
Slow computer not shutting down, only able to use DDS and browse in safe mode


This topic is locked
25 replies to this topic

#1 sportsfroma2

  • Members
  • 33 posts

Posted 27 February 2014 - 10:45 PM

Hello,

 

At the request of my original thread in "Am I Infected": http://www.bleepingcomputer.com/forums/t/525632/computer-not-shutting-down-some-malware-found/

 

I followed steps 6-8 in the guide to run DDS; however, DDS was not able to complete while in "normal" XP mode. It would only work in Safe Mode.

 

Here's the screenshot of where it would get stuck (left it there for more than 30 mins, tried multiple times, rebooted, etc.)

 

[screenshot: YJZ5nPz.png]

 

 

Anyway, here are the DDS results from XP SP3's Safe Mode:

 

 

DDS (Ver_2012-11-20.01) - NTFS_x86 NETWORK
Internet Explorer: 8.0.6001.18702
Run by Administrator at 22:25:38 on 2014-02-27
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1748 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ================
.
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
.
============== Pseudo HJT Report ===============
.
uProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - <orphaned>
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - <orphaned>
BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
uRun: [Steam] "e:\program files\valve\steam\steam.exe" -silent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [SetDefPrt] c:\program files\brother\brmfl04g\BrStDvPt.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\rcadet~1.lnk - c:\documents and settings\administrator\my documents\rca detective\RCADetective.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoSMMyPictures = dword:1
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1249879274671
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{6608C430-CBF0-42A1-9E64-187C58F2B1DE} : DHCPNameServer = 192.168.1.254
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\33.0.1750.117\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\xpnfs4wb.default-1392871144062\
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.22.5\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20913.0\npctrlui.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_12_0_0_43.dll
.
============= SERVICES / DRIVERS ===============
.
S0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 214696]
S1 MpKsl92efb2f2;MpKsl92efb2f2;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ce1c76d5-de2a-487d-af00-743cceccd2bf}\MpKsl92efb2f2.sys [2014-2-27 39464]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\superantispyware\sabkutil.sys --> c:\program files\superantispyware\SABKUTIL.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-11-9 160944]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-8-9 1684736]
S3 rt2870;INTELLINET 802.11n Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys --> c:\windows\system32\drivers\rt2870.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
.
=============== File Associations ===============
.
FileExt: .scr: DWGTrueViewScriptFile=c:\windows\system32\notepad.exe "%1"
ShellExec: FOXITR~1.EXE: print="c:\progra~1\foxits~1\foxitr~1\FOXITR~1.EXE"/p "%1"
ShellExec: FOXITR~1.EXE: printto="c:\progra~1\foxits~1\foxitr~1\FOXITR~1.EXE"/t "%1" "%2" "%3" "%4"
.
=============== Created Last 30 ================
.
2014-02-28 02:30:03    39464    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ce1c76d5-de2a-487d-af00-743cceccd2bf}\MpKsl92efb2f2.sys
2014-02-28 02:12:38    39464    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ce1c76d5-de2a-487d-af00-743cceccd2bf}\MpKsl2f126d21.sys
2014-02-28 02:00:13    39464    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ce1c76d5-de2a-487d-af00-743cceccd2bf}\MpKsl74823d8e.sys
2014-02-27 04:15:44    39464    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ce1c76d5-de2a-487d-af00-743cceccd2bf}\MpKsl72041a82.sys
2014-02-27 03:56:54    39464    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ce1c76d5-de2a-487d-af00-743cceccd2bf}\MpKslb4ded025.sys
2014-02-27 03:45:31    39464    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ce1c76d5-de2a-487d-af00-743cceccd2bf}\MpKslb143a9b3.sys
2014-02-27 03:36:26    39464    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ce1c76d5-de2a-487d-af00-743cceccd2bf}\MpKsl6f52f615.sys
2014-02-27 02:57:05    39464    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ce1c76d5-de2a-487d-af00-743cceccd2bf}\MpKsla8061674.sys
2014-02-27 02:44:36    39464    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ce1c76d5-de2a-487d-af00-743cceccd2bf}\MpKsl22511f09.sys
2014-02-27 01:04:23    116224    -c--a-w-    c:\windows\system32\dllcache\xrxwiadr.dll
2014-02-27 01:04:21    23040    -c--a-w-    c:\windows\system32\dllcache\xrxwbtmp.dll
2014-02-27 01:04:20    18944    -c--a-w-    c:\windows\system32\dllcache\xrxscnui.dll
2014-02-27 01:04:18    27648    -c--a-w-    c:\windows\system32\dllcache\xrxftplt.exe
2014-02-27 01:04:15    4608    -c--a-w-    c:\windows\system32\dllcache\xrxflnch.exe
2014-02-27 01:02:58    19016    -c--a-w-    c:\windows\system32\dllcache\w926nd.sys
2014-02-27 01:01:58    50688    -c--a-w-    c:\windows\system32\dllcache\umaxscan.dll
2014-02-27 01:00:56    138528    -c--a-w-    c:\windows\system32\dllcache\tgiulnt5.sys
2014-02-27 00:59:59    16896    -c--a-w-    c:\windows\system32\dllcache\stcusb.sys
2014-02-27 00:58:58    28160    -c--a-w-    c:\windows\system32\dllcache\sm91w.dll
2014-02-27 00:57:58    17280    -c--a-w-    c:\windows\system32\dllcache\scr111.sys
2014-02-27 00:56:59    59136    -c--a-w-    c:\windows\system32\dllcache\rfcomm.sys
2014-02-27 00:55:58    121344    -c--a-w-    c:\windows\system32\dllcache\phvfwext.dll
2014-02-27 00:54:59    25088    -c--a-w-    c:\windows\system32\dllcache\ovca.sys
2014-02-27 00:53:58    13664    -c--a-w-    c:\windows\system32\dllcache\n9i128.sys
2014-02-27 00:52:57    15232    -c--a-w-    c:\windows\system32\dllcache\mpe.sys
2014-02-27 00:51:58    19016    -c--a-w-    c:\windows\system32\dllcache\ktc111.sys
2014-02-27 00:50:56    372824    -c--a-w-    c:\windows\system32\dllcache\iconf32.dll
2014-02-27 00:49:59    115807    -c--a-w-    c:\windows\system32\dllcache\hsf_fsks.sys
2014-02-27 00:48:58    92160    -c--a-w-    c:\windows\system32\dllcache\fuusd.dll
2014-02-27 00:47:59    283904    -c--a-w-    c:\windows\system32\dllcache\emu10k1m.sys
2014-02-27 00:46:59    29531    -c--a-w-    c:\windows\system32\dllcache\dgapci.sys
2014-02-27 00:45:59    39680    -c--a-w-    c:\windows\system32\dllcache\cb325.sys
2014-02-27 00:44:59    30671    -c--a-w-    c:\windows\system32\dllcache\ati1raxx.sys
2014-02-26 11:33:22    39464    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ce1c76d5-de2a-487d-af00-743cceccd2bf}\MpKsl6e652ef1.sys
2014-02-26 11:29:33    --------    d-----w-    C:\5c08871d453224f2b5fe2d7cc9
2014-02-26 02:27:40    7947048    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ce1c76d5-de2a-487d-af00-743cceccd2bf}\mpengine.dll
2014-02-24 03:25:29    --------    d-----w-    c:\documents and settings\all users\application data\Malwarebytes' Anti-Malware (portable)
2014-02-24 03:23:48    52312    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-02-24 03:20:53    --------    d-----w-    c:\windows\ERUNT
2014-02-20 03:30:48    7947048    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
.
==================== Find3M  ====================
.
2014-01-27 00:31:04    410784    ----a-w-    c:\windows\system32\drivers\enystizj.sys
2014-01-26 18:24:19    410784    ----a-w-    c:\windows\system32\drivers\czuscbpy.sys
2014-01-26 18:23:28    410784    ----a-w-    c:\windows\system32\drivers\bfcdqnus.sys
2014-01-19 07:32:23    231584    ------w-    c:\windows\system32\MpSigStub.exe
2014-01-16 23:53:32    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-01-16 23:53:32    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-01-04 03:13:05    420864    ----a-w-    c:\windows\system32\vbscript.dll
.
============= FINISH: 22:26:41.71 ===============
 

 

__________________________

 

 

Recap of symptoms: Windows XP Pro SP3 desktop, doesn't shut down, sluggish computer. When I use a web browser (tried Firefox, Chrome and even IE), all of them bring the system down to a crawl / not usable. Everything seems to work great in Safe Mode.


Edited by sportsfroma2, 27 February 2014 - 10:54 PM.



#2 polskamachina

  • Malware Response Team
  • 3,961 posts

Posted 01 March 2014 - 10:52 PM

Hi sportsfroma2 :)
 
My name is polskamachina and I will be assisting you with your malware problems. Please give me some time to review your DDS log and the other reports you collected from the "Am I Infected?" forum.

 

What follows below are some ground rules for this forum:

I will reply as soon as possible (typically within 24-48 hours). In turn, I ask that you please respond within 72 hours. If you know you will be away longer than that, please let me know.

I am in California at GMT-8 Hours (Pacific Standard Time). If I do not respond to you within 48 hours, feel free to send me a private message.

Some points for you to keep in mind:

  • Do NOT run any tools unless instructed to do so.
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Do not attach logs or use code boxes, just copy and paste the text.
  • I cannot see your computer. Periodically update me on the condition of your computer, and provide as much detail as you can in every post.
  • Once things seem to be working again, please do not abandon the thread. I will give an "all-clean" message at the very end.
  • NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a flash drive, anywhere except on the computer.
  • NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. Please remember to copy the entire post so you do not miss any instructions.

polskamachina



#3 polskamachina

  • Malware Response Team
  • 3,961 posts

Posted 03 March 2014 - 01:24 PM

Hi sportsfroma2 :)
 
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

You will need to have your internet connection enabled to run this tool properly.

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
 
Let me know if you have any questions. How is your computer behaving now?
 
polskamachina



#4 sportsfroma2
  • Topic Starter

  • Members
  • 33 posts

Posted 03 March 2014 - 09:00 PM

Hello polskamachina! First off, thank you for taking a look at this :)

 

I was supposed to run ComboFix from "normal" mode (not Safe Mode), right?

 

Since you didn't specify Safe Mode, I'm running it in "normal" mode. How long does ComboFix usually run?

 

So far it's been over an hour, and the computer is still at the "preparing log report. do not run any programs until ComboFix has finished" screen... it's been at that screen for at least 15 minutes (possibly longer, but I had stepped away from the computer while ComboFix was running; didn't want to get tempted to use the mouse or anything).



#5 sportsfroma2
  • Topic Starter

  • Members
  • 33 posts

Posted 03 March 2014 - 10:24 PM

OK, I hope this worked OK:

 

ComboFix 14-03-03.02 - Administrator 03/03/2014  19:47:25.5.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1563 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
 * Created a new restore point
.
.
(((((((((((((((((((((((((   Files Created from 2014-02-04 to 2014-03-04  )))))))))))))))))))))))))))))))
.
.
2014-03-04 00:45 . 2014-03-04 00:45    39464    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CE1C76D5-DE2A-487D-AF00-743CCECCD2BF}\MpKsl9e31eadf.sys
2014-02-28 02:30 . 2014-02-28 02:30    39464    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CE1C76D5-DE2A-487D-AF00-743CCECCD2BF}\MpKsl92efb2f2.sys
2014-02-28 02:12 . 2014-02-28 02:12    39464    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CE1C76D5-DE2A-487D-AF00-743CCECCD2BF}\MpKsl2f126d21.sys
2014-02-28 02:00 . 2014-02-28 02:00    39464    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CE1C76D5-DE2A-487D-AF00-743CCECCD2BF}\MpKsl74823d8e.sys
2014-02-27 04:15 . 2014-02-27 04:15    39464    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CE1C76D5-DE2A-487D-AF00-743CCECCD2BF}\MpKsl72041a82.sys
2014-02-27 03:56 . 2014-02-27 03:56    39464    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CE1C76D5-DE2A-487D-AF00-743CCECCD2BF}\MpKslb4ded025.sys
2014-02-27 03:45 . 2014-02-27 03:45    39464    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CE1C76D5-DE2A-487D-AF00-743CCECCD2BF}\MpKslb143a9b3.sys
2014-02-27 03:36 . 2014-02-27 03:36    39464    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CE1C76D5-DE2A-487D-AF00-743CCECCD2BF}\MpKsl6f52f615.sys
2014-02-27 02:57 . 2014-02-27 02:57    39464    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CE1C76D5-DE2A-487D-AF00-743CCECCD2BF}\MpKsla8061674.sys
2014-02-27 02:44 . 2014-02-27 02:44    39464    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CE1C76D5-DE2A-487D-AF00-743CCECCD2BF}\MpKsl22511f09.sys
2014-02-27 01:04 . 2008-04-14 10:42    116224    -c--a-w-    c:\windows\system32\dllcache\xrxwiadr.dll
2014-02-27 01:04 . 2001-08-18 03:36    23040    -c--a-w-    c:\windows\system32\dllcache\xrxwbtmp.dll
2014-02-27 01:04 . 2008-04-14 10:42    18944    -c--a-w-    c:\windows\system32\dllcache\xrxscnui.dll
2014-02-27 01:04 . 2001-08-18 03:37    27648    -c--a-w-    c:\windows\system32\dllcache\xrxftplt.exe
2014-02-27 01:04 . 2001-08-18 03:37    4608    -c--a-w-    c:\windows\system32\dllcache\xrxflnch.exe
2014-02-27 01:02 . 2001-08-17 17:13    19016    -c--a-w-    c:\windows\system32\dllcache\w926nd.sys
2014-02-27 01:01 . 2001-08-18 03:36    50688    -c--a-w-    c:\windows\system32\dllcache\umaxscan.dll
2014-02-27 01:00 . 2001-08-17 17:51    138528    -c--a-w-    c:\windows\system32\dllcache\tgiulnt5.sys
2014-02-27 00:59 . 2001-08-17 18:51    16896    -c--a-w-    c:\windows\system32\dllcache\stcusb.sys
2014-02-27 00:58 . 2001-08-18 03:36    28160    -c--a-w-    c:\windows\system32\dllcache\sm91w.dll
2014-02-27 00:57 . 2001-08-17 18:51    17280    -c--a-w-    c:\windows\system32\dllcache\scr111.sys
2014-02-27 00:56 . 2008-04-14 05:16    59136    -c--a-w-    c:\windows\system32\dllcache\rfcomm.sys
2014-02-27 00:55 . 2001-08-18 03:36    121344    -c--a-w-    c:\windows\system32\dllcache\phvfwext.dll
2014-02-27 00:54 . 2001-08-17 19:05    25088    -c--a-w-    c:\windows\system32\dllcache\ovca.sys
2014-02-27 00:53 . 2001-08-17 17:50    13664    -c--a-w-    c:\windows\system32\dllcache\n9i128.sys
2014-02-27 00:52 . 2008-04-14 05:16    15232    -c--a-w-    c:\windows\system32\dllcache\mpe.sys
2014-02-27 00:51 . 2001-08-17 17:12    19016    -c--a-w-    c:\windows\system32\dllcache\ktc111.sys
2014-02-27 00:50 . 2001-08-18 03:36    372824    -c--a-w-    c:\windows\system32\dllcache\iconf32.dll
2014-02-27 00:49 . 2001-08-17 18:28    115807    -c--a-w-    c:\windows\system32\dllcache\hsf_fsks.sys
2014-02-27 00:48 . 2001-08-18 03:36    92160    -c--a-w-    c:\windows\system32\dllcache\fuusd.dll
2014-02-27 00:47 . 2001-08-17 17:19    283904    -c--a-w-    c:\windows\system32\dllcache\emu10k1m.sys
2014-02-27 00:46 . 2001-08-17 17:17    29531    -c--a-w-    c:\windows\system32\dllcache\dgapci.sys
2014-02-27 00:45 . 2001-08-17 17:12    39680    -c--a-w-    c:\windows\system32\dllcache\cb325.sys
2014-02-27 00:44 . 2008-04-14 03:04    30671    -c--a-w-    c:\windows\system32\dllcache\ati1raxx.sys
2014-02-26 11:33 . 2014-02-26 11:33    39464    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CE1C76D5-DE2A-487D-AF00-743CCECCD2BF}\MpKsl6e652ef1.sys
2014-02-26 11:29 . 2014-02-26 11:29    --------    d-----w-    C:\5c08871d453224f2b5fe2d7cc9
2014-02-26 02:27 . 2014-02-06 07:08    7947048    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CE1C76D5-DE2A-487D-AF00-743CCECCD2BF}\mpengine.dll
2014-02-24 03:25 . 2014-02-24 03:35    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2014-02-24 03:23 . 2014-02-24 03:23    52312    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-02-24 03:20 . 2014-02-24 03:20    --------    d-----w-    c:\windows\ERUNT
2014-02-20 03:30 . 2014-02-06 07:08    7947048    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-01-27 00:31 . 2014-01-27 00:31    410784    ----a-w-    c:\windows\system32\drivers\enystizj.sys
2014-01-26 18:24 . 2014-01-26 18:24    410784    ----a-w-    c:\windows\system32\drivers\czuscbpy.sys
2014-01-26 18:23 . 2014-01-26 18:23    410784    ----a-w-    c:\windows\system32\drivers\bfcdqnus.sys
2014-01-19 07:32 . 2010-08-04 21:40    231584    ------w-    c:\windows\system32\MpSigStub.exe
2014-01-16 23:53 . 2012-12-10 22:43    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-01-16 23:53 . 2012-12-10 22:43    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-01-04 03:13 . 2008-04-14 10:42    420864    ----a-w-    c:\windows\system32\vbscript.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-08-09 . AA611AE608A6CEAB1D13648D9834ED5A . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="e:\program files\Valve\Steam\steam.exe" [2014-02-25 1821888]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-08-09 17881600]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-28 13684736]
"nwiz"="nwiz.exe" [2009-03-28 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-28 86016]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-09-22 564496]
"SetDefPrt"="c:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 864256]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2008-12-03 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-03 688218]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-10-23 948440]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 434080]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-08 128512]
.
c:\documents and settings\michelle coe\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2009-2-26 97680]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2009-2-26 97680]
RCA Detective.lnk - c:\documents and settings\Administrator\My Documents\RCA Detective\RCADetective.exe [2011-9-16 1069056]
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R1 MpKsl9e31eadf;MpKsl9e31eadf;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CE1C76D5-DE2A-487D-AF00-743CCECCD2BF}\MpKsl9e31eadf.sys [3/3/2014 7:45 PM 39464]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SUPERAntiSpyware\SABKUTIL.sys --> c:\program files\SUPERAntiSpyware\SABKUTIL.sys [?]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [11/9/2012 11:21 AM 160944]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/9/2009 4:09 PM 1684736]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL9E31EADF
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper    REG_MULTI_SZ       getPlusHelper
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-02-25 02:31    1150280    ----a-w-    c:\program files\Google\Chrome\Application\33.0.1750.117\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-03-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-11 02:00]
.
2014-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-11 02:00]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
Trusted Zone: facebook.com\www
Trusted Zone: youtube.com\www
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\xpnfs4wb.default-1392871144062\
.
.
------- File Associations -------
.
.scr=DWGTrueViewScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-03-03 19:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-484763869-1604221776-1801674531-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,86,64,4a,34,61,5c,58,4b,bf,d2,8c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6d,cc,8d,5d,eb,e3,67,47,ba,0a,f0,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,86,64,4a,34,61,5c,58,4b,bf,d2,8c,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,86,64,4a,34,61,5c,58,4b,bf,d2,8c,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,86,64,4a,34,61,5c,58,4b,bf,d2,8c,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\sxs.dll
.
- - - - - - - > 'explorer.exe'(3936)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\windows\system32\AcSignIcon.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\nvwddi.dll
c:\program files\Common Files\Autodesk Shared\AcSignCore16.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2014-03-03  22:12:41
ComboFix-quarantined-files.txt  2014-03-04 03:12
.
Pre-Run: 107,551,158,272 bytes free
Post-Run: 107,593,248,768 bytes free
.
- - End Of File - - 579263FBA6F6C13619949563AF512795
8F558EB6672622401DA993E1E865C861
 



#6 sportsfroma2

sportsfroma2
  • Topic Starter

  • Members
  • 33 posts

Posted 03 March 2014 - 10:43 PM

As for how the computer is running:

 

In normal mode, the computer is still freezing whenever I open any of the web browsers (Firefox or Chrome), which makes replying to this topic from that computer a little difficult (I either respond from another computer, like I am now, or have to boot into Safe Mode with Networking to post logs and that stuff there).

 

Also the computer still seemingly freezes when I try to shut it down in normal mode.



#7 polskamachina

polskamachina

  • Malware Response Team
  • 3,961 posts
  • Gender:Male

Posted 05 March 2014 - 11:19 AM

Hi sportsfroma2 :)

 

 

I am sorry to hear that you're still experiencing freezing problems.

 

The answer to your question:

Since you didn't specify Safe Mode, I'm running it in "normal" mode. How long does ComboFix usually run?

 

ComboFix is optimized to run in normal mode. The fact that the scan took over an hour to complete may be a symptom of something but it's too early for me to determine that yet.

 

Please let me know: other than opening your browser or trying to shut down the computer, does the system lock-up occur when you open any other programs?

 

polskamachina



#8 sportsfroma2

sportsfroma2
  • Topic Starter

  • Members
  • 33 posts

Posted 05 March 2014 - 10:13 PM

OK, so I was able to play a game of solitaire, no problems.

 

However, when I try to open a Word file, Word froze. It should be noted that the entire computer does not freeze: the mouse is still totally operational and I could actually play solitaire with the frozen Word window open; it's just that the Word window doesn't do anything, and I'm able to close it. That's the same thing that happens when I try to use any web browser: the mouse is still responsive and I can access the Start menu, etc., but the application window itself is unusable.

 

The same thing happens when I try an MSE quick scan: it just stops after a few seconds at "Items scanned: 20" - Item: c:\windows\explorer.exe

 

Hope this helps.



#9 polskamachina

polskamachina

  • Malware Response Team
  • 3,961 posts
  • Gender:Male

Posted 06 March 2014 - 11:01 AM

Hi sportsfroma2

 

Yes, that information is quite helpful. :thumbsup: Let me research your situation a bit more and I will get back to you.

 

polskamachina



#10 polskamachina

polskamachina

  • Malware Response Team
  • 3,961 posts
  • Gender:Male

Posted 06 March 2014 - 03:01 PM

Hi sportsfroma2 :)

 

Please follow the directions below:
 
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:
 

File::
c:\windows\system32\drivers\enystizj.sys
c:\windows\system32\drivers\czuscbpy.sys
c:\windows\system32\drivers\bfcdqnus.sys

ClearJavaCache::

 
Save this as CFScript.txt, in the same location as ComboFix.exe


[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
 
Let me know if you have any questions. Is your computer still freezing up?
 
polskamachina



#11 sportsfroma2

sportsfroma2
  • Topic Starter

  • Members
  • 33 posts

Posted 06 March 2014 - 03:49 PM

Thank you, I will be trying this tonight. Just to make sure, what is the best way to turn MSE off?

Edited by sportsfroma2, 06 March 2014 - 03:50 PM.


#12 polskamachina

polskamachina

  • Malware Response Team
  • 3,961 posts
  • Gender:Male

Posted 06 March 2014 - 04:41 PM

Hi sportsfroma2 :)

 

You can right-click the MSE icon in the tray. Then select open. You will be presented with the main window of MSE. Click on the settings tab, then uncheck the box, Turn on real-time protection.

 

Remember to re-enable real-time protection after ComboFix has completed the task.

 

polskamachina



#13 sportsfroma2

sportsfroma2
  • Topic Starter

  • Members
  • 33 posts

Posted 06 March 2014 - 11:44 PM

Log:

 

ComboFix 14-03-05.01 - Administrator 03/06/2014  22:34:12.8.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1580 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
FILE ::
"c:\windows\system32\drivers\bfcdqnus.sys"
"c:\windows\system32\drivers\czuscbpy.sys"
"c:\windows\system32\drivers\enystizj.sys"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
.
(((((((((((((((((((((((((   Files Created from 2014-02-07 to 2014-03-07  )))))))))))))))))))))))))))))))
.
.
2014-03-07 04:01 . 2014-03-07 04:01    39464    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{12A7EF33-418E-4A1D-A000-60DACF455745}\MpKslda5a35ed.sys
2014-03-07 03:30 . 2014-03-07 03:30    39464    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{12A7EF33-418E-4A1D-A000-60DACF455745}\MpKsl5c7133be.sys
2014-03-07 03:16 . 2014-03-07 03:16    39464    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{12A7EF33-418E-4A1D-A000-60DACF455745}\MpKslc2481e51.sys
2014-03-07 02:41 . 2014-02-06 07:08    7947048    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{12A7EF33-418E-4A1D-A000-60DACF455745}\mpengine.dll
2014-03-07 02:10 . 2014-03-07 02:10    --------    d-----w-    c:\program files\ESET
2014-02-27 01:04 . 2008-04-14 10:42    116224    -c--a-w-    c:\windows\system32\dllcache\xrxwiadr.dll
2014-02-27 01:04 . 2001-08-18 03:36    23040    -c--a-w-    c:\windows\system32\dllcache\xrxwbtmp.dll
2014-02-27 01:04 . 2008-04-14 10:42    18944    -c--a-w-    c:\windows\system32\dllcache\xrxscnui.dll
2014-02-27 01:04 . 2001-08-18 03:37    27648    -c--a-w-    c:\windows\system32\dllcache\xrxftplt.exe
2014-02-27 01:04 . 2001-08-18 03:37    4608    -c--a-w-    c:\windows\system32\dllcache\xrxflnch.exe
2014-02-27 01:02 . 2001-08-17 17:13    19016    -c--a-w-    c:\windows\system32\dllcache\w926nd.sys
2014-02-27 01:01 . 2001-08-18 03:36    50688    -c--a-w-    c:\windows\system32\dllcache\umaxscan.dll
2014-02-27 01:00 . 2001-08-17 17:51    138528    -c--a-w-    c:\windows\system32\dllcache\tgiulnt5.sys
2014-02-27 00:59 . 2001-08-17 18:51    16896    -c--a-w-    c:\windows\system32\dllcache\stcusb.sys
2014-02-27 00:58 . 2001-08-18 03:36    28160    -c--a-w-    c:\windows\system32\dllcache\sm91w.dll
2014-02-27 00:57 . 2001-08-17 18:51    17280    -c--a-w-    c:\windows\system32\dllcache\scr111.sys
2014-02-27 00:56 . 2008-04-14 05:16    59136    -c--a-w-    c:\windows\system32\dllcache\rfcomm.sys
2014-02-27 00:55 . 2001-08-18 03:36    121344    -c--a-w-    c:\windows\system32\dllcache\phvfwext.dll
2014-02-27 00:54 . 2001-08-17 19:05    25088    -c--a-w-    c:\windows\system32\dllcache\ovca.sys
2014-02-27 00:53 . 2001-08-17 17:50    13664    -c--a-w-    c:\windows\system32\dllcache\n9i128.sys
2014-02-27 00:52 . 2008-04-14 05:16    15232    -c--a-w-    c:\windows\system32\dllcache\mpe.sys
2014-02-27 00:51 . 2001-08-17 17:12    19016    -c--a-w-    c:\windows\system32\dllcache\ktc111.sys
2014-02-27 00:50 . 2001-08-18 03:36    372824    -c--a-w-    c:\windows\system32\dllcache\iconf32.dll
2014-02-27 00:49 . 2001-08-17 18:28    115807    -c--a-w-    c:\windows\system32\dllcache\hsf_fsks.sys
2014-02-27 00:48 . 2001-08-18 03:36    92160    -c--a-w-    c:\windows\system32\dllcache\fuusd.dll
2014-02-27 00:47 . 2001-08-17 17:19    283904    -c--a-w-    c:\windows\system32\dllcache\emu10k1m.sys
2014-02-27 00:46 . 2001-08-17 17:17    29531    -c--a-w-    c:\windows\system32\dllcache\dgapci.sys
2014-02-27 00:45 . 2001-08-17 17:12    39680    -c--a-w-    c:\windows\system32\dllcache\cb325.sys
2014-02-27 00:44 . 2008-04-14 03:04    30671    -c--a-w-    c:\windows\system32\dllcache\ati1raxx.sys
2014-02-26 11:29 . 2014-02-26 11:29    --------    d-----w-    C:\5c08871d453224f2b5fe2d7cc9
2014-02-26 02:27 . 2014-02-06 07:08    7947048    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-02-24 03:25 . 2014-02-24 03:35    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2014-02-24 03:23 . 2014-02-24 03:23    52312    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-02-24 03:20 . 2014-02-24 03:20    --------    d-----w-    c:\windows\ERUNT
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-02-05 23:26 . 2008-04-14 10:42    920064    ----a-w-    c:\windows\system32\wininet.dll
2014-02-05 23:26 . 2008-04-14 10:41    43520    ----a-w-    c:\windows\system32\licmgr10.dll
2014-02-05 23:26 . 2008-04-14 10:42    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2014-02-05 23:26 . 2008-04-14 10:41    18944    ----a-w-    c:\windows\system32\corpol.dll
2014-02-05 22:24 . 2008-04-14 05:07    385024    ----a-w-    c:\windows\system32\html.iec
2014-01-19 07:32 . 2010-08-04 21:40    231584    ------w-    c:\windows\system32\MpSigStub.exe
2014-01-16 23:53 . 2012-12-10 22:43    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-01-16 23:53 . 2012-12-10 22:43    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-01-04 03:13 . 2008-04-14 10:42    420864    ----a-w-    c:\windows\system32\vbscript.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-08-09 . AA611AE608A6CEAB1D13648D9834ED5A . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="e:\program files\Valve\Steam\steam.exe" [2014-02-25 1821888]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-08-09 17881600]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-28 13684736]
"nwiz"="nwiz.exe" [2009-03-28 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-28 86016]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-09-22 564496]
"SetDefPrt"="c:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 864256]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2008-12-03 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-03 688218]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-10-23 948440]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 434080]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-08 128512]
.
c:\documents and settings\michelle coe\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2009-2-26 97680]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2009-2-26 97680]
RCA Detective.lnk - c:\documents and settings\Administrator\My Documents\RCA Detective\RCADetective.exe [2011-9-16 1069056]
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R1 MpKslda5a35ed;MpKslda5a35ed;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{12A7EF33-418E-4A1D-A000-60DACF455745}\MpKslda5a35ed.sys [3/6/2014 11:01 PM 39464]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SUPERAntiSpyware\SABKUTIL.sys --> c:\program files\SUPERAntiSpyware\SABKUTIL.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/9/2009 4:09 PM 1684736]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLDA5A35ED
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper    REG_MULTI_SZ       getPlusHelper
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-03-07 01:27    1150280    ----a-w-    c:\program files\Google\Chrome\Application\33.0.1750.146\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-03-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-11 02:00]
.
2014-03-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-11 02:00]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
Trusted Zone: facebook.com\www
Trusted Zone: youtube.com\www
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\xpnfs4wb.default-1392871144062\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-03-06 23:02
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-484763869-1604221776-1801674531-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,86,64,4a,34,61,5c,58,4b,bf,d2,8c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6d,cc,8d,5d,eb,e3,67,47,ba,0a,f0,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,86,64,4a,34,61,5c,58,4b,bf,d2,8c,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,86,64,4a,34,61,5c,58,4b,bf,d2,8c,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,86,64,4a,34,61,5c,58,4b,bf,d2,8c,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(5660)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\windows\system32\AcSignIcon.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\nvwddi.dll
c:\program files\Common Files\Autodesk Shared\AcSignCore16.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\windows\system32\crypserv.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\nvsvc32.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\rundll32.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Microsoft Security Client\MpCmdRun.exe
c:\program files\Microsoft Security Client\MpCmdRun.exe
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2014-03-06  23:19:32 - machine was rebooted
ComboFix-quarantined-files.txt  2014-03-07 04:19
ComboFix2.txt  2014-03-07 02:04
ComboFix3.txt  2014-03-04 03:34
ComboFix4.txt  2014-03-04 03:12
.
Pre-Run: 106,607,853,568 bytes free
Post-Run: 106,807,283,712 bytes free
.
- - End Of File - - 140674DAEC59B2FC53545A1C52A6DC20
8F558EB6672622401DA993E1E865C861
Computer status: no improvement; all previous problems (lockups and being unable to shut down) persist.

 

 

More information: I spoke to my buddy again, and he said this has been going on for over a month. Not sure if that helps or not, but I figured I'd pass on the info. He didn't mention this starting up after anything specific, though, so no other clues.

 

Thanks again for all your help.



#14 sportsfroma2

sportsfroma2
  • Topic Starter

  • Members
  • 33 posts

Posted 09 March 2014 - 12:29 AM

Alright, sorry, I was getting anxious so I ran VIPRE Rescue, and it found a number of things (I believe around 90, many of which were Conduit toolbar related items). However, I thought there would be a log/report or something, but I cannot find it, or I did not know where to look to find its log.

Then I ran the Emsisoft Emergency Kit Scanner:
 
Emsisoft Emergency Kit - Version 4.0
Last update: 3/8/2014 11:14:46 PM
User account: NICK\Administrator

Scan settings:

Scan type: Deep Scan
Objects: Rootkits, Memory, Traces, C:\, E:\

Detect PUPs:   On
Scan archives:    On
ADS Scan:    On
File extension filter:    Off
Advanced caching:    On
Direct disk access:    Off

Scan start:    3/8/2014 11:16:14 PM
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS     detected: Setting.DisableRegistryTools (A)
C:\Documents and Settings\Administrator\Desktop\Old Firefox Data\y8lqpqv5.default\extensions\4fd666f12e53e@4fd666f12e576.info\content\jsext.js     detected: Gen:Adware.MPlug.1 (B )
C:\Documents and Settings\Administrator\Desktop\Old Firefox Data\y8lqpqv5.default\extensions\4fd666fd9bb59@4fd666fd9bb91.info\content\jsext.js     detected: Gen:Adware.MPlug.1 (B )
C:\Documents and Settings\Administrator\Desktop\Old Firefox Data\y8lqpqv5.default\extensions\4fd66a6283aeb@4fd66a6283b26.info\content\jsext.js     detected: Gen:Adware.MPlug.1 (B )
C:\VIPRERESCUE\Quarantine\{064F711C-E322-411E-A1D1-78AEFCE88F1B}_ENC2 -> (Quarantine-PE)     detected: Win32.Virtob.Gen.12 (B )
C:\VIPRERESCUE\Quarantine\{3C796065-215F-4D75-8F8E-FCAF8DCA1647}_ENC2 -> (Quarantine-PE)     detected: Win32.Virtob.Gen.12 (B )
C:\VIPRERESCUE\Quarantine\{47B08BA5-A81F-4AF6-9A06-8ABFCD18A54E}_ENC2 -> (Quarantine-PE)     detected: Win32.Virtob.Gen.12 (B )
C:\VIPRERESCUE\Quarantine\{B4DCF884-5105-4531-A5E6-3E9A33B506EC}_ENC2 -> (Quarantine-PE)     detected: Win32.Virtob.Gen.12 (B )
C:\WINDOWS\system32\c_7265210.nls     detected: Trojan.Simda.B (B )
E:\System Volume Information\_restore{B99C1D78-A8E0-4692-8153-05AA2E7A526A}\RP923\A0161481.exe     detected: Win32.Virtob.Gen.12 (B )
E:\System Volume Information\_restore{B99C1D78-A8E0-4692-8153-05AA2E7A526A}\RP923\A0161482.exe     detected: Win32.Virtob.Gen.12 (B )
E:\System Volume Information\_restore{B99C1D78-A8E0-4692-8153-05AA2E7A526A}\RP923\A0161483.exe     detected: Win32.Virtob.Gen.12 (B )
E:\System Volume Information\_restore{B99C1D78-A8E0-4692-8153-05AA2E7A526A}\RP923\A0161484.exe     detected: Win32.Virtob.Gen.12 (B )

Scanned    189263
Found    13

Scan end:    3/9/2014 12:20:39 AM
Scan time:    1:04:25

C:\WINDOWS\system32\c_7265210.nls    Deleted Trojan.Simda.B (B )
C:\VIPRERESCUE\Quarantine\{064F711C-E322-411E-A1D1-78AEFCE88F1B}_ENC2    Deleted Win32.Virtob.Gen.12 (B )
C:\VIPRERESCUE\Quarantine\{3C796065-215F-4D75-8F8E-FCAF8DCA1647}_ENC2    Deleted Win32.Virtob.Gen.12 (B )
C:\VIPRERESCUE\Quarantine\{47B08BA5-A81F-4AF6-9A06-8ABFCD18A54E}_ENC2    Deleted Win32.Virtob.Gen.12 (B )
C:\VIPRERESCUE\Quarantine\{B4DCF884-5105-4531-A5E6-3E9A33B506EC}_ENC2    Deleted Win32.Virtob.Gen.12 (B )
E:\System Volume Information\_restore{B99C1D78-A8E0-4692-8153-05AA2E7A526A}\RP923\A0161481.exe    Deleted Win32.Virtob.Gen.12 ( B )
E:\System Volume Information\_restore{B99C1D78-A8E0-4692-8153-05AA2E7A526A}\RP923\A0161482.exe    Deleted Win32.Virtob.Gen.12 ( B )
E:\System Volume Information\_restore{B99C1D78-A8E0-4692-8153-05AA2E7A526A}\RP923\A0161483.exe    Deleted Win32.Virtob.Gen.12 (B )
E:\System Volume Information\_restore{B99C1D78-A8E0-4692-8153-05AA2E7A526A}\RP923\A0161484.exe    Deleted Win32.Virtob.Gen.12 (B )
C:\Documents and Settings\Administrator\Desktop\Old Firefox Data\y8lqpqv5.default\extensions\4fd666f12e53e@4fd666f12e576.info\content\jsext.js    Deleted Gen:Adware.MPlug.1 (B )
C:\Documents and Settings\Administrator\Desktop\Old Firefox Data\y8lqpqv5.default\extensions\4fd666fd9bb59@4fd666fd9bb91.info\content\jsext.js    Deleted Gen:Adware.MPlug.1 (B )
C:\Documents and Settings\Administrator\Desktop\Old Firefox Data\y8lqpqv5.default\extensions\4fd66a6283aeb@4fd66a6283b26.info\content\jsext.js    Deleted Gen:Adware.MPlug.1 (B )
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS    Deleted Setting.DisableRegistryTools (A)

Deleted    13
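As an added example (not Emsisoft's code or anything the posters ran), a Python triage helper that parses Emsisoft Emergency Kit report lines in the format shown above, reconciles the "detected:" entries against the "Deleted" entries and the Found/Deleted counters, and separates inert copies (a quarantine folder, restore points, a backed-up Firefox profile) from the one live system file. The location categories and the shortened sample log are my own assumptions, drawn from the lines in the post.

```python
import re
from collections import Counter

# Constructed sample: a subset of the Emsisoft Emergency Kit 4.0 report posted in
# the thread (one line per location type), with the matching "Deleted" lines that
# follow the scan summary. A real report lists every hit in both sections.
SAMPLE_LOG = r"""
Scan start:    3/8/2014 11:16:14 PM
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS     detected: Setting.DisableRegistryTools (A)
C:\Documents and Settings\Administrator\Desktop\Old Firefox Data\y8lqpqv5.default\extensions\4fd666f12e53e@4fd666f12e576.info\content\jsext.js     detected: Gen:Adware.MPlug.1 (B )
C:\VIPRERESCUE\Quarantine\{064F711C-E322-411E-A1D1-78AEFCE88F1B}_ENC2 -> (Quarantine-PE)     detected: Win32.Virtob.Gen.12 (B )
C:\WINDOWS\system32\c_7265210.nls     detected: Trojan.Simda.B (B )
E:\System Volume Information\_restore{B99C1D78-A8E0-4692-8153-05AA2E7A526A}\RP923\A0161481.exe     detected: Win32.Virtob.Gen.12 (B )

Scanned    189263
Found    5

Scan end:    3/9/2014 12:20:39 AM
Scan time:    1:04:25

C:\WINDOWS\system32\c_7265210.nls    Deleted Trojan.Simda.B (B )
C:\VIPRERESCUE\Quarantine\{064F711C-E322-411E-A1D1-78AEFCE88F1B}_ENC2    Deleted Win32.Virtob.Gen.12 (B )
E:\System Volume Information\_restore{B99C1D78-A8E0-4692-8153-05AA2E7A526A}\RP923\A0161481.exe    Deleted Win32.Virtob.Gen.12 ( B )
C:\Documents and Settings\Administrator\Desktop\Old Firefox Data\y8lqpqv5.default\extensions\4fd666f12e53e@4fd666f12e576.info\content\jsext.js    Deleted Gen:Adware.MPlug.1 (B )
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS    Deleted Setting.DisableRegistryTools (A)

Deleted    5
"""

# Constructed failure case: the live Simda file is detected but never deleted.
UNRESOLVED_VARIANT = SAMPLE_LOG.replace(
    r"C:\WINDOWS\system32\c_7265210.nls    Deleted Trojan.Simda.B (B )" + "\n", "")

# One record: item, two or more spaces, verb, threat name, engine tag "(A)" / "( B )".
ITEM_RE = re.compile(
    r"^(?P<item>\S.*?)\s{2,}(?P<verb>detected:|Deleted)\s+(?P<threat>\S+)\s+\(\s*(?P<engine>[AB])\s*\)\s*$")
SUMMARY_RE = re.compile(r"^(?P<key>Scanned|Found|Deleted)\s+(?P<count>\d+)\s*$")
QUARANTINE_SUFFIX_RE = re.compile(r"\s*->\s*\(Quarantine-PE\)$")


def normalize(item):
    """Drop the '-> (Quarantine-PE)' annotation so detected and Deleted lines compare equal."""
    return QUARANTINE_SUFFIX_RE.sub("", item).strip()


def parse_report(text):
    """Return (detected, deleted, summary): item -> threat maps plus the numeric counters."""
    detected, deleted, summary = {}, {}, {}
    for line in text.splitlines():
        m = ITEM_RE.match(line)
        if m:
            target = detected if m["verb"] == "detected:" else deleted
            target[normalize(m["item"])] = m["threat"]
            continue
        s = SUMMARY_RE.match(line)
        if s:
            summary[s["key"]] = int(s["count"])
    return detected, deleted, summary


def classify(item):
    """Where a hit lives decides its urgency (categories are this example's assumption)."""
    low = item.lower()
    if low.startswith("value: "):
        return "registry setting"
    if "\\quarantine\\" in low:
        return "quarantined copy (inert)"
    if "\\system volume information\\_restore" in low:
        return "restore point copy (inert)"
    if "\\old firefox data\\" in low:
        return "offline profile backup"
    return "live file"


def triage(text):
    """Summarise a report: hit categories, live files, and anything detected but not deleted."""
    detected, deleted, summary = parse_report(text)
    return {
        "categories": Counter(classify(i) for i in detected),
        "live": sorted(i for i in detected if classify(i) == "live file"),
        "unresolved": sorted(i for i in detected if i not in deleted),
        # The Found/Deleted counters must agree with the lines actually listed.
        "summary_consistent": summary.get("Found") == len(detected)
        and summary.get("Deleted") == len(deleted),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

In the thread's full report all 13 detections have a matching Deleted line, so the only item that needed attention as a live infection was c_7265210.nls; the quarantine and restore point hits are inert copies of already-neutralised files.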

#15 polskamachina

polskamachina

  • Malware Response Team
  • 3,961 posts
  • Gender:Male

Posted 09 March 2014 - 01:02 AM

Hi sportsfroma2 :)

 

I can understand your anxiety waiting for the next step. All I can ask you now is, is your machine still locking up?

 

polskamachina


