
Computer acting irregular


  • This topic is locked
25 replies to this topic

#1 67mike

  • Members
  • 24 posts
  • OFFLINE
  • Local time: 05:36 PM

Posted 25 June 2014 - 05:16 AM

Recently had issues with malware, so I ran Malwarebytes and it found and cleared a number of issues. I had the ICE-moneypak virus that Malwarebytes seemed to have fixed, but even though the computer is much better, it still seems as if something unwanted is running in the background and making my computer perform slowly.

Your help is GREATLY APPRECIATED!

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Gateway User at 4:59:43 on 2014-06-25
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2045.422 [GMT -5:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Enabled*
.
============== Running Processes ================
.
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\WINDOWS\system32\IProsetMonitor.exe
C:\Program Files\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://www.google.com/
uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe"
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.8313.1002\swg.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [UTmedia] regsvr32.exe "c:\documents and settings\gateway user\local settings\application data\utmedia\CNBP_226.DLL"
uRun: [KSS] "c:\program files\kaspersky lab\kaspersky security scan 2.0\kss.exe" /autorun
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [readericon] c:\program files\digital media reader\readericon45G.exe
mRun: [WinPatrol Rus, v24.3.2012.0 ] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
uPolicies-Explorer: TaskbarNoNotification = dword:0
mPolicies-Explorer: MaxRecentDocs = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoWinKey = dword:0
mPolicies-Explorer: NoNetConnextDisconnect = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoSMConfigurePrograms = dword:0
mPolicies-Explorer: NoControlPanle = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: TaskbarNoNotification = dword:0
mPolicies-Explorer: HideSCAHealth = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-System: NoAdminPage = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{416F789F-1D5A-454B-B714-9DC92BF06A58} : DHCPNameServer = 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook - {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - c:\program files\windows defender\MpShHook.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\27.0.1453.110\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R1 {0782648b-1717-4fef-ac58-8cb3ce03adb3}Gt;{0782648b-1717-4fef-ac58-8cb3ce03adb3}Gt;c:\windows\system32\drivers\{0782648b-1717-4fef-ac58-8cb3ce03adb3}Gt.sys [2014-5-10 55232]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-2-22 55152]
R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IPROSetMonitor.exe [2012-2-20 132768]
R2 KSS;Kaspersky Security Scan Service;c:\program files\kaspersky lab\kaspersky security scan 2.0\kss.exe [2012-12-7 202328]
R3 IAMTXP;Driver for Intel® Active Management Technology - KCS;c:\windows\system32\drivers\IAMTXP.sys [2008-2-8 40448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20130607.018\NAVENG.SYS [2013-6-7 93272]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20130607.018\NAVEX15.SYS [2013-6-7 1611992]
S2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes anti-malware\mbamscheduler.exe [2014-4-9 1809720]
S2 MBAMService;MBAMService;c:\program files\malwarebytes anti-malware\mbamservice.exe [2014-4-9 860472]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2011-6-2 11336]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-3-5 23256]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2006-5-31 14336]
S4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-8 108392]
S4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-8 108392]
S4 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S4 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\intel\intel® rapid storage technology\IAStorDataMgrSvc.exe [2012-2-20 13592]
S4 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-9-17 2477304]
S4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
.
=============== Created Last 30 ================
.
2014-06-25 07:33:52 536576 ----a-w- c:\windows\system32\sqlite3.dll
2014-06-25 07:33:20 -------- d-----w- C:\AdwCleaner
2014-06-23 19:51:05 -------- d-----w- c:\program files\Kaspersky Lab
2014-06-23 19:51:05 -------- d-----w- c:\documents and settings\all users\application data\Kaspersky Lab
2014-06-23 10:49:24 110296 ----a-w- c:\windows\system32\drivers\48230029.sys
2014-06-20 10:58:41 -------- d--h--w- c:\windows\system32\GroupPolicy
2014-06-18 10:39:59 -------- d-----w- c:\documents and settings\gateway user\local settings\application data\UTmedia
2014-06-09 20:55:03 -------- d-----w- c:\documents and settings\gateway user\local settings\application data\PCHealth
2014-06-09 20:41:34 -------- d-sh--w- c:\windows\Installer
2014-06-09 20:32:32 13312 -c----w- c:\windows\system32\dllcache\xp_eos.exe
2014-06-09 20:32:32 13312 ------w- c:\windows\system32\xp_eos.exe
2014-06-09 20:32:09 8073384 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{51f306a9-b054-4eea-b856-3ee310a6dd3a}\mpengine.dll
2014-06-09 10:52:50 -------- d-sha-r- C:\cmdcons
2014-06-09 10:18:38 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro
2014-06-06 02:16:13 36035456 ----a-w- C:\asdsetup.exe
2014-06-06 01:39:53 -------- d---a-w- C:\$Anvi Rescue Disk$
2014-06-05 01:49:42 -------- d-----w- C:\found.000
2014-06-03 20:46:56 -------- d-----w- c:\documents and settings\all users\application data\669E4C92FAAD18858E21CBF7AB68797E
.
==================== Find3M  ====================
.
2014-06-25 09:49:45 110296 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-05-12 12:26:02 53208 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-05-12 12:25:54 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-04-24 17:36:00 55232 ----a-w- c:\windows\system32\drivers\{0782648b-1717-4fef-ac58-8cb3ce03adb3}Gt.sys
2014-03-31 14:35:10 231584 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH:  5:01:12.29 ===============
 


