hiesenberg

Everything posted by hiesenberg

  1. Kevin: machine continues with same symptoms, no changes. I re-ran Kaspersky twice after I got it to update definitions, logs are attached below. I then decided to run Rogue Killer and it found a couple of reg items. The "disable reg tools" has been removed before but keeps reinstalling. Is this part of an infection? Can you please review and advise? I think this nasty bug is outsmarting all these scanners and going undetected.

     Kaspersky log:

     Objects Scan: completed 10 hours ago (events: 18, objects: 149646, time: 00:57:36)
     10/31/13 2:31 AM Task completed
     10/31/13 2:31 AM Deleted: Trojan-Dropper.Win32.Injector.jqjj C:/Documents and Settings/Administrator/desktop/zoek.zip
     10/31/13 2:31 AM Detected: Trojan-Dropper.Win32.Injector.jqjj C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.exe
     10/31/13 2:31 AM Detected: Trojan-Dropper.Win32.Injector.jqku C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.scr
     10/31/13 2:28 AM Detected: Trojan-Dropper.Win32.Injector.jqku C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.com
     10/31/13 2:28 AM Untreated: Trojan-Dropper.Win32.Injector.jqjj C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.exe Postponed
     10/31/13 2:28 AM Detected: Trojan-Dropper.Win32.Injector.jqjj C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.exe
     10/31/13 2:28 AM Untreated: Trojan-Dropper.Win32.Injector.jqku C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.scr Postponed
     10/31/13 2:28 AM Detected: Trojan-Dropper.Win32.Injector.jqku C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.scr
     10/31/13 2:28 AM Untreated: Trojan-Dropper.Win32.Injector.jqku C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.com Postponed
     10/31/13 2:28 AM Detected: Trojan-Dropper.Win32.Injector.jqku C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.com
     10/31/13 1:36 AM Untreated: Trojan-Dropper.Win32.Injector.jqjj C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.exe Postponed
     10/31/13 1:36 AM Detected: Trojan-Dropper.Win32.Injector.jqjj C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.exe
     10/31/13 1:36 AM Untreated: Trojan-Dropper.Win32.Injector.jqku C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.scr Postponed
     10/31/13 1:36 AM Detected: Trojan-Dropper.Win32.Injector.jqku C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.scr
     10/31/13 1:36 AM Untreated: Trojan-Dropper.Win32.Injector.jqku C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.com Postponed
     10/31/13 1:36 AM Detected: Trojan-Dropper.Win32.Injector.jqku C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.com
     10/31/13 1:33 AM Task started

     Objects Scan: completed <1 minute ago (events: 2, objects: 149568, time: 00:53:43)
     10/31/13 12:55 PM Task completed
     10/31/13 12:01 PM Task started

     RogueKiller log:

     RogueKiller V8.7.6 [Oct 28 2013] by Tigzy
     mail : tigzyRK<at>gmail<dot>com
     Feedback : http://www.adlice.com/forum/
     Website : http://www.adlice.com/softwares/roguekiller/
     Blog : http://tigzyrk.blogspot.com/

     Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
     Started in : Safe mode with network support
     User : Administrator [Admin rights]
     Mode : Scan -- Date : 10/31/2013 14:44:04
     | ARK || FAK || MBR |

     ¤¤¤ Bad processes : 1 ¤¤¤
     [SUSP PATH][DLL] explorer.exe -- C:\Documents and Settings\Administrator\Desktop\zebranMalwarebytes' Anti-Malware\mbamext.dll [x] -> UNLOADED

     ¤¤¤ Registry Entries : 3 ¤¤¤
     [RUN][SUSP PATH] HKLM\[...]\RunOnce : (A0) (cmd /c "C:\Documents and Settings\RICH\desktop\mbar\mbar.exe" /rdv /s [7]) -> FOUND
     [HJ POL][PUM] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
     [HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND

