
XP machine freezing on start-up / Am I now free of ZeroAccess?


  • This topic is locked
17 replies to this topic

#1 Mr_Frustrated

Mr_Frustrated

  • Members
  • 35 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:56 AM

Posted 07 July 2014 - 04:44 PM

I have been running several scripts with help from "Boopme" under the heading "Windows XP machine freezes on startup" - please see my separate post. Hence it has been suggested that there may be more to do, and to check here whether I have any traces of the ZeroAccess malware.

 

As suggested here is: 

 

DDS.txt

 

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.60.2
Run by Blakes at 22:32:58 on 2014-07-07
Microsoft Windows XP Professional  5.1.2600.3.1252.44.1033.18.2046.827 [GMT 1:00]
.
AV: BullGuard Antivirus *Enabled/Updated* {7A9BB333-8EDF-4FDC-A2A5-1A30FA021913}
FW: BullGuard Firewall *Enabled* 
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Samsung\Kies\KiesTrayAgent.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\NetMeter\NetMeter.exe
c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Edimax\11n USB Wireless LAN Utility\RtWLan.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mStart Page = about:blank
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Easy Photo Print: {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Plug-In: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.9012.1008\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: EpsonToolBandKicker Class: {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: EPSON Web-To-Page: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Easy Photo Print: {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - c:\program files\epson software\easy photo print\EPTBL.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
uRun: [c:\program files\netmeter\netmeter.exe] c:\program files\netmeter\NetMeter.exe
uRun: [] c:\program files\samsung\kies\external\firmwareupdate\KiesPDLR.exe Run
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Lavasoft AdBlock] c:\program files\lavasoft\ad-aware adblocker (alpha)\AdBlocker.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [PCMService] "c:\program files\cyberlink\powercinema\PCMService.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [{1290A33C-85F5-4164-A1BE-7DD299D4986A}] "c:\program files\cyberlink\powerbackup\PBKScheduler.exe"
mRun: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanlu.exe" /r
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [P17Helper] Rundll32 SPIRun.dll,RunDLLEntry
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [KiesTrayAgent] c:\program files\samsung\kies\KiesTrayAgent.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [BullGuard] "c:\program files\bullguard ltd\bullguard\BullGuard.exe" -boot
mRun: [BullGuardUpdate2] c:\program files\bullguard ltd\bullguard\BullGuardUpdate2.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\edimax~1.lnk - c:\program files\edimax\11n usb wireless lan utility\RtWLan.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre7\bin\jp2iexp.dll
IE: {27FD17FB-CF63-486b-B2BE-8D8781CBEA01} - {27FD17FB-CF63-486b-B2BE-8D8781CBEA01} - c:\program files\bullguard ltd\bullguard\antiphishing\ie\BGAntiphishingIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.co.uk/s/v/55.11/uploader2.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1349694367796
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{2643E972-C04D-4597-A95A-F0F2F0F4B929} : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{48138ECA-D2EE-4C09-9C5A-474E2256198C} : DHCPNameServer = 192.168.1.254
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\896\G2AWinLogon.dll
AppInit_DLLs= c:\progra~1\bullgu~1\bullgu~1\BgAgent.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\35.0.1916.153\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R1 BdAgent;BullGuard Security Agent;c:\windows\system32\drivers\BdAgent.sys [2013-11-6 100944]
R1 BdSpy;BdSpy;c:\windows\system32\drivers\BdSpy.sys [2013-11-6 64992]
R1 NovaShieldFilterDriver;NovaShieldFilterDriver;c:\windows\system32\drivers\NSKernel.sys [2013-11-28 793360]
R1 NovaShieldTDIDriver;NovaShieldTDIDriver;c:\windows\system32\drivers\NSNetmon.sys [2013-11-28 19960]
R2 BsBackup;BullGuard backup service;c:\windows\system32\SvcHost.exe -k BullGuard_Backup [2019-3-7 14336]
R2 BsBhvScan;BullGuard Behavioural Detection;c:\program files\bullguard ltd\bullguard\BullGuardBhvScanner.exe [2014-1-13 466256]
R2 BsCache;BullGuard CODS service;c:\windows\system32\SvcHost.exe -k BullGuard_Cache [2019-3-7 14336]
R2 BsFileScan;BullGuard on-access service;c:\windows\system32\SvcHost.exe -k BullGuard [2019-3-7 14336]
R2 BsFire;BullGuard firewall service;c:\windows\system32\SvcHost.exe -k BullGuard [2019-3-7 14336]
R2 BsMailProxy;BullGuard e-mail monitoring service;c:\windows\system32\SvcHost.exe -k BullGuard_Proxy [2019-3-7 14336]
R2 BsMain;BullGuard main service;c:\windows\system32\SvcHost.exe -k BullGuard_Main [2019-3-7 14336]
R2 BsScanner;BullGuard scanning service;c:\program files\bullguard ltd\bullguard\BullGuardScanner.exe [2014-1-13 231760]
R2 BsUpdate;BullGuard update service;c:\program files\bullguard ltd\bullguard\BullGuardUpdate.exe [2014-6-18 314704]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [2014-1-16 36104]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [2014-1-16 289032]
R3 vrvd5;vrvd5;c:\windows\system32\drivers\vrvd5.sys [2014-1-23 11296]
S2 HPFECP15;HPFECP15;c:\windows\system32\drivers\HPFecp15.sys [1999-2-16 52800]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [2013-12-3 84248]
S3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [2013-7-13 20032]
S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [2013-2-25 594048]
S3 S6U12Scanner;MUSTEK 1200 CU Still Image Device Service;c:\windows\system32\drivers\usbscan.sys [2007-9-9 14976]
S3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [2013-12-3 182680]
S4 m5287;m5287;c:\windows\system32\drivers\m5287.sys [2005-12-2 85888]
S4 m5289;m5289;c:\windows\system32\drivers\m5289.sys [2005-12-2 51840]
.
=============== Created Last 30 ================
.
2019-03-07 17:56:59 99328 ----a-w- c:\windows\system32\winscard.dll
2019-03-07 17:53:51 -------- d-----w- C:\cmpnents
2014-07-07 21:28:55 688992 ------r- c:\program files\dds.com
2014-07-07 15:08:48 4009167 ----a-w- c:\program files\ServicesRepair (2).exe
2014-07-03 16:55:13 -------- d-----w- c:\program files\Tweaking.com
2014-07-03 16:51:24 5461664 ----a-w- c:\program files\tweaking.com_windows_repair_aio_setup.exe
2014-07-02 23:05:22 -------- d-----w- c:\program files\ESET
2014-07-02 23:03:32 2347384 ----a-w- c:\program files\esetsmartinstaller_enu.exe
2014-07-02 22:48:47 -------- d-----w- c:\windows\ERUNT
2014-07-02 22:44:48 1016261 ----a-w- c:\program files\JRT.exe
2014-07-02 18:41:16 401920 ----a-w- c:\program files\MiniToolBox.exe
2014-07-01 20:02:33 110296 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-07-01 20:02:17 53208 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-07-01 20:02:17 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-07-01 20:02:17 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-07-01 20:02:17 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2014-07-01 17:26:52 17292208 ----a-w- c:\program files\mbam-setup.exe
2014-07-01 16:57:21 -------- d-----w- c:\program files\CPUID
2014-07-01 16:55:53 1141408 ----a-w- c:\program files\hwmonitor_1.25-setup.exe
2014-07-01 14:41:12 -------- d-----w- C:\I386
2014-07-01 14:08:45 26771088 ----a-w- c:\program files\SeaToolsforWindowsSetup.exe
2014-06-10 15:39:03 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
.
==================== Find3M  ====================
.
2014-07-04 12:29:29 1682 --sha-w- c:\windows\system32\KGyGaAvL.sys
2014-06-18 14:09:47 63312 ----a-w- c:\windows\system32\BGLsp.dll
2014-06-18 14:09:47 140280 ----a-w- c:\windows\system32\BgGamingMonitor.dll
2014-06-18 14:09:42 100944 ----a-w- c:\windows\system32\drivers\BdAgent.sys
2014-05-29 14:37:39 96680 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-05-29 14:37:37 145408 ----a-w- c:\windows\system32\javacpl.cpl
2014-05-17 14:18:15 692400 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-05-17 14:18:11 70832 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-04-29 11:53:30 343456 ----a-w- c:\windows\system32\drivers\Trufos.sys
2014-01-05 16:34:00 5487016 ----a-w- c:\program files\Windows8-UpgradeAssistant.exe
2012-09-21 18:22:49 1634516 ----a-w- c:\program files\CHK-Mate_Setup.exe
2011-06-07 16:39:58 3020664 ----a-w- c:\program files\SyncToySetupPackage_v21_x86.exe
2011-06-05 12:35:11 11111936 ----a-w- c:\program files\PerSono_Suite_11313323.msi
2011-06-04 19:57:28 1029000 ----a-w- c:\program files\SkypeSetup.exe
2008-02-23 19:52:17 877281 ----a-w- c:\program files\MeshOnline.exe
2004-08-10 19:00:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 00:12:07 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 00:12:01 413696 --sha-w- c:\windows\system32\msvcp60.dll
2013-01-26 03:55:44 552448 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12:02 84992 --sha-w- c:\windows\system32\olepro32.dll
2008-04-14 00:12:32 11776 --sh--w- c:\windows\system32\regsvr32.exe
.
============= FINISH: 22:34:07.64 ===============
 
 
...and I am attaching the file generated from running DDS.com.
 
ATTACH.TXT

 

Thanks for any feedback on the state of my machine.





#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:56 AM

Posted 08 July 2014 - 12:25 PM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

Please download Malwarebytes Anti-Rootkit from here

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • If any threats are found, don't click the Cleanup button - rather save the log and post it up in your topic.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#3 Mr_Frustrated

Mr_Frustrated
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:56 AM

Posted 08 July 2014 - 02:27 PM

Hi Marius,  thanks for your help.

 

First issue / query: I started to extract the downloaded program to my machine and got the following message. So far I've said "no"; I believe the app is going to install and start, but I thought I'd check....

 

Registry value "appinit dlls" had been found which may be caused by rootkit activity.  Note press "no" button if you're not sure.  If the tool crashes or terminates unexpectedly during a system scan, restart the tool and press "yes" should this message appear again.....Do you want to remove this value and restart the tool?  Yes / No. 

 

Any advice?  Thanks.
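The "appinit dlls" value that Malwarebytes Anti-Rootkit warns about is visible in the DDS log posted above (AppInit_DLLs= c:\progra~1\bullgu~1\bullgu~1\BgAgent.dll). The script below is an added example, not code from this thread, from DDS or from Malwarebytes: it parses those DDS lines and ties the 8.3-style DLL path back to the startup entries, services and AV/FW products in the same log, so the entry can be tied to an installed product before treating it as a rootkit sign. The 8.3 shortening rule, the known/vendor/unrecognised verdicts and the second sample's PLACEHOLDER path are my own assumptions.

```python
"""Triage the AppInit_DLLs entry of a DDS log against the rest of the same log.
Added example; the heuristic is mine, not DDS's or Malwarebytes'."""
import re

# Constructed sample: lines copied from the DDS.txt posted in this thread.
SAMPLE_DDS = r"""
AV: BullGuard Antivirus *Enabled/Updated* {7A9BB333-8EDF-4FDC-A2A5-1A30FA021913}
FW: BullGuard Firewall *Enabled*
mRun: [BullGuard] "c:\program files\bullguard ltd\bullguard\BullGuard.exe" -boot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
AppInit_DLLs= c:\progra~1\bullgu~1\bullgu~1\BgAgent.dll
R1 BdAgent;BullGuard Security Agent;c:\windows\system32\drivers\BdAgent.sys [2013-11-6 100944]
R2 BsMain;BullGuard main service;c:\windows\system32\SvcHost.exe -k BullGuard_Main [2019-3-7 14336]
"""

# Constructed negative case (placeholder path, not from the thread): a DLL that no
# startup entry, service or AV/FW line in the log accounts for.
SAMPLE_UNKNOWN = r"""
AV: BullGuard Antivirus *Enabled/Updated* {7A9BB333-8EDF-4FDC-A2A5-1A30FA021913}
mRun: [BullGuard] "c:\program files\bullguard ltd\bullguard\BullGuard.exe" -boot
AppInit_DLLs= c:\docume~1\alluse~1\applic~1\PLACEHOLDER-unknown.dll
"""

# First drive-letter path ending in .exe/.dll/.sys on a DDS line (quotes and [date size] excluded).
PATH_RE = re.compile(r'([a-z]:\\[^"\[]+?\.(?:exe|dll|sys))', re.I)


def short_name(component):
    """Approximate the 8.3 short name Windows gives a long path component.

    Rule of thumb, not the exact NTFS algorithm: drop spaces and dots, keep the first
    six characters, append ~1.  'program files' -> 'progra~1', 'bullguard ltd' -> 'bullgu~1'.
    Names of eight characters or fewer without spaces or dots are left unchanged.
    """
    base = re.sub(r"[ .]", "", component).lower()
    if len(base) <= 8 and " " not in component and "." not in component:
        return base
    return base[:6] + "~1"


def short_dir(path):
    """Directory part of a path with every component in 8.3 form, lower-case.
    Components that already contain '~' are taken to be short names already."""
    parts = path.lower().split("\\")[:-1]
    return "\\".join(p if "~" in p else short_name(p) for p in parts)


def parse_dds(text):
    """Collect what the triage needs: security products (AV:/FW: lines), the
    AppInit_DLLs value, and the 8.3 directory of every startup/service binary."""
    info = {"products": [], "appinit": [], "dirs": {}}
    for line in text.splitlines():
        if line.startswith(("AV:", "FW:")):
            info["products"].append(line.split(":", 1)[1].split("*")[0].strip())
        elif line.startswith("AppInit_DLLs="):
            value = line.split("=", 1)[1]
            info["appinit"] = [d for d in re.split(r"[ ,;]+", value) if d]
        else:
            m = PATH_RE.search(line)
            if m:
                # First hit per directory wins; keep the whole line as evidence.
                info["dirs"].setdefault(short_dir(m.group(1)), line.strip())
    return info


def triage_appinit(text):
    """One finding per AppInit DLL: 'known' when a startup entry or service in the log
    lives in the same directory, 'vendor' when only an AV/FW product name matches the
    path, otherwise 'unrecognised' (a persistence location worth a closer look)."""
    info = parse_dds(text)
    findings = []
    for dll in info["appinit"]:
        sdir = short_dir(dll)
        evidence = info["dirs"].get(sdir)
        vendor = next((p for p in info["products"]
                       if p and p.split()[0].lower()[:6] in sdir), None)
        if evidence:
            verdict = "known"
        elif vendor:
            verdict = "vendor"
        else:
            verdict = "unrecognised"
        findings.append({"dll": dll, "verdict": verdict,
                         "evidence": evidence, "product": vendor})
    return findings


if __name__ == "__main__":
    for f in triage_appinit(SAMPLE_DDS) + triage_appinit(SAMPLE_UNKNOWN):
        print(f["verdict"], f["dll"], "<-", f["evidence"] or f["product"] or "no match")
```

A "known" verdict only says the DLL sits in an installed product's directory; confirming it is that product's file still means checking its signature or hash on the machine.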



#4 Mr_Frustrated

Mr_Frustrated
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:56 AM

Posted 09 July 2014 - 12:52 PM

Hi,

 

Having not seen any comments, I then chose "yes" when restarting this program.

 

Scan completed without issue and the conclusion was positive:

"no malware found. no clean-up required"

Here are the two log files:

 

system-log.txt

 

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.07.0.1012
 
© Malwarebytes Corporation 2011-2012
 
OS version: 5.1.2600 Windows XP Service Pack 3 x86
 
Account is Administrative
 
Internet Explorer version: 8.0.6001.18702
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.400000 GHz
Memory total: 2145832960, free: 1039876096
 
=======================================
 
 
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1012
 
© Malwarebytes Corporation 2011-2012
 
OS version: 5.1.2600 Windows XP Service Pack 3 x86
 
Account is Administrative
 
Internet Explorer version: 8.0.6001.18702
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.400000 GHz
Memory total: 2145832960, free: 1254064128
 
=======================================
 
 
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1012
 
© Malwarebytes Corporation 2011-2012
 
OS version: 5.1.2600 Windows XP Service Pack 3 x86
 
Account is Administrative
 
Internet Explorer version: 8.0.6001.18702
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.400000 GHz
Memory total: 2145832960, free: 1260630016
 
=======================================
 
 
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1012
 
© Malwarebytes Corporation 2011-2012
 
OS version: 5.1.2600 Windows XP Service Pack 3 x86
 
Account is Administrative
 
Internet Explorer version: 8.0.6001.18702
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.400000 GHz
Memory total: 2145832960, free: 1101971456
 
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1012
 
© Malwarebytes Corporation 2011-2012
 
OS version: 5.1.2600 Windows XP Service Pack 3 x86
 
Account is Administrative
 
Internet Explorer version: 8.0.6001.18702
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.400000 GHz
Memory total: 2145832960, free: 1217613824
 
Downloaded database version: v2014.07.09.07
Downloaded database version: v2014.07.07.01
=======================================
Initializing...
------------ Kernel report ------------
     07/09/2014 18:29:02
------------ Loaded modules -----------
\WINDOWS\system32\ntkrnlpa.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
pciide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
MountMgr.sys
ftdisk.sys
dmload.sys
dmio.sys
PartMgr.sys
VolSnap.sys
atapi.sys
jraid.sys
\WINDOWS\system32\DRIVERS\SCSIPORT.SYS
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
fltmgr.sys
sr.sys
PxHelp20.sys
KSecDD.sys
WudfPf.sys
Ntfs.sys
NDIS.sys
ohci1394.sys
\WINDOWS\system32\DRIVERS\1394BUS.SYS
Mup.sys
JGOGO.sys
\SystemRoot\system32\DRIVERS\nic1394.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\nv4_mini.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\DRIVERS\usbohci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\imapi.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\redbook.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\System32\Drivers\GEARAspiWDM.sys
\SystemRoot\system32\drivers\P17xfi.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\DRIVERS\ctoss2k.sys
\SystemRoot\system32\DRIVERS\ctsfm2k.sys
\SystemRoot\system32\drivers\p17xfilt.sys
\SystemRoot\system32\DRIVERS\nvnetbus.sys
\SystemRoot\system32\DRIVERS\NVNRM.SYS
\SystemRoot\system32\DRIVERS\NVSNPU.SYS
\SystemRoot\system32\DRIVERS\ASACPI.sys
\SystemRoot\system32\DRIVERS\afw.sys
\SystemRoot\system32\DRIVERS\afwcore.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\audstub.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\rdpdr.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\vrvd5.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\system32\DRIVERS\NVENETFD.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\System32\Drivers\i2omgmt.SYS
\SystemRoot\system32\DRIVERS\BdAgent.sys
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\drivers\BdSpy.sys
\SystemRoot\system32\DRIVERS\NSKernel.sys
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\ipnat.sys
\SystemRoot\system32\DRIVERS\NSNetmon.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\arp1394.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\nv4_disp.dll
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\DRIVERS\AegisP.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\mrxdav.sys
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\system32\DRIVERS\Trufos.sys
\SystemRoot\System32\Drivers\HTTP.sys
\SystemRoot\System32\Drivers\MASPINT.SYS
\SystemRoot\system32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\kmixer.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk4\DR6
Upper Device Object: 0xffffffff89b0bab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\0000007b\
Lower Device Object: 0xffffffff8996ed08
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk3\DR5
Upper Device Object: 0xffffffff8984dab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\0000007a\
Lower Device Object: 0xffffffff89912d08
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk2\DR4
Upper Device Object: 0xffffffff897e77a8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000079\
Lower Device Object: 0xffffffff89915980
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR3
Upper Device Object: 0xffffffff897e7030
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000078\
Lower Device Object: 0xffffffff89837308
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8a577ab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP2T0L0-e\
Lower Device Object: 0xffffffff8a5b6d98
Lower Device Driver Name: \Driver\atapi\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff8a577ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8a550600, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8a577ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8a5a4f18, DeviceName: \Device\00000071\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff8a5b6d98, DeviceName: \Device\Ide\IdeDeviceP2T0L0-e\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: DA3B81F4
 
Partition information:
 
    Partition 0 type is Other (0x1c)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63  Numsec = 9221247
 
    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 9221310  Numsec = 615916035
    Partition file system is NTFS
    Partition is bootable
 
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
Disk Size: 320072933376 bytes
Sector size: 512 bytes
 
Scanning physical sectors of unpartitioned space on drive 0 (1-62-625122448-625142448)...
Done!
Physical Sector Size: 0
Drive: 1, DevicePointer: 0xffffffff897e7030, DeviceName: \Device\Harddisk1\DR3\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8991a300, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff897e7030, DeviceName: \Device\Harddisk1\DR3\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff89837308, DeviceName: \Device\00000078\, DriverName: \Driver\USBSTOR\
------------ End ----------
Physical Sector Size: 0
Drive: 2, DevicePointer: 0xffffffff897e77a8, DeviceName: \Device\Harddisk2\DR4\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff89878660, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff897e77a8, DeviceName: \Device\Harddisk2\DR4\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff89915980, DeviceName: \Device\00000079\, DriverName: \Driver\USBSTOR\
------------ End ----------
Physical Sector Size: 0
Drive: 3, DevicePointer: 0xffffffff8984dab8, DeviceName: \Device\Harddisk3\DR5\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8984fc70, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8984dab8, DeviceName: \Device\Harddisk3\DR5\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff89912d08, DeviceName: \Device\0000007a\, DriverName: \Driver\USBSTOR\
------------ End ----------
Physical Sector Size: 0
Drive: 4, DevicePointer: 0xffffffff89b0bab8, DeviceName: \Device\Harddisk4\DR6\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff89840b78, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff89b0bab8, DeviceName: \Device\Harddisk4\DR6\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8996ed08, DeviceName: \Device\0000007b\, DriverName: \Driver\USBSTOR\
------------ End ----------
Scan finished
=======================================
 
 
Removal queue found; removal started
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\VBR-0-1-9221310-i.mbam...
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removal finished
 
 
mbar-log-2014-07-09 (18-30-57).txt
 
Malwarebytes Anti-Rootkit BETA 1.07.0.1012
www.malwarebytes.org
 
Database version: v2014.07.09.07
 
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Blakes :: MESHPC [administrator]
 
09/07/2014 18:30:57
mbar-log-2014-07-09 (18-30-57).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 297332
Time elapsed: 16 minute(s), 41 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
 
 
 


#5 Mr_Frustrated

Mr_Frustrated
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:56 AM

Posted 09 July 2014 - 02:56 PM

...And then guess what: the next time I start up my machine, having posted these results, it freezes again - for the first time in several days - so something is still not right??????



#6 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:56 AM

Posted 09 July 2014 - 03:58 PM

OK, let's see if any malicious files are left behind.

Afterwards, we'll have a look at your system files.

 

 

 

Scan with ESET Online Scan

Please go here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#7 Mr_Frustrated

Mr_Frustrated
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:56 AM

Posted 10 July 2014 - 04:11 AM

Hello,

 

I had run ESET under instructions from the previous helper Boopme in my other ticket.  The results then found three files in quarantine, but no other threats - see below.  The report then said that these files were deleted from the quarantine area.

 

C:\Documents and Settings\Blakes\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\logo.png-490c8874-53e9c595.zip a variant of Java/Exploit.CVE-2013-1493.FA trojan cleaned by deleting - quarantined
C:\Program Files\cbsidlm-cbsi4_1_2-Pandora_Recovery-10694796.exe a variant of Win32/CNETInstaller.A potentially unwanted application deleted - quarantined
C:\Program Files\FreeAudioConverter.exe Win32/OpenCandy potentially unsafe application deleted - quarantined
 

This time the scan found no threats. Confusingly, it listed the same three files as before (which I thought were already deleted?). I did not tick the option to delete quarantined files, so I think that as a result no report was created and these files still sit in ESET quarantine? Is there something funny about these files that we need to worry about?

 

By the way: the machine is now back to freezing at the end of every start-up (that is: after seeing the desktop and the startup programs still completing, everything freezes, requiring a reboot), i.e. since the Malwarebytes rootkit program ran. Before that, for a few days, i.e. after the other routines in the other ticket were done, it appeared to have stopped doing this. I looked in the Event log, but can't see any useful info there or anywhere else... so I don't seem to have fixed the underlying problem yet.

 

Thanks for your continued support!



#8 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:56 AM

Posted 13 July 2014 - 12:25 PM

OK, let's try something else:

 

 

 

Combofix

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications


====================================================


Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


RC_update.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


cfRC_screen_2.png


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.



#9 Mr_Frustrated

Mr_Frustrated
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:56 AM

Posted 14 July 2014 - 07:51 AM

Hi,

 

As requested, latest results:

 

ComboFix 14-07-14.01 - Blakes 14/07/2014  13:28:36.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.44.1033.18.2046.1200 [GMT 1:00]
Running from: c:\documents and settings\Blakes\Desktop\ComboFix.exe
AV: BullGuard Antivirus *Disabled/Outdated* {7A9BB333-8EDF-4FDC-A2A5-1A30FA021913}
FW: BullGuard Firewall *Disabled* {2AEF4CB6-61B5-4E60-AF22-D95E75B63FA1}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Blakes\GoToAssistDownloadHelper.exe
c:\documents and settings\Blakes\WINDOWS
c:\program files\mbar-1.07.0.1012.exe
c:\windows\~GLC0000.TMP
c:\windows\~GLC0001.TMP
c:\windows\~GLC0002.TMP
c:\windows\~GLC0003.TMP
c:\windows\~GLC0004.TMP
c:\windows\~GLC0005.TMP
c:\windows\system32\Cache
c:\windows\system32\FE05DA0D.dll
c:\windows\system32\FE05EFED.dll
c:\windows\system32\FE05F051.dll
c:\windows\system32\FE05F3D5.dll
c:\windows\system32\html
c:\windows\system32\html\blank.htm
c:\windows\system32\html\bot.htm
c:\windows\system32\html\innerframeset.htm
c:\windows\system32\html\left.htm
c:\windows\system32\html\main.htm
c:\windows\system32\html\middle.htm
c:\windows\system32\html\rightframeset.htm
c:\windows\system32\html\top.htm
c:\windows\system32\html\website.htm
c:\windows\system32\images
c:\windows\system32\images\3models.gif
c:\windows\system32\images\but3_off.gif
c:\windows\system32\images\but3_on.gif
c:\windows\system32\images\main_bot.gif
c:\windows\system32\images\main_mid.gif
c:\windows\system32\images\main_top.gif
c:\windows\system32\images\model1.gif
c:\windows\system32\images\panel_bot.gif
c:\windows\system32\images\panel_top.gif
c:\windows\system32\images\pc.gif
c:\windows\system32\images\pcw_award_cover.gif
c:\windows\system32\images\pcwcover.gif
c:\windows\system32\images\Thumbs.db
c:\windows\system32\images\topoff.gif
c:\windows\system32\images\topon.gif
c:\windows\system32\images\webscreen.gif
c:\windows\system32\SET8E.tmp
c:\windows\system32\SET9A.tmp
c:\windows\system32\SETA5.tmp
c:\windows\system32\SETA7.tmp
c:\windows\system32\SETBE.tmp
c:\windows\system32\SETBF.tmp
c:\windows\system32\Thumbs.db
c:\windows\system32\tmp2E.tmp
.
.
(((((((((((((((((((((((((   Files Created from 2014-06-14 to 2014-07-14  )))))))))))))))))))))))))))))))
.
.
2019-03-07 17:56 . 2014-03-06 17:59 920064 -c--a-w- c:\windows\system32\dllcache\wininet.dll
2019-03-07 17:53 . 2019-03-07 17:53 -------- d-----w- C:\cmpnents
2014-07-10 08:07 . 2014-07-10 08:07 2347384 ----a-w- c:\program files\esetsmartinstaller_enu (1).exe
2014-07-01 20:02 . 2014-07-09 17:28 54232 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-07-01 20:02 . 2014-07-01 20:02 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-07-01 20:02 . 2014-07-01 20:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2014-07-01 20:02 . 2014-05-12 06:35 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-07-01 17:26 . 2014-07-01 17:27 17292208 ----a-w- c:\program files\mbam-setup.exe
2014-07-01 16:57 . 2014-07-01 16:57 -------- d-----w- c:\program files\CPUID
2014-07-01 16:55 . 2014-07-01 16:55 1141408 ----a-w- c:\program files\hwmonitor_1.25-setup.exe
2014-07-01 14:41 . 2014-07-01 14:43 -------- d-----w- C:\I386
2014-07-01 14:08 . 2014-07-01 14:08 26771088 ----a-w- c:\program files\SeaToolsforWindowsSetup.exe
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-07-14 12:10 . 2014-01-22 11:40 140280 ----a-w- c:\windows\system32\BgGamingMonitor.dll
2014-07-14 12:10 . 2013-11-18 11:17 63312 ----a-w- c:\windows\system32\BGLsp.dll
2014-07-08 19:16 . 2012-04-06 13:35 699056 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-07-08 19:16 . 2011-10-07 09:59 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-06-18 14:09 . 2013-11-06 10:53 100944 ----a-w- c:\windows\system32\drivers\BdAgent.sys
2014-05-29 14:37 . 2014-05-29 14:37 96680 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-05-29 14:37 . 2014-05-29 14:37 145408 ----a-w- c:\windows\system32\javacpl.cpl
2014-04-29 11:53 . 2014-04-29 11:54 343456 ----a-w- c:\windows\system32\drivers\Trufos.sys
2014-01-05 16:34 . 2014-01-05 16:33 5487016 ----a-w- c:\program files\Windows8-UpgradeAssistant.exe
2012-09-21 18:22 . 2012-09-21 18:22 1634516 ----a-w- c:\program files\CHK-Mate_Setup.exe
2011-06-07 16:39 . 2011-06-07 16:39 3020664 ----a-w- c:\program files\SyncToySetupPackage_v21_x86.exe
2011-06-05 12:35 . 2011-06-05 12:35 11111936 ----a-w- c:\program files\PerSono_Suite_11313323.msi
2011-06-04 19:57 . 2011-06-04 19:57 1029000 ----a-w- c:\program files\SkypeSetup.exe
2008-02-23 19:52 . 2008-02-23 19:52 877281 ----a-w- c:\program files\MeshOnline.exe
2004-08-10 19:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 00:12 50688 --sh--w- c:\windows\twain_32.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupOverlayErr]
@="{8749448C-D907-45BF-A842-4D3898894AC8}"
[HKEY_CLASSES_ROOT\CLSID\{8749448C-D907-45BF-A842-4D3898894AC8}]
2014-07-14 12:10 275792 ----a-w- c:\program files\BullGuard Ltd\BullGuard\BackupShellHook.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupOverlayInProgress]
@="{3FFBF330-7839-476B-BE14-2C8597CE11B6}"
[HKEY_CLASSES_ROOT\CLSID\{3FFBF330-7839-476B-BE14-2C8597CE11B6}]
2014-07-14 12:10 275792 ----a-w- c:\program files\BullGuard Ltd\BullGuard\BackupShellHook.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupOverlaySynced]
@="{C62CF4DB-48CB-4B03-BFD0-30A29125FA49}"
[HKEY_CLASSES_ROOT\CLSID\{C62CF4DB-48CB-4B03-BFD0-30A29125FA49}]
2014-07-14 12:10 275792 ----a-w- c:\program files\BullGuard Ltd\BullGuard\BackupShellHook.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c:\program files\NetMeter\NetMeter.exe"="c:\program files\NetMeter\NetMeter.exe" [2007-08-11 331264]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2013-07-29 39408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"PCMService"="c:\program files\CyberLink\PowerCinema\PCMService.exe" [2005-01-14 110744]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"{1290A33C-85F5-4164-A1BE-7DD299D4986A}"="c:\program files\CyberLink\PowerBackup\PBKScheduler.exe" [2004-06-08 69721]
"Ptipbmf"="ptipbmf.dll" [2003-06-20 118784]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-07-28 122880]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-11-06 7774208]
"nwiz"="nwiz.exe" [2006-11-06 1622016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-11-06 81920]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 576320]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"P17Helper"="SPIRun.dll" [2006-07-03 10752]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"KiesTrayAgent"="c:\program files\Samsung\Kies\KiesTrayAgent.exe" [2013-12-11 311152]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-12-18 959904]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\BullGuard.exe" [2014-07-14 1048912]
"BullGuardUpdate2"="c:\program files\bullguard ltd\bullguard\BullGuardUpdate2.exe" [2014-07-14 2307920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2014-05-07 256896]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Edimax 11n USB Wireless LAN Utility.lnk - c:\program files\Edimax\11n USB Wireless LAN Utility\RtWLan.exe /H [2013-2-25 966656]
Exif Launcher.lnk - c:\program files\FinePixViewer\QuickDCF.exe [2007-4-5 241664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2014-05-23 11:45 14232 ----a-w- c:\program files\Citrix\GoToAssist\896\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BsMain]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BsScanner]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PsiWin 2.3 Connection Server.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PsiWin 2.3 Connection Server.lnk
backup=c:\windows\pss\PsiWin 2.3 Connection Server.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Blakes^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\Blakes\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2005-09-19 00:02 7083056 ----a-w- c:\program files\MSN Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
2005-09-19 00:02 7083056 ----a-w- c:\program files\MSN Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2001-07-03 08:11 57344 ----a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
2004-01-26 10:38 866816 ----a-w- c:\program files\Thomson\SpeedTouch USB\dragdiag.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerCinema\\PowerCinema.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Edimax\\11n USB Wireless LAN Utility\\RtWLan.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1542:TCP"= 1542:TCP:Realtek WPS TCP Prot
"1542:UDP"= 1542:UDP:Realtek WPS UDP Prot
"53:UDP"= 53:UDP:Realtek AP UDP Prot
.
R1 BdAgent;BullGuard Security Agent;c:\windows\system32\drivers\BdAgent.sys [06/11/2013 11:53 100944]
R1 BdSpy;BdSpy;c:\windows\system32\drivers\BdSpy.sys [06/11/2013 11:53 64992]
R1 NovaShieldFilterDriver;NovaShieldFilterDriver;c:\windows\system32\drivers\NSKernel.sys [28/11/2013 14:23 793360]
R1 NovaShieldTDIDriver;NovaShieldTDIDriver;c:\windows\system32\drivers\NSNetmon.sys [28/11/2013 14:23 19960]
R2 BsBackup;BullGuard backup service;c:\windows\System32\SvcHost.exe -k BullGuard_Backup [07/03/2019 18:56 14336]
R2 BsBhvScan;BullGuard Behavioural Detection;c:\program files\BullGuard Ltd\BullGuard\BullGuardBhvScanner.exe [13/01/2014 09:02 465744]
R2 BsCache;BullGuard CODS service;c:\windows\System32\SvcHost.exe -k BullGuard_Cache [07/03/2019 18:56 14336]
R2 BsFileScan;BullGuard on-access service;c:\windows\System32\SvcHost.exe -k BullGuard [07/03/2019 18:56 14336]
R2 BsFire;BullGuard firewall service;c:\windows\System32\SvcHost.exe -k BullGuard [07/03/2019 18:56 14336]
R2 BsMailProxy;BullGuard e-mail monitoring service;c:\windows\System32\SvcHost.exe -k BullGuard_Proxy [07/03/2019 18:56 14336]
R2 BsMain;BullGuard main service;c:\windows\System32\SvcHost.exe -k BullGuard_Main [07/03/2019 18:56 14336]
R2 BsScanner;BullGuard scanning service;c:\program files\BullGuard Ltd\BullGuard\BullGuardScanner.exe [13/01/2014 09:02 231760]
R2 BsUpdate;BullGuard update service;c:\program files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe [14/07/2014 13:07 314704]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [16/01/2014 15:47 36104]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [16/01/2014 15:47 289032]
R3 vrvd5;vrvd5;c:\windows\system32\drivers\vrvd5.sys [23/01/2014 12:14 11296]
S2 HPFECP15;HPFECP15;c:\windows\system32\drivers\HPFecp15.sys [16/02/1999 17:28 52800]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [03/12/2013 21:10 84248]
S3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [13/07/2013 13:06 20032]
S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [25/02/2013 23:21 594048]
S3 S6U12Scanner;MUSTEK 1200 CU Still Image Device Service;c:\windows\system32\drivers\usbscan.sys [09/09/2007 11:58 14976]
S3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [03/12/2013 21:10 182680]
S4 m5287;m5287;c:\windows\system32\drivers\m5287.sys [02/12/2005 18:08 85888]
S4 m5289;m5289;c:\windows\system32\drivers\m5289.sys [02/12/2005 18:08 51840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
BullGuard_Main REG_MULTI_SZ   BsMain
BullGuard REG_MULTI_SZ   BsFileScan BsFire
BullGuard_Proxy REG_MULTI_SZ   BsMailProxy
BullGuard_Backup REG_MULTI_SZ   BsBackup
BullGuard_Cache REG_MULTI_SZ   BsCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-06-13 16:30 1091912 ----a-w- c:\program files\Google\Chrome\Application\35.0.1916.153\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-07-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-06 19:16]
.
2013-06-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
2014-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-07-29 17:50]
.
2014-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-07-29 17:50]
.
2014-07-08 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
- c:\windows\system32\xp_eos.exe [2014-03-27 01:59]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: bt.com\myoffice
Trusted Zone: google.co.uk\picasaweb
TCP: DhcpNameServer = 192.168.1.254
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKCU-Run-Lavasoft AdBlock - c:\program files\Lavasoft\Ad-Aware AdBlocker (Alpha)\AdBlocker.exe
AddRemove-01_Simmental - c:\program files\Samsung\USB Drivers\01_Simmental\Uninstall.exe
AddRemove-02_Siberian - c:\program files\Samsung\USB Drivers\02_Siberian\Uninstall.exe
AddRemove-03_Swallowtail - c:\program files\Samsung\USB Drivers\03_Swallowtail\Uninstall.exe
AddRemove-04_semseyite - c:\program files\Samsung\USB Drivers\04_semseyite\Uninstall.exe
AddRemove-07_Schorl - c:\program files\Samsung\USB Drivers\07_Schorl\Uninstall.exe
AddRemove-09_Hsp - c:\program files\Samsung\USB Drivers\09_Hsp\Uninstall.exe
AddRemove-11_HSP_Plus_Default - c:\program files\Samsung\USB Drivers\11_HSP_Plus_Default\Uninstall.exe
AddRemove-16_Shrewsbury - c:\program files\Samsung\USB Drivers\16_Shrewsbury\Uninstall.exe
AddRemove-20_NXP_Driver - c:\program files\Samsung\USB Drivers\20_NXP_Driver\Uninstall.exe
AddRemove-24_flashusbdriver - c:\program files\Samsung\USB Drivers\24_flashusbdriver\Uninstall.exe
AddRemove-25_escape - c:\program files\Samsung\USB Drivers\25_escape\Uninstall.exe
AddRemove-MyFreeCodec - c:\program files\MyFree Codec\1.0b beta\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-07-14 13:36
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(520)
c:\program files\Citrix\GoToAssist\896\G2AWinLogon.dll
.
- - - - - - - > 'explorer.exe'(4168)
c:\windows\system32\WININET.dll
c:\program files\BullGuard Ltd\BullGuard\spamfilter\LittleHook.dll
c:\program files\BullGuard Ltd\BullGuard\BackupShellHook.dll
c:\windows\system32\MSVCP110.dll
c:\windows\system32\MSVCR110.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
c:\program files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
c:\windows\eHome\ehRecvr.exe
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\windows\eHome\ehSched.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\ehome\mcrdsvc.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\Rundll32.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
c:\program files\Edimax\11n USB Wireless LAN Utility\RtWLan.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2014-07-14  13:40:58 - machine was rebooted
ComboFix-quarantined-files.txt  2014-07-14 12:40
.
Pre-Run: 248,237,977,600 bytes free
Post-Run: 248,579,026,944 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 19F172C28A00EE62CD73CB2F3F7C028B
564FD35314278444C09289C7D23E0635
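The ComboFix report above is plain text with a fixed layout: banner lines of parentheses name each section, "Files Created" and "Find3M" entries carry a created time, a modified time, a size, an attribute string and a path, and Run-key entries carry a value name, a command and a bracketed date and size. The following Python is an added triage helper written for this thread (it is not ComboFix's own code and does nothing but read text). It splits a report into sections, lists what was deleted, pulls out entries whose timestamps lie after the report's completion time (the log above shows files "created" in 2019 inside a report that finished in July 2014, which is either a wrong system clock or a manipulated timestamp, and either way worth a second look), and lists Run-key values that name a bare file rather than a full path, since such a value is resolved through the loader's search order and a reviewer should locate the file explicitly. The sample report is a constructed, abridged excerpt modelled on the log above.

```python
"""Triage helper for ComboFix-style text reports.
Added example for this thread; it is not ComboFix's own code and only reads text."""
import re
from datetime import datetime

# Constructed sample: an abridged excerpt modelled on the report posted above.
SAMPLE_REPORT = """\
ComboFix 14-07-14.01 - Blakes 14/07/2014  13:28:36.1.2 - x86
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\\windows\\system32\\FE05DA0D.dll
c:\\windows\\system32\\html\\bot.htm
.
(((((((((((((((((((((((((   Files Created from 2014-06-14 to 2014-07-14  )))))))))))))))))))))))))))))))
.
2019-03-07 17:56 . 2014-03-06 17:59 920064 -c--a-w- c:\\windows\\system32\\dllcache\\wininet.dll
2019-03-07 17:53 . 2019-03-07 17:53 -------- d-----w- C:\\cmpnents
2014-07-01 20:02 . 2014-05-12 06:35 23256 ----a-w- c:\\windows\\system32\\drivers\\mbam.sys
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"Ptipbmf"="ptipbmf.dll" [2003-06-20 118784]
"nwiz"="nwiz.exe" [2006-11-06 1622016]
"BullGuard"="c:\\program files\\BullGuard Ltd\\BullGuard\\BullGuard.exe" [2014-07-14 1048912]
.
Completion time: 2014-07-14  13:40:58 - machine was rebooted
"""

SECTION_RE = re.compile(r"^\({3,}\s+(.+?)\s+\){3,}$")
# created . modified size attrs path; Find3M lines omit the ". modified" part
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})(?: \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}))?"
    r" (\S+) (\S{8}) (.+)$")
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)" \[(\d{4}-\d{2}-\d{2}) (\d+)\]$')
COMPLETION_RE = re.compile(r"^Completion time: (\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2}:\d{2})")
TS = "%Y-%m-%d %H:%M"


def split_sections(text):
    """Map each banner title to the non-empty lines that follow it."""
    sections = {"Header": []}
    current = "Header"
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif line.strip() not in ("", "."):
            sections[current].append(line.rstrip())
    return sections


def parse_entries(lines):
    """Parse file entries (date/size/attributes/path) from a section."""
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line)
        if m:
            created, modified, size, attrs, path = m.groups()
            entries.append({
                "created": datetime.strptime(created, TS),
                "modified": datetime.strptime(modified, TS) if modified else None,
                "size": None if size.startswith("-") else int(size),  # dirs show --------
                "attrs": attrs,
                "path": path,
            })
    return entries


def completion_time(text):
    for line in text.splitlines():
        m = COMPLETION_RE.match(line)
        if m:
            return datetime.strptime(m.group(1) + " " + m.group(2), "%Y-%m-%d %H:%M:%S")
    return None


def deleted_items(text):
    return split_sections(text).get("Other Deletions", [])


def future_timestamps(text):
    """Paths whose created or modified time is later than the report itself."""
    ref = completion_time(text)
    if ref is None:
        return []
    hits = []
    for name, lines in split_sections(text).items():
        if not (name.startswith("Files Created") or name == "Find3M Report"):
            continue
        for e in parse_entries(lines):
            if any(stamp and stamp > ref for stamp in (e["created"], e["modified"])):
                hits.append(e["path"])
    return hits


def unqualified_run_values(text):
    """Run-key values that name a bare file instead of a drive-qualified path."""
    hits = []
    for line in text.splitlines():
        m = RUN_RE.match(line)
        if m and not re.match(r"^[a-zA-Z]:\\", m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    print("deleted:", deleted_items(SAMPLE_REPORT))
    print("future timestamps:", future_timestamps(SAMPLE_REPORT))
    print("unqualified Run values:", unqualified_run_values(SAMPLE_REPORT))
```

Run against the full log above, the same three functions list the whole "Other Deletions" block, the 2019-dated wininet.dll and C:\cmpnents entries, and the Ptipbmf, nwiz and P17Helper Run values. None of those is a verdict; they are the items a reviewer reads first.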
 


#10 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:56 AM

Posted 14 July 2014 - 10:10 AM

Use the Windows Error Checking utility (Check Disk), with the options to fix file system errors and scan the disk surface for errors, attempt recovery of data and repair the disk:

  • Click the Start button
  • Click My Computer.
  • Right-click on the drive that you wish to check > Properties > Tools tab
  • In the "Error checking" section, click on Check now.
  • Place a checkmark in both boxes > Start.
  • If the disk you have chosen is the Windows system disk:
  • A message will notify you that a restart is necessary and ask "Do you want to check for hard disk errors the next time you start your computer?".
  • Click Schedule disk check > OK and close all windows.
  • Re-start the computer. The disk will be checked when the system boots.
  • This will take some time to run and at times may appear stalled but just let it run.
  • When the disk check is complete, the system will re-start automatically and load Windows.


A log of the disk check is recorded only if the scheduled re-start is used, and only for drives on the same HDD as the Operating System.
To open Event Viewer and view the log:

  • Click the Start button
  • Click Run.
  • Type "eventvwr" without the quotes and press Enter.
  • The Event Viewer window will open.
  • In the left pane, expand "Event Viewer (local)" then click on Application.
  • In the right pane, at the top, click on the column heading Source to sort the list alphabetically.
  • Look in the Source column for "Winlogon", with an entry corresponding to the date and time of the disk check.
  • Click on that Winlogon entry to select it.
  • In the box below "Description", Copy all of the contents.
  • Paste the contents into your next reply.



#11 Mr_Frustrated

Mr_Frustrated
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:56 AM

Posted 14 July 2014 - 01:21 PM

Hello,

 

Attached are the chkdsk results. However, are we going in a circle? I seem to be repeating myself with ESET and now this step; both were already done under the old ticket. Can you tell me something about what you see or don't see so far - is there any improvement? Thanks.
 
By the way: after ComboFix and before chkdsk the PC still locks up at the end of start-up - but not every time!
 
...I was thinking about checking the PC hard disk too.  To do this I need to download Microsoft.net Framework 4 for the Seagate tools to work - can I do this at this point?  Thanks.
 

Checking file system on C:
The type of the file system is NTFS.
Volume label is Windows.

A disk check has been scheduled.
Windows will now check the disk.
Cleaning up minor inconsistencies on the drive.
Cleaning up 81 unused index entries from index $SII of file 0x9.
Cleaning up 81 unused index entries from index $SDH of file 0x9.
Cleaning up 81 unused security descriptors.
CHKDSK is verifying file data (stage 4 of 5)...
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
Free space verification is complete.

 307958017 KB total disk space.
  64758352 KB in 173555 files.
     61988 KB in 21562 indexes.
         0 KB in bad sectors.
    368129 KB in use by the system.
     65536 KB occupied by the log file.
 242769548 KB available on disk.

      4096 bytes in each allocation unit.
  76989504 total allocation units on disk.
  60692387 allocation units available on disk.

Internal Info:


Windows has finished checking your disk.
Please wait while your computer restarts.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


#12 TB-Psychotic


  • Malware Response Team
  • 6,349 posts

Posted 15 July 2014 - 06:22 AM

I don't think you have a faulty hard drive.

ComboFix removed several files, but none of them could be responsible for your system lock-ups.

Also, there are no other remnants to be seen.

 

I'd check the hardware for faulty devices at a local vendor.

If there aren't any, Windows should be reinstalled.

 

I cannot see anything suspicious within the logs.



#13 Mr_Frustrated

  • Topic Starter

  • Members
  • 35 posts

Posted 16 July 2014 - 03:19 PM

Thanks for your help with this. Finally, can I check a few other points:
  • Was there any "malware" found by ComboFix? Is that what you mention in your last comment? What about in the previous checks using the other software? It is hard for me to understand the log reports - what did they find? Do I need to do anything to prevent more problems like this?
  • What about "system file check"? You talked about checking system files with me in an earlier post. I tried to run this process at the suggestion of the other advisor, but a message states that this requires the XP installation CD. I now have SP3, based on Windows online automatic updates, but I only have an XP CD which is at SP2 level. Hence this process cannot complete. Is there somewhere on Bleeping that someone can help solve this difficulty (if this forum is not the right place)? I would also need to fix this issue to be able to reinstall Windows, I think?


#14 TB-Psychotic


  • Malware Response Team
  • 6,349 posts

Posted 17 July 2014 - 02:33 AM

Yes, some malware was found by the tools and has been removed. To prevent that, I'll post some recommendations.

The system file check could fix some errors, but you told the other helper that you don't have the right disk.

 

If you want to create a setup disk including Service Pack 3, you'll find a tutorial here.

 

When finished, we may try to fix the corrupt system files with it.

 

If you want to have the PC checked, do that. Feel free to come back anytime.

 

 

 

Recommendations: How to protect yourself

  • System Updates
    Please ensure that automatic updates are activated in your Control Panel.
    For further information and a tutorial, see this Microsoft Support article.
  • Protection
    What you need is one (not more) virus scanner with background protection. Additionally, I recommend a special malware scanner to run on demand weekly.
    Personally I am using avast! Antivirus Free Edition and Malwarebytes Anti-Malware. They offer good protection for free.
    • To keep your browser free of advertising, you may install the Adblock Plus browser extension.
      It will filter unwanted advertising out of the website's content.
    • To protect yourself from accidentally visiting malicious web sites, install the Web of Trust (WOT) browser extension.
      It will display a green (safe), yellow (unknown) or red (potentially dangerous) icon for a visited website within your browser.
      In addition, before you access a web site classified as dangerous, a warning screen is displayed.

  • Up to date Software
    Keep your Windows and your third-party software up to date. The easiest way to get infected is an outdated Windows, followed by: browser(s) (including add-ons and plug-ins), Adobe Flash Player and Adobe Reader, Java Runtime Environment, your antivirus program and so on. These links may help you to check:

  • Backup
    Hardware issues, malware, fire, lightning strike: there is a long list of different ways to lose all your data. Back up your files regularly. Use the Windows internal backup function or a third-party tool and save your data onto an external hard drive, cloud storage, optical media like CDs or DVDs or (if available) a professional network backup system.
  • Behaviour
    The commonest error when using a computer is "error 80", which means that the error is located about 80 cm in front of the monitor. This is a common joke between IT support technicians, but it shows that all the safety mechanisms won't help if you aren't careful enough.
    • While surfing the internet, don't click on anything you don't know. In the worst case, it infects your system with malware.
    • Watch your step in social networks! Many cyber criminals use them to spread malware, mine personal data (to be sold to advertising companies, for example) or simply do damage to other users. Even if a received hyperlink within a message seems to be coming from one of your friends, have a closer look. In addition, don't click everything.
    • When installing software, have a look at each of the setup windows and uncheck any additional toolbars or free programs that may be offered. Most of today's setup procedures contain potentially unwanted programs, so keep them off your system.
    • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
      They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.



#15 Mr_Frustrated

  • Topic Starter

  • Members
  • 35 posts

Posted 21 July 2014 - 07:04 AM

Thanks for the useful feedback.

 

...So now, using nLite, I have a folder with SP3 and the XP installation CD combined. I was planning to run sfc /scannow to see what this improves. You mentioned in your reply "...we may try to fix the corrupt system files with it..." - what were you thinking of with this point? Can you explain? Thanks.