Edited by 67mike, 25 June 2014 - 05:18 AM.



#2 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender: Male
  • Local time: 11:36 PM

Posted 25 June 2014 - 07:43 AM

Hi there,
my name is Marius and I will assist you with your malware-related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Please post up the attach.txt and do the following:

Scan with aswMBR

Please download aswMBR (4.5MB) to your desktop.

  • Double click the aswMBR.exe icon, and click Run.
  • There will be a short delay before the next dialog box comes up. Please just wait a minute or two.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Typically this is about a 100MB download so depending on your connection speed it can take a short while to download and become ready.
  • Click the Scan button to start the scan once the update has finished downloading.
  • On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.

Note: There will also be a file on your desktop named MBR.dat; do not delete this for now. It is an actual backup of the MBR (master boot record).


Proud Member of UNITE & TB

My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#3 67mike

  • Topic Starter
  • Members
  • 24 posts
  • OFFLINE
  • Local time: 05:36 PM

Posted 25 June 2014 - 03:31 PM

Do I need to zip this file for you to read it?

Attached Files



#4 67mike

  • Topic Starter
  • Members
  • 24 posts
  • OFFLINE
  • Local time: 05:36 PM

Posted 25 June 2014 - 04:20 PM

aswMBR version 1.0.1.2041 Copyright© 2014 AVAST Software
Run date: 2014-06-25 15:48:54
-----------------------------
15:48:54.140    OS Version: Windows 5.1.2600 Service Pack 3
15:48:54.140    Number of processors: 4 586 0xF0B
15:48:54.156    ComputerName: HCGOULD  UserName:
15:49:02.203    Initialize success
15:49:02.562    VM: initialized successfully
15:49:02.796    VM: Intel CPU BiosDisabled
15:49:20.187    VM: disk I/O IASTOR.SYS
15:52:36.578    AVAST engine defs: 14062500
15:53:46.640    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
15:53:46.640    Disk 0 Vendor: ST325082 3.AA Size: 238475MB BusType: 8
15:53:46.906    Disk 0 MBR read successfully
15:53:46.906    Disk 0 MBR scan
15:53:46.984    Disk 0 unknown MBR code
15:53:46.984    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       234197 MB offset 8739360
15:53:46.984    Disk 0 Boot: NTFS     code=1
15:53:47.000    Disk 0 Partition 2 00     0B        FAT32 RECOVERY     4267 MB offset 63
15:53:47.000    Disk 0 scanning sectors +488376000
15:53:47.234    Disk 0 scanning C:\WINDOWS\system32\drivers
15:54:07.812    Service scanning
15:54:12.703    Service DcomLaunch C:\WINDOWS\system32\rpcss.dll **INFECTED** Win32:Injector-BVN [Trj]
15:54:26.984    Service RpcSs C:\WINDOWS\System32\rpcss.dll **INFECTED** Win32:Injector-BVN [Trj]
15:54:35.203    Modules scanning
15:54:45.453    Disk 0 trace - called modules:
15:54:45.484    ntoskrnl.exe CLASSPNP.SYS disk.sys IASTOR.SYS hal.dll
15:54:45.500    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x88b11ab8]
15:54:45.500    3 CLASSPNP.SYS[f76d7fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8a972028]
15:54:48.000    AVAST engine scan C:\WINDOWS
15:55:09.500    AVAST engine scan C:\WINDOWS\system32
15:56:50.109    File: C:\WINDOWS\system32\rpcss.dll  **INFECTED** Win32:Injector-BVN [Trj]
15:58:09.375    AVAST engine scan C:\WINDOWS\system32\drivers
15:58:28.703    AVAST engine scan C:\Documents and Settings\Gateway User
16:02:51.734    AVAST engine scan C:\Documents and Settings\All Users
16:05:09.062    Scan finished successfully
16:09:40.656    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Gateway User\Desktop\MBR.dat"
16:09:40.671    The log file has been saved successfully to "C:\Documents and Settings\Gateway User\Desktop\aswMBR.txt"

I did not click fix after the scan to remove the infected files.

#5 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender: Male
  • Local time: 11:36 PM

Posted 26 June 2014 - 03:55 AM

Combofix

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications.


====================================================


Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


[screenshot: RC_update.png]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


[screenshot: cfRC_screen_2.png]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.