     ¤¤¤ Scheduled tasks : 0 ¤¤¤

     ¤¤¤ Startup Entries : 0 ¤¤¤

     ¤¤¤ Web browsers : 0 ¤¤¤

     ¤¤¤ Particular Files / Folders: ¤¤¤

     ¤¤¤ Driver : [NOT LOADED 0x2] ¤¤¤

     ¤¤¤ External Hives: ¤¤¤

     ¤¤¤ Infection : ¤¤¤

     ¤¤¤ HOSTS File: ¤¤¤
     --> %SystemRoot%\System32\drivers\etc\hosts

     127.0.0.1 localhost

     ¤¤¤ MBR Check: ¤¤¤

     +++++ PhysicalDrive0: ( @ ) +++++
     --- User ---
     [MBR] 9c24779718baa28a177f1792c868d0f9
     [BSP] 85f5c2091b2e329b4ea8d90f28511751 : Windows XP MBR Code
     Partition table:
     0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 50225 Mo
     1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 102861360 | Size: 102399 Mo
     User = LL1 ... OK!
     User = LL2 ... OK!

     Finished : << RKreport[0]_S_10312013_144404.txt >>
     RKreport[0]_D_10312013_025508.txt;RKreport[0]_H_10312013_025530.txt;RKreport[0]_S_10292013_224029.txt
     RKreport[0]_S_10312013_025219.txt
  2. Okay, this is really weird, but that's the utility you had me run, so is this a false positive?? Does this happen usually? Also, I was not able to update it due to my wireless not connecting while running off the rescue disk.

     Objects Scan: completed <1 minute ago (events: 32, objects: 149196, time: 01:19:45)
     10/30/13 8:39 PM Task completed
     10/30/13 8:39 PM Deleted: Trojan-Dropper.Win32.Injector.jqku C:/Documents and Settings/Administrator/desktop/zoek/zoek.scr
     10/30/13 8:39 PM Detected: Trojan-Dropper.Win32.Injector.jqku C:/Documents and Settings/Administrator/desktop/zoek/zoek.scr
     10/30/13 8:39 PM Deleted: Trojan-Dropper.Win32.Injector.jqjj C:/Documents and Settings/Administrator/desktop/zoek/zoek.exe
     10/30/13 8:39 PM Detected: Trojan-Dropper.Win32.Injector.jqjj C:/Documents and Settings/Administrator/desktop/zoek/zoek.exe
     10/30/13 8:39 PM Deleted: Trojan-Dropper.Win32.Injector.jqku C:/Documents and Settings/Administrator/desktop/zoek/zoek.com
     10/30/13 8:38 PM Detected: Trojan-Dropper.Win32.Injector.jqku C:/Documents and Settings/Administrator/desktop/zoek/zoek.com
     10/30/13 8:38 PM Untreated: Trojan-Dropper.Win32.Injector.jqjj C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.exe Write not supported
     10/30/13 8:38 PM Detected: Trojan-Dropper.Win32.Injector.jqjj C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.exe
     10/30/13 8:38 PM Untreated: Trojan-Dropper.Win32.Injector.jqku C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.scr Write not supported
     10/30/13 8:38 PM Detected: Trojan-Dropper.Win32.Injector.jqku C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.scr
     10/30/13 8:38 PM Untreated: Trojan-Dropper.Win32.Injector.jqku C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.com Write not supported
     10/30/13 8:13 PM Detected: Trojan-Dropper.Win32.Injector.jqku C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.com
     10/30/13 8:13 PM Untreated: Trojan-Dropper.Win32.Injector.jqjj C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.exe Postponed
     10/30/13 8:13 PM Detected: Trojan-Dropper.Win32.Injector.jqjj C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.exe
     10/30/13 8:13 PM Untreated: Trojan-Dropper.Win32.Injector.jqku C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.scr Postponed
     10/30/13 8:13 PM Detected: Trojan-Dropper.Win32.Injector.jqku C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.scr
     10/30/13 8:13 PM Untreated: Trojan-Dropper.Win32.Injector.jqku C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.com Postponed
     10/30/13 8:13 PM Detected: Trojan-Dropper.Win32.Injector.jqku C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.com
     10/30/13 7:23 PM Untreated: Trojan-Dropper.Win32.Injector.jqku C:/Documents and Settings/Administrator/desktop/zoek/zoek.scr Postponed
     10/30/13 7:23 PM Detected: Trojan-Dropper.Win32.Injector.jqku C:/Documents and Settings/Administrator/desktop/zoek/zoek.scr
     10/30/13 7:23 PM Untreated: Trojan-Dropper.Win32.Injector.jqjj C:/Documents and Settings/Administrator/desktop/zoek/zoek.exe Postponed
     10/30/13 7:23 PM Detected: Trojan-Dropper.Win32.Injector.jqjj C:/Documents and Settings/Administrator/desktop/zoek/zoek.exe
     10/30/13 7:23 PM Untreated: Trojan-Dropper.Win32.Injector.jqku C:/Documents and Settings/Administrator/desktop/zoek/zoek.com Postponed
     10/30/13 7:23 PM Detected: Trojan-Dropper.Win32.Injector.jqku C:/Documents and Settings/Administrator/desktop/zoek/zoek.com
     10/30/13 7:22 PM Untreated: Trojan-Dropper.Win32.Injector.jqjj C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.exe Postponed
     10/30/13 7:22 PM Detected: Trojan-Dropper.Win32.Injector.jqjj C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.exe
     10/30/13 7:22 PM Untreated: Trojan-Dropper.Win32.Injector.jqku C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.scr Postponed
     10/30/13 7:22 PM Detected: Trojan-Dropper.Win32.Injector.jqku C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.scr
     10/30/13 7:22 PM Untreated: Trojan-Dropper.Win32.Injector.jqku C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.com Postponed
     10/30/13 7:22 PM Detected: Trojan-Dropper.Win32.Injector.jqku C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.com
     10/30/13 7:19 PM Task started
  3. Sounds good but I won't be able to run those steps until after work in the evening. Thanks!
  4. kevin: Here is a link to the 25 files I mentioned before, hopefully the link works: http://www.sendspace.com/file/su6uh4 Let me know what is next. Thanks!
  5. Kevin: ran a clean-boot and the same symptoms appear, only much quicker, like 1-2 mins after boot-up. I ran 2 searches, one for pf files and one for all files modified during that last start-up. Not sure if this helps but please review:

