
VTM0001

Honorary Members
  • Posts: 21
Everything posted by VTM0001

  1. It's not really important, and I know you are busy with other malware infections, but http://maddoktor2.com/forums/index.php simply isn't resolving in DNS. Do you know the IP address?

     FireFox:
     Server not found
     Firefox can't find the server at www.maddoktor2.com.
     Check the address for typing errors such as ww.example.com instead of www.example.com
     If you are unable to load any pages, check your computer's network connection.
     If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

     IE:
     This page can’t be displayed
     Make sure the web address http://maddoktor2.com is correct.
     Look for the page with your search engine.
     Refresh the page in a few minutes.

     None of these forum posts were done on the infected machine, so it certainly isn't that. Am I the only one who can't access the URL? Maybe it is being blocked by my ISP for some reason.
  2. There must be a DNS issue. I cannot get it to resolve, either using normal means or by using IP tools such as "What is my IP?" This is what is returned from whatismyipaddress.com:

     Subscribe to our newsletter and boost your IT I.Q. with IP news, hot tips, updates and more. Get yours today! We'll never share your address. You can opt out any time. This is a free publication. Please review our Privacy Policy.
     Hostname to IP address Lookup
     This tool will provide you the IP address (or addresses, if applicable) of the hostname (ie www.yahoo.com) that you enter below.
     Results:
     Lookup Hostname: maddoktor2.com
     Lookup IP Address: none
  3. Just so you know, it doesn't appear that maddoktor2.com can be found. You might want to verify that the link is correct. Thanks!
  4. MrC, Thanks so much for helping! It is, indeed, unfortunate that there are so many miscreants out there on the Internet that it has become necessary to have so many tools and so many forums dedicated to malware removal. Nonetheless, it is comforting to know that "you guys" are out there and so willing to help. Just a couple of parting notes. I will be going through the process of deleting the tools that we used. Hopefully OTC will get most of them. I will also be updating the downlevel or obsolete software to reduce the chances for another infection. Lastly, based on what was disclosed on the logs, I'd like your experienced opinion regarding what virus or viruses were present and where they might have been acquired. This machine does not connect to the Internet frequently (intentionally!) and almost never downloads anything other than, as an example, Firefox updates. At least I have now learned that EXPLORER.EXE can create connections to IP addresses without express permission, but MS must have their reasons, perhaps perverse, for doing that! Thanks again for your help and I genuinely appreciate all of your quick responses.
  5. OK, I left the quarantined file in place. Security Check Results:

     Results of screen317's Security Check version 0.99.78
     Windows XP Service Pack 3 x86
     Internet Explorer 7 Out of date!
     ``````````````Antivirus/Firewall Check:``````````````
     Windows Firewall Enabled!
     Please wait while WMIC compiles updated MOF files.d i s p l a y N a m e ECHO is off.
     N o r t o n ECHO is off.
     A n t i V i r u s ECHO is off.
     Antivirus out of date! (On Access scanning disabled!)
     `````````Anti-malware/Other Utilities Check:`````````
     Malwarebytes Anti-Malware version 1.75.0.1300
     Java 7 Update 45
     Adobe Flash Player 10 Flash Player out of Date!
     Adobe Flash Player 11.7.700.202
     Adobe Reader 7 Adobe Reader out of Date!
     Mozilla Firefox (Firefox,. Firefox out of Date!
     ````````Process Check: objlist.exe by Laurent````````
     Norton AntiVirus navapsvc.exe
     Norton AntiVirus SAVScan.exe
     `````````````````System Health check`````````````````
     Total Fragmentation on Drive C:: 18% Defragment your hard drive soon! (Do NOT defrag if SSD!)
     ````````````````````End of Log``````````````````````

     On to the clean-up? Thanks!
  6. Hi, MalwareBytes FINALLY completed and it detected one object. Please verify that I should proceed and allow MalwareBytes to REMOVE this file. Thanks!

     Malwarebytes Anti-Malware 1.75.0.1300
     www.malwarebytes.org
     Database version: v2014.01.12.05
     Windows XP Service Pack 3 x86 NTFS
     Internet Explorer 7.0.5730.11
     Albert :: VTM_1 [administrator]
     1/12/2014 9:34:17 AM
     MBAM-log-2014-01-12 (18-33-17).txt
     Scan type: Full scan (C:\|)
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 308762
     Time elapsed: 4 hour(s), 2 minute(s), 58 second(s)
     Memory Processes Detected: 0
     (No malicious items detected)
     Memory Modules Detected: 0
     (No malicious items detected)
     Registry Keys Detected: 0
     (No malicious items detected)
     Registry Values Detected: 0
     (No malicious items detected)
     Registry Data Items Detected: 0
     (No malicious items detected)
     Folders Detected: 0
     (No malicious items detected)
     Files Detected: 1
     C:\Qoobox\Quarantine\C\Documents and Settings\Albert\12345678.txt.vir (Trojan.Zbot.PWS) -> No action taken.
     (end)
  7. I have updated MalwareBytes and adjusted the PUP setting, as you requested. The scan is currently in progress. As I recall, this scan will take some time, so I will post the results as soon as I can. If the scan runs for more than an hour or so, I may not be able to post the results until early this evening, as I will have to leave for a while this afternoon. Thanks again for all of your help with this.
  8. I have allowed AdwCleaner to complete the "Clean Up" process. The logfile report follows. I know you want me to update MalwareBytes to do a final full scan, but do you think we are at the point where I can safely allow the machine to connect to the Internet? I'm being cautious because we both have spent a lot of time getting to this point and I'd hate to have to start over. One strange thing is that when AdwCleaner re-booted the system, Windows re-installed Roxio Easy Media Creator 7 automatically, with no action from me. I don't know if this is significant, but wanted to pass this along anyway. I do believe that this software has been installed on this system for a long time. Thanks!

     # AdwCleaner v3.016 - Report created 12/01/2014 at 08:51:19
     # Updated 23/12/2013 by Xplode
     # Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
     # Username : Albert - VTM_1
     # Running from : C:\Documents and Settings\Albert\Desktop\AdwCleaner.exe
     # Option : Clean
     ***** [ Services ] *****
     ***** [ Files / Folders ] *****
     ***** [ Shortcuts ] *****
     ***** [ Registry ] *****
     Key Deleted : HKCU\Software\Conduit
     Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
     Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536
     ***** [ Browsers ] *****
     -\\ Internet Explorer v7.0.6000.16915
     -\\ Mozilla Firefox v26.0 (en-US)
     [ File : C:\Documents and Settings\Albert\Application Data\Mozilla\Firefox\Profiles\ss17429f.default\prefs.js ]
     [ File : C:\Documents and Settings\KJM\Application Data\Mozilla\Firefox\Profiles\rbcbbeao.default\prefs.js ]
     *************************
     AdwCleaner[R0].txt - [1218 octets] - [12/01/2014 08:08:27]
     AdwCleaner[s0].txt - [1145 octets] - [12/01/2014 08:51:19]
     ########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [1205 octets] ##########
  9. Good Morning! I have run AdwCleaner. Just to be sure, I'm attaching the AdwCleaner report for your review. I have not yet pressed the "Clean" button.