Proud Member of UNITE & TB

My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#6 67mike

  • Topic Starter
  • Members
  • 24 posts
  • OFFLINE
  • Local time: 05:36 PM

Posted 26 June 2014 - 06:52 AM

ComboFix 14-06-24.01 - Gateway User 06/26/2014   6:37.4.4 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2045.734 [GMT -5:00]
Running from: c:\documents and settings\Gateway User\Desktop\ComboFix.exe
.
.
(((((((((((((((((((((((((   Files Created from 2014-05-26 to 2014-06-26  )))))))))))))))))))))))))))))))
.
.
2014-06-25 07:33 . 2010-08-30 13:34 536576 ----a-w- c:\windows\system32\sqlite3.dll
2014-06-25 07:33 . 2014-06-25 10:23 -------- d-----w- C:\AdwCleaner
2014-06-23 19:51 . 2014-06-23 19:51 -------- d-----w- c:\program files\Kaspersky Lab
2014-06-23 19:51 . 2014-06-23 19:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2014-06-23 10:49 . 2014-06-23 10:49 110296 ----a-w- c:\windows\system32\drivers\48230029.sys
2014-06-20 10:58 . 2014-06-20 10:58 -------- d--h--w- c:\windows\system32\GroupPolicy
2014-06-19 21:08 . 2014-06-19 21:08 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2014-06-18 10:39 . 2014-06-18 10:40 -------- d-----w- c:\documents and settings\Gateway User\Local Settings\Application Data\UTmedia
2014-06-09 20:55 . 2014-06-09 20:55 -------- d-----w- c:\documents and settings\Gateway User\Local Settings\Application Data\PCHealth
2014-06-09 20:41 . 2014-06-25 21:54 -------- d-sh--w- c:\windows\Installer
2014-06-09 20:32 . 2014-02-26 01:59 13312 -c----w- c:\windows\system32\dllcache\xp_eos.exe
2014-06-09 20:32 . 2014-02-26 01:59 13312 ------w- c:\windows\system32\xp_eos.exe
2014-06-09 20:32 . 2014-05-20 06:18 8073384 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{51F306A9-B054-4EEA-B856-3EE310A6DD3A}\mpengine.dll
2014-06-09 10:18 . 2014-06-09 10:25 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2014-06-06 02:16 . 2014-06-06 02:18 36035456 ----a-w- C:\asdsetup.exe
2014-06-06 01:39 . 2014-06-06 01:39 -------- d---a-w- C:\$Anvi Rescue Disk$
2014-06-05 01:49 . 2014-06-05 01:49 -------- d-----w- C:\found.000
2014-06-03 20:46 . 2014-06-09 10:11 -------- d-----w- c:\documents and settings\All Users\Application Data\669E4C92FAAD18858E21CBF7AB68797E
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-06-26 11:27 . 2014-04-09 20:58 110296 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-05-12 12:26 . 2014-04-09 20:58 53208 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-05-12 12:25 . 2014-03-05 22:19 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-04-24 17:36 . 2014-05-10 08:53 55232 ----a-w- c:\windows\system32\drivers\{0782648b-1717-4fef-ac58-8cb3ce03adb3}Gt.sys
2014-03-31 14:35 . 2009-10-02 20:18 231584 ------w- c:\windows\system32\MpSigStub.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2009-02-09 . 6B27A5C03DFB94B4245739065431322C . 401408 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3GDR\rpcss.dll
[7] 2009-02-09 . 6B27A5C03DFB94B4245739065431322C . 401408 . . [5.1.2600.5755] . . c:\windows\erdnt\cache\rpcss.dll
[-] 2009-02-09 . 363ABF84C4B716D4E94B1DF0CD06C522 . 408576 . . [5.1.2600.5755] . . c:\windows\system32\rpcss.dll
[-] 2009-02-09 . C02A6B65AFAD2B1D85B2A864647A84F7 . 408576 . . [5.1.2600.5755] . . c:\windows\system32\dllcache\rpcss.dll
[7] 2009-02-09 . 9222562D44021B988B9F9F62207FB6F2 . 401408 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\rpcss.dll
