
c:\windows\System32\wbem\mofcomp.exe


  • This topic is locked
14 replies to this topic

#1 zube

  • Members
  • 19 posts

Posted 12 March 2014 - 07:19 AM

Hi,

I was running a routine MBAM scan and it found this:

Registry Keys Detected: 1
HKLM\Software\InstallIQ (PUP.Optional.InstallBrain.A) -> Quarantined and deleted successfully

 

I then ran Combo Fix and this is the log from it:

ComboFix 14-03-10.01 -  03/12/2014   7:55.29.8 - x64
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.6133.4844 [GMT -4:00]
Running from: f:\junk\ComboFix.exe
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\System32\wbem\mofcomp.exe . . . is infected!!
.
c:\windows\SysWOW64\wbem\mofcomp.exe . . . is infected!!
.
.
(((((((((((((((((((((((((   Files Created from 2014-02-12 to 2014-03-12  )))))))))))))))))))))))))))))))
.
.
2014-03-12 12:08 . 2014-03-12 12:08    --------    d-----w-    c:\users\Ty\AppData\Local\temp
2014-03-12 12:08 . 2014-03-12 12:08    --------    d-----w-    c:\users\Public\AppData\Local\temp
2014-03-12 12:08 . 2014-03-12 12:08    --------    d-----w-    c:\users\Mikee\AppData\Local\temp
2014-03-12 12:08 . 2014-03-12 12:08    --------    d-----w-    c:\users\Mike\AppData\Local\temp
2014-03-12 12:08 . 2014-03-12 12:08    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-03-12 12:08 . 2014-03-12 12:08    --------    d-----w-    c:\users\AppData\AppData\Local\temp
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-02-20 19:22 . 2012-08-10 15:01    71048    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-02-20 19:22 . 2012-08-10 15:01    692616    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2013-12-31 15:27 . 2009-05-29 03:29    291128    ----a-w-    c:\windows\SysWow64\PnkBstrB.xtr
2013-12-31 15:27 . 2009-05-29 02:24    291128    ----a-w-    c:\windows\SysWow64\PnkBstrB.ex0
2013-12-31 15:24 . 2009-05-29 02:24    291128    ----a-w-    c:\windows\SysWow64\PnkBstrB.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files (x86)\Windows Media Player\WMPNSCFG.exe" [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
R3 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper    REG_MULTI_SZ       nosGetPlusHelper
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2014-03-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-10 19:22]
.
2014-03-12 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files (x86)\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 18:20]
.
2014-03-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-28 20:26]
.
2014-03-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-28 20:26]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2008-12-26 6962208]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2008-12-26 1833504]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-01-27 1612880]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = %SystemRoot%\system32\blank.htm
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 46.48.153.54:3128
IE: &Windows Live Search - c:\program files (x86)\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\wpclsp.dll
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Mikee\AppData\Roaming\Mozilla\Firefox\Profiles\2rop22hw.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: network.proxy.http - 122.129.118.186
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.type - 0
FF - user.js: extensions.autoDisableScopes - 14
.
.

 

 

So, this is saying I have system files infected. Any help would be appreciated?





#2 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 12 March 2014 - 07:59 AM

Hi there,
My name is Marius and I will assist you with your malware-related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

ComboFix is no toy - don't run it unless advised to do so!

Please post up the whole log file.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 zube
  • Topic Starter
  • Members
  • 19 posts

Posted 12 March 2014 - 02:18 PM

ComboFix 14-03-10.01 - Mikee 03/12/2014   7:55.29.8 - x64
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.6133.4844 [GMT -4:00]
Running from: f:\junk\ComboFix.exe
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\System32\wbem\mofcomp.exe . . . is infected!!
.
c:\windows\SysWOW64\wbem\mofcomp.exe . . . is infected!!
.
.
(((((((((((((((((((((((((   Files Created from 2014-02-12 to 2014-03-12  )))))))))))))))))))))))))))))))
.
.
2014-03-12 12:08 . 2014-03-12 12:08    --------    d-----w-    c:\users\Ty\AppData\Local\temp
2014-03-12 12:08 . 2014-03-12 12:08    --------    d-----w-    c:\users\Public\AppData\Local\temp
2014-03-12 12:08 . 2014-03-12 12:08    --------    d-----w-    c:\users\Mikee\AppData\Local\temp
2014-03-12 12:08 . 2014-03-12 12:08    --------    d-----w-    c:\users\Mike\AppData\Local\temp
2014-03-12 12:08 . 2014-03-12 12:08    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-03-12 12:08 . 2014-03-12 12:08    --------    d-----w-    c:\users\AppData\AppData\Local\temp
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-02-20 19:22 . 2012-08-10 15:01    71048    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-02-20 19:22 . 2012-08-10 15:01    692616    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2013-12-31 15:27 . 2009-05-29 03:29    291128    ----a-w-    c:\windows\SysWow64\PnkBstrB.xtr
2013-12-31 15:27 . 2009-05-29 02:24    291128    ----a-w-    c:\windows\SysWow64\PnkBstrB.ex0
2013-12-31 15:24 . 2009-05-29 02:24    291128    ----a-w-    c:\windows\SysWow64\PnkBstrB.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files (x86)\Windows Media Player\WMPNSCFG.exe" [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
R3 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper    REG_MULTI_SZ       nosGetPlusHelper
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2014-03-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-10 19:22]
.
2014-03-12 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files (x86)\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 18:20]
.
2014-03-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-28 20:26]
.
2014-03-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-28 20:26]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2008-12-26 6962208]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2008-12-26 1833504]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-01-27 1612880]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = %SystemRoot%\system32\blank.htm
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 46.48.153.54:3128
IE: &Windows Live Search - c:\program files (x86)\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\wpclsp.dll
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Mikee\AppData\Roaming\Mozilla\Firefox\Profiles\2rop22hw.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: network.proxy.http - 122.129.118.186
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.type - 0
FF - user.js: extensions.autoDisableScopes - 14
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
Completion time: 2014-03-12  08:09:52
ComboFix-quarantined-files.txt  2014-03-12 12:09
ComboFix2.txt  2014-03-02 22:32
ComboFix3.txt  2013-06-08 12:04
ComboFix4.txt  2013-05-26 01:59
ComboFix5.txt  2014-03-12 11:54
.
Pre-Run: 56,946,638,848 bytes free
Post-Run: 57,071,890,432 bytes free
.
- - End Of File - - 38D009DD3C061C4F2B59EA0056E63B82
5C616939100B85E558DA92B899A0FC36
 



#4 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 13 March 2014 - 06:23 AM

Combofix scripting

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.


[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Attached Files



#5 zube
  • Topic Starter
  • Members
  • 19 posts

Posted 13 March 2014 - 07:00 AM

ComboFix 14-03-10.01 - Mikee 03/13/2014   7:52.30.8 - x64
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.6133.4931 [GMT -4:00]
Running from: f:\junk\ComboFix.exe
Command switches used :: f:\junk\CFScript.txt
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\System32\wbem\mofcomp.exe . . . is infected!!
.
c:\windows\SysWOW64\wbem\mofcomp.exe . . . is infected!!
.
.
(((((((((((((((((((((((((   Files Created from 2014-02-13 to 2014-03-13  )))))))))))))))))))))))))))))))
.
.
2014-03-13 11:57 . 2014-03-13 11:57    --------    d-----w-    c:\users\Ty\AppData\Local\temp
2014-03-13 11:57 . 2014-03-13 11:57    --------    d-----w-    c:\users\Public\AppData\Local\temp
2014-03-13 11:57 . 2014-03-13 11:57    --------    d-----w-    c:\users\Mikee\AppData\Local\temp
2014-03-13 11:57 . 2014-03-13 11:57    --------    d-----w-    c:\users\Mike\AppData\Local\temp
2014-03-13 11:57 . 2014-03-13 11:57    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-03-13 11:57 . 2014-03-13 11:57    --------    d-----w-    c:\users\AppData\AppData\Local\temp
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-03-12 19:22 . 2012-08-10 15:01    71048    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-03-12 19:22 . 2012-08-10 15:01    692616    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2013-12-31 15:27 . 2009-05-29 03:29    291128    ----a-w-    c:\windows\SysWow64\PnkBstrB.xtr
2013-12-31 15:27 . 2009-05-29 02:24    291128    ----a-w-    c:\windows\SysWow64\PnkBstrB.ex0
2013-12-31 15:24 . 2009-05-29 02:24    291128    ----a-w-    c:\windows\SysWow64\PnkBstrB.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files (x86)\Windows Media Player\WMPNSCFG.exe" [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
R3 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper    REG_MULTI_SZ       nosGetPlusHelper
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2014-03-12 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-10 19:22]
.
2014-03-12 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files (x86)\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 18:20]
.
2014-03-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-28 20:26]
.
2014-03-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-28 20:26]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2008-12-26 6962208]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2008-12-26 1833504]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-01-27 1612880]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = %SystemRoot%\system32\blank.htm
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 46.48.153.54:3128
IE: &Windows Live Search - c:\program files (x86)\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\wpclsp.dll
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Mikee\AppData\Roaming\Mozilla\Firefox\Profiles\2rop22hw.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: network.proxy.http - 122.129.118.186
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.type - 0
FF - user.js: extensions.autoDisableScopes - 14
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
Completion time: 2014-03-13  07:58:15
ComboFix-quarantined-files.txt  2014-03-13 11:58
ComboFix2.txt  2014-03-12 12:09
ComboFix3.txt  2014-03-02 22:32
ComboFix4.txt  2013-06-08 12:04
ComboFix5.txt  2014-03-13 11:42
.
Pre-Run: 57,128,673,280 bytes free
Post-Run: 57,070,260,224 bytes free
.
- - End Of File - - A41F55270800B1DE1D97717510F14821
5C616939100B85E558DA92B899A0FC36
 



#6 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 13 March 2014 - 08:40 AM

Scan with SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    mofcomp.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt.

#7 zube
  • Topic Starter
  • Members
  • 19 posts

Posted 13 March 2014 - 01:41 PM

SystemLook 30.07.11 by jpshortstuff
Log created at 14:39 on 13/03/2014 by Mikee
Administrator - Elevation successful
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

========== filefind ==========

Searching for "mofcomp.exe"
C:\Windows\System32\wbem\mofcomp.exe    --a---- 19968 bytes    [02:48 21/01/2008]    [02:48 21/01/2008] A93B7BD95F23408228BCAF7D066BF925
C:\Windows\SysWOW64\wbem\mofcomp.exe    --a---- 19968 bytes    [02:48 21/01/2008]    [02:48 21/01/2008] A93B7BD95F23408228BCAF7D066BF925
C:\Windows\winsxs\amd64_microsoft-windows-wmi-core_31bf3856ad364e35_6.0.6001.18000_none_15729e98d7f61129\mofcomp.exe    --a---- 22528 bytes    [02:50 21/01/2008]    [02:50 21/01/2008] AEA1DE456B8BD0C334F5383FBA0C2B5A
C:\Windows\winsxs\amd64_microsoft-windows-wmi-core_31bf3856ad364e35_6.0.6002.18005_none_175e17a4d517dc75\mofcomp.exe    --a---- 22528 bytes    [02:50 21/01/2008]    [02:50 21/01/2008] AEA1DE456B8BD0C334F5383FBA0C2B5A
C:\Windows\winsxs\wow64_microsoft-windows-wmi-core_31bf3856ad364e35_6.0.6001.18000_none_1fc748eb0c56d324\mofcomp.exe    --a---- 19968 bytes    [02:48 21/01/2008]    [02:48 21/01/2008] A93B7BD95F23408228BCAF7D066BF925
C:\Windows\winsxs\wow64_microsoft-windows-wmi-core_31bf3856ad364e35_6.0.6002.18005_none_21b2c1f709789e70\mofcomp.exe    --a---- 19968 bytes    [02:48 21/01/2008]    [02:48 21/01/2008] A93B7BD95F23408228BCAF7D066BF925

-= EOF =-
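Added example (not code from SystemLook's author, ComboFix, or anyone in this thread): a Python script that parses the ':filefind' output above and checks each live copy of mofcomp.exe against the MD5 hashes of the copies kept in the winsxs component store, flagging a hash that belongs to the other bitness or to no store copy at all. The embedded log text is constructed from the post above; treating a System32 hit as the native amd64 copy assumes an x64 host, and the WOW64 warning in the log is used to explain why the System32 hit hashes like a 32-bit file.

```python
# Added example for this thread (not code from SystemLook's author, ComboFix or the
# posters): parse SystemLook ':filefind' output and check each live copy of a system
# binary against the hashes held in the winsxs component store.
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed input: the WOW64 warning and filefind block from the log in post #7.
SYSTEMLOOK_LOG = r"""SystemLook 30.07.11 by jpshortstuff
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.
========== filefind ==========
Searching for "mofcomp.exe"
C:\Windows\System32\wbem\mofcomp.exe    --a---- 19968 bytes    [02:48 21/01/2008]    [02:48 21/01/2008] A93B7BD95F23408228BCAF7D066BF925
C:\Windows\SysWOW64\wbem\mofcomp.exe    --a---- 19968 bytes    [02:48 21/01/2008]    [02:48 21/01/2008] A93B7BD95F23408228BCAF7D066BF925
C:\Windows\winsxs\amd64_microsoft-windows-wmi-core_31bf3856ad364e35_6.0.6001.18000_none_15729e98d7f61129\mofcomp.exe    --a---- 22528 bytes    [02:50 21/01/2008]    [02:50 21/01/2008] AEA1DE456B8BD0C334F5383FBA0C2B5A
C:\Windows\winsxs\amd64_microsoft-windows-wmi-core_31bf3856ad364e35_6.0.6002.18005_none_175e17a4d517dc75\mofcomp.exe    --a---- 22528 bytes    [02:50 21/01/2008]    [02:50 21/01/2008] AEA1DE456B8BD0C334F5383FBA0C2B5A
C:\Windows\winsxs\wow64_microsoft-windows-wmi-core_31bf3856ad364e35_6.0.6001.18000_none_1fc748eb0c56d324\mofcomp.exe    --a---- 19968 bytes    [02:48 21/01/2008]    [02:48 21/01/2008] A93B7BD95F23408228BCAF7D066BF925
C:\Windows\winsxs\wow64_microsoft-windows-wmi-core_31bf3856ad364e35_6.0.6002.18005_none_21b2c1f709789e70\mofcomp.exe    --a---- 19968 bytes    [02:48 21/01/2008]    [02:48 21/01/2008] A93B7BD95F23408228BCAF7D066BF925
-= EOF =-
"""

# One filefind result line: path, attribute flags, size, two timestamps, MD5.
FILEFIND_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-A-Za-z]{7})\s+(?P<size>\d+) bytes"
    r"\s+\[[^\]]+\]\s+\[[^\]]+\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)
WINSXS_RE = re.compile(r"\\winsxs\\([^\\]+)\\", re.IGNORECASE)


@dataclass(frozen=True)
class FileHit:
    path: str
    size: int
    md5: str

    @property
    def component(self):
        # winsxs component directory name, or None for a live (non-store) copy
        m = WINSXS_RE.search(self.path)
        return m.group(1) if m else None

    @property
    def arch(self):
        # bitness the copy should have: 'amd64' (native) or 'wow64' (32-bit on x64)
        if self.component:
            return self.component.split("_", 1)[0]
        low = self.path.lower()
        if "\\syswow64\\" in low:
            return "wow64"
        if "\\system32\\" in low:
            return "amd64"  # assumption: an x64 host, as in this thread
        return None


def parse_filefind(log):
    hits = []
    for line in log.splitlines():
        m = FILEFIND_RE.match(line.strip())
        if m:
            hits.append(FileHit(m["path"], int(m["size"]), m["md5"].upper()))
    return hits


def running_under_wow64(log):
    # 32-bit SystemLook under WOW64 has System32 redirected to SysWOW64, so its
    # 'System32' hits describe the 32-bit file, not the native 64-bit one
    return "running under WOW64" in log


def compare_live_to_store(hits):
    # map each live (non-winsxs) path to a verdict from component-store hash matches
    store_by_md5 = defaultdict(list)
    for h in hits:
        if h.component:
            store_by_md5[h.md5].append(h)
    report = {}
    for live in (h for h in hits if not h.component):
        matches = store_by_md5.get(live.md5, [])
        archs = {m.arch for m in matches}
        if not matches:
            verdict = "no-store-match"  # modified, or a version absent from winsxs
        elif live.arch in archs:
            verdict = "match"
        else:
            verdict = "wrong-arch"  # hash belongs to the other bitness
        report[live.path] = {
            "verdict": verdict,
            "matched_archs": sorted(archs),
            "matched_components": sorted(m.component for m in matches),
        }
    return report


def analyze(log):
    report = compare_live_to_store(parse_filefind(log))
    if running_under_wow64(log):
        # Under redirection a 'System32' hit hashing to a wow64 component is
        # expected; re-run the x64 build before treating it as tampering.
        for path, entry in report.items():
            if "\\system32\\" in path.lower() and entry["verdict"] == "wrong-arch":
                entry["verdict"] = "wow64-redirected (rerun SystemLook_x64)"
    return report
```

On the log above, the SysWOW64 copy matches both wow64 store components, and the System32 hit is explained by the WOW64 redirection rather than by a modified native binary; a 'no-store-match' verdict is the case that would warrant replacing the file from the store, as the CFScript step later in this thread does.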



#8 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 15 March 2014 - 08:40 AM

Combofix scripting

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.


[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Attached Files



#9 zube
  • Topic Starter
  • Members
  • 19 posts

Posted 15 March 2014 - 09:56 AM

The system did a restart on completion; here is the log.

 

ComboFix 14-03-13.01 - Mikee 03/15/2014  10:42:40.31.8 - x64
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.6133.4834 [GMT -4:00]
Running from: f:\junk\ComboFix.exe
Command switches used :: f:\junk\CFScript.txt
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\winsxs\amd64_microsoft-windows-wmi-core_31bf3856ad364e35_6.0.6001.18000_none_15729e98d7f61129\mofcomp.exe --> c:\windows\System32\wbem\mofcomp.exe
c:\windows\winsxs\amd64_microsoft-windows-wmi-core_31bf3856ad364e35_6.0.6001.18000_none_15729e98d7f61129\mofcomp.exe --> c:\windows\SysWOW64\wbem\mofcomp.exe
.
(((((((((((((((((((((((((   Files Created from 2014-02-15 to 2014-03-15  )))))))))))))))))))))))))))))))
.
.
2014-03-15 14:47 . 2014-03-15 14:49    --------    d-----w-    c:\users\Mikee\AppData\Local\temp
2014-03-15 14:47 . 2014-03-15 14:47    --------    d-----w-    c:\users\Ty\AppData\Local\temp
2014-03-15 14:47 . 2014-03-15 14:47    --------    d-----w-    c:\users\Public\AppData\Local\temp
2014-03-15 14:47 . 2014-03-15 14:47    --------    d-----w-    c:\users\Mike\AppData\Local\temp
2014-03-15 14:47 . 2014-03-15 14:47    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-03-15 14:47 . 2014-03-15 14:47    --------    d-----w-    c:\users\AppData\AppData\Local\temp
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-03-12 19:22 . 2012-08-10 15:01    71048    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-03-12 19:22 . 2012-08-10 15:01    692616    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2013-12-31 15:27 . 2009-05-29 03:29    291128    ----a-w-    c:\windows\SysWow64\PnkBstrB.xtr
2013-12-31 15:27 . 2009-05-29 02:24    291128    ----a-w-    c:\windows\SysWow64\PnkBstrB.ex0
2013-12-31 15:24 . 2009-05-29 02:24    291128    ----a-w-    c:\windows\SysWow64\PnkBstrB.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files (x86)\Windows Media Player\WMPNSCFG.exe" [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
R3 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper    REG_MULTI_SZ       nosGetPlusHelper
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2014-03-15 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-10 19:22]
.
2014-03-15 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files (x86)\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 18:20]
.
2014-03-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-28 20:26]
.
2014-03-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-28 20:26]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2008-12-26 6962208]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2008-12-26 1833504]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-01-27 1612880]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = %SystemRoot%\system32\blank.htm
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 46.48.153.54:3128
IE: &Windows Live Search - c:\program files (x86)\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\wpclsp.dll
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Mikee\AppData\Roaming\Mozilla\Firefox\Profiles\2rop22hw.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: network.proxy.http - 122.129.118.186
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.type - 0
FF - user.js: extensions.autoDisableScopes - 14
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Kodak\printer\center\KodakSvc.exe
c:\windows\SysWOW64\PnkBstrA.exe
.
**************************************************************************
.
Completion time: 2014-03-15  10:52:55 - machine was rebooted
ComboFix-quarantined-files.txt  2014-03-15 14:52
ComboFix2.txt  2014-03-13 11:58
ComboFix3.txt  2014-03-12 12:09
ComboFix4.txt  2014-03-02 22:32
ComboFix5.txt  2014-03-15 14:40
.
Pre-Run: 57,123,217,408 bytes free
Post-Run: 57,055,277,056 bytes free
.
- - End Of File - - 3A3EA8203A624561F78A20BE6227E700
5C616939100B85E558DA92B899A0FC36
 



#10 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 15 March 2014 - 02:43 PM

No Antivirus Program installed!

I don't see an Anti Virus Program running on your machine.

Download and install an antivirus program, and make sure that you keep it updated.
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.

Two good antivirus programs free for non-commercial home use are
Avast!
or
Microsoft Security Essentials

Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

 

 

 

Full System Scan with Malwarebytes Antimalware

  • If not existing, please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.


If the program is already installed:
  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.



#11 zube

zube
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:02:43 PM

Posted 16 March 2014 - 09:03 AM

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.03.12.06

Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 7.0.6002.18005
Mikee :: MIKE-PC [administrator]

3/16/2014 8:59:37 AM
mbam-log-2014-03-16 (08-59-37).txt

Scan type: Full scan (C:\|E:\|F:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 502635
Time elapsed: 58 minute(s), 34 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCR\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1} (PUP.Optional.Conduit) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 7
C:\Program Files (x86)\Conduit\Community Alerts\Alert.dll (PUP.Optional.Conduit) -> Quarantined and deleted successfully.
F:\Junk\applianflv.exe (PUP.Optional.InstallIQ) -> Quarantined and deleted successfully.
F:\Junk\applianflv_4418(1).exe (PUP.Optional.InstallIQ) -> Quarantined and deleted successfully.
F:\Junk\applianflv_4418.exe (PUP.Optional.InstallIQ) -> Quarantined and deleted successfully.
F:\Junk\instacodecs_4446(1).exe (PUP.Optional.InstallIQ) -> Quarantined and deleted successfully.
F:\Junk\instacodecs_4446.exe (PUP.Optional.InstallIQ) -> Quarantined and deleted successfully.
F:\Junk\SoftonicDownloader_for_voice-changer-software.exe (PUP.Optional.Softonic.A) -> Quarantined and deleted successfully.

(end)
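
The log above, parsed and triaged by a small script. This is an added example, not code from Malwarebytes or from anyone in this thread; the log format (section headers of the form "<Name> Detected: N" followed by item lines "<target> (<family>) -> <action>.") is inferred from the posted log, and the sample input below is that log, trimmed. The script counts detections per family, checks that each section's declared count matches the items actually listed, and flags any item whose action is not "Quarantined and deleted successfully", which is what you would want to know before declaring a machine clean.

```python
"""Parse and triage a Malwarebytes Anti-Malware 1.x text log.

Added example, not Malwarebytes' or the forum's own code. Format assumed
from the log posted above: "<Name> Detected: N" section headers, then
"<target> (<family>) -> <action>." item lines.
"""
import re
from collections import Counter

# Constructed sample: the scan log posted above, trimmed to a few sections.
SAMPLE_LOG = r"""
Malwarebytes Anti-Malware 1.75.0.1300
Database version: v2014.03.12.06

Scan type: Full scan (C:\|E:\|F:\|)
Objects scanned: 502635
Time elapsed: 58 minute(s), 34 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCR\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1} (PUP.Optional.Conduit) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Files Detected: 7
C:\Program Files (x86)\Conduit\Community Alerts\Alert.dll (PUP.Optional.Conduit) -> Quarantined and deleted successfully.
F:\Junk\applianflv.exe (PUP.Optional.InstallIQ) -> Quarantined and deleted successfully.
F:\Junk\applianflv_4418(1).exe (PUP.Optional.InstallIQ) -> Quarantined and deleted successfully.
F:\Junk\applianflv_4418.exe (PUP.Optional.InstallIQ) -> Quarantined and deleted successfully.
F:\Junk\instacodecs_4446(1).exe (PUP.Optional.InstallIQ) -> Quarantined and deleted successfully.
F:\Junk\instacodecs_4446.exe (PUP.Optional.InstallIQ) -> Quarantined and deleted successfully.
F:\Junk\SoftonicDownloader_for_voice-changer-software.exe (PUP.Optional.Softonic.A) -> Quarantined and deleted successfully.

(end)
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# Lazy target so "(x86)" or "(1)" inside a path is not mistaken for the family.
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
META_RE = re.compile(r"^(?P<key>[A-Za-z/ ]+): (?P<value>.+)$")
REMOVED = "Quarantined and deleted successfully"  # action MBAM reports for a cleaned item
SKIP = {"(No malicious items detected)", "(end)"}


def parse_mbam_log(text):
    """Return metadata, per-section items, and any section line that did not parse."""
    report = {"meta": {}, "sections": {}, "unparsed": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in SKIP:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            report["sections"][current] = {"declared": int(m.group("count")), "items": []}
            continue
        if current is None:
            # Header block before the first section: "key: value" scan metadata.
            m = META_RE.match(line)
            if m:
                report["meta"][m.group("key")] = m.group("value")
            continue
        m = ITEM_RE.match(line)
        if m:
            report["sections"][current]["items"].append(m.groupdict())
        else:
            report["unparsed"].append(line)  # never silently drop a line inside a section
    return report


def triage(report):
    """Summarise detections and flag anything that still needs a human look."""
    families = Counter()
    unresolved, mismatched = [], []
    for name, sec in report["sections"].items():
        if len(sec["items"]) != sec["declared"]:
            mismatched.append(name)  # header count disagrees with the listed items
        for item in sec["items"]:
            families[item["family"]] += 1
            if item["action"] != REMOVED:
                unresolved.append(item)  # detected but not removed
    return {
        "total": sum(families.values()),
        "families": dict(families),
        "unresolved": unresolved,
        "mismatched_sections": mismatched,
        "unparsed": report["unparsed"],
        "all_removed": not unresolved,
        "consistent": not mismatched and not report["unparsed"],
    }


if __name__ == "__main__":
    result = triage(parse_mbam_log(SAMPLE_LOG))
    print(f"{result['total']} detections: {result['families']}")
    for item in result["unresolved"]:
        print("still present:", item["target"], "->", item["action"])
```

For the posted log this reports 8 detections across three PUP families, every one quarantined and deleted, with the section counts matching the items listed. A log where an item reads "-> No action taken." (MBAM's wording when nothing is checked before Remove Selected) shows up in `unresolved`, and a section whose header count does not match the lines under it shows up in `mismatched_sections`, which is the kind of inconsistency worth asking about before accepting a log as clean.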
 



#12 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:43 PM

Posted 17 March 2014 - 03:28 AM

Looks good!

Scan with ESET Online Scan

Please go here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.



#13 zube

zube
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:02:43 PM

Posted 17 March 2014 - 06:50 AM

I tried the link for the scanner and I get this message: "The page isn't redirecting properly Firefox has detected that the server is redirecting the request for this address in a way that will never complete."

Also, I tried using IE and it won't connect to that addy either.

??




#14 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:43 PM

Posted 17 March 2014 - 06:55 AM

Please reboot into safe mode with networking and try again.



#15 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:43 PM

Posted 23 March 2014 - 12:58 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