     # AdwCleaner v3.016 - Report created 12/01/2014 at 08:08:27
     # Updated 23/12/2013 by Xplode
     # Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
     # Username : Albert - VTM_1
     # Running from : C:\Documents and Settings\Albert\Desktop\AdwCleaner.exe
     # Option : Scan
     ***** [ Services ] *****
     ***** [ Files / Folders ] *****
     ***** [ Shortcuts ] *****
     ***** [ Registry ] *****
     Key Found : HKCU\Software\Conduit
     Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
     Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536
     ***** [ Browsers ] *****
     -\\ Internet Explorer v7.0.6000.16915
     -\\ Mozilla Firefox v26.0 (en-US)
     [ File : C:\Documents and Settings\Albert\Application Data\Mozilla\Firefox\Profiles\ss17429f.default\prefs.js ]
     [ File : C:\Documents and Settings\KJM\Application Data\Mozilla\Firefox\Profiles\rbcbbeao.default\prefs.js ]
     *************************
     AdwCleaner[R0].txt - [1078 octets] - [12/01/2014 08:08:27]
     ########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [1138 octets] ##########

     Nothing is showing up under either the "Folders" or "Files" tabs, so I guess that is a good thing, at this point.
  10. OK, ComboFix completed overnight and here is the log that was produced:

      ComboFix 14-01-08.03 - Albert 01/11/2014 22:21:51.1.1 - x86
      Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.124 [GMT -6:00]
      Running from: c:\documents and settings\Albert\Desktop\ComboFix.exe
      .
      WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
      .
      .
      ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      c:\documents and settings\Albert\12345678.txt
      c:\documents and settings\Albert\My Documents\~WRL2679.tmp
      c:\documents and settings\Albert\My Documents\~WRL2835.tmp
      c:\documents and settings\All Users\Application Data\DragToDiscUserNameE.txt
      C:\Thumbs.db
      c:\windows\EventSystem.log
      c:\windows\winhelp.ini
      .
      .
      ((((((((((((((((((((((((( Files Created from 2013-12-12 to 2014-01-12 )))))))))))))))))))))))))))))))
      .
      .
      2014-01-12 02:56 . 2014-01-12 02:56 -------- d-----w- C:\TEMP_BKUP
      2014-01-11 18:13 . 2014-01-11 18:13 -------- d-----w- C:\FRST
      2014-01-10 23:19 . 2014-01-11 01:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
      2014-01-10 23:18 . 2014-01-10 23:18 104664 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
      2013-12-28 23:36 . 2013-12-28 23:36 -------- d-----w- c:\documents and settings\KJM\Application Data\AT&T
      2013-12-19 17:24 . 2013-12-19 17:24 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
      2013-12-17 21:57 . 2013-12-17 21:58 -------- d-----w- C:\Registry_Backups
      2013-12-15 01:59 . 2014-01-10 23:17 51416 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
      .
      .
      .
      (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2014-01-11 01:39 . 2014-01-11 01:39 82944 ----a-w- c:\windows\system32\drivers\WudfRd.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 77568 ----a-w- c:\windows\system32\drivers\WudfPf.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 19455 ----a-w- c:\windows\system32\drivers\wVchNTxx.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 12063 ----a-w- c:\windows\system32\drivers\wSiINTxx.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 83072 ----a-w- c:\windows\system32\drivers\wdmaud.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 4352 ----a-w- c:\windows\system32\drivers\wmilib.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 23615 ----a-w- c:\windows\system32\drivers\wCh7xxNT.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 25471 ----a-w- c:\windows\system32\drivers\wATV10nt.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 34560 ----a-w- c:\windows\system32\drivers\wanarp.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 33599 ----a-w- c:\windows\system32\drivers\wATV04nt.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 29311 ----a-w- c:\windows\system32\drivers\wATV01nt.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 22271 ----a-w- c:\windows\system32\drivers\wATV06nt.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 19551 ----a-w- c:\windows\system32\drivers\wATV02NT.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 11871 ----a-w- c:\windows\system32\drivers\wADV09NT.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 14208 ----a-w- c:\windows\system32\drivers\wacompen.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 12415 ----a-w- c:\windows\system32\drivers\wADV01nt.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 12127 ----a-w- c:\windows\system32\drivers\wADV02NT.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 11807 ----a-w- c:\windows\system32\drivers\wADV07nt.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 11775 ----a-w- c:\windows\system32\drivers\wADV05NT.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 11295 ----a-w- c:\windows\system32\drivers\wADV08NT.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 64605 ----a-w- c:\windows\system32\drivers\vvoice.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 52352 ----a-w- c:\windows\system32\drivers\volsnap.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 397502 ----a-w- c:\windows\system32\drivers\vpctcom.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 604253 ----a-w- c:\windows\system32\drivers\vmodem.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 81664 ----a-w- c:\windows\system32\drivers\videoprt.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 42240 ----a-w- c:\windows\system32\drivers\viaagp.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 20992 ----a-w- c:\windows\system32\drivers\vga.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 89728 ----a-w- c:\windows\system32\drivers\usbvsp.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 26368 ----a-w- c:\windows\system32\drivers\usbstor.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 20608 ----a-w- c:\windows\system32\drivers\usbuhci.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 143872 ----a-w- c:\windows\system32\drivers\usbport.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 121984 ----a-w- c:\windows\system32\drivers\usbvideo.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 59520 ----a-w- c:\windows\system32\drivers\usbhub.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 4736 ----a-w- c:\windows\system32\drivers\usbd.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 30208 ----a-w- c:\windows\system32\drivers\usbehci.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 15872 ----a-w- c:\windows\system32\drivers\usbintel.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 25728 ----a-w- c:\windows\system32\drivers\usbcamd2.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 25600 ----a-w- c:\windows\system32\drivers\usbcamd.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 12800 ----a-w- c:\windows\system32\drivers\usb8023x.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 12800 ----a-w- c:\windows\system32\drivers\usb8023.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 66048 ----a-w- c:\windows\system32\drivers\udfs.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 384768 ----a-w- c:\windows\system32\drivers\update.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 200832 ----a-w- c:\windows\system32\drivers\Udfreadr.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 44672 ----a-w- c:\windows\system32\drivers\uagp35.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 40840 ----a-w- c:\windows\system32\drivers\termdd.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 21896 ----a-w- c:\windows\system32\drivers\tdtcp.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 19072 ----a-w- c:\windows\system32\drivers\tdi.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 12288 ----a-w- c:\windows\system32\drivers\tunmp.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 12040 ----a-w- c:\windows\system32\drivers\tdpipe.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 225856 ----a-w- c:\windows\system32\drivers\tcpip6.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 18432 ----a-w- c:\windows\system32\drivers\tcpipBM.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 60800 ----a-w- c:\windows\system32\drivers\sysaudio.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 361600 ----a-w- c:\windows\system32\drivers\tcpip.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 14976 ----a-w- c:\windows\system32\drivers\tape.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 267192 ----a-w- c:\windows\system32\drivers\symtdi.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 2397 ----a-w- c:\windows\system32\drivers\symlcbrd.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 17976 ----a-w- c:\windows\system32\drivers\symredrv.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 82432 ----a-w- c:\windows\system32\drivers\swnc8u12.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 66304 ----a-w- c:\windows\system32\drivers\swumx12.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 56576 ----a-w- c:\windows\system32\drivers\swmidi.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 4352 ----a-w- c:\windows\system32\drivers\swenum.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 73472 ----a-w- c:\windows\system32\drivers\sr.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 49408 ----a-w- c:\windows\system32\drivers\stream.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 333952 ----a-w- c:\windows\system32\drivers\srv.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 6272 ----a-w- c:\windows\system32\drivers\splitter.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 5888 ----a-w- c:\windows\system32\drivers\smbali.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 25344 ----a-w- c:\windows\system32\drivers\sonydcam.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 23153 ----a-w- c:\windows\system32\drivers\SMC1211.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 13240 ----a-w- c:\windows\system32\drivers\slwdmsup.