Posts posted by journo
-
OK, so this is disturbing. I'm getting exactly the same popups from Calculator, Lockapp, etc., identified as trojan.fadeb.j by Malwarebytes.
But the really disturbing thing is that I'm also using a BLU device!
This is a device that I hardly use. It sits on my desk and hosts my old SIM card in case I receive a text.
No way I accidentally installed malware, so it's highly worrying that this device/manufacturer may have a security flaw.
-
OK, I've disabled Kaspersky, but the browsers still don't work. Other programs like Outlook seem fine, but the browsers and the Malwarebytes updater don't work.
P.S. I updated Malwarebytes in Safe Mode successfully.
-
Hi,
I think I've got some malware because my browsers are only working in Safe Mode.
However, Malwarebytes didn't pick up anything. It's fully updated.
How should I proceed? Here are the DDS files.
Thanks
Dan
DDS (Ver_2012-11-20.01) - NTFS_x86 NETWORK
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.11.2
Run by Gerard at 20:04:41 on 2013-02-05
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.334 [GMT 0:00]
.
AV: Kaspersky Internet Security *Enabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *Enabled*
.
============== Running Processes ================
.
C:\WINDOWS\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Gerard\Local Settings\Application Data\join.me\join.me.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Content Blocker Plugin: {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - c:\program files\kaspersky lab\kaspersky internet security 2013\ieext\contentblocker\ie_content_blocker_plugin.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Virtual Keyboard Plugin: {73455575-E40C-433C-9784-C78DC7761455} - c:\program files\kaspersky lab\kaspersky internet security 2013\ieext\virtualkeyboard\ie_virtual_keyboard_plugin.dll
BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Safe Money Plugin: {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} - c:\program files\kaspersky lab\kaspersky internet security 2013\ieext\onlinebanking\online_banking_bho.dll
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: URL Advisor Plugin: {E33CF602-D945-461A-83F0-819F76A199F8} - c:\program files\kaspersky lab\kaspersky internet security 2013\ieext\urladvisor\klwtbbho.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [TPSMain] TPSMain.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [smoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [TFncKy] TFncKy.exe
mRun: [DDWMon] c:\program files\toshiba\toshiba direct disc writer\\ddwmon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [topi] c:\program files\toshiba\toshiba online product information\topi.exe -startup
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2013\avp.exe"
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\gerard\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 2013\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre7\bin\jp2iexp.dll
IE: {0C4CC089-D306-440D-9772-464E226F6539} - {0BA14598-4178-4CE5-B1F1-B5C6408A3F2E} - c:\program files\kaspersky lab\kaspersky internet security 2013\ieext\virtualkeyboard\ie_virtual_keyboard_plugin.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2013\ieext\urladvisor\klwtbbho.dll
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
TCP: NameServer = 192.168.1.254 192.168.1.254
TCP: Interfaces\{89278D3F-6BE9-49D3-B65C-1BAE24114C8C} : DHCPNameServer = 192.168.1.254 192.168.1.254
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\24.0.1312.56\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2012-6-19 136024]
R1 kltdi;kltdi;c:\windows\system32\drivers\kltdi.sys [2012-6-8 43608]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-4-3 5888]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2012-6-27 35672]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2013-1-3 288000]
S1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2013-1-24 586584]
S1 kneps;kneps;c:\windows\system32\drivers\kneps.sys [2012-8-13 144344]
S2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky internet security 2013\avp.exe [2012-8-17 356376]
S2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-2-5 398184]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-2-5 682344]
S2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2007-3-26 105856]
S2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2007-2-19 134016]
S3 klkbdflt;Kaspersky Lab KLKBDFLT;c:\windows\system32\drivers\klkbdflt.sys [2012-10-25 24408]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2012-10-25 24920]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-2-5 21104]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-2-5 40776]
.
=============== Created Last 30 ================
.
2013-02-05 19:32:13 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-02-05 19:32:12 -------- d-----w- c:\documents and settings\gerard\application data\Malwarebytes
2013-02-05 19:32:00 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2013-02-05 19:31:55 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-02-05 19:31:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-02-05 18:50:07 -------- d-----w- c:\windows\system32\wbem\repository\FS
2013-02-05 18:50:07 -------- d-----w- c:\windows\system32\wbem\Repository
2013-02-04 19:26:50 -------- d-----w- c:\documents and settings\gerard\PrivacIE
2013-01-27 19:02:39 12928 -c--a-w- c:\windows\system32\dllcache\dot4prt.sys
2013-01-27 19:02:39 12928 ----a-w- c:\windows\system32\drivers\Dot4Prt.sys
2013-01-27 19:02:35 23808 -c--a-w- c:\windows\system32\dllcache\dot4usb.sys
2013-01-27 19:02:35 23808 ----a-w- c:\windows\system32\drivers\Dot4usb.sys
2013-01-27 19:02:34 207360 -c--a-w- c:\windows\system32\dllcache\dot4.sys
2013-01-27 19:02:34 207360 ----a-w- c:\windows\system32\drivers\Dot4.sys
2013-01-24 20:35:28 -------- d-----w- c:\documents and settings\gerard\local settings\application data\join.me
2013-01-24 20:34:41 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-01-24 20:28:45 -------- d-----w- c:\program files\Kaspersky Lab
2013-01-24 20:28:44 -------- d-----w- c:\documents and settings\all users\application data\Kaspersky Lab
2013-01-24 20:28:16 74072 ----a-w- c:\windows\system32\drivers\klflt.sys
.
==================== Find3M ====================
.
2013-01-27 09:49:27 43608 ----a-w- c:\windows\system32\drivers\kltdi.sys
2013-01-03 20:36:38 859072 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-01-03 20:36:38 779704 ----a-w- c:\windows\system32\deployJava1.dll
.
============= FINISH: 20:04:56.64 ===============
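Reading a DDS log like the one in the post above comes down to a handful of lines in the "Pseudo HJT Report" section: the Winlogon Userinit value, the uRun/mRun/dRun autoruns, the mPolicies lines and the TCP: NameServer lines. The following Python helper is an added example (not part of the poster's message and not part of the DDS tool) that parses those line types and applies the checks a malware-removal helper would apply first. The sample report is constructed from lines that appear in the logs in this thread (the Userinit and XflYvmro lines come from the later post); the line formats are as DDS prints them here, and the heuristics are my own assumptions.

```python
"""
Triage helper for the "Pseudo HJT Report" section of a DDS log.
Added example, not from the original post or from the DDS tool. It flags:
  - Winlogon Userinit values that launch anything besides userinit.exe
  - Run/RunOnce entries whose program lives inside a user profile
  - EnableLUA = 0 (UAC disabled)
  - a DNS server that is a public address rather than the local gateway
The heuristics are assumptions for this example, not DDS behaviour.
"""
import ipaddress
import re

# Constructed sample built from lines that appear in this thread's logs.
SAMPLE_DDS = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\documents and settings\administrator.seedmanchester\local settings\application data\pytmlmix\xflyvmro.exe
uRun: [XflYvmro] c:\documents and settings\administrator.seedmanchester\local settings\application data\pytmlmix\xflyvmro.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2013\avp.exe"
mPolicies-system: EnableLUA = 0 (0x0)
TCP: NameServer = 192.168.1.254 192.168.1.254
"""

EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
# Profile roots on XP and on Vista+; an autorun under either is user-writable.
PROFILE_ROOTS = ("\\documents and settings\\", "\\users\\")

RUN_LINE = re.compile(r"^(?P<hive>[umd]Run(?:Once)?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
USERINIT_LINE = re.compile(r"^mWinlogon: Userinit=(?P<value>.*)$", re.I)
NAMESERVER_LINE = re.compile(r"^TCP: .*?NameServer = (?P<ips>.*)$", re.I)
PROGRAM = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|scr|com|bat|cmd|vbs))\b', re.I)


def program_path(cmd):
    """Return the lower-cased program path from a Run value, dropping quotes and arguments."""
    m = PROGRAM.match(cmd.strip())
    return m.group("path").lower() if m else None


def triage(report):
    """Return (finding_kind, detail) tuples in the order the lines appear."""
    findings = []
    for line in report.splitlines():
        line = line.strip()
        if not line:
            continue
        m = USERINIT_LINE.match(line)
        if m:
            # Userinit is comma-separated; every non-empty item must be userinit.exe itself.
            for part in m.group("value").split(","):
                part = part.strip().strip('"').lower()
                if part and part != EXPECTED_USERINIT:
                    findings.append(("userinit_extra", part))
            continue
        m = RUN_LINE.match(line)
        if m:
            path = program_path(m.group("cmd"))
            if path and any(root in path for root in PROFILE_ROOTS):
                findings.append(("autorun_in_profile", f"{m.group('hive')} [{m.group('name')}] {path}"))
            continue
        if re.match(r"^mPolicies-system: EnableLUA = 0\b", line):
            findings.append(("uac_disabled", line))
            continue
        m = NAMESERVER_LINE.match(line)
        if m:
            for ip in dict.fromkeys(m.group("ips").split()):  # de-duplicate, keep order
                try:
                    if ipaddress.ip_address(ip).is_global:
                        findings.append(("public_dns", ip))
                except ValueError:
                    pass  # not an IP literal; DDS sometimes prints names here
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_DDS):
        print(f"{kind:20} {detail}")
```

On the constructed sample the Userinit line and the XflYvmro autorun are both reported, pointing at the same executable under the user's Local Settings folder, and the EnableLUA line is reported as well; the private DNS server is left alone. The checks are deliberately narrow: a program under a profile path is not proof of malware, only the first place to look.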
-
Hi,
I'm unable to access some https files, and I've noticed that my hosts file keeps being added to.
I remove the entries, but they come back a few minutes later.
Malwarebytes shows nothing.
eset online scanner shows nothing.
Symantec shows nothing.
Any ideas?
Here are the items from the hosts file if needed.
216.239.32.20 www.google.ae # bck9
216.239.32.20 www.google.at # bck9
216.239.32.20 www.google.be # bck9
216.239.32.20 www.google.ca # bck9
216.239.32.20 www.google.ch # bck9
216.239.32.20 www.google.cl # bck9
216.239.32.20 www.google.co.il # bck9
216.239.32.20 www.google.co.in # bck9
216.239.32.20 www.google.co.jp # bck9
216.239.32.20 www.google.co.kr # bck9
216.239.32.20 www.google.co.nz # bck9
216.239.32.20 www.google.co.uk # bck9
216.239.32.20 www.google.co.ve # bck9
216.239.32.20 www.google.co.za # bck9
216.239.32.20 www.google.com # bck9
216.239.32.20 www.google.com.ar # bck9
216.239.32.20 www.google.com.au # bck9
216.239.32.20 www.google.com.br # bck9
216.239.32.20 www.google.com.co # bck9
216.239.32.20 www.google.com.gr # bck9
216.239.32.20 www.google.com.hk # bck9
216.239.32.20 www.google.com.mx # bck9
216.239.32.20 www.google.com.my # bck9
216.239.32.20 www.google.com.pe # bck9
216.239.32.20 www.google.com.ph # bck9
216.239.32.20 www.google.com.pk # bck9
216.239.32.20 www.google.com.sg # bck9
216.239.32.20 www.google.com.tr # bck9
216.239.32.20 www.google.com.tw # bck9
216.239.32.20 www.google.com.ua # bck9
216.239.32.20 www.google.de # bck9
216.239.32.20 www.google.dk # bck9
216.239.32.20 www.google.es # bck9
216.239.32.20 www.google.fi # bck9
216.239.32.20 www.google.fr # bck9
216.239.32.20 www.google.it # bck9
216.239.32.20 www.google.lt # bck9
216.239.32.20 www.google.lv # bck9
216.239.32.20 www.google.nl # bck9
216.239.32.20 www.google.pl # bck9
216.239.32.20 www.google.pt # bck9
216.239.32.20 www.google.ro # bck9
216.239.32.20 www.google.ru # bck9
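As an added example (not part of the poster's message and not from any tool named on this page), here is a small Python check for the pattern shown above: it parses a hosts file, reports every mapping that is neither loopback nor a 0.0.0.0 sinkhole, grouped by target IP and comment tag, and diffs the current file against a known-good baseline so that entries which come back after removal can be caught when the check is run periodically. The sample hosts content and the baseline are constructed for the example from the entries the poster listed plus a normal loopback line and an ad-block line that the check must leave alone.

```python
"""
Hosts-file triage for the symptom described above: many www.google.* names
pinned to one fixed IP, all carrying the same '# bck9' tag, reappearing after
they are deleted. Added example, not from the original post. The sample
content and the baseline are constructed for this example.
"""
import ipaddress
from collections import defaultdict

# Windows keeps the file at %SystemRoot%\System32\drivers\etc\hosts.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net        # constructed ad-block entry, benign
216.239.32.20 www.google.com # bck9
216.239.32.20 www.google.co.uk # bck9
216.239.32.20 www.google.de # bck9
"""

# What the file looked like before the problem started (constructed).
BASELINE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
"""


def parse_hosts(text):
    """Yield (ip, hostname, comment) for every active mapping; malformed lines are skipped."""
    for raw in text.splitlines():
        body, _, comment = raw.partition("#")
        fields = body.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; ignore the line
        for host in fields[1:]:
            yield str(ip), host.lower(), comment.strip()


def is_benign(ip):
    """Loopback and 0.0.0.0 sinkholes are the only mappings a normal hosts file needs."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def find_hijacks(text):
    """
    Group every non-benign mapping by (ip, comment tag).
    Dozens of unrelated public hostnames pinned to one IP under one shared tag
    is the signature of an automated rewrite, not of a hand-made entry.
    """
    clusters = defaultdict(list)
    for ip, host, comment in parse_hosts(text):
        if not is_benign(ip):
            clusters[(ip, comment)].append(host)
    return dict(clusters)


def added_since(baseline, current):
    """Mappings present now that were not in the baseline; poll this to catch re-adds."""
    before = set(parse_hosts(baseline))
    return sorted(e for e in parse_hosts(current) if e not in before)


if __name__ == "__main__":
    for (ip, tag), hosts in find_hijacks(SAMPLE_HOSTS).items():
        print(f"{ip} tag={tag!r}: {len(hosts)} hostnames, e.g. {hosts[:2]}")
    for entry in added_since(BASELINE_HOSTS, SAMPLE_HOSTS):
        print("added:", entry)
```

Clearing the entries is not a fix on its own: as the poster found, whatever writes them is still running and puts them back. The grouped output (one IP, one tag, many hosts) is most useful as the indicator to carry over into the autorun and process review, and the baseline diff tells you how quickly the rewrite happens, which narrows down whether it is a service, a scheduled task or a process started at logon.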
-
Thank you.
However since it was taking quite a while to remove, the user decided to wipe the PC and use the Restore Disks.
Hopefully that resolves the problem.
Thanks for your help with this.
Dan
-
Yes, I ran the script (with both spellings to make sure).
Both times it said that the service couldn't be found.
The script finished successfully.
-
Hi,
Here are the results from the DDS program.
DDS.txt
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Administrator at 23:15:47 on 2012-07-17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1410 [GMT 1:00]
.
FW: Symantec Endpoint Protection *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
C:\Program Files\Xobni\XobniService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TeamViewer\Version7\TeamViewer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\TeamViewer\Version7\tv_w32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\SHARP\Printer Status Monitor\Smon.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mURLSearchHooks: H - No File
mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\documents and settings\administrator.seedmanchester\local settings\application data\pytmlmix\xflyvmro.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Project seed Toolbar: {7f4290b4-b183-4623-bba2-28f48d9bbd23} - c:\program files\project_seed\prxtbPro0.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
TB: Project seed Toolbar: {7f4290b4-b183-4623-bba2-28f48d9bbd23} - c:\program files\project_seed\prxtbPro0.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [XflYvmro] c:\documents and settings\administrator.seedmanchester\local settings\application data\pytmlmix\xflyvmro.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [sMSTray] c:\program files\samsung\samsung media studio 5\SMSTray.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [\\PC2\EPSON Stylus D68 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiaae.exe /p29 "\\pc2\EPSON Stylus D68 Series" /O6 "USB001" /M "Stylus D68"
mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /fl:on /fr:on /appData:on /tmcp:on
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Google Updater] "c:\program files\google\google updater\GoogleUpdater.exe" -check_deprecation
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\printe~1.lnk - c:\program files\sharp\printer status monitor\Smon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} - hxxp://manchesterserve/connectcomputer/nshelp.dll
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: DhcpNameServer = 192.168.11.254
TCP: Interfaces\{BC9C58A2-60A2-4E71-A074-F19F6A930625} : DhcpNameServer = 192.168.11.254
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: ShellHook Class: {88485281-8b4b-4f8d-9ede-82e29a064277} - c:\progra~1\markany\conten~1\MACSMA~1.DLL
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - \\Manchesterserve\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\kxdjx1ig.default\
.
============= SERVICES / DRIVERS ===============
.
R2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [2008-7-30 277736]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2011-1-6 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-5-18 47640]
R2 QuickBooksDB17;QuickBooksDB17;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb17 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB17 [?]
R2 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-5-21 173352]
R2 TeamViewer7;TeamViewer 7;c:\program files\teamviewer\version7\TeamViewer_Service.exe [2012-3-19 2666880]
R2 XobniService;XobniService;c:\program files\xobni\XobniService.exe [2009-8-11 46824]
R3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [2008-2-20 18432]
R3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [2008-2-20 14336]
R4 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\admini~1.see\locals~1\temp\ftmgyjnb.sys --> c:\docume~1\admini~1.see\locals~1\temp\ftmgyjnb.sys [?]
S0 00677621;00677621;c:\windows\system32\drivers\68236726.sys --> c:\windows\system32\drivers\68236726.sys [?]
S2 ASFIPmon;Broadcom ASF IP Monitor;"c:\program files\broadcom\asfipmon\asfipmon.exe" -service --> c:\program files\broadcom\asfipmon\AsfIpMon.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-8 135664]
S2 WinDefend;Windows Defender;"c:\program files\windows defender\msmpeng.exe" --> c:\program files\windows defender\MsMpEng.exe [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-7-16 250056]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-4-8 135664]
S3 MBAMCatchMe;MBAMCatchMe;c:\program files\malwarebytes' anti-malware\catchme.sys [2008-3-26 27136]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-7-16 40776]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-11 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2012-07-17 09:37:29 -------- d-----w- c:\documents and settings\administrator.seedmanchester\local settings\application data\pytmlmix
2012-07-16 21:07:03 -------- d-----w- c:\program files\stinger
2012-07-16 18:16:21 -------- d-sha-r- C:\cmdcons
2012-07-16 14:03:10 98816 ----a-w- c:\windows\sed.exe
2012-07-16 14:03:10 518144 ----a-w- c:\windows\SWREG.exe
2012-07-16 14:03:10 256000 ----a-w- c:\windows\PEV.exe
2012-07-16 14:03:10 208896 ----a-w- c:\windows\MBR.exe
2012-07-16 14:01:02 -------- d-----w- C:\TDSSKiller_Quarantine
2012-07-16 05:56:59 9216 ----a-w- c:\windows\system32\dllcache\wamps51.dll
2012-07-16 05:55:58 94720 ----a-w- c:\windows\system32\dllcache\umaxud32.dll
2012-07-16 05:54:58 230912 ----a-w- c:\windows\system32\dllcache\tosdvd03.sys
2012-07-16 05:53:57 53248 ----a-w- c:\windows\system32\dllcache\stlncoin.dll
2012-07-16 05:52:59 6912 ----a-w- c:\windows\system32\dllcache\smbclass.sys
2012-07-16 05:51:59 26112 ----a-w- c:\windows\system32\dllcache\EXCH_seos.dll
2012-07-16 05:50:58 19017 ----a-w- c:\windows\system32\dllcache\rtl8029.sys
2012-07-16 05:49:59 8832 ----a-w- c:\windows\system32\dllcache\powerfil.sys
2012-07-16 05:48:58 31872 ----a-w- c:\windows\system32\dllcache\ovce.sys
2012-07-16 05:48:56 28032 ----a-w- c:\windows\system32\dllcache\ovcd.sys
2012-07-16 05:48:53 48000 ----a-w- c:\windows\system32\dllcache\ovcam2.sys
2012-07-16 05:48:51 25088 ----a-w- c:\windows\system32\dllcache\ovca.sys
2012-07-16 05:48:49 54186 ----a-w- c:\windows\system32\dllcache\otcsercb.sys
2012-07-16 05:48:46 43689 ----a-w- c:\windows\system32\dllcache\otceth5.sys
2012-07-16 05:48:43 27209 ----a-w- c:\windows\system32\dllcache\otc06x5.sys
2012-07-16 05:48:38 54528 ----a-w- c:\windows\system32\dllcache\opl3sax.sys
2012-07-16 05:48:29 61696 ----a-w- c:\windows\system32\dllcache\ohci1394.sys
2012-07-16 05:48:11 198144 ----a-w- c:\windows\system32\dllcache\nv3.sys
2012-07-16 05:48:09 123776 ----a-w- c:\windows\system32\dllcache\nv3.dll
2012-07-16 05:46:58 91488 ----a-w- c:\windows\system32\dllcache\n9i3disp.dll
2012-07-16 05:45:41 2944 ----a-w- c:\windows\system32\dllcache\msmpu401.sys
2012-07-16 05:45:36 98304 ----a-w- c:\windows\system32\dllcache\msir3jp.dll
2012-07-16 05:45:36 22016 ----a-w- c:\windows\system32\dllcache\msircomm.sys
2012-07-16 05:45:04 35200 ----a-w- c:\windows\system32\dllcache\msgame.sys
2012-07-16 05:45:00 6016 ----a-w- c:\windows\system32\dllcache\msfsio.sys
2012-07-16 05:44:59 51200 ----a-w- c:\windows\system32\dllcache\msdv.sys
2012-07-16 05:44:20 15232 ----a-w- c:\windows\system32\dllcache\mpe.sys
2012-07-16 05:44:09 16128 ----a-w- c:\windows\system32\dllcache\modemcsa.sys
2012-07-16 05:42:58 70730 ----a-w- c:\windows\system32\dllcache\lne100tx.sys
2012-07-16 05:41:58 59904 ----a-w- c:\windows\system32\dllcache\imkrinst.exe
2012-07-16 05:40:58 391199 ----a-w- c:\windows\system32\dllcache\hsf_k56k.sys
2012-07-16 05:39:59 320384 ----a-w- c:\windows\system32\dllcache\g200m.sys
2012-07-16 05:38:58 174464 ----a-w- c:\windows\system32\dllcache\es198x.sys
2012-07-16 05:37:59 6729 ----a-w- c:\windows\system32\dllcache\disrvci.dll
2012-07-16 05:36:59 272640 ----a-w- c:\windows\system32\dllcache\cinemclc.sys
2012-07-16 05:35:59 75136 ----a-w- c:\windows\system32\dllcache\atimpae.sys
2012-07-16 05:28:47 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-07-16 05:10:35 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-15 18:16:26 -------- d-----w- c:\program files\ESET
2012-06-26 20:58:04 -------- d-----w- \\Manchesterserve\Users\Administrator\Application Data\ElevatedDiagnostics
.
==================== Find3M ====================
.
2012-07-16 05:10:35 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-03 12:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-13 13:19:59 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50:25 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 15:50:25 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32:08 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 14:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 14:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 14:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 14:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 14:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-11 14:42:33 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42:33 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38:02 385024 ----a-w- c:\windows\system32\html.iec
2012-05-04 13:16:13 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32:19 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
============= FINISH: 23:17:29.23 ===============
I couldn't copy and paste the attach.txt file because it was too large to post, so I've attached it instead.
Thanks
Dan
-
Hi Maurice,
Is this a typo?
sc delete MICORSOFT_WINDOWS_SERVICE
Thanks
Dan
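The service behind that `sc delete` line appears in the DDS log above as `R4 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\...\temp\ftmgyjnb.sys --> ... [?]`. As an added example (not part of this thread, and not a DDS or Malwarebytes tool), here is a Python triage script that parses DDS service/driver lines and scores exactly those traits: an image under a Temp directory, a near-miss of the vendor name "Microsoft", a digits-only name, and a `[?]` where DDS would normally print a timestamp and size. The weights and threshold are my own assumptions, and the sample lines are copied from the log.

```python
"""Triage helper for DDS 'SERVICES / DRIVERS' lines (added example, not DDS code).

Parses lines of the two shapes DDS emits:

    R2 Name;Display Name;c:\\path\\file.sys [2008-7-30 277736]
    R4 Name;Display Name;\\??\\c:\\path\\file.sys --> c:\\path\\file.sys [?]

and scores each entry for traits the rogue service in this thread shows.
Weights and the threshold are assumptions for illustration, not a verdict.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the DDS log in this thread so the
# script runs offline. The last one is a legitimate service that also
# shows "[?]", which is why that signal alone carries little weight.
SAMPLE_DDS_LINES = r"""
R2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [2008-7-30 277736]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2011-1-6 374152]
R4 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\admini~1.see\locals~1\temp\ftmgyjnb.sys --> c:\docume~1\admini~1.see\locals~1\temp\ftmgyjnb.sys [?]
S0 00677621;00677621;c:\windows\system32\drivers\68236726.sys --> c:\windows\system32\drivers\68236726.sys [?]
S2 WinDefend;Windows Defender;"c:\program files\windows defender\msmpeng.exe" --> c:\program files\windows defender\MsMpEng.exe [?]
""".strip().splitlines()

LINE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
BRANDS = ("microsoft",)      # vendor names that malware likes to misspell
SUSPICIOUS_THRESHOLD = 3     # assumption: score at or above this gets reported


@dataclass
class Entry:
    state: str     # R2/R3/S0 ... as printed by DDS
    name: str
    display: str
    image: str     # resolved image path (right side of '-->' when present)
    meta: str      # text inside the trailing [...]: "date size" or "?"


@dataclass
class Finding:
    entry: Entry
    score: int = 0
    reasons: list = field(default_factory=list)


def parse_line(line: str):
    """Return an Entry for one DDS service/driver line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest, meta = m["rest"], ""
    if rest.endswith("]") and "[" in rest:
        rest, _, meta = rest.rpartition("[")
        meta = meta[:-1]          # drop the closing ']'
        rest = rest.rstrip()
    # When DDS resolved the path, the resolved form follows ' --> '.
    image = rest.split(" --> ")[-1].strip().strip('"')
    if image.startswith("\\??\\"):
        image = image[4:]
    return Entry(m["state"], m["name"], m["display"], image, meta)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; 'micorsoft' vs 'microsoft' is 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_entry(e: Entry) -> Finding:
    f = Finding(e)
    if "\\temp\\" in e.image.lower() or "\\tmp\\" in e.image.lower():
        f.score += 3
        f.reasons.append("image lives under a Temp directory")
    tokens = set(re.findall(r"[a-z]+", f"{e.name} {e.display}".lower()))
    for tok in sorted(tokens):
        for brand in BRANDS:
            d = edit_distance(tok, brand)
            if 0 < d <= 2:        # close to the brand but not equal to it
                f.score += 2
                f.reasons.append(f"'{tok}' is a near-miss of '{brand}'")
    if re.fullmatch(r"\d+", e.name):
        f.score += 1
        f.reasons.append("service name is digits only")
    if e.meta == "?":
        f.score += 1
        f.reasons.append("DDS printed [?] instead of a timestamp and size")
    return f


def triage(lines):
    """Score every parseable service/driver line."""
    return [score_entry(e) for e in map(parse_line, lines) if e is not None]


def suspicious(lines):
    """Only the findings at or above the (assumed) threshold, highest first."""
    hits = [f for f in triage(lines) if f.score >= SUSPICIOUS_THRESHOLD]
    return sorted(hits, key=lambda f: -f.score)


if __name__ == "__main__":
    for f in suspicious(SAMPLE_DDS_LINES):
        print(f"{f.score:>2}  {f.entry.state} {f.entry.name!r} -> {f.entry.image}")
        for r in f.reasons:
            print(f"      - {r}")
```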
-
I was following the previous topic instructions so that's where ComboFix came from.
I've deleted it now.
In the process of trying to delete the malware, I removed Symantec Endpoint Protection. It was blocking access to the malware files, but the malware was causing SEP to repeatedly crash and therefore I was unable to disable the AV.
After performing the CF steps, I'm still unable to access www.Malwarebytes.org, www.eset.com etc.
Please find the attachments requested.
Thanks for your help.
Dan
Results of screen317's Security Check version 0.99.42
Windows XP Service Pack 3 x86 (UAC is disabled!)
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Please wait while WMIC is being installed.
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Windows Defender
Malwarebytes Anti-Malware version 1.62.0.1300
Java 6 Update 5
Java version out of Date!
Adobe Reader 9 Adobe Reader out of Date!
Mozilla Firefox (for.)
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 27% Defragment your hard drive soon!
````````````````````End of Log``````````````````````
ComboFix 12-07-16.01 - Administrator 17/07/2012 10:24:31.2.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1687 [GMT 1:00]
Running from: \\MANCHESTERSERVE\Users\Administrator\Desktop\ComboFix.exe
Command switches used :: \\MANCHESTERSERVE\Users\Administrator\Desktop\CFScript.txt
FW: Symantec Endpoint Protection *Enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
FILE ::
"c:\documents and settings\shaya.seedmanchester.000\local settings\application data\pytmlmix\xflyvmro.exe"
.
file zipped: c:\documents and settings\shaya.SEEDMANCHESTER.000\Local Settings\Application Data\pytmlmix\xflyvmro.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator.SEEDMANCHESTER\Local Settings\Application Data\awseslek.log
c:\documents and settings\Administrator.SEEDMANCHESTER\Local Settings\Application Data\bwitqshb.log
c:\documents and settings\Administrator.SEEDMANCHESTER\Local Settings\Application Data\dgmbomnp.log
c:\documents and settings\Administrator.SEEDMANCHESTER\Local Settings\Application Data\epjlyeqf.log
c:\documents and settings\Administrator.SEEDMANCHESTER\Local Settings\Application Data\lymuqbib.log
c:\documents and settings\Administrator.SEEDMANCHESTER\Local Settings\Application Data\nrcdbcgr.log
c:\documents and settings\Administrator.SEEDMANCHESTER\Local Settings\Application Data\rgveijmc.log
c:\documents and settings\Administrator.SEEDMANCHESTER\Local Settings\Application Data\ygoqwlak.log
c:\documents and settings\shaya.seedmanchester.000\local settings\application data\pytmlmix
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MICORSOFT_WINDOWS_SERVICE
.
.
((((((((((((((((((((((((( Files Created from 2012-06-17 to 2012-07-17 )))))))))))))))))))))))))))))))
.
.
2012-07-17 09:37 . 2012-07-17 09:37 -------- d-----w- c:\documents and settings\Administrator.SEEDMANCHESTER\Local Settings\Application Data\pytmlmix
2012-07-17 09:14 . 2012-07-17 09:15 -------- d-----w- c:\program files\ERUNT
2012-07-16 21:07 . 2012-07-16 21:08 -------- d-----w- c:\program files\stinger
2012-07-16 14:01 . 2012-07-16 21:05 -------- d-----w- C:\TDSSKiller_Quarantine
2012-07-16 05:54 . 2001-08-17 21:36 10240 ----a-w- c:\windows\system32\dllcache\swpdflt2.dll
2012-07-16 05:54 . 2001-08-17 21:36 155648 ----a-w- c:\windows\system32\dllcache\stlnprop.dll
2012-07-16 05:52 . 2008-04-13 18:36 6912 ----a-w- c:\windows\system32\dllcache\smbclass.sys
2012-07-16 05:51 . 2001-08-17 21:36 26112 ----a-w- c:\windows\system32\dllcache\EXCH_seos.dll
2012-07-16 05:50 . 2001-08-17 11:12 19017 ----a-w- c:\windows\system32\dllcache\rtl8029.sys
2012-07-16 05:49 . 2008-04-13 18:40 8832 ----a-w- c:\windows\system32\dllcache\powerfil.sys
2012-07-16 05:48 . 2001-08-17 13:05 31872 ----a-w- c:\windows\system32\dllcache\ovce.sys
2012-07-16 05:48 . 2001-08-17 13:05 28032 ----a-w- c:\windows\system32\dllcache\ovcd.sys
2012-07-16 05:48 . 2001-08-17 13:05 48000 ----a-w- c:\windows\system32\dllcache\ovcam2.sys
2012-07-16 05:48 . 2001-08-17 13:05 25088 ----a-w- c:\windows\system32\dllcache\ovca.sys
2012-07-16 05:48 . 2001-08-17 12:28 54186 ----a-w- c:\windows\system32\dllcache\otcsercb.sys
2012-07-16 05:48 . 2001-08-17 11:12 43689 ----a-w- c:\windows\system32\dllcache\otceth5.sys
2012-07-16 05:48 . 2001-08-17 11:12 27209 ----a-w- c:\windows\system32\dllcache\otc06x5.sys
2012-07-16 05:48 . 2001-08-17 11:20 54528 ----a-w- c:\windows\system32\dllcache\opl3sax.sys
2012-07-16 05:48 . 2008-04-13 18:46 61696 ----a-w- c:\windows\system32\dllcache\ohci1394.sys
2012-07-16 05:48 . 2001-08-17 11:50 198144 ----a-w- c:\windows\system32\dllcache\nv3.sys
2012-07-16 05:48 . 2001-08-17 21:36 123776 ----a-w- c:\windows\system32\dllcache\nv3.dll
2012-07-16 05:46 . 2001-08-17 13:56 91488 ----a-w- c:\windows\system32\dllcache\n9i3disp.dll
2012-07-16 05:45 . 2001-08-17 13:00 2944 ----a-w- c:\windows\system32\dllcache\msmpu401.sys
2012-07-16 05:45 . 2008-04-13 18:54 22016 ----a-w- c:\windows\system32\dllcache\msircomm.sys
2012-07-16 05:45 . 2004-08-04 05:00 98304 ----a-w- c:\windows\system32\dllcache\msir3jp.dll
2012-07-16 05:45 . 2001-08-17 13:02 35200 ----a-w- c:\windows\system32\dllcache\msgame.sys
2012-07-16 05:45 . 2001-08-17 12:48 6016 ----a-w- c:\windows\system32\dllcache\msfsio.sys
2012-07-16 05:44 . 2008-04-13 18:46 51200 ----a-w- c:\windows\system32\dllcache\msdv.sys
2012-07-16 05:44 . 2008-04-13 18:46 15232 ----a-w- c:\windows\system32\dllcache\mpe.sys
2012-07-16 05:44 . 2001-08-17 12:57 16128 ----a-w- c:\windows\system32\dllcache\modemcsa.sys
2012-07-16 05:42 . 2001-08-17 11:12 70730 ----a-w- c:\windows\system32\dllcache\lne100tx.sys
2012-07-16 05:41 . 2004-08-04 05:00 59904 ----a-w- c:\windows\system32\dllcache\imkrinst.exe
2012-07-16 05:40 . 2001-08-17 12:28 391199 ----a-w- c:\windows\system32\dllcache\hsf_k56k.sys
2012-07-16 05:39 . 2001-08-17 11:49 320384 ----a-w- c:\windows\system32\dllcache\g200m.sys
2012-07-16 05:38 . 2001-08-17 11:19 174464 ----a-w- c:\windows\system32\dllcache\es198x.sys
2012-07-16 05:37 . 2001-08-17 21:36 6729 ----a-w- c:\windows\system32\dllcache\disrvci.dll
2012-07-16 05:36 . 2001-08-17 13:02 272640 ----a-w- c:\windows\system32\dllcache\cinemclc.sys
2012-07-16 05:35 . 2001-08-17 11:49 75136 ----a-w- c:\windows\system32\dllcache\atimpae.sys
2012-07-16 05:28 . 2012-07-16 21:01 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-07-16 05:10 . 2012-07-16 05:10 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-15 18:16 . 2012-07-15 18:16 -------- d-----w- c:\program files\ESET
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-16 05:10 . 2012-02-21 20:59 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-03 12:46 . 2012-02-02 14:01 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-13 13:19 . 2004-08-11 17:00 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50 . 2007-05-15 15:43 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 15:50 . 2004-08-11 17:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32 . 2004-08-11 17:00 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 14:19 . 2007-04-16 22:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 14:19 . 2007-04-16 22:46 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 14:19 . 2004-08-11 17:12 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 14:19 . 2004-08-11 17:12 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 14:19 . 2004-08-11 17:12 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 14:19 . 2007-04-16 22:46 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 14:19 . 2007-04-16 22:45 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 14:19 . 2004-08-11 17:12 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 14:19 . 2004-08-11 17:12 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 14:19 . 2004-08-11 17:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 14:19 . 2007-04-16 22:45 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 14:19 . 2004-08-11 17:12 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 14:19 . 2004-08-11 17:12 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-05-31 13:22 . 2004-08-11 17:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2004-08-11 17:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-11 14:42 . 2004-08-11 17:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2004-08-11 17:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2004-08-11 17:00 385024 ----a-w- c:\windows\system32\html.iec
2012-05-04 13:16 . 2004-08-11 17:00 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2004-08-03 22:59 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2004-08-11 17:11 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-16_20.04.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-07-17 01:30 . 2012-07-17 01:30 22016 c:\windows\Installer\fbd1a7.msi
+ 2012-07-17 09:37 . 2012-07-17 09:37 65536 c:\windows\Installer\{5ACE69F0-A3E8-44EB-88C1-0A841E700180}\NewShortcut1.A6CC6977_F7B4_4C0B_9510_BCD847D4BDB2.exe
- 2008-09-09 11:48 . 2008-09-09 11:48 65536 c:\windows\Installer\{5ACE69F0-A3E8-44eb-88C1-0A841E700180}\NewShortcut1.A6CC6977_F7B4_4C0B_9510_BCD847D4BDB2.exe
+ 2012-07-17 09:15 . 2012-07-17 09:15 12288 c:\windows\erdnt\17-07-2012\Users\00000004\UsrClass.dat
+ 2012-07-17 09:15 . 2012-07-17 09:15 12288 c:\windows\erdnt\17-07-2012\Users\00000002\UsrClass.dat
+ 2009-11-11 23:28 . 2009-10-01 09:29 195440 c:\windows\system32\MpSigStub.exe
+ 2012-07-17 09:15 . 2012-07-17 09:15 151552 c:\windows\erdnt\17-07-2012\Users\00000006\UsrClass.dat
+ 2012-07-17 09:15 . 2012-07-17 09:15 241664 c:\windows\erdnt\17-07-2012\Users\00000003\NTUSER.DAT
+ 2012-07-17 09:15 . 2012-07-17 09:15 237568 c:\windows\erdnt\17-07-2012\Users\00000001\NTUSER.DAT
+ 2012-07-17 09:15 . 2005-10-20 11:02 163328 c:\windows\erdnt\17-07-2012\ERDNT.EXE
+ 2012-07-17 09:15 . 2012-07-17 09:15 3440640 c:\windows\erdnt\17-07-2012\Users\00000005\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7f4290b4-b183-4623-bba2-28f48d9bbd23}]
2011-05-09 09:49 176936 ----a-w- c:\program files\Project_seed\prxtbPro0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7f4290b4-b183-4623-bba2-28f48d9bbd23}"= "c:\program files\Project_seed\prxtbPro0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{7f4290b4-b183-4623-bba2-28f48d9bbd23}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{7F4290B4-B183-4623-BBA2-28F48D9BBD23}"= "c:\program files\Project_seed\prxtbPro0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{7f4290b4-b183-4623-bba2-28f48d9bbd23}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-13 68856]
"XflYvmro"="c:\documents and settings\Administrator.SEEDMANCHESTER\Local Settings\Application Data\pytmlmix\xflyvmro.exe" [bU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-09-20 132624]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"\\PC2\EPSON Stylus D68 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE" [2005-01-25 98304]
"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2008-05-27 53248]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-08 198160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"Google Updater"="c:\program files\Google\Google Updater\GoogleUpdater.exe" [2011-09-12 161336]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-13 68856]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-18 2247]
.
c:\documents and settings\ilan\Start Menu\Programs\Startup\
eFax 4.4.lnk - c:\program files\eFax Messenger 4.4\J2GTray.exe [N/A]
Microsoft Office Outlook.lnk - c:\program files\Microsoft Office\Office12\OUTLOOK.EXE [2012-5-3 13006952]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
Printer Status Monitor.lnk - c:\program files\SHARP\Printer Status Monitor\Smon.exe [2011-1-6 180313]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-8-23 967960]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\Administrator.SEEDMANCHESTER\Local Settings\Application Data\pytmlmix\xflyvmro.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-12-14 14:32 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMX Daemon]
2010-04-22 10:55 49152 ----a-w- c:\windows\system32\ico.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SN0XRCV]
2006-10-23 10:11 102400 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\SN0XRCV.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SN52IPRW]
2005-02-15 10:02 135168 ----a-w- c:\windows\system32\SN52SELC.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XflYvmro]
c:\documents and settings\shaya.SEEDMANCHESTER.000\Local Settings\Application Data\pytmlmix\xflyvmro.exe [bU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"stllssvr"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AllAlertsDisabled"=dword:00000001
"TermService"=dword:00000001
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\temp\\HP_WebRelease\\Setup\\HPZnet01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
.
R2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [30/07/2008 06:51 277736]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [06/01/2011 16:45 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [24/07/2008 18:46 12856]
R2 QuickBooksDB17;QuickBooksDB17;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB17 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB17 [?]
R2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [21/05/2010 12:27 173352]
R2 TeamViewer7;TeamViewer 7;c:\program files\TeamViewer\Version7\TeamViewer_Service.exe [19/03/2012 12:38 2666880]
R2 XobniService;XobniService;c:\program files\Xobni\XobniService.exe [11/08/2009 23:31 46824]
R3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [20/02/2008 15:08 18432]
R3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [20/02/2008 15:08 14336]
R4 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\ADMINI~1.SEE\LOCALS~1\Temp\ftmgyjnb.sys --> c:\docume~1\ADMINI~1.SEE\LOCALS~1\Temp\ftmgyjnb.sys [?]
S0 00677621;00677621;c:\windows\system32\drivers\68236726.sys --> c:\windows\system32\drivers\68236726.sys [?]
S2 ASFIPmon;Broadcom ASF IP Monitor;"c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe" -service --> c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [08/04/2010 15:30 135664]
S2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" --> c:\program files\Windows Defender\MsMpEng.exe [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [16/07/2012 06:10 250056]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [08/04/2010 15:30 135664]
S3 MBAMCatchMe;MBAMCatchMe;c:\program files\Malwarebytes' Anti-Malware\catchme.sys [26/03/2008 11:58 27136]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [16/07/2012 06:28 40776]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MICORSOFT_WINDOWS_SERVICE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-16 05:10]
.
2012-07-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
.
2012-07-12 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-02-13 13:30]
.
2012-07-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-08 14:30]
.
2012-07-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-08 14:30]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
TCP: DhcpNameServer = 192.168.11.254
FF - ProfilePath - \\Manchesterserve\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\kxdjx1ig.default\
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-PC Suite Tray - c:\program files\Nokia\Nokia PC Suite 6\PCSuite.exe
SafeBoot-00677621.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-17 10:36
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1918387015-3744224925-1604920466-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,24,fe,f0,cf,ca,89,ea,46,92,30,9d,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,24,fe,f0,cf,ca,89,ea,46,92,30,9d,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,24,fe,f0,cf,ca,89,ea,46,92,30,9d,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,24,fe,f0,cf,ca,89,ea,46,92,30,9d,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,24,fe,f0,cf,ca,89,ea,46,92,30,9d,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(664)
c:\windows\system32\LMIinit.dll
c:\program files\LogMeIn\x86\LMIhook.000.dll
c:\windows\system32\wininet.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'lsass.exe'(720)
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(5844)
c:\windows\system32\WININET.dll
c:\program files\LogMeIn\x86\LMIhook.000.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe
c:\windows\system32\msiexec.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\TeamViewer\Version7\TeamViewer.exe
c:\windows\system32\wscntfy.exe
c:\program files\TeamViewer\Version7\tv_w32.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2012-07-17 10:42:06 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-17 09:42
ComboFix2.txt 2012-07-16 20:09
.
Pre-Run: 109,024,645,120 bytes free
Post-Run: 106,894,229,504 bytes free
.
- - End Of File - - 8F83AFB3399AAB5FBA40AB97F69828FA
-
Correction. It's happening to all users on the computer.
-
Hi,
Thanks. I ran the flush.bat file but still can't access Malwarebytes and other security sites.
Please find the attached DDS results.
It's a friend's PC. It's part of a domain. His login is called DOMAIN/shaya
Thanks
Dan
-
Post Merged
We look for posts with 0 replies, so when you reply to your own topic, we assume you were being helped.
Please be patient, someone will assist you as soon as possible.
Hi,
I've got a PC that's been having issues. Last time I had an issue, I was asked to run an online virus scan at www.eset.com; however, I'm now unable to access the site.
ping www.eset.com sends a ping to 127.0.0.1.
I've checked the hosts file and it's empty, so no issue there.
Any idea how I can diagnose this?
Also can't seem to open malwarebytes.
This only seems to happen when one specific user is logged in.
Other users can run the online eset scanner and malwarebytes without any problems.
The computer is on a domain.
Thanks
Dan
Just noticed that I'm unable to get onto the Malwarebytes website too.
-
Thanks for all your hard work. Hopefully after the reinstall, all will be fine!
I'll be sure to run a scan disk to check it for errors.
-
Hi,
I just wanted to update you that the user was using it today, installed Google drive which asked him to perform a reboot.
Then there were a series of messages that mentioned the words 'deleting files' and indexes.
Then the PC stopped booting and continuously showed the blue screen, even safe mode and last known good config.
Running Recuva on it to rescue the data, then I'll reinstall Windows.
Not sure what the cause was. Could it have been the viruses?
Thanks
Dan
-
Hi,
Sorry for the delay.
Here are the results:-
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=9008ce58ac188f4d9a6ef5f36fc5dad2
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-05-29 08:58:46
# local_time=2012-05-29 09:58:46 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 117 117 0 0
# scanned=117647
# found=85
# cleaned=85
# scan_time=6582
C:\Documents and Settings\az\Local Settings\Temp\ICReinstall\cnet2_swfflv_player_exe.exe a variant of Win32/InstallCore.D application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\az.SEEDLONDON\Application Data\MediaWmplay\FlashPlugin\FlashUtil192_ActiveX.exe a variant of Win32/Kryptik.AENA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\az.SEEDLONDON\Application Data\Sun\Java\Deployment\cache\6.0\55\25e91f37-78bea34a multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\az.SEEDLONDON\My Documents\Windows\NTdZMGTHzjoD\taskhost.exe MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\0FB177C9.exe.vir MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\4Z7DPS8WE8M2test1.exe.vir a variant of MSIL/TrojanDownloader.Agent.DR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\bzvqex.exe.vir a variant of MSIL/Kryptik.CO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\C4BBZhkcmdX.exe.vir a variant of MSIL/TrojanDownloader.Agent.DR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\Driver.exe.vir MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\evdfes.exe.vir a variant of MSIL/Kryptik.CC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\fvrhs.exe.vir a variant of Win32/Kryptik.AEFU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\hglphv.exe.vir a variant of Win32/TrojanDownloader.Zurgop.AQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\hptlyz.exe.vir a variant of MSIL/Kryptik.CO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\hxafcl.exe.vir a variant of MSIL/Kryptik.CO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\jdjkwl.exe.vir a variant of MSIL/Kryptik.CO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\jljter.exe.vir a variant of Win32/Injector.RET trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\jpcwmb.exe.vir a variant of MSIL/Kryptik.CC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\kfoczt.exe.vir a variant of MSIL/Kryptik.CO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\kzmlbp.exe.vir a variant of Win32/Kryptik.AENA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\luqmrt.exe.vir a variant of MSIL/Kryptik.CO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\pbgulj.exe.vir a variant of MSIL/Kryptik.CO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\qlhlyi.exe.vir a variant of MSIL/Kryptik.CC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\swmbst.exe.vir a variant of MSIL/Kryptik.CO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\VV0IYPGKU6TI7MhkcmdX.exe.vir a variant of MSIL/TrojanDownloader.Agent.DR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\wtapbx.exe.vir a variant of MSIL/Kryptik.CO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\xbgfcn.exe.vir a variant of Win32/Kryptik.AENA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\Winupdate\windefender.exe.vir a variant of MSIL/Injector.AAT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\Ykkuw\uvdiw.exe.vir a variant of Win32/Kryptik.AFTN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Local Settings\Application Data\184181752012Gerichtsdokumente.exe.vir a variant of Win32/Injector.OQZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Local Settings\Application Data\2056191752012t123.exe.vir MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\taskhost.exe.vir MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\Shield.exe.vir a variant of Win32/Injector.RNZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP227\A0036381.exe Win32/Spy.Zbot.AAO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP235\A0037863.exe Win32/Spy.Zbot.AAO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP239\A0039968.exe a variant of Win32/Kryptik.ADUH trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP247\A0042221.exe probably a variant of Win32/CoinMiner.L trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP248\A0042243.exe Win32/Spy.Zbot.AAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP254\A0043558.exe Win32/Spy.Zbot.AAO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP255\A0043592.exe Win32/Spy.Zbot.AAO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP261\A0043875.exe a variant of Win32/Kryptik.AFHB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP262\A0043910.exe MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP262\A0043911.exe MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP262\A0043925.exe a variant of MSIL/TrojanDownloader.Agent.DR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP263\A0043926.exe a variant of MSIL/TrojanDownloader.Agent.DR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP263\A0043942.exe MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP263\A0043943.exe MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP263\A0043944.exe MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP264\A0043949.exe MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP264\A0043950.exe MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP265\A0044915.exe MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP265\A0044916.exe MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP265\A0044917.exe MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP267\A0044927.exe a variant of Win32/Injector.OQZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0046863.exe MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0046864.exe MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0046865.exe MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047139.exe MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047151.exe a variant of MSIL/TrojanDownloader.Agent.DR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047168.exe a variant of MSIL/Kryptik.CO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047169.exe a variant of MSIL/TrojanDownloader.Agent.DR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047170.exe MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047171.exe a variant of MSIL/Kryptik.CC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047173.exe a variant of Win32/Kryptik.AEFU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047175.exe a variant of Win32/TrojanDownloader.Zurgop.AQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047176.exe a variant of MSIL/Kryptik.CO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047177.exe a variant of MSIL/Kryptik.CO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047178.exe a variant of MSIL/Kryptik.CO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047179.exe a variant of Win32/Injector.RET trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047180.exe a variant of MSIL/Kryptik.CC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047182.exe a variant of MSIL/Kryptik.CO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047183.exe a variant of Win32/Kryptik.AENA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047184.exe a variant of MSIL/Kryptik.CO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047187.exe a variant of MSIL/Kryptik.CO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047190.exe a variant of MSIL/Kryptik.CC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047191.exe a variant of MSIL/Kryptik.CO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047193.exe a variant of MSIL/TrojanDownloader.Agent.DR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047194.exe a variant of MSIL/Injector.AAT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047195.exe a variant of MSIL/Kryptik.CO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047196.exe a variant of Win32/Kryptik.AENA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047197.exe a variant of Win32/Kryptik.AFTN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047198.exe a variant of Win32/Injector.OQZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047199.exe MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047205.exe a variant of Win32/Injector.RNZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047207.exe MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP274\A0050980.exe a variant of Win32/Kryptik.AENA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
Thanks
Dan
-
-
Sorry for the delay.
I lost remote access to the computer when I ran combofix.
The local user had to sort it out.
There is no combofix.txt file in c:\ so I assume that Windows crashed while trying to run it.
Thanks
Dan
-
Hi,
Please find the malware bytes log attached.
I have removed the items it found.
Thanks
Dan
-
First, have you intentionally installed any BitCoin-mining software on your computer? While this is indeed legitimate software, it's often installed by cybercriminals alongside their malware... if you aren't familiar with it, we should erase it from your system.
Never heard of BitCoin. The user may have installed it, but if it's suspicious, I'd rather remove it. They can always reinstall. Could it be part of Covenant Eyes?
Second, Did you knowingly install this application:
Covenant Eyes "internet accountability" software
Yes, that was knowingly installed.
Next, do you recognize the following folders (in bold)?
- c:\documents and settings\az.SEEDLONDON\Application Data\Security
- c:\documents and settings\az.SEEDLONDON\Application Data\System
Please let me know.
No, I don't. And I don't recognise the files within those folders either. Only system\cg has files in it:-
Directory of C:\Documents and Settings\az.SEEDLONDON\Application Data\System\CG
17/05/2012 18:32 <DIR> .
17/05/2012 18:32 <DIR> ..
17/05/2012 18:30 249,344 libcurl-4.dll
17/05/2012 18:31 87,054 libpdcurses.dll
17/05/2012 18:31 177,207 libusb-1.0.dll
17/05/2012 18:31 57,960 OpenCL.dll
17/05/2012 18:32 13,648 phatk120223.cl
17/05/2012 18:32 44,730 poclbm120327.cl
17/05/2012 18:32 68,096 pthreadGC2-w32.dll
17/05/2012 18:32 68,096 pthreadGC2.dll
17/05/2012 18:30 124,928 winapi.exe
9 File(s) 891,063 bytes
2 Dir(s) 69,349,888,000 bytes free
Let's run a scan with Malwarebytes:
Running scan. I'll post the results when it completes.
-
Hi D-FRED-BROWN,
I believe it completed successfully, but the PC did restart when I wasn't watching, so I don't know if that was a planned restart as part of the ComboFix routine.
However, it seems to have resolved the problem.
Please find the combofix.txt file attached.
Thanks for your help.
Dan
-
No. I'm working on the PC remotely, so I lost the connection before it displayed the error.
I'll try to take a look at Windows Events in the morning to see if I can spot anything.
Thanks
Dan
-
It crashed again. It takes a while for it to restart and LogMeIn to reconnect so I'll have to continue tomorrow.
Thanks for your help so far.
-
Windows crashed when running ComboFix. Trying again.
Please find the other files attached.
TDSSKiller.2.7.36.0_21.05.2012_21.11.22_log.txt
TDSSKiller.2.7.36.0_21.05.2012_23.17.11_log.txt
Thanks
Dan
-
Hi,
I have a computer that had a virus. The virus changed the Winlogon entry from userinit.exe to something else so that I couldn't log in. I sorted that out by correcting the registry.
The virus also caused the redirect from www.malwarebytes.org to www.hotmail.com, so I had to download and install Malwarebytes via USB key.
Malwarebytes Free is now reporting that the computer is clean, but the redirect is still in place. The free trial of Malwarebytes Pro has stopped reporting suspicious traffic, so I believe it's removed properly.
I've checked the hosts file and it's empty apart from the default settings.
I've also run Kaspersky TDSSKiller and deleted what it found.
Many thanks
Dan
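The two symptoms Dan reports in this post and in the earlier one (security-vendor sites resolving to 127.0.0.1 although the hosts file is empty, and a Winlogon Userinit entry that had been swapped away from userinit.exe) are the kind of thing a helper would want checked mechanically rather than by eye. Below is an added example of mine, not code from the thread, from Malwarebytes or from any of the tools named here. It parses hosts-file text, asks a resolver for each watched hostname and flags any answer that is loopback or otherwise non-routable, and it lists every entry of a Userinit value that is not the stock userinit.exe. The watched-host list, the sample hosts text, the resolver answers and the registry values are all constructed for the example; the stock Userinit value for 32-bit Windows XP is assumed to be `C:\WINDOWS\system32\userinit.exe,` (trailing comma included). On a live machine you would feed it the real hosts file, `socket.gethostbyname`, and the Userinit value read from `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`.

```python
"""Defender-side checks for the redirect and Userinit symptoms described in the thread.

Added example, not the thread's or Malwarebytes' code. Everything marked
'constructed' below is sample data made up for the example.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Hostnames a support volunteer typically asks the user to reach. Constructed list.
WATCHED_HOSTS = ["www.eset.com", "www.malwarebytes.org", "www.kaspersky.com"]

# Stock value on 32-bit Windows XP (assumption); the trailing comma is part of the value.
EXPECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"


def parse_hosts(text: str) -> Dict[str, str]:
    """Parse hosts-file syntax into {hostname: ip}.

    '#' comments and blank lines are skipped. A hostname listed twice keeps its
    first mapping, which is how the OS resolver treats the file too.
    """
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            mapping.setdefault(name.lower(), ip)
    return mapping


def is_sinkhole(ip: str) -> bool:
    """True if the answer cannot be the vendor's real public host.

    Loopback, unspecified (0.0.0.0), link-local and private ranges are all
    sinkholes for a public site; an unparseable answer is treated as suspicious.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return addr.is_loopback or addr.is_unspecified or addr.is_link_local or addr.is_private


def system_resolver(name: str) -> Optional[str]:
    """Resolver for live use; returns None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def find_redirects(hosts_text: str, resolver: Callable[[str], Optional[str]],
                   watched: List[str] = WATCHED_HOSTS) -> Dict[str, str]:
    """Return {hostname: reason} for every watched host that is pinned in the hosts
    file or whose resolver answer is a sinkhole.

    A hosts-file pin is reported even when the pinned address is routable: a
    workstation's hosts file has no business naming security vendors at all.
    """
    findings: Dict[str, str] = {}
    hosts_map = parse_hosts(hosts_text)
    for name in watched:
        key = name.lower()
        if key in hosts_map:
            findings[name] = f"pinned in hosts file to {hosts_map[key]}"
            continue
        answer = resolver(name)
        if answer is None:
            findings[name] = "does not resolve"
        elif is_sinkhole(answer):
            findings[name] = f"resolves to non-routable address {answer}"
    return findings


def userinit_extras(value: str, expected: str = EXPECTED_USERINIT) -> List[str]:
    """Return every comma-separated entry of a Winlogon Userinit value that is not
    the expected userinit.exe. An empty list means the value is stock."""
    expected_entries = {e.strip().lower() for e in expected.split(",") if e.strip()}
    return [e.strip() for e in value.split(",")
            if e.strip() and e.strip().lower() not in expected_entries]


if __name__ == "__main__":
    # Constructed: an 'empty' hosts file and a resolver that answers like the infected user's session.
    sample_hosts = "127.0.0.1 localhost\n"
    fake_answers = {"www.eset.com": "127.0.0.1",
                    "www.malwarebytes.org": "10.0.0.5",
                    "www.kaspersky.com": "93.184.216.34"}
    for host, why in find_redirects(sample_hosts, fake_answers.get).items():
        print(f"{host}: {why}")
    # Constructed Userinit value with one extra entry appended by malware.
    print(userinit_extras(r"C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\x\example_dropped.exe,"))
```

Because `ping` and the browser both use the system resolver, an empty hosts file plus a loopback answer points at something between the application and DNS (a per-user proxy or Winsock layer, or the DNS client itself) rather than at the hosts file, which is why the example reports the hosts pin and the resolver answer as separate findings.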
Android/Trojan.Fadeb.j on system apps
in Mobile Malware Removal Help & Support
Posted
Furthermore, I manually disabled the fake Calculator app prior to running the Malwarebytes scan, only to discover that it somehow re-enabled itself.