     Only 5 files total created in prefetch = verclsid.exe, svchost.exe, wmiprvse.exe, explorer.exe, & ntosboot.pf

     25 files modified during last start-up from 6:07pm to 6:10pm>
  6. kevin: Eset found no threats.. This is a well hidden critter, my friend. Where do we go from here? Thanks.
  7. SHA256: 3c267950f13cce412474c5228fc0e3d8d7f912e82464bd2ce6312a0326f84a80
     File name: verclsid.exe
     Detection ratio: 0 / 47
     Analysis date: 2013-10-28 23:39:52 UTC ( 0 minutes ago )

     Publisher: Microsoft Corporation
     Product: Microsoft® Windows® Operating System
     Original name: verclsid.exe
     Internal name: verclsid.exe
     File version: 5.1.2600.5512 (xpsp.080413-2105)
     Description: Verify Class ID

     ExifTool file metadata
     SubsystemVersion: 5.0
     InitializedDataSize: 8192
     ImageVersion: 5.1
     ProductName: Microsoft Windows Operating System
     FileVersionNumber: 5.1.2600.5512
     UninitializedDataSize: 0
     LanguageCode: English (U.S.)
     FileFlagsMask: 0x003f
     CharacterSet: Unicode
     LinkerVersion: 7.1
     OriginalFilename: verclsid.exe
     MIMEType: application/octet-stream
     Subsystem: Windows GUI
     FileVersion: 5.1.2600.5512 (xpsp.080413-2105)
     TimeStamp: 2008:04:13 19:33:58+01:00
     FileType: Win32 EXE
     PEType: PE32
     InternalName: verclsid.exe
     FileAccessDate: 2013:06:03 12:17:32+01:00
     ProductVersion: 5.1.2600.5512
     FileDescription: Verify Class ID
     OSVersion: 5.1

