infected with what malwarebytes identifies as "trojan.malpack"


This topic is locked
30 replies to this topic

#1 aj138

  • Members
  • 23 posts

Posted 27 April 2016 - 05:08 PM

Infected machine: XP SP3 Pro edition

So I was browsing a forum that is pretty big in terms of number of members and is usually pretty safe to visit, but today I opened a page there and suddenly I noticed a blank untitled Notepad page open/pop up. I hit Ctrl+Alt+Delete and saw a reg32.dll and something else running; I was able to click and end the two processes from Task Manager. I then unplugged my Ethernet cable and disconnected from the net. Then I checked CCleaner's Tools section to see what's on my start programs list (this is the first page I always check to see if I've been infected), and sure enough there were now three things listed "yes" to start upon next reboot (screencap attached below); to be safe I checked the three to "disable". But NOTE: fearing that these three start processes might initiate at next reboot in spite of being "disabled", I have NOT yet used DEFOGGER to disable CD emulations as is required, because I think Defogger might require a restart/reboot to complete properly. Anyway, then I ran rkill but it found nothing. I then ran Malwarebytes (my definitions database is outdated by a few months) and it found 16 instances of "trojan/malpack". I did NOT ask it to delete or quarantine the files however, awaiting further instruction from the kind folks here...

Note: I am posting using a different computer than the one that is infected. The infected PC continues to have a blank untitled Notepad page pop up every 7 or 8 minutes or so. Just in case it helps I have attached the Malwarebytes log and a screencap of the three start items. Thank you in advance for your help!

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:19-11-2015
Ran by Administrator (administrator) on USER-9E65B3AC6C (27-04-2016 16:43:53)
Running from C:\Program Files\Farber Recovery Scan Tool
Loaded Profiles: Administrator (Available Profiles: Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(Sun Microsystems, Inc.) C:\Program Files\Java\jre6\bin\jqs.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
(Microsoft Corporation) C:\WINDOWS\system32\wscntfy.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
(Microsoft Corporation) C:\WINDOWS\system32\dllhost.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner.exe
==================== Registry (Whitelisted) ===========================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
Winlogon\Notify\!SASWinLogon: C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2007-04-19] (SUPERAntiSpyware.com)
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxsrvc.dll [2005-06-21] (Intel Corporation)
HKU\S-1-5-21-823518204-299502267-1606980848-500\...\Run: [1878868350] => regsvr32.exe "C:\Documents and Settings\Administrator\Local Settings\Application Data\EeyUmqo\AafuVlaf.dll"
HKU\S-1-5-21-823518204-299502267-1606980848-500\...\Run: [WinResSync] => C:\WINDOWS\system32\regsvr32.exe /s "C:\Documents and Settings\Administrator\Application Data\Microsoft\Protect\f5dc3f8cfc4b2e02defb.rs"
HKU\S-1-5-21-823518204-299502267-1606980848-500\...\RunOnce: [WinResSync] => C:\WINDOWS\system32\regsvr32.exe /s "C:\Documents and Settings\Administrator\Application Data\Microsoft\Protect\f5dc3f8cfc4b2e02defb.rs"
HKU\S-1-5-18\...\Policies\Explorer: [CDRAutoRun] 0
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, OgcijwegGaqd.dll
ShellExecuteHooks: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [77824 2006-12-20] (SuperAdBlocker.com)
==================== Internet (Whitelisted) ====================
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-823518204-299502267-1606980848-500\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-823518204-299502267-1606980848-500\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-823518204-299502267-1606980848-500 -> DefaultScope {21E66FFE-F2C2-493A-BAF7-CB900CF64D4A} URL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
SearchScopes: HKU\S-1-5-21-823518204-299502267-1606980848-500 -> {21E66FFE-F2C2-493A-BAF7-CB900CF64D4A} URL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
SearchScopes: HKU\S-1-5-21-823518204-299502267-1606980848-500 -> {CCC7A320-B3CA-4199-B1A6-9F516DD69829} URL =
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2012-01-03] (Adobe Systems Incorporated)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre6\bin\ssv.dll [2012-08-17] (Sun Microsystems, Inc.)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll [2012-08-17] (Sun Microsystems, Inc.)
BHO: JQSIEStartDetectorImpl Class -> {E7E6F031-17CE-4C07-BC86-EABFE594F69C} -> C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2012-08-17] (Sun Microsystems, Inc.)
Toolbar: HKU\S-1-5-21-823518204-299502267-1606980848-500 -> No Name - {A057A204-BACC-4D26-9990-79A187E2698E} -  No File
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {106E49CF-797A-11D2-81A2-00E02C015623} hxxp://landrec.arlingtonva.us/public/alternatiff_1_7_6.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} hxxp://quickscan.bitdefender.com/qsax/qsax.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {93D532DD-85FC-4A92-8254-8DB5437D8690} hxxp://onbase.ci.palm-coast.fl.us//activex/OBXPopup.cab
DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL [2004-11-22] (Microsoft Corporation)
FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll [2010-01-26] ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\WINDOWS\system32\Adobe\Director\np32dsw.dll [2011-04-26] (Adobe Systems, Inc.)
FF Plugin: @java.com/DTPlugin,version=10.5.1 -> C:\WINDOWS\system32\npDeployJava1.dll [2012-07-05] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll [2012-08-17] (Sun Microsystems, Inc.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-14] ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @nosltd.com/getPlus+®,version=1.6.2.102 -> C:\Program Files\NOS\bin\np_gp.dll [2011-03-29] (NOS Microsystems Ltd.)
FF Plugin: @veetle.com/vbp;version=0.9.17 -> C:\Program Files\Veetle\VLCBroadcast\npvbp.dll [No File]
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2012-01-03] (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2010-06-28] [not signed]
FF HKLM\...\Firefox\Extensions: [jqs@sun.com] - C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF Extension: Java Quick Starter - C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2012-08-17] [not signed]
StartMenuInternet: FIREFOX.EXE - firefox.exe
Chrome:
=======
CHR HKLM\...\Chrome\Extension: [./0123456789:;<=>?@ABCDEFGHIJKLM] - C:\Documents and Settings\Administrator\Local Settings\Application Data\¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ <not found>
==================== Services (Whitelisted) ========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
R2 JavaQuickStarterService; C:\Program Files\Java\jre6\bin\jqs.exe [153376 2012-08-17] (Sun Microsystems, Inc.)
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
S3 rpcapd; "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" [X]
===================== Drivers (Whitelisted) ==========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2008-04-14] (Microsoft Corporation)
R1 Cdr4_xp; C:\WINDOWS\system32\Drivers\Cdr4_xp.sys [44160 2004-06-24] (Roxio) [File not signed]
R1 Cdralw2k; C:\WINDOWS\system32\Drivers\Cdralw2k.sys [24832 2004-06-24] (Roxio) [File not signed]
R1 cdudf_xp; C:\WINDOWS\system32\Drivers\cdudf_xp.sys [289408 2004-06-24] (Roxio) [File not signed]
R1 DVDVRRdr_xp; C:\WINDOWS\system32\Drivers\DVDVRRdr_xp.sys [141184 2004-06-24] (Windows ® 2000 DDK provider) [File not signed]
R3 dvd_2K; C:\WINDOWS\system32\Drivers\dvd_2K.sys [23808 2004-06-24] (Roxio) [File not signed]
S3 mbamchameleon; C:\WINDOWS\system32\drivers\mbamchameleon.sys [121560 2015-11-14] (Malwarebytes)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [23256 2015-10-05] (Malwarebytes)
S3 mmc_2K; C:\WINDOWS\system32\Drivers\mmc_2K.sys [23808 2004-06-24] (Roxio) [File not signed]
S3 MPE; C:\WINDOWS\System32\DRIVERS\MPE.sys [15232 2008-04-14] (Microsoft Corporation)
S3 NAL; C:\WINDOWS\system32\Drivers\iqvw32.sys [30816 2008-05-23] (Intel Corporation )
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2008-04-14] (Microsoft Corporation)
S3 NPF; C:\WINDOWS\System32\drivers\npf.sys [50704 2009-10-20] (CACE Technologies, Inc.)
R1 pwd_2k; C:\WINDOWS\system32\Drivers\pwd_2k.sys [117632 2004-06-24] (Roxio) [File not signed]
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [5632 2006-10-10] () [File not signed]
S3 SASENUM; C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [4096 2006-02-16] (SuperAdBlocker, Inc.) [File not signed]
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys [32256 2007-02-27] () [File not signed]
R1 UDFReadr; C:\WINDOWS\system32\Drivers\UDFReadr.sys [200704 2004-06-24] (Roxio)
R3 USB28xxBGA; C:\WINDOWS\System32\DRIVERS\emBDA.sys [292864 2006-09-12] (eMPIA Technology, Inc.)
R3 USB28xxOEM; C:\WINDOWS\System32\DRIVERS\emOEM.sys [7168 2006-08-21] (eMPIA Technology, Inc.)
S3 eapihdrv; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ehdrv.sys [X]
==================== NetSvcs (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
==================== One Month Created files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2016-04-27 16:09 - 2016-04-27 16:09 - 00003020 _____ C:\Documents and Settings\Administrator\Desktop\Rkill2016april27.txt
2016-04-27 15:43 - 2016-04-27 16:40 - 00003020 _____ C:\Documents and Settings\Administrator\Desktop\Rkill.txt
2016-04-27 15:40 - 2016-04-27 15:40 - 00000000 ___HD C:\Documents and Settings\All Users\Application Data\{EDB4E91B-D34D-4DA7-806D-66F00F041C36}
2016-04-27 15:39 - 2016-04-27 15:43 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Application Data\EeyUmqo
2016-04-27 15:39 - 2016-04-27 15:39 - 00000003 _____ C:\Documents and Settings\All Users\Application Data\7198B9FF6497.dat
2016-04-14 23:58 - 2016-04-14 23:58 - 00001078 _____ C:\WINDOWS\wmsetup.log
==================== One Month Modified files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2016-04-27 16:44 - 2015-11-07 16:56 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\temp
2016-04-27 16:43 - 2015-11-08 03:46 - 00000000 ____D C:\FRST
2016-04-27 15:48 - 2015-08-15 17:43 - 00170200 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-04-27 15:46 - 2015-07-15 20:57 - 00000000 ____D C:\AdwCleaner
2016-04-27 15:39 - 2012-08-31 01:55 - 01812832 _____ C:\WINDOWS\WindowsUpdate.log
2016-04-27 15:34 - 2011-01-17 15:03 - 00000000 ____D C:\Documents and Settings\Administrator\My Documents\New Folder
2016-04-27 15:29 - 2010-10-28 23:17 - 00000000 ____D C:\Documents and Settings\Administrator\My Documents\trakAxvidmixes
2016-04-23 23:58 - 2010-03-01 21:02 - 00092672 _____ C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-04-23 21:34 - 2014-03-14 21:09 - 00000238 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2016-04-23 21:34 - 2010-07-23 04:21 - 00000159 _____ C:\WINDOWS\wiadebug.log
2016-04-23 21:34 - 2010-07-23 04:21 - 00000049 _____ C:\WINDOWS\wiaservc.log
2016-04-23 21:34 - 2010-02-19 15:35 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-04-23 21:34 - 2008-04-14 08:00 - 00002422 _____ C:\WINDOWS\system32\wpa.dbl
2016-04-23 17:08 - 2010-02-19 15:35 - 00032556 _____ C:\WINDOWS\SchedLgU.Txt
2016-04-23 17:08 - 2010-02-19 15:35 - 00000178 ___SH C:\Documents and Settings\Administrator\ntuser.ini
2016-04-22 01:01 - 2015-03-06 01:46 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\vlc
2016-04-19 01:31 - 2008-04-14 08:00 - 00000435 _____ C:\WINDOWS\system.ini
2016-04-18 00:51 - 2015-03-10 13:15 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\Audacity
2016-04-11 22:40 - 2012-04-03 00:28 - 00797376 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2016-04-11 22:40 - 2011-05-17 23:27 - 00142528 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2016-03-29 22:56 - 2010-02-19 19:07 - 00000000 __SHD C:\Documents and Settings\Administrator\UserData
==================== Files in the root of some directories =======
2010-10-31 04:18 - 2010-10-31 04:18 - 0022305 _____ () C:\Program Files\technobats.zip
2010-10-31 04:12 - 2010-10-31 04:12 - 0098103 _____ () C:\Program Files\Year Zero fonts.zip
2015-05-10 14:56 - 2015-05-24 18:39 - 0000313 _____ () C:\Documents and Settings\Administrator\Application Data\burnaware.ini
2012-01-27 02:21 - 2012-01-27 02:23 - 0008470 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\9e10e4c1
2011-10-14 18:42 - 2015-03-10 15:37 - 0176637 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\ars.cache
2012-02-06 19:59 - 2015-03-10 15:37 - 0219478 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\census.cache
2010-03-01 21:02 - 2016-04-23 23:58 - 0092672 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2010-06-09 00:28 - 2010-06-09 00:28 - 0000036 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\housecall.guid.cache
2011-09-22 01:12 - 2011-09-22 01:12 - 0000000 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\imageCache7.db
2008-02-05 17:28 - 2015-08-12 05:43 - 0000478 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\setup.txt.aaa
==================== Bamital & volsnap =================
(There is no automatic fix for files that do not pass verification.)
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
==================== End of FRST.txt ============================
Additional scan result of Farbar Recovery Scan Tool (x86) Version:19-11-2015
Ran by Administrator (2016-04-27 16:44:46)
Running from C:\Program Files\Farber Recovery Scan Tool
Microsoft Windows XP Professional Service Pack 3 (X86) (2010-02-19 19:33:43)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-823518204-299502267-1606980848-500 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Administrator
ASPNET (S-1-5-21-823518204-299502267-1606980848-1004 - Limited - Enabled)
Guest (S-1-5-21-823518204-299502267-1606980848-501 - Limited - Disabled)
HelpAssistant (S-1-5-21-823518204-299502267-1606980848-1000 - Limited - Disabled)
SUPPORT_388945a0 (S-1-5-21-823518204-299502267-1606980848-1002 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)


==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 9.20 (HKLM\...\7-Zip) (Version: - )
Acrobat.com (HKLM\...\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 2.0.0.0 - Adobe Systems Incorporated)
Acrobat.com (Version: 2.0.0 - Adobe Systems Incorporated) Hidden
Adobe Download Manager (HKLM\...\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}) (Version: 1.6.2.102 - NOS Microsystems Ltd.)
Adobe Flash Player 10 Plugin (HKLM\...\{AF36CE1D-FD2C-4BA0-93FA-1196785DD610}) (Version: 10.0.45.2 - Adobe Systems, Inc.)
Adobe Flash Player 21 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 21.0.0.213 - Adobe Systems Incorporated)
Adobe Reader X (10.1.2) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.2 - Adobe Systems Incorporated)
Adobe Shockwave Player 11.5 (HKLM\...\Adobe Shockwave Player) (Version: 11.5.9.620 - Adobe Systems, Inc.)
Any Video Converter 3.2.7 (HKLM\...\Any Video Converter_is1) (Version: - Any-Video-Converter.com)
Apple Application Support (HKLM\...\{6A3F9D74-BB80-4451-8CA1-4B3A857F1359}) (Version: 2.0.1 - Apple Inc.)
Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Audacity 1.3.10 (Unicode) (HKLM\...\Audacity 1.3 Beta (Unicode)_is1) (Version: - Audacity Team)
BurnAware Free 3.0.6 (HKLM\...\BurnAware Free_is1) (Version: - Burnaware Technologies)
CamStudio (HKLM\...\CamStudio) (Version: - )
CCleaner (HKLM\...\CCleaner) (Version: 3.21 - Piriform)
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6021.5000 - Microsoft Corporation)
Defraggler (HKLM\...\Defraggler) (Version: 2.00 - Piriform)
ESET Online Scanner v3 (HKLM\...\ESET Online Scanner) (Version: - )
ffdshow [rev 3154] [2009-12-09] (HKLM\...\ffdshow_is1) (Version: 1.0 - )
Free DVD Ripper 1.1.0.13 (HKLM\...\Free DVD Ripper_is1) (Version: - MediaTools.ws)
Free M4a to MP3 Converter 6.1 (HKLM\...\Free M4a to MP3 Converter_is1) (Version: - ManiacTools.com)
Freemake Video Converter version 2.3.1 (HKLM\...\Freemake Video Converter_is1) (Version: 2.3.1 - Ellora Assets Corporation)
Haali Media Splitter (HKLM\...\HaaliMkx) (Version: - )
HP SetRefresh (HKLM\...\{F5242227-2051-4158-AC42-0F2BAA3CD3D6}) (Version: 1.2.1.3 - Hewlett-Packard Company)
Image Grabber II.NET (HKLM\...\{F343FA04-CFC0-487C-A617-A5E8CF4D7B10}) (Version: 2.0.2 - MIDOCUS)
ImageGrab 5.0.6 en (HKLM\...\{FF990174-A68E-4B91-91C5-98C07785A62D}}_is1) (Version: 5.0.6 - Paul Glagla)
Index.dat Analyzer v2.5 (HKLM\...\Index.dat Analyzer_is1) (Version: 2.5 - Systenance Software)
Intel® Extreme Graphics Driver (HKLM\...\{8A708DD8-A5E6-11D4-A706-000629E95E20}) (Version: - )
Intel® Network Connections 13.1.33.0 (HKLM\...\{DDD076BF-C5C3-468C-AA1B-F9A7E47446FE}) (Version: 13.1.33.0 - Intel)
IrfanView (remove only) (HKLM\...\IrfanView) (Version: - )
Java™ 6 Update 32 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83216032FF}) (Version: 6.0.320 - Oracle)
LADSPA_plugins-win-0.4.15 (HKLM\...\LADSPA_plugins-win_is1) (Version: - Audacity Team)
LAME v3.98.2 for Audacity (HKLM\...\LAME for Audacity_is1) (Version: - )
Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
Microsoft .NET Framework 1.1 (HKLM\...\Microsoft .NET Framework 1.1 (1033)) (Version: - )
Microsoft .NET Framework 1.1 Security Update (KB2698023) (HKLM\...\M2698023) (Version: - )
Microsoft .NET Framework 1.1 Security Update (KB2833941) (HKLM\...\M2833941) (Version: - )
Microsoft .NET Framework 1.1 Security Update (KB979906) (HKLM\...\M979906) (Version: - )
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version: - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Base Smart Card Cryptographic Service Provider Package (HKLM\...\KB909520) (Version: - Microsoft Corporation)
Microsoft DirectX Transform optional components (HKLM\...\DXTXTRA) (Version: - )
Microsoft Office Professional Edition 2003 (HKLM\...\{90110409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.5614.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft User-Mode Driver Framework Feature Pack 1.0 (HKLM\...\Wudf01000) (Version: - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Roxio Easy Media Creator 7 Basic DVD Edition (HKLM\...\{747D1B34-A1FC-4EF3-A6AE-E86F39CEFDE5}) (Version: 7.1.0.95 - Roxio, Inc.)
StreamTorrent 1.0 (HKLM\...\StreamTorrent 1.0) (Version: - )
SUPERAntiSpyware Free Edition (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 3.7.0.1018 - SUPERAntiSpyware.com)
Unlocker 1.9.1 (HKLM\...\Unlocker) (Version: 1.9.1 - Cedrick Collomb)
Video Thumbnails Maker by Scorp (remove only) (HKLM\...\Video Thumbnails Maker) (Version: - )
VLC media player 1.1.5 (HKLM\...\VLC media player) (Version: 1.1.5 - VideoLAN)
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Windows Genuine Advantage Notifications (KB905474) (HKLM\...\WgaNotify) (Version: 1.9.0040.0 - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version: - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\WGA) (Version: 1.7.0069.2 - Microsoft Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Live OneCare safety scanner (HKLM\...\Windows Live OneCare safety scanner) (Version: - )
Windows Management Framework Core (HKLM\...\KB968930) (Version: - Microsoft Corporation)
Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version: - )
WinPcap 4.1.1 (HKLM\...\WinPcapInst) (Version: 4.1.0.1753 - CACE Technologies)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Restore Points =========================

28-02-2016 16:28:50 System Checkpoint
02-03-2016 17:12:11 System Checkpoint
05-03-2016 13:04:38 Software Distribution Service 3.0
11-03-2016 11:43:38 System Checkpoint
12-03-2016 15:26:26 System Checkpoint
16-03-2016 14:22:49 System Checkpoint
20-03-2016 16:27:23 System Checkpoint
21-03-2016 23:53:48 Software Distribution Service 3.0
28-03-2016 14:59:07 System Checkpoint
01-04-2016 00:52:22 System Checkpoint
02-04-2016 01:11:59 System Checkpoint
03-04-2016 15:03:14 System Checkpoint
04-04-2016 16:10:49 System Checkpoint
05-04-2016 16:43:08 System Checkpoint
10-04-2016 07:19:06 System Checkpoint
12-04-2016 04:36:42 System Checkpoint
16-04-2016 00:46:54 System Checkpoint
18-04-2016 23:31:08 System Checkpoint
21-04-2016 17:10:52 System Checkpoint
26-04-2016 10:27:38 System Checkpoint

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2012-01-27 05:05 - 2015-07-15 18:27 - 00000027 ____A C:\WINDOWS\system32\Drivers\etc\hosts

127.0.0.1 localhost

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe

==================== Loaded Modules (Whitelisted) ==============

2010-07-04 17:32 - 2010-07-04 17:32 - 00010752 _____ () C:\Program Files\Unlocker\UnlockerCOM.dll

==================== Alternate Data Streams (Whitelisted) =========

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)


==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE restricted site: HKU\.DEFAULT\...\007guard.com -> install.007guard.com
IE restricted site: HKU\.DEFAULT\...\008i.com -> 008i.com
IE restricted site: HKU\.DEFAULT\...\008k.com -> www.008k.com
IE restricted site: HKU\.DEFAULT\...\00hq.com -> www.00hq.com


There are 7257 more sites.

IE trusted site: HKU\S-1-5-21-823518204-299502267-1606980848-500\...\511virginia.org -> hxxps://www.511virginia.org
IE trusted site: HKU\S-1-5-21-823518204-299502267-1606980848-500\...\facebook.com -> hxxps://facebook.com
IE trusted site: HKU\S-1-5-21-823518204-299502267-1606980848-500\...\google.com -> hxxps://www.google.com
IE trusted site: HKU\S-1-5-21-823518204-299502267-1606980848-500\...\youtube.com -> hxxps://www.youtube.com

There are 5481 more sites.


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-823518204-299502267-1606980848-500\Control Panel\Desktop\\Wallpaper -> C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
DNS Servers: Media is not connected to internet.
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupfolder: C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^89274d8b.exe => C:\WINDOWS\pss\89274d8b.exeStartup
MSCONFIG\startupfolder: C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^SpywareGuard.lnk => C:\WINDOWS\pss\SpywareGuard.lnkStartup
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk => C:\WINDOWS\pss\Windows Search.lnkCommon Startup
MSCONFIG\startupreg: 1878868350 => regsvr32.exe "C:\Documents and Settings\Administrator\Local Settings\Application Data\EeyUmqo\AafuVlaf.dll"
MSCONFIG\startupreg: 771125BB-BCB0-4452-9725-C3B5E9668547 => cmd.exe /C start /D "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp" /B 771125BB-BCB0-4452-9725-C3B5E9668547.exe -postboot
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: ctfmon.exe => C:\WINDOWS\system32\ctfmon.exe
MSCONFIG\startupreg: DCERegBootClean => C:\WINDOWS\RegBootClean.exe -d
MSCONFIG\startupreg: DWQueuedReporting => "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
MSCONFIG\startupreg: FlashPlayerUpdate => C:\WINDOWS\system32\Macromed\Flash\FlashUtil32_20_0_0_270_ActiveX.exe -update activex
MSCONFIG\startupreg: HotKeysCmds => C:\WINDOWS\system32\hkcmd.exe
MSCONFIG\startupreg: IgfxTray => C:\WINDOWS\system32\igfxtray.exe
MSCONFIG\startupreg: IntelPowerAgent13 => rundll32.exe shell32.dll, ShellExec_RunDLL C:\DOCUME~1\ALLUSE~1\APPLIC~1\B42608~1.EXE
MSCONFIG\startupreg: SetRefresh => C:\Program Files\COMPAQ\SetRefresh\\SetRefresh.exe
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
MSCONFIG\startupreg: Uninstall Adobe Download Manager => "C:\Program Files\NOS\bin\getPlusUninst_Adobe.exe" /Get1noarp
MSCONFIG\startupreg: WinResSync => C:\WINDOWS\system32\regsvr32.exe /s "C:\Documents and Settings\Administrator\Application Data\Microsoft\Protect\f5dc3f8cfc4b2e02defb.rs"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

StandardProfile\AuthorizedApplications: [C:\WINDOWS\system32\sessmgr.exe] => Disabled:@xpsp2res.dll,-22019

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (03/20/2016 02:29:38 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module mshtml.dll, version 8.0.6001.23588, fault address 0x0014c493.
Processing media-specific event for [iexplore.exe!ws!]

Error: (12/21/2015 00:36:34 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module mshtml.dll, version 8.0.6001.23588, fault address 0x0014c493.
Processing media-specific event for [iexplore.exe!ws!]

Error: (12/17/2015 07:29:30 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module ntdll.dll, version 5.1.2600.6055, fault address 0x00002caf.
Processing media-specific event for [iexplore.exe!ws!]

Error: (11/14/2015 00:56:22 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module jvm.dll, version 20.7.0.2, fault address 0x0005e562.
Processing media-specific event for [iexplore.exe!ws!]

Error: (11/07/2015 03:10:39 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module unknown, version 0.0.0.0, fault address 0x10ff08e0.
Processing media-specific event for [iexplore.exe!ws!]

Error: (06/23/2015 04:21:16 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module flash32_17_0_0_188.ocx, version 17.0.0.188, fault address 0x006ab6ea.
Processing media-specific event for [iexplore.exe!ws!]

Error: (06/12/2015 04:32:15 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module flash32_17_0_0_188.ocx, version 17.0.0.188, fault address 0x006ab6ea.
Processing media-specific event for [iexplore.exe!ws!]

Error: (04/16/2015 10:46:31 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module mshtml.dll, version 8.0.6001.23588, fault address 0x00088c83.
Processing media-specific event for [iexplore.exe!ws!]

Error: (02/16/2015 03:38:43 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module mshtml.dll, version 8.0.6001.23588, fault address 0x0014c493.
Processing media-specific event for [iexplore.exe!ws!]

Error: (01/23/2015 05:41:37 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module mshtml.dll, version 8.0.6001.23588, fault address 0x00029671.
Processing media-specific event for [iexplore.exe!ws!]


System errors:
=============
Error: (04/27/2016 03:07:46 PM) (Source: Dhcp) (EventID: 1000) (User: )
Description: Your computer has lost the lease to its IP address 192.168.1.7 on the
Network Card with network address 000BCD118F1E.

Error: (04/26/2016 10:08:55 AM) (Source: Dhcp) (EventID: 1000) (User: )
Description: Your computer has lost the lease to its IP address 192.168.1.7 on the
Network Card with network address 000BCD118F1E.

Error: (04/25/2016 10:02:27 AM) (Source: Dhcp) (EventID: 1000) (User: )
Description: Your computer has lost the lease to its IP address 192.168.1.7 on the
Network Card with network address 000BCD118F1E.

Error: (04/23/2016 03:44:29 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the ShellHWDetection service.

Error: (04/20/2016 10:34:10 PM) (Source: Dhcp) (EventID: 1000) (User: )
Description: Your computer has lost the lease to its IP address 192.168.1.6 on the
Network Card with network address 000BCD118F1E.

Error: (04/17/2016 11:16:59 PM) (Source: Dhcp) (EventID: 1000) (User: )
Description: Your computer has lost the lease to its IP address 192.168.1.8 on the
Network Card with network address 000BCD118F1E.

Error: (04/12/2016 11:03:47 PM) (Source: Dhcp) (EventID: 1000) (User: )
Description: Your computer has lost the lease to its IP address 192.168.1.8 on the
Network Card with network address 000BCD118F1E.

Error: (04/10/2016 06:13:02 AM) (Source: Dhcp) (EventID: 1000) (User: )
Description: Your computer has lost the lease to its IP address 192.168.1.6 on the
Network Card with network address 000BCD118F1E.

Error: (04/08/2016 11:13:37 PM) (Source: Dhcp) (EventID: 1000) (User: )
Description: Your computer has lost the lease to its IP address 192.168.1.6 on the
Network Card with network address 000BCD118F1E.

Error: (04/07/2016 06:37:06 PM) (Source: Dhcp) (EventID: 1000) (User: )
Description: Your computer has lost the lease to its IP address 192.168.1.6 on the
Network Card with network address 000BCD118F1E.


==================== Memory info ===========================

Processor: Intel® Pentium® 4 CPU 2.00GHz
Percentage of memory in use: 42%
Total physical RAM: 759.48 MB
Available physical RAM: 435.18 MB
Total Virtual: 1857.47 MB
Available Virtual: 1607.02 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:18.64 GB) (Free:1.41 GB) NTFS ==>[drive with boot components (Windows XP)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 18.6 GB) (Disk ID: B913B913)
Partition 1: (Active) - (Size=18.6 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================

Attached Files


Edited by Oh My!, 27 April 2016 - 06:07 PM.



#2 Oh My! (Adware and Spyware and Malware.....; Malware Response Instructor; 36,121 posts; Location: California)

Posted 27 April 2016 - 06:15 PM

Greetings aj138 and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:

  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow this topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.

===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Nice work on your end.

Please do this. You can copy the Fixlist onto a USB and transfer it to your infected computer.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------

  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Click Format and check Word Wrap
  • Please copy and paste the contents of the below code box into the open notepad and save it to your Desktop as fixlist.txt. If FRST.exe is not on your Desktop please move it to that location. (<<<Important)
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-823518204-299502267-1606980848-500\...\Run: [1878868350] => regsvr32.exe "C:\Documents and Settings\Administrator\Local Settings\Application Data\EeyUmqo\AafuVlaf.dll"
C:\Documents and Settings\Administrator\Local Settings\Application Data\EeyUmqo
HKU\S-1-5-21-823518204-299502267-1606980848-500\...\Run: [WinResSync] => C:\WINDOWS\system32\regsvr32.exe /s "C:\Documents and Settings\Administrator\Application Data\Microsoft\Protect\f5dc3f8cfc4b2e02defb.rs"
HKU\S-1-5-21-823518204-299502267-1606980848-500\...\RunOnce: [WinResSync] => C:\WINDOWS\system32\regsvr32.exe /s "C:\Documents and Settings\Administrator\Application Data\Microsoft\Protect\f5dc3f8cfc4b2e02defb.rs"
C:\Documents and Settings\Administrator\Application Data\Microsoft\Protect
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-823518204-299502267-1606980848-500\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-823518204-299502267-1606980848-500 -> {CCC7A320-B3CA-4199-B1A6-9F516DD69829} URL =
Toolbar: HKU\S-1-5-21-823518204-299502267-1606980848-500 -> No Name - {A057A204-BACC-4D26-9990-79A187E2698E} -  No File
CHR HKLM\...\Chrome\Extension: [./0123456789:;<=>?@ABCDEFGHIJKLM] - C:\Documents and Settings\Administrator\Local Settings\Application Data\¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ <not found>
S3 rpcapd; "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" [X]
S3 eapihdrv; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ehdrv.sys [X]
2016-04-27 15:40 - 2016-04-27 15:40 - 00000000 ___HD C:\Documents and Settings\All Users\Application Data\{EDB4E91B-D34D-4DA7-806D-66F00F041C36}
2016-04-27 15:39 - 2016-04-27 15:39 - 00000003 _____ C:\Documents and Settings\All Users\Application Data\7198B9FF6497.dat
cmd: regedit /e "%userprofile%\desktop\look.txt" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
File: C:\Documents and Settings\Administrator\Local Settings\Application Data\9e10e4c1
  • Launch FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
  • A look.txt document will be placed on the Desktop. Copy and paste that information in your reply

===================================================

System Summary Information

--------------------

  • Press the Windows key + r on your keyboard at the same time
  • Type msinfo32 and press Enter
  • Left click on System Summary
  • Click File, Save, and name the file Summary
  • Zip and attach the file to your reply

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.

  • Fixlog
  • Look.txt
  • System Summary Information
  • Update on computer behavior

Edited by Oh My!, 27 April 2016 - 06:19 PM.

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
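The entries the fixlist above targets share one pattern worth spelling out: the thing that autostarts is a signed Windows binary (regsvr32.exe, rundll32.exe, cmd.exe), and the real payload is a file that binary is handed from a folder the user can write to, in one case with an extension that is not even .dll (the .rs file under Microsoft\Protect). The script below is an added example, not code from this thread or from FRST, that applies that heuristic to the MSCONFIG\startupreg lines from the Addition.txt posted above; the sample lines are copied inline so it runs offline. The indicator list and the two-indicator threshold are the editor's assumptions, and a flagged entry means "look at it", not "delete it": the heuristic also marks IntelPowerAgent13, which the helper did not put in his fixlist.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the MSCONFIG\startupreg lines from the Addition.txt
# posted in this thread, copied here so the script runs offline.
SAMPLE_LINES = r"""
MSCONFIG\startupreg: 1878868350 => regsvr32.exe "C:\Documents and Settings\Administrator\Local Settings\Application Data\EeyUmqo\AafuVlaf.dll"
MSCONFIG\startupreg: 771125BB-BCB0-4452-9725-C3B5E9668547 => cmd.exe /C start /D "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp" /B 771125BB-BCB0-4452-9725-C3B5E9668547.exe -postboot
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: ctfmon.exe => C:\WINDOWS\system32\ctfmon.exe
MSCONFIG\startupreg: IntelPowerAgent13 => rundll32.exe shell32.dll, ShellExec_RunDLL C:\DOCUME~1\ALLUSE~1\APPLIC~1\B42608~1.EXE
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
MSCONFIG\startupreg: WinResSync => C:\WINDOWS\system32\regsvr32.exe /s "C:\Documents and Settings\Administrator\Application Data\Microsoft\Protect\f5dc3f8cfc4b2e02defb.rs"
"""

ENTRY_RE = re.compile(r"^MSCONFIG\\startupreg:\s*(?P<name>.+?)\s*=>\s*(?P<cmd>.+)$")
TOKEN_RE = re.compile(r'"([^"]+)"|(\S+)')          # quoted path or bare token
GUID_RE = re.compile(r"^[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}$", re.I)

# Signed Windows binaries that execute whatever they are handed; for such an
# entry the payload is the argument, not the loader. (Editor's assumption.)
PROXY_LOADERS = {"regsvr32.exe", "rundll32.exe", "cmd.exe"}
# Substrings of paths an unprivileged user can write to on Windows XP,
# in long and 8.3 short form. (Editor's assumption.)
USER_WRITABLE = ("documents and settings", "docume~1", "\\temp",
                 "application data", "applic~1", "local settings", "locals~1")


@dataclass
class Finding:
    name: str
    command: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Require two independent indicators before marking an entry for review.
        return len(self.reasons) >= 2


def tokens(cmd: str) -> list:
    return [q or b for q, b in TOKEN_RE.findall(cmd)]


def triage_entry(name: str, cmd: str) -> Finding:
    f = Finding(name, cmd)
    toks = tokens(cmd)
    loader = toks[0].rsplit("\\", 1)[-1].lower() if toks else ""
    if loader in PROXY_LOADERS:
        f.reasons.append(f"proxy loader {loader}")
    paths = [t for t in toks if "\\" in t]
    if any(w in p.lower() for p in paths for w in USER_WRITABLE):
        f.reasons.append("references a user-writable location")
    # regsvr32 normally registers a .dll/.ocx; any other extension is odd.
    if loader == "regsvr32.exe" and paths and not paths[-1].lower().endswith((".dll", ".ocx")):
        f.reasons.append("regsvr32 target lacks a DLL/OCX extension")
    if "shellexec_rundll" in cmd.lower():
        f.reasons.append("rundll32 ShellExec_RunDLL launch")
    if name.isdigit() or GUID_RE.match(name):
        f.reasons.append("random-looking entry name")
    return f


def triage(text: str) -> list:
    """Parse every MSCONFIG\\startupreg line in an FRST log and score it."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append(triage_entry(m["name"], m["cmd"]))
    return out


def flagged_names(text: str) -> set:
    return {f.name for f in triage(text) if f.suspicious}


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print("REVIEW" if f.suspicious else "ok    ", f.name, "|", "; ".join(f.reasons))
```

The same parser works on the `HKU\...\Run:` lines of FRST.txt with a one-line change to ENTRY_RE; the loader-plus-user-writable-path combination is what to look for there too.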

#3 aj138 (Topic Starter; Members; 23 posts)

Posted 27 April 2016 - 07:13 PM

Thank you, Oh My!/Gary, for your help; I am much obliged to you for your knowledge and generosity! :-)

OK, so here is the fix log:

Fix result of Farbar Recovery Scan Tool (x86) Version:19-11-2015
Ran by Administrator (2016-04-27 19:31:05) Run:3
Running from C:\Documents and Settings\Administrator\Desktop
Loaded Profiles: Administrator (Available Profiles: Administrator)
Boot Mode: Normal

==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-823518204-299502267-1606980848-500\...\Run: [1878868350] => regsvr32.exe "C:\Documents and Settings\Administrator\Local Settings\Application Data\EeyUmqo\AafuVlaf.dll"
C:\Documents and Settings\Administrator\Local Settings\Application Data\EeyUmqo
HKU\S-1-5-21-823518204-299502267-1606980848-500\...\Run: [WinResSync] => C:\WINDOWS\system32\regsvr32.exe /s "C:\Documents and Settings\Administrator\Application Data\Microsoft\Protect\f5dc3f8cfc4b2e02defb.rs"
HKU\S-1-5-21-823518204-299502267-1606980848-500\...\RunOnce: [WinResSync] => C:\WINDOWS\system32\regsvr32.exe /s "C:\Documents and Settings\Administrator\Application Data\Microsoft\Protect\f5dc3f8cfc4b2e02defb.rs"
C:\Documents and Settings\Administrator\Application Data\Microsoft\Protect
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-823518204-299502267-1606980848-500\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-823518204-299502267-1606980848-500 -> {CCC7A320-B3CA-4199-B1A6-9F516DD69829} URL =
Toolbar: HKU\S-1-5-21-823518204-299502267-1606980848-500 -> No Name - {A057A204-BACC-4D26-9990-79A187E2698E} -  No File
CHR HKLM\...\Chrome\Extension: [./0123456789:;<=>?@ABCDEFGHIJKLM] - C:\Documents and Settings\Administrator\Local Settings\Application Data\¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ <not found>
S3 rpcapd; "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" [X]
S3 eapihdrv; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ehdrv.sys [X]
2016-04-27 15:40 - 2016-04-27 15:40 - 00000000 ___HD C:\Documents and Settings\All Users\Application Data\{EDB4E91B-D34D-4DA7-806D-66F00F041C36}
2016-04-27 15:39 - 2016-04-27 15:39 - 00000003 _____ C:\Documents and Settings\All Users\Application Data\7198B9FF6497.dat
cmd: regedit /e "%userprofile%\desktop\look.txt" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
File: C:\Documents and Settings\Administrator\Local Settings\Application Data\9e10e4c1
*****************

Restore point was successfully created.
Processes closed successfully.
HKU\S-1-5-21-823518204-299502267-1606980848-500\Software\Microsoft\Windows\CurrentVersion\Run\\1878868350 => value removed successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\EeyUmqo => moved successfully
HKU\S-1-5-21-823518204-299502267-1606980848-500\Software\Microsoft\Windows\CurrentVersion\Run\\WinResSync => value removed successfully.
HKU\S-1-5-21-823518204-299502267-1606980848-500\Software\Microsoft\Windows\CurrentVersion\RunOnce\\WinResSync => value removed successfully.
C:\Documents and Settings\Administrator\Application Data\Microsoft\Protect => moved successfully
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
"HKU\S-1-5-21-823518204-299502267-1606980848-500\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully.
"HKU\S-1-5-21-823518204-299502267-1606980848-500\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}" => key removed successfully.
HKCR\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} => key not found.
HKU\S-1-5-21-823518204-299502267-1606980848-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{A057A204-BACC-4D26-9990-79A187E2698E} => value removed successfully.
HKCR\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E} => key not found.
"HKLM\SOFTWARE\Google\Chrome\Extensions\./0123456789:;<=>?@ABCDEFGHIJKLM" => key removed successfully.
rpcapd => service removed successfully.
eapihdrv => service removed successfully.

"C:\Documents and Settings\All Users\Application Data\{EDB4E91B-D34D-4DA7-806D-66F00F041C36}" folder move:

Could not move "C:\Documents and Settings\All Users\Application Data\{EDB4E91B-D34D-4DA7-806D-66F00F041C36}" => Scheduled to move on reboot.

C:\Documents and Settings\All Users\Application Data\7198B9FF6497.dat => moved successfully

=========  regedit /e "%userprofile%\desktop\look.txt" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" =========

========= End of CMD: =========

========================= File: C:\Documents and Settings\Administrator\Local Settings\Application Data\9e10e4c1 ========================

File not signed
MD5: 4E8F6A6D3E8F56A530579435A7C42B71
Creation and modification date: 2012-01-27 - 2012-01-27
Size: 0008470
Attributes: ----A
Company Name:
Internal Name:
Original Name:
Product:
Description:
File Version:
Product Version:
Copyright:

====== End of File: ======

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 2016-04-27 19:33:37)

C:\Documents and Settings\All Users\Application Data\{EDB4E91B-D34D-4DA7-806D-66F00F041C36} => is moved successfully

==== End of Fixlog 19:33:37 ====

And the contents of look.txt:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
  00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
  00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
  6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,00,\
  00
"ImpersonatePrivilegeUpgradeToolHasRun"=dword:00000001
"LsaPid"=dword:000002dc
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000000
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
"enabledcom"="y"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,4e,00,\
  54,00,20,00,41,00,63,00,63,00,65,00,73,00,73,00,20,00,50,00,72,00,6f,00,76,\
  00,69,00,64,00,65,00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  6e,00,74,00,6d,00,61,00,72,00,74,00,61,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:bb,2e,21,8b,f7,1a,ea,a5,ce,2d,e9,8e,3b,86,04,d1,62,31,30,34,64,\
  63,66,36,00,fd,07,00,06,45,00,00,34,fa,07,00,46,98,7c,75,20,fa,07,00,40,fd,\
  07,00,4c,fd,07,00,b0,f4,88,25,8f,07,04,c1,27,06,eb,b1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:65,a9,7d,c5,44,9c,eb,b2,5e

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:36,da,7a,dc,ff,34

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"Auth132"="IISSUBA"
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:6e,71,33,41,c5,24,4f,93,ca,8c,2e,29,64,ad,9f,54

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:d8,6e,40,49,d0,f9,cc,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,a0,a1,10,27,9e,c8,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,a0,a1,10,27,9e,c8,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,a0,a1,10,27,9e,c8,01
"Type"=dword:00000031

Regarding overall behavior: because I halted all activity (as in browsing or running files like music/video), the only malfunction I was able to see was those untitled Notepad pop-ups. While waiting for your reply, and before applying any of the fixes you suggested, I attempted to "save as" one of the blank pop-ups, and it disappeared (gave no option of where or what to save it as), but the pop-ups stopped. Minutes later I ran your fixes, and as part of the process the computer restarted, and so far I have not seen any more Notepad pop-ups, but I have not yet attempted to use the computer, so it's hard to say if anything is different. Because nothing was happening that I could see, I'm not sure if the malware was supposed to have any sort of noticeable activity. Also, I caught it as soon as it got on the PC, and I halted two of its processes and unplugged from the internet, so I'm not sure what ugly thing was possibly going to start manifesting in a way I could see or feel, but nothing ever did. Via the new startup items I knew I was infected, and 'twas confirmed when Malwarebytes detected it, but I'm not sure what it was doing or intending to do! Fortunately it was not encrypting my files; that was the first thing I checked, given how that had happened to me twice in two weeks a few months ago.

So I can't say for sure if the PC is OK. Mind you, this is meant to be a prompt and quick reply since you were so kind as to get to me so fast. But I will definitely update you on the PC's behavior, after you've given me a green light that it's OK to resume using it. Many thanks again for your help, Gary!

:-)

aj

Attached Files
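The look.txt export was requested for a reason the thread does not spell out: the REG_MULTI_SZ values Authentication Packages, Security Packages and Notification Packages under HKLM\SYSTEM\CurrentControlSet\Control\Lsa name DLLs that LSASS loads at boot, which makes them a persistence location worth checking after an infection. regedit writes those values as hex(7) byte lists wrapped onto continuation lines with a trailing backslash, which is hard to read by eye. The script below is an added example (not part of the thread or of any tool used in it) that joins the continuation lines, decodes the UTF-16LE strings and compares them with a baseline. The baseline is an assumption: it is the set of packages a stock Windows XP install lists, which is also exactly what this export shows. The tampered sample at the end is constructed here to show the check firing and does not describe anything found on the poster's machine.

```python
import re

# Constructed sample input: the [HKLM\...\Lsa] block from the look.txt export
# posted above, trimmed to the values this check cares about.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
  00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
  00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
  6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,00,\
  00
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
"enabledcom"="y"
'''

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<body>.*)$')
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# Assumed baseline: what a stock Windows XP install lists (and what this
# export shows). Any name beyond these is a DLL LSASS will load at boot.
BASELINE = {
    "Authentication Packages": {"msv1_0"},
    "Security Packages": {"kerberos", "msv1_0", "schannel", "wdigest"},
    "Notification Packages": {"scecli"},
}


def logical_lines(text: str):
    """Re-join .reg lines that regedit wrapped with a trailing backslash."""
    cur = None
    for raw in text.splitlines():
        piece = raw.strip() if cur is not None else raw
        if piece.endswith("\\"):
            cur = (cur or "") + piece[:-1]
            continue
        yield (cur or "") + piece
        cur = None
    if cur is not None:
        yield cur


def decode_multi_sz(hexdata: str) -> list:
    """hex(7) byte list -> list of strings (UTF-16LE, NUL-separated, double NUL end)."""
    raw = bytes(int(h, 16) for h in hexdata.split(",") if h.strip())
    return [s for s in raw.decode("utf-16-le").split("\0") if s]


def encode_multi_sz(strings: list) -> str:
    """Inverse of decode_multi_sz, in regedit's hex(7) syntax."""
    raw = ("\0".join(strings) + "\0\0").encode("utf-16-le")
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def parse_reg(text: str) -> dict:
    """Minimal .reg parser: {key: {value_name: decoded_value}}."""
    result, key = {}, None
    for line in logical_lines(text):
        m = KEY_RE.match(line)
        if m:
            key = m["key"]
            result.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, body = m["name"], m["body"]
        if body.startswith("hex(7):"):
            result[key][name] = decode_multi_sz(body[len("hex(7):"):])
        elif body.startswith('"') and body.endswith('"'):
            result[key][name] = body[1:-1]
        else:
            result[key][name] = body  # dword:/hex: values kept undecoded
    return result


def unexpected_lsa_packages(reg: dict) -> dict:
    """Package names present in the export that are not in BASELINE."""
    lsa = reg.get(LSA_KEY, {})
    extras = {}
    for value, allowed in BASELINE.items():
        present = {p.lower() for p in lsa.get(value, [])}
        if present - allowed:
            extras[value] = sorted(present - allowed)
    return extras


# Constructed here, not from the poster's machine: the same key with one
# made-up extra notification package, to show the check firing.
TAMPERED_REG = "\n".join([
    "[" + LSA_KEY + "]",
    '"Authentication Packages"=' + encode_multi_sz(["msv1_0"]),
    '"Notification Packages"=' + encode_multi_sz(["scecli", "examplefilter"]),
])

if __name__ == "__main__":
    for label, text in (("posted export", SAMPLE_REG), ("constructed tampered export", TAMPERED_REG)):
        reg = parse_reg(text)
        print(label, "->", reg[LSA_KEY])
        print("  unexpected:", unexpected_lsa_packages(reg) or "none")
```

An extra Notification Package is the classic password-filter persistence: the DLL receives every password change in clear text. An extra Authentication or Security Package is loaded into lsass.exe at boot, so either finding means the named file needs to be pulled and examined, not just the value edited.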



#4 Oh My! (Adware and Spyware and Malware.....; Malware Response Instructor; 36,121 posts; Location: California)

Posted 27 April 2016 - 07:39 PM

It is my pleasure to work together on this.

I would like you to connect to the Internet now then do these things.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it as fixlist.txt in the same location/folder as FRST.exe (<<<Important)
C:\Documents and Settings\Administrator\Local Settings\Application Data\9e10e4c1
  • Right click on FRST.exe, select Run as administrator then press the Fix button
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
  • Copy/paste the following in the Search Field
OgcijwegGaqd.dll
  • Click Search File(s) button
  • When completed click OK and a Search.txt document will open on your desktop
  • Copy and paste the contents of that document in your reply
===================================================

ComboFix Windows XP

--------------------

For a more detailed explanation on running Combofix and the prompts you will be following please see here.
  • Please download ComboFix from one of these locations and save it to your desktop:

Bleepingcomputer

ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Note: If after disabling Combofix warns you an Antivirus program is still running ignore the warning and run Combofix.
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista/Windows 7, ComboFix will skip the below Recovery Console pop ups and continue its malware removal procedure.

[Screenshot: ComboFix prompt asking to install the Microsoft Windows Recovery Console]

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[Screenshot: message that the Microsoft Windows Recovery Console was installed successfully]

  • Click on Yes, to continue scanning for malware
----------

Note #1: Oftentimes it may appear as if ComboFix has stopped working. To verify it is still running please do one of the following below. If, based on the below, you have concluded ComboFix has stopped running please stop and advise me.
  • Check your computer clock. If it is still running then so is ComboFix
  • Open Task Manager and select the Applications Tab. If the status of AutoScan is Running, then ComboFix is running
  • Open Task Manager and select the Processes Tab. Under Image Name look for files ending in .3xe. If there are fluctuating numbers under CPU and Mem Usage then ComboFix is running
Note #2: If you receive the following error "Illegal operation attempted on a registry key that has been marked for deletion" please just restart your computer to resolve this issue

----------

If Combofix fails to run properly using the above instructions please attempt the following:
  • Right click on the Combofix icon on your desktop and select Delete
  • Download a new copy but rename it to freshcopy.exe first, then save it to your desktop
  • Now download RKill.exe (or RKill renamed as iExplore.exe if the first one doesn't work properly) and save it to your desktop
  • Restart your computer in Safe Mode
  • Right click on RKill (or iExplore) and select Run as Administrator. If you are using Windows XP simply double click the icon
  • A black DOS screen should flash and disappear. If not, try to launch the program with the second file. If neither works please stop and let me know
  • When RKill is finished running you will be presented with a text file and a copy will be saved on your desktop. Copy and paste the contents of this report in your reply
  • Do not reboot your computer
  • Double click the freshcopy.exe icon (renamed Combofix file)
  • When finished, it will produce a log. Please copy and paste the C:\Combofix.txt log information in your next reply
  • If you disabled your antivirus please enable it again. If you uninstalled it please wait for instructions to reinstall it
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Fixlog
  • Search.txt
  • Combofix log
  • Update on performance

Gary

#5 aj138 (Topic Starter; Members; 23 posts)

Posted 27 April 2016 - 10:37 PM

ok, so i ran into a problem, a couple actually: first, i had the farbar tool saved in mutliple (3) locations, including desktop. i saved the fixlist to desktop, but when trying to (right-click) run as admin, it kept saying it couldnt find a fixlist and told me it needed to be in the same folder as the tool. so i put copies of fixlist in all 3 locations, but still same failed result. so i deleted all copies of the tool, redownloaded it new to desktop, and even deleted fixlist and saved it new to desktop. tried to (right-click) run as admin and got an "auto.it error - unable to open the script file" it said. so instead of running as admin, i simply ran it as is (double click icon), and here is the-

FARBAR fixlog:

Fix result of Farbar Recovery Scan Tool (x86) Version:27-04-2016
Ran by Administrator (2016-04-27 22:37:27) Run:4
Running from C:\Documents and Settings\Administrator\Desktop
Loaded Profiles: Administrator (Available Profiles: Administrator)
Boot Mode: Normal

==============================================

fixlist content:
*****************
C:\Documents and Settings\Administrator\Local Settings\Application Data\9e10e4c1
*****************

C:\Documents and Settings\Administrator\Local Settings\Application Data\9e10e4c1 => moved successfully

==== End of Fixlog 22:37:27 ====

Then searched and here is the result (search term bolded/highlighted by me):

Farbar Recovery Scan Tool (x86) Version:27-04-2016
Ran by Administrator (2016-04-27 22:40:33)
Running from C:\Documents and Settings\Administrator\Desktop
Boot Mode: Normal

================== Search Files: "OgcijwegGaqd.dll" =============

====== End of Search ======

And here is the ComboFix log:

ComboFix 16-04-22.01 - Administrator 04/27/2016  22:49:35.16.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.759.446 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
.
(((((((((((((((((((((((((   Files Created from 2016-03-28 to 2016-04-28  )))))))))))))))))))))))))))))))
.
.
2016-04-27 23:31 . 2016-04-28 02:34 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\EeyUmqo
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2016-04-27 19:48 . 2015-08-15 21:43 170200 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2016-04-12 02:40 . 2012-04-03 04:28 797376 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2016-04-12 02:40 . 2011-05-18 03:27 142528 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinResSync"="c:\documents and settings\Administrator\Application Data\Microsoft\Protect\f5dc3f8cfc4b2e02defb.rs" [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLinkedConnections"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 21:41 294912 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, OgcijwegGaqd.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^89274d8b.exe]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\89274d8b.exe
backup=c:\windows\pss\89274d8b.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^SpywareGuard.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\SpywareGuard.lnk
backup=c:\windows\pss\SpywareGuard.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\771125BB-BCB0-4452-9725-C3B5E9668547]
start [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinResSync]
c:\documents and settings\Administrator\Application Data\Microsoft\Protect\f5dc3f8cfc4b2e02defb.rs [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1878868350]
2016-04-27 23:31 225792 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\EeyUmqo\AafuVlaf.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 13:10 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DCERegBootClean]
2011-03-22 06:07 102400 ----a-w- c:\windows\RegBootClean.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
2007-03-13 20:38 39264 ----a-w- c:\progra~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-06-22 00:44 126976 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-06-22 00:48 155648 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelPowerAgent13]
2012-06-08 14:26 8462848 ----a-w- c:\windows\system32\shell32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetRefresh]
2003-11-21 01:01 525824 ----a-w- c:\program files\COMPAQ\SetRefresh\SetRefresh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 18:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uninstall Adobe Download Manager]
2011-03-29 19:42 40344 ----a-w- c:\program files\NOS\bin\getPlusUninst_Adobe.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/10/2006 5:53 PM 5632]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/27/2007 4:39 PM 32256]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/2/2010 5:49 PM 23256]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes Anti-Malware\mbamservice.exe [8/15/2015 5:43 PM 1135416]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [7/15/2015 7:34 PM 121560]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [4/14/2008 8:00 AM 14336]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 2:19 PM 50704]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 9:51 PM 4096]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ    nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2016-04-27 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Logon.job
- c:\windows\system32\xp_eos.exe [2014-03-09 01:59]
.
2016-02-08 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
- c:\windows\system32\xp_eos.exe [2014-03-09 01:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: 511virginia.org\www
Trusted Zone: depositfiles.com
Trusted Zone: facebook.com
Trusted Zone: google.com\www
Trusted Zone: invisionfree.com\z3
Trusted Zone: keepvid.com
Trusted Zone: pilotsfor911truth.org
Trusted Zone: planetsuzy.org
Trusted Zone: youtube.com\www
TCP: DhcpNameServer = 192.168.1.1
DPF: {93D532DD-85FC-4A92-8254-8DB5437D8690} - hxxp://onbase.ci.palm-coast.fl.us//activex/OBXPopup.cab
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-FlashPlayerUpdate - c:\windows\system32\Macromed\Flash\FlashUtil32_20_0_0_270_ActiveX.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2016-04-27 23:11
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-823518204-299502267-1606980848-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1d,b2,89,21,7d,b2,b1,47,b3,87,b6,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1d,b2,89,21,7d,b2,b1,47,b3,87,b6,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,19,0a,60,74,ca,02,55,49,be,49,34,\
.
[HKEY_USERS\S-1-5-21-823518204-299502267-1606980848-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-823518204-299502267-1606980848-500_Classes\CLSID\{A2640A8F-8E69-45AD-9D63-7DE2BE6701EE}\InprocServer32]
@Denied: (C D 2 3 6) (Everyone)
@Allowed: (Read) (Administrator)
"ThreadingModel"="Apartment"
@="c:\\Documents and Settings\\All Users\\Application Data\\{EDB4E91B-D34D-4DA7-806D-66F00F041C36}\\rasadhlp.dll"
.
[HKEY_USERS\S-1-5-21-823518204-299502267-1606980848-500_Classes\Drive\ShellEx\FolderExtensions\{A2640A8F-8E69-45AD-9D63-7DE2BE6701EE}]
@Denied: (C D 2 3 6) (Everyone)
@Allowed: (Read) (Administrator)
"DriveMask"=dword:ffffffff
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A2640A8F-8E69-45AD-9D63-7DE2BE6701EE}\InprocServer32]
@Denied: (C D 2 3 6) (Everyone)
"ThreadingModel"="Apartment"
@="c:\\Documents and Settings\\All Users\\Application Data\\{EDB4E91B-D34D-4DA7-806D-66F00F041C36}\\rasadhlp.dll"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_21_0_0_213_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_21_0_0_213_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Drive\shellex\FolderExtensions\{A2640A8F-8E69-45AD-9D63-7DE2BE6701EE}]
@Denied: (C D 2 3 6) (Everyone)
"DriveMask"=dword:ffffffff
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(676)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3764)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2016-04-27  23:20:56
ComboFix-quarantined-files.txt  2016-04-28 03:20
.
Pre-Run: 1,301,237,760 bytes free
Post-Run: 2,040,029,184 bytes free
.
- - End Of File - - EE13FBEDEB9598A55AF0E1D1A226C9B5
8F558EB6672622401DA993E1E865C861

Overall, the PC seems OK - still haven't had a chance to really use it as I normally would, so I don't know for sure if any performance issues exist/remain... but thanks again for all your help thus far. I am ready for further instructions...

aj


Edited by aj138, 27 April 2016 - 10:42 PM.


#6 Oh My!
    Adware and Spyware and Malware.....
  • Malware Response Instructor
  • 36,121 posts
  • Gender:Male
  • Location:California

Posted 28 April 2016 - 02:46 PM

Greetings,

My pleasure.

My apologies about the Run as administrator. You have Windows XP (uncommon) and on that system everything is run as an administrator automatically.

Please do these things for me.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it as fixlist.txt in the same location/folder as FRST.exe (<<<Important)
Folder: c:\documents and settings\Administrator\Local Settings\Application Data\EeyUmqo
File: c:\documents and settings\Administrator\Start Menu\Programs\Startup\89274d8b.exe
emptytemp:
  • Right click on FRST.exe, select Run as administrator then press the Fix button
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

SystemLook by jpshortstuff

--------------------
  • Right-click SystemLook.exe and select Run as administrator...
  • Copy the content of the following codebox into the main textfield:
:regfind
OgcijwegGaqd.dll
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Copy and paste the contents of the report in your reply or, if necessary, zip and attach the file.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Fixlog
  • SystemLook log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#7 aj138
  • Topic Starter
  • Members
  • 23 posts

Posted 01 May 2016 - 02:08 PM

As requested, fixlog first:

Fix result of Farbar Recovery Scan Tool (x86) Version:27-04-2016
Ran by Administrator (2016-04-30 15:01:52) Run:5
Running from C:\Documents and Settings\Administrator\Desktop
Loaded Profiles: Administrator (Available Profiles: Administrator)
Boot Mode: Normal

==============================================

fixlist content:
*****************
Folder: c:\documents and settings\Administrator\Local Settings\Application Data\EeyUmqo
File: c:\documents and settings\Administrator\Start Menu\Programs\Startup\89274d8b.exe
emptytemp:
*****************

========================= Folder: c:\documents and settings\Administrator\Local Settings\Application Data\EeyUmqo ========================

2016-04-27 19:31 - 2016-04-27 19:31 - 0225792 _____ () c:\documents and settings\Administrator\Local Settings\Application Data\EeyUmqo\AafuVlaf.dll
2016-04-27 22:34 - 2016-04-27 22:34 - 0027067 _____ () c:\documents and settings\Administrator\Local Settings\Application Data\EeyUmqo\AepiNxohr
2016-04-27 22:34 - 2016-04-27 22:34 - 0011488 _____ () c:\documents and settings\Administrator\Local Settings\Application Data\EeyUmqo\IereZlus
2016-04-27 22:34 - 2016-04-27 22:34 - 0099304 _____ () c:\documents and settings\Administrator\Local Settings\Application Data\EeyUmqo\Kabej
2016-04-27 22:23 - 2016-04-27 22:23 - 20989952 _____ () c:\documents and settings\Administrator\Local Settings\Application Data\EeyUmqo\QacaGxutx
2016-04-27 22:27 - 2016-04-27 22:27 - 0034278 _____ () c:\documents and settings\Administrator\Local Settings\Application Data\EeyUmqo\QucoQged
2016-04-27 22:27 - 2016-04-27 22:27 - 0089594 _____ () c:\documents and settings\Administrator\Local Settings\Application Data\EeyUmqo\WinaGdop

====== End of Folder: ======

========================= File: c:\documents and settings\Administrator\Start Menu\Programs\Startup\89274d8b.exe ========================

"c:\documents and settings\Administrator\Start Menu\Programs\Startup\89274d8b.exe" => not found.
====== End of File: ======

EmptyTemp: => 205.9 MB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 15:02:06 ====

Then the SystemLook:

SystemLook 30.07.11 by jpshortstuff
Log created at 14:44 on 01/05/2016 by Administrator
Administrator - Elevation successful

========== regfind ==========

Searching for "OgcijwegGaqd.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, OgcijwegGaqd.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, OgcijwegGaqd.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, OgcijwegGaqd.dll"

-= EOF =-

Sorry for the late reply, and again, thanks for your help.

:-)

#8 Oh My!
    Adware and Spyware and Malware.....
  • Malware Response Instructor
  • 36,121 posts
  • Gender:Male
  • Location:California

Posted 01 May 2016 - 03:01 PM

Greetings,

Thanks for the information. Please do this.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it as fixlist.txt in the same location/folder as FRST.exe (<<<Important)
c:\documents and settings\Administrator\Local Settings\Application Data\EeyUmqo
  • Right click on FRST.exe, select Run as administrator then press the Fix button
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Registry Fix

-------------------
  • Press the Windows key + r on your keyboard at the same time
  • Type Notepad and press Enter
  • Copy/paste the following text inside the code box into a new notepad document.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
  • Click File, then Save As... .
  • Click Desktop on the left.
  • In the box File Name, input fix.reg.
  • Click Save.
  • Double click fix.reg and answer Yes to the prompts. You should receive the message that the entries have been successfully merged. If not, post back with the error message.
  • Delete fix.reg after use.
  • Reboot your computer
===================================================

SystemLook by jpshortstuff

--------------------
  • Right-click SystemLook.exe and select Run as administrator...
  • Copy the content of the following codebox into the main textfield:
:filefind
89274d8b.exe
:regfind
OgcijwegGaqd.dll
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Fixlog
  • Did the registry fix merge properly?
  • SystemLook report
  • Update on computer behavior

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
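A baseline check for the two persistence locations that come up in this thread: the SecurityProviders value that the fix.reg above restores to its XP default, and the regsvr32 Run entry (WinResSync) shown in the ComboFix log. This is an added Python example, not code from the thread or from FRST, SystemLook or ComboFix; it assumes the four-DLL list in the fix.reg is the clean baseline, and the sample input is constructed from the SystemLook and startup-list lines posted here.

```python
"""Baseline check for two persistence spots from this thread: the SecurityProviders
registry value and a Run-key command that uses regsvr32 to load a file."""
import ntpath
import re

# Windows XP SP3 default SecurityProviders list. Assumption: taken from the clean
# value that the fix.reg in this thread merges back; anything beyond it is reported.
DEFAULT_SECURITY_PROVIDERS = ("msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll")

# File types regsvr32 is normally asked to register.
REGSVR32_EXPECTED_EXT = (".dll", ".ocx", ".ax")

# A key header and a value line as SystemLook's :regfind report prints them.
KEY_LINE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"$')

# The regsvr32 invocation inside a Run-key command line; args holds the rest.
REGSVR32_CMD = re.compile(r'regsvr32(?:\.exe)?\b(?P<args>.*)$', re.IGNORECASE)


def split_providers(data):
    """Split the comma-separated SecurityProviders data into normalised names."""
    return [p.strip().lower() for p in data.split(",") if p.strip()]


def extra_providers(data):
    """Return provider DLLs in the value that are not in the XP baseline."""
    baseline = {p.lower() for p in DEFAULT_SECURITY_PROVIDERS}
    return [p for p in split_providers(data) if p not in baseline]


def audit_securityproviders_log(text):
    """Walk a SystemLook :regfind report and map each key whose SecurityProviders
    value deviates from the baseline to the list of unexpected DLLs."""
    findings = {}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_LINE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        value_match = VALUE_LINE.match(line)
        if (value_match and current_key
                and value_match.group("name").lower() == "securityproviders"):
            extras = extra_providers(value_match.group("data"))
            if extras:
                findings[current_key] = extras
    return findings


def regsvr32_target(command):
    """Return the module path regsvr32 is asked to load, or None if the command
    line does not invoke regsvr32."""
    match = REGSVR32_CMD.search(command)
    if not match:
        return None
    # Tokenise on whitespace but keep quoted paths whole; drop /s-style switches.
    tokens = re.findall(r'"[^"]*"|\S+', match.group("args"))
    paths = [t.strip('"') for t in tokens if not t.startswith("/")]
    return paths[-1] if paths else None


def flag_run_entry(command):
    """Reasons a Run-key command resembles the WinResSync entry in this thread:
    regsvr32 loading a file with a non-DLL extension from a user profile folder."""
    reasons = []
    target = regsvr32_target(command)
    if target is None:
        return reasons
    ext = ntpath.splitext(target)[1].lower()
    if ext not in REGSVR32_EXPECTED_EXT:
        reasons.append("regsvr32 loads a non-DLL extension: %s" % (ext or "(none)"))
    lowered = target.lower()
    if "\\documents and settings\\" in lowered or "\\users\\" in lowered:
        reasons.append("module lives under a user profile directory")
    return reasons


# Constructed sample input: the regfind lines SystemLook printed in this thread plus
# one clean key, and the Run-key line from the startup list later in the thread.
SAMPLE_REGFIND = r"""
========== regfind ==========

Searching for "OgcijwegGaqd.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, OgcijwegGaqd.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
"""

SAMPLE_RUN_ENTRY = (r'C:\WINDOWS\system32\regsvr32.exe /s '
                    r'"C:\Documents and Settings\Administrator\Application Data'
                    r'\Microsoft\Protect\f5dc3f8cfc4b2e02defb.rs"')

if __name__ == "__main__":
    for key, extras in audit_securityproviders_log(SAMPLE_REGFIND).items():
        print("non-default SecurityProviders entry in %s: %s" % (key, ", ".join(extras)))
    for reason in flag_run_entry(SAMPLE_RUN_ENTRY):
        print("suspicious Run entry: " + reason)
```

SecurityProviders DLLs are loaded into lsass.exe at boot, so an entry outside the baseline is worth checking even when file searches for it come back empty, as they did in this thread.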

#9 aj138
  • Topic Starter
  • Members
  • 23 posts

Posted 04 May 2016 - 08:12 AM

1 - fixlog:

Fix result of Farbar Recovery Scan Tool (x86) Version:27-04-2016
Ran by Administrator (2016-05-04 09:07:01) Run:6
Running from C:\Documents and Settings\Administrator\Desktop
Loaded Profiles: Administrator (Available Profiles: Administrator)
Boot Mode: Normal

==============================================

fixlist content:
*****************
c:\documents and settings\Administrator\Local Settings\Application Data\EeyUmqo
*****************

c:\documents and settings\Administrator\Local Settings\Application Data\EeyUmqo => moved successfully

==== End of Fixlog 09:07:01 ====

2 - Double-clicked the registry fix and it was successful - but I did NOT restart the PC before doing SystemLook - sorry.

I will now restart and then do SystemLook again...

3 - SystemLook (after a proper restart):

SystemLook 30.07.11 by jpshortstuff
Log created at 09:29 on 04/05/2016 by Administrator
Administrator - Elevation successful

========== filefind ==========

Searching for "89274d8b.exe"
No files found.

========== regfind ==========

Searching for "OgcijwegGaqd.dll"
No data found.

-= EOF =-

4 - The computer seems to be behaving normally.

Many thanks Gary!

:-)


Edited by aj138, 04 May 2016 - 08:32 AM.


#10 Oh My!
    Adware and Spyware and Malware.....
  • Malware Response Instructor
  • 36,121 posts
  • Gender:Male
  • Location:California

Posted 04 May 2016 - 08:38 AM

My pleasure.

We are almost there. Please do this.

===================================================

Emsisoft Emergency Kit Scan

--------------------
  • Download Emsisoft Emergency Kit and save it to your desktop.
  • Double-click icon then click Install
  • A Window should open highlighting Start Emergency Kit Scanner
  • Double click that icon and allow the program to load
  • Click Yes to run an online update
  • Once the update is completed select Settings under Scan
  • Uncheck Join the Emsisoft Anti-Malware Network
  • Click Scan at the top
  • Click Yes to detect Potentially Unwanted Programs
  • Click Malware Scan
  • Once completed click View Report
  • Save the file to your Desktop using the default file name
  • Click Quarantine selected (all should be selected by default)
  • Copy and paste the report in your reply
===================================================

screen317's Security Check

--------------------
  • Please download screen317's Security Check to your desktop
  • Double-click icon then click Run
  • Press any key to launch the program
  • Note: If you receive an error message saying UNSUPPORTED OPERATING SYSTEM! ABORTED! reboot your computer and attempt to run it again
  • Allow the program to run
  • When completed a Notepad document will open on your desktop. Please copy and paste the contents in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Emsisoft report
  • Security Check report

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#11 aj138
  • Topic Starter
  • Members
  • 23 posts

Posted 06 May 2016 - 04:19 PM

As requested:

1- Emsisoft Emergency Kit Scan

Emsisoft Emergency Kit - Version 10.0
Last update: 5/6/2016 4:42:26 AM
User account: USER-9E65B3AC6C\Administrator

Scan settings:

Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files

Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start: 5/6/2016 3:09:19 PM
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS  detected: Setting.DisableRegistryTools (A)

Scanned 72023
Found 1

Scan end: 5/6/2016 3:21:06 PM
Scan time: 0:11:47

Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS  Setting.DisableRegistryTools (A)

Quarantined 1

2 - screen317's Security Check

 Results of screen317's Security Check version 1.014 --- 12/23/15 
 Windows XP Service Pack 3 x86  
 Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 SUPERAntiSpyware Free Edition  
 CCleaner    
 Java™ 6 Update 32 
 Java version 32-bit out of Date!
 Adobe Flash Player 10 Flash Player out of Date!
 Adobe Reader 10.1.2 Adobe Reader out of Date! 
````````Process Check: objlist.exe by Laurent```````` 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 23% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

-As always, many thanks for your continued help Gary! Much appreciated!

;-)



#12 aj138
  • Topic Starter
  • Members
  • 23 posts

Posted 06 May 2016 - 04:25 PM

Note, I previously had updated my Java, but ran into an issue of it saying there were multiple instances running (even though I had removed all of the old one using a program from Java that was supposed to fully clean/remove it), so the updated version wouldn't work properly. As a result I am using a very vulnerable, super-old version of Java. If you check my previous posts, you will see I was crypto-ransomed twice in the span of two weeks, and in that thread I was given instructions on how to properly update my Java - I just haven't gotten around to it. I mention that to save you the trouble, Gary, of instructing me how to do it... thanks!



#13 Oh My!
    Adware and Spyware and Malware.....
  • Malware Response Instructor
  • 36,121 posts
  • Gender:Male
  • Location:California

Posted 06 May 2016 - 05:30 PM

Thanks for the information. Please do this.

===================================================

Update Adobe Reader

--------------------

Your Adobe Reader is out of date and a security concern. Here is some excellent information and a video which explains the importance of minimizing the risk of infection through compromised PDF files.
  • Please visit Adobe Reader
  • Uncheck the McAfee optional offer
  • Click Install now
  • Save the file to your desktop
  • Double click the installation icon
  • Select Run
  • When completed click Finish
  • Press the Windows key + R at the same time
  • Type appwiz.cpl, press Enter, and allow the Programs list to populate
  • Uninstall every Adobe Reader program except the one just downloaded and installed
===================================================

Update Adobe Flash Player

--------------------
  • Download Adobe Flash Player here and save it to your desktop. Uncheck "Yes, install McAfee Security Scan Plus - optional"
  • Close any open browsers
  • Click on Install Now
  • Click Save File and save the file to your Desktop
  • Double click the Desktop icon
  • Select either Allow Adobe to install updates (recommended) or Notify me to install updates then click Next
  • When completed click Finish
===================================================

Checking Disk Fragmentation Level - Windows XP

--------------------
  • Click Start, All Programs, Accessories, System Tools, then Disk Defragmenter
  • Under Volume select the C: drive
  • Click Analyze
  • If recommended click Defragment disk
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Did the programs update properly
  • Did you Defrag your hard drive?
  • Any remaining issues?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#14 aj138
  • Topic Starter
  • Members
  • 23 posts

Posted 07 May 2016 - 02:33 AM

Hi Gary, I haven't had a chance yet to update the two progz, and the PC seems to be running OK, BUT - this item is (back) on the startup list:

Yes HKCU:Run WinResSync Microsoft Corporation C:\WINDOWS\system32\regsvr32.exe /s "C:\Documents and Settings\Administrator\Application Data\Microsoft\Protect\f5dc3f8cfc4b2e02defb.rs"

-And I'm pretty sure that "winressync" was part of the original infection's doing... and appears to be back somehow... please advise me on what I should do next, thanks!

Also - by the way - should I uninstall ComboFix (or what's left of it) yet?


Edited by aj138, 07 May 2016 - 02:44 AM.


#15 Oh My!
    Adware and Spyware and Malware.....
  • Malware Response Instructor
  • 36,121 posts
  • Gender:Male
  • Location:California

Posted 07 May 2016 - 05:40 PM

Greetings,

We are not ready to uninstall anything yet.

Does Rapid Sketch sound familiar at all?


Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."