[7] 2009-02-09 . 24B5D53B9ACCC1E2EDCF0A878D6659D4 . 401408 . . [5.1.2600.3520] . . c:\windows\$NtServicePackUninstall$\rpcss.dll
[7] 2008-04-14 . 2589FE6015A316C0F5D5112B4DA7B509 . 399360 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB956572$\rpcss.dll
[7] 2008-04-14 . 2589FE6015A316C0F5D5112B4DA7B509 . 399360 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\rpcss.dll
[-] 2005-07-26 . CE94A2BD25E3E9F4D46A7373FF455C6D . 397824 . . [5.1.2600.2726] . . c:\windows\$NtUninstallKB956572_0$\rpcss.dll
[-] 2005-07-26 . C369DF215D352B6F3A0B8C3469AA34F8 . 398336 . . [5.1.2600.2726] . . c:\windows\$hf_mig$\KB902400\SP2QFE\rpcss.dll
[-] 2005-04-29 . DA383FB39A6F1C445F3AFC94B3EB1248 . 396288 . . [5.1.2600.2665] . . c:\windows\$hf_mig$\KB894391\SP2QFE\rpcss.dll
[-] 2005-04-29 . C8061F289E000703E7672916B7FE1571 . 395776 . . [5.1.2600.2665] . . c:\windows\$NtUninstallKB902400$\rpcss.dll
[-] 2005-01-14 . 94456045BEB4545B5EBE1DCC85951AFA . 395776 . . [5.1.2600.2595] . . c:\windows\$hf_mig$\KB873333\SP2QFE\rpcss.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UTmedia"="c:\documents and settings\Gateway User\Local Settings\Application Data\UTmedia\CNBP_226.DLL" [2014-06-18 796672]
"KSS"="c:\program files\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe" [2012-12-07 202328]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 434080]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoAdminPage"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeStartMenu"= 00000000
"MaxRecentDocs"= 0 (0x0)
"NoWinKey"= 0 (0x0)
"NoNetConnextDisconnect"= 0 (0x0)
"NoSMConfigurePrograms"= 0 (0x0)
"NoControlPanle"= 0 (0x0)
"TaskbarNoNotification"= 0 (0x0)
"HideSCAHealth"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Audible Download Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Audible Download Manager.lnk
backup=c:\windows\pss\Audible Download Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gateway User^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Gateway User\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
NA [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-11-21 16:57 959904 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2011-10-06 07:52 59240 -c--a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2010-10-28 00:17 207424 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CoolSwitch]
2001-10-08 18:59 45632 -c--a-w- c:\windows\system32\TaskSwitch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gateway Extended Warranty]
2004-02-09 00:30 73728 -c--a-w- c:\program files\Gateway\GWCares\gwcares.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2009-02-27 00:36 30040 -c--a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAStorIcon]
2011-10-17 21:12 284440 -c--a-w- c:\program files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelAudioStudio]
2006-08-14 20:45 9138176 -c--a-w- c:\program files\Intel Audio Studio\IntelAudioStudio.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-02-07 00:51 3885408 -c--a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-14 06:42 212992 -c--a-w- c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spare Backup]
2007-09-14 00:22 5252936 -c--a-w- c:\program files\Spare Backup\SpareBackup.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
2007-04-10 21:46 709992 -c--a-w- c:\windows\vVX3000.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"MskService"=2 (0x2)