     Looks like our search continues..
  8. Question: can I remove/disable "verclsid.exe" without disrupting or damaging the Win OS? Thanks!
  9. Svchost still runs briefly up to 100%, followed by an obvious taskbar color change about 7 mins after boot-up. I wasn't completely sure of the name spelling since it was displayed for a quick second. Here is the SystemLook and Mbar in case you needed it:

     SystemLook 30.07.11 by jpshortstuff
     Log created at 18:09 on 28/10/2013 by Administrator
     Administrator - Elevation successful

     ========== filefind ==========

     Searching for "verclid.exe"
     No files found.

     Searching for "verclsid.exe"
     C:\WINDOWS\system32\verclsid.exe --a---- 28672 bytes [12:00 14/04/2008] [12:00 14/04/2008] 91790D6749EBED90E2C40479C0A91879

     -= EOF =-

     Malwarebytes Anti-Rootkit BETA 1.07.0.1007
     www.malwarebytes.org

     Database version: v2013.10.28.06

     Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
     Internet Explorer 8.0.6001.18702
     Administrator :: RICH-BIZ [administrator]

     10/28/2013 12:18:38 PM
     mbar-log-2013-10-28 (12-18-38).txt

     Scan type: Quick scan
     Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
     Scan options disabled:
     Objects scanned: 212817
     Time elapsed: 36 minute(s), 58 second(s)

     Memory Processes Detected: 0
     (No malicious items detected)

     Memory Modules Detected: 0
     (No malicious items detected)

     Registry Keys Detected: 0
     (No malicious items detected)

     Registry Values Detected: 0
     (No malicious items detected)

     Registry Data Items Detected: 0
     (No malicious items detected)

     Folders Detected: 0
     (No malicious items detected)

     Files Detected: 0
     (No malicious items detected)

     Physical Sectors Detected: 0
     (No malicious items detected)

     (end)
  10. kevin: Thanks for hanging in there. So I ran the Mbam rootkit scan and nothing, no infections found. The only thing I noticed today was that the changing of taskbar color coincided with this process called "verclid.exe", which I saw start up and run for a moment in task-mgr while the suspicious behavior was going on. Hopefully this is a good clue.. Are you familiar with this process at all? I will wait for your next steps. Thanks!
  11. Kevin: Thanks for your patience and expertise. I will be away from that PC for about 2 days, so I cannot run those steps right away. I will reply as soon as possible. Have a great weekend!
  12. Kevin: PC seemed to be working normally for an extended period, but then the symptoms returned: svchost.exe uses 90-100 of cpu (like some program starts up), and then the desktop flickers and the taskbar changes colors for a second, then reverts back to the original color blue. I thought we had it figured out, but this bug is hiding somewhere deep inside. Not sure if this helps, but those symptoms never occur during safe mode. A couple of minor issues have popped up:

      > no win search tool in normal, only in safe mode - might be disabled somehow?
      > new message at every boot-up for "found new hardware", some pci modem.. have no clue.

      For your reference, the infection, "bundled toolbar ask application", was found by Eset while scanning a restore point on the c: drive. The only other combofix log is here> (I hope this is the one you need)

      2013-10-23 17:27:18 . 2013-10-23 17:27:18 562 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-mbamchameleon.reg.dat
      2013-10-23 17:27:17 . 2013-10-23 17:27:17 558 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-70404671.sys.reg.dat
      2013-10-23 17:27:17 . 2013-10-23 17:27:17 558 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-47500374.sys.reg.dat
      2013-10-23 17:27:17 . 2013-10-23 17:27:17 558 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-36329121.sys.reg.dat
      2013-10-23 17:27:17 . 2013-10-23 17:27:17 558 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-36290891.sys.reg.dat
      2013-10-23 17:27:17 . 2013-10-23 17:27:17 558 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-15799350.sys.reg.dat
      2013-10-23 17:24:34 . 2013-10-23 17:24:34 12,683 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
      2013-10-23 17:19:51 . 2013-10-23 17:19:51 512 ----a-w- C:\Qoobox\Quarantine\MBR_HardDisk0.mbr
      2013-10-23 17:17:52 . 2013-10-23 17:17:52 51 ----a-w- C:\Qoobox\Quarantine\catchme.log