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 95424 ----a-w- c:\windows\system32\drivers\slnthal.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 404990 ----a-w- c:\windows\system32\drivers\slntamr.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 40960 ----a-w- c:\windows\system32\drivers\sisagp.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 129535 ----a-w- c:\windows\system32\drivers\slnt7554.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 11392 ----a-w- c:\windows\system32\drivers\sfloppy.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 64512 ----a-w- c:\windows\system32\drivers\serial.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 15744 ----a-w- c:\windows\system32\drivers\serenum.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 11904 ----a-w- c:\windows\system32\drivers\sffdisk.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 11008 ----a-w- c:\windows\system32\drivers\sffp_sd.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 10240 ----a-w- c:\windows\system32\drivers\sffp_mmc.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 20480 ----a-w- c:\windows\system32\drivers\secdrv.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 96384 ----a-w- c:\windows\system32\drivers\scsiport.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 79232 ----a-w- c:\windows\system32\drivers\sdbus.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 166912 ----a-w- c:\windows\system32\drivers\s3gnbm.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 30592 ----a-w- c:\windows\system32\drivers\rndismpx.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 30592 ----a-w- c:\windows\system32\drivers\rndismp.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 20992 ----a-w- c:\windows\system32\drivers\RTL8139.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 203136 ----a-w- c:\windows\system32\drivers\rmcast.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 59136 ----a-w- c:\windows\system32\drivers\rfcomm.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 57600 ----a-w- c:\windows\system32\drivers\redbook.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 26368 ----a-w- c:\windows\system32\drivers\RimSerial.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 13776 ----a-w- c:\windows\system32\drivers\recagent.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 196224 ----a-w- c:\windows\system32\drivers\rdpdr.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 175744 ----a-w- c:\windows\system32\drivers\rdbss.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 51328 ----a-w- c:\windows\system32\drivers\rasl2tp.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 48384 ----a-w- c:\windows\system32\drivers\raspptp.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 41472 ----a-w- c:\windows\system32\drivers\raspppoe.sys.bak
      2014-01-11 01:39 . 2014-01-11 01:39 16512 ----a-w- c:\windows\system32\drivers\raspti.sys.bak
      2010-03-31 15:09 . 2014-01-09 19:16 10437264 ----a-w- c:\program files\mozilla firefox\plugins\PDFNetC.dll
      2010-04-08 17:36 . 2014-01-09 19:16 107760 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
      .
      .
      ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-09 71328]
      "NAV CfgWiz"="c:\program files\Common Files\Symantec Shared\CfgWiz.exe" [2003-08-15 124096]
      "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
      "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-06-28 270648]
      "AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2007-04-06 22528]
      .
      c:\documents and settings\Albert\Start Menu\Programs\Startup\
      Lotus SmartSuite 97 Registration.lnk - c:\lotus\register\remind32.exe [1995-11-6 45056]
      .
      c:\documents and settings\All Users\Start Menu\Programs\Startup\
      Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
      Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE -b -l [2000-1-21 65588]
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
      2003-10-31 16:01 8704 ----a-w- c:\windows\system32\PCANotify.dll
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
      2004-10-14 16:17 45056 ----a-w- c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPQEASYACC]
      2001-10-10 23:14 28672 ----a-w- c:\program files\COMPAQ\Easy Access Button Support\STARTEAK.exe
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link AirPlus XtremeG]
      2004-10-27 22:07 987136 ----a-w- c:\program files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
      2007-04-27 14:41 282624 ----a-w- c:\program files\QuickTime\qttask.exe
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
      2004-11-17 17:21 1691648 ----a-w- c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SM1BG]
      2003-08-27 20:20 94208 ----a-r- c:\windows\SM1bg.exe
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
      2006-12-01 22:17 100056 ----a-w- c:\progra~1\SYMNET~1\SNDMon.exe
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uadplt]
      2012-08-07 12:31 362496 ----a-w- c:\documents and settings\Albert\Application Data\uadplt.dll
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
      "DisableMonitoring"=dword:00000001
      .
      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "%windir%\\system32\\sessmgr.exe"=
      "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
      .
      S1 EACMOS;EACMOS;c:\windows\system32\drivers\EACMOS.SYS --> c:\windows\system32\drivers\EACMOS.SYS [?]
      S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\A5AGU.sys [10/6/2004 10:39 AM 348352]
      S3 ATHFMWDL;D-Link predator Bootloader driver;c:\windows\system32\drivers\Athfmwdl.sys [10/4/2004 6:28 AM 43392]
      S3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;c:\windows\system32\drivers\SMC1211.sys [7/11/2001 11:06 AM 23153]
      S3 SWNC8U12;Sierra Wireless MUX NDIS Driver (UMTS12);c:\windows\system32\drivers\swnc8u12.sys [3/26/2007 1:21 PM 82432]
      S3 swumx12;Sierra Wireless USB MUX Driver (UMTS12);c:\windows\system32\drivers\swumx12.sys [3/26/2007 1:21 PM 66304]
      .
      --- Other Services/Drivers In Memory ---
      .
      *NewlyCreated* - 57701802
      *Deregistered* - 57701802
      .
      Contents of the 'Scheduled Tasks' folder
      .
      2010-02-13 c:\windows\Tasks\AppleSoftwareUpdate.job
      - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 18:42]
      .
      2011-05-06 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Albert.job
      - c:\progra~1\NORTON~1\NAVW32.EXE [2003-08-17 00:22]
      .
      2009-11-15 c:\windows\Tasks\Symantec NetDetect.job
      - c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2006-12-01 23:17]
      .
      .
      ------- Supplementary Scan -------
      .
      IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
      Trusted Zone: cmom.com\mx
      FF - ProfilePath - c:\documents and settings\Albert\Application Data\Mozilla\Firefox\Profiles\ss17429f.default\
      FF - prefs.js: network.proxy.type - 0
      FF - ExtSQL: !HIDDEN! 2009-09-03 09:23; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
      .
      - - - - ORPHANS REMOVED - - - -
      .
      SafeBoot-32122695.sys
      SafeBoot-57701802.sys
      MSConfigStartUp-Enypv - c:\documents and settings\Albert\Application Data\Xariwy\yxaso.exe
      MSConfigStartUp-Noovufb - c:\documents and settings\Albert\Application Data\Woexyxy\qolon.exe
      MSConfigStartUp-Syybwo - c:\documents and settings\Albert\Application Data\Eqgiiqoh\vaityb.exe
      MSConfigStartUp-Teytelcy - c:\documents and settings\Albert\Application Data\Ovroulob\udpia.exe
      MSConfigStartUp-Unhoneludakusae - c:\documents and settings\Albert\Application Data\Nohyamri\mocayl.exe
      .
      .
      .
      **************************************************************************
      .
      catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2014-01-11 22:51
      Windows 5.1.2600 Service Pack 3 NTFS
      .
      scanning hidden processes ...
      .
      scanning hidden autostart entries ...
      .
      scanning hidden files ...
      .
      scan completed successfully
      hidden files: 0
      .
      **************************************************************************
      .
      [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TrueSight]
      "ImagePath"="\??\"
      .
      --------------------- LOCKED REGISTRY KEYS ---------------------
      .
      [HKEY_USERS\S-1-5-21-1547161642-688789844-1060284298-1003\Software\Microsoft\SystemCertificates\AddressBook*]
      @Allowed: (Read) (RestrictedCode)
      @Allowed: (Read) (RestrictedCode)
      .
      Completion time: 2014-01-11 22:59:59
      ComboFix-quarantined-files.txt 2014-01-12 04:59
      .
      Pre-Run: 562,036,736 bytes free
      Post-Run: 729,968,640 bytes free
      .
      - - End Of File - - E2A2BB55873068780DC4E7FA06642B15 8F558EB6672622401DA993E1E865C861
  11. I have started to run ComboFix. However, ComboFix complained that the Recovery Console was not installed, so it WANTED to download / install it. Because of the nature of the original problem (many simultaneous connections to a wide variety of IP addresses), I replied "NO" and did not allow it. The machine is still isolated. ComboFix appeared to continue the scanning process; however, it is taking far longer than the 10-minute time that the program estimated for the initial part of the process. I am allowing it to continue to run at this point, since you indicated it might take 30-45 minutes, maybe longer, as the machine has a relatively slow processor. ComboFix has now been running for nearly an hour and has not yet displayed the message indicating that the clock settings are being changed. I will allow it to run overnight and, hopefully, it will complete by morning. Thanks!
  12. I am going to have to do the ComboFix tomorrow, as I need to leave for work in a few minutes. I want to thank you for your help so far. If you will be here tomorrow, I should be back around 8:00 AM, CST. I'll at least do the ComboFix and leave you the results. Thanks, again!
  13. Here are the results of the FRST fix and TDSSKILLER:

      Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 11-01-2014 03
      Ran by Albert at 2014-01-11 13:07:00 Run:1
      Running from F:\FARBAR
      Boot Mode: Normal
      ==============================================
      Content of fixlist:
      *****************
      HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
      HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe <====== ATTENTION
      HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe <====== ATTENTION
      HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION
      HKLM\...\InprocServer32: [Default-wbemess] wbemess.dll
      HKCU\...0c966feabec1\InprocServer32: [Default-shell32]
      HKCU\...409d6c4515e9\InprocServer32: [Default-shell32] SHELL32.dll
      HKU\KJM\...\Run: [unhoneludakusae] - "C:\Documents and Settings\Albert\Application Data\Nohyamri\mocayl.exe"
      C:\Documents and Settings\Albert\Local Settings\Temp\suwqecx\suycbvr\wow.dll
      C:\Documents and Settings\Albert\Local Settings\Temp\ahiinb.exe
      C:\Documents and Settings\Albert\Local Settings\Temp\eject.exe
      C:\Documents and Settings\Albert\Local Settings\Temp\firefoxjre_exe.exe
      C:\Documents and Settings\Albert\Local Settings\Temp\hiinm.exe
      C:\Documents and Settings\Albert\Local Settings\Temp\jre-7u17-windows-i586-iftw.exe
      C:\Documents and Settings\Albert\Local Settings\Temp\jre-7u25-windows-i586-iftw.exe
      C:\Documents and Settings\Albert\Local Settings\Temp\jre-7u40-windows-i586-iftw.exe
      C:\Documents and Settings\Albert\Local Settings\Temp\LRPatch.exe
      C:\Documents and Settings\Albert\Local Settings\Temp\LRSetup.exe
      C:\Documents and Settings\Albert\Local Settings\Temp\ntdll_dump.dll
      C:\Documents and Settings\Albert\Application Data\Nohyamri
      C:\Documents and Settings\Albert\Local Settings\Temp\suwqecx
      *****************
      HKLM => Group Policy Restriction on software restored successfully.
      HKLM => Group Policy Restriction on software restored successfully.
      HKLM => Group Policy Restriction on software restored successfully.
      HKLM => Group Policy Restriction on software restored successfully.
      HKLM\Software\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32\\Default => Value was restored successfully.
      HKCU\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} => Key deleted successfully.
      HKCU\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} => Key deleted successfully.
      If the key returned, move the associated file, reboot and list the key for deletion.
      HKU\KJM\Software\Microsoft\Windows\CurrentVersion\Run\\Unhoneludakusae => Value deleted successfully.
      C:\Documents and Settings\Albert\Local Settings\Temp\suwqecx\suycbvr\wow.dll => Moved successfully.
      C:\Documents and Settings\Albert\Local Settings\Temp\ahiinb.exe => Moved successfully.
      C:\Documents and Settings\Albert\Local Settings\Temp\eject.exe => Moved successfully.
      C:\Documents and Settings\Albert\Local Settings\Temp\firefoxjre_exe.exe => Moved successfully.
      C:\Documents and Settings\Albert\Local Settings\Temp\hiinm.exe => Moved successfully.
      C:\Documents and Settings\Albert\Local Settings\Temp\jre-7u17-windows-i586-iftw.exe => Moved successfully.
      C:\Documents and Settings\Albert\Local Settings\Temp\jre-7u25-windows-i586-iftw.exe => Moved successfully.
      C:\Documents and Settings\Albert\Local Settings\Temp\jre-7u40-windows-i586-iftw.exe => Moved successfully.
      C:\Documents and Settings\Albert\Local Settings\Temp\LRPatch.exe => Moved successfully.
      C:\Documents and Settings\Albert\Local Settings\Temp\LRSetup.exe => Moved successfully.
      C:\Documents and Settings\Albert\Local Settings\Temp\ntdll_dump.dll => Moved successfully.
      "C:\Documents and Settings\Albert\Application Data\Nohyamri" => File/Directory not found.
      C:\Documents and Settings\Albert\Local Settings\Temp\suwqecx => Moved successfully.
      ==== End of Fixlog ====

      TDSSKILLER found a number of objects. SKIP was selected for all of them except the last one where CURE was defaulted. The three TDSSKILLER logs are attached.

