Thanks for helping. ping.exe


I have a ping.exe popup about every 100 seconds.

MalwareBytes detects 2 rootkits in \System Volume Information\

but only when I ran the scan in safe mode.

Disinfect did not last. I do not have audio.

It prevents me from installing Microsoft Security Essentials, and does not allow me to look at my firewall. However, I can see I have a firewall by moving about in safe mode.

Attached is my DDS text. Thank you for helping me! ~willow~

DDS (Ver_2012-10-14.05) - NTFS_x86

Internet Explorer: 8.0.6001.18702

Run by User at 23:40:05 on 2012-10-16

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.38 [GMT -6:00]

.

.

============== Running Processes ================

.

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\System32\svchost.exe -k eapsvcs

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\System32\svchost.exe -k dot3svc

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\System32\svchost.exe -k netsvcs

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

uProxyOverride = <local>

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1

mPolicies-Explorer: NoDriveTypeAutoRun = dword:145

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

LSP: mswsock.dll

DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20614.www2.hp.com/ediags/gmd/Install/Cab/hpdetect119b.cab

TCP: NameServer = 192.168.0.1 205.171.3.25

TCP: Interfaces\{18858CE0-7C46-4096-94BA-2794DAD47486} : DHCPNameServer = 192.168.15.1

TCP: Interfaces\{A6C89752-2FA4-4916-B0BE-03494BD3880D} : DHCPNameServer = 192.168.0.1 205.171.3.25

TCP: Interfaces\{B4139F04-C7AE-4233-B996-227482E15FB1} : DHCPNameServer = 192.168.0.1 205.171.3.25

Notify: AtiExtEvent - <no file>

Notify: NavLogon - <no file>

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

============= SERVICES / DRIVERS ===============

.

R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-10-11 399432]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-10-11 676936]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-10-11 22856]

S2 ofcservice;Ccpwdsvc;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-3-31 250808]

S3 KBCAM;JamC@m USB service;c:\windows\system32\drivers\KBCAM.sys [2008-12-11 16384]

S3 KLSIENET;Driver for USB Ethernet Adapter;c:\windows\system32\drivers\usb101et.sys [2012-10-3 32384]

S3 Linksys_adapter_H;Linksys Adapter Network Driver;c:\windows\system32\drivers\AE2500xp.sys [2012-10-3 1034240]

.

=============== Created Last 30 ================

.

2012-10-11 14:29:36 -------- d-----w- C:\9cade25de7a102557e66b6a177

2012-10-11 13:57:07 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-10-11 13:52:25 139784 -c----w- c:\windows\system32\dllcache\rdpwd.sys

2012-10-11 13:36:09 -------- d-----w- c:\windows\system32\wbem\repository\FS

2012-10-11 13:36:09 -------- d-----w- c:\windows\system32\wbem\Repository

2012-10-10 22:56:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-10-09 02:19:38 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll

2012-10-09 02:08:49 105472 -c----w- c:\windows\system32\dllcache\mup.sys

2012-10-03 23:23:19 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys

2012-10-03 23:23:17 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll

2012-10-03 23:23:17 3072 ------w- c:\windows\system32\iacenc.dll

2012-10-03 23:20:21 77824 ----a-r- c:\windows\system32\nvuenet.exe

2012-10-03 23:20:21 54784 ----a-r- c:\windows\system32\drivers\NVENET.sys

2012-10-03 23:14:59 -------- d-----w- c:\program files\HP

2012-10-03 22:15:56 -------- d-----w- c:\documents and settings\all users\application data\Geek Squad

2012-10-03 20:19:04 1034240 ----a-r- c:\windows\system32\drivers\AE2500xp.sys

2012-10-03 20:18:23 88696 ----a-r- c:\windows\system32\packet.dll

2012-10-03 20:18:23 68224 ----a-r- c:\windows\system32\WanPacket.dll

2012-10-03 20:18:23 53299 ----a-r- c:\windows\system32\pthreadVC.dll

2012-10-03 20:18:23 34064 ----a-r- c:\windows\system32\drivers\npf.sys

2012-10-03 20:18:23 240248 ----a-r- c:\windows\system32\wpcap.dll

2012-10-03 19:52:51 32384 -c--a-w- c:\windows\system32\dllcache\usb101et.sys

2012-10-03 19:52:51 32384 ----a-w- c:\windows\system32\drivers\usb101et.sys

.

==================== Find3M ====================

.

2012-10-17 00:04:29 0 --sha-w- c:\windows\system32\dds_trash_log.cmd

2012-10-11 14:14:08 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-10-11 14:14:08 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-08-28 15:14:53 916992 ----a-w- c:\windows\system32\wininet.dll

2012-08-28 15:14:53 43520 ----a-w- c:\windows\system32\licmgr10.dll

2012-08-28 15:14:52 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-08-28 12:07:15 385024 ----a-w- c:\windows\system32\html.iec

2012-08-24 13:53:22 177664 ----a-w- c:\windows\system32\wintrust.dll

.

============= FINISH: 23:41:22.95 ===============


Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

------->Your topic will be closed if you haven't replied within 3 days!<--------


Hi Mr. Charlie. What a comfort it is to co-pilot with a deity.

I'm unable to download the roguekiller.

A popup states that it is not a valid Win32 application.

I have exited my malwarebytes program & have no known programs running when I attempt to download, however I do have a USB optical mouse, no other USBs or externals connected.


Zipfile success!

RogueKiller V8.1.1 [10/01/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website: http://tigzy.geekstogo.com/roguekiller.php

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User : User [Admin rights]

Mode : Scan -- Date : 10/17/2012 10:44:49

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤

[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\WINDOWS\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: HDS728080PLAT20 +++++

--- User ---

[MBR] 25b6f7f00ee924d129722e33c877ea12

[BSP] 6ab81512ed7b103b5f7d01d89b81ec91 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76308 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

RKreport[1].txt

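What RogueKiller's "MBR Check" above is summarising, as an added worked example in Python (not part of the thread and not RogueKiller's code): read a 512-byte master boot record, verify the 0x55AA boot signature, walk the four 16-byte partition entries, hash the sector, and sanity-check the table against the drive size. The sample sector is constructed to match the table in the report (one active NTFS partition, offset 63 sectors, 0x950A5C1 sectors, which is the 76308 Mo RogueKiller prints and the 74.52 GB the other logs show), with the boot-code area left as zeros, so its hashes will not equal the [MBR] and [BSP] values in the log. Which byte ranges RogueKiller hashes for those two values is not stated on the page; hashing the whole sector and the 446-byte boot-code area is an assumption of this example, as is the drive size in sectors, taken from the 0x12A1F16000 bytes TDSSKiller reports later in the thread.

```python
"""Parse and sanity-check a 512-byte MBR: boot signature, partition table, sector hashes."""
import hashlib
import struct

SECTOR_BYTES = 512
BOOT_CODE_BYTES = 446          # boot code, then 4 x 16-byte partition entries, then 0x55AA
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"

PARTITION_TYPES = {
    0x00: "Empty", 0x05: "Extended", 0x07: "NTFS", 0x0B: "FAT32",
    0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)", 0x17: "Hidden NTFS",
}
# Type codes for hidden variants of common partition types (bit 4 set on the base code).
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}


def parse_mbr(sector):
    """Return hashes and the non-empty partition entries of one MBR sector."""
    if len(sector) != SECTOR_BYTES:
        raise ValueError(f"expected {SECTOR_BYTES} bytes, got {len(sector)}")
    if sector[510:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for index in range(4):
        offset = BOOT_CODE_BYTES + index * ENTRY_SIZE
        # status(1) CHS-start(3, ignored) type(1) CHS-end(3, ignored) LBA-start(4) sector-count(4)
        status, ptype, lba_start, lba_count = struct.unpack_from("<B3xB3xII", sector, offset)
        if ptype == 0x00 and lba_count == 0:
            continue
        partitions.append({
            "index": index,
            "active": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "Unknown"),
            "hidden": ptype in HIDDEN_TYPES,
            "lba_start": lba_start,
            "lba_count": lba_count,
            "size_mb": lba_count * SECTOR_BYTES // (1024 * 1024),
        })
    return {
        "mbr_md5": hashlib.md5(sector).hexdigest(),                    # whole sector (assumed)
        "boot_code_md5": hashlib.md5(sector[:BOOT_CODE_BYTES]).hexdigest(),  # code area (assumed)
        "partitions": partitions,
    }


def check_partitions(partitions, disk_sectors):
    """Return a list of anomalies: bad active count, entries past the disk end, overlaps."""
    problems = []
    active = [p for p in partitions if p["active"]]
    if len(active) != 1:
        problems.append(f"expected exactly one active partition, found {len(active)}")
    for p in partitions:
        end = p["lba_start"] + p["lba_count"]
        if p["lba_start"] == 0:
            problems.append(f"partition {p['index']} starts at LBA 0 and overlaps the MBR")
        if end > disk_sectors:
            problems.append(f"partition {p['index']} ends at LBA {end}, past the disk's {disk_sectors} sectors")
    ordered = sorted(partitions, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["lba_count"] > b["lba_start"]:
            problems.append(f"partitions {a['index']} and {b['index']} overlap")
    return problems


def format_entry(p):
    """One partition line in the same layout RogueKiller uses."""
    flags = "[ACTIVE] " if p["active"] else ""
    visibility = "[HIDDEN]" if p["hidden"] else "[VISIBLE]"
    return (f"{p['index']} - {flags}{p['type_name']} (0x{p['type']:02X}) {visibility} "
            f"Offset (sectors): {p['lba_start']} | Size: {p['size_mb']} Mo")


def build_sample_mbr():
    """Constructed sector reproducing the table in the report; boot code left as zeros."""
    sector = bytearray(SECTOR_BYTES)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 0x950A5C1)
    sector[BOOT_CODE_BYTES:BOOT_CODE_BYTES + ENTRY_SIZE] = entry
    sector[510:] = BOOT_SIGNATURE
    return bytes(sector)


# Drive size TDSSKiller reported for this disk, in 512-byte sectors (assumed to be the same disk).
SAMPLE_DISK_SECTORS = 0x12A1F16000 // SECTOR_BYTES

if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print("[MBR]", info["mbr_md5"])
    print("[BSP]", info["boot_code_md5"])
    for p in info["partitions"]:
        print(format_entry(p))
    print("problems:", check_partitions(info["partitions"], SAMPLE_DISK_SECTORS) or "none")
```

To run this against a real drive instead of the constructed sector, read the first 512 bytes of the physical device (on Windows, `\\.\PhysicalDrive0` opened with administrator rights) and pass them to `parse_mbr`; a hash that differs from a known-good value, a second active entry, or an entry extending past the disk are the kinds of findings a bootkit check is looking for.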

Once again please use the default font, don't use bold > Thanks

~~~~~~~~~~~~~~~~~~~~

Please download Listparts

Run the tool, click Scan and post the log (Result.txt) it makes

~~~~~~~~~~~~~~~~~~

Then............

Please read the directions carefully so you don't end up deleting something that is good!!

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
    Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
  • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC


Mr. Charlie, I am humbled by the fumble with the messaging font. Thank you for your patience.

On a positive note: Thanks to your instruction, I'm looking pretty good over here.

First, the Listparts log:

ListParts by Farbar Version: 16-10-2012

Ran by User (administrator) on 17-10-2012 at 21:24:08

Windows XP (X86)

Running From: C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\5800MX3B

Language: 0409

************************************************************

========================= Memory info ======================

Percentage of memory in use: 94%

Total physical RAM: 447.36 MB

Available physical RAM: 24.14 MB

Total Pagefile: 722.53 MB

Available Pagefile: 365.43 MB

Total Virtual: 2047.88 MB

Available Virtual: 2000.08 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:74.52 GB) (Free:66.17 GB) NTFS ==>[Drive with boot components (Windows XP)]

Disk ### Status Size Free Dyn Gpt

-------- ---------- ------- ------- --- ---

Disk 0 Online 75 GB 0 B

Partitions of Disk 0:

===============

The disk management services could not complete the operation.

======================================================================================================

****** End Of Log ******


21:41:13.0359 0740 TDSS rootkit removing tool 2.8.13.0 Oct 12 2012 17:26:47

21:41:13.0828 0740 ============================================================

21:41:13.0828 0740 Current date / time: 2012/10/17 21:41:13.0828

21:41:13.0828 0740 SystemInfo:

21:41:13.0828 0740

21:41:13.0828 0740 OS Version: 5.1.2600 ServicePack: 3.0

21:41:13.0828 0740 Product type: Workstation

21:41:13.0828 0740 ComputerName: SR1602HM

21:41:13.0828 0740 UserName: User

21:41:13.0828 0740 Windows directory: C:\WINDOWS

21:41:13.0828 0740 System windows directory: C:\WINDOWS

21:41:13.0828 0740 Processor architecture: Intel x86

21:41:13.0828 0740 Number of processors: 1

21:41:13.0828 0740 Page size: 0x1000

21:41:13.0828 0740 Boot type: Normal boot

21:41:13.0828 0740 ============================================================

21:41:16.0406 0740 Drive \Device\Harddisk0\DR0 - Size: 0x12A1F16000 (74.53 Gb), SectorSize: 0x200, Cylinders: 0x2601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054

21:41:16.0421 0740 ============================================================

21:41:16.0421 0740 \Device\Harddisk0\DR0:

21:41:16.0421 0740 MBR partitions:

21:41:16.0421 0740 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x950A5C1

21:41:16.0421 0740 ============================================================

21:41:16.0468 0740 C: <-> \Device\Harddisk0\DR0\Partition1

21:41:16.0515 0740 ============================================================

21:41:16.0515 0740 Initialize success

21:41:16.0515 0740 ============================================================

21:42:28.0406 0908 Deinitialize success


TDSSKiller.2.8.13.0_17.10.2012_21.51.39_log.txt

Above, is large Log #2, as an attachment.

Below, Log #3:

21:57:32.0359 0580 TDSS rootkit removing tool 2.8.13.0 Oct 12 2012 17:26:47

21:57:32.0953 0580 ============================================================

21:57:32.0953 0580 Current date / time: 2012/10/17 21:57:32.0953

21:57:32.0953 0580 SystemInfo:

21:57:32.0953 0580

21:57:32.0953 0580 OS Version: 5.1.2600 ServicePack: 3.0

21:57:32.0953 0580 Product type: Workstation

21:57:32.0953 0580 ComputerName: SR1602HM

21:57:32.0953 0580 UserName: User

21:57:32.0953 0580 Windows directory: C:\WINDOWS

21:57:32.0953 0580 System windows directory: C:\WINDOWS

21:57:32.0953 0580 Processor architecture: Intel x86

21:57:32.0953 0580 Number of processors: 1

21:57:32.0953 0580 Page size: 0x1000

21:57:32.0953 0580 Boot type: Normal boot

21:57:32.0953 0580 ============================================================

21:57:36.0875 0580 BG loaded

21:57:37.0312 0580 Drive \Device\Harddisk0\DR0 - Size: 0x12A1F16000 (74.53 Gb), SectorSize: 0x200, Cylinders: 0x2601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054

21:57:37.0359 0580 ============================================================

21:57:37.0359 0580 \Device\Harddisk0\DR0:

21:57:37.0359 0580 MBR partitions:

21:57:37.0359 0580 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x950A5C1

21:57:37.0359 0580 ============================================================

21:57:37.0406 0580 C: <-> \Device\Harddisk0\DR0\Partition1

21:57:37.0515 0580 ============================================================

21:57:37.0515 0580 Initialize success

21:57:37.0515 0580 ============================================================


Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Run TDSSKiller again and choose Delete for this one only: (no need to post the log)

21:55:24.0289 0200 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user

21:55:24.0289 0200 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip

~~~~~~~~~~~~~~~~~

Next...........

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

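The Skip / Cure / Delete rules from the TDSSKiller instructions earlier in the thread, and the follow-up above to Delete only the TDSS File System entry once the logs had been reviewed, as an added worked example in Python (not part of the thread and not Kaspersky's code). It parses TDSSKiller result lines of the shape quoted in this post ("<time> <pid> <object> ( <verdict> ) - <outcome>"), reads the action the user chose, and compares it with the action the rules call for in each phase. The sample log is constructed: its first two lines copy the ones quoted above; the third, an unsigned-driver verdict on a made-up path (example.sys), assumes the same line shape, which the page does not show.

```python
"""Check the actions chosen in a TDSSKiller log against the Skip / Cure / Delete rules used in this thread."""
import re

# One TDSSKiller result line: "<time> <pid> <object> ( <verdict> ) - <outcome>"
RESULT_LINE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<pid>[0-9A-Fa-f]{4})\s+"
    r"(?P<obj>.+?)\s+\(\s*(?P<verdict>[^)]+?)\s*\)\s+-\s+(?P<outcome>.+)$"
)
SELECTED_ACTION = re.compile(r"User select action:\s*(\w+)")

# Verdicts the instructions say to Skip on an unreviewed first pass.
FIRST_PASS_SKIP = {"TDSS File System", "UnsignedFile.Multi.Generic", "LockedFile.Multi.Generic"}
# Objects the helper explicitly authorised for Delete after reviewing the logs.
REVIEWED_DELETE = {"TDSS File System"}


def recommended_action(verdict, phase, cure_available=True):
    """Phase 1: unattended scan, logs not yet reviewed. Phase 2: helper has named what to Delete."""
    if phase == 2 and verdict in REVIEWED_DELETE:
        return "Delete"
    if verdict in FIRST_PASS_SKIP:
        return "Skip"
    # Anything else is a "malicious object": Cure when offered, otherwise Skip, never Delete unprompted.
    return "Cure" if cure_available else "Skip"


def parse_result_line(line):
    """Return a dict for a result line, or None for SystemInfo, separator and other lines."""
    match = RESULT_LINE.match(line.strip())
    if not match:
        return None
    record = match.groupdict()
    selected = SELECTED_ACTION.search(record["outcome"])
    record["selected"] = selected.group(1) if selected else None
    return record


def triage(log_text, phase):
    """List every object on which the user picked an action, with the action the rules call for."""
    findings = []
    for line in log_text.splitlines():
        record = parse_result_line(line)
        # "skipped by user" restates the choice; only the "User select action" line carries it.
        if record is None or record["selected"] is None:
            continue
        wanted = recommended_action(record["verdict"], phase)
        findings.append({
            "object": record["obj"],
            "verdict": record["verdict"],
            "selected": record["selected"],
            "recommended": wanted,
            "ok": record["selected"] == wanted,
        })
    return findings


# Constructed sample: lines 1-2 copy the thread's log; line 3 assumes the same shape for an unsigned driver.
SAMPLE_LOG = r"""
21:55:24.0289 0200 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
21:55:24.0289 0200 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
21:55:25.0101 0200 C:\WINDOWS\system32\drivers\example.sys ( UnsignedFile.Multi.Generic ) - User select action: Skip
"""

if __name__ == "__main__":
    for phase in (1, 2):
        print(f"phase {phase}")
        for f in triage(SAMPLE_LOG, phase):
            status = "ok" if f["ok"] else f"CHANGE to {f['recommended']}"
            print(f"  {f['object']} ({f['verdict']}): chose {f['selected']} -> {status}")
```

Run with phase 1, both choices in the sample are correct; with phase 2, the TDSS File System entry is reported as needing Delete, which is exactly the one change the helper asked for, while the unsigned driver stays at Skip.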

Chin Up & Carry On with cleanup, is my decision. I'm rolling with you, Mr. C.

I will reformat and reinstall OS once scrubbed.

The amount of cash a hacker could get from my hippy credit card should disabuse them of any lofty notions.

Combofix txt:

ComboFix 12-10-18.03 - User 10/18/2012 9:55.1.1 - x86

Running from: c:\documents and settings\User\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\857806u6a536h330w210q4bgt1u2

c:\documents and settings\All Users\Application Data\TEMP

c:\documents and settings\All Users\Application Data\TEMP\DFC5A2B2.TMP

c:\windows\system\system32

c:\windows\system\system32\Drivers\kbcam.inf

c:\windows\system\system32\Drivers\kbcam.sys

c:\windows\system32\dds_trash_log.cmd

c:\windows\system32\Packet.dll

c:\windows\system32\pthreadVC.dll

c:\windows\system32\WanPacket.dll

c:\windows\system32\wpcap.dll

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_6TO4

.

.

((((((((((((((((((((((((( Files Created from 2012-09-18 to 2012-10-18 )))))))))))))))))))))))))))))))

.

.

2012-10-18 03:55 . 2012-10-18 14:33 -------- d-----w- C:\TDSSKiller_Quarantine

2012-10-11 14:29 . 2012-10-11 14:29 -------- d-----w- C:\9cade25de7a102557e66b6a177

2012-10-11 13:57 . 2012-09-07 23:04 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-10-11 13:52 . 2012-07-04 14:05 139784 -c----w- c:\windows\system32\dllcache\rdpwd.sys

2012-10-11 13:36 . 2012-10-11 13:36 -------- d-----w- c:\windows\system32\wbem\Repository

2012-10-10 22:56 . 2012-10-11 13:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-10-09 02:19 . 2012-08-28 15:14 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll

2012-10-09 02:08 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys

2012-10-03 23:28 . 2012-10-03 23:28 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth

2012-10-03 23:23 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys

2012-10-03 23:23 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll

2012-10-03 23:23 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll

2012-10-03 23:20 . 2003-04-21 21:18 77824 ----a-r- c:\windows\system32\nvuenet.exe

2012-10-03 23:20 . 2003-04-21 21:18 54784 ----a-r- c:\windows\system32\drivers\NVENET.sys

2012-10-03 23:14 . 2012-10-03 23:14 -------- d-----w- c:\program files\HP

2012-10-03 23:14 . 2012-10-03 23:14 -------- d-----w- c:\program files\Hewlett-Packard

2012-10-03 22:15 . 2012-10-03 22:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Geek Squad

2012-10-03 20:19 . 2011-03-30 06:22 1034240 ----a-r- c:\windows\system32\drivers\AE2500xp.sys

2012-10-03 20:18 . 2007-11-06 19:22 34064 ----a-r- c:\windows\system32\drivers\npf.sys

2012-10-03 19:52 . 2004-08-04 04:31 32384 -c--a-w- c:\windows\system32\dllcache\usb101et.sys

2012-10-03 19:52 . 2004-08-04 04:31 32384 ----a-w- c:\windows\system32\drivers\usb101et.sys

2012-10-03 19:14 . 2012-10-11 13:36 -------- d-----w- c:\documents and settings\Administrator

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-10-18 03:56 . 2004-08-04 12:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys

2012-10-11 14:14 . 2012-03-31 13:31 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-10-11 14:14 . 2011-07-15 21:50 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-08-28 15:14 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll

2012-08-28 15:14 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2012-08-28 15:14 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-08-28 12:07 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec

2012-08-24 13:53 . 2004-08-04 12:00 177664 ----a-w- c:\windows\system32\wintrust.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]

2004-09-07 20:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2012-01-18 20:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2010-01-16 08:12 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WMPNetworkSvc"=3 (0x3)

"MatSvc"=3 (0x3)

"JavaQuickStarterService"=2 (0x2)

"idsvc"=3 (0x3)

"gusvc"=3 (0x3)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

.

R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [10/11/2012 7:57 AM 399432]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/11/2012 7:57 AM 676936]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/11/2012 7:57 AM 22856]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [3/31/2012 7:31 AM 250808]

S3 KBCAM;JamC@m USB service;c:\windows\system32\drivers\KBCAM.sys [12/11/2008 5:15 AM 16384]

S3 KLSIENET;Driver for USB Ethernet Adapter;c:\windows\system32\drivers\usb101et.sys [10/3/2012 1:52 PM 32384]

S3 Linksys_adapter_H;Linksys Adapter Network Driver;c:\windows\system32\drivers\AE2500xp.sys [10/3/2012 2:19 PM 1034240]

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

scramby

arrayssl_vpn_service3,0,1,9

nmwcdc

icm10blk

acedrv07

IFP700

pimsgss

ilicensesvc

knobserv

tapvpn

pmem

obvious

A4S2600

SiSRaid2

WINFLASH

mbackmonitor

FireTDI

rtm

ofcservice

MSMQ

tmcomm

tmmbd

pdengine

eliservice

trufos

papyjoy

avc

ultra66

RTLE8023xp

mssql$microsoftsmlbiz

siswlsvc

Cardex

.

Contents of the 'Scheduled Tasks' folder

.

2012-10-18 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 14:14]

.

2012-10-18 c:\windows\Tasks\User_Feed_Synchronization-{F016FBAB-93A5-4668-BF1E-65AB09A30CE6}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Settings,ProxyOverride = <local>

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

Trusted Zone: thejamcam.com\www

TCP: DhcpNameServer = 192.168.0.1 205.171.3.25

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

Notify-AtiExtEvent - (no file)

Notify-NavLogon - (no file)

SafeBoot-30164547.sys

SafeBoot-54314066.sys

SafeBoot-61403485.sys

SafeBoot-82675482.sys

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-10-18 10:06

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1078081533-1482476501-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(3772)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\rundll32.exe

c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

c:\windows\system32\imapi.exe

.

**************************************************************************

.

Completion time: 2012-10-18 10:09:23 - machine was rebooted

ComboFix-quarantined-files.txt 2012-10-18 16:08

.

Pre-Run: 70,938,075,136 bytes free

Post-Run: 71,050,035,200 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

.

- - End Of File - - 39DFD4AB0469DD787C14EFADD64F3AB9


Malwarebytes Anti-Malware 1.65.1.1000

www.malwarebytes.org

Database version: v2012.10.19.01

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

User :: SR1602HM [administrator]

10/18/2012 7:39:15 PM

mbam-log-2012-10-18 (19-39-15).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 197548

Time elapsed: 5 minute(s), 25 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


Mr. C, the RogueKiller found 2 objects. However, I'm ignoring that and only posting the RK log, as instructed:

RogueKiller V8.1.1 [10/01/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website: http://tigzy.geekstogo.com/roguekiller.php

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User : User [Admin rights]

Mode : Scan -- Date : 10/18/2012 20:37:41

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: HDS728080PLAT20 +++++

--- User ---

[MBR] 25b6f7f00ee924d129722e33c877ea12

[BSP] 6ab81512ed7b103b5f7d01d89b81ec91 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76308 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[2].txt >>

RKreport[1].txt ; RKreport[2].txt


Looks Good....just get this one >>>

Run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest: (if found)

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

Now click Delete on the right hand column under Options

~~~~~~~~~~~~~~~~~~

Last scan............(checks for any adware on your system:

Please download AdwCleaner from here and save it on your Desktop.

  1. Right-click on adwcleaner.exe and select Run As Administrator to launch the application.
  2. Now click on the Search tab.
  3. Please post the contents of the log-file created in your next post.

Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- Denotes the number of times the application has been run, so in this case it should be something like R1.

MrC (be back in the am)


This topic is now closed to further replies.