"MpfService"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)
"SeaPort"=2 (0x2)
"ose"=3 (0x3)
"IntuitUpdateService"=2 (0x2)
"idsvc"=3 (0x3)
"fsssvc"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"getPlus® Helper"=3 (0x3)
"BBUpdate"=2 (0x2)
"BBSvc"=3 (0x3)
"MSCamSvc"=2 (0x2)
"Symantec AntiVirus"=2 (0x2)
"SmcService"=2 (0x2)
"McComponentHostService"=3 (0x3)
"iPod Service"=3 (0x3)
"IAStorDataMgrSvc"=2 (0x2)
"gusvc"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Applian Technologies\\Freecorder 8 Applications\\Converter\\fcmediap.exe"=
"c:\\Program Files\\Applian Technologies\\Freecorder 8 Applications\\Audio\\fcaudiop.exe"=
"c:\\Program Files\\Applian Technologies\\Freecorder 8 Applications\\Screen\\fcscreenp.exe"=
"c:\\Program Files\\Applian Technologies\\Freecorder 8 Applications\\Video\\fcvideop.exe"=
"c:\\Program Files\\Applian Technologies\\Freecorder 8 Applications\\Video\\fctubep.exe"=
"c:\\Program Files\\Applian Technologies\\Freecorder 8 Applications\\Torrent\\fctorrentp.exe"=
"c:\\Program Files\\Applian Technologies\\Freecorder 8 Applications\\Torrent\\aria2c.exe"=
.
R1 {0782648b-1717-4fef-ac58-8cb3ce03adb3}Gt;{0782648b-1717-4fef-ac58-8cb3ce03adb3}Gt;c:\windows\system32\drivers\{0782648b-1717-4fef-ac58-8cb3ce03adb3}Gt.sys [5/10/2014 3:53 AM 55232]
R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IPROSetMonitor.exe [2/20/2012 7:47 PM 132768]
R2 KSS;Kaspersky Security Scan Service;c:\program files\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe [12/7/2012 3:16 PM 202328]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes Anti-Malware\mbamscheduler.exe [4/9/2014 3:58 PM 1809720]
R3 IAMTXP;Driver for Intel® Active Management Technology - KCS;c:\windows\system32\drivers\IAMTXP.sys [2/8/2008 2:59 AM 40448]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/5/2014 5:19 PM 23256]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes Anti-Malware\mbamservice.exe [4/9/2014 3:58 PM 860472]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [6/2/2011 11:08 AM 11336]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [5/31/2006 11:17 PM 14336]
S4 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2/20/2012 7:47 PM 13592]
S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ    nosGetPlusHelper
HPZ12 REG_MULTI_SZ    Pml Driver HPZ12 Net Driver HPZ12
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-06-05 21:43 1165776 -c--a-w- c:\program files\Google\Chrome\Application\27.0.1453.110\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-06-09 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
- c:\windows\system32\xp_eos.exe [2014-06-09 01:59]
.
2014-06-18 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.com/
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-ccEvtMgr
SafeBoot-ccSetMgr
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-06-26 06:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3268)
c:\windows\system32\WININET.dll
c:\documents and settings\Gateway User\Local Settings\Application Data\UTmedia\CNBP_226.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2014-06-26  06:45:11
ComboFix-quarantined-files.txt  2014-06-26 11:45
ComboFix2.txt  2014-06-20 11:35
.
Pre-Run: 200,479,420,416 bytes free
Post-Run: 201,106,460,672 bytes free
.
- - End Of File - - E098841C0175E093CFEC0E82481A021D
 