      # AdwCleaner v3.010 - Report created 24/10/2013 at 13:07:46
      # Updated 20/10/2013 by Xplode
      # Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
      # Username : RICH - RICH-BIZ
      # Running from : C:\Documents and Settings\RICH\desktop\AdwCleaner.exe
      # Option : Scan

      ***** [ Services ] *****

      ***** [ Files / Folders ] *****

      ***** [ Shortcuts ] *****

      ***** [ Registry ] *****

      ***** [ Browsers ] *****

      -\\ Internet Explorer v8.0.6001.18702

      -\\ Mozilla Firefox v24.0 (en-US)

      [ File : C:\Documents and Settings\RICH\Application Data\Mozilla\Firefox\Profiles\ud60wonb.default\prefs.js ]

      [ File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9ww7oghu.default-1379006515921\prefs.js ]

      *************************

      AdwCleaner[R0].txt - [1158 octets] - [17/09/2013 15:31:26]
      AdwCleaner[R10].txt - [2204 octets] - [18/10/2013 10:38:50]
      AdwCleaner[R11].txt - [2266 octets] - [18/10/2013 10:52:17]
      AdwCleaner[R12].txt - [2222 octets] - [19/10/2013 01:57:38]
      AdwCleaner[R13].txt - [2325 octets] - [19/10/2013 02:07:48]
      AdwCleaner[R14].txt - [2465 octets] - [19/10/2013 16:38:37]
      AdwCleaner[R15].txt - [2569 octets] - [19/10/2013 18:27:17]
      AdwCleaner[R16].txt - [2709 octets] - [20/10/2013 14:44:41]
      AdwCleaner[R17].txt - [1287 octets] - [24/10/2013 13:07:46]
      AdwCleaner[R1].txt - [1280 octets] - [01/10/2013 12:21:48]
      AdwCleaner[R2].txt - [1289 octets] - [03/10/2013 00:38:28]
      AdwCleaner[R3].txt - [1485 octets] - [03/10/2013 18:52:17]
      AdwCleaner[R4].txt - [1605 octets] - [04/10/2013 03:29:09]
      AdwCleaner[R5].txt - [1725 octets] - [04/10/2013 13:25:15]
      AdwCleaner[R6].txt - [1845 octets] - [16/10/2013 09:57:10]
      AdwCleaner[R7].txt - [1798 octets] - [17/10/2013 10:58:17]
      AdwCleaner[R8].txt - [1918 octets] - [17/10/2013 14:01:17]
      AdwCleaner[R9].txt - [2020 octets] - [17/10/2013 19:32:47]
      AdwCleaner[S0].txt - [1221 octets] - [17/09/2013 15:35:36]
      AdwCleaner[S10].txt - [2387 octets] - [19/10/2013 02:09:23]
      AdwCleaner[S11].txt - [2527 octets] - [19/10/2013 16:40:10]
      AdwCleaner[S12].txt - [2631 octets] - [19/10/2013 18:28:19]
      AdwCleaner[S13].txt - [2771 octets] - [20/10/2013 14:45:29]
      AdwCleaner[S1].txt - [1343 octets] - [01/10/2013 12:24:23]
      AdwCleaner[S2].txt - [1352 octets] - [03/10/2013 00:40:59]
      AdwCleaner[S3].txt - [1546 octets] - [03/10/2013 18:54:12]
      AdwCleaner[S4].txt - [1666 octets] - [04/10/2013 03:30:42]
      AdwCleaner[S5].txt - [1786 octets] - [04/10/2013 13:26:27]
      AdwCleaner[S6].txt - [1906 octets] - [16/10/2013 09:58:47]
      AdwCleaner[S7].txt - [1859 octets] - [17/10/2013 10:59:07]
      AdwCleaner[S8].txt - [1979 octets] - [17/10/2013 14:02:24]
      AdwCleaner[S9].txt - [2282 octets] - [19/10/2013 02:05:00]