      TDSSKiller.3.0.0.19_11.01.2014_13.08.35_log.txt
      TDSSKiller.3.0.0.19_11.01.2014_13.17.46_log.txt
      TDSSKiller.3.0.0.19_11.01.2014_13.58.32_log.txt
  14. Here are the logs from the FARBAR tool.

      ADDITION.TXT

      Additional scan result of Farbar Recovery Scan Tool (x86) Version: 11-01-2014 03
      Ran by Albert at 2014-01-11 12:17:04
      Running from F:\FARBAR
      Boot Mode: Normal
      ==========================================================

      ==================== Security Center ========================

      AV: Norton AntiVirus (Disabled - Up to date) {B5510F6F-87E1-47F7-A411-360BC453007C}

      ==================== Installed Programs ======================

      Adobe Flash Player 10 ActiveX (Version: 10.0.32.18 - Adobe Systems Incorporated)
      Adobe Flash Player 11 Plugin (Version: 11.7.700.202 - Adobe Systems Incorporated)
      Adobe Reader 7.0.8 (Version: 7.0.8 - Adobe Systems Incorporated)
      AirPlus XtremeG (Version: - D-Link)
      AirPlus XtremeG (Version: - D-Link) Hidden
      ANIO Service (Version: - )
      ANIWZCS2 Service (Version: - )
      Apple Mobile Device Support (Version: 1.0.0.86 - Apple Inc.)
      Apple Software Update (Version: 2.0.0.21 - Apple Inc.)
      AT&T Communication Manager (Version: 6.2.10.0 - AT&T)
      CC_ccStart (Version: 2.0.0.635 - Symantec Corporation) Hidden
      ccCommon (Version: 2.0.0.635 - Symantec) Hidden
      Critical Update for Windows Media Player 11 (KB959772) (Version: - Microsoft Corporation)
      Cypress USB Mass Storage Driver Installation (Version: - )
      Easy Access Button Support (Version: - )
      eMusic Download Manager 4.1.4 (Version: 4.1.4 - eMusic, Inc.)
      getPlus® for Adobe (Version: 1.5.2.35 - NOS Microsystems Ltd.)
      iTunes (Version: 7.3.0.54 - Apple Inc.)
      Java 7 Update 45 (Version: 7.0.450 - Oracle)
      Java Auto Updater (Version: 2.1.9.8 - Sun Microsystems, Inc.) Hidden
      LiveReg (Symantec Corporation) (Version: 2.4.2.2295 - Symantec Corporation)
      LiveUpdate 1.90 (Symantec Corporation) (Version: 1.90.14.0 - Symantec Corporation)
      Lotus SmartSuite 97 (Version: - )
      Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300 - Malwarebytes Corporation)
      Microsoft .NET Framework 1.1 (Version: - )
      Microsoft .NET Framework 1.1 (Version: 1.1.4322 - Microsoft) Hidden
      Microsoft .NET Framework 1.1 Security Update (KB953297) (Version: - )
      Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729 - Microsoft Corporation)
      Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729 - Microsoft Corporation)
      Microsoft .NET Framework 3.5 SP1 (Version: - Microsoft Corporation)
      Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729 - Microsoft Corporation) Hidden
      Microsoft Base Smart Card Cryptographic Service Provider Package (Version: - Microsoft Corporation)
      Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1 - Microsoft Corporation)
      Microsoft Internationalized Domain Names Mitigation APIs (Version: - Microsoft Corporation) Hidden
      Microsoft National Language Support Downlevel APIs (Version: - Microsoft Corporation) Hidden
      Microsoft Office 2000 SR-1 Premium (Version: 9.00.9327 - Microsoft Corporation)
      Microsoft Office Standard Edition 2003 (Version: 11.0.5614.0 - Microsoft Corporation)
      Microsoft User-Mode Driver Framework Feature Pack 1.0 (Version: - Microsoft Corporation)
      Mozilla Firefox 26.0 (x86 en-US) (Version: 26.0 - Mozilla)
      Mozilla Maintenance Service (Version: 26.0 - Mozilla)
      MSRedist (Version: 1.0.0.0 - Symantec Corp) Hidden
      MSXML 4.0 SP2 (KB925672) (Version: 4.20.9839.0 - Microsoft Corporation)
      MSXML 4.0 SP2 (KB927978) (Version: 4.20.9841.0 - Microsoft Corporation)
      MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0 - Microsoft Corporation)
      MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0 - Microsoft Corporation)
      MSXML 6 Service Pack 2 (KB954459) (Version: 6.20.1099.0 - Microsoft Corporation)
      Napster (Version: 2.0.7.2 - Napster)
      Nokia Connectivity Adapter Cable DKU-5 (Version: - )
      Norton AntiVirus 2004 (Symantec Corporation) (Version: 10.00.00 - Symantec Corporation)
      Norton AntiVirus 2004 (Version: 10.00.00 - Symantec Corporation) Hidden
      Norton AntiVirus Parent MSI (Version: 10.0.0 - Symantec Corp.) Hidden
      Norton AntiVirus SYMLT MSI (Version: 10.0.0 - Symantec Corp.) Hidden
      Norton WMI Update (Version: 2005.1.2.20 - Symantec Corporation)
      QuickTime (Version: 7.1.6.200 - Apple Computer, Inc.)
      Roxio Burn Engine (Version: 1.2.0000 - Roxio Inc.,) Hidden
      Roxio Easy Media Creator 7 (Version: 7.1.1.189 - Roxio, Inc.)
      Sibelius Scorch (ActiveX Only) (Version: 6.1.0 - Sibelius Software)
      Sibelius Scorch (Firefox, Opera, Netscape only) (Version: 6.2.0 - Sibelius Software)
      Symantec Network Drivers Update (Version: 5.5.1.6 - Symantec Corporation) Hidden
      Symantec pcAnywhere (Version: 11.0.1 - Symantec)
      Symantec Script Blocking Installer (Version: 1.0.0 - Symantec) Hidden
      SymNet (Version: 4.7.1 - Symantec Corp) Hidden
      Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1 - Microsoft Corporation)
      Update for Windows Internet Explorer 7 (KB976749) (Version: 1 - Microsoft Corporation)
      Update for Windows XP (KB951978) (Version: 1 - Microsoft Corporation)
      Update for Windows XP (KB955839) (Version: 1 - Microsoft Corporation)
      Update for Windows XP (KB967715) (Version: 1 - Microsoft Corporation)
      Update for Windows XP (KB968389) (Version: 1 - Microsoft Corporation)
      Update for Windows XP (KB973815) (Version: 1 - Microsoft Corporation)
      USB Storage Adapter FX (SM1) (Version: - )
      WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
      Whiz FTP 1.0 (Version: 1.0 - WhizSoftware.com)
      Windows Genuine Advantage Notifications (KB905474) (Version: 1.9.0040.0 - Microsoft Corporation)
      Windows Genuine Advantage Validation Tool (KB892130) (Version: - Microsoft Corporation)
      Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2 - Microsoft Corporation)
      Windows Imaging Component (Version: 3.0.0.0 - Microsoft Corporation)
      Windows Internet Explorer 7 (Version: 20061027.150806 - Microsoft Corporation)
      Windows Media Format 11 runtime (Version: - )
      Windows Media Format 11 runtime (Version: - Microsoft Corporation) Hidden
      Windows Media Format SDK Hotfix - KB891122 (Version: - Microsoft Corporation) Hidden
      Windows Media Player 11 (Version: - )
      Windows Media Player 11 (Version: - Microsoft Corporation) Hidden
      Windows Presentation Foundation (Version: 3.0.6920.0 - Microsoft Corporation) Hidden
      Windows XP Service Pack 3 (Version: 20080414.031525 - Microsoft Corporation)
      XML Paper Specification Shared Components Pack 1.0 (Version: - Microsoft Corporation) Hidden

