
Kryptik.t infection


This topic is locked
13 replies to this topic

#1 mashmash

  • Members

Posted 20 January 2014 - 08:57 AM

Hi,

 

My computer is infected with Kryptik.t, as shown in the registry at: HKCU\Software\Microsoft\CurrentVersion\Run:

 

The first entry is jave, data: wscript.exe //B "C:\Documents and Settings\xp\jave.vbs"

The second entry is supportt, data: wscript.exe //B "C:\Documents and Settings\xp\support.vbs"

 

Some logs of my machine can be seen here:

http://www.bleepingcomputer.com/forums/t/519991/nice-to-meet-you-kryptikt-infected-please-help/

 

Thanks for your help!

mashmash




#2 Noviciate

  • Malware Response Team

Posted 21 January 2014 - 03:38 PM

Good evening. :)

Please go here, follow step six, and then post accordingly into this thread.
 


So long, and thanks for all the fish.

 

 


#3 mashmash

  • Topic Starter

  • Members

Posted 22 January 2014 - 05:16 AM

Hi Noviciate :)

Attached are the logs.

Thanks!!

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.6001.18702
Run by xp at 12:07:30 on 2014-01-22
Microsoft Windows XP Professional  5.1.2600.3.1255.972.1037.18.1900.118 [GMT 2:00]
.
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Antivirus *Enabled* 
.
============== Running Processes ================
.
C:\Program Files\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Program Files\AVAST Software\Avast\afwServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Intel\WiMAX\Bin\AppSrv.exe
C:\Program Files\Intel\WiMAX\Bin\DMAgent.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Samsung\Kies\Kies.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee Security Scan\3.8.130\SSScheduler.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Documents and Settings\xp\Application Data\Juniper Networks\Setup Client\JuniperSetupClient.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://www.google.co.il/
uURLSearchHooks: {e3e7c520-7571-4107-b480-83b6e41d42dd} - <orphaned>
BHO: MSS+ Identifier: {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - c:\program files\mcafee security scan\3.8.130\McAfeeMSS_IE.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: עוזר הכניסה של Windows Live: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: avast! Online Security: {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [KiesPreload] c:\program files\samsung\kies\Kies.exe /preload
uRun: [KiesAirMessage] c:\program files\samsung\kies\KiesAirMessage.exe -startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [] c:\program files\samsung\kies\external\firmwareupdate\KiesPDLR.exe
uRun: [supportt] wscript.exe //B "c:\documents and settings\xp\supportt.vbs"
uRun: [jave] wscript.exe //B "c:\documents and settings\xp\jave.vbs"
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil32_11_9_900_170_Plugin.exe -update plugin
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AvastUI.exe] "c:\program files\avast software\avast\AvastUI.exe" /nogui
mRunOnce: [20131224] c:\program files\avast software\avast\setup\emupdate\5033ca56-2d6a-49e1-8f84-7774c72ea2dc.exe /check
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\94ae~1\d9f0~1\76ef~1\mcafee~1.lnk - c:\program files\mcafee security scan\3.8.130\SSScheduler.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/select/asusTek_sys_ctrl3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1301926567312
DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} - hxxp://www.tapuz.co.il/irc/main/launcher.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
TCP: NameServer = 10.0.0.138
TCP: Interfaces\{013E04DE-9188-407B-89DD-31E6000AF92B} : DHCPNameServer = 10.0.0.138
TCP: Interfaces\{427365D7-C2DC-4DDF-BD1E-FFEFBD50B0C0} : DHCPNameServer = 10.0.0.138
TCP: Interfaces\{5C6B2680-9D93-40DB-971F-D28C1231B491} : NameServer = 192.168.10.200
TCP: Interfaces\{7B42650B-D9DE-4C09-84DE-52724FED7DCF} : NameServer = 192.168.10.200
TCP: Interfaces\{A720106D-E522-4C63-9B1E-CA954411E80B} : DHCPNameServer = 10.0.0.138
TCP: Interfaces\{B46D4AAC-F70B-4E70-A0EA-CEAD2C12870E} : DHCPNameServer = 192.168.10.2 80.179.52.100 80.179.55.100
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\32.0.1700.76\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\xp\application data\mozilla\firefox\profiles\x2cwr4um.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.il/ig
FF - prefs.js: network.proxy.ftp - p-es1.biscience.com
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.gopher - p-es1.biscience.com
FF - prefs.js: network.proxy.gopher_port - 3128
FF - prefs.js: network.proxy.http - p-es1.biscience.com
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - p-es1.biscience.com
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - p-es1.biscience.com
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\xp\application data\mozilla\firefox\profiles\x2cwr4um.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - component: c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\xp\local settings\application data\citrix\plugins\104\npappdetector.dll
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.22.3\npGoogleUpdate3.dll
FF - plugin: c:\program files\mcafee security scan\3.8.130\npMcAfeeMSS.dll
FF - plugin: c:\program files\nokia\nokia suite\npNokiaSuiteEnabler.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_9_900_170.dll
.
============= SERVICES / DRIVERS ===============
.
R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [2014-1-2 12112]
R0 aswNdis2;avast! Firewall NDIS Driver;c:\windows\system32\drivers\aswNdis2.sys [2014-1-2 252336]
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [2014-1-2 49944]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [2014-1-2 180248]
R1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys [2014-1-2 26136]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2014-1-2 775952]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2014-1-2 410528]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-2-29 36000]
R1 NEOFLTR_710_20169;Juniper Networks TDI Filter Driver (NEOFLTR_710_20169);c:\windows\system32\drivers\NEOFLTR_710_20169.SYS [2012-7-18 85064]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-2-29 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-2-29 110032]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2014-1-2 67824]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2014-1-2 50344]
R2 avast! Firewall;avast! Firewall;c:\program files\avast software\avast\afwServ.exe [2014-1-2 113704]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-2-29 83392]
R2 DMAgent;Intel® PROSet/Wireless WiMAX Red Bend Device Management Service;c:\program files\intel\wimax\bin\DMAgent.exe [2009-9-15 352256]
R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2013-2-15 233472]
R2 WiMAXAppSrv;Intel® PROSet/Wireless WiMAX Service;c:\program files\intel\wimax\bin\AppSrv.exe [2009-9-15 1368064]
R3 bpenum;bpenum;c:\windows\system32\drivers\bpenum.sys [2009-9-15 189568]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2013-2-15 37344]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2011-4-4 125696]
R3 IntcDAud;שמע תצוגה של Intel®‎‎;c:\windows\system32\drivers\IntcDAud.sys [2011-4-4 215040]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2011-4-4 119408]
R3 JME;JMicron Ethernet Adapter NDIS5.1 Driver;c:\windows\system32\drivers\JME.sys [2011-8-2 65648]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-9-5 171680]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-7-19 1684736]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [2013-2-15 83168]
S3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [2013-2-15 20032]
S3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2010-7-19 44032]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\3.8.130\McCHSvc.exe [2013-9-6 235216]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2012-8-4 137600]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2012-8-4 8576]
S3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [2013-2-15 181344]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2010-1-7 1374464]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 wrnxtlda;wrnxtlda; [x]
.
=============== File Associations ===============
.
ShellExec: switch.exe: open="c:\program files\nch software\switch\switch" "%L"
.
=============== Created Last 30 ================
.
2014-01-21 09:07:38 -------- d-----w- c:\program files\common files\Soda PDF 5
2014-01-09 19:58:43 -------- d-----w- c:\program files\ESET
2014-01-09 19:39:48 -------- d-----w- c:\windows\ERUNT
2014-01-09 19:23:35 -------- d-----w- C:\AdwCleaner
2014-01-02 15:34:40 -------- d-----w- c:\documents and settings\xp\application data\AVAST Software
2014-01-02 15:24:24 775952 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2014-01-02 15:24:24 180248 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2014-01-02 15:24:23 49944 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2014-01-02 15:24:22 67824 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2014-01-02 15:24:15 26136 ----a-w- c:\windows\system32\drivers\aswKbd.sys
2014-01-02 15:24:14 252336 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
2014-01-02 15:23:32 43152 ----a-w- c:\windows\avastSS.scr
2014-01-02 15:22:58 12112 ----a-w- c:\windows\system32\drivers\aswNdis.sys
2014-01-02 15:17:25 -------- d-----w- c:\program files\AVAST Software
2014-01-02 15:15:59 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
.
==================== Find3M  ====================
.
2014-01-19 12:14:20 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-01-19 12:14:19 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 12:08:48.47 ===============

 

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 27/03/2009 11:55:14
System Uptime: 22/01/2014 03:51:49 (9 hours ago)
.
Motherboard: ASUSTeK Computer Inc.         |  | K52F
Processor: מעבד Intel Pentium II | Socket 989 | 2393/533mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 154 GiB total, 123.26 GiB free.
D: is FIXED (NTFS) - 144 GiB total, 143.692 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description: I Simple Communications Controller
Device ID: PCI\VEN_8086&DEV_3B64&SUBSYS_1F271043&REV_06\3&11583659&0&B0
Manufacturer:
Name: I Simple Communications Controller
PNP Device ID: PCI\VEN_8086&DEV_3B64&SUBSYS_1F271043&REV_06\3&11583659&0&B0
Service:
.
Class GUID:
Description: BT-270
Device ID: USB\VID_0B05&PID_1788\74F06DA9AD0F
Manufacturer:
Name: BT-270
PNP Device ID: USB\VID_0B05&PID_1788\74F06DA9AD0F
Service:
.
==== System Restore Points ===================
.
RP360: 24/10/2013 15:16:17 - נקודת ביקורת של המערכת
RP361: 27/10/2013 17:35:58 - נקודת ביקורת של המערכת
RP362: 29/10/2013 11:47:54 - נקודת ביקורת של המערכת
RP363: 30/10/2013 15:33:17 - נקודת ביקורת של המערכת
RP364: 03/11/2013 10:45:11 - נקודת ביקורת של המערכת
RP365: 04/11/2013 11:36:25 - נקודת ביקורת של המערכת
RP366: 05/11/2013 12:30:39 - נקודת ביקורת של המערכת
RP367: 06/11/2013 16:48:35 - נקודת ביקורת של המערכת
RP368: 07/11/2013 17:06:06 - נקודת ביקורת של המערכת
RP369: 10/11/2013 15:46:41 - נקודת ביקורת של המערכת
RP370: 11/11/2013 17:15:01 - נקודת ביקורת של המערכת
RP371: 14/11/2013 15:22:22 - נקודת ביקורת של המערכת
RP372: 17/11/2013 17:17:04 - נקודת ביקורת של המערכת
RP373: 19/11/2013 19:01:30 - נקודת ביקורת של המערכת
RP374: 21/11/2013 11:12:51 - נקודת ביקורת של המערכת
RP375: 24/11/2013 12:31:26 - נקודת ביקורת של המערכת
RP376: 25/11/2013 14:51:46 - נקודת ביקורת של המערכת
RP377: 27/11/2013 14:44:02 - נקודת ביקורת של המערכת
RP378: 28/11/2013 15:09:43 - נקודת ביקורת של המערכת
RP379: 29/11/2013 22:01:19 - נקודת ביקורת של המערכת
RP380: 01/12/2013 17:11:38 - נקודת ביקורת של המערכת
RP381: 02/12/2013 18:44:43 - נקודת ביקורת של המערכת
RP382: 05/12/2013 11:23:51 - נקודת ביקורת של המערכת
RP383: 09/12/2013 13:24:57 - נקודת ביקורת של המערכת
RP384: 10/12/2013 15:32:38 - נקודת ביקורת של המערכת
RP385: 11/12/2013 19:55:17 - נקודת ביקורת של המערכת
RP386: 15/12/2013 12:52:07 - נקודת ביקורת של המערכת
RP387: 16/12/2013 17:28:02 - נקודת ביקורת של המערכת
RP388: 17/12/2013 18:00:16 - נקודת ביקורת של המערכת
RP389: 19/12/2013 14:55:19 - נקודת ביקורת של המערכת
RP390: 20/12/2013 16:04:20 - נקודת ביקורת של המערכת
RP391: 22/12/2013 17:26:12 - נקודת ביקורת של המערכת
RP392: 26/12/2013 09:58:54 - נקודת ביקורת של המערכת
RP393: 28/12/2013 13:42:55 - נקודת ביקורת של המערכת
RP394: 29/12/2013 15:08:21 - נקודת ביקורת של המערכת
RP395: 30/12/2013 17:54:38 - נקודת ביקורת של המערכת
RP396: 01/01/2014 12:33:35 - נקודת ביקורת של המערכת
RP397: 02/01/2014 17:17:25 - avast! antivirus system restore point
RP398: 06/01/2014 13:36:10 - נקודת ביקורת של המערכת
RP399: 07/01/2014 15:08:07 - נקודת ביקורת של המערכת
RP400: 08/01/2014 20:46:44 - נקודת ביקורת של המערכת
RP401: 09/01/2014 21:18:35 - נקודת ביקורת של המערכת
RP402: 11/01/2014 18:23:02 - נקודת ביקורת של המערכת
RP403: 13/01/2014 14:19:37 - נקודת ביקורת של המערכת
RP404: 14/01/2014 14:48:07 - נקודת ביקורת של המערכת
RP405: 15/01/2014 15:56:18 - נקודת ביקורת של המערכת
RP406: 16/01/2014 22:55:21 - נקודת ביקורת של המערכת
RP407: 19/01/2014 16:11:44 - נקודת ביקורת של המערכת
RP408: 20/01/2014 16:42:55 - נקודת ביקורת של המערכת
RP409: 22/01/2014 10:19:01 - נקודת ביקורת של המערכת
.
==== Installed Programs ======================
.
עדכון קריטי עבור Windows Media Player 11 (KB959772)
עדכון עבור Windows XP (KB951978)
עדכון עבור Windows XP (KB955839)
עדכון עבור Windows XP (KB967715)
עדכון אבטחה עבור Windows Internet Explorer 7 (KB956390)
עדכון אבטחה עבור Windows Internet Explorer 7 (KB961260)
עדכון אבטחה עבור Windows Media Player 11 (KB936782)
עדכון אבטחה עבור Windows Media Player 11 (KB954154)
עדכון אבטחה עבור Windows Media Player (KB952069)
עדכון אבטחה עבור Windows XP (KB923789)
עדכון אבטחה עבור Windows XP (KB938464-v2)
עדכון אבטחה עבור Windows XP (KB946648)
עדכון אבטחה עבור Windows XP (KB950760)
עדכון אבטחה עבור Windows XP (KB950762)
עדכון אבטחה עבור Windows XP (KB950974)
עדכון אבטחה עבור Windows XP (KB951066)
עדכון אבטחה עבור Windows XP (KB951376-v2)
עדכון אבטחה עבור Windows XP (KB951698)
עדכון אבטחה עבור Windows XP (KB951748)
עדכון אבטחה עבור Windows XP (KB952954)
עדכון אבטחה עבור Windows XP (KB954459)
עדכון אבטחה עבור Windows XP (KB954600)
עדכון אבטחה עבור Windows XP (KB955069)
עדכון אבטחה עבור Windows XP (KB956802)
עדכון אבטחה עבור Windows XP (KB956803)
עדכון אבטחה עבור Windows XP (KB956841)
עדכון אבטחה עבור Windows XP (KB957097)
עדכון אבטחה עבור Windows XP (KB958644)
עדכון אבטחה עבור Windows XP (KB958687)
עדכון אבטחה עבור Windows XP (KB958690)
עדכון אבטחה עבור Windows XP (KB960225)
עדכון אבטחה עבור Windows XP (KB960715)
עדכון אבטחה עבור Windows XP (KB941569)
תיקון חם עבור Windows Media Player 11 (KB939683)
תיקון חם עבור Windows XP (KB952287)
Adobe Flash Player 11 Plugin
Adobe Flash Player 12 ActiveX
Adobe Reader XI (11.0.02)
AteraVPN
Atheros Communications Inc.® AR8121/AR8113/AR8114 Gigabit/Fast Ethernet Driver
ATK Package
avast! Premier
Avira Free Antivirus
Bezeq-ADSL
Bonjour
Choice Guard
Citrix Online Launcher
Conexant HD Audio
ESET Online Scanner v3
Google Chrome
Google Update Helper
GoToMeeting 5.8.0.1189
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 4 Client Profile (KB2461678)
Intel® Graphics Media Accelerator Driver
Intel® PROSet/Wireless WiMAX Software
JMicron Ethernet Adapter NDIS Driver
JMicron Flash Media Controller Driver
Juniper Networks Host Checker
Juniper Networks Secure Application Manager
Juniper Networks, Inc. Setup Client
Juniper Networks, Inc. Setup Client Activex Control
Juniper Terminal Services Client
K-Lite Codec Pack 5.4.4 (Full)
McAfee Security Scan Plus
Microsoft .NET Framework 2.0
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (Hebrew) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (Hebrew) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (Hebrew) 2007
Microsoft Office InfoPath MUI (Hebrew) 2007
Microsoft Office OneNote MUI (Hebrew) 2007
Microsoft Office Outlook MUI (Hebrew) 2007
Microsoft Office PowerPoint MUI (Hebrew) 2007
Microsoft Office Proof (Arabic) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Hebrew) 2007
Microsoft Office Proof (Russian) 2007
Microsoft Office Proofing (Hebrew) 2007
Microsoft Office Publisher MUI (Hebrew) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared MUI (Hebrew) 2007
Microsoft Office Word MUI (Hebrew) 2007
Microsoft Software Update for Web Folders  (Hebrew) 12
Microsoft User-Mode Driver Framework Feature Pack 1.9
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Microsoft WinUsb 1.0
Microsoft_VC100_CRT_SP1_x86
Mozilla Firefox 26.0 (x86 he)
Mozilla Maintenance Service
MSVC80_x86_v2
MSVC90_x86
MSVCRT
Nero 8 Micro 8.1.1.3
Nokia Connectivity Cable Driver
Nokia Suite
PC Connectivity Solution
Platform
Prism Video File Converter
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Samsung Kies
SAMSUNG USB Driver for Mobile Phones
Segoe UI
Skype Click to Call
Skype™ 6.11
SWF Opener
Switch Sound File Converter
Total Commander (Remove or Repair)
USB2.0 UVC VGA WebCam
VIA Platform Device Manager
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows XP Service Pack 3
WinRAR archiver
כלי ההעלאה של Windows Live
מסייע הכניסה של Windows Live
חבילת התקני Windows. - Nokia pccsmcfd “LegacyDriver”  (05/31/2012 7.1.2.0)
.
==== Event Viewer Messages From Past Week ========
.
21/01/2014 10:27:57, error: Service Control Manager [7000]  - The Parallel port driver service failed to start due to the following error:  אין אפשרות להפעיל את השירות, מאחר שהוא אינו זמין או מאחר שלא משויכים אליו התקנים פעילים.
20/01/2014 20:14:40, error: Dhcp [1002]  - The IP address lease 10.0.0.4 for the Network Card with network address 485D6037CA18 has been denied by the DHCP server 10.0.0.138 (The DHCP Server sent a DHCPNACK message).
20/01/2014 15:46:06, error: Dhcp [1002]  - The IP address lease 192.168.50.107 for the Network Card with network address 485D6037CA18 has been denied by the DHCP server 10.0.0.138 (The DHCP Server sent a DHCPNACK message).
20/01/2014 10:32:55, error: Service Control Manager [7000]  - The Parallel port driver service failed to start due to the following error:  אין אפשרות להפעיל את השירות, מאחר שהוא אינו זמין או מאחר שלא משויכים אליו התקנים פעילים.
19/01/2014 07:41:35, error: Service Control Manager [7000]  - The Parallel port driver service failed to start due to the following error:  אין אפשרות להפעיל את השירות, מאחר שהוא אינו זמין או מאחר שלא משויכים אליו התקנים פעילים.
16/01/2014 16:33:07, error: Service Control Manager [7000]  - The Parallel port driver service failed to start due to the following error:  אין אפשרות להפעיל את השירות, מאחר שהוא אינו זמין או מאחר שלא משויכים אליו התקנים פעילים.
15/01/2014 11:09:52, error: Service Control Manager [7000]  - The Parallel port driver service failed to start due to the following error:  אין אפשרות להפעיל את השירות, מאחר שהוא אינו זמין או מאחר שלא משויכים אליו התקנים פעילים.
15/01/2014 11:09:45, error: ACPIEC [1]  - \Device\ACPIEC: חומרת הבקר המוטבע (EC) לא הגיבה במהלך תקופת פסק הזמן. ייתכן שזהו סימן לשגיאה בחומרה או בקושחה של EC, או ב- BIOS המוגדר באופן שגוי ומנסה לבצע גישה ל- EC בצורה שאינה מאובטחת. מנהל ההתקן של EC ינסה לבצע שוב את הטרנזקציה שנכשלה, אם הדבר אפשרי.
.
==== End Of File ===========================
 


Edited by Noviciate, 22 January 2014 - 02:56 PM.
Log added from attachment.
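The two wscript.exe autoruns named in the first post and the Firefox proxy entries in the DDS log above are the indicators a responder would pull out of such a log first. The script below is an added example, not a tool from this thread or from BleepingComputer: it parses DDS `uRun`/`mRun` and `FF - prefs.js` lines (the sample is constructed from lines copied out of the log above), flags autoruns that launch a script host against a script kept under a user profile, and reports configured proxy hosts, treating `network.proxy.type` 0 as "configured but not in use".

```python
import re
from dataclasses import dataclass, field

# Constructed sample: autorun and prefs.js lines copied from the DDS log posted above.
SAMPLE_DDS = r"""
uRun: [KiesPreload] c:\program files\samsung\kies\Kies.exe /preload
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [supportt] wscript.exe //B "c:\documents and settings\xp\supportt.vbs"
uRun: [jave] wscript.exe //B "c:\documents and settings\xp\jave.vbs"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
FF - prefs.js: network.proxy.http - p-es1.biscience.com
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.ssl - p-es1.biscience.com
FF - prefs.js: network.proxy.type - 0
"""

# Script hosts commonly used to run .vbs/.js droppers at logon.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Path fragments where an installed product rarely keeps its startup script.
USER_PROFILE_MARKERS = (
    "documents and settings", "\\users\\", "\\application data\\", "\\appdata\\", "\\temp\\",
)
# DDS conventions: uRun = HKCU, mRun = HKLM, dRun = HKU\.DEFAULT (plus RunOnce variants).
RUN_LINE = re.compile(r"^(?P<hive>[umd]Run(?:Once)?):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
FF_PREF_LINE = re.compile(r"^FF - prefs\.js:\s*(?P<key>\S+)\s*-\s*(?P<value>.*)$")
# First token of a command line, honouring a quoted executable path.
FIRST_TOKEN = re.compile(r'^\s*(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))')
PROXY_HOST_KEYS = {f"network.proxy.{s}" for s in ("ftp", "gopher", "http", "socks", "ssl")}


@dataclass
class RunEntry:
    hive: str
    name: str
    command: str

    @property
    def executable(self) -> str:
        """Lower-cased base name of the launched image (unquoted paths with spaces truncate)."""
        m = FIRST_TOKEN.match(self.command)
        token = (m["quoted"] or m["bare"]) if m else ""
        return token.lower().rsplit("\\", 1)[-1]

    @property
    def silent(self) -> bool:
        """//B makes wscript/cscript suppress script errors and prompts."""
        return "//b" in self.command.lower().split()

    @property
    def suspicious(self) -> bool:
        """Script host launched against a script stored under a user profile or temp path."""
        if self.executable not in SCRIPT_HOSTS:
            return False
        cmd = self.command.lower()
        return any(marker in cmd for marker in USER_PROFILE_MARKERS)


@dataclass
class ProxyFinding:
    hosts: set = field(default_factory=set)
    active: bool = False  # True only when network.proxy.type is 1 (manual proxy)


def parse_run_entries(log_text: str) -> list:
    matches = (RUN_LINE.match(line.strip()) for line in log_text.splitlines())
    return [RunEntry(m["hive"], m["name"], m["cmd"].strip()) for m in matches if m]


def parse_firefox_prefs(log_text: str) -> dict:
    matches = (FF_PREF_LINE.match(line.strip()) for line in log_text.splitlines())
    return {m["key"]: m["value"].strip() for m in matches if m}


def proxy_findings(prefs: dict) -> ProxyFinding:
    finding = ProxyFinding()
    for key in PROXY_HOST_KEYS:
        if prefs.get(key):
            finding.hosts.add(prefs[key])
    # Firefox honours manual proxy hosts only when network.proxy.type is 1;
    # type 0 (direct connection) leaves them configured but unused, as in the log above.
    finding.active = prefs.get("network.proxy.type") == "1"
    return finding


def triage(log_text: str) -> dict:
    entries = parse_run_entries(log_text)
    return {
        "run_entries": entries,
        "flagged": [e for e in entries if e.suspicious],
        "proxy": proxy_findings(parse_firefox_prefs(log_text)),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_DDS)
    for e in result["flagged"]:
        print(f"[{e.hive}] {e.name}: {e.command}  (silent={e.silent})")
    print("proxy hosts:", sorted(result["proxy"].hosts), "in use:", result["proxy"].active)
```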


#4 Noviciate

  • Malware Response Team

Posted 22 January 2014 - 02:57 PM

Good evening. :)

Pay a visit to the ESET Online Scanner.
 

  • Click the Run ESET Online Scanner button.
  • If you are using any other browser than IE, you will be prompted to download and run esetsmartinstaller_enu.exe and the scan will run from within the window that the executable opens.
  • Regardless of which browser you are using, you will be shown some terms and conditions and you will need to accept these to continue.
  • If you are running IE for this scan you will then be prompted to allow an ActiveX component to be downloaded, unless you already have it installed, and the scan will run inside IE.
  • When you see the Computer Scan Settings window, you will need to make the following changes:
    • UNCHECK Remove found threats - this is important.
    • Check Scan archives
    • Click on Advanced settings
    • Check Scan for potentially unsafe applications
  • Once ready, click Start to begin - not a surprise really!
  • The anti-virus definitions will now be downloaded, so don't forget to allow them through your firewall if prompted.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

 




#5 mashmash

  • Topic Starter

  • Members

Posted 24 January 2014 - 05:34 AM

Hi Noviciate,

 

ESET scan returned no results.

 

mashmash



#6 Noviciate

  • Malware Response Team

Posted 24 January 2014 - 02:57 PM

Good evening. :)

Take a trip to this webpage for download links and instructions for running Combofix by sUBs.*

  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Let me know how the PC is behaving.

* Please note from the instructions page:

Disabling your Anti-Virus - CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for either.
 




#7 mashmash

  • Topic Starter

  • Members

Posted 25 January 2014 - 07:00 AM

Hi Noviciate,

 

Downloaded CF and it installed the recovery panel. I then ran CF twice, and both times Windows crashed and I got the blue screen with notifications:

1. Likely due to a faulty plug and play driver

2. BAD_POOL_HEADER

 

I did not run a third time.

 

Please advise.

 

Thanks,

mashmash



#8 Noviciate

  • Malware Response Team

Posted 25 January 2014 - 02:11 PM

Good evening. :)

Will you try it in Safe Mode?




#9 Noviciate

  • Malware Response Team

Posted 30 January 2014 - 02:49 PM

As there has been no response for five days this thread is now closed.




#10 Noviciate

  • Malware Response Team

Posted 31 January 2014 - 03:19 PM

Topic unlocked at poster's request.

 

* Please note that if I lock it again, it will remain so.




#11 mashmash

  • Topic Starter

  • Members

Posted 01 February 2014 - 02:44 AM

Hi Noviciate,

 

Thanks for unlocking, I truly appreciate it!  :)

 

Ran CF in safe mode and it completed successfully; below is the log.

 

mashmash

 

 

ComboFix 14-01-29.01 - xp 01/30/2014  23:23:44.4.4 - x86 MINIMAL
Microsoft Windows XP Professional  5.1.2600.3.1255.972.1037.18.1900.1638 [GMT 2:00]
Running from: c:\documents and settings\xp\שולחן העבודה\ComboFix.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\xp\14.exe
D:\AUTORUN.INF
.
.
(((((((((((((((((((((((((   Files Created from 2013-12-28 to 2014-01-30  )))))))))))))))))))))))))))))))
.
.
2014-01-30 21:15 . 2014-01-30 21:15 -------- d-----w- c:\windows\LastGood.Tmp
2014-01-21 09:07 . 2014-01-21 09:07 -------- d-----w- c:\program files\Common Files\Soda PDF 5
2014-01-09 19:58 . 2014-01-09 19:58 -------- d-----w- c:\program files\ESET
2014-01-09 19:39 . 2014-01-09 19:39 -------- d-----w- c:\windows\ERUNT
2014-01-09 19:23 . 2014-01-09 19:25 -------- d-----w- C:\AdwCleaner
2014-01-02 15:15 . 2014-01-30 21:16 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-01-22 12:12 . 2013-06-13 07:51 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-01-22 12:12 . 2011-08-22 00:53 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KiesPreload"="c:\program files\Samsung\Kies\Kies.exe" [2012-12-20 1476104]
"supportt"="wscript.exe" [2008-05-08 155648]
"jave"="wscript.exe" [2008-05-08 155648]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 946352]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\תפריט התחלה\תוכניות\הפעלה\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.8.130\SSScheduler.exe [2013-9-6 273296]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GEST]
m–|\ [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\%FP%Bezeq-ADSL fts.exe]
2004-01-07 11:37 77312 ----a-w- c:\program files\Bezeq\Bezeq-ADSL\fts.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATKHOTKEY]
2009-10-26 07:10 174720 ----a-w- c:\program files\ASUS\ATK Package\ATK Hotkey\HControl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATKMEDIA]
2009-08-19 17:31 170624 ----a-w- c:\program files\ASUS\ATK Package\ATK Media\DMedia.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATKOSD2]
2009-10-26 17:29 6998656 ----a-w- c:\program files\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 02:17 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 22:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HControlUser]
2009-06-19 07:29 105016 ----a-w- c:\program files\ASUS\ATK Package\ATK Hotkey\HControlUser.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDAudDeck]
2009-06-05 06:39 33628160 ----a-r- c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2009-12-04 08:24 173592 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2009-12-04 08:25 141848 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWirelessWiMAX]
2009-09-16 13:48 1437696 ----a-w- c:\program files\Intel\WiMAX\Bin\WiMAXCU.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesTrayAgent]
2012-12-20 16:44 310280 ----a-w- c:\program files\Samsung\Kies\KiesTrayAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaSuite.exe]
2012-08-03 13:06 1086376 ----a-w- c:\program files\Nokia\Nokia Suite\NokiaSuite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2009-12-04 08:24 144920 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-05-21 06:01 17881600 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2013-11-14 14:42 20584608 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Intel\\WiMAX\\Bin\\AppSrv.exe"=
"c:\\Program Files\\Intel\\WiMAX\\Bin\\DMAgent.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\ATERA Networks\\AteraVPN\\AteraConnect.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\muzapp.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
"37676:TCP"= 37676:TCP:*:Disabled:ooVoo TCP port 37676
"37676:UDP"= 37676:UDP:*:Disabled:ooVoo UDP port 37676
"37677:UDP"= 37677:UDP:*:Disabled:ooVoo UDP port 37677
"37678:TCP"= 37678:TCP:*:Disabled:ooVoo TCP port 37678
"37678:UDP"= 37678:UDP:*:Disabled:ooVoo UDP port 37678
"37679:UDP"= 37679:UDP:*:Disabled:ooVoo UDP port 37679
.
S1 NEOFLTR_710_20169;Juniper Networks TDI Filter Driver (NEOFLTR_710_20169);c:\windows\system32\drivers\NEOFLTR_710_20169.SYS [18/07/2012 17:31 85064]
S2 DMAgent;Intel® PROSet/Wireless WiMAX Red Bend Device Management Service;c:\program files\Intel\WiMAX\Bin\DMAgent.exe [15/09/2009 20:51 352256]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [15/02/2013 13:27 233472]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [05/09/2013 10:34 171680]
S2 WiMAXAppSrv;Intel® PROSet/Wireless WiMAX Service;c:\program files\Intel\WiMAX\Bin\AppSrv.exe [15/09/2009 20:56 1368064]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [19/07/2010 11:54 1684736]
S3 bpenum;bpenum;c:\windows\system32\drivers\bpenum.sys [15/09/2009 20:46 189568]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [15/02/2013 19:06 83168]
S3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [15/02/2013 13:14 20032]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [15/02/2013 13:27 37344]
S3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [04/04/2011 16:07 125696]
S3 IntcDAud;שמע תצוגה של Intel®‎‎;c:\windows\system32\drivers\IntcDAud.sys [04/04/2011 16:07 215040]
S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [04/04/2011 16:22 119408]
S3 JME;JMicron Ethernet Adapter NDIS5.1 Driver;c:\windows\system32\drivers\JME.sys [02/08/2011 22:31 65648]
S3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [19/07/2010 10:26 44032]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.8.130\McCHSvc.exe [06/09/2013 19:29 235216]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [04/08/2012 10:50 137600]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [04/08/2012 10:50 8576]
S3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [15/02/2013 19:06 181344]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [07/01/2010 16:06 1374464]
S3 wrnxtlda;wrnxtlda; [x]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-01-29 08:22 1211672 ----a-w- c:\program files\Google\Chrome\Application\32.0.1700.102\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-01-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-06-13 12:12]
.
2014-01-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-10-24 08:46]
.
2014-01-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-10-24 08:46]
.
2014-01-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1659004503-484763869-725345543-1005Core.job
- c:\documents and settings\MASHA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-17 18:44]
.
2014-01-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1659004503-484763869-725345543-1005UA.job
- c:\documents and settings\MASHA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-17 18:44]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 10.0.0.138
TCP: Interfaces\{5C6B2680-9D93-40DB-971F-D28C1231B491}: NameServer = 192.168.10.200
TCP: Interfaces\{7B42650B-D9DE-4C09-84DE-52724FED7DCF}: NameServer = 192.168.10.200
DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} - hxxp://www.tapuz.co.il/irc/main/launcher.cab
FF - ProfilePath - c:\documents and settings\xp\Application Data\Mozilla\Firefox\Profiles\x2cwr4um.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.il/ig
FF - prefs.js: network.proxy.ftp - p-uk1.biscience.com
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.gopher - p-uk1.biscience.com
FF - prefs.js: network.proxy.gopher_port - 3128
FF - prefs.js: network.proxy.http - p-uk1.biscience.com
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - p-uk1.biscience.com
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - p-uk1.biscience.com
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{e3e7c520-7571-4107-b480-83b6e41d42dd} - (no file)
Toolbar-Locked - (no file)
WebBrowser-{E3E7C520-7571-4107-B480-83B6E41D42DD} - (no file)
ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24} - (no file)
HKCU-Run-KiesAirMessage - c:\program files\Samsung\Kies\KiesAirMessage.exe
SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
AddRemove-Prism - c:\program files\NCH Software\Prism\prism.exe
AddRemove-Switch - c:\program files\NCH Software\Switch\switch.exe
AddRemove-01_Simmental - c:\program files\Samsung\USB Drivers\01_Simmental\Uninstall.exe
AddRemove-02_Siberian - c:\program files\Samsung\USB Drivers\02_Siberian\Uninstall.exe
AddRemove-03_Swallowtail - c:\program files\Samsung\USB Drivers\03_Swallowtail\Uninstall.exe
AddRemove-04_semseyite - c:\program files\Samsung\USB Drivers\04_semseyite\Uninstall.exe
AddRemove-07_Schorl - c:\program files\Samsung\USB Drivers\07_Schorl\Uninstall.exe
AddRemove-09_Hsp - c:\program files\Samsung\USB Drivers\09_Hsp\Uninstall.exe
AddRemove-11_HSP_Plus_Default - c:\program files\Samsung\USB Drivers\11_HSP_Plus_Default\Uninstall.exe
AddRemove-16_Shrewsbury - c:\program files\Samsung\USB Drivers\16_Shrewsbury\Uninstall.exe
AddRemove-20_NXP_Driver - c:\program files\Samsung\USB Drivers\20_NXP_Driver\Uninstall.exe
AddRemove-24_flashusbdriver - c:\program files\Samsung\USB Drivers\24_flashusbdriver\Uninstall.exe
AddRemove-25_escape - c:\program files\Samsung\USB Drivers\25_escape\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-01-30 23:38
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5f,84,aa,79,20,42,f0,4e,85,da,2b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5f,84,aa,79,20,42,f0,4e,85,da,2b,\
.
[HKEY_USERS\S-1-5-21-1659004503-484763869-725345543-1003\Software\Microsoft\ M*i*c*r*o*s*o*f*t* *M*a*n*a*g*e*m*e*n*t* *C*o*n*s*o*l*e*\Recent File List]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"File1"="c:\\WINDOWS\\system32\\devmgmt.msc"
"File2"="c:\\WINDOWS\\system32\\compmgmt.msc"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_12_0_0_38_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_12_0_0_38_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2014-01-30  23:42:14
ComboFix-quarantined-files.txt  2014-01-30 21:42
.
Pre-Run: 137,588,367,360 bytes free
Post-Run: 137,753,075,712 bytes free
.
- - End Of File - - 21666D1EC670E72EEF59446042A27352
8F558EB6672622401DA993E1E865C861
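
A defender's triage of the "Reg Loading Points" section of the log above, added here as an example; it is not part of this thread, of ComboFix, or of any tool the helper recommended. It parses the Run-key lines ComboFix printed (copied into a constructed sample) and flags entries that launch a script host or carry no directory, which is exactly the shape of the two `wscript.exe` entries. The names `parse_run_entries`, `suspicious_run_entries` and `SCRIPT_HOSTS` are assumptions for this example.

```python
import re

# Constructed sample: the Run-key lines from the ComboFix log posted in this
# thread, reproduced as they appear (dates and sizes are ComboFix's own).
SAMPLE_LOG = r"""[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KiesPreload"="c:\program files\Samsung\Kies\Kies.exe" [2012-12-20 1476104]
"supportt"="wscript.exe" [2008-05-08 155648]
"jave"="wscript.exe" [2008-05-08 155648]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 946352]
"""

# Script interpreters that legitimate autostart entries almost never launch
# directly. When ComboFix prints only the interpreter, the script it was given
# is not shown, so the date/size belong to the interpreter, not the payload.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+\\Run)\]$")
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<image>[^"]*)"\s*\[(?P<date>\S+)\s+(?P<size>\d+)\]$'
)


def parse_run_entries(text):
    """Return (key, name, image, date, size) tuples from ComboFix's Run-key section."""
    entries, key = [], None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)  # remember which hive/Run key we are inside
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append((key, m["name"], m["image"], m["date"], int(m["size"])))
    return entries


def suspicious_run_entries(text):
    """Flag entries whose image is a script host or has no directory component."""
    flagged = []
    for key, name, image, date, size in parse_run_entries(text):
        basename = image.rsplit("\\", 1)[-1].lower()
        reasons = []
        if basename in SCRIPT_HOSTS:
            reasons.append("script host launched at logon")
        if "\\" not in image:
            reasons.append("no path shown: inspect the raw registry value for the script argument")
        if reasons:
            flagged.append({"key": key, "name": name, "image": image, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in suspicious_run_entries(SAMPLE_LOG):
        print(f"{hit['key']}\\{hit['name']} -> {hit['image']}: {'; '.join(hit['reasons'])}")
```

Run against a full ComboFix log the same two functions will skip the non-Run sections, since only `[...\Run]` headers open a key.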


#12 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:10:30 AM

Posted 01 February 2014 - 03:49 PM

Good evening. :)

Download OTL by OldTimer from here and save it to your Desktop.

  • Double click the tool to run it.
  • Click the Quick Scan button and allow it to do its thing.
  • Once complete, it should open two Notepad windows - OTL.Txt and Extras.Txt
  • It should also save copies in the same location as OTL.
  • I want you to copy and paste the contents of OTL.txt that should appear into one reply and Extras.Txt into another.
  • The length of the two logs sometimes results in the end being chopped off if you post both in one reply.




#13 mashmash

mashmash
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:30 PM

Posted 05 February 2014 - 06:54 AM

Hi Noviciate,

I will have results of the above tomorrow.

I apologize for my slow reply - but I'm on it :)

Thanks!



#14 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:10:30 AM

Posted 06 February 2014 - 03:10 PM

As the requested information hasn't been posted within a five day period this thread is locked once again.