      ########## EOF - C:\AdwCleaner\AdwCleaner[R17].txt - [2732 octets] ##########

      Results of screen317's Security Check version 0.99.73
      Windows XP Service Pack 3 x86
      Internet Explorer 8
      ``````````````Antivirus/Firewall Check:``````````````
      Windows Firewall Enabled!
      ESET Online Scanner v3
      Microsoft Security Essentials
      `````````Anti-malware/Other Utilities Check:`````````
      Malwarebytes Anti-Malware version 1.75.0.1300
      Mozilla Firefox (24.0)
      ````````Process Check: objlist.exe by Laurent````````
      Microsoft Security Essentials MSMpEng.exe
      Microsoft Security Essentials msseces.exe
      `````````````````System Health check`````````````````
      Total Fragmentation on Drive C:: 21% Defragment your hard drive soon! (Do NOT defrag if SSD!)
      ````````````````````End of Log``````````````````````
  13. Results for rc-installer.exe = looks clean. (That was a utility offered by the local ISP provider.)

      VirusTotal
      SHA256: 030d6fbd4ca5ac91f6aaf1200d157dac62f6d3366f3099ddff7625b54e58ce70
      SHA1: 3e522228cfab5421e102d963a6bd0a2a549d5cd1
      MD5: 294f1e0acdfe62add927dcb074507b40
      File size: 1.2 MB ( 1207928 bytes )
      File name: rc-installer.exe
      File type: Win32 EXE
      Detection ratio: 0 / 47
      Analysis date: 2013-10-24 04:44:46 UTC ( 0 minutes ago )

      The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.

      PE signature block
      Publisher: Alcatel-Lucent USA
      Signature verification: Signed file, verified signature
      Signing date: 5:44 AM 10/24/2013
      Signers: [+] Alcatel-Lucent USA [+] VeriSign Class 3 Code Signing 2010 CA [+] VeriSign

      ExifTool file metadata
      MIMEType: application/octet-stream
      Subsystem: Windows GUI
      MachineType: Intel 386 or later, and compatibles
      TimeStamp: 2009:12:05 23:50:41+01:00
      FileType: Win32 EXE
      PEType: PE32
      CodeSize: 23040
      LinkerVersion: 6.0
      FileAccessDate: 2013:10:24 05:43:59+01:00
      EntryPoint: 0x30cb
      InitializedDataSize: 119808
      SubsystemVersion: 4.0
      ImageVersion: 6.0
      OSVersion: 4.0
      FileCreateDate: 2013:10:24 05:43:59+01:00
      UninitializedDataSize: 1024
  14. Kevin: Things are looking good and I feel like great progress has been made. I was able to do all steps thru normal start-up mode. After the first re-boot the PC stalled and displayed "windows cannot find CF2841.3exe." I cancelled that and it booted fine. 2 minutes later it gave me the old symptom of changing taskbar colors, so I rebooted and was able to run the Eset scan, where it found an old infection, "win32bundled ask toolbar". That scan ran uninterrupted, amazingly, no taskbar color changes!! PC is working much, much better. I'm anxious to hear your review of the log. Also interested to know what exactly I've been fighting against for the last month & 1/2? Curious to know the name of whatever it was. Thanks!!

      ComboFix 13-10-23.02 - RICH 10/23/2013 17:56:13.4.1 - x86
      Running from: C:\Documents and Settings\Administrator\desktop\ComboFix.exe
      Command switches used :: C:\Documents and Settings\RICH\Desktop\CFScript.txt
      FILE ::
      "c:\windows\system32\drivers\yomjo.sys"

      I'm very sorry, I missed a step. I did not check "export to text file", but I can tell you the infection found by Eset was one I've seen before. It is "Win32/Bundled.Toolbar.Ask D application". However, I did check it for removal.
  15. kevin: here is the combo log. I ran it in safe mode, I hope that works okay..? If we need to re-run it in regular mode just let me know. Question: can you tell me if the Zoek scan found anything or made any major changes? Thanks!