      ==================== Restore Points =========================

      18-12-2013 03:37:11 System Checkpoint
      19-12-2013 04:12:12 System Checkpoint
      20-12-2013 15:57:25 System Checkpoint
      21-12-2013 17:48:48 System Checkpoint
      22-12-2013 19:40:14 System Checkpoint
      23-12-2013 23:33:52 System Checkpoint
      26-12-2013 01:31:54 System Checkpoint
      27-12-2013 01:52:25 System Checkpoint
      28-12-2013 02:32:23 System Checkpoint
      29-12-2013 03:19:49 System Checkpoint
      30-12-2013 14:27:23 System Checkpoint
      31-12-2013 16:20:33 System Checkpoint
      01-01-2014 17:54:39 System Checkpoint
      02-01-2014 23:27:42 System Checkpoint
      03-01-2014 23:59:40 System Checkpoint
      05-01-2014 02:03:28 System Checkpoint
      06-01-2014 19:25:08 System Checkpoint
      08-01-2014 02:12:02 System Checkpoint
      09-01-2014 03:46:04 System Checkpoint
      10-01-2014 03:50:44 System Checkpoint
      11-01-2014 01:24:36 Malwarebytes Anti-Rootkit Restore Point

      ==================== Hosts content: ==========================

      2012-07-02 14:29 - 2012-07-12 16:50 - 00000795 ____A C:\WINDOWS\system32\Drivers\etc\hosts
      127.0.0.1 localhost

      ==================== Scheduled Tasks (whitelisted) =============

      Task: C:\WINDOWS\Tasks\AppleSoftwareUpdate.job => C:\Program Files\Apple Software Update\SoftwareUpdate.exe
      Task: C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Albert.job => C:\PROGRA~1\NORTON~1\NAVW32.EXE
      Task: C:\WINDOWS\Tasks\Symantec NetDetect.job => C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE

      ==================== Loaded Modules (whitelisted) =============

      ==================== Alternate Data Streams (whitelisted) =========

      ==================== Safe Mode (whitelisted) ===================

      ==================== Faulty Device Manager Devices =============

      Name: SMC EZ Card 10/100 PCI (SMC1211 Series)
      Description: SMC EZ Card 10/100 PCI (SMC1211 Series)
      Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
      Manufacturer: SMC
      Service: SMC1211
      Problem: : This device is disabled. (Code 22)
      Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

      ==================== Event log errors: =========================

      Application errors:
      ==================
      Error: (10/04/2013 03:20:32 PM) (Source: Application Error) (User: )
      Description: Faulting application plugin-container.exe, version 23.0.1.4974, faulting module mozalloc.dll, version 23.0.1.4974, fault address 0x00001988.
      Processing media-specific event for [plugin-container.exe!ws!]

      Error: (09/18/2013 07:38:46 AM) (Source: Application Hang) (User: )
      Description: Hanging application notepad.exe, version 5.1.2600.5512, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

      Error: (09/18/2013 07:38:46 AM) (Source: Application Hang) (User: )
      Description: Hanging application notepad.exe, version 5.1.2600.5512, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

      Error: (09/02/2013 05:02:05 PM) (Source: Application Hang) (User: )
      Description: Hanging application iexplore.exe, version 7.0.6000.16915, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

      Error: (08/19/2013 10:33:20 PM) (Source: Application Hang) (User: )
      Description: Hanging application EXCEL.EXE, version 11.0.5612.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

      Error: (08/19/2013 10:33:20 PM) (Source: Application Hang) (User: )
      Description: Hanging application EXCEL.EXE, version 11.0.5612.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

      Error: (08/19/2013 10:33:20 PM) (Source: Application Hang) (User: )
      Description: Hanging application EXCEL.EXE, version 11.0.5612.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

      Error: (07/24/2013 09:32:18 AM) (Source: Application Hang) (User: )
      Description: Hanging application firefox.exe, version 21.0.0.4879, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

      Error: (07/10/2013 07:21:17 PM) (Source: Application Hang) (User: )
      Description: Hanging application explorer.exe, version 6.0.2900.5512, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

      Error: (07/10/2013 07:21:17 PM) (Source: Application Hang) (User: )
      Description: Hanging application explorer.exe, version 6.0.2900.5512, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

      System errors:
      =============
      Error: (01/11/2014 08:33:57 AM) (Source: 0) (User: )
      Description: AMLI0x750x74 - 0x76

      Error: (01/11/2014 08:33:57 AM) (Source: 0) (User: )
      Description: AMLI0x740x74 - 0x76

      Error: (01/10/2014 04:17:13 PM) (Source: 0) (User: )
      Description: \Device\Ide\IdePort0

      Error: (01/10/2014 04:11:01 PM) (Source: 0) (User: )
      Description: \Device\Ide\IdePort0

      Error: (01/10/2014 04:10:29 PM) (Source: 0) (User: )
      Description: \Device\Ide\IdePort0

      Error: (01/10/2014 04:06:59 PM) (Source: 0) (User: )
      Description: \Device\Ide\IdePort0

      Error: (01/10/2014 03:08:48 PM) (Source: 0) (User: )
      Description: \Device\Ide\IdePort0

      Error: (01/10/2014 02:54:11 PM) (Source: 0) (User: )
      Description: AMLI0x750x74 - 0x76

      Error: (01/10/2014 02:54:11 PM) (Source: 0) (User: )
      Description: AMLI0x740x74 - 0x76

      Error: (01/10/2014 02:47:32 PM) (Source: 0) (User: )
      Description: \Device\Ide\IdePort0

      Microsoft Office Sessions:
      =========================
      Error: (10/04/2013 03:20:32 PM) (Source: Application Error)(User: )
      Description: plugin-container.exe23.0.1.4974mozalloc.dll23.0.1.497400001988

      Error: (09/18/2013 07:38:46 AM) (Source: Application Hang)(User: )
      Description: notepad.exe5.1.2600.5512hungapp0.0.0.000000000

      Error: (09/18/2013 07:38:46 AM) (Source: Application Hang)(User: )
      Description: notepad.exe5.1.2600.5512hungapp0.0.0.000000000

      Error: (09/02/2013 05:02:05 PM) (Source: Application Hang)(User: )
      Description: iexplore.exe7.0.6000.16915hungapp0.0.0.000000000

      Error: (08/19/2013 10:33:20 PM) (Source: Application Hang)(User: )
      Description: EXCEL.EXE11.0.5612.0hungapp0.0.0.000000000

