
Smart HDD... I think



Good afternoon SMiller,

My apologies for the delay. Now that I have finished exams I am back to working full time. :P

Please re-run RogueKiller, let it delete everything it finds and then post a fresh log in your reply.

Are there any current issues on your computer?


Dark Knight,

Hope the exams went well. I ran RK in NORMAL mode. I hit delete as instructed, but I still have the same problem with FreeCell. Here is the log:

RogueKiller V8.2.3 [11/07/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website: http://tigzy.geekstogo.com/roguekiller.php

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User : Rob [Admin rights]

Mode : Scan -- Date : 11/13/2012 22:02:57

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 13 ¤¤¤

[RUN][sUSP PATH] HKCU\[...]\Run : ISUSPM ("C:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe" -scheduler) -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-1644491937-562591055-725345543-1003[...]\Run : ISUSPM ("C:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe" -scheduler) -> FOUND

[sTARTUP][sUSP PATH] Seagate Product Registration.lnk @Rob : C:\Documents and Settings\Rob\Application Data\Leadertech\PowerRegister\Seagate Product Registration.exe -> FOUND

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND

[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

SSDT[25] : NtClose @ 0x8056F8D7 -> HOOKED (Unknown @ 0xF7CB0484)

SSDT[41] : NtCreateKey @ 0x80578AB4 -> HOOKED (Unknown @ 0xF7CB043E)

SSDT[50] : NtCreateSection @ 0x8056DB66 -> HOOKED (Unknown @ 0xF7CB048E)

SSDT[53] : NtCreateThread @ 0x80584D39 -> HOOKED (Unknown @ 0xF7CB0434)

SSDT[63] : NtDeleteKey @ 0x8059A5C9 -> HOOKED (Unknown @ 0xF7CB0443)

SSDT[65] : NtDeleteValueKey @ 0x805991E8 -> HOOKED (Unknown @ 0xF7CB044D)

SSDT[68] : NtDuplicateObject @ 0x8057F18D -> HOOKED (Unknown @ 0xF7CB047F)

SSDT[98] : NtLoadKey @ 0x805B8287 -> HOOKED (Unknown @ 0xF7CB0452)

SSDT[122] : NtOpenProcess @ 0x8057F93A -> HOOKED (Unknown @ 0xF7CB0420)

SSDT[128] : NtOpenThread @ 0x80596743 -> HOOKED (Unknown @ 0xF7CB0425)

SSDT[193] : NtReplaceKey @ 0x806571A8 -> HOOKED (Unknown @ 0xF7CB045C)

SSDT[204] : NtRestoreKey @ 0x80656D3D -> HOOKED (Unknown @ 0xF7CB0457)

SSDT[213] : NtSetContextThread @ 0x80635EFB -> HOOKED (Unknown @ 0xF7CB0493)

SSDT[247] : NtSetValueKey @ 0x80580088 -> HOOKED (Unknown @ 0xF7CB0448)

SSDT[257] : NtTerminateProcess @ 0x8058E8B1 -> HOOKED (Unknown @ 0xF7CB042F)

S_SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0xF7CB0498)

S_SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0xF7CB049D)

¤¤¤ HOSTS File: ¤¤¤

--> C:\windows\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD1600BEVE-00UYT0 +++++

--- User ---

[MBR] d78d6ae833efdcbc1642cb8365e128d3

[bSP] 09f3f30e050b0e78f4a273d6de7e96a6 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76308 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive3: WD Ext HDD 1021 USB Device +++++

--- User ---

[MBR] 6aff2b8f3ee9b4d7d8f72718b0599a79

[bSP] 3e4b2d5497fe55cd743d7f758a6de612 : Windows XP MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1907726 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

+++++ PhysicalDrive4: WDC WD16 00BB-00GUC0 USB Device +++++

--- User ---

[MBR] c981985ab4325682c14418f1e4da946f

[bSP] c27bff89ad152d5b85e14f435e81a8cd : MBR Code unknown

Partition table:

0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 152624 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[3]_S_11132012_02d2202.txt >>

RKreport[1]_S_11102012_02d2005.txt ; RKreport[2]_S_11122012_02d1745.txt ; RKreport[3]_S_11132012_02d2202.txt


Hey SMiller,

The exams went well thank you. Relieved they are done at last.

OK please give this a try regarding the FreeCell issue.

Before proceeding any further, please follow these instructions to backup your Registry (in case it needs to be restored if something goes wrong):

  • Please go to Start>Run and type in regedit.
  • Click regedit to open the Registry Editor.
  • Go to the File tab.
  • Select Export.
  • Save the file as RegistryBackup.reg to the Desktop.

=====

Once you have completed the above steps, please follow these instructions to create a .reg file:

  • Please open Notepad and copy the following text (inside the Quote box) into a new text file:
    REGEDIT4
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithList]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids]
    "exefile"=hex(0):
  • Make sure Save as type is set to All Files (*.*).
  • Save it as RegistryFix.reg to your Desktop.
  • Now double-click RegistryFix.reg and allow it to merge with the Registry.
  • Please delete RegistryFix.reg when it has finished.

=====

Did that remove the issue?


Hey SMiller,

OK. Please delete your current copy of ComboFix.

Next, please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com).

  • There are 3 different versions. If one of them won't run then download and try to run the other one.
  • Vista and Win7 users need to right click and choose Run as Admin.
  • You only need to get one of them to run, not all of them.

rkill.exe

rkill.com

rkill.scr

It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested on another computer and then transfer them to the Desktop of the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

Before proceeding any further the processes that belong to Windows Recovery need to be terminated so that it does not interfere with the cleaning procedure.

Double-click on the RKill.exe icon in order to automatically attempt to stop any processes associated with Windows Recovery and other Rogue programs.

===

Please do not reboot your computer.

Then, please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix (CF).

Please go here to see a list of programs that need to be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.**

**Note 2: If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.**

Please include the C:\ComboFix.txt in your next reply for further review.


DK,

Ran rkill and CF. Here is the log:

ComboFix 12-11-15.01 - Rob 11/15/2012 22:30:07.21.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.454 [GMT -8:00]

Running from: c:\documents and settings\Rob\Desktop\ComboFix.scr

Command switches used :: /S

AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

.

((((((((((((((((((((((((( Files Created from 2012-10-16 to 2012-11-16 )))))))))))))))))))))))))))))))

.

.

2012-11-11 05:29 . 2012-11-11 05:29 -------- d-----w- C:\FRST

2012-11-08 19:43 . 2012-11-08 19:43 177496 ----a-w- c:\windows\system32\drivers\64508186.sys

2012-11-08 19:43 . 2012-11-08 19:43 177496 ----a-w- c:\windows\system32\drivers\99718478.sys

2012-11-08 07:25 . 2012-11-08 07:25 177496 ----a-w- c:\windows\system32\drivers\31255700.sys

2012-11-08 07:23 . 2012-11-08 07:23 177496 ----a-w- c:\windows\system32\drivers\00155280.sys

2012-11-08 07:16 . 2012-11-08 07:16 177496 ----a-w- c:\windows\system32\drivers\54066471.sys

2012-11-08 07:16 . 2012-11-08 07:16 177496 ----a-w- c:\windows\system32\drivers\59382407.sys

2012-11-08 07:15 . 2012-11-08 07:15 177496 ----a-w- c:\windows\system32\drivers\23847152.sys

2012-11-08 07:15 . 2012-11-08 07:15 177496 ----a-w- c:\windows\system32\drivers\28443356.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-11-02 22:52 . 2009-02-21 00:33 89680 ----a-w- c:\documents and settings\Rob\MSSSerif120.fon

2012-10-06 20:48 . 2012-04-03 20:23 696240 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-10-06 20:48 . 2011-07-12 18:12 73136 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-09-30 02:54 . 2012-08-15 05:20 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF6C3CF0-4B15-11D1-ABED-709549C10000}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DownloadAccelerator"="c:\program files\STUFF\Download Accelerator Plus\DAP.EXE" [2012-08-15 2815488]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"StacSysTray"="c:\program files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe" [2004-04-29 102400]

"Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-05 856064]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-03 281768]

"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]

"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]

"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]

"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-11-02 90448]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Rob^Start Menu^Programs^Startup^MagicDisc.lnk]

path=c:\documents and settings\Rob\Start Menu\Programs\Startup\MagicDisc.lnk

backup=c:\windows\pss\MagicDisc.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]

2005-04-05 02:58 856064 ----a-w- c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]

2005-09-08 13:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]

2007-03-29 22:41 222128 ----a-w- c:\documents and settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]

2003-12-17 16:50 19968 ------w- c:\windows\LOGI_MWX.EXE

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

.

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/27/2010 8:09 PM 136360]

R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [4/17/2010 3:47 PM 47360]

S2 SigService;Sigmatel Service;c:\program files\SigmaTel\C-Major Audio\ControlPanel\sigservice.exe --> c:\program files\SigmaTel\C-Major Audio\ControlPanel\sigservice.exe [?]

S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;c:\windows\system32\drivers\mr97310v.sys [3/30/2004 10:29 AM 118106]

S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 12:37 PM 517096]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

Contents of the 'Scheduled Tasks' folder

.

2012-11-16 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 23:07]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

IE: &Clean Traces - c:\program files\STUFF\Download Accelerator Plus\Privacy Package\dapcleanerie.htm

IE: &Download with &DAP - c:\program files\STUFF\Download Accelerator Plus\dapextie.htm

IE: Download &all with DAP - c:\program files\STUFF\Download Accelerator Plus\dapextie2.htm

IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

TCP: DhcpNameServer = 192.168.0.1

DPF: Web-Based Email Tools - hxxps://email.secureserver.net/Download.CAB

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-11-15 22:42

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:c0,e0,d6,b4,b9,a1,21,c7,f5,b5,bc,c5,9c,55,e8,60,9d,3f,ce,d0,10,24,71,

30,0a,f7,e7,0c,f5,a5,a1,d0,da,3d,75,c8,97,9d,91,8a,77,88,6e,b4,6a,66,9c,b3,\

"??"=hex:59,52,4d,96,40,27,6e,8f,7c,35,3d,81,cd,0f,89,4c

.

[HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003\Software\SecuROM\License information*]

"datasecu"=hex:c2,1e,91,d7,9c,ef,c0,ad,7f,a9,be,b9,ef,ec,85,23,86,18,f1,f2,41,

6c,29,51,55,a2,cd,23,74,8d,c0,a9,68,0c,02,cf,15,85,69,26,eb,9d,4f,2c,a3,09,\

"rkeysecu"=hex:29,23,be,84,e1,6c,d6,ae,52,90,49,f1,f1,bb,e9,eb

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(908)

c:\windows\system32\Ati2evxx.dll

.

- - - - - - - > 'explorer.exe'(1528)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2012-11-15 22:43:58

ComboFix-quarantined-files.txt 2012-11-16 06:43

ComboFix2.txt 2012-11-16 05:19

ComboFix3.txt 2012-11-09 07:59

ComboFix4.txt 2012-11-09 04:53

ComboFix5.txt 2012-11-16 05:23

.

Pre-Run: 11,424,497,664 bytes free

Post-Run: 11,412,631,552 bytes free

.

- - End Of File - - 9229520DAFD6F7632B97638303C8D83E


Hello SMiller,

Time to see if we can finally nip this infection in the bud.

Please run Rkill before proceeding.

Then, please follow these instructions to re-run ComboFix:

  • Please close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open Notepad and copy/paste the text in the quotebox below into it:
    Please Note: Do NOT use any other text editor than Notepad or the CFScript will fail.

    killall::
    Registry::
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithList]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids]
    "exefile"=hex(0):
  • Save this as CFScript.txt, in the same location as ComboFix.exe.
    [image: CFScriptB-4.gif]
  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at C:\ComboFix.txt.

Please post the ComboFix.txt in your next reply.

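The RegistryFix.reg file posted earlier and the Registry:: section of the CFScript above carry the same REGEDIT4 directives: `[-KEY]` deletes a key with its subtree, `[KEY]` creates it, `"name"=-` deletes a value and `"name"=hex(0):` writes an empty REG_NONE value. The Python below is an added example, not code from the thread or from RogueKiller, ComboFix or SystemLook. It interprets those directives against an in-memory stand-in for the registry, seeded with the per-user `FileExts\.exe` override that redirects every .exe launch to FreeCell, and shows what the fix leaves behind. `FakeRegistry`, `apply_reg_script`, `exe_override_findings`, `infected_registry` and `run_fix` are names invented for this example, and the starting registry contents are constructed, not read from a machine.

```python
import re
# Per-user override key that Explorer consults before the machine-wide "exefile" ProgID.
FILEEXTS_EXE = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe"
KEY_LINE = re.compile(r"^\[(-?)([^\]]+)\]$")                    # [KEY] creates, [-KEY] deletes
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')  # "name"=data or @=data (default value)

class FakeRegistry:  # stand-in registry for the demonstration: normalised key path -> {value name -> data}
    def __init__(self):
        self.keys = {}

    @staticmethod
    def _norm(path):
        return path.strip("\\").lower()   # registry paths compare case-insensitively

    def create_key(self, path):
        self.keys.setdefault(self._norm(path), {})

    def delete_key(self, path):
        prefix = self._norm(path)         # [-KEY] removes the key and its whole subtree
        for k in list(self.keys):
            if k == prefix or k.startswith(prefix + "\\"):
                del self.keys[k]

    def set_value(self, path, name, data):
        self.create_key(path)
        self.keys[self._norm(path)][name] = data

    def delete_value(self, path, name):
        self.keys.get(self._norm(path), {}).pop(name, None)

    def values(self, path):
        return dict(self.keys.get(self._norm(path), {}))

def apply_reg_script(reg, text):
    """Apply REGEDIT4 / CFScript Registry:: lines to reg; return the operations performed."""
    current, ops = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor")) or line in ("REGEDIT4", "killall::", "Registry::"):
            continue
        m = KEY_LINE.match(line)
        if m:
            minus, path = m.groups()
            (reg.delete_key if minus else reg.create_key)(path)
            current = None if minus else path    # values that follow belong to this key
            ops.append(("delete_key" if minus else "create_key", path))
            continue
        m = VALUE_LINE.match(line)
        if not m or current is None:
            raise ValueError(f"unrecognised line: {raw!r}")
        name, data = ("@" if m.group(2) else m.group(1)), m.group(3)
        if data == "-":                                   # "name"=-  deletes the value
            reg.delete_value(current, name)
            ops.append(("delete_value", current, name))
            continue
        if data == "hex(0):":                             # REG_NONE with zero-length data
            reg.set_value(current, name, b"")
        elif len(data) >= 2 and data[0] == data[-1] == '"':   # quoted REG_SZ
            reg.set_value(current, name, data[1:-1].replace("\\\\", "\\").replace('\\"', '"'))
        else:
            raise ValueError(f"unsupported data syntax: {raw!r}")
        ops.append(("set_value", current, name))
    return ops

def exe_override_findings(reg):
    """Per-user entries that make Explorer hand every .exe to another program."""
    found = []
    app = reg.values(FILEEXTS_EXE).get("Application")
    if app is not None:
        found.append(f"Application={app}")
    for name, data in sorted(reg.values(FILEEXTS_EXE + r"\OpenWithList").items()):
        found.append(f"OpenWithList\\{name}={data}")
    return found

def infected_registry():
    """Constructed starting state, modelled on the SystemLook findings posted in the thread."""
    reg = FakeRegistry()
    reg.set_value(FILEEXTS_EXE, "Application", "freecell.exe")
    reg.set_value(FILEEXTS_EXE + r"\OpenWithList", "a", "freecell.exe")
    reg.set_value(r"HKEY_CURRENT_USER\Software\Classes\Applications\freecell.exe\shell\open\command",
                  "@", '"C:\\WINDOWS\\system32\\freecell.exe" "%1"')
    return reg

# The fix as posted in the thread: drop the per-user .exe override subtree, recreate the
# key empty, and list the "exefile" ProgID again under OpenWithProgids.
FIX_SCRIPT = r"""REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithList]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids]
"exefile"=hex(0):
"""

def run_fix():
    """Return (findings before, operations applied, findings after, registry)."""
    reg = infected_registry()
    before = exe_override_findings(reg)
    ops = apply_reg_script(reg, FIX_SCRIPT)
    return before, ops, exe_override_findings(reg), reg
```

`run_fix()` returns the override entries found before the script (the `Application` value and the `OpenWithList` entry naming freecell.exe), the five operations the script performs, and an empty finding list afterwards. Note what the script does not touch: the handler definition under `HKCU\Software\Classes\Applications\freecell.exe` stays in place, which is why a later pass in the thread goes after those keys separately.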

DK,

Thx for the quick reply. When I ran CF earlier, it alerted me to Avira being in the background. When I tried to close avguard.exe and avshadow.exe with Task Mgr, it would not allow me to do so. Are these the right processes and should I worry that they will interfere with the cleaning?

Thx, again.


DK,

I may have forgotten to run RKill before running the CF script, but hopefully, that didn't affect the outcome. That *&%@#!!!! FreeCell is still opening up with other programs. FYI, I usually hit the rack about midnight PST so take your time with this one and we'll talk tomorrow. Thx.

Here is the latest CF log:

ComboFix 12-11-15.01 - Rob 11/16/2012 0:18.22.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.522 [GMT -8:00]

Running from: c:\documents and settings\Rob\Desktop\ComboFix.scr

Command switches used :: /S

AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

.

((((((((((((((((((((((((( Files Created from 2012-10-16 to 2012-11-16 )))))))))))))))))))))))))))))))

.

.

2012-11-11 05:29 . 2012-11-11 05:29 -------- d-----w- C:\FRST

2012-11-08 19:43 . 2012-11-08 19:43 177496 ----a-w- c:\windows\system32\drivers\64508186.sys

2012-11-08 19:43 . 2012-11-08 19:43 177496 ----a-w- c:\windows\system32\drivers\99718478.sys

2012-11-08 07:25 . 2012-11-08 07:25 177496 ----a-w- c:\windows\system32\drivers\31255700.sys

2012-11-08 07:23 . 2012-11-08 07:23 177496 ----a-w- c:\windows\system32\drivers\00155280.sys

2012-11-08 07:16 . 2012-11-08 07:16 177496 ----a-w- c:\windows\system32\drivers\54066471.sys

2012-11-08 07:16 . 2012-11-08 07:16 177496 ----a-w- c:\windows\system32\drivers\59382407.sys

2012-11-08 07:15 . 2012-11-08 07:15 177496 ----a-w- c:\windows\system32\drivers\23847152.sys

2012-11-08 07:15 . 2012-11-08 07:15 177496 ----a-w- c:\windows\system32\drivers\28443356.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-11-02 22:52 . 2009-02-21 00:33 89680 ----a-w- c:\documents and settings\Rob\MSSSerif120.fon

2012-10-06 20:48 . 2012-04-03 20:23 696240 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-10-06 20:48 . 2011-07-12 18:12 73136 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-09-30 02:54 . 2012-08-15 05:20 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF6C3CF0-4B15-11D1-ABED-709549C10000}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DownloadAccelerator"="c:\program files\STUFF\Download Accelerator Plus\DAP.EXE" [2012-08-15 2815488]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"StacSysTray"="c:\program files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe" [2004-04-29 102400]

"Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-05 856064]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-03 281768]

"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]

"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]

"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]

"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-11-02 90448]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Rob^Start Menu^Programs^Startup^MagicDisc.lnk]

path=c:\documents and settings\Rob\Start Menu\Programs\Startup\MagicDisc.lnk

backup=c:\windows\pss\MagicDisc.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]

2005-04-05 02:58 856064 ----a-w- c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]

2005-09-08 13:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]

2007-03-29 22:41 222128 ----a-w- c:\documents and settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]

2003-12-17 16:50 19968 ------w- c:\windows\LOGI_MWX.EXE

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

.

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/27/2010 8:09 PM 136360]

R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [4/17/2010 3:47 PM 47360]

S2 SigService;Sigmatel Service;c:\program files\SigmaTel\C-Major Audio\ControlPanel\sigservice.exe --> c:\program files\SigmaTel\C-Major Audio\ControlPanel\sigservice.exe [?]

S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;c:\windows\system32\drivers\mr97310v.sys [3/30/2004 10:29 AM 118106]

S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 12:37 PM 517096]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

Contents of the 'Scheduled Tasks' folder

.

2012-11-16 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 23:07]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

IE: &Clean Traces - c:\program files\STUFF\Download Accelerator Plus\Privacy Package\dapcleanerie.htm

IE: &Download with &DAP - c:\program files\STUFF\Download Accelerator Plus\dapextie.htm

IE: Download &all with DAP - c:\program files\STUFF\Download Accelerator Plus\dapextie2.htm

IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

TCP: DhcpNameServer = 192.168.0.1

DPF: Web-Based Email Tools - hxxps://email.secureserver.net/Download.CAB

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-11-16 00:30

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:c0,e0,d6,b4,b9,a1,21,c7,f5,b5,bc,c5,9c,55,e8,60,9d,3f,ce,d0,10,24,71,

30,0a,f7,e7,0c,f5,a5,a1,d0,da,3d,75,c8,97,9d,91,8a,77,88,6e,b4,6a,66,9c,b3,\

"??"=hex:59,52,4d,96,40,27,6e,8f,7c,35,3d,81,cd,0f,89,4c

.

[HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003\Software\SecuROM\License information*]

"datasecu"=hex:c2,1e,91,d7,9c,ef,c0,ad,7f,a9,be,b9,ef,ec,85,23,86,18,f1,f2,41,

6c,29,51,55,a2,cd,23,74,8d,c0,a9,68,0c,02,cf,15,85,69,26,eb,9d,4f,2c,a3,09,\

"rkeysecu"=hex:29,23,be,84,e1,6c,d6,ae,52,90,49,f1,f1,bb,e9,eb

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(908)

c:\windows\system32\Ati2evxx.dll

.

- - - - - - - > 'explorer.exe'(2812)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2012-11-16 00:32:55

ComboFix-quarantined-files.txt 2012-11-16 08:32

ComboFix2.txt 2012-11-16 06:43

ComboFix3.txt 2012-11-16 05:19

ComboFix4.txt 2012-11-09 07:59

ComboFix5.txt 2012-11-16 08:10

.

Pre-Run: 11,393,458,176 bytes free

Post-Run: 11,407,208,448 bytes free

.

- - End Of File - - C1050382309FDB314645015BD6EEEDEC


Good evening SMiller,

Please download to your Desktop SystemLook by jpshortstuff from here.

Double-click SystemLook.exe and copy and paste the content of the following codebox (starting with :filefind) into the main textfield and click the Look button to start the scan:

:regfind
FreeCell

When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt.


DK,

Downloaded SystemLook. Had to chg it to .scr to get it to run. Loaded the script and here are the results:

Thx.

SystemLook 30.07.11 by jpshortstuff

Log created at 17:25 on 16/11/2012 by Rob

Administrator - Elevation successful

========== regfind ==========

Searching for "FreeCell"

[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]

"000"="freecell"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\FreeCell]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe]

"c"="C:\WINDOWS\system32\freecell.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe]

"Application"="freecell.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithList]

"a"="freecell.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]

"C:\WINDOWS\system32\freecell.exe"="Entertainment Pack FreeCell Game"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]

"@%SystemRoot%\system32\shell32.dll,-22542"="Begins the Freecell card game."

[HKEY_CURRENT_USER\Software\Classes\Applications\freecell.exe]

[HKEY_CURRENT_USER\Software\Classes\Applications\freecell.exe\shell\open\command]

@=""C:\WINDOWS\system32\freecell.exe" "%1""

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\freecell.exe]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Nls\MUILanguages\RCV2\freecell.exe]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\freecell.exe]

[HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003\Software\Microsoft\Search Assistant\ACMru\5603]

"000"="freecell"

[HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Applets\FreeCell]

[HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe]

"c"="C:\WINDOWS\system32\freecell.exe"

[HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe]

"Application"="freecell.exe"

[HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithList]

"a"="freecell.exe"

[HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache]

"C:\WINDOWS\system32\freecell.exe"="Entertainment Pack FreeCell Game"

[HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache]

"@%SystemRoot%\system32\shell32.dll,-22542"="Begins the Freecell card game."

[HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003\Software\Classes\Applications\freecell.exe]

[HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003\Software\Classes\Applications\freecell.exe\shell\open\command]

@=""C:\WINDOWS\system32\freecell.exe" "%1""

[HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003_Classes\Applications\freecell.exe]

[HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003_Classes\Applications\freecell.exe\shell\open\command]

@=""C:\WINDOWS\system32\freecell.exe" "%1""

-= EOF =-


Good evening SMiller,

SystemLook has identified some rather interesting Registry changes concerning FreeCell. ;)

Please follow these instructions to re-run ComboFix:

  • Please close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open Notepad and copy/paste the text in the quotebox below into it:
    Please Note: Do NOT use any other text editor than Notepad or the CFScript will fail.

    killall::
    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe]
    "c"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe]
    "Application"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithList]
    "a"=-
    [HKEY_CURRENT_USER\Software\Classes\Applications\freecell.exe\shell\open\command]
    @=-
    [HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe]
    "Application"=-
    [HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithList]
    "a"=-
    [HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003\Software\Classes\Applications\freecell.exe\shell\open\command]
    @=-
    [HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003_Classes\Applications\freecell.exe\shell\open\command]
    @=-
  • Save this as CFScript.txt, in the same location as ComboFix.exe.
    CFScriptB-4.gif
  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at C:\ComboFix.txt.

Please post the ComboFix.txt in your next reply.

Has the issue been resolved?


DK,

Thx for the script. I ran it but still have the same problem. Here is the log:

ComboFix 12-11-15.01 - Rob 11/17/2012 20:21:06.23.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.640 [GMT -8:00]

Running from: c:\documents and settings\Rob\Desktop\ComboFix.scr

Command switches used :: /S

AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

* Created a new restore point

.

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

.

((((((((((((((((((((((((( Files Created from 2012-10-18 to 2012-11-18 )))))))))))))))))))))))))))))))

.

.

2012-11-11 05:29 . 2012-11-11 05:29 -------- d-----w- C:\FRST

2012-11-08 19:43 . 2012-11-08 19:43 177496 ----a-w- c:\windows\system32\drivers\64508186.sys

2012-11-08 19:43 . 2012-11-08 19:43 177496 ----a-w- c:\windows\system32\drivers\99718478.sys

2012-11-08 07:25 . 2012-11-08 07:25 177496 ----a-w- c:\windows\system32\drivers\31255700.sys

2012-11-08 07:23 . 2012-11-08 07:23 177496 ----a-w- c:\windows\system32\drivers\00155280.sys

2012-11-08 07:16 . 2012-11-08 07:16 177496 ----a-w- c:\windows\system32\drivers\54066471.sys

2012-11-08 07:16 . 2012-11-08 07:16 177496 ----a-w- c:\windows\system32\drivers\59382407.sys

2012-11-08 07:15 . 2012-11-08 07:15 177496 ----a-w- c:\windows\system32\drivers\23847152.sys

2012-11-08 07:15 . 2012-11-08 07:15 177496 ----a-w- c:\windows\system32\drivers\28443356.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-11-02 22:52 . 2009-02-21 00:33 89680 ----a-w- c:\documents and settings\Rob\MSSSerif120.fon

2012-10-06 20:48 . 2012-04-03 20:23 696240 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-10-06 20:48 . 2011-07-12 18:12 73136 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-09-30 02:54 . 2012-08-15 05:20 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF6C3CF0-4B15-11D1-ABED-709549C10000}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DownloadAccelerator"="c:\program files\STUFF\Download Accelerator Plus\DAP.EXE" [2012-08-15 2815488]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"StacSysTray"="c:\program files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe" [2004-04-29 102400]

"Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-05 856064]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-03 281768]

"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]

"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]

"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]

"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-11-02 90448]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Rob^Start Menu^Programs^Startup^MagicDisc.lnk]

path=c:\documents and settings\Rob\Start Menu\Programs\Startup\MagicDisc.lnk

backup=c:\windows\pss\MagicDisc.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]

2005-04-05 02:58 856064 ----a-w- c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]

2005-09-08 13:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]

2007-03-29 22:41 222128 ----a-w- c:\documents and settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]

2003-12-17 16:50 19968 ------w- c:\windows\LOGI_MWX.EXE

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

.

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/27/2010 8:09 PM 136360]

R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [4/17/2010 3:47 PM 47360]

S2 SigService;Sigmatel Service;c:\program files\SigmaTel\C-Major Audio\ControlPanel\sigservice.exe --> c:\program files\SigmaTel\C-Major Audio\ControlPanel\sigservice.exe [?]

S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;c:\windows\system32\drivers\mr97310v.sys [3/30/2004 10:29 AM 118106]

S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 12:37 PM 517096]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

Contents of the 'Scheduled Tasks' folder

.

2012-11-18 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 23:07]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

IE: &Clean Traces - c:\program files\STUFF\Download Accelerator Plus\Privacy Package\dapcleanerie.htm

IE: &Download with &DAP - c:\program files\STUFF\Download Accelerator Plus\dapextie.htm

IE: Download &all with DAP - c:\program files\STUFF\Download Accelerator Plus\dapextie2.htm

IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

TCP: DhcpNameServer = 192.168.0.1

DPF: Web-Based Email Tools - hxxps://email.secureserver.net/Download.CAB

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-11-17 20:34

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:c0,e0,d6,b4,b9,a1,21,c7,f5,b5,bc,c5,9c,55,e8,60,9d,3f,ce,d0,10,24,71,

30,0a,f7,e7,0c,f5,a5,a1,d0,da,3d,75,c8,97,9d,91,8a,77,88,6e,b4,6a,66,9c,b3,\

"??"=hex:59,52,4d,96,40,27,6e,8f,7c,35,3d,81,cd,0f,89,4c

.

[HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003\Software\SecuROM\License information*]

"datasecu"=hex:c2,1e,91,d7,9c,ef,c0,ad,7f,a9,be,b9,ef,ec,85,23,86,18,f1,f2,41,

6c,29,51,55,a2,cd,23,74,8d,c0,a9,68,0c,02,cf,15,85,69,26,eb,9d,4f,2c,a3,09,\

"rkeysecu"=hex:29,23,be,84,e1,6c,d6,ae,52,90,49,f1,f1,bb,e9,eb

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(908)

c:\windows\system32\Ati2evxx.dll

.

- - - - - - - > 'explorer.exe'(2156)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2012-11-17 20:36:27

ComboFix-quarantined-files.txt 2012-11-18 04:36

ComboFix2.txt 2012-11-16 08:32

ComboFix3.txt 2012-11-16 06:43

ComboFix4.txt 2012-11-16 05:19

ComboFix5.txt 2012-11-18 04:19

.

Pre-Run: 11,189,329,920 bytes free

Post-Run: 11,281,166,336 bytes free

.

- - End Of File - - DA6EE9F705CFD5D1E60FB0B61656D40D


Good afternoon SMiller,

Please double-click SystemLook.exe and copy and paste the content of the following codebox (starting with :filefind) into the main textfield and click the Look button to start the scan:

:regfind
FreeCell

When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note:
The log can also be found on your Desktop entitled
SystemLook.txt
.


DK,

Thx for getting back with me. I also noticed all the reg entries for FreeCell last time. I have a new SysLook log for you:

SystemLook 30.07.11 by jpshortstuff

Log created at 22:44 on 17/11/2012 by Rob

Administrator - Elevation successful

========== regfind ==========

Searching for "FreeCell"

[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]

"000"="freecell"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\FreeCell]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe]

"c"="C:\WINDOWS\system32\freecell.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe]

"Application"="freecell.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithList]

"a"="freecell.exe"

[HKEY_CURRENT_USER\Software\Classes\Applications\freecell.exe]

[HKEY_CURRENT_USER\Software\Classes\Applications\freecell.exe\shell\open\command]

@=""C:\WINDOWS\system32\freecell.exe" "%1""

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\freecell.exe]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Nls\MUILanguages\RCV2\freecell.exe]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\freecell.exe]

[HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003\Software\Microsoft\Search Assistant\ACMru\5603]

"000"="freecell"

[HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Applets\FreeCell]

[HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe]

"c"="C:\WINDOWS\system32\freecell.exe"

[HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe]

"Application"="freecell.exe"

[HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithList]

"a"="freecell.exe"

[HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003\Software\Classes\Applications\freecell.exe]

[HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003\Software\Classes\Applications\freecell.exe\shell\open\command]

@=""C:\WINDOWS\system32\freecell.exe" "%1""

[HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003_Classes\Applications\freecell.exe]

[HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003_Classes\Applications\freecell.exe\shell\open\command]

@=""C:\WINDOWS\system32\freecell.exe" "%1""

-= EOF =-


Good evening SMiller,

It appears all the Keys I had you remove respawned. I think that the easiest option to fix this would be to uninstall FreeCell. I know you didn't want to before, but it will certainly be quicker and it should almost definitely fix the issue. If you still wish to foster on please let me know, but I don't want to drag this out when an easy solution could solve it all. :)

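The CFScript above and the observation that the same FreeCell values came back point at one mechanism: on Windows XP, a per-user "Application" value under Explorer\FileExts\.exe tells Explorer to open every .exe for that user with the named program, which is consistent with security tools not launching while FreeCell does. The following is an added example (not code from the thread, from SystemLook or from ComboFix): it parses SystemLook regfind output, flags the values that implement such a per-user .exe override, emits the matching CFScript Registry:: block in the format used above, and compares a before and after log to report which flagged values persisted. The sample logs are constructed from the entries quoted in the thread; the rule set is an assumption chosen for this example, not a list from any tool.

```python
"""Flag per-user .exe handler overrides in SystemLook ':regfind' output.

Added example, not part of the forum thread or any tool discussed in it.
Sample logs below are constructed from entries quoted in the thread.
"""
import re

# Constructed sample: a trimmed SystemLook regfind log in the format shown above.
SAMPLE_BEFORE = r"""
========== regfind ==========

Searching for "FreeCell"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe]
"c"="C:\WINDOWS\system32\freecell.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe]
"Application"="freecell.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithList]
"a"="freecell.exe"

[HKEY_CURRENT_USER\Software\Classes\Applications\freecell.exe\shell\open\command]
@=""C:\WINDOWS\system32\freecell.exe" "%1""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\WINDOWS\system32\freecell.exe"="Entertainment Pack FreeCell Game"

-= EOF =-
"""

# Constructed sample of a log where the override values are gone.
SAMPLE_CLEAN = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe]
"c"="C:\WINDOWS\system32\freecell.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\WINDOWS\system32\freecell.exe"="Entertainment Pack FreeCell Game"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<data>.*)$')


def parse_regfind(text):
    """Return (key, value_name, data) tuples; the default value is named '@'.
    Bare keys with no values listed are skipped (nothing to delete with '=-')."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("=", "Searching", "-=")):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group("default") else m.group("name")
            data = m.group("data").strip()
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = data[1:-1]  # SystemLook wraps string data in one layer of quotes
            entries.append((current, name, data))
    return entries


# Assumed rule set for this example: (reason, key-suffix regex on the lowercased key,
# required value name in lowercase or None for any value under that key).
EXE_OVERRIDE_RULES = (
    ("per-user handler override: Explorer opens every .exe with this program",
     re.compile(r"\\explorer\\fileexts\\\.exe$"), "application"),
    ("Open With list entry for .exe",
     re.compile(r"\\explorer\\fileexts\\\.exe\\openwithlist$"), None),
    ("open command for an application chosen via Open With",
     re.compile(r"\\classes\\applications\\[^\\]+\.exe\\shell\\open\\command$"), "@"),
)


def flag_exe_overrides(entries):
    """Return the entries matching a rule, each with the reason attached."""
    flagged = []
    for key, name, data in entries:
        k = key.lower()
        for reason, pattern, wanted in EXE_OVERRIDE_RULES:
            if pattern.search(k) and (wanted is None or name.lower() == wanted):
                flagged.append({"key": key, "name": name, "data": data, "reason": reason})
                break
    return flagged


def build_cfscript(flagged):
    """Emit a CFScript 'Registry::' block: '"name"=-' deletes a named value, '@=-' the default."""
    lines, seen = ["killall::", "Registry::"], set()
    for f in flagged:
        if (f["key"], f["name"]) in seen:
            continue
        seen.add((f["key"], f["name"]))
        lines.append("[%s]" % f["key"])
        lines.append("@=-" if f["name"] == "@" else '"%s"=-' % f["name"])
    return "\n".join(lines) + "\n"


def persisted(before_text, after_text):
    """Flagged (key, value) pairs present in both logs: values that survived or came back."""
    def pairs(text):
        return {(f["key"].lower(), f["name"].lower())
                for f in flag_exe_overrides(parse_regfind(text))}
    return pairs(before_text) & pairs(after_text)


if __name__ == "__main__":
    flags = flag_exe_overrides(parse_regfind(SAMPLE_BEFORE))
    for f in flags:
        print("%s  %s=%s\n    %s" % (f["key"], f["name"], f["data"], f["reason"]))
    print(build_cfscript(flags))
    print("persisted after clean run:", persisted(SAMPLE_BEFORE, SAMPLE_CLEAN))
    print("persisted if nothing changed:", len(persisted(SAMPLE_BEFORE, SAMPLE_BEFORE)))
```

Run it against two consecutive SystemLook logs to see at a glance whether a cleanup actually removed the override values; an empty persisted set is what you want after a CFScript run. The MRU and MUICache entries are deliberately not flagged, since they only record that freecell.exe was run or browsed to and do not change what Explorer launches.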

DK,

I don't have a problem uninstalling FreeCell, but I think I was hit with something else. As I booted my computer up tonight, I was not taken to my desktop. Instead, a message that pretended to be from the FBI said my computer had been blocked and for me to pay $200 to get it unblocked. When I booted into Safe mode with networking, the same thing happened except only a white screen showed up with no message. When I booted into Safe mode with NO networking, the same white screen appeared with no message. I know this message to be some kind of virus because I am using another computer on the same network to send you this message now.

I tried to raise Task Mgr to shut down the process but each time was unable to get it to pull up. I know you probably want to get this over with as we have been working on this for over a week, but your help to get to the desktop would be much appreciated. I do have a small USB drive I could use to download and run any other programs you deem necessary.

Thanks, again.

- Scott


Good afternoon SMiller,

Ah yes, the FBI Ransom Lock. Can be as annoying as ZA at times. <_<

Please read all these directions before proceeding.

When you have the .ISO file downloaded, you need to create a bootable disk or flash drive with it, using a clean PC to do that. The .ISO file is a disk image. It should NOT be burned as a regular file. You need a program like ImgBurn that can burn an .ISO image. I think a CD is best as there is no way anything can write on it after it is made, but the USB may be more convenient and easier.

Be sure to read these:

Download Kaspersky Rescue Disk 10

How to record Kaspersky Rescue Disk 10 to an USB device and boot my computer from it?

How to record Kaspersky Rescue Disk 10 to a CD/DVD and boot my computer from the disk?

  • Please go to a clean computer
  • Download the .iso image file.
  • Create a CD (or flash drive if you prefer).
  • On the infected computer: put the disk in the drive and reboot.

Follow the directions here, but you will find some differences.

Familiarise yourself with How to create a report file in Kaspersky Rescue Disk 10?

Then, please print the following directions:

Boot from Kaspersky Rescue Disk 10:

Restart your computer and put the disk in the drive while booting.

Press any key. A loading wizard will start (you will see the menu to select the required language). If you do not press any key in 10 seconds, the computer boots from hard drive automatically.

Select the required interface language using the arrow-keys on your keyboard.

Press the Enter key on the keyboard.

In the start up wizard window that opens, select the Kaspersky Rescue Disk. Graphic Mode

Click Enter.

Click 'A' to accept the agreement.

Select operating system from dropdown menu (select Windows whatever).

Select Objects to scan: check Disk boot sectors, Hidden startup objects, C:

Click My Update Center and update.

Back to other tab and click Start Object Scan.

When scan has completed save a report:

On the upper part of the Kaspersky Rescue Disk window, click on the Report link.

On the bottom right hand corner of the Protection status - Kaspersky Rescue Disk window, click on the Detailed Report button.

On the upper right hand corner of the Detailed report window, click on the Save button.

After clicking Detailed Report and 'SAVE', a browse window opens.

Double-click on the \

Click 'disks'.

All your drives will be shown and you can easily double-click C and save the report to C:\KasperskyRescueDisk10.txt.

Click on the Save button.

The report has been saved to the file.

Remove the disk from the drive (or disconnect USB) and reboot normally.

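The rescue-disk instructions above depend on the downloaded .ISO being the genuine disk image, prepared on a clean PC. Two checks are worth doing before burning it: confirm the file really is an ISO 9660 image (a half-finished download or a saved error page is not), and compare its SHA-256 with the hash published next to the download. The following is an added example, not code from the thread or from Kaspersky; it takes the published hash as an input and assumes nothing about its value. The fixture it builds is a constructed stand-in with only the volume-descriptor signature, not a bootable image.

```python
"""Check a downloaded rescue-disk image before writing it to boot media.

Added example, not part of the forum thread or of Kaspersky's tooling.
The expected SHA-256 is supplied by the caller (copied from the vendor's
download page); the sample images built by demo() are constructed fixtures.
"""
import hashlib
import os
import tempfile

# ISO 9660: the volume descriptor set starts at logical sector 16 (2048-byte
# sectors). Byte 0 is the descriptor type (1 = primary), bytes 1-5 are "CD001".
PVD_OFFSET = 16 * 2048
PVD_MAGIC = b"\x01CD001"


def is_iso9660(path):
    """True if the file carries a primary volume descriptor where ISO 9660 puts it."""
    with open(path, "rb") as f:
        f.seek(PVD_OFFSET)
        return f.read(len(PVD_MAGIC)) == PVD_MAGIC


def sha256_of(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(path, expected_sha256):
    """Return (ok, findings). Both checks always run so every problem is reported."""
    findings = []
    if not is_iso9660(path):
        findings.append("not an ISO 9660 image (no primary volume descriptor at sector 16)")
    actual = sha256_of(path)
    if actual.lower() != expected_sha256.strip().lower():
        findings.append("sha256 mismatch: got %s" % actual)
    return (not findings, findings)


def make_sample_image(path, with_magic=True):
    """Constructed fixture: 64 KiB of zeros, optionally with the PVD signature at
    sector 16. Returns its SHA-256 so a test can play the role of the vendor's hash."""
    data = bytearray(64 * 1024)
    if with_magic:
        data[PVD_OFFSET:PVD_OFFSET + len(PVD_MAGIC)] = PVD_MAGIC
    with open(path, "wb") as f:
        f.write(data)
    return hashlib.sha256(data).hexdigest()


def demo():
    """Build fixtures in a temporary directory and return the three verification results."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "rescue.iso")
        bad = os.path.join(d, "not-an-image.iso")
        good_hash = make_sample_image(good)
        bad_hash = make_sample_image(bad, with_magic=False)
        results["good"] = verify_image(good, good_hash)          # genuine image, right hash
        results["tampered"] = verify_image(good, "0" * 64)       # right format, wrong hash
        results["not_iso"] = verify_image(bad, bad_hash)         # hash matches but not an ISO
    return results


if __name__ == "__main__":
    for label, (ok, findings) in demo().items():
        print("%-9s %s %s" % (label, "OK" if ok else "FAIL", "; ".join(findings)))
```

For a real download, call verify_image("kav_rescue_10.iso", "<hash from the download page>") on the clean PC before writing the image, and write it as an image (ImgBurn's "Write image file to disc", or the vendor's USB tool), never as a data file on a new disc.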

DK,

I am burning the ISO per your instructions. Do you want me to post the report? BTW, do you think I got the FBI Ransom one because my Malwarebytes and Avira don't open initially on startup as FreeCell opens instead of them? Just a thought. Also, I plan on buying the full version of Malwarebytes once my computer is clean. Would the full version had protected me against both of these attacks?

- Scott


Hey SMiller,

I am burning the ISO per your instructions. Do you want me to post the report?

Yes please.

BTW, do you think I got the FBI Ransom one because my Malwarebytes and Avira don't open initially on startup as FreeCell opens instead of them? Just a thought.

It is possible. It is also possible that the infection wasn't completely removed. Kaspersky should shed some light.

Also, I plan on buying the full version of Malwarebytes once my computer is clean. Would the full version had protected me against both of these attacks?

It will certainly help reduce your chances of being reinfected. Because malware writers are constantly writing new malware, security programs sometimes are a little behind in detecting the new variants. But it will definitely help. :)

- Scott


DK,

Thx for the answers. It took me so long to get back to you as the first disk worked, then froze, then worked, then froze, etc. I finally burned a second disk that seems to have worked properly. Now, should I DELETE or SKIP the results found by the Kaspersky Rescue Disk?

-Scott


This topic is now closed to further replies.