      ComboFix 13-10-23.02 - Administrator 10/23/2013 13:19:52.3.1 - x86 NETWORK
      Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.639.521 [GMT -4:00]
      Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
      Command switches used :: c:\documents and settings\Administrator\Desktop\zebranMalwarebytes' Anti-Malware\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
      AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
      .
      .
      ((((((((((((((((((((((((( Files Created from 2013-09-23 to 2013-10-23 )))))))))))))))))))))))))))))))
      .
      .
      2013-10-16 20:41 . 2013-06-10 01:59 216064 ----a-w- c:\windows\system32\gcapi_dll.dll
      2013-10-04 04:13 . 2013-10-22 00:04 47064 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
      2013-10-01 23:32 . 2013-10-01 23:31 1207928 ----a-w- c:\program files\rc-installer.exe
      2013-10-01 06:49 . 2013-10-01 06:49 -------- d-----w- c:\program files\Microsoft Security Client
      .
      .
      .
      (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2013-09-19 07:54 . 2013-09-19 07:40 181064 ----a-w- c:\windows\PSEXESVC.EXE
      2013-09-17 15:26 . 2013-09-17 15:26 325960 ----a-w- c:\program files\lua5.1.dll
      2013-09-04 03:02 . 2013-07-19 00:22 1966080 ----a-w- c:\program files\Repair_Windows.exe
      2013-04-19 22:40 . 2013-04-19 22:40 11091432 ----a-w- c:\program files\MSEInstall.exe
      2013-03-25 03:24 . 2013-03-25 03:24 2483904 ----a-w- c:\program files\Procmon.exe
      2011-03-08 17:54 . 2013-07-19 00:22 229376 ----a-w- c:\program files\pcwintech_tabs.ocx
      2009-03-24 19:52 . 2013-07-19 00:22 1069376 ----a-w- c:\program files\MSCOMCTL.OCX
      2009-03-24 19:52 . 2013-07-19 00:22 136008 ----a-w- c:\program files\msinet.ocx
      .
      .
      ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
      "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
      "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
      "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
      "SiSPower"="SiSPower.dll" [2005-04-12 49152]
      "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]
      "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-10 1313640]
      "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]
      .
      [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
      "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
      .
      c:\documents and settings\All Users\Start Menu\Programs\Startup\
      Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE -b -l [2001-2-13 83360]
      .
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
      @=""
      .
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
      @=""
      .
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
      @="Service"
      .
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
      @="Driver"
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
      "AlcxMonitor"=ALCXMNTR.EXE
      .
      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
      "c:\\WINDOWS\\system32\\sessmgr.exe"=
      "%windir%\\system32\\sessmgr.exe"=
      .
      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
      "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
      .
      S0 qcihrtv;qcihrtv;c:\windows\system32\drivers\yomjo.sys --> c:\windows\system32\drivers\yomjo.sys [?]
      S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\drivers\dc3d.sys [5/15/2013 1:14 PM 45288]
      S3 hitmanpro37;HitmanPro 3.7 Support Driver;c:\windows\system32\drivers\hitmanpro37.sys [10/19/2013 3:33 AM 30976]
      S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [10/4/2013 12:13 AM 47064]
      S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [10/19/2013 2:54 AM 105176]
      S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [5/9/2013 10:12 PM 594048]
      .
      Contents of the 'Scheduled Tasks' folder
      .
      2013-10-03 c:\windows\Tasks\GlaryInitialize.job
      - c:\program files\Glary Utilities\initialize.exe [2013-04-16 01:09]
      .
      2013-10-23 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
      - c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-01-27 15:11]
      .
      .
      ------- Supplementary Scan -------
      .
      Trusted Zone: $talisma_url$
      FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9ww7oghu.default-1379006515921\
      FF - prefs.js: browser.startup.homepage - hxxps://accounts.google.com/ServiceLogin?service=mail&passive=true&continue=http://mail.google.com/mail/x/ogb/gp/?tab%3Dwm&scc=1&ltmpl=ecobh&nui=5&btmpl=mobile&emr=1