      Error: (08/19/2013 10:33:20 PM) (Source: Application Hang)(User: )
      Description: EXCEL.EXE11.0.5612.0hungapp0.0.0.000000000

      Error: (08/19/2013 10:33:20 PM) (Source: Application Hang)(User: )
      Description: EXCEL.EXE11.0.5612.0hungapp0.0.0.000000000

      Error: (07/24/2013 09:32:18 AM) (Source: Application Hang)(User: )
      Description: firefox.exe21.0.0.4879hungapp0.0.0.000000000

      Error: (07/10/2013 07:21:17 PM) (Source: Application Hang)(User: )
      Description: explorer.exe6.0.2900.5512hungapp0.0.0.000000000

      Error: (07/10/2013 07:21:17 PM) (Source: Application Hang)(User: )
      Description: explorer.exe6.0.2900.5512hungapp0.0.0.000000000

      ==================== Memory info ===========================

      Percentage of memory in use: 58%
      Total physical RAM: 510.45 MB
      Available physical RAM: 209.77 MB
      Total Pagefile: 1246.06 MB
      Available Pagefile: 997.2 MB
      Total Virtual: 2047.88 MB
      Available Virtual: 1952.68 MB

      ==================== Drives ================================

      Drive c: () (Fixed) (Total:13.98 GB) (Free:0.63 GB) NTFS ==>[Drive with boot components (Windows XP)]
      Drive f: () (Removable) (Total:7.45 GB) (Free:7.39 GB) FAT32

      ==================== MBR & Partition Table ==================

      ========================================================
      Disk: 0 (MBR Code: Windows XP) (Size: 14 GB) (Disk ID: 9800481F)
      Partition 1: (Active) - (Size=14 GB) - (Type=07 NTFS)

      ========================================================
      Disk: 1 (Size: 7 GB) (Disk ID: 00000000)
      Partition 1: (Not Active) - (Size=7 GB) - (Type=0B)

      ==================== End Of Log ============================

      FRST.TXT is attached due to larger size. FRST.txt
  15. I downloaded DDS.COM again and ran it again. The dialog box still indicated that ONLY ATTACH.TXT was created. I searched for DDS.TXT on the entire drive and nothing was found. This log is apparently NOT getting created. Also, although it is probably not important at this point, Windows gives me an "Access Denied" slap when trying to open the System Volume Information folder. And yes, the hidden and system file "views" are set to show those files. This is the latest "ATTACH.TXT".

      .
      UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT
      .
      DDS (Ver_2012-11-20.01)
      .
      Microsoft Windows XP Professional
      Boot Device: \Device\HarddiskVolume1
      Install Date: 11/15/2006 4:49:41 PM
      System Uptime: 1/11/2014 8:29:56 AM (3 hours ago)
      .
      Motherboard: Compaq | | 06C0h
      Processor: Intel Celeron processor | J1 | 598/66mhz
      .
      ==== Disk Partitions =========================
      .
      A: is Removable
      C: is FIXED (NTFS) - 14 GiB total, 0.675 GiB free.
      E: is CDROM ()
      .
      ==== Disabled Device Manager Items =============
      .
      Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
      Description: SMC EZ Card 10/100 PCI (SMC1211 Series)
      Device ID: PCI\VEN_1113&DEV_1211&SUBSYS_12111113&REV_10\4&24AB0D93&0&48F0
      Manufacturer: SMC
      Name: SMC EZ Card 10/100 PCI (SMC1211 Series)
      PNP Device ID: PCI\VEN_1113&DEV_1211&SUBSYS_12111113&REV_10\4&24AB0D93&0&48F0
      Service: SMC1211
      .
      ==== System Restore Points ===================
      .
      RP1284: 12/17/2013 9:37:11 PM - System Checkpoint
      RP1285: 12/18/2013 10:12:12 PM - System Checkpoint
      RP1286: 12/20/2013 9:57:25 AM - System Checkpoint
      RP1287: 12/21/2013 11:48:48 AM - System Checkpoint
      RP1288: 12/22/2013 1:40:14 PM - System Checkpoint
      RP1289: 12/23/2013 5:33:52 PM - System Checkpoint
      RP1290: 12/25/2013 7:31:54 PM - System Checkpoint
      RP1291: 12/26/2013 7:52:25 PM - System Checkpoint
      RP1292: 12/27/2013 8:32:23 PM - System Checkpoint
      RP1293: 12/28/2013 9:19:49 PM - System Checkpoint
      RP1294: 12/30/2013 8:27:23 AM - System Checkpoint
      RP1295: 12/31/2013 10:20:33 AM - System Checkpoint
      RP1296: 1/1/2014 11:54:39 AM - System Checkpoint
      RP1297: 1/2/2014 5:27:42 PM - System Checkpoint
      RP1298: 1/3/2014 5:59:40 PM - System Checkpoint
      RP1299: 1/4/2014 8:03:28 PM - System Checkpoint
      RP1300: 1/6/2014 1:25:08 PM - System Checkpoint
      RP1301: 1/7/2014 8:12:02 PM - System Checkpoint
      RP1302: 1/8/2014 9:46:04 PM - System Checkpoint
      RP1303: 1/9/2014 9:50:44 PM - System Checkpoint
      RP1304: 1/10/2014 7:24:36 PM - Malwarebytes Anti-Rootkit Restore Point
      .
      ==== Image File Execution Options =============
      .
      IFEO: Your Image File Name Here without a path - ntsd -d
      .
      ==== Installed Programs ======================
      .
      .
      ==== End Of File ===========================
  16. I did search for DDS.TXT and nothing was found. The dialog box at the end of DDS only indicated the creation of ATTACH.TXT. I'll go ahead and delete the oldest restore points, as you are suggesting. Next? Thanks!
  17. When I initially ran DDS, it did not appear to create a DDS.TXT file. While I thought that was strange, I sent what I had. I have just run DDS again and it reports that it has created 1 log file, attach.txt, in the dialog box that opens when the program completes. I have deleted the folder structure:

      [ZeroAccess][Folder] U : C:\Documents and Settings\Albert\Local Settings\Application Data\{9296831f-6042-ae39-72a1-6f99a1860743}\U [-] --> FOUND
      [ZeroAccess][Folder] L : C:\Documents and Settings\Albert\Local Settings\Application Data\{9296831f-6042-ae39-72a1-6f99a1860743}\L [-] --> FOUND

      as you said I could. Thanks!
  18. Hi, Just wanted to follow up to see if I had given you what you need to proceed to the next step. Also FWIW, I looked at these:

      [ZeroAccess][Folder] U : C:\Documents and Settings\Albert\Local Settings\Application Data\{9296831f-6042-ae39-72a1-6f99a1860743}\U [-] --> FOUND
      [ZeroAccess][Folder] L : C:\Documents and Settings\Albert\Local Settings\Application Data\{9296831f-6042-ae39-72a1-6f99a1860743}\L [-] --> FOUND

