01-06 20:07 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2014-01-06 20:06 . 2014-01-06 20:07 -------- d-----w- c:\program files\Microsoft Security Client
2014-01-05 18:37 . 2014-01-05 18:37 -------- d--h--w- c:\windows\system32\GroupPolicy
2014-01-04 17:48 . 2014-01-04 17:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2014-01-04 17:47 . 2014-01-04 17:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2014-01-04 17:47 . 2014-01-05 15:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2014-01-04 17:47 . 2013-04-04 20:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-01-02 18:14 . 2014-01-02 18:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\SparkTrust
2014-01-02 18:13 . 2014-01-05 05:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SparkTrust
2014-01-01 19:30 . 2014-01-01 19:30 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2014-01-01 19:29 . 2014-01-02 00:21 -------- d-sh--w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft
2013-12-25 14:13 . 2013-12-25 14:13 -------- d-----w- c:\program files\7-Zip
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-02-09 . 0F4E82A1BCC9B139CAA9157D85CECC9C . 401408 . . [5.1.2600.5755] . . c:\windows\system32\rpcss.dll
[-] 2009-02-09 . 3711BA620B5D824A546C30581458733E . 401408 . . [5.1.2600.5755] . . c:\windows\system32\dllcache\rpcss.dll
[7] 2009-02-09 . 9222562D44021B988B9F9F62207FB6F2 . 401408 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\rpcss.dll
[7] 2008-04-14 . 2589FE6015A316C0F5D5112B4DA7B509 . 399360 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB956572$\rpcss.dll
[7] 2008-04-14 . 2589FE6015A316C0F5D5112B4DA7B509 . 399360 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\rpcss.dll
[-] 2003-07-16 . 493FCBED180DCACF0B5D4C8C29949CA9 . 260608 . . [5.1.2600.1106] . . c:\windows\$NtServicePackUninstall$\rpcss.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-11-06 741376]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-10-30 77824]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2013-04-23 295512]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-10-23 948440]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Billminder.lnk - c:\quickenw\BILLMIND.EXE [2013-2-12 36864]
Quicken Startup.lnk - c:\quickenw\QWDLLS.EXE [2013-2-12 36864]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
.
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1008030.006\SYMEFA.SYS [2010-01-20 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\Drivers\NIS\1008030.006\BHDrvx86.sys [2010-01-20 259632]
S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\NIS\1008030.006\ccHPx86.sys [2013-02-12 467592]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20140102.001\IDSxpx86.sys [2013-12-12 382608]
S1 MpKsl06d45650;MpKsl06d45650;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1DAAAB82-625E-4BAB-913F-B4CDEC854B94}\MpKsl06d45650.sys [2014-01-22 40392]
S2 mrtRate;mrtRate; [x]
S2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe [2011-09-22 117648]
S2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe [2013-03-06 39056]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2013-11-19 108120]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL06D45650
.
Contents of the 'Scheduled Tasks' folder
.
2014-01-22 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-10-23 21:01]
.
2014-01-22 c:\windows\Tasks\Norton Internet Security - Administrator - Full System Scan.job
- c:\program files\Norton Internet Security\Engine\16.8.3.6\Navw32.exe [2013-02-12 00:35]
.
2014-01-22 c:\windows\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-57989841-299502267-725345543-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-03-06 16:36]
.
2014-01-22 c:\windows\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-57989841-299502267-725345543-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-03-06 16:36]
.
.
------- Supplementary Scan -------
.
uStart Page = https://login.yahoo.com/?.src=ym&.done=http%3A%2F%2Fus.mg205.mail.yahoo.com%2Fneo%2Fb%2Flaunch%3Ffid%3DInbox%26order%3Ddown%26tt%3D327%26pSize%3D50%26.rand%3D1132811625
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: adobe.com\get3
Trusted Zone: ant.com\www
Trusted Zone: bleepingcomputer.com\www
Trusted Zone: dizzcloud.com
Trusted Zone: malwarebytes.com
Trusted Zone: microsoft.com\www
Trusted Zone: sourceforge.net
Trusted Zone: sparktrust.com\www
Trusted Zone: uploaded.net
TCP: DhcpNameServer = 192.168.1.254
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-01-22 15:03
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.8.3.6\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-57989841-299502267-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,33,da,3a,2b,9b,f5,a6,47,9f,8c,c5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e0,5e,68,1c,38,88,af,4b,84,db,7c,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2014-01-22  15:15:05
ComboFix-quarantined-files.txt  2014-01-22 21:14
.
Pre-Run: 474,084,270,080 bytes free
Post-Run: 476,902,678,528 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 033E1DC0FD2936E8B503C0E10E50AC29
8F558EB6672622401DA993E1E865C861
 

Results of screen317's Security Check version 0.99.79 
 Windows XP Service Pack 3 x86  
 Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Disabled! 
Please wait while WMIC is being installed.
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300 
 Adobe Reader XI 
````````Process Check: objlist.exe by Laurent```````` 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 19% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
 

Also, here's the report from AdwCleaner after removing the keys:

# AdwCleaner v3.017 - Report created 22/01/2014 at 10:35:03
# Updated 12/01/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Administrator - OWNER-MMW299YXA
# Running from : C:\Documents and Settings\Administrator\Desktop\adwcleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

[x] Not Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Deleted : HKCU\Software\WEDLMNGR
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page]

*************************

AdwCleaner[R0].txt - [1564 octets] - [21/01/2014 13:23:42]
AdwCleaner[R1].txt - [1473 octets] - [22/01/2014 10:33:24]
AdwCleaner[S0].txt - [1570 octets] - [21/01/2014 13:35:28]
AdwCleaner[S1].txt - [1311 octets] - [22/01/2014 10:35:03]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1371 octets] ##########



#6 nasdaq (Malware Response Team)

Posted 23 January 2014 - 09:36 AM

>>> Run Jotti's malware scan: Please copy this line (in bold):
c:\windows\system32\rpcss.dll
  • Go to Jotti's malware scan
  • and click the Browse button,
  • A window will open, right-click in the File name field and choose Paste.
  • Click the Submit button and let the scan run uninterrupted.
  • At the end right-click the Permalink button and choose "Copy the link". [image: Capture.JPG]
  • Open Notepad (Start => All Programs => Accessories) and click "Edition" => "Paste".
Please copy and paste this Permalink in your next reply.
If Jotti is busy, please go to http://www.virustotal.com

#7 amgesq (Topic Starter)

Posted 23 January 2014 - 09:49 AM

Hi Nasdaq.  When I right-clicked, I didn't get "Copy the link"; instead I got "Copy shortcut".  But it seemed to work!  Here's the link.     Andy

http://virusscan.jotti.org/en/scanresult/7ae884ca15c18d7e2007a303ee3520d13c7007cb



#8 nasdaq (Malware Response Team)

Posted 23 January 2014 - 11:51 AM

The file is corrupted.
Let's change it for a good file.

Open notepad and copy/paste the text in the quote box below into it:

FCOPY::
c:\windows\$hf_mig$\KB956572\SP3QFE\rpcss.dll | c:\windows\system32\rpcss.dll

Save this as CFScript.txt on your desktop.

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Restart the computer normally.

Let me know what problem persists.
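As an added example, not code from nasdaq, ComboFix or anyone in this thread: the Python below applies the reasoning of posts #5 and #8 to the Sigcheck section of a ComboFix log. It parses the entries, flags a live system32 file whose hash is unverified and disagrees with its dllcache copy or with every verified copy of the same version, and builds the FCOPY:: line in the form used above. The sample lines are copied from the posted log; the meaning of the [-] and [7] tags is assumed from the log's own note, and the GDR/QFE caveat in the comments is an added practitioner's note.

```python
"""Apply the Sigcheck reasoning from the posts above to a ComboFix log: parse
the block, compare each live system file with its dllcache and verified copies,
and build the CFScript FCOPY:: line that restores it from a verified copy."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample input: the rpcss.dll lines copied from the Sigcheck
# section of the ComboFix log posted earlier in this thread.
SAMPLE_SIGCHECK = r"""
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-02-09 . 0F4E82A1BCC9B139CAA9157D85CECC9C . 401408 . . [5.1.2600.5755] . . c:\windows\system32\rpcss.dll
[-] 2009-02-09 . 3711BA620B5D824A546C30581458733E . 401408 . . [5.1.2600.5755] . . c:\windows\system32\dllcache\rpcss.dll
[7] 2009-02-09 . 9222562D44021B988B9F9F62207FB6F2 . 401408 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\rpcss.dll
[7] 2008-04-14 . 2589FE6015A316C0F5D5112B4DA7B509 . 399360 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB956572$\rpcss.dll
[7] 2008-04-14 . 2589FE6015A316C0F5D5112B4DA7B509 . 399360 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\rpcss.dll
[-] 2003-07-16 . 493FCBED180DCACF0B5D4C8C29949CA9 . 260608 . . [5.1.2600.1106] . . c:\windows\$NtServicePackUninstall$\rpcss.dll
.
"""

# One Sigcheck line: "[tag] date . MD5 . size . . [version] . . path"
LINE_RE = re.compile(
    r"^\[(?P<tag>[^\]]*)\]\s+(?P<date>\S+)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+\[(?P<ver>[^\]]+)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)
# Assumed tag meaning, inferred from the log's own note: "[-]" = signature not
# verified, "[7]" = verified against the Windows file catalog.
VERIFIED_TAG = "7"
SYSTEM32 = "c:\\windows\\system32\\"


class SigEntry(NamedTuple):
    tag: str
    date: str
    md5: str
    size: int
    version: str
    path: str


class Finding(NamedTuple):
    name: str
    version: str
    live_path: str
    live_md5: str
    dllcache_md5: Optional[str]  # None when the log lists no dllcache copy
    candidates: List[str]        # verified copies of the same version


def parse_sigcheck(text: str) -> List[SigEntry]:
    """One SigEntry per file line; headers and '.' separators are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(SigEntry(m["tag"], m["date"], m["md5"].upper(),
                                    int(m["size"]), m["ver"], m["path"]))
    return entries


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def assess(entries: List[SigEntry]) -> List[Finding]:
    """Flag a live system32 file whose hash is unverified and either differs
    from its dllcache copy or matches no verified copy of the same version."""
    groups: Dict[Tuple[str, str], List[SigEntry]] = defaultdict(list)
    for e in entries:
        groups[(_basename(e.path), e.version)].append(e)
    findings = []
    for (name, version), group in groups.items():
        live = next((e for e in group if e.path.lower() == SYSTEM32 + name), None)
        if live is None:
            continue  # only backup or hotfix copies of this version are listed
        cache = next((e for e in group
                      if e.path.lower() == SYSTEM32 + "dllcache\\" + name), None)
        verified = [e for e in group if e.tag == VERIFIED_TAG]
        matches_verified = any(e.md5 == live.md5 for e in verified)
        cache_mismatch = cache is not None and cache.md5 != live.md5
        # Caveat: GDR and QFE hotfix branches can share a version string yet
        # hash differently, so a mismatch is a lead to confirm, not proof.
        if live.tag != VERIFIED_TAG and (cache_mismatch or not matches_verified):
            findings.append(Finding(name, version, live.path, live.md5,
                                    cache.md5 if cache else None,
                                    [e.path for e in verified]))
    return findings


def cfscript_for(finding: Finding) -> Optional[str]:
    """FCOPY:: directive in the form used in the thread, sourcing the first
    verified copy; None when the log offers no verified replacement."""
    if not finding.candidates:
        return None
    return f"FCOPY::\n{finding.candidates[0]} | {finding.live_path}"
```

Run against the sample, the only finding is rpcss.dll 5.1.2600.5755, and cfscript_for() reproduces the FCOPY:: line nasdaq posted.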

#9 amgesq (Topic Starter)

Posted 23 January 2014 - 12:57 PM

Nasdaq, I think we are making progress.  I did as you instructed, except I did not (forgot to) turn off the Microsoft Security Essentials firewall.  When I clicked and dragged the script, ComboFix said there was a newer version and asked if I wanted to update.  I clicked yes, it updated and then ran.  The log follows. Now I have restarted and no longer see an svchost.exe process eating up CPU and memory.  The largest such process (there are 7 of them) is sitting at around 22000K of memory and no CPU usage.  Andy

ComboFix 14-01-23.02 - Administrator 01/23/2014  11:24:57.2.1 - x86
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\$hf_mig$\KB956572\SP3QFE\rpcss.dll --> c:\windows\system32\rpcss.dll
.
(((((((((((((((((((((((((   Files Created from 2013-12-23 to 2014-01-23  )))))))))))))))))))))))))))))))
.
.
2014-01-23 08:20 . 2014-01-23 08:20 62576 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1DAAAB82-625E-4BAB-913F-B4CDEC854B94}\offreg.dll
2014-01-22 23:05 . 2014-01-22 23:05 40392 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1DAAAB82-625E-4BAB-913F-B4CDEC854B94}\MpKsle18c39bb.sys
2014-01-22 20:08 . 2013-12-04 00:57 7760024 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1DAAAB82-625E-4BAB-913F-B4CDEC854B94}\mpengine.dll
2014-01-21 20:35 . 2014-01-21 20:35 1324 ----a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\d3d9caps.tmp
2014-01-21 19:23 . 2014-01-22 16:35 -------- d-----w- C:\AdwCleaner
2014-01-21 19:05 . 2013-12-04 00:57 7760024 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-01-21 19:04 . 2014-01-21 19:04 26624 ----a-w- c:\windows\system32\TrueSight.sys
2014-01-18 01:33 . 2014-01-18 01:33 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2014-01-07 02:42 . 2014-01-07 03:35 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\NPE
2014-01-06 20:37 . 2014-01-19 07:32 231584 ------w- c:\windows\system32\MpSigStub.exe
2014-01-06 20:08 . 2012-06-02 21:18 275696 ----a-w- c:\windows\system32\mucltui.dll
2014-01-06 20:08 . 2012-06-02 21:18 214256 ----a-w- c:\windows\system32\muweb.dll
2014-01-06 20:07 . 2014-01-06 20:07 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\PCHealth
2014-01-06 20:07 . 2014-01-06 20:07 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2014-01-06 20:06 . 2014-01-06 20:07 -------- d-----w- c:\program files\Microsoft Security Client
2014-01-05 18:37 . 2014-01-05 18:37 -------- d--h--w- c:\windows\system32\GroupPolicy
2014-01-04 17:48 . 2014-01-04 17:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2014-01-04 17:47 . 2014-01-04 17:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2014-01-04 17:47 . 2014-01-05 15:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2014-01-04 17:47 . 2013-04-04 20:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-01-02 18:14 . 2014-01-02 18:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\SparkTrust
2014-01-02 18:13 . 2014-01-05 05:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SparkTrust
2014-01-01 19:30 . 2014-01-01 19:30 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2014-01-01 19:29 . 2014-01-02 00:21 -------- d-sh--w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft
2013-12-25 14:13 . 2013-12-25 14:13 -------- d-----w- c:\program files\7-Zip
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-11-06 741376]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-10-30 77824]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2013-04-23 295512]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-10-23 948440]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Billminder.lnk - c:\quickenw\BILLMIND.EXE [2013-2-12 36864]
Quicken Startup.lnk - c:\quickenw\QWDLLS.EXE [2013-2-12 36864]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
.
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1008030.006\SYMEFA.SYS [2010-01-20 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\Drivers\NIS\1008030.006\BHDrvx86.sys [2010-01-20 259632]
S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\NIS\1008030.006\ccHPx86.sys [2013-02-12 467592]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20140102.001\IDSxpx86.sys [2013-12-12 382608]
S1 MpKsle18c39bb;MpKsle18c39bb;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1DAAAB82-625E-4BAB-913F-B4CDEC854B94}\MpKsle18c39bb.sys [2014-01-22 40392]
S2 mrtRate;mrtRate; [x]
S2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe [2011-09-22 117648]
S2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe [2013-03-06 39056]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2013-11-19 108120]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLE18C39BB
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2014-01-23 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-10-23 21:01]
.
2014-01-23 c:\windows\Tasks\Norton Internet Security - Administrator - Full System Scan.job
- c:\program files\Norton Internet Security\Engine\16.8.3.6\Navw32.exe [2013-02-12 00:35]
.
2014-01-22 c:\windows\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-57989841-299502267-725345543-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-03-06 16:36]
.
2014-01-22 c:\windows\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-57989841-299502267-725345543-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-03-06 16:36]
.
.
------- Supplementary Scan -------
.
uStart Page = https://login.yahoo.com/?.src=ym&.done=http%3A%2F%2Fus.mg205.mail.yahoo.com%2Fneo%2Fb%2Flaunch%3Ffid%3DInbox%26order%3Ddown%26tt%3D327%26pSize%3D50%26.rand%3D1132811625
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: adobe.com\get3
Trusted Zone: ant.com\www
Trusted Zone: bleepingcomputer.com\www
Trusted Zone: dizzcloud.com
Trusted Zone: malwarebytes.com
Trusted Zone: microsoft.com\www
Trusted Zone: sourceforge.net
Trusted Zone: sparktrust.com\www
Trusted Zone: uploaded.net
TCP: DhcpNameServer = 192.168.1.254
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-01-23 11:37
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.8.3.6\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-57989841-299502267-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,33,da,3a,2b,9b,f5,a6,47,9f,8c,c5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e0,5e,68,1c,38,88,af,4b,84,db,7c,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2014-01-23  11:40:02
ComboFix-quarantined-files.txt  2014-01-23 17:39
ComboFix2.txt  2014-01-22 21:15
.
Pre-Run: 476,582,285,312 bytes free
Post-Run: 476,744,318,976 bytes free
.
- - End Of File - - 9AAA51D90CE36B575954E22C8F8DB05B
8F558EB6672622401DA993E1E865C861
 



#10 nasdaq (Malware Response Team)

Posted 23 January 2014 - 01:44 PM

Use the computer and in 2 or 3 days let me know of any issues.

#11 amgesq (Topic Starter)

Posted 23 January 2014 - 02:08 PM

OK.  Do you think it would be safe to visit and log in to financial sites now, or should I wait for a few days?

Thanks for all your help.

Andy



#12 nasdaq (Malware Response Team)

Posted 24 January 2014 - 09:25 AM

Change your passwords on the financial sites to be safe.

#13 amgesq (Topic Starter)

Posted 26 January 2014 - 02:28 PM

Nasdaq.  No issues so far.  I've even left the computer on and connected to the internet the last 2 nights and the problem hasn't come back.  Andy



#14 nasdaq (Malware Response Team)

Posted 27 January 2014 - 08:55 AM

If all is well:

Time for some housekeeping
  • The following will implement some cleanup procedures as well as reset System Restore points:
  • Click Start > Run and copy/paste the following bold text into the Run box and click OK:
  • ComboFix /Uninstall
===


Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

Having an effective antivirus is a must for everyone.
In addition to many excellent commercial products there are plenty of good free antivirus programs available. I can recommend:

If you are satisfied with your current protection programs you can ignore the instructions on Antivirus or Firewall listed below.

In addition to an antivirus I recommend using a firewall. A software firewall is a software program that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet. I can recommend one of the following free products:

Please note: Many installers offer third-party downloads that are installed automatically when you do not uncheck certain checkboxes. While most of the time not malicious, you usually do not want these on your computer. Be careful during the installation process and you will avoid seeing tons of new unwanted toolbars in your favorite web browser.

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Malwarebytes Anti-Malware (MBAM)
The free version of MBAM can be used to scan the system for traces of malware. Scanning your system regularly will make it harder for malware to reside on your system.
A tutorial on using MBAM can be found here.
Please Note: Only the paid for version has real time capabilities.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different from the older version of rogues mentioned above.

Please keep your programs up to date. This applies to Java, Adobe Flash Player, Adobe Reader and your Internet browsers in particular. Vulnerabilities in these programs are often exploited in order to install malware on your PC. Visiting a prepared web page suffices to infect your system.

In general Firefox, Opera and Google Chrome are considered to be more secure than Internet Explorer. In addition there are many useful add-ons that can protect you from possible risks:
  • WOT will warn you when you try to visit sites with poor reputation. The reputation is based on user ratings and is usually very accurate.
  • A script blocker can help block many attempts to infect your system via malicious websites by only allowing scripts at sites you trust.
  • NoScript is a popular Firefox add-on,
  • ScriptNo a popular Google Chrome add-on.
For much more useful information, please also read Tony Klein's excellent article: How did I get infected in the first place

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help.
===

#15 amgesq

  • Topic Starter
  • Members
  • 32 posts
  • Gender:Male

Posted 27 January 2014 - 12:15 PM

Nasdaq, thanks for your help. I'll run ComboFix /Uninstall as soon as I post this reply. As for the other recommendations, I have read through your post once, but haven't gone through the tutorials or read Tony Klein's article yet. I will do so shortly. But I can make a couple of observations.

I have been using Norton Internet Security, but that subscription is up and frankly it seems to be doing very little. So I will not renew it. I downloaded both Malwarebytes and Microsoft Security Essentials at my sister's suggestion when this problem popped up and plan to keep them and get rid of Norton. Will a simple uninstall through the control panel completely remove the Norton stuff? I have heard that Norton can be difficult to remove.

During the course of getting rid of this virus/trojan/whatever it was, I downloaded a number of programs either at your request or the request of Aussie Addict in my Am I Infected post. Not sure if I should keep these or remove them; they include: Security Check; AdwCleaner; DDS; RogueKiller 32; TDSSRootkit Killer.

Thanks again, Andy