      FF - ExtSQL: 2013-09-19 16:03; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9ww7oghu.default-1379006515921\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
      .
      - - - - ORPHANS REMOVED - - - -
      .
      SafeBoot-15799350.sys
      SafeBoot-36290891.sys
      SafeBoot-36329121.sys
      SafeBoot-47500374.sys
      SafeBoot-70404671.sys
      SafeBoot-mbamchameleon
      .
      .
      .
      **************************************************************************
      .
      catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2013-10-23 13:26
      Windows 5.1.2600 Service Pack 3 NTFS
      .
      scanning hidden processes ...
      .
      scanning hidden autostart entries ...
      .
      scanning hidden files ...
      .
      scan completed successfully
      hidden files: 0
      .
      **************************************************************************
      .
      --------------------- LOCKED REGISTRY KEYS ---------------------
      .
      [HKEY_USERS\S-1-5-21-1614895754-1637723038-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
      @Denied: (2) (Administrator)
      @SACL=(02 0000)
      "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
         d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9b,0a,91,87,b9,73,4a,42,8a,7f,56,\
      "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
         d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9b,0a,91,87,b9,73,4a,42,8a,7f,56,\
      "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
         d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9b,0a,91,87,b9,73,4a,42,8a,7f,56,\
      .
      --------------------- DLLs Loaded Under Running Processes ---------------------
      .
      - - - - - - - > 'explorer.exe'(172)
      c:\windows\system32\WININET.dll
      .
      Completion time: 2013-10-23 13:28:17
      ComboFix-quarantined-files.txt 2013-10-23 17:28
      .
      Pre-Run: 95,591,141,376 bytes free
      Post-Run: 95,584,747,520 bytes free
      .
      - - End Of File - - 5550C8463BF20716BBCF3090353D8200 8F558EB6672622401DA993E1E865C861
  16. Kevin, see attached sample file (I hope I did this right). I will have to run combo later, a little busy at work right now. Thx! sample_20131022_0908.zip
  17. Thank you very much for your time and trying to help me. I am not aware of any p2p software running on my p/c. also, a couple of scanners have been renamed such as "iexplore3.exe" etc, during previous attempts to remove the virus. I had to run this in safe mode as the machine was super slow in regular mode. I hope that was okay. Thanks Again! Zoek.exe Version 4.0.0.5 Updated 22-October-2013 Tool run by Administrator on Tue 10/22/2013 at 20:59:37.75. Microsoft Windows XP 5.1.2600 Service Pack 3 x86 WMI=failure Running in: Safe Mode NETWORK No Internet Access Detected Launched: C:\Documents and Settings\Administrator\Desktop\zoek\zoek.com [script inserted] ==== System Restore Info ====================== Failed to create System Restore Point. ==== Suspicious Entries Found ====================== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List] "139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004" "445:TCP"="445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005" "137:UDP"="137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001" "138:UDP"="138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002" "3389:TCP"="3389:TCP:*:Disabled:@xpsp2res.dll,-22009" "1900:UDP"="1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007" "2869:TCP"="2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008" ==== Creating Sample_20131022_0908.zip ====================== Copied folder C:\Documents and Settings\All Users\Application Data\AVAST Software to sample\AVAST Software C:\Documents and Settings\All Users\Desktop\sample_20131022_0908.zip created successfully ==== Deleting CLSID Registry Keys ====================== ==== Deleting CLSID Registry Values ====================== ==== Running Processes ====================== C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\svchost.exe 
  18. Really not sure what this is. Various infections were found and cleaned, but the strange behavior continues. So far, Open Candy, a Java exploit and an Ibryte PUP have been removed, but the PC still acts like it's hijacked. Svchost is using 90-100% of CPU, and the desktop screen flashes, changes color, and the task bar splits in two. MBAM, TDSSKiller, and AdwCleaner are a few of the many scans already run. Your help is kindly appreciated! Thanks! (WinXP, 32-bit, HP desktop with DSL wireless)