      The folders are present, but are empty, possibly left over from a previous issue. No files are contained within this folder structure. Thanks!
  19. .
      UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT
      .
      DDS (Ver_2012-11-20.01)
      .
      Microsoft Windows XP Professional
      Boot Device: \Device\HarddiskVolume1
      Install Date: 11/15/2006 4:49:41 PM
      System Uptime: 1/10/2014 2:50:10 PM (5 hours ago)
      .
      Motherboard: Compaq | | 06C0h
      Processor: Intel Celeron processor | J1 | 598/66mhz
      .
      ==== Disk Partitions =========================
      .
      A: is Removable
      C: is FIXED (NTFS) - 14 GiB total, 0.673 GiB free.
      D: is Removable
      E: is CDROM ()
      F: is Removable
      .
      ==== Disabled Device Manager Items =============
      .
      Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
      Description: SMC EZ Card 10/100 PCI (SMC1211 Series)
      Device ID: PCI\VEN_1113&DEV_1211&SUBSYS_12111113&REV_10\4&24AB0D93&0&48F0
      Manufacturer: SMC
      Name: SMC EZ Card 10/100 PCI (SMC1211 Series)
      PNP Device ID: PCI\VEN_1113&DEV_1211&SUBSYS_12111113&REV_10\4&24AB0D93&0&48F0
      Service: SMC1211
      .
      ==== System Restore Points ===================
      .
      RP1284: 12/17/2013 9:37:11 PM - System Checkpoint
      RP1285: 12/18/2013 10:12:12 PM - System Checkpoint
      RP1286: 12/20/2013 9:57:25 AM - System Checkpoint
      RP1287: 12/21/2013 11:48:48 AM - System Checkpoint
      RP1288: 12/22/2013 1:40:14 PM - System Checkpoint
      RP1289: 12/23/2013 5:33:52 PM - System Checkpoint
      RP1290: 12/25/2013 7:31:54 PM - System Checkpoint
      RP1291: 12/26/2013 7:52:25 PM - System Checkpoint
      RP1292: 12/27/2013 8:32:23 PM - System Checkpoint
      RP1293: 12/28/2013 9:19:49 PM - System Checkpoint
      RP1294: 12/30/2013 8:27:23 AM - System Checkpoint
      RP1295: 12/31/2013 10:20:33 AM - System Checkpoint
      RP1296: 1/1/2014 11:54:39 AM - System Checkpoint
      RP1297: 1/2/2014 5:27:42 PM - System Checkpoint
      RP1298: 1/3/2014 5:59:40 PM - System Checkpoint
      RP1299: 1/4/2014 8:03:28 PM - System Checkpoint
      RP1300: 1/6/2014 1:25:08 PM - System Checkpoint
      RP1301: 1/7/2014 8:12:02 PM - System Checkpoint
      RP1302: 1/8/2014 9:46:04 PM - System Checkpoint
      RP1303: 1/9/2014 9:50:44 PM - System Checkpoint
      RP1304: 1/10/2014 7:24:36 PM - Malwarebytes Anti-Rootkit Restore Point
      .
      ==== Image File Execution Options =============
      .
      IFEO: Your Image File Name Here without a path - ntsd -d
      .
      ==== Installed Programs ======================
      .
      .
      ==== End Of File ===========================

      RogueKiller V8.8.0 [Dec 27 2013] by Tigzy
      mail : tigzyRK<at>gmail<dot>com
      Feedback : http://www.adlice.com/forum/
      Website : http://www.adlice.com/softwares/roguekiller/
      Blog : http://www.adlice.com

      Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
      Started in : Normal mode
      User : Albert [Admin rights]
      Mode : Scan -- Date : 01/10/2014 19:40:08
      | ARK || FAK || MBR |

      ¤¤¤ Bad processes : 0 ¤¤¤

      ¤¤¤ Registry Entries : 2 ¤¤¤
      [HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
      [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

      ¤¤¤ Scheduled tasks : 0 ¤¤¤

      ¤¤¤ Startup Entries : 0 ¤¤¤

      ¤¤¤ Web browsers : 0 ¤¤¤

      ¤¤¤ Browser Addons : 0 ¤¤¤

      ¤¤¤ Particular Files / Folders: ¤¤¤
      [ZeroAccess][Folder] U : C:\Documents and Settings\Albert\Local Settings\Application Data\{9296831f-6042-ae39-72a1-6f99a1860743}\U [-] --> FOUND
      [ZeroAccess][Folder] L : C:\Documents and Settings\Albert\Local Settings\Application Data\{9296831f-6042-ae39-72a1-6f99a1860743}\L [-] --> FOUND

      ¤¤¤ Driver : [NOT LOADED 0xc0000033] ¤¤¤

      ¤¤¤ External Hives: ¤¤¤

      ¤¤¤ Infection : ZeroAccess ¤¤¤

      ¤¤¤ HOSTS File: ¤¤¤
      --> %SystemRoot%\System32\drivers\etc\hosts

      127.0.0.1 localhost

      ¤¤¤ MBR Check: ¤¤¤

      +++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) QUANTUM FIREBALLlct15 15 +++++
      --- User ---
      [MBR] b41d2588dead6740e4b076f52cbdfa37
      [bSP] addccc32774d68cd54e4c5a347637dfc : Windows XP MBR Code
      Partition table:
      0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 14315 Mo
      User = LL1 ... OK!
      User = LL2 ... OK!

      +++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ USB) SanDisk Cruzer USB Device +++++
      --- User ---
      [MBR] a124dc1f32b91ceacb765c7a5ad6ec2e
      [bSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
      Partition table:
      0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 32 | Size: 15266 Mo
      User = LL1 ... OK!
      Error reading LL2 MBR! ([0x32] The request is not supported. )

      +++++ PhysicalDrive2: (\\.\PHYSICALDRIVE2 @ USB) SanDisk Cruzer Switch USB Device +++++
      --- User ---
      [MBR] 33a0f33fb7e7f518f64aedcb9dad35b0
      [bSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
      Partition table:
      0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 32 | Size: 7633 Mo
      User = LL1 ... OK!
      Error reading LL2 MBR! ([0x32] The request is not supported. )

      Finished : << RKreport[0]_S_01102014_194008.txt >>
  20. I am getting ready to run DDS, but have a couple of questions:

      - Can these tools be run from a "jump drive" rather than from the desktop? The PC in question is an older one and disk space is really scarce.
      - Does the PC need to have Internet access for the tools to install / operate? Because of the nature of the problem, I have this machine isolated from the Internet.

      Thanks!
  21. This may or may not be an "infection", but the activity is suspicious. Everything on the PC (Windows XP, SP3) seems to work normally, except for the fact that explorer.exe is creating a large number (25-30) of simultaneous TCP connections on TCP port 80 and transferring significant numbers of data packets. This did happen one time previously, but running MBAM and MBAR seemed to resolve the issue. The IP addresses being contacted do look to be legitimate (Google, Akamai, and other US-based cloud-hosting locations, etc.), but today the problem seems to have returned, whereby excessive bandwidth is being consumed. I can see no reason why explorer.exe should want to create all of these connections. Just as an aside, this was happening without any browsers being launched. EXPLORER.EXE was the source of the questionable connections, in all cases. MBAM turned up nothing. Thanks!