hiesenberg

Posts posted by hiesenberg

  1. Kevin: machine continues with the same symptoms, no changes. I re-ran Kaspersky twice after I got it to update definitions,
    logs are attached below.
    I then decided to run Rogue Killer and it found a couple of reg items. The "disable reg tools" has been removed
    before but keeps reinstalling. Is this part of an infection? Can you please review and advise? I think this nasty bug
    is outsmarting all these scanners and going undetected.

    Kaspersky-Log> Objects Scan: completed 10 hours ago   (events: 18, objects: 149646, time: 00:57:36)    
    10/31/13 2:31 AM    Task completed            
    10/31/13 2:31 AM    Deleted: Trojan-Dropper.Win32.Injector.jqjj    C:/Documents and Settings/Administrator/desktop/zoek.zip        
    10/31/13 2:31 AM    Detected: Trojan-Dropper.Win32.Injector.jqjj    C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.exe        
    10/31/13 2:31 AM    Detected: Trojan-Dropper.Win32.Injector.jqku    C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.scr        
    10/31/13 2:28 AM    Detected: Trojan-Dropper.Win32.Injector.jqku    C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.com        
    10/31/13 2:28 AM    Untreated: Trojan-Dropper.Win32.Injector.jqjj    C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.exe    Postponed    
    10/31/13 2:28 AM    Detected: Trojan-Dropper.Win32.Injector.jqjj    C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.exe        
    10/31/13 2:28 AM    Untreated: Trojan-Dropper.Win32.Injector.jqku    C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.scr    Postponed    
    10/31/13 2:28 AM    Detected: Trojan-Dropper.Win32.Injector.jqku    C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.scr        
    10/31/13 2:28 AM    Untreated: Trojan-Dropper.Win32.Injector.jqku    C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.com    Postponed    
    10/31/13 2:28 AM    Detected: Trojan-Dropper.Win32.Injector.jqku    C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.com        
    10/31/13 1:36 AM    Untreated: Trojan-Dropper.Win32.Injector.jqjj    C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.exe    Postponed    
    10/31/13 1:36 AM    Detected: Trojan-Dropper.Win32.Injector.jqjj    C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.exe        
    10/31/13 1:36 AM    Untreated: Trojan-Dropper.Win32.Injector.jqku    C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.scr    Postponed    
    10/31/13 1:36 AM    Detected: Trojan-Dropper.Win32.Injector.jqku    C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.scr        
    10/31/13 1:36 AM    Untreated: Trojan-Dropper.Win32.Injector.jqku    C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.com    Postponed    
    10/31/13 1:36 AM    Detected: Trojan-Dropper.Win32.Injector.jqku    C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.com        
    10/31/13 1:33 AM    Task started            
    Objects Scan: completed <1 minute ago   (events: 2, objects: 149568, time: 00:53:43)    
    10/31/13 12:55 PM    Task completed            
    10/31/13 12:01 PM    Task started    

    RogueKiller V8.7.6 [Oct 28 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.adlice.com/forum/
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Safe mode with network support
    User : Administrator [Admin rights]
    Mode : Scan -- Date : 10/31/2013 14:44:04
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 1 ¤¤¤
    [sUSP PATH][DLL] explorer.exe -- C:\Documents and Settings\Administrator\Desktop\zebranMalwarebytes' Anti-Malware\mbamext.dll [x] -> UNLOADED

    ¤¤¤ Registry Entries : 3 ¤¤¤
    [RUN][sUSP PATH] HKLM\[...]\RunOnce :  (A0) (cmd /c "C:\Documents and Settings\RICH\desktop\mbar\mbar.exe" /rdv /s [7]) -> FOUND
    [HJ POL][PUM] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
    [HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND

    ¤¤¤ Scheduled tasks : 0 ¤¤¤

    ¤¤¤ Startup Entries : 0 ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED 0x2] ¤¤¤

    ¤¤¤ External Hives: ¤¤¤

    ¤¤¤ Infection :  ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> %SystemRoot%\System32\drivers\etc\hosts


    127.0.0.1    localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: ( @ )  +++++
    --- User ---
    [MBR] 9c24779718baa28a177f1792c868d0f9
    [bSP] 85f5c2091b2e329b4ea8d90f28511751 : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 50225 Mo
    1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 102861360 | Size: 102399 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[0]_S_10312013_144404.txt >>
    RKreport[0]_D_10312013_025508.txt;RKreport[0]_H_10312013_025530.txt;RKreport[0]_S_10292013_224029.txt
    RKreport[0]_S_10312013_025219.txt


     

  2. Okay, this is really weird, but that's the utility you had me run, so is this a false positive?? Does this happen usually? Also, I was not able to update it due to my wireless not connecting while running off the rescue disk.

     

    Objects Scan: completed <1 minute ago   (events: 32, objects: 149196, time: 01:19:45)    
    10/30/13 8:39 PM    Task completed            
    10/30/13 8:39 PM    Deleted: Trojan-Dropper.Win32.Injector.jqku    C:/Documents and Settings/Administrator/desktop/zoek/zoek.scr        
    10/30/13 8:39 PM    Detected: Trojan-Dropper.Win32.Injector.jqku    C:/Documents and Settings/Administrator/desktop/zoek/zoek.scr        
    10/30/13 8:39 PM    Deleted: Trojan-Dropper.Win32.Injector.jqjj    C:/Documents and Settings/Administrator/desktop/zoek/zoek.exe        
    10/30/13 8:39 PM    Detected: Trojan-Dropper.Win32.Injector.jqjj    C:/Documents and Settings/Administrator/desktop/zoek/zoek.exe        
    10/30/13 8:39 PM    Deleted: Trojan-Dropper.Win32.Injector.jqku    C:/Documents and Settings/Administrator/desktop/zoek/zoek.com        
    10/30/13 8:38 PM    Detected: Trojan-Dropper.Win32.Injector.jqku    C:/Documents and Settings/Administrator/desktop/zoek/zoek.com        
    10/30/13 8:38 PM    Untreated: Trojan-Dropper.Win32.Injector.jqjj    C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.exe    Write not supported    
    10/30/13 8:38 PM    Detected: Trojan-Dropper.Win32.Injector.jqjj    C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.exe        
    10/30/13 8:38 PM    Untreated: Trojan-Dropper.Win32.Injector.jqku    C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.scr    Write not supported    
    10/30/13 8:38 PM    Detected: Trojan-Dropper.Win32.Injector.jqku    C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.scr        
    10/30/13 8:38 PM    Untreated: Trojan-Dropper.Win32.Injector.jqku    C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.com    Write not supported    
    10/30/13 8:13 PM    Detected: Trojan-Dropper.Win32.Injector.jqku    C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.com        
    10/30/13 8:13 PM    Untreated: Trojan-Dropper.Win32.Injector.jqjj    C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.exe    Postponed    
    10/30/13 8:13 PM    Detected: Trojan-Dropper.Win32.Injector.jqjj    C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.exe        
    10/30/13 8:13 PM    Untreated: Trojan-Dropper.Win32.Injector.jqku    C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.scr    Postponed    
    10/30/13 8:13 PM    Detected: Trojan-Dropper.Win32.Injector.jqku    C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.scr        
    10/30/13 8:13 PM    Untreated: Trojan-Dropper.Win32.Injector.jqku    C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.com    Postponed    
    10/30/13 8:13 PM    Detected: Trojan-Dropper.Win32.Injector.jqku    C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.com        
    10/30/13 7:23 PM    Untreated: Trojan-Dropper.Win32.Injector.jqku    C:/Documents and Settings/Administrator/desktop/zoek/zoek.scr    Postponed    
    10/30/13 7:23 PM    Detected: Trojan-Dropper.Win32.Injector.jqku    C:/Documents and Settings/Administrator/desktop/zoek/zoek.scr        
    10/30/13 7:23 PM    Untreated: Trojan-Dropper.Win32.Injector.jqjj    C:/Documents and Settings/Administrator/desktop/zoek/zoek.exe    Postponed    
    10/30/13 7:23 PM    Detected: Trojan-Dropper.Win32.Injector.jqjj    C:/Documents and Settings/Administrator/desktop/zoek/zoek.exe        
    10/30/13 7:23 PM    Untreated: Trojan-Dropper.Win32.Injector.jqku    C:/Documents and Settings/Administrator/desktop/zoek/zoek.com    Postponed    
    10/30/13 7:23 PM    Detected: Trojan-Dropper.Win32.Injector.jqku    C:/Documents and Settings/Administrator/desktop/zoek/zoek.com        
    10/30/13 7:22 PM    Untreated: Trojan-Dropper.Win32.Injector.jqjj    C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.exe    Postponed    
    10/30/13 7:22 PM    Detected: Trojan-Dropper.Win32.Injector.jqjj    C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.exe        
    10/30/13 7:22 PM    Untreated: Trojan-Dropper.Win32.Injector.jqku    C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.scr    Postponed    
    10/30/13 7:22 PM    Detected: Trojan-Dropper.Win32.Injector.jqku    C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.scr        
    10/30/13 7:22 PM    Untreated: Trojan-Dropper.Win32.Injector.jqku    C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.com    Postponed    
    10/30/13 7:22 PM    Detected: Trojan-Dropper.Win32.Injector.jqku    C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.com        
    10/30/13 7:19 PM    Task started            
     
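The two Kaspersky reports above (posts 1 and 2) list each object several times, as "Detected", "Untreated ... Postponed" and finally "Deleted", which is what makes them hard to read at a glance. As an added example, not from the thread and not Kaspersky's own tooling, this Python script parses lines in that shape and reduces them to one final outcome per object; it assumes newest-first ordering and tab or multi-space field separators, and its sample lines are constructed to mirror the poster's report.

```python
"""Reconcile Kaspersky 'Objects Scan' event lines into one outcome per object.

Added example (not from the thread, not Kaspersky's own tooling). It assumes
the pasted report lists newest events first and separates fields with tabs
or runs of two or more spaces, which is how the poster's paste is shaped.
"""
import re
from datetime import datetime

# Constructed sample modelled on the poster's second report: the copy of
# zoek.scr inside the .zip can only be detected, the extracted one is deleted.
SAMPLE_LOG = """\
Objects Scan: completed <1 minute ago   (events: 8, objects: 149196, time: 01:19:45)
10/30/13 8:39 PM    Task completed
10/30/13 8:39 PM    Deleted: Trojan-Dropper.Win32.Injector.jqku    C:/Documents and Settings/Administrator/desktop/zoek/zoek.scr
10/30/13 8:39 PM    Detected: Trojan-Dropper.Win32.Injector.jqku    C:/Documents and Settings/Administrator/desktop/zoek/zoek.scr
10/30/13 8:38 PM    Untreated: Trojan-Dropper.Win32.Injector.jqku    C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.scr    Write not supported
10/30/13 8:38 PM    Detected: Trojan-Dropper.Win32.Injector.jqku    C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.scr
10/30/13 8:13 PM    Untreated: Trojan-Dropper.Win32.Injector.jqku    C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.scr    Postponed
10/30/13 8:13 PM    Detected: Trojan-Dropper.Win32.Injector.jqku    C:/Documents and Settings/Administrator/desktop/zoek.zip/zoek.scr
10/30/13 7:23 PM    Untreated: Trojan-Dropper.Win32.Injector.jqku    C:/Documents and Settings/Administrator/desktop/zoek/zoek.scr    Postponed
10/30/13 7:23 PM    Detected: Trojan-Dropper.Win32.Injector.jqku    C:/Documents and Settings/Administrator/desktop/zoek/zoek.scr
10/30/13 7:19 PM    Task started
"""

EVENT_RE = re.compile(r"^(Detected|Untreated|Deleted|Disinfected|Quarantined): (\S+)$")
REMOVED = {"Deleted", "Disinfected", "Quarantined"}


def parse_events(text):
    """Return per-object events as dicts, oldest first."""
    events = []
    for raw in text.splitlines():
        parts = re.split(r"\t|\s{2,}", raw.strip())
        if len(parts) < 3:
            continue  # header, blank, or 'Task started/completed' lines
        m = EVENT_RE.match(parts[1])
        if not m:
            continue
        try:
            when = datetime.strptime(parts[0], "%m/%d/%y %I:%M %p")
        except ValueError:
            continue
        events.append({"when": when, "event": m.group(1), "verdict": m.group(2),
                       "path": parts[2], "reason": parts[3] if len(parts) > 3 else ""})
    # Newest-first in the paste; reverse, then stable-sort so events sharing a
    # minute keep their true order (Detected before Deleted).
    events.reverse()
    events.sort(key=lambda e: e["when"])
    return events


def summarize(text):
    """Map each object path to the last action Kaspersky recorded for it."""
    summary = {}
    for e in parse_events(text):
        entry = summary.setdefault(e["path"], {"verdict": e["verdict"], "detections": 0, "status": ""})
        if e["event"] == "Detected":
            entry["detections"] += 1
            entry["status"] = "detected, no action recorded yet"
        elif e["event"] in REMOVED:
            entry["status"] = "removed (%s)" % e["event"]
        else:  # Untreated: the reason column says why (Postponed, Write not supported, ...)
            entry["status"] = "untreated (%s)" % (e["reason"] or "no reason given")
    return summary


def still_present(summary):
    """Paths whose final status is not a removal: these still need attention."""
    return sorted(p for p, v in summary.items() if not v["status"].startswith("removed"))


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for path, v in sorted(result.items()):
        print("%-70s %s x%d -> %s" % (path, v["verdict"], v["detections"], v["status"]))
    print("Still present:", still_present(result))
```

Run against the full paste, the "Still present" list is the set of objects the scanner reported but never actually removed, which is the question post 1 is asking.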

  3. Kevin:

    Ran a clean-boot and the same symptoms appear, only much quicker, like 1-2 mins after boot-up. I ran 2 searches, one for pf files and one for all files modified during that last start-up. Not sure if this helps but please review:

    only 5 files total created in prefetch = verclsid.exe, svchost.exe, wmiprvse.exe, explorer.exe, & ntosboot.pf

    25 files modified during last start-up from 6:07pm to 6:10pm>

  4. SHA256: 3c267950f13cce412474c5228fc0e3d8d7f912e82464bd2ce6312a0326f84a80 File name: verclsid.exe Detection ratio: 0 / 47 Analysis date: 2013-10-28 23:39:52 UTC ( 0 minutes ago )

     

    Publisher Microsoft Corporation
    Product Microsoft® Windows® Operating System
    Original name verclsid.exe
    Internal name verclsid.exe
    File version 5.1.2600.5512 (xpsp.080413-2105)
    Description Verify Class ID
    ExifTool file metadata
    SubsystemVersion
    5.0
    InitializedDataSize
    8192
    ImageVersion
    5.1
    ProductName
    Microsoft Windows Operating System
    FileVersionNumber
    5.1.2600.5512
    UninitializedDataSize
    0
    LanguageCode
    English (U.S.)
    FileFlagsMask
    0x003f
    CharacterSet
    Unicode
    LinkerVersion
    7.1
    OriginalFilename
    verclsid.exe
    MIMEType
    application/octet-stream
    Subsystem
    Windows GUI
    FileVersion
    5.1.2600.5512 (xpsp.080413-2105)
    TimeStamp
    2008:04:13 19:33:58+01:00
    FileType
    Win32 EXE
    PEType
    PE32
    InternalName
    verclsid.exe
    FileAccessDate
    2013:06:03 12:17:32+01:00
    ProductVersion
    5.1.2600.5512
    FileDescription
    Verify Class ID
    OSVersion
    5.1
    Looks like our search continues..
  5. Svchost still runs briefly up to 100%, followed by an obvious taskbar color change about 7 mins after boot-up.

    I wasn't completely sure of the name spelling since it was displayed for a quick second. Here is the SystemLook and Mbar log in case you needed it:

    SystemLook 30.07.11 by jpshortstuff
    Log created at 18:09 on 28/10/2013 by Administrator
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "verclid.exe"
    No files found.

    Searching for "verclsid.exe"
    C:\WINDOWS\system32\verclsid.exe    --a---- 28672 bytes    [12:00 14/04/2008]    [12:00 14/04/2008] 91790D6749EBED90E2C40479C0A91879

    -= EOF =-

    Malwarebytes Anti-Rootkit BETA 1.07.0.1007
    www.malwarebytes.org

    Database version: v2013.10.28.06

    Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
    Internet Explorer 8.0.6001.18702
    Administrator :: RICH-BIZ [administrator]

    10/28/2013 12:18:38 PM
    mbar-log-2013-10-28 (12-18-38).txt

    Scan type: Quick scan
    Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
    Scan options disabled:
    Objects scanned: 212817
    Time elapsed: 36 minute(s), 58 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    Physical Sectors Detected: 0
    (No malicious items detected)

    (end)
     

  6. kevin:

    Thanks for hanging in there. So I ran the Mbam rootkit scan and nothing, no infections found. The only thing I noticed today was that the changing of taskbar color coincided with this process called "verclid.exe", which I saw start up and run for a moment in task-mgr while the suspicious behavior was going on. Hopefully this is a good clue.. Are you familiar with this process at all? I will wait for your next steps. Thanks!

  7. Kevin:
    PC seemed to be working normal for an extended period but then the symptoms returned: svchost.exe
    uses 90-100 of CPU (like some program starts up), and then the desktop flickers and the taskbar changes
    colors for a second, then reverts back to the original color blue.

    I thought we had it figured out but this bug is hiding somewhere
    deep inside. Not sure if this helps, but those symptoms never occur during safe mode.

     A couple of minor issues have popped up:
    > no win search tool in normal, only in safe mode - might be disabled somehow?
    > new message at every boot-up for "found new hardware", some PCI modem.. have no clue.
    For your reference, the infection, "bundled toolbar ask application", was found by Eset
    while scanning a restore point on the C: drive.
    The only other ComboFix log is here>  (I hope this is the one you need)

    2013-10-23 17:27:18 . 2013-10-23 17:27:18              562 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\SafeBoot-mbamchameleon.reg.dat
    2013-10-23 17:27:17 . 2013-10-23 17:27:17              558 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\SafeBoot-70404671.sys.reg.dat
    2013-10-23 17:27:17 . 2013-10-23 17:27:17              558 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\SafeBoot-47500374.sys.reg.dat
    2013-10-23 17:27:17 . 2013-10-23 17:27:17              558 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\SafeBoot-36329121.sys.reg.dat
    2013-10-23 17:27:17 . 2013-10-23 17:27:17              558 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\SafeBoot-36290891.sys.reg.dat
    2013-10-23 17:27:17 . 2013-10-23 17:27:17              558 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\SafeBoot-15799350.sys.reg.dat
    2013-10-23 17:24:34 . 2013-10-23 17:24:34           12,683 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
    2013-10-23 17:19:51 . 2013-10-23 17:19:51              512 ----a-w-  C:\Qoobox\Quarantine\MBR_HardDisk0.mbr
    2013-10-23 17:17:52 . 2013-10-23 17:17:52               51 ----a-w-  C:\Qoobox\Quarantine\catchme.log

    # AdwCleaner v3.010 - Report created 24/10/2013 at 13:07:46
    # Updated 20/10/2013 by Xplode
    # Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
    # Username : RICH - RICH-BIZ
    # Running from : C:\Documents and Settings\RICH\desktop\AdwCleaner.exe
    # Option : Scan

    ***** [ Services ] *****


    ***** [ Files / Folders ] *****


    ***** [ Shortcuts ] *****


    ***** [ Registry ] *****


    ***** [ Browsers ] *****

    -\\ Internet Explorer v8.0.6001.18702


    -\\ Mozilla Firefox v24.0 (en-US)

    [ File : C:\Documents and Settings\RICH\Application Data\Mozilla\Firefox\Profiles\ud60wonb.default\prefs.js ]


    [ File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9ww7oghu.default-1379006515921\prefs.js ]


    *************************

    AdwCleaner[R0].txt - [1158 octets] - [17/09/2013 15:31:26]
    AdwCleaner[R10].txt - [2204 octets] - [18/10/2013 10:38:50]
    AdwCleaner[R11].txt - [2266 octets] - [18/10/2013 10:52:17]
    AdwCleaner[R12].txt - [2222 octets] - [19/10/2013 01:57:38]
    AdwCleaner[R13].txt - [2325 octets] - [19/10/2013 02:07:48]
    AdwCleaner[R14].txt - [2465 octets] - [19/10/2013 16:38:37]
    AdwCleaner[R15].txt - [2569 octets] - [19/10/2013 18:27:17]
    AdwCleaner[R16].txt - [2709 octets] - [20/10/2013 14:44:41]
    AdwCleaner[R17].txt - [1287 octets] - [24/10/2013 13:07:46]
    AdwCleaner[R1].txt - [1280 octets] - [01/10/2013 12:21:48]
    AdwCleaner[R2].txt - [1289 octets] - [03/10/2013 00:38:28]
    AdwCleaner[R3].txt - [1485 octets] - [03/10/2013 18:52:17]
    AdwCleaner[R4].txt - [1605 octets] - [04/10/2013 03:29:09]
    AdwCleaner[R5].txt - [1725 octets] - [04/10/2013 13:25:15]
    AdwCleaner[R6].txt - [1845 octets] - [16/10/2013 09:57:10]
    AdwCleaner[R7].txt - [1798 octets] - [17/10/2013 10:58:17]
    AdwCleaner[R8].txt - [1918 octets] - [17/10/2013 14:01:17]
    AdwCleaner[R9].txt - [2020 octets] - [17/10/2013 19:32:47]
    AdwCleaner[s0].txt - [1221 octets] - [17/09/2013 15:35:36]
    AdwCleaner[s10].txt - [2387 octets] - [19/10/2013 02:09:23]
    AdwCleaner[s11].txt - [2527 octets] - [19/10/2013 16:40:10]
    AdwCleaner[s12].txt - [2631 octets] - [19/10/2013 18:28:19]
    AdwCleaner[s13].txt - [2771 octets] - [20/10/2013 14:45:29]
    AdwCleaner[s1].txt - [1343 octets] - [01/10/2013 12:24:23]
    AdwCleaner[s2].txt - [1352 octets] - [03/10/2013 00:40:59]
    AdwCleaner[s3].txt - [1546 octets] - [03/10/2013 18:54:12]
    AdwCleaner[s4].txt - [1666 octets] - [04/10/2013 03:30:42]
    AdwCleaner[s5].txt - [1786 octets] - [04/10/2013 13:26:27]
    AdwCleaner[s6].txt - [1906 octets] - [16/10/2013 09:58:47]
    AdwCleaner[s7].txt - [1859 octets] - [17/10/2013 10:59:07]
    AdwCleaner[s8].txt - [1979 octets] - [17/10/2013 14:02:24]
    AdwCleaner[s9].txt - [2282 octets] - [19/10/2013 02:05:00]

    ########## EOF - C:\AdwCleaner\AdwCleaner[R17].txt - [2732 octets] ##########

    Results of screen317's Security Check version 0.99.73  
     Windows XP Service Pack 3 x86   
     Internet Explorer 8  
    ``````````````Antivirus/Firewall Check:``````````````
     Windows Firewall Enabled!  
     ESET Online Scanner v3   
     Microsoft Security Essentials    
    `````````Anti-malware/Other Utilities Check:`````````
     Malwarebytes Anti-Malware version 1.75.0.1300  
     Mozilla Firefox (24.0)
    ````````Process Check: objlist.exe by Laurent````````  
     Microsoft Security Essentials MSMpEng.exe
     Microsoft Security Essentials msseces.exe
    `````````````````System Health check`````````````````
     Total Fragmentation on Drive C:: 21% Defragment your hard drive soon! (Do NOT defrag if SSD!)
    ````````````````````End of Log``````````````````````

  8. Results for rc-installer.exe = looks clean. (that was a utility offered by the local isp provider)

    VirusTotal
    SHA256:     030d6fbd4ca5ac91f6aaf1200d157dac62f6d3366f3099ddff7625b54e58ce70
    SHA1:     3e522228cfab5421e102d963a6bd0a2a549d5cd1
    MD5:     294f1e0acdfe62add927dcb074507b40
    File size:     1.2 MB ( 1207928 bytes )
    File name:     rc-installer.exe
    File type:     Win32 EXE
    Detection ratio:     0 / 47
    Analysis date:     2013-10-24 04:44:46 UTC ( 0 minutes ago )  
    The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
    PE signature block
    Publisher Alcatel-Lucent USA
    Signature verification Signed file, verified signature
    Signing date 5:44 AM 10/24/2013
    Signers     
    [+] Alcatel-Lucent USA
    [+] VeriSign Class 3 Code Signing 2010 CA
    [+] VeriSign
    ExifTool file metadata
    MIMEType
    application/octet-stream

    Subsystem
    Windows GUI
    MachineType
    Intel 386 or later, and compatibles
    TimeStamp
    2009:12:05 23:50:41+01:00
    FileType
    Win32 EXE
    PEType
    PE32
    CodeSize
    23040
    LinkerVersion
    6.0
    FileAccessDate
    2013:10:24 05:43:59+01:00
    EntryPoint
    0x30cb
    InitializedDataSize
    119808
    SubsystemVersion
    4.0
    ImageVersion
    6.0
    OSVersion
    4.0
    FileCreateDate
    2013:10:24 05:43:59+01:00
    UninitializedDataSize
    1024
     

  9. Kevin:
    Things are looking good and I feel like great progress has been made. I was able to
    do all steps through normal start-up mode. After the first re-boot the PC stalled and
    displayed "windows cannot find CF2841.3exe." I cancelled that and it booted fine.
    2 minutes later it gave me the old symptom of changing taskbar colors, so I rebooted
    and was able to run the Eset scan, where it found an old infection, "win32bundled ask
    toolbar". That scan ran uninterrupted, amazingly, no taskbar color changes!!
    PC is working much, much better. I'm anxious to hear your review of the log. Also
    interested to know what exactly I've been fighting against for the last month & 1/2?
    Curious to know the name of whatever it was. Thanks!!

    ComboFix 13-10-23.02 - RICH 10/23/2013  17:56:13.4.1 - x86
    Running from: C:\Documents and Settings\Administrator\desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\RICH\Desktop\CFScript.txt

    FILE ::
    "c:\windows\system32\drivers\yomjo.sys"

    I'm very sorry, I missed a step. I did not check "export to text file" but I can
    tell you the infection found by eset was one I've seen before.
    It is "Win32/Bundled.Toolbar.Ask D application". However, I did check it for removal.

  10. kevin: here is the combo log. I ran it in safe mode, I hope that works okay..? If we need to re-run it in regular mode just let me know.

    Question: can you tell me if the Zoek scan found anything or made any major changes? Thanks!

     

    ComboFix 13-10-23.02 - Administrator 10/23/2013  13:19:52.3.1 - x86 NETWORK
    Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.639.521 [GMT -4:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Administrator\Desktop\zebranMalwarebytes' Anti-Malware\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    .
    (((((((((((((((((((((((((   Files Created from 2013-09-23 to 2013-10-23  )))))))))))))))))))))))))))))))
    .
    .
    2013-10-16 20:41 . 2013-06-10 01:59    216064    ----a-w-    c:\windows\system32\gcapi_dll.dll
    2013-10-04 04:13 . 2013-10-22 00:04    47064    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
    2013-10-01 23:32 . 2013-10-01 23:31    1207928    ----a-w-    c:\program files\rc-installer.exe
    2013-10-01 06:49 . 2013-10-01 06:49    --------    d-----w-    c:\program files\Microsoft Security Client
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-09-19 07:54 . 2013-09-19 07:40    181064    ----a-w-    c:\windows\PSEXESVC.EXE
    2013-09-17 15:26 . 2013-09-17 15:26    325960    ----a-w-    c:\program files\lua5.1.dll
    2013-09-04 03:02 . 2013-07-19 00:22    1966080    ----a-w-    c:\program files\Repair_Windows.exe
    2013-04-19 22:40 . 2013-04-19 22:40    11091432    ----a-w-    c:\program files\MSEInstall.exe
    2013-03-25 03:24 . 2013-03-25 03:24    2483904    ----a-w-    c:\program files\Procmon.exe
    2011-03-08 17:54 . 2013-07-19 00:22    229376    ----a-w-    c:\program files\pcwintech_tabs.ocx
    2009-03-24 19:52 . 2013-07-19 00:22    1069376    ----a-w-    c:\program files\MSCOMCTL.OCX
    2009-03-24 19:52 . 2013-07-19 00:22    136008    ----a-w-    c:\program files\msinet.ocx
    .
    .
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
    "SiSPower"="SiSPower.dll" [2005-04-12 49152]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]
    "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-10 1313640]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE -b -l [2001-2-13 83360]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
    "AlcxMonitor"=ALCXMNTR.EXE
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
    .
    S0 qcihrtv;qcihrtv;c:\windows\system32\drivers\yomjo.sys --> c:\windows\system32\drivers\yomjo.sys [?]
    S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\drivers\dc3d.sys [5/15/2013 1:14 PM 45288]
    S3 hitmanpro37;HitmanPro 3.7 Support Driver;c:\windows\system32\drivers\hitmanpro37.sys [10/19/2013 3:33 AM 30976]
    S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [10/4/2013 12:13 AM 47064]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [10/19/2013 2:54 AM 105176]
    S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [5/9/2013 10:12 PM 594048]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-10-03 c:\windows\Tasks\GlaryInitialize.job
    - c:\program files\Glary Utilities\initialize.exe [2013-04-16 01:09]
    .
    2013-10-23 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
    - c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-01-27 15:11]
    .
    .
    ------- Supplementary Scan -------
    .


    Trusted Zone: $talisma_url$


    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9ww7oghu.default-1379006515921\
    FF - prefs.js: browser.startup.homepage - hxxps://accounts.google.com/ServiceLogin?service=mail&passive=true&continue=http://mail.google.com/mail/x/ogb/gp/?tab%3Dwm&scc=1&ltmpl=ecobh&nui=5&btmpl=mobile&emr=1
    FF - ExtSQL: 2013-09-19 16:03; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9ww7oghu.default-1379006515921\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
    .
    - - - - ORPHANS REMOVED - - - -
    .
    SafeBoot-15799350.sys
    SafeBoot-36290891.sys
    SafeBoot-36329121.sys
    SafeBoot-47500374.sys
    SafeBoot-70404671.sys
    SafeBoot-mbamchameleon
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2013-10-23 13:26
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...  
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...  
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1614895754-1637723038-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    @SACL=(02 0000)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
       d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9b,0a,91,87,b9,73,4a,42,8a,7f,56,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
       d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9b,0a,91,87,b9,73,4a,42,8a,7f,56,\
    "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
       d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9b,0a,91,87,b9,73,4a,42,8a,7f,56,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(172)
    c:\windows\system32\WININET.dll
    .
    Completion time: 2013-10-23  13:28:17
    ComboFix-quarantined-files.txt  2013-10-23 17:28
    .
    Pre-Run: 95,591,141,376 bytes free
    Post-Run: 95,584,747,520 bytes free
    .
    - - End Of File - - 5550C8463BF20716BBCF3090353D8200
    8F558EB6672622401DA993E1E865C861
     
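The CFScript in post 9 names c:\windows\system32\drivers\yomjo.sys, and the ComboFix log above lists the service pointing at it as "S0 qcihrtv;qcihrtv;... [?]", next to ordinary driver lines that end in "[date time size]". As an added example, not from the thread and not part of ComboFix, this Python script parses service lines in the shape shown above and flags the entries a reviewer would check first; the prefix interpretation (R/S for running/stopped, then a start-type digit) and the sample lines are assumptions modelled on the pasted log.

```python
r"""Triage the service/driver lines of a ComboFix log.

Added example, not from the thread and not part of ComboFix. Assumption about
the line format (taken from the log as pasted): a two-character prefix, R or S
for running/stopped and a digit for the start type (0 boot, 1 system, 2 auto,
3 manual, 4 disabled), then 'name;display name;image path' followed by either
'[date time size]' for a file that exists or '--> path [?]' when it does not.
"""
import re

# Constructed sample: the three lines mirror the poster's ComboFix output.
SAMPLE_LINES = r"""
S0 qcihrtv;qcihrtv;c:\windows\system32\drivers\yomjo.sys --> c:\windows\system32\drivers\yomjo.sys [?]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\drivers\dc3d.sys [5/15/2013 1:14 PM 45288]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [10/4/2013 12:13 AM 47064]
""".strip().splitlines()

SERVICE_RE = re.compile(r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
DETAIL_RE = re.compile(r"^(?P<path>.+?) \[(?P<info>[^\]]*)\]$")
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}


def parse_service_line(line):
    """Return a dict for one service line, or None if the line is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    missing = rest.endswith("[?]")  # ComboFix's marker for an image file it could not find
    if missing:
        path, info = rest.split(" --> ")[0], ""
    else:
        d = DETAIL_RE.match(rest)
        path, info = (d.group("path"), d.group("info")) if d else (rest, "")
    return {
        "name": m.group("name"),
        "display": m.group("display"),
        "running": m.group("state") == "R",
        "start": START_TYPES[m.group("start")],
        "path": path,
        "info": info,
        "missing": missing,
    }


def triage(lines):
    """Flag entries a reviewer would look at first, with the reason for each."""
    flagged = []
    for line in lines:
        svc = parse_service_line(line)
        if svc is None:
            continue
        reasons = []
        if svc["missing"]:
            reasons.append("image file not found on disk")
        # Heuristic (an assumption, not a ComboFix rule): legitimate boot/system
        # drivers almost always carry a descriptive display name.
        if svc["start"] in ("boot", "system") and svc["display"] == svc["name"]:
            reasons.append("early-start driver with no descriptive display name")
        if reasons:
            flagged.append((svc["name"], svc["path"], reasons))
    return flagged


if __name__ == "__main__":
    for name, path, reasons in triage(SAMPLE_LINES):
        print("%s (%s): %s" % (name, path, "; ".join(reasons)))
```

A flagged entry is a starting point for review, not a verdict; the ComboFix log itself records what was quarantined.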

  11. Thank you very much for your time and trying to help me. I am not aware of any p2p software running on my p/c. Also, a couple of scanners have been renamed, such as "iexplore3.exe" etc., during previous attempts to remove the virus. I had to run this in safe mode as the machine was super slow in regular mode. I hope that was okay. Thanks again!

     

    Zoek.exe Version 4.0.0.5 Updated 22-October-2013

    Tool run by Administrator on Tue 10/22/2013 at 20:59:37.75.
    Microsoft Windows XP 5.1.2600 Service Pack 3 x86 WMI=failure
    Running in: Safe Mode NETWORK No Internet Access Detected
    Launched: C:\Documents and Settings\Administrator\Desktop\zoek\zoek.com [script inserted]

    ==== System Restore Info ======================

    Failed to create System Restore Point.

    ==== Suspicious Entries Found ======================

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
    "445:TCP"="445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005"
    "137:UDP"="137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001"
    "138:UDP"="138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002"
    "3389:TCP"="3389:TCP:*:Disabled:@xpsp2res.dll,-22009"
    "1900:UDP"="1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007"
    "2869:TCP"="2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008"

    ==== Creating Sample_20131022_0908.zip ======================
     
    Copied folder C:\Documents and Settings\All Users\Application Data\AVAST Software to sample\AVAST Software

    C:\Documents and Settings\All Users\Desktop\sample_20131022_0908.zip created successfully

    ==== Deleting CLSID Registry Keys ======================


    ==== Deleting CLSID Registry Values ======================


    ==== Running Processes ======================

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch
    C:\WINDOWS\system32\svchost.exe -k rpcss
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService

    ==== Deleting Services ======================


    ==== FireFox Fix ======================

    ProfilePath: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9ww7oghu.default-1379006515921

    user.js not found
    ---- Lines Customized removed from prefs.js ----


    ---- Lines Customized modified from prefs.js ----


    ---- FireFox user.js and prefs.js backups ----

    prefs_20131022_0908_.backup

    ProfilePath: C:\Documents and Settings\RICH\Application Data\Mozilla\Firefox\Profiles\ud60wonb.default

    user.js not found
    ---- Lines Customized removed from prefs.js ----

    user_pref("extensions.testpilot.alreadyCustomizedToolbar", true);

    ---- Lines Customized modified from prefs.js ----


    ---- FireFox user.js and prefs.js backups ----

    prefs_20131022_0908_.backup

    ==== Deleting Files \ Folders ======================

    C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable) deleted
    C:\Program Files\GUT13.tmp deleted
    C:\Program Files\GUM12.tmp deleted
    "C:\Documents and Settings\Administrator\Application Data\Sun" deleted

    ==== System Specs ======================

    Operating System: Microsoft Windows XP Home Edition 5.1.2600 Service Pack 3
    Manufacturer: Compaq Presario 061 - Model: PX796AA-ABA SR1517CL NA530
    Install Date: 4/19/2013 5:12:06 PM
    Last Boot: 10/22/2013 8:43:49 PM
    Processor: AMD Sempron Processor 3000+
    Number of Processors: 1
    Work Station
    Bootmode: Fail-safe with network boot
    Total RAM: 639 MB ( - 0)
    Computername: RICH-BIZ
    Domain: MSHOME
    User: Administrator (Administrator account)
    Local Disk:        C:\ - NTFS - 99 GB (free 89 GB)
    Removable Disk:    E:\ -  -  GB (free  GB)
    Removable Disk:    F:\ -  -  GB (free  GB)
    Removable Disk:    G:\ -  -  GB (free  GB)
    Removable Disk:    H:\ -  -  GB (free  GB)
    CD \ DVD Drive:    I:\
    Local Disk:        J:\ - NTFS - 49 GB (free 48 GB)
    Bootdevice: \Device\HarddiskVolume1
    Windows update:
    Country: United States
    Language: ENU

    ==== System Specs (Software) ======================

    Anti-Virus: Microsoft Security Essentials On-access scanning disabled (Updated)
    Internet Explorer version: 8.0.6001.18702
    Mozilla Firefox version: 24.0 (x86 en-US)

    ==== Files Recently Created / Modified ======================

    ====== C:\WINDOWS ====
    ====== C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp ====
    2013-10-20 18:50:34    2E0323A94915FAAB10A25F3BABF82584    157696    ----a-w-    C:\Documents and Settings\Administrator\Local Settings\Temp\jrt\erunt\ERUNT.EXE
    ====== Java Cache =====
    ====== C:\WINDOWS\system32 =====
    2013-10-16 20:41:06    D496480A00ABDE0655C0FDCE9530B43E    216064    ----a-w-    C:\WINDOWS\System32\gcapi_dll.dll
    ====== C:\WINDOWS\system32\drivers =====
    2013-10-19 07:33:21    CE77439BAF613019D6B7658292D1E4A6    30976    ----a-w-    C:\WINDOWS\System32\drivers\hitmanpro37.sys
    2013-10-19 06:54:19    5C47D60938E77822A2C8D25102C63CE2    105176    ----a-w-    C:\WINDOWS\System32\drivers\MBAMSwissArmy.sys
    2013-10-04 04:13:08    805C6F337968C7271F0421D0A386C8EE    47064    ----a-w-    C:\WINDOWS\System32\drivers\mbamchameleon.sys
    ====== C:\WINDOWS\Tasks ======
    2013-10-04 05:37:12    CBCF58977265A7C390376B49B398FC2B    384    ---ha-w-    C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job
    ====== C:\WINDOWS\Temp ======
    ======= C:\Program Files =====
    2013-10-01 23:32:15    1207928    ----a-w-    C:\Program Files\rc-installer.exe
    ======= C: =====
    ====== C:\Documents and Settings\Administrator\Application Data ======
    2013-10-18 15:16:34    --------    d-----r-    C:\Documents and Settings\RICH\Start Menu\Programs\Administrative Tools
    2013-09-23 17:26:24    --------    d-----w-    C:\Documents and Settings\RICH\Application Data\Motive
    ====== C:\Documents and Settings\Administrator ======
    2013-10-19 22:12:27    2E2000AB851DB75EA8E27E3A621B61FC    180000    ----a-w-    C:\Documents and Settings\RICH\desktop\google.exe5.exe
    2013-10-19 21:13:41    2E2000AB851DB75EA8E27E3A621B61FC    180000    ----a-w-    C:\Documents and Settings\Administrator\desktop\google.exe5.exe
    2013-10-19 19:14:12    7DC87AC83F18ECDCF80886274B60EB0B    3053416    ------w-    C:\Documents and Settings\Administrator\desktop\NPE.exe
    2013-10-19 13:29:02    --------    d-sh--w-    C:\Documents and Settings\NetworkService\Cookies
    2013-10-19 05:53:16    --------    d-sh--w-    C:\Documents and Settings\LocalService\Cookies
    2013-10-17 17:59:54    2084AC9305E20BE7141DAC46902C5427    1050644    ----a-w-    C:\Documents and Settings\Administrator\desktop\adwcleaner.exe

    ====== C: exe-files ==
    2013-10-20 18:50:34    2E0323A94915FAAB10A25F3BABF82584    157696    ----a-w-    C:\Documents and Settings\Administrator\Local Settings\temp\jrt\erunt\ERUNT.EXE
    2013-10-19 22:12:27    2E2000AB851DB75EA8E27E3A621B61FC    180000    ----a-w-    C:\Documents and Settings\RICH\desktop\google.exe5.exe
    2013-10-19 21:23:32    EFDE3843DDE0D1D30161FF27A17D135C    4121952    ----a-w-    C:\Documents and Settings\Administrator\desktop\KasperskyTDSSKillerPortable\App\TDSSKiller\tdsskiller.exe
    2013-10-19 21:13:41    2E2000AB851DB75EA8E27E3A621B61FC    180000    ----a-w-    C:\Documents and Settings\Administrator\desktop\google.exe5.exe
    2013-10-19 20:33:22    BB3CB855C5939C6391842EE73F600B9A    1033335    ----a-w-    C:\Documents and Settings\Administrator\desktop\ZJRT2\googleplay.exe
    2013-10-19 19:14:12    7DC87AC83F18ECDCF80886274B60EB0B    3053416    ------w-    C:\Documents and Settings\Administrator\desktop\NPE.exe
    2013-10-19 07:20:17    D41D8CD98F00B204E9800998ECF8427E    0    ----a-w-    C:\Documents and Settings\Administrator\desktop\mbar\HitmanPro.exe
    2013-10-19 06:53:10    4503803B9BEF66A375A44029E8BC6725    12576792    ----a-w-    C:\Documents and Settings\Administrator\desktop\mbar\iexplore3.exe
    2013-10-19 05:47:52    60CEFABAC2C573B266B567534CE7567E    1178424    ----a-w-    C:\Documents and Settings\RICH\desktop\mbar\Iexplore3.exe
    2013-10-17 17:59:54    2084AC9305E20BE7141DAC46902C5427    1050644    ----a-w-    C:\Documents and Settings\Administrator\desktop\adwcleaner.exe
    2013-10-17 16:15:48    602C842C9B9063DB76B09E1F8FFE25EA    1678013    ----a-w-    C:\Documents and Settings\Administrator\desktop\mbar\pc-decrapifier-2.3.1.exe
    2013-10-16 20:41:06    C17DA0BE97FC9F3C05FDE7BF3C5618D1    96216    ----a-w-    C:\Program Files\Foxit Software\Foxit Reader\Shell Extensions\FoxitPrevhost.exe
    2013-10-16 20:41:04    8D233BE097AE8993231B4AF89C0FC43B    7682112    ----a-w-    C:\Program Files\Foxit Software\Foxit Reader\Foxit Updater.exe
    2013-10-16 20:41:01    BA628CB4B2EFE4FDFB327EC84AE4A51C    33846336    ----a-w-    C:\Program Files\Foxit Software\Foxit Reader\Foxit Reader.exe
    2013-10-16 20:41:00    EC25836B753F4033C280E65CBA387E2B    60480    ----a-w-    C:\Program Files\Foxit Software\Foxit Reader\plugins\Creator\FXC_ProxyProcess.exe
    2013-10-16 20:41:00    8991085E81E66C4204CE8ADAE52631AA    759872    ----a-w-    C:\Program Files\Foxit Software\Foxit Reader\UninstallPrint.exe
    2013-10-16 20:40:57    D4945107DF8F56CC4DC858C0694C13E2    26688    ----a-w-    C:\Program Files\Foxit Software\Foxit Reader\Checkupdate\Checkupdate.exe
    2013-10-16 13:55:55    BB3CB855C5939C6391842EE73F600B9A    1033335    ----a-w-    C:\Documents and Settings\RICH\desktop\mbar\iexplore.exe
    === C: other files ==
    2013-10-23 01:08:08    57D04532D2F29BF8B1F977A7CB94AA24    664    ----a-w-    C:\Documents and Settings\All Users\Desktop\sample_20131022_0908.zip
    2013-10-23 00:59:50    0BE568FD1E7D6C6D64D2272649F5C716    111    ----a-w-    C:\Documents and Settings\Administrator\Local Settings\temp\scripttest.vbs
    2013-10-20 18:50:34    FC4F97736048914DC32849E3AE23B70D    16063    ----a-w-    C:\Documents and Settings\Administrator\Local Settings\temp\jrt\get.bat
    2013-10-20 18:50:34    F8AB3BC726E938E05E57039DCE160BC2    16848    ----a-w-    C:\Documents and Settings\Administrator\Local Settings\temp\jrt\chrome.bat
    2013-10-20 18:50:34    CC6C23C02BE66014AD87F2678BBB3A1D    8117    ----a-w-    C:\Documents and Settings\Administrator\Local Settings\temp\jrt\modules.bat
    2013-10-20 18:50:34    BCC12F911E90790A4A83A60DD5878A9B    148311    ----a-w-    C:\Documents and Settings\Administrator\Local Settings\temp\jrt\misc.bat
    2013-10-20 18:50:34    BAD6C67C870CC81C48DBA53089929884    153331    ----a-w-    C:\Documents and Settings\Administrator\Local Settings\temp\jrt\firefox.bat
    2013-10-20 18:50:34    B964B792D3692699CD7D4FDB63EE470E    1239    ----a-w-    C:\Documents and Settings\Administrator\Local Settings\temp\jrt\FWPolicy.bat
    2013-10-20 18:50:34    B45931E5313CB14CAA0F2BC3DA30E6FC    29648    ----a-w-    C:\Documents and Settings\Administrator\Local Settings\temp\jrt\ask.bat
    2013-10-20 18:50:34    80D02380F1AC33E459324B088392A1EC    732    ----a-w-    C:\Documents and Settings\Administrator\Local Settings\temp\jrt\ev_clear.bat
    2013-10-20 18:50:34    75C9C20DD9839BF287B43B0E179822DC    31414    ----a-w-    C:\Documents and Settings\Administrator\Local Settings\temp\jrt\iexplore.bat
    2013-10-20 18:50:34    654E9FE74B930A454EE5BDE165794B65    85    ----a-w-    C:\Documents and Settings\Administrator\Local Settings\temp\jrt\delorphans.bat
    2013-10-20 18:50:34    58605DA3492FB918D3D40B1FB88046AE    39471    ----a-w-    C:\Documents and Settings\Administrator\Local Settings\temp\jrt\prelim.bat
    2013-10-20 18:50:34    372EA6F783198102CF5779072EE78C79    24751    ----a-w-    C:\Documents and Settings\Administrator\Local Settings\temp\jrt\searchlnk.bat
    2013-10-20 18:50:34    286ED57FC6A61371F719AA9C3BA654BE    10261    ----a-w-    C:\Documents and Settings\Administrator\Local Settings\temp\jrt\JRT.bat
    2013-10-20 18:50:34    1FBF882AA934A741530741FC134872A3    1243    ----a-w-    C:\Documents and Settings\Administrator\Local Settings\temp\jrt\TDL4.bat
    2013-10-20 18:50:34    14D6EE8B672684E2232FB430D8C4A928    18668    ----a-w-    C:\Documents and Settings\Administrator\Local Settings\temp\jrt\medfos.bat
    2013-10-20 18:50:34    0D5CD85FCC11F21ABFF551FA629746CD    8713    ----a-w-    C:\Documents and Settings\Administrator\Local Settings\temp\jrt\runvalues.bat
    2013-10-20 18:50:34    0768E560CCD86C18F35FAD29DCEA7B80    1820    ----a-w-    C:\Documents and Settings\Administrator\Local Settings\temp\jrt\delfolders.bat
    2013-10-19 07:33:21    CE77439BAF613019D6B7658292D1E4A6    30976    ----a-w-    C:\WINDOWS\system32\drivers\hitmanpro37.sys
    2013-10-19 06:54:19    5C47D60938E77822A2C8D25102C63CE2    105176    ----a-w-    C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys

    ==== Startup Registry Enabled ======================

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe -t"

    [HKEY_USERS\S-1-5-21-1614895754-1637723038-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe"

    [HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe -t"

    [HKEY_USERS\S-1-5-21-1614895754-1637723038-839522115-500\Software\Microsoft\Windows\CurrentVersion\runonce]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
    "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC"
    "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC"
    "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName"
    "SiSPower"="Rundll32.exe SiSPower.dll,ModeAgent"
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe"
    "itype"="c:\Program Files\Microsoft IntelliType Pro\itype.exe"
    "MSC"="c:\Program Files\Microsoft Security Client\msseces.exe -hide -runkey"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]

    ==== Task Scheduler Jobs ======================

    C:\WINDOWS\tasks\GlaryInitialize.job --a------ C:\Program Files\Glary Utilities\initialize.exe [03/29/2013 09:09 PM]
    C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job --ah----- C:\Program Files\Microsoft Security Client\MpCmdRun.exe [01/27/2013 11:11 AM]

    ==== Firefox Extensions Registry ======================

    [HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
    "wrc@avast.com"="C:\Program Files\AVAST Software\Avast\WebRep\FF" []

    ==== Firefox Extensions ======================

    ProfilePath: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9ww7oghu.default-1379006515921
    - Adblock Plus - %ProfilePath%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi

    ProfilePath: C:\Documents and Settings\RICH\Application Data\Mozilla\Firefox\Profiles\ud60wonb.default
    - Undetermined - C:\Program Files\Mozilla Firefox\extensions\mcciwbch@motive.com
    - Instrument Test - %ProfilePath%\extensions\testpilot@labs.mozilla.com.xpi

    AppDir: C:\Program Files\Mozilla Firefox
    - Default - %AppDir%\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    - Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

    ==== Firefox Plugins ======================

    Profilepath: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9ww7oghu.default-1379006515921
    ADC539F67D3198679F480974EE203678    - C:\WINDOWS\system32\npDeployJava1.dll -    Java Deployment Toolkit 7.0.210.11
    28000D7EEB2FD95A36E1A7539F599C3B    - C:\Program Files\Windows Media Player\npdrmv2.dll -    Microsoft® DRM
    5D41BCD19A3D90E4EBB58A6BFB79E4F7    - C:\Program Files\Windows Media Player\npdsplay.dll -    Windows Media Player Plug-in Dynamic Link Library
    8B6884E3E1E5F8ABA5FA0C6A2B13181D    - C:\Program Files\Windows Media Player\npwmsdrm.dll -    Microsoft® DRM
    68A131335A20B343923A2957EB1E413D    - C:\WINDOWS\system32\npptools.dll -    Microsoft® Windows® Operating System


    ==== Set IE to Default ======================

    Old Values:
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    "Start Page"="http://www.bleepingcomputer.com/forums/t/505084/alureon-was-found-but-keeps-coming-back-is-there-any-hope/?hl=%2Balureon#entry3141538"
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
    No DefaultScope Set For HKCU

    New Values:
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    "Start Page"="http://www.bleepingcomputer.com/forums/t/505084/alureon-was-found-but-keeps-coming-back-is-there-any-hope/?hl=%2Balureon#entry3141538"
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"

    ==== All HKCU SearchScopes ======================

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
    {0633EE93-D776-472f-A0FF-E1416B8B2E3A} @ieframe.dll,-12512  Url="http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC"
    {230BE758-416D-487D-8008-70D941C4D111} Google  Url="http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}"
    {6A1806CD-94D4-4689-BA73-E35EA1EA9990} Google  Url="http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}"

    ==== HijackThis Entries ======================

    O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
    O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
    O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\RunOnce: [Report] C:\AdwCleaner\AdwCleaner[s13].txt
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1366731346250
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe

    ==== Empty IE Cache ======================

    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5 emptied successfully
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat will be deleted at reboot

    ==== Empty FireFox Cache ======================

    C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\9ww7oghu.default-1379006515921\Cache emptied successfully

    ==== Empty Chrome Cache ======================

    No Chrome User Data found

    ==== Empty All Flash Cache ======================

    No Flash Cache Found

    ==== Empty All Java Cache ======================

    Java Cache cleared successfully

    ==== After Reboot ======================

    ==== Empty Temp Folders ======================

    C:\WINDOWS\Temp successfully emptied
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp successfully emptied

    ==== Empty Recycle Bin ======================

    C:\RECYCLER successfully emptied

    ==== Deleting Files / Folders ======================

    "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat" not found

    ==== EOF on Tue 10/22/2013 at 21:33:52.62 ======================
     

  12. Really not sure what this is. Various infections found & cleaned, but strange behavior continues. So far, Open Candy, a Java exploit & an Ibryte PUP have been removed, but the PC still acts like it's hijacked.

    Svchost is using 90-100 of CPU, and the desktop screen flashes, changes color, & the task bar splits in two. Mbam, tdss killer, & adwcleaner are a few of the many scans already run. Your help is kindly appreciated! Thanks!

    (winXP, 32 bit, hp desktop w/dsl wireless)
