Windows XP Laptop infected with Crypto Locker and other bad stuff


  • This topic is locked
4 replies to this topic

#1 karnaugh

  • Members
  • 2 posts

Posted 28 April 2014 - 11:37 AM

I think I removed Cryptolocker, but AV does not work. The laptop is also infected with root.necars rootkits.
It says it is blocked by group policy.
This is a personal laptop that has never been installed on a corporate network.
I can run MBAM through safe not regular mode.
 
I ran ComboFix and I think I fixed some stuff, but I am not sure.
 
Here is the logfile from FRST:
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 26-04-2014 03
Ran by Donna (administrator) on SEWING on 28-04-2014 09:57:19
Running from C:\Documents and Settings\Donna\Desktop
Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal
 
The only official download link for FRST:
 
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/ 
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/ 
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(ATI Technologies Inc.) C:\WINDOWS\system32\Ati2evxx.exe
(Microsoft Corporation) c:\Program Files\Microsoft Security Client\MsMpEng.exe
(Intel Corporation) C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
(Intel Corporation ) C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
(Intel® Corporation) C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
(Intel Corporation) C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
(ATI Technologies Inc.) C:\WINDOWS\system32\Ati2evxx.exe
(Microsoft Corporation) C:\WINDOWS\System32\SCardSvr.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint\Apoint.exe
(Intel Corporation) C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
(ATI Technologies, Inc.) C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
() C:\Program Files\Dell\QuickSet\quickset.exe
(CyberLink Corp.) C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
(Sonic Solutions) C:\WINDOWS\system32\dla\tfswctrl.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
(Adobe Systems Incorporated) C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
(Intel) C:\Program Files\Intel\Wireless\Bin\1XConfig.exe
(InstallShield Software Corporation) C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
() c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
(Sun Microsystems, Inc.) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint\Apntex.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\WMPNSCFG.exe
(Google Inc.) C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
() C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
(BVRP Software) C:\Program Files\Digital Line Detect\DLG.exe
(Broadcom Corp.) C:\WINDOWS\system32\basfipm.exe
(Sun Microsystems, Inc.) C:\Program Files\Java\jre6\bin\jqs.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
(Dell Inc.) C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
(Intel Corporation) C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
(Microsoft Corporation) C:\WINDOWS\system32\wscntfy.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
(Microsoft Corporation) C:\WINDOWS\system32\msiexec.exe
(Microsoft Corporation) C:\WINDOWS\system32\MsiExec.exe
 
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [Apoint] => C:\Program Files\Apoint\Apoint.exe [155648 2004-09-13] (Alps Electric Co., Ltd.)
HKLM\...\Run: [IntelWireless] => C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe [385024 2004-10-30] (Intel Corporation)
HKLM\...\Run: [ATIPTA] => C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [344064 2005-05-12] (ATI Technologies, Inc.)
HKLM\...\Run: [Dell QuickSet] => C:\Program Files\Dell\QuickSet\quickset.exe [606208 2005-03-04] ()
HKLM\...\Run: [DVDLauncher] => C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe [53248 2004-04-26] (CyberLink Corp.)
HKLM\...\Run: [UpdateManager] => C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe [110592 2004-01-07] (Sonic Solutions)
HKLM\...\Run: [dla] => C:\WINDOWS\system32\dla\tfswctrl.exe [127035 2004-12-06] (Sonic Solutions)
HKLM\...\Run: [Share-to-Web Namespace Daemon] => c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe [69632 2002-04-17] (Hewlett-Packard)
HKLM\...\Run: [Adobe Photo Downloader] => C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe [57344 2005-06-07] (Adobe Systems Incorporated)
HKLM\...\Run: [ISUSPM Startup] => C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [221184 2004-06-16] (InstallShield Software Corporation)
HKLM\...\Run: [ISUSScheduler] => C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [81920 2004-06-16] (InstallShield Software Corporation)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\qttask.exe [98304 2006-07-27] (Apple Computer, Inc.)
HKLM\...\Run: [PinnacleDriverCheck] => C:\WINDOWS\system32\PSDrvCheck.exe [406016 2003-11-10] ()
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [948440 2013-10-23] (Microsoft Corporation)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM Group Policy restriction on software: C:\Program Files\Malwarebytes' Anti-Malware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Microsoft Security Client <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Common Files\Symantec Shared <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Symantec <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware <====== ATTENTION
Winlogon\Notify\AtiExtEvent: C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)
Winlogon\Notify\IntelWireless: C:\Program Files\Intel\Wireless\Bin\LgNotify.dll (Intel Corporation)
Winlogon\Notify\WRNotifier: WRLogonNTF.dll [X]
HKU\S-1-5-21-1578982631-2026356072-1229932281-1005\...\Run: [WMPNSCFG] => C:\Program Files\Windows Media Player\WMPNSCFG.exe [204288 2006-10-18] (Microsoft Corporation)
HKU\S-1-5-21-1578982631-2026356072-1229932281-1005\...\Run: [swg] => C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2009-11-24] (Google Inc.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
ShortcutTarget: Bluetooth Manager.lnk -> C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe ()
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
ShortcutTarget: Digital Line Detect.lnk -> C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
Startup: C:\Documents and Settings\Donna\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - SHELL32.dll (Microsoft Corporation)
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.igoogle.ca/
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
SearchScopes: HKCU - DefaultScope {BBACB24F-B089-4C63-8B56-6538EDBFAAD9} URL = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}&rlz=1I7SUNC_enCA357
SearchScopes: HKCU - {3E7CC548-684C-44DA-B38E-0617C57A6ACF} URL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
SearchScopes: HKCU - {48D63E56-097A-44F7-BF31-6B7AAFE4BF49} URL = http://www.search.ask.com/web?tpid=ORJ&o=100000027&pf=V5&p2=&gct=sb&itbv=12.10.3.24&apn_uid=C01424E2-B03E-4F0E-9487-3C7245DEBB72&apn_ptnrs=U3&apn_dtid=OSJ000YYCA&apn_dbr=ie_8.0.6001.18702&doi=2014-02-13&trgb=IE&q={searchTerms}&psv=
SearchScopes: HKCU - {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = http://www.ask.com/web?q={SEARCHTERMS}&o=15527&l=dis&prt=360&chn=retail&geo=CA&ver=4
SearchScopes: HKCU - {BBACB24F-B089-4C63-8B56-6538EDBFAAD9} URL = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}&rlz=1I7SUNC_enCA357
BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (Google Inc.)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
Toolbar: HKLM - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
Toolbar: HKCU - &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\SHELL32.dll (Microsoft Corporation)
Toolbar: HKCU - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -  No File
Toolbar: HKCU - &Links - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} https://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.4.2/jinstall-1_4_2_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} https://roam.comptonpetroleum.com/dana-cached/setup/JuniperSetupSP1.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 64.59.135.133 64.59.128.120
 
FireFox:
========
FF Plugin: @java.com/DTPlugin,version=1.6.0_32 - C:\WINDOWS\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Plugin: @java.com/JavaPlugin - C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeLive,version=1.5 - C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF Plugin: @microsoft.com/WLPG,version=14.0.8117.0416 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ []
FF HKLM\...\Firefox\Extensions: [jqs@sun.com] - C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF Extension: Java Quick Starter - C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2012-05-02]
 
Chrome: 
=======
CHR HomePage: hxxp://www.google.com/
CHR StartupUrls: "hxxp://www.google.com/"
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\34.0.1847.116\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\34.0.1847.116\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\34.0.1847.116\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 11.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Microsoft® DRM) - C:\Program Files\Windows Media Player\npdrmv2.dll (Microsoft Corporation)
CHR Plugin: (Windows Media Player Plug-in Dynamic Link Library) - C:\Program Files\Windows Media Player\npdsplay.dll (Microsoft Corporation (written by Digital Renaissance Inc.))
CHR Plugin: (Microsoft® DRM) - C:\Program Files\Windows Media Player\npwmsdrm.dll (Microsoft Corporation)
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll No File
CHR Plugin: (Java™ Platform SE 6 U32) - C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
CHR Plugin: (Microsoft Office Live Plug-in for Firefox) - C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
CHR Plugin: (Windows Live® Photo Gallery) - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (Java Deployment Toolkit 6.0.320.5) - C:\WINDOWS\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll No File
CHR Plugin: (Windows Presentation Foundation) - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Extension: (OAVRedirectFallback Class) - C:\Documents and Settings\Donna\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ajpgkpeckebdhofmmjfgcjjiiejpodla [2014-04-26]
CHR Extension: (Google Wallet) - C:\Documents and Settings\Donna\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-11-09]
 
========================== Services (Whitelisted) =================
 
R2 BAsfIpM; C:\WINDOWS\system32\basfipm.exe [77824 2004-04-01] (Broadcom Corp.)
R2 JavaQuickStarterService; C:\Program Files\Java\jre6\bin\jqs.exe [153376 2012-05-02] (Sun Microsystems, Inc.)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22208 2013-10-23] (Microsoft Corporation)
R2 NICCONFIGSVC; C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe [356352 2005-03-03] (Dell Inc.)
R2 S24EventMonitor; C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [360521 2004-09-07] (Intel Corporation )
R2 WLANKEEPER; C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe [225353 2004-09-07] (Intel® Corporation)
 
==================== Drivers (Whitelisted) ====================
 
S4 abp480n5; C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS [23552 2001-08-17] (Microsoft Corporation)
R2 AegisP; C:\WINDOWS\System32\DRIVERS\AegisP.sys [17056 2005-09-01] (Meetinghouse Data Communications)
R1 AFS2K; C:\WINDOWS\system32\Drivers\AFS2K.sys [35840 2004-10-07] (Oak Technology Inc.)
S3 akshasp; C:\WINDOWS\System32\DRIVERS\akshasp.sys [328448 2004-04-28] (Aladdin Knowledge Systems)
S3 aksusb; C:\WINDOWS\System32\DRIVERS\aksusb.sys [99968 2004-05-11] (Aladdin Knowledge Systems)
R1 APPDRV; C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS [16128 2004-08-18] (Dell Inc)
R3 ASAPIW2K; C:\WINDOWS\System32\Drivers\ASAPIW2K.sys [11264 2003-11-28] (Pinnacle Systems GmbH)
R2 BASFND; C:\WINDOWS\system32\Drivers\BASFND.sys [6025 2003-04-24] (Broadcom Corporation)
R3 cdrdrv; C:\WINDOWS\System32\Drivers\Cdrdrv.sys [64000 2004-06-01] (Pinnacle Systems GmbH)
R2 drvnddm; C:\WINDOWS\System32\drivers\drvnddm.sys [40480 2004-11-23] (Sonic Solutions)
R3 GTIPCI21; C:\WINDOWS\System32\DRIVERS\gtipci21.sys [80384 2004-05-03] (Texas Instruments)
R2 Hardlock; C:\WINDOWS\system32\drivers\hardlock.sys [676864 2004-07-14] (Aladdin Knowledge Systems)
R2 Haspnt; C:\WINDOWS\system32\drivers\Haspnt.sys [47616 2005-11-10] (Aladdin Knowledge Systems)
R3 HSFHWICH; C:\WINDOWS\System32\DRIVERS\HSFHWICH.sys [208384 2005-05-03] (Conexant Systems, Inc.)
R3 HSF_DPV; C:\WINDOWS\System32\DRIVERS\HSF_DPV.SYS [1033728 2005-05-03] (Conexant Systems, Inc.)
R3 IWCA; C:\WINDOWS\System32\DRIVERS\iwca.sys [234496 2004-08-12] (Intel Corporation)
R0 MpFilter; C:\WINDOWS\System32\DRIVERS\MpFilter.sys [214696 2013-09-27] (Microsoft Corporation)
R1 MpKsl8c762490; c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{05894634-03A5-48B4-946A-9E9FFAE2CE20}\MpKsl8c762490.sys [39464 2014-04-28] (Microsoft Corporation)
R2 s24trans; C:\WINDOWS\System32\DRIVERS\s24trans.sys [11354 2004-08-31] (Intel Corporation)
R2 Sentinel; C:\WINDOWS\System32\Drivers\SENTINEL.SYS [73728 2001-06-21] (Rainbow Technologies, Inc.)
S3 Sntnlusb; C:\WINDOWS\System32\DRIVERS\SNTNLUSB.SYS [20032 2001-06-21] (Rainbow Technologies Inc.)
R1 sscdbhk5; C:\WINDOWS\System32\drivers\sscdbhk5.sys [5627 2004-07-14] (Sonic Solutions)
R1 ssrtln; C:\WINDOWS\System32\drivers\ssrtln.sys [23545 2004-07-14] (Sonic Solutions)
R3 STAC97; C:\WINDOWS\System32\drivers\STAC97.sys [273168 2005-03-10] (SigmaTel, Inc.)
R2 tfsnboio; C:\WINDOWS\System32\dla\tfsnboio.sys [25883 2004-12-06] (Sonic Solutions)
R2 tfsncofs; C:\WINDOWS\System32\dla\tfsncofs.sys [34843 2004-12-06] (Sonic Solutions)
R2 tfsndrct; C:\WINDOWS\System32\dla\tfsndrct.sys [4123 2004-12-06] (Sonic Solutions)
R2 tfsndres; C:\WINDOWS\System32\dla\tfsndres.sys [2239 2004-12-06] (Sonic Solutions)
R2 tfsnifs; C:\WINDOWS\System32\dla\tfsnifs.sys [86586 2004-12-06] (Sonic Solutions)
R2 tfsnopio; C:\WINDOWS\System32\dla\tfsnopio.sys [15227 2004-12-06] (Sonic Solutions)
R2 tfsnpool; C:\WINDOWS\System32\dla\tfsnpool.sys [6363 2004-12-06] (Sonic Solutions)
R2 tfsnudf; C:\WINDOWS\System32\dla\tfsnudf.sys [98714 2004-12-06] (Sonic Solutions)
R2 tfsnudfa; C:\WINDOWS\System32\dla\tfsnudfa.sys [100603 2004-12-06] (Sonic Solutions)
R0 VOBID; C:\WINDOWS\System32\DRIVERS\vobid.sys [29239 2003-08-01] (Pinnacle Systems)
R1 vobiw; C:\WINDOWS\system32\Drivers\vobiw.sys [188416 2004-07-06] (Pinnacle Systems GmbH)
R3 w29n51; C:\WINDOWS\System32\DRIVERS\w29n51.sys [3210496 2004-10-21] (Intel® Corporation)
S3 bvrp_pci; No ImagePath
S3 catchme; \??\C:\DOCUME~1\Donna\LOCALS~1\Temp\catchme.sys [X]
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
U3 TrueSight; \??\C:\WINDOWS\system32\TrueSight.sys [X]
U5 vobcom; C:\Windows\System32\Drivers\vobcom.sys [9728 2001-10-04] (VOB Computersysteme GmbH)
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-05-13 18:29 - 2014-05-13 18:29 - 00000784 _____ () C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2014-05-13 18:22 - 2014-05-13 18:22 - 00000000 __SHD () C:\WINDOWS\CSC
2014-05-13 18:13 - 2014-05-13 18:13 - 00000000 ____D () C:\WINDOWS\pss
2014-05-02 19:39 - 2014-05-02 19:46 - 00000000 ____D () C:\Program Files\GUM78.tmp
2014-05-02 19:39 - 2014-05-02 19:39 - 06000640 _____ () C:\Program Files\GUT79.tmp
2014-04-28 09:57 - 2014-04-28 09:57 - 00020851 _____ () C:\Documents and Settings\Donna\Desktop\FRST.txt
2014-04-28 09:57 - 2014-04-28 09:57 - 00000000 ____D () C:\FRST
2014-04-26 16:50 - 2014-04-26 16:49 - 01049088 _____ (Farbar) C:\Documents and Settings\Donna\Desktop\FRST.exe
2014-04-26 16:48 - 2014-04-26 16:48 - 00005225 _____ () C:\WINDOWS\KB2922229.log
2014-04-26 16:48 - 2014-04-26 16:48 - 00000000 ____D () C:\WINDOWS\LastGood
2014-04-26 16:23 - 2014-04-26 16:23 - 00011313 _____ () C:\ComboFix.txt
2014-04-26 16:12 - 2014-04-26 16:12 - 00000000 _RSHD () C:\cmdcons
2014-04-26 16:12 - 2005-09-18 12:48 - 00000211 _____ () C:\Boot.bak
2014-04-26 16:12 - 2004-08-03 23:00 - 00260272 __RSH () C:\cmldr
2014-04-26 16:10 - 2014-04-26 16:24 - 00000000 ____D () C:\Qoobox
2014-04-26 16:10 - 2014-04-26 16:24 - 00000000 ____D () C:\ComboFix
2014-04-26 16:10 - 2011-06-26 00:45 - 00256000 _____ () C:\WINDOWS\PEV.exe
2014-04-26 16:10 - 2010-11-07 11:20 - 00208896 _____ () C:\WINDOWS\MBR.exe
2014-04-26 16:10 - 2009-04-19 22:56 - 00060416 _____ (NirSoft) C:\WINDOWS\NIRCMD.exe
2014-04-26 16:10 - 2000-08-30 18:00 - 00518144 _____ (SteelWerX) C:\WINDOWS\SWREG.exe
2014-04-26 16:10 - 2000-08-30 18:00 - 00406528 _____ (SteelWerX) C:\WINDOWS\SWSC.exe
2014-04-26 16:10 - 2000-08-30 18:00 - 00212480 _____ (SteelWerX) C:\WINDOWS\SWXCACLS.exe
2014-04-26 16:10 - 2000-08-30 18:00 - 00098816 _____ () C:\WINDOWS\sed.exe
2014-04-26 16:10 - 2000-08-30 18:00 - 00080412 _____ () C:\WINDOWS\grep.exe
2014-04-26 16:10 - 2000-08-30 18:00 - 00068096 _____ () C:\WINDOWS\zip.exe
2014-04-26 16:09 - 2014-04-26 16:22 - 00000000 ____D () C:\WINDOWS\erdnt
2014-04-26 16:09 - 2014-04-26 16:09 - 05196309 ____R (Swearware) C:\Documents and Settings\Donna\Desktop\ComboFix.exe
2014-04-26 15:52 - 2014-04-26 15:48 - 03972608 _____ () C:\Documents and Settings\Donna\Desktop\RogueKiller.exe
2014-04-26 15:51 - 2014-04-26 15:55 - 00000000 ____D () C:\Documents and Settings\Donna\Desktop\RK_Quarantine
2014-04-08 15:21 - 2014-04-08 15:22 - 00131945 _____ () C:\WINDOWS\KB2925418-IE8.log
2014-04-08 15:21 - 2014-04-08 15:21 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2930275$
2014-04-08 15:21 - 2014-04-08 15:21 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2929961$
2014-04-08 11:38 - 2014-04-08 15:21 - 00128972 _____ () C:\WINDOWS\KB2929961.log
2014-04-08 11:37 - 2014-04-08 15:21 - 00131997 _____ () C:\WINDOWS\KB2930275.log
2014-04-03 16:25 - 2014-05-08 15:22 - 00000216 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2014-04-03 16:25 - 2014-04-26 16:41 - 00000222 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2014-04-03 16:23 - 2014-04-03 16:23 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2934207$
2014-04-03 16:22 - 2014-04-03 16:23 - 00004851 _____ () C:\WINDOWS\KB2934207.log
2014-04-03 16:20 - 2014-02-25 19:59 - 00013312 ____N (Microsoft Corporation) C:\WINDOWS\system32\xp_eos.exe
2014-04-03 16:20 - 2014-02-25 19:59 - 00013312 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\xp_eos.exe
 
==================== One Month Modified Files and Folders =======
 
2014-05-13 18:44 - 2007-12-12 15:01 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB941569$
2014-05-13 18:30 - 2009-03-07 17:30 - 00000000 ____D () C:\Program Files\Malwarebytes' Anti-Malware
2014-05-13 18:29 - 2014-05-13 18:29 - 00000784 _____ () C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2014-05-13 18:29 - 2009-03-07 17:30 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
2014-05-13 18:22 - 2014-05-13 18:22 - 00000000 __SHD () C:\WINDOWS\CSC
2014-05-13 18:13 - 2014-05-13 18:13 - 00000000 ____D () C:\WINDOWS\pss
2014-05-13 18:09 - 2005-09-01 06:30 - 00000000 ____D () C:\i386
2014-05-13 18:05 - 2012-06-20 14:06 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2014-05-08 16:36 - 2005-11-10 17:26 - 00000000 ____D () C:\FTW
2014-05-08 16:35 - 2013-06-07 12:49 - 00000000 ____D () C:\Documents and Settings\Donna\My Documents\Quilt Patterns Internet
2014-05-08 16:35 - 2013-01-21 15:12 - 00000000 ____D () C:\Documents and Settings\Donna\My Documents\Wheatland Quilters
2014-05-08 16:35 - 2010-07-26 18:07 - 00000000 ____D () C:\Documents and Settings\Donna\My Documents\Personal
2014-05-08 16:35 - 2008-12-30 21:09 - 00000000 ____D () C:\Documents and Settings\Donna\My Documents\Taxi forms
2014-05-08 16:35 - 2007-09-20 20:16 - 00000000 ____D () C:\Documents and Settings\Donna\My Documents\Quilt Designs
2014-05-08 16:35 - 2005-11-04 21:21 - 00000000 ____D () C:\Documents and Settings\Donna\My Documents\Sewing
2014-05-08 16:33 - 2010-02-12 15:40 - 00000886 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2014-05-08 16:32 - 2009-12-30 16:35 - 00000000 ____D () C:\Documents and Settings\Donna\My Documents\Free Internet Patterns
2014-05-08 16:32 - 2007-12-12 14:54 - 00000000 ____D () C:\Documents and Settings\Donna\My Documents\DJ's Quilting
2014-05-08 16:32 - 2006-08-23 22:43 - 00000000 ____D () C:\Documents and Settings\Donna\My Documents\E-Mails
2014-05-08 16:32 - 2005-11-04 21:38 - 00000000 ____D () C:\Documents and Settings\Donna\My Documents\MS Word
2014-05-08 16:32 - 2005-11-04 21:20 - 00000000 ____D () C:\Documents and Settings\Donna\My Documents\Designs
2014-05-08 16:31 - 2011-10-11 16:44 - 00000000 ____D () C:\Documents and Settings\Donna\My Documents\Cards
2014-05-08 16:31 - 2008-04-29 13:22 - 00000000 ____D () C:\Documents and Settings\Donna\My Documents\Block of the Month
2014-05-08 16:31 - 2007-05-02 12:06 - 00000000 ____D () C:\Documents and Settings\Donna\My Documents\CWL
2014-05-08 15:22 - 2014-04-03 16:25 - 00000216 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2014-05-07 15:59 - 2005-09-01 06:33 - 00001849 _____ () C:\WINDOWS\setupact.log
2014-05-07 15:51 - 2013-02-12 15:37 - 00001813 _____ () C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
2014-05-07 15:35 - 2005-09-01 06:32 - 00000000 ____D () C:\dell
2014-05-02 19:46 - 2014-05-02 19:39 - 00000000 ____D () C:\Program Files\GUM78.tmp
2014-05-02 19:39 - 2014-05-02 19:39 - 06000640 _____ () C:\Program Files\GUT79.tmp
2014-04-28 09:57 - 2014-04-28 09:57 - 00020851 _____ () C:\Documents and Settings\Donna\Desktop\FRST.txt
2014-04-28 09:57 - 2014-04-28 09:57 - 00000000 ____D () C:\FRST
2014-04-28 09:57 - 2007-03-26 22:21 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Microsoft Help
2014-04-28 09:57 - 2004-08-11 16:13 - 02092160 _____ () C:\WINDOWS\WindowsUpdate.log
2014-04-28 09:56 - 2014-01-05 15:24 - 00000384 ____H () C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job
2014-04-26 16:49 - 2014-04-26 16:50 - 01049088 _____ (Farbar) C:\Documents and Settings\Donna\Desktop\FRST.exe
2014-04-26 16:48 - 2014-04-26 16:48 - 00005225 _____ () C:\WINDOWS\KB2922229.log
2014-04-26 16:48 - 2014-04-26 16:48 - 00000000 ____D () C:\WINDOWS\LastGood
2014-04-26 16:41 - 2014-04-03 16:25 - 00000222 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2014-04-26 16:41 - 2010-02-12 15:39 - 00000882 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2014-04-26 16:41 - 2004-08-11 16:20 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-04-26 16:41 - 2004-08-11 16:20 - 00000000 __SHD () C:\Documents and Settings\LocalService
2014-04-26 16:41 - 2004-08-11 16:09 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2014-04-26 16:41 - 2004-08-11 16:09 - 00000050 _____ () C:\WINDOWS\wiaservc.log
2014-04-26 16:41 - 2004-08-11 16:00 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
2014-04-26 16:40 - 2005-09-18 12:48 - 00000278 ___SH () C:\Documents and Settings\Donna\ntuser.ini
2014-04-26 16:24 - 2014-04-26 16:10 - 00000000 ____D () C:\Qoobox
2014-04-26 16:24 - 2014-04-26 16:10 - 00000000 ____D () C:\ComboFix
2014-04-26 16:23 - 2014-04-26 16:23 - 00011313 _____ () C:\ComboFix.txt
2014-04-26 16:22 - 2014-04-26 16:09 - 00000000 ____D () C:\WINDOWS\erdnt
2014-04-26 16:22 - 2004-08-11 16:00 - 00000227 _____ () C:\WINDOWS\system.ini
2014-04-26 16:21 - 2005-09-18 12:48 - 00000000 ____D () C:\Documents and Settings\Donna
2014-04-26 16:12 - 2014-04-26 16:12 - 00000000 _RSHD () C:\cmdcons
2014-04-26 16:12 - 2005-09-01 06:32 - 00000327 __RSH () C:\boot.ini
2014-04-26 16:09 - 2014-04-26 16:09 - 05196309 ____R (Swearware) C:\Documents and Settings\Donna\Desktop\ComboFix.exe
2014-04-26 15:55 - 2014-04-26 15:51 - 00000000 ____D () C:\Documents and Settings\Donna\Desktop\RK_Quarantine
2014-04-26 15:51 - 2007-08-27 17:03 - 00397155 _____ () C:\WINDOWS\setupapi.log
2014-04-26 15:48 - 2014-04-26 15:52 - 03972608 _____ () C:\Documents and Settings\Donna\Desktop\RogueKiller.exe
2014-04-26 15:44 - 2004-08-11 16:20 - 00032526 _____ () C:\WINDOWS\SchedLgU.Txt
2014-04-17 10:22 - 2013-08-16 23:19 - 00000000 ____D () C:\WINDOWS\system32\MRT
2014-04-17 10:19 - 2005-09-18 13:01 - 87350280 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2014-04-15 20:07 - 2004-08-11 16:00 - 00000953 _____ () C:\WINDOWS\win.ini
2014-04-09 10:55 - 2011-01-23 10:54 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-04-09 10:55 - 2004-08-11 16:06 - 00428592 _____ () C:\WINDOWS\system32\FNTCACHE.DAT
2014-04-08 15:22 - 2014-04-08 15:21 - 00131945 _____ () C:\WINDOWS\KB2925418-IE8.log
2014-04-08 15:22 - 2005-09-01 06:49 - 00407968 _____ () C:\WINDOWS\updspapi.log
2014-04-08 15:22 - 2004-08-11 16:07 - 03185650 _____ () C:\WINDOWS\FaxSetup.log
2014-04-08 15:22 - 2004-08-11 16:07 - 01528945 _____ () C:\WINDOWS\ocgen.log
2014-04-08 15:22 - 2004-08-11 16:07 - 01495901 _____ () C:\WINDOWS\iis6.log
2014-04-08 15:22 - 2004-08-11 16:07 - 01457721 _____ () C:\WINDOWS\tsoc.log
2014-04-08 15:22 - 2004-08-11 16:07 - 01034487 _____ () C:\WINDOWS\comsetup.log
2014-04-08 15:22 - 2004-08-11 16:07 - 00984810 _____ () C:\WINDOWS\msmqinst.log
2014-04-08 15:22 - 2004-08-11 16:07 - 00626482 _____ () C:\WINDOWS\ntdtcsetup.log
2014-04-08 15:22 - 2004-08-11 16:07 - 00556867 _____ () C:\WINDOWS\netfxocm.log
2014-04-08 15:22 - 2004-08-11 16:07 - 00219363 _____ () C:\WINDOWS\MedCtrOC.log
2014-04-08 15:22 - 2004-08-11 16:07 - 00170195 _____ () C:\WINDOWS\ocmsn.log
2014-04-08 15:22 - 2004-08-11 16:07 - 00160332 _____ () C:\WINDOWS\tabletoc.log
2014-04-08 15:22 - 2004-08-11 16:07 - 00159148 _____ () C:\WINDOWS\msgsocm.log
2014-04-08 15:22 - 2004-08-11 16:07 - 00001355 _____ () C:\WINDOWS\imsins.log
2014-04-08 15:21 - 2014-04-08 15:21 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2930275$
2014-04-08 15:21 - 2014-04-08 15:21 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2929961$
2014-04-08 15:21 - 2014-04-08 11:38 - 00128972 _____ () C:\WINDOWS\KB2929961.log
2014-04-08 15:21 - 2014-04-08 11:37 - 00131997 _____ () C:\WINDOWS\KB2930275.log
2014-04-08 15:21 - 2004-08-11 16:07 - 00001355 _____ () C:\WINDOWS\imsins.BAK
2014-04-08 12:03 - 2012-06-20 14:05 - 00692616 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2014-04-08 12:03 - 2011-06-30 14:34 - 00071048 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2014-04-03 16:23 - 2014-04-03 16:23 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2934207$
2014-04-03 16:23 - 2014-04-03 16:22 - 00004851 _____ () C:\WINDOWS\KB2934207.log
2014-04-03 13:19 - 2004-08-11 16:07 - 00579078 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
 
Files to move or delete:
====================
C:\Documents and Settings\Donna\hpothb07.dat
 
 
==================== Bamital & volsnap Check =================
 
C:\WINDOWS\explorer.exe => MD5 is legit
C:\WINDOWS\system32\winlogon.exe => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
C:\WINDOWS\system32\User32.dll => MD5 is legit
C:\WINDOWS\system32\userinit.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\volsnap.sys => MD5 is legit
 
==================== End Of Log ============================

Edit: Moved topic from Windows XP to the more appropriate forum.~ Animal


#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,764 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 May 2014 - 09:08 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start

HKLM Group Policy restriction on software: C:\Program Files\Malwarebytes' Anti-Malware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Microsoft Security Client <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Common Files\Symantec Shared <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Symantec <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware <====== ATTENTION
SearchScopes: HKCU - {48D63E56-097A-44F7-BF31-6B7AAFE4BF49} URL = http://www.search.ask.com/web?tpid=ORJ&o=100000027&pf=V5&p2=&gct=sb&itbv=12.10.3.24&apn_uid=C01424E2-B03E-4F0E-9487-3C7245DEBB72&apn_ptnrs=U3&apn_dtid=OSJ000YYCA&apn_dbr=ie_8.0.6001.18702&doi=2014-02-13&trgb=IE&q={searchTerms}&psv=
SearchScopes: HKCU - {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = http://www.ask.com/web?q={SEARCHTERMS}&o=15527&l=dis&prt=360&chn=retail&geo=CA&ver=4
Toolbar: HKLM - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKCU - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -  No File
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll No File
S3 catchme; \??\C:\DOCUME~1\Donna\LOCALS~1\Temp\catchme.sys [X]
U3 TrueSight; \??\C:\WINDOWS\system32\TrueSight.sys [X]

end

Save the file as fixlist.txt into the same folder as FRST.
Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Uncheck the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.
===

Please post the logs and let me know what problem persists.
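The "Group Policy restriction on software" lines in the fixlist above are Software Restriction Policy rules that deny execution from the security products' folders. As an added example (not part of this post and not FRST's own code), the script below reads the SRP "Disallowed" path rules from the registry and lists the ones aimed at security software; the registry layout and the folder-name list are assumptions based on the standard SRP location and the FRST entries in this thread.

```powershell
# Added example, not FRST's code: list Software Restriction Policy "Disallowed"
# path rules that target security products. FRST reports such rules as
# "HKLM Group Policy restriction on software".
# Assumption: the standard SRP layout
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\<GUID>
# where level 0 means Disallowed and the ItemData value holds the blocked path.
# Run from an elevated PowerShell prompt; add -Remove to delete the matching
# rules (the same effect as the FRST fix above), then reboot so the policy is re-read.
param([switch]$Remove)

$disallowedPaths = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'

# Folder-name fragments of security products. Constructed list taken from the
# FRST lines in this thread; extend it for other vendors.
$securityFolders = @(
    'Malwarebytes',
    'Microsoft Security Client',
    'Microsoft Antimalware',
    'Symantec'
)

if (-not (Test-Path -Path $disallowedPaths)) {
    Write-Host 'No Disallowed SRP path rules are defined.'
    return
}

$suspect = @()
foreach ($ruleKey in Get-ChildItem -Path $disallowedPaths) {
    $rule = Get-ItemProperty -Path $ruleKey.PSPath
    $blocked = [string]$rule.ItemData
    foreach ($folder in $securityFolders) {
        if ($blocked -like "*$folder*") {
            # Record the rule's GUID subkey and the path it blocks.
            $suspect += New-Object PSObject -Property @{
                Key  = $ruleKey.PSChildName
                Path = $blocked
            }
            break
        }
    }
}

if ($suspect.Count -eq 0) {
    Write-Host 'No Disallowed rules point at security product folders.'
    return
}

Write-Host 'Disallowed SRP rules aimed at security software:'
$suspect | Format-Table -Property Key, Path -AutoSize

if ($Remove) {
    foreach ($s in $suspect) {
        Remove-Item -Path (Join-Path -Path $disallowedPaths -ChildPath $s.Key) -Recurse
        Write-Host "Removed rule $($s.Key) ($($s.Path))"
    }
    Write-Host 'Restart the computer so the cleared policy takes effect.'
}
```

Run it without -Remove first to confirm that only rules pointing at your own security products are listed; legitimate SRP rules set by an administrator would look the same to this check.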

#3 karnaugh

karnaugh
  • Topic Starter

  • Members
  • 2 posts

Posted 04 May 2014 - 09:49 PM

AdwCleaner

 

# AdwCleaner v3.207 - Report created 04/05/2014 at 20:40:14
# Updated 05/05/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Donna - SEWING
# Running from : C:\Documents and Settings\Donna\Desktop\adwcleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\Documents and Settings\All Users\Application Data\apn
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Ask
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\WLXQuickTimeShellExt.DLL
Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd
Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{79A765E1-C399-405B-85AF-466F52E918B0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\08121C32A9C319F4CB0C11FF059552A4
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0E12F736682067FDE4D1158D5940A82E
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1A24B5BB8521B03E0C8D908F5ABC0AE6
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2B0D56C4F4C46D844A57FFED6F0D2852
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\49D4375FE41653242AEA4C969E4E65E0
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6AA0923513360135B272E8289C5F13FA
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F7467AF8F29C134CBBAB394ECCFDE96
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\922525DCC5199162F8935747CA3D8E59
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BCDA179D619B91648538E3394CAC94CC
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D677B1A9671D4D4004F6F2A4469E86EA
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DD1402A9DD4215A43ABDE169A41AFA0E
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E36E114A0EAD2AD46B381D23AD69CDDF
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EF8E618DB3AEDFBB384561B5C548F65E
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v8.0.6001.18702
 
 
-\\ Google Chrome v34.0.1847.116
 
[ File : C:\Documents and Settings\Donna\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [4254 octets] - [04/05/2014 20:37:56]
AdwCleaner[S0].txt - [4243 octets] - [04/05/2014 20:40:14]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [4303 octets] ##########
 
 
 
 
Checkup:
 

 Results of screen317's Security Check version 0.99.82  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Microsoft Security Essentials   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:````````` 
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Java™ 6 Update 32  
 Java 2 Runtime Environment, SE v1.4.2_03 
 Java version out of Date! 
 Adobe Reader XI  
 Google Chrome 33.0.1750.154  
 Google Chrome 34.0.1847.116  
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe 
 Microsoft Security Essentials msseces.exe 
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:: 1% 
````````````````````End of Log`````````````````````` 
 
 
 
FRST:
 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 26-04-2014 03
Ran by Donna at 2014-05-04 20:32:03 Run:1
Running from C:\Documents and Settings\Donna\Desktop
Boot Mode: Normal
 
==============================================
 
Content of fixlist:
*****************
start
 
HKLM Group Policy restriction on software: C:\Program Files\Malwarebytes' Anti-Malware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Microsoft Security Client <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Common Files\Symantec Shared <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Symantec <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware <====== ATTENTION
SearchScopes: HKCU - {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = http://www.ask.com/web?q={SEARCHTERMS}&o=15527&l=dis&prt=360&chn=retail&geo=CA&ver=4
Toolbar: HKLM - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKCU - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -  No File
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll No File
S3 catchme; \??\C:\DOCUME~1\Donna\LOCALS~1\Temp\catchme.sys [X]
U3 TrueSight; \??\C:\WINDOWS\system32\TrueSight.sys [X]
 
end
*****************
 
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{48D63E56-097A-44F7-BF31-6B7AAFE4BF49} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{48D63E56-097A-44F7-BF31-6B7AAFE4BF49} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} => Key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => Value deleted successfully.
HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} => Value deleted successfully.
HKCR\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88} => Key deleted successfully.
C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll not found.
c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll not found.
catchme => Service deleted successfully.
TrueSight => Service deleted successfully.
 
==== End of Fixlog ====
 
So far things look better.  I am able to install and use an AV now.
Thanks
 


#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,764 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 05 May 2014 - 08:50 AM

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Latest version is Java JRE 7u55.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882


If present remove the old version(s) of Java using the Add/Remove Programs applet.

Java 6 Update 32
Java 2 Runtime Environment, SE v1.4.2_03


===

If all is well:

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

Having an effective antivirus is a must for everyone.
In addition to many excellent commercial products there are plenty of good free antivirus programs available. I can recommend:

If you are satisfied with your current protection programs you can ignore the instructions on Antivirus or Firewall listed below.

In addition to an antivirus I recommend using a firewall. A software firewall is a software program that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet. I can recommend one of the following free products:

Please note: Many installers offer third-party downloads that are installed automatically when you do not uncheck certain checkboxes. While most of the time not being malicious, you usually do not want these on your computer. Be careful during the installation process and you will avoid seeing tons of new unwanted toolbars in your favorite web browser.

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Malwarebytes Anti-Malware (MBAM)
The free version of MBAM can be used to scan the system for traces of malware. Scanning your system regularly will make it harder for malware to reside on your system.
A tutorial on using MBAM can be found here.
Please Note: Only the paid for version has real time capabilities.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop-up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above.

Please keep your programs up to date. This applies to Java, Adobe Flashplayer, Adobe Reader and your Internet Browsers in particular. Vulnerabilities in these programs are often exploited in order to install malware on your PC. Visiting a prepared web page suffices to infect your system.

In general Firefox, Opera and Google Chrome are considered to be more secure than Internet Explorer. In addition there are many useful add-ons that can protect you from possible risks:
  • WOT will warn you when you try to visit sites with poor reputation. The reputation is based on user ratings and is usually very accurate.
  • Script Blocker can help blocking many attempts to infect your system via malicious websites by only allowing scripts at sites you trust.
  • NoScript is a popular Firefox add-on;
  • ScriptNo is a popular Google Chrome add-on.
For much more useful information, please also read Tony Klein's excellent article: How did I get infected in the first place?

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help.
===

#5 nasdaq

nasdaq

  • Malware Response Team
  • 38,764 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 10 May 2014 - 08:55 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