#7 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:36 PM

Posted 30 June 2014 - 02:33 AM

Combofix scripting

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is saved to.


CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Full System Scan with Malwarebytes Antimalware
 

  • If not existing, please download Malwarebytes Anti-Malware to your desktop.
  • Double-click the downloaded setup file and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.

  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

 
Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#8 67mike

67mike
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:05:36 PM

Posted 30 June 2014 - 05:51 AM

ComboFix 14-06-30.01 - Gateway User 06/30/2014   5:35.5.4 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2045.455 [GMT -5:00]
Running from: c:\documents and settings\Gateway User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Gateway User\Desktop\CFScript.txt
 * Created a new restore point
.
file zipped: c:\windows\system32\drivers\{0782648b-1717-4fef-ac58-8cb3ce03adb3}Gt.sys
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\{0782648b-1717-4fef-ac58-8cb3ce03adb3}Gt.sys
.
.
--------------- FCopy ---------------
.
c:\windows\erdnt\cache\rpcss.dll --> c:\windows\system32\rpcss.dll
c:\windows\erdnt\cache\rpcss.dll --> c:\windows\system32\dllcache\rpcss.dll
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_{0782648B-1717-4FEF-AC58-8CB3CE03ADB3}GT
-------\Service_{0782648b-1717-4fef-ac58-8cb3ce03adb3}Gt
.
.
(((((((((((((((((((((((((   Files Created from 2014-05-28 to 2014-06-30  )))))))))))))))))))))))))))))))
.
.
2014-06-25 07:33 . 2010-08-30 13:34 536576 ----a-w- c:\windows\system32\sqlite3.dll
2014-06-25 07:33 . 2014-06-25 10:23 -------- d-----w- C:\AdwCleaner
2014-06-23 19:51 . 2014-06-23 19:51 -------- d-----w- c:\program files\Kaspersky Lab
2014-06-23 19:51 . 2014-06-23 19:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2014-06-23 10:49 . 2014-06-23 10:49 110296 ----a-w- c:\windows\system32\drivers\48230029.sys
2014-06-20 10:58 . 2014-06-20 10:58 -------- d--h--w- c:\windows\system32\GroupPolicy
2014-06-19 21:08 . 2014-06-19 21:08 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2014-06-18 10:39 . 2014-06-18 10:40 -------- d-----w- c:\documents and settings\Gateway User\Local Settings\Application Data\UTmedia
2014-06-09 20:55 . 2014-06-09 20:55 -------- d-----w- c:\documents and settings\Gateway User\Local Settings\Application Data\PCHealth
2014-06-09 20:41 . 2014-06-25 21:54 -------- d-sh--w- c:\windows\Installer
2014-06-09 20:32 . 2014-02-26 01:59 13312 -c----w- c:\windows\system32\dllcache\xp_eos.exe
2014-06-09 20:32 . 2014-02-26 01:59 13312 ------w- c:\windows\system32\xp_eos.exe
2014-06-09 20:32 . 2014-05-20 06:18 8073384 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{51F306A9-B054-4EEA-B856-3EE310A6DD3A}\mpengine.dll
2014-06-09 10:18 . 2014-06-09 10:25 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2014-06-06 02:16 . 2014-06-06 02:18 36035456 ----a-w- C:\asdsetup.exe
2014-06-06 01:39 . 2014-06-06 01:39 -------- d---a-w- C:\$Anvi Rescue Disk$
2014-06-05 01:49 . 2014-06-05 01:49 -------- d-----w- C:\found.000
2014-06-03 20:46 . 2014-06-09 10:11 -------- d-----w- c:\documents and settings\All Users\Application Data\669E4C92FAAD18858E21CBF7AB68797E
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-06-30 07:25 . 2014-04-09 20:58 110296 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-05-12 12:26 . 2014-04-09 20:58 53208 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-05-12 12:25 . 2014-03-05 22:19 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UTmedia"="c:\documents and settings\Gateway User\Local Settings\Application Data\UTmedia\CNBP_226.DLL" [2014-06-18 796672]
"KSS"="c:\program files\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe" [2012-12-07 202328]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 434080]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoAdminPage"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeStartMenu"= 00000000
"MaxRecentDocs"= 0 (0x0)
"NoWinKey"= 0 (0x0)
"NoNetConnextDisconnect"= 0 (0x0)
"NoSMConfigurePrograms"= 0 (0x0)
"NoControlPanle"= 0 (0x0)
"TaskbarNoNotification"= 0 (0x0)
"HideSCAHealth"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Audible Download Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Audible Download Manager.lnk
backup=c:\windows\pss\Audible Download Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gateway User^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Gateway User\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
