
Infected by blaster worm


  • This topic is locked
34 replies to this topic

#1 necklacemaker

necklacemaker

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Tacoma, WA
  • Local time:04:11 AM

Posted 29 March 2014 - 09:49 PM

When running Secunia PSI I was told I had an end-of-life Microsoft removal tool called Blaster/Nachi. I tried to manually delete it, but it keeps reappearing... please help if you can. By the way, I do realize my PC is ancient, but I don't have a new one yet :)

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.51.2
Run by Elizabeth at 19:25:21 on 2014-03-29
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.2039.1165 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ================
.
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%25s
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: Yontoo: {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kingso~1\kingso~2.lnk - c:\program files\kingsoft\kingsoft office\office6\wpp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kingso~1\kingso~3.lnk - c:\program files\kingsoft\kingsoft office\office6\et.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kingso~1\kingso~1.lnk - c:\program files\kingsoft\kingsoft office\office6\wps.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kingso~1\what's~1.lnk - c:\program files\kingsoft\kingsoft office\office6\whatsnew.txt
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kingso~1\kingso~1\checkf~1.lnk - c:\program files\kingsoft\kingsoft office\wtoolex\wpsupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kingso~1\kingso~1\config~1.lnk - c:\program files\kingsoft\kingsoft office\office6\ksomisc.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kingso~1\kingso~1\uninst~1.lnk - c:\program files\kingsoft\kingsoft office\utility\uninst.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
TCP: NameServer = 192.168.0.1 205.171.3.25
TCP: Interfaces\{9F8C8760-2540-4BDC-92E5-AC424F0776D1} : DHCPNameServer = 192.168.0.1 205.171.3.25
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\elizabeth\application data\mozilla\firefox\profiles\iv1foac8.default-1385006228515\
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.30214.0\npctrlui.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1207148.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1210150.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_12_0_0_77.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 214696]
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [2008-9-16 17968]
R1 MpKslb33883fe;MpKslb33883fe;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{25d3538e-1387-4a22-9b29-d9178315716f}\MpKslb33883fe.sys [2014-3-29 39464]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2011-8-11 116608]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-1-10 993848]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-1-10 399416]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 V90drv;v90drv;c:\windows\system32\drivers\v90drv.sys [2001-11-29 1432836]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
.
=============== Created Last 30 ================
.
2014-03-30 00:07:17    --------    d-----w-    c:\documents and settings\elizabeth\application data\ElevatedDiagnostics
2014-03-29 20:57:46    39464    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{25d3538e-1387-4a22-9b29-d9178315716f}\MpKslb33883fe.sys
2014-03-29 03:53:04    7969936    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{25d3538e-1387-4a22-9b29-d9178315716f}\mpengine.dll
2014-03-28 03:38:45    7969936    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2014-03-27 09:02:46    --------    d-----w-    c:\windows\SHELLNEW
2014-03-27 08:12:09    --------    d-----w-    c:\documents and settings\elizabeth\local settings\application data\Secunia PSI
2014-03-27 08:11:55    --------    d-----w-    c:\program files\Secunia
2014-03-27 06:24:24    145408    ----a-w-    c:\windows\system32\javacpl.cpl
2014-03-27 06:24:16    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2014-03-26 23:40:22    13312    -c----w-    c:\windows\system32\dllcache\xp_eos.exe
2014-03-26 23:40:22    13312    ------w-    c:\windows\system32\xp_eos.exe
2014-03-20 06:26:01    93808    ----a-w-    c:\program files\mozilla firefox\webapprt-stub.exe
2014-03-20 06:26:01    23186032    ----a-w-    c:\program files\mozilla firefox\xul.dll
.
==================== Find3M  ====================
.
2014-03-12 09:08:42    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-03-12 09:08:42    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-02-24 11:46:36    920064    ----a-w-    c:\windows\system32\wininet.dll
2014-02-24 11:45:58    43520    ----a-w-    c:\windows\system32\licmgr10.dll
2014-02-24 11:45:57    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2014-02-24 11:45:42    18944    ----a-w-    c:\windows\system32\corpol.dll
2014-02-24 10:54:21    385024    ----a-w-    c:\windows\system32\html.iec
2014-02-07 02:01:37    1879040    ----a-w-    c:\windows\system32\win32k.sys
2014-02-05 08:55:04    562688    ----a-w-    c:\windows\system32\qedit.dll
2014-01-19 07:32:23    231584    -c----w-    c:\windows\system32\MpSigStub.exe
2014-01-04 03:13:05    420864    ----a-w-    c:\windows\system32\vbscript.dll
.
============= FINISH: 19:26:28.23 ===============

Attached File  attach.txt   22.92KB   6 downloads

 

 

 

 

 



#2 Clairvoyant

Clairvoyant

  • Malware Response Team
  • 1,564 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:somewhere in time
  • Local time:01:11 PM

Posted 30 March 2014 - 02:35 PM

Hello necklacemaker and :welcome: to BC.


I will be helping with your computer problems.

Before starting please note the following:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know
  • Do not make any changes on your own to the computer (installing/uninstalling programs, deleting files, modifying the registry, running scanners or other tools, etc.) without instructions to do so
  • Please read every post completely and perform all steps in the specified order. If you can't understand something or you encounter problems please stop and let me know
  • Do not attach logs, use code or quote boxes. Just copy and paste the text unless directed otherwise
  • Even if things appear to be better, it does not mean we have finished. Follow my instructions and reply back until I tell you that your computer is clean.
  • Please reply using the Add Reply button in the lower right hand corner of your screen

I'm analyzing your logs; I'll get back to you as soon as possible. :)


Regards 



#3 necklacemaker

necklacemaker
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Tacoma, WA
  • Local time:04:11 AM

Posted 30 March 2014 - 09:24 PM

Thank you! :)



#4 Clairvoyant

Clairvoyant

  • Malware Response Team
  • 1,564 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:somewhere in time
  • Local time:01:11 PM

Posted 01 April 2014 - 01:59 PM

Hello necklacemaker,

 

it seems there is nothing serious on your computer, but we have to do something to solve your problems and improve your security level. :)

 

For now, please download AdwCleaner and JRT, then:

 

1- Run AdwCleaner

  • Close all open programs and internet browsers
  • Double click on the AdwCleaner icon to run the tool
  • Click on the Scan button
  • Once the scan has finished, click on the Clean button
  • Press OK when asked to close all programs and follow the onscreen prompts
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process
  • After rebooting, the logfile report will open automatically, close it

2- Run JRT

  • Shut down your protection software now to avoid potential conflicts
  • Double click on the JRT icon to run the tool
  • When the black window opens, press any key to continue
  • On completion, the log file JRT.txt is saved to your desktop and will automatically open

In your next reply please post the contents of the C:\AdwCleaner\AdwCleaner[S0].txt and the JRT.txt files.

 

 

Regards

 


#5 Clairvoyant

Clairvoyant

  • Malware Response Team
  • 1,564 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:somewhere in time
  • Local time:01:11 PM

Posted 04 April 2014 - 01:20 PM

Hello necklacemaker,

 

are you still with us?

If you will not reply in the next two days, the topic will be closed.

 

 

Regards

 


#6 necklacemaker

necklacemaker
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Tacoma, WA
  • Local time:04:11 AM

Posted 04 April 2014 - 08:19 PM

Yes, I'm still here... sorry, I have been busy with work. I have run AdwCleaner, but have a question: what all constitutes protection software? I'm sure Microsoft Security Essentials is one (and should I shut this down permanently?)... but what about NoScript or Self-Destructing Cookies? Does my firewall also fall under this list? Sorry for all the questions... I'm also zombied out from lack of sleep...



#7 Clairvoyant

Clairvoyant

  • Malware Response Team
  • 1,564 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:somewhere in time
  • Local time:01:11 PM

Posted 05 April 2014 - 06:23 AM

Hi necklacemaker :),

 

Security software has to be disabled only for the scan; afterwards you have to re-enable it. This topic describes how to disable the most commonly used security software.

 

Microsoft Security Essentials should be disabled, and also SUPERAntiSpyware if it is running.

About the firewall, it appears there isn't any third-party firewall installed. Do you mean the Windows Firewall, or the firewall inside the router? In either case you don't need to do anything with them.

There is no need to act on the installed Firefox plugins, either.

 

 

Regards

 

 



#8 necklacemaker

necklacemaker
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Tacoma, WA
  • Local time:04:11 AM

Posted 06 April 2014 - 08:00 PM

# AdwCleaner v3.023 - Report created 06/04/2014 at 17:18:38
# Updated 01/04/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Elizabeth - LIZ
# Running from : C:\Documents and Settings\Elizabeth\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v28.0 (en-US)

[ File : C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\iv1foac8.default-1385006228515\prefs.js ]


[ File : C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\zjt3si9m.test\prefs.js ]


*************************

AdwCleaner[R0].txt - [3661 octets] - [04/04/2014 17:43:16]
AdwCleaner[R1].txt - [1061 octets] - [06/04/2014 17:16:34]
AdwCleaner[S0].txt - [3704 octets] - [04/04/2014 17:48:00]
AdwCleaner[S1].txt - [984 octets] - [06/04/2014 17:18:38]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1043 octets] ##########
 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Microsoft Windows XP x86
Ran by Elizabeth on Sun 04/06/2014 at 17:28:23.07
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ FireFox

Successfully deleted: [File] C:\user.js





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 04/06/2014 at 17:35:02.48
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 



#9 Clairvoyant

Clairvoyant

  • Malware Response Team
  • 1,564 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:somewhere in time
  • Local time:01:11 PM

Posted 07 April 2014 - 01:34 PM

Hi necklacemaker :)

 

well done, but you have pasted the wrong AdwCleaner log.

We need it before we proceed.

 

You can find it in C:\AdwCleaner\AdwCleaner[S0].txt 

 

Please post that log in your next reply.

 

 

Regards

 



#10 necklacemaker

necklacemaker
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Tacoma, WA
  • Local time:04:11 AM

Posted 08 April 2014 - 02:37 AM

# AdwCleaner v3.023 - Report created 04/04/2014 at 17:48:00
# Updated 01/04/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Elizabeth - LIZ
# Running from : C:\Documents and Settings\Elizabeth\My Documents\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\AI_RecycleBin
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Ask
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Babylon
Folder Deleted : C:\Program Files\OApps
Folder Deleted : C:\WINDOWS\system32\AI_RecycleBin
Folder Deleted : C:\Documents and Settings\Elizabeth\Application Data\strongvault
File Deleted : C:\END

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\YontooIEClient.DLL
Key Deleted : HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr
Key Deleted : HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr.1
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Api
Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Api.1
Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Layers
Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Layers.1
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E46C8196-B634-44A1-AF6E-957C64278AB1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\findlyrics
Key Deleted : HKCU\Software\Zugo
Key Deleted : HKLM\Software\Babylon
Key Deleted : HKLM\Software\Tarma Installer
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{79A765E1-C399-405B-85AF-466F52E918B0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls [Tabs]

-\\ Mozilla Firefox v28.0 (en-US)

[ File : C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\iv1foac8.default-1385006228515\prefs.js ]

Line Deleted : user_pref("extensions.aniweather.timeShifted", 803829);

[ File : C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\zjt3si9m.test\prefs.js ]


*************************

AdwCleaner[R0].txt - [3661 octets] - [04/04/2014 17:43:16]
AdwCleaner[S0].txt - [3564 octets] - [04/04/2014 17:48:00]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3624 octets] ##########
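As an added example (not part of this thread, and not code from DDS or AdwCleaner), the following Python script cross-references the two log formats posted above: it parses the `BHO:` lines of a DDS "Pseudo HJT Report" and the `Key Deleted :` lines of an AdwCleaner report, then flags any BHO that has no DLL path or whose CLSID AdwCleaner removed. The sample lines are constructed from the logs in this thread (the Yontoo entry with the empty path in post #1 and the deleted `{FD72061E-...}` keys here); the function names are my own and the line regexes are my reading of the formats shown on this page.

```python
"""Correlate BHO entries from a DDS log with registry keys deleted by AdwCleaner.

A BHO registered without a DLL path is an orphaned registration, and a BHO
whose CLSID shows up in AdwCleaner's 'Key Deleted' lines was treated as
adware by that tool. Both are worth a second look when reviewing the logs.
"""
import re

# Constructed sample input, copied from the DDS log format shown in this thread.
DDS_SAMPLE = """\
BHO: Java(TM) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\\program files\\java\\jre7\\bin\\ssv.dll
BHO: Yontoo: {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} -
mRun: [MSC] "c:\\program files\\microsoft security client\\msseces.exe" -hide -runkey
"""

# Constructed sample input, copied from the AdwCleaner report format shown in this thread.
ADW_SAMPLE = """\
Key Deleted : HKLM\\SOFTWARE\\Classes\\CLSID\\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Key Deleted : HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Key Deleted : HKCU\\Software\\Conduit
"""

# "BHO: <name>: {CLSID} - <path>"; the path may be empty, as in the Yontoo line.
BHO_RE = re.compile(
    r"^BHO: (?P<name>.*?): (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - ?(?P<path>.*)$"
)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse_dds_bhos(dds_text):
    """Return a list of {name, clsid, path} dicts for every BHO line in a DDS log."""
    bhos = []
    for line in dds_text.splitlines():
        m = BHO_RE.match(line)
        if m:
            bhos.append({
                "name": m.group("name"),
                "clsid": m.group("clsid").upper(),
                "path": m.group("path").strip(),
            })
    return bhos


def parse_adw_deleted_clsids(adw_text):
    """Return the set of CLSIDs that appear in AdwCleaner 'Key Deleted' lines."""
    deleted = set()
    for line in adw_text.splitlines():
        if line.startswith("Key Deleted :"):
            for clsid in CLSID_RE.findall(line):
                deleted.add(clsid.upper())
    return deleted


def review_bhos(dds_text, adw_text):
    """Annotate each DDS BHO with the reasons (if any) it deserves attention."""
    deleted = parse_adw_deleted_clsids(adw_text)
    findings = []
    for bho in parse_dds_bhos(dds_text):
        flags = []
        if not bho["path"]:
            flags.append("no DLL path (orphaned registration)")
        if bho["clsid"] in deleted:
            flags.append("CLSID removed by AdwCleaner")
        findings.append({**bho, "flags": flags})
    return findings


if __name__ == "__main__":
    for f in review_bhos(DDS_SAMPLE, ADW_SAMPLE):
        status = "; ".join(f["flags"]) or "ok"
        print(f"{f['clsid']}  {f['name']:<28} {status}")
```

Run against real logs, read the two files and pass their text to `review_bhos` instead of the samples; the Java helper comes back clean while the Yontoo entry carries both flags.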
 



#11 Clairvoyant

Clairvoyant

  • Malware Response Team
  • 1,564 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:somewhere in time
  • Local time:01:11 PM

Posted 09 April 2014 - 01:22 PM

Hello necklacemaker,

 

that's what I expected.  :)

 

Now we start securing your machine to mitigate the risk of new infections.

Since XP is at the end of its support, we have to do something to make it as secure as possible.

 

Let's start with updating your installed software.

Please download Secunia PSI 3 from here, then uninstall your installed copy via Control Panel => Add/Remove Programs => select Secunia PSI => click on Remove.

Next install the fresh copy of PSI, perform a scan with it, install all proposed updates and finally perform a new DDS scan.

 

In your next reply please paste the new DDS log and the latest attach.txt file.

Please also let me know if the installed copy of SUPER Antispyware is a Pro license or a free one, it's important for the next step.

 

 

Regards



#12 necklacemaker

necklacemaker
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Tacoma, WA
  • Local time:04:11 AM

Posted 11 April 2014 - 02:40 AM

Hello - question: how do you perform a DDS scan? I've installed the new PSI and run all the updates I could do (obviously I can't update Windows XP), but I also couldn't update/delete the Blaster/Nachi worm... PSI sent me to the MS Malicious Software Removal Tool... which didn't catch it, even with a full scan. Also, should I remove MS Security Essentials?

 

thank you



#13 Clairvoyant

Clairvoyant

  • Malware Response Team
  • 1,564 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:somewhere in time
  • Local time:01:11 PM

Posted 11 April 2014 - 02:24 PM

Hello necklacemaker,

 

you already did a DDS scan before, and you posted the results in your post #1. You have to do the same things you did for that post. :)
You can also find instructions at point 6 of this topic.

About MS Security Essentials, we have to remove it, but not now. Before doing it, among other things, we need to check the required logs (DDS and attach.txt).
 
Please also let me know about SUPER Antispyware:

Please also let me know if the installed copy of SUPER Antispyware is a Pro license or a free one, it's important for the next step



Regards



#14 necklacemaker

necklacemaker
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Tacoma, WA
  • Local time:04:11 AM

Posted 11 April 2014 - 10:41 PM

Hello - my SUPERAntiSpyware is the free version:

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.51.2
Run by Elizabeth at 20:28:56 on 2014-04-11
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.2039.1250 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ================
.
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%25s
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kingso~1\kingso~2.lnk - c:\program files\kingsoft\kingsoft office\office6\wpp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kingso~1\kingso~3.lnk - c:\program files\kingsoft\kingsoft office\office6\et.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kingso~1\kingso~1.lnk - c:\program files\kingsoft\kingsoft office\office6\wps.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kingso~1\what's~1.lnk - c:\program files\kingsoft\kingsoft office\office6\whatsnew.txt
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kingso~1\kingso~1\checkf~1.lnk - c:\program files\kingsoft\kingsoft office\wtoolex\wpsupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kingso~1\kingso~1\config~1.lnk - c:\program files\kingsoft\kingsoft office\office6\ksomisc.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kingso~1\kingso~1\uninst~1.lnk - c:\program files\kingsoft\kingsoft office\utility\uninst.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
TCP: NameServer = 192.168.0.1 205.171.3.25
TCP: Interfaces\{9F8C8760-2540-4BDC-92E5-AC424F0776D1} : DHCPNameServer = 192.168.0.1 205.171.3.25
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\elizabeth\application data\mozilla\firefox\profiles\iv1foac8.default-1385006228515\
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.30214.0\npctrlui.dll
FF - plugin: c:\program files\picasa2\npPicasa3.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1207148.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1210150.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_13_0_0_182.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 231960]
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [2008-9-16 17968]
R1 MpKsl51d48291;MpKsl51d48291;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{12ebed10-f6bb-42ea-97ad-4c83ab942a82}\MpKsl51d48291.sys [2014-4-11 39464]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2011-8-11 116608]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2013-12-6 1229528]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf_x86.sys [2013-12-6 16024]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2013-12-6 662232]
S3 V90drv;v90drv;c:\windows\system32\drivers\v90drv.sys [2001-11-29 1432836]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
.
=============== Created Last 30 ================
.
2014-04-12 03:07:10    39464    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{12ebed10-f6bb-42ea-97ad-4c83ab942a82}\MpKsl51d48291.sys
2014-04-11 07:06:43    7969936    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{12ebed10-f6bb-42ea-97ad-4c83ab942a82}\mpengine.dll
2014-04-09 17:58:09    7969936    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2014-04-07 00:28:21    --------    d-----w-    c:\windows\ERUNT
2014-04-05 00:38:19    --------    d-----w-    C:\AdwCleaner
2014-03-30 00:07:17    --------    d-----w-    c:\documents and settings\elizabeth\application data\ElevatedDiagnostics
2014-03-27 09:02:46    --------    d-----w-    c:\windows\SHELLNEW
2014-03-27 08:12:09    --------    d-----w-    c:\documents and settings\elizabeth\local settings\application data\Secunia PSI
2014-03-27 08:11:55    --------    d-----w-    c:\program files\Secunia
2014-03-27 06:24:24    145408    ----a-w-    c:\windows\system32\javacpl.cpl
2014-03-27 06:24:16    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2014-03-26 23:40:22    13312    -c----w-    c:\windows\system32\dllcache\xp_eos.exe
2014-03-26 23:40:22    13312    ------w-    c:\windows\system32\xp_eos.exe
2014-03-20 06:26:01    93808    ----a-w-    c:\program files\mozilla firefox\webapprt-stub.exe
2014-03-20 06:26:01    23186032    ----a-w-    c:\program files\mozilla firefox\xul.dll
.
==================== Find3M  ====================
.
2014-04-10 04:21:38    692400    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-04-10 04:21:37    70832    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-03-06 17:59:23    920064    ----a-w-    c:\windows\system32\wininet.dll
2014-03-06 17:59:22    43520    ----a-w-    c:\windows\system32\licmgr10.dll
2014-03-06 17:59:22    18944    ----a-w-    c:\windows\system32\corpol.dll
2014-03-06 17:59:22    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2014-03-06 00:46:54    385024    ----a-w-    c:\windows\system32\html.iec
2014-02-07 02:01:37    1879040    ----a-w-    c:\windows\system32\win32k.sys
2014-02-05 08:55:04    562688    ----a-w-    c:\windows\system32\qedit.dll
2014-01-25 08:19:42    231960    ----a-w-    c:\windows\system32\drivers\MpFilter.sys
2014-01-19 07:32:23    231584    -c----w-    c:\windows\system32\MpSigStub.exe
.
============= FINISH: 20:29:34.60 ===============

 


Edited by necklacemaker, 11 April 2014 - 10:49 PM.


#15 necklacemaker

necklacemaker
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Tacoma, WA
  • Local time:04:11 AM

Posted 11 April 2014 - 10:59 PM

Attached File  attach.zip   4.62KB   4 downloads