NA [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-11-21 16:57 959904 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2011-10-06 07:52 59240 -c--a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2010-10-28 00:17 207424 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CoolSwitch]
2001-10-08 18:59 45632 -c--a-w- c:\windows\system32\TaskSwitch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gateway Extended Warranty]
2004-02-09 00:30 73728 -c--a-w- c:\program files\Gateway\GWCares\gwcares.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2009-02-27 00:36 30040 -c--a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAStorIcon]
2011-10-17 21:12 284440 -c--a-w- c:\program files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelAudioStudio]
2006-08-14 20:45 9138176 -c--a-w- c:\program files\Intel Audio Studio\IntelAudioStudio.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-02-07 00:51 3885408 -c--a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-14 06:42 212992 -c--a-w- c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spare Backup]
2007-09-14 00:22 5252936 -c--a-w- c:\program files\Spare Backup\SpareBackup.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
2007-04-10 21:46 709992 -c--a-w- c:\windows\vVX3000.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"MskService"=2 (0x2)
"MpfService"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)
"SeaPort"=2 (0x2)
"ose"=3 (0x3)
"IntuitUpdateService"=2 (0x2)
"idsvc"=3 (0x3)
"fsssvc"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"getPlus® Helper"=3 (0x3)
"BBUpdate"=2 (0x2)
"BBSvc"=3 (0x3)
"MSCamSvc"=2 (0x2)
"Symantec AntiVirus"=2 (0x2)
"SmcService"=2 (0x2)
"McComponentHostService"=3 (0x3)
"iPod Service"=3 (0x3)
"IAStorDataMgrSvc"=2 (0x2)
"gusvc"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Applian Technologies\\Freecorder 8 Applications\\Converter\\fcmediap.exe"=
"c:\\Program Files\\Applian Technologies\\Freecorder 8 Applications\\Audio\\fcaudiop.exe"=
"c:\\Program Files\\Applian Technologies\\Freecorder 8 Applications\\Screen\\fcscreenp.exe"=
"c:\\Program Files\\Applian Technologies\\Freecorder 8 Applications\\Video\\fcvideop.exe"=
"c:\\Program Files\\Applian Technologies\\Freecorder 8 Applications\\Video\\fctubep.exe"=
"c:\\Program Files\\Applian Technologies\\Freecorder 8 Applications\\Torrent\\fctorrentp.exe"=
"c:\\Program Files\\Applian Technologies\\Freecorder 8 Applications\\Torrent\\aria2c.exe"=
.
R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IPROSetMonitor.exe [2/20/2012 7:47 PM 132768]
R2 KSS;Kaspersky Security Scan Service;c:\program files\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe [12/7/2012 3:16 PM 202328]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes Anti-Malware\mbamscheduler.exe [4/9/2014 3:58 PM 1809720]
R3 IAMTXP;Driver for Intel® Active Management Technology - KCS;c:\windows\system32\drivers\IAMTXP.sys [2/8/2008 2:59 AM 40448]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/5/2014 5:19 PM 23256]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes Anti-Malware\mbamservice.exe [4/9/2014 3:58 PM 860472]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [6/2/2011 11:08 AM 11336]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [5/31/2006 11:17 PM 14336]
S4 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2/20/2012 7:47 PM 13592]
S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ    nosGetPlusHelper
HPZ12 REG_MULTI_SZ    Pml Driver HPZ12 Net Driver HPZ12
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-06-05 21:43 1165776 -c--a-w- c:\program files\Google\Chrome\Application\27.0.1453.110\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-06-09 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
- c:\windows\system32\xp_eos.exe [2014-06-09 01:59]
.
2014-06-18 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.com/
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-06-30 05:46
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1596)
c:\windows\system32\WININET.dll
c:\documents and settings\Gateway User\Local Settings\Application Data\UTmedia\CNBP_226.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\windows\system32\regsvr32.exe
c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2014-06-30  05:49:20 - machine was rebooted
ComboFix-quarantined-files.txt  2014-06-30 10:49
ComboFix2.txt  2014-06-26 11:45
ComboFix3.txt  2014-06-20 11:35
.
Pre-Run: 199,015,759,872 bytes free
Post-Run: 200,936,185,856 bytes free
.
- - End Of File - - 2C22DF01927DABF1444AA95C2EB67D48
 



#9 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:36 PM

Posted 30 June 2014 - 05:58 AM

Then proceed with malwarebytes, please



#10 67mike

67mike
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:05:36 PM

Posted 30 June 2014 - 06:12 AM

Malwarebytes Anti-Malware
www.malwarebytes.org

Update, 6/30/2014 6:01:31 AM, SYSTEM, HCGOULD, Manual, Malware Database, 2014.6.30.4, 2014.6.30.5,

(end)

Malwarebytes scan came up clean



#11 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:36 PM

Posted 30 June 2014 - 06:18 AM

Please post the whole content of the file.



#12 67mike

67mike
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:05:36 PM

Posted 30 June 2014 - 06:18 AM

The combofix scan came up with unknown malware. It was automatically zipped and submitted.



#13 67mike

67mike
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:05:36 PM

Posted 30 June 2014 - 07:43 AM

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 6/30/2014
Scan Time: 7:34:20 AM
Logfile: malbytes.txt
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.06.30.05
Rootkit Database: v2014.06.23.02
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: Gateway User

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 329645
Time Elapsed: 6 min, 24 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)



#14 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:36 PM

Posted 30 June 2014 - 08:35 AM

I've advised Combofix to zip and upload a suspicious file.

 

 

Scan with ESET Online Scan

Please go to here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file...
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.



#15 67mike

67mike
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:05:36 PM

Posted 30 June 2014 - 04:04 PM

C:\Documents and Settings\Gateway User\Local Settings\Application Data\UTmedia\CNBP_226.DLL a variant of Win32/Packed.Themida.AAJ trojan
C:\Documents and Settings\Gateway User\My Documents\solid-install\InstallManagerX.exe Win32/InstallMonetizer.AW potentially unwanted application
C:\Program Files\Laplink\PCmover\ThirdParty\registrybooster.exe probably a variant of Win32/RegistryBooster potentially unwanted application
Operating memory a variant of Win32/Packed.Themida.AAJ trojan