
all programs and files are "gone"


boat


This is my wife's computer and she is freaking out. All programs and files have disappeared off the desktop. I have tried unhide with no luck and have used recuva to salvage some of her picture files.

Any help would be greatly appreciated.

Here is the dds file:

Alan

DDS (Ver_2012-11-07.01) - NTFS_x86

Internet Explorer: 8.0.6001.18702

Run by Administrator at 0:24:11 on 2012-11-09

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.556 [GMT -5:00]

.

AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

============== Running Processes ================

.

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\SCardSvr.exe

C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe

C:\Program Files\IObit\Advanced SystemCare 6\Monitor.exe

C:\Program Files\Application Updater\ApplicationUpdater.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

c:\program files\coupon companion\coupon companion-bg.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

C:\WINDOWS\system32\svchost.exe -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k imgsvc

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uSearchURL,(Default) = hxxp://search.alot.com/web?q=&pr=auto&client_id=830B137001CC102401DF0351&src_id=30028&camp_id=2588&tb_version=1.0.7000.4(B)

uURLSearchHooks: <No Name>: - LocalServer32 - <no file>

BHO: {0BDA0769-FD72-49F4-9266-E1FB004F4D8F} - <orphaned>

BHO: Coupon Companion: {11111111-1111-1111-1111-110011441193} - c:\program files\coupon companion\Coupon Companion.dll

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {85F5CF95-EC8F-49fc-BB3F-38C79455CBA2} - <orphaned>

BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll

TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Advanced SystemCare 6] "c:\program files\iobit\advanced systemcare 6\ASCTray.exe" /AutoStart

uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil32_11_4_402_287_ActiveX.exe -update activex

mRun: [PTHOSTTR] c:\program files\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE /Start

mRun: [QlbCtrl] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe

mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray

mRun: [IObit Malware Fighter] "c:\program files\iobit\iobit malware fighter\IMF.exe" /autostart

mRun: [KernelFaultCheck] c:\windows\system32\dumprep 0 -k

mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui

mRunOnce: [E0871241-84DE-4B7B-BB49-E3B368AEECEE] cmd.exe /C start /D "c:\docume~1\admini~1\locals~1\Temp" /B E0871241-84DE-4B7B-BB49-E3B368AEECEE.exe -postboot

mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoffi~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpomau08.exe

uPolicies-Explorer: NoDriveTypeAutoRun = dword:323

uPolicies-Explorer: NoDriveAutoRun = dword:67108863

uPolicies-Explorer: NoDrives = dword:0

mPolicies-Explorer: NoDriveTypeAutoRun = dword:145

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

.

INFO: HKCU has more than 50 listed domains.

If you wish to scan all of them, select the 'Force scan all domains' option.

.

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1286638953453

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1286638946687

DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: NameServer = 75.75.75.75 75.75.76.76

TCP: Interfaces\{96281561-4AEF-4B3B-B116-B123E7F76522} : DHCPNameServer = 75.75.75.75 75.75.76.76

Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll

.

============= SERVICES / DRIVERS ===============

.

R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-9-23 14776]

R2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2012-10-9 799112]

R2 IMFservice;IMF Service;c:\program files\iobit\iobit malware fighter\IMFsrv.exe [2011-9-23 821592]

S0 71733884;71733884;c:\windows\system32\drivers\57009216.sys --> c:\windows\system32\drivers\57009216.sys [?]

S2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\iobit\advanced systemcare 5\ascservice.exe --> c:\program files\iobit\advanced systemcare 5\ASCService.exe [?]

S2 PEVSystemStart;PEVSystemStart;"c:\combofix\pev.3xe" exec /i "c:\combofix\regt.3xe" /s "c:\combofix\cregb.dat" --> c:\combofix\pev.3XE [?]

S3 cpuz132;cpuz132;\??\c:\docume~1\admini~1\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\admini~1\locals~1\temp\cpuz132\cpuz132_x32.sys [?]

S3 FileMonitor;FileMonitor;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\FileMonitor.sys [2012-11-1 246816]

S3 HP24X;HP PC Card Smart Card Reader;c:\windows\system32\drivers\HP24X.sys [2010-7-22 33024]

S3 RegFilter;RegFilter;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\RegFilter.sys [2012-11-1 30408]

S3 UrlFilter;UrlFilter;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\UrlFilter.sys [2012-11-1 16248]

.

=============== Created Last 30 ================

.

2012-11-07 01:25:19 -------- d-----w- c:\documents and settings\administrator\application data\PandoraRecovery

2012-11-07 01:25:14 -------- d-----w- c:\program files\Pandora Recovery

2012-11-07 01:23:49 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Coupon Companion

2012-11-07 01:23:46 -------- d-----w- c:\program files\Coupon Companion

2012-11-07 00:12:08 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys

2012-11-07 00:12:08 -------- d-----w- c:\program files\Belarc

2012-11-07 00:01:54 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2012-11-07 00:00:57 41224 ----a-w- c:\windows\avastSS.scr

2012-11-07 00:00:27 -------- d-----w- c:\program files\AVAST Software

2012-11-07 00:00:27 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software

2012-11-06 23:30:33 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes

2012-11-06 23:30:16 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2012-11-06 23:30:12 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-11-06 23:30:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-11-06 22:18:28 98816 ----a-w- c:\windows\sed.exe

2012-11-06 22:18:28 256000 ----a-w- c:\windows\PEV.exe

2012-11-06 22:18:28 208896 ----a-w- c:\windows\MBR.exe

2012-11-06 04:29:27 -------- d-----w- C:\TDSSKiller_Quarantine

2012-11-05 02:55:34 21336 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe

2012-11-01 23:45:47 -------- d-----w- c:\program files\PokerStars.NET

2012-10-19 21:00:38 -------- d-----w- c:\documents and settings\administrator\application data\Search Settings

2012-10-19 20:59:49 -------- d-----w- c:\program files\IObit Toolbar

2012-10-19 20:59:49 -------- d-----w- c:\program files\common files\Spigot

2012-10-19 20:59:49 -------- d-----w- c:\program files\Application Updater

.

==================== Find3M ====================

.

2012-10-10 01:30:20 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-10-10 01:30:19 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

============= FINISH: 0:24:22.79 ===============

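The DDS log above contains the kind of entries a helper reads first: a driver service whose name is just digits (`71733884`, pointing at `57009216.sys`), a driver loading from the user's Temp directory (`cpuz132`), and a RunOnce value named with a GUID that starts an executable out of Temp. The script below is an added example for this page, not part of DDS and not posted by anyone in the thread; it parses DDS-style service and Run/RunOnce lines and applies the editor's own triage heuristics (numeric service names, GUID value names, Temp paths, the `[?]` marker DDS prints when it cannot stat the image). The sample lines are copied from the log above with two benign entries as controls; the heuristics are assumptions about what merits a second look, not a verdict.

```python
import re

# Constructed sample: lines copied from the DDS log posted above, plus a
# benign HP driver line and the avast Run value as controls.
SAMPLE_LINES = r"""
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-9-23 14776]
S0 71733884;71733884;c:\windows\system32\drivers\57009216.sys --> c:\windows\system32\drivers\57009216.sys [?]
S3 cpuz132;cpuz132;\??\c:\docume~1\admini~1\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\admini~1\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 HP24X;HP PC Card Smart Card Reader;c:\windows\system32\drivers\HP24X.sys [2010-7-22 33024]
mRunOnce: [E0871241-84DE-4B7B-BB49-E3B368AEECEE] cmd.exe /C start /D "c:\docume~1\admini~1\locals~1\Temp" /B E0871241-84DE-4B7B-BB49-E3B368AEECEE.exe -postboot
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
""".strip().splitlines()

# DDS service line: "<R|S><start type> <name>;<display name>;<image> [<date size> | ?]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+)$")
# DDS Run/RunOnce line: "<u|m>Run[Once]: [<value name>] <command>"
RUN_RE = re.compile(r"^([um]Run(?:Once)?):\s+\[([^\]]*)\]\s+(.*)$")

# Editor's heuristics (assumptions, not signatures).
NUMERIC_NAME_RE = re.compile(r"^\d{6,}$")
GUID_RE = re.compile(r"^[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")
TEMP_PATH_RE = re.compile(r"\\temp\b", re.IGNORECASE)


def triage_service(line):
    """Return (service name, reasons) for a service/driver line, else None."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    _start_type, name, _display, image = m.groups()
    reasons = []
    if NUMERIC_NAME_RE.match(name):
        reasons.append("numeric service name")
    if TEMP_PATH_RE.search(image):
        reasons.append("image under a Temp directory")
    if image.rstrip().endswith("[?]"):
        reasons.append("DDS could not stat the image ([?])")
    return name, reasons


def triage_run(line):
    """Return (value name, reasons) for a Run/RunOnce line, else None."""
    m = RUN_RE.match(line)
    if not m:
        return None
    _key, name, command = m.groups()
    reasons = []
    if GUID_RE.match(name):
        reasons.append("GUID-style value name")
    if TEMP_PATH_RE.search(command):
        reasons.append("command runs from a Temp directory")
    return name, reasons


def triage(lines):
    """Return (entry name, reasons) for every line that tripped a heuristic."""
    findings = []
    for line in lines:
        result = triage_service(line) or triage_run(line)
        if result and result[1]:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LINES):
        print(f"{name}: {'; '.join(reasons)}")
```

Run over the sample, the script flags exactly the three entries a helper would ask about (the numeric driver service, the Temp-resident driver, and the GUID-named RunOnce) and leaves the SmartDefrag, HP and avast entries alone. A `[?]` on its own is weak evidence, since leftover entries from uninstalled software produce it too, so it only adds weight to the other hints.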

  • Staff

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.


  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines; these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same"; this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

These are the programs I would like you to run next, if you have any problems with these just skip it and run the next one.

-Security Check-

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-AdwCleaner-

  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[s1].txt as well.

--RogueKiller--

  • Download & SAVE to your Desktop RogueKiller or from here
    • Quit all programs that you may have started.
    • Please disconnect any USB or external drives from the computer before you run this scan!
    • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
    • For Windows XP, double-click to start.
    • Wait until Prescan has finished ...
    • Then Click on "Scan" button
    • Wait until the Status box shows "Scan Finished"
    • click on "delete"
    • Wait until the Status box shows "Deleting Finished"
    • Click on "Report" and copy/paste the content of the Notepad into your next reply.
    • The log should be found in RKreport[1].txt on your Desktop
    • Exit/Close RogueKiller.

Gringo


Here is the checkup log

Results of screen317's Security Check version 0.99.54

Windows XP Service Pack 2 x86

Out of date service pack!!

Internet Explorer 8

``````````````Antivirus/Firewall Check:``````````````

Windows Security Center service is not running! This report may not be accurate!

Windows Firewall Enabled!

Please wait while WMIC is being installed.

displayName

ECHO is off.

avast!

ECHO is off.

Antivirus

ECHO is off.

Antivirus up to date!

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.65.1.1000

Adobe Reader 9 Adobe Reader out of Date!

````````Process Check: objlist.exe by Laurent````````

IObit IObit Malware Fighter IMFsrv.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C:: 7%

````````````````````End of Log``````````````````````


I forgot to say in my previous reply, I really appreciate your help Gringo.

I couldn't get the log from AdwCleaner. When it rebooted the computer there was no log. On my desktop there is no Start or Run (or anything).

Here is the log for the roguekiller program

RogueKiller V8.2.3 [11/07/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website: http://tigzy.geekstogo.com/roguekiller.php

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version

Started in : Normal mode

User : Administrator [Admin rights]

Mode : Remove -- Date : 11/10/2012 10:48:10

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤

[services][ROGUE ST] HKLM\[...]\ControlSet001\Services\71733884 (C:\WINDOWS\system32\drivers\57009216.sys) -> DELETED

[services][ROGUE ST] HKLM\[...]\ControlSet002\Services\71733884 (C:\WINDOWS\system32\drivers\57009216.sys) -> DELETED

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD3200BEVE-00A0HT0 +++++

--- User ---

[MBR] 296ab82bc8a1456fdc4c98fd648140bf

[BSP] f0ec6ba2ca79e9bf9f20edad1eb61ddf : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 305234 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[2]_D_11102012_02d1048.txt >>

RKreport[1]_S_11102012_02d1047.txt ; RKreport[2]_D_11102012_02d1048.txt


Sorry Gringo, senior moment. I found a way to access the log:

# AdwCleaner v2.007 - Logfile created 11/10/2012 at 10:02:30

# Updated 06/11/2012 by Xplode

# Operating system : Microsoft Windows XP Service Pack 2 (32 bits)

# User : Administrator - PAM-820260FD2A8

# Boot Mode : Normal

# Running from : C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\DPMQC4IZ\adwcleaner[1].exe

# Option [Delete]

***** [Services] *****

Stopped & Deleted : Application Updater

***** [Files / Folders] *****

Folder Deleted : C:\Documents and Settings\Administrator\Application Data\Search Settings

Folder Deleted : C:\Program Files\Application Updater

Folder Deleted : C:\Program Files\Common Files\spigot

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\Search Settings

Key Deleted : HKCU\Software\Cr_Installer

Key Deleted : HKCU\Software\Crossrider

Key Deleted : HKCU\Software\InstalledBrowserExtensions

Key Deleted : HKCU\Software\Search Settings

Key Deleted : HKLM\Software\Application Updater

Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0004493.BHO

Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0004493.BHO.1

Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0004493.Sandbox

Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0004493.Sandbox.1

Key Deleted : HKLM\Software\Search Settings

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

*************************

AdwCleaner[R1].txt - [1542 octets] - [10/11/2012 10:01:18]

AdwCleaner[s1].txt - [1513 octets] - [10/11/2012 10:02:30]

########## EOF - C:\AdwCleaner[s1].txt - [1573 octets] ##########


  • Staff

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

Link 1
Link 2
Link 3

1. Close any open browsers or any other programs that are open.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


I'm not sure if it worked properly. I can't access my security programs to disable them. Nothing goes up on my desktop.

Here is the log I got

ComboFix 12-11-09.02 - Administrator 11/10/2012 15:17:02.1.1 - x86

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\system32\drivers\etc\hosts.ics

.

c:\windows\explorer.exe . . . is infected!!

.

.

((((((((((((((((((((((((( Files Created from 2012-10-10 to 2012-11-10 )))))))))))))))))))))))))))))))

.

.

2012-11-07 01:25 . 2012-11-07 01:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\PandoraRecovery

2012-11-07 01:25 . 2012-11-09 02:37 -------- d-----w- c:\program files\Pandora Recovery

2012-11-07 01:23 . 2012-11-07 01:23 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Coupon Companion

2012-11-07 01:23 . 2012-11-10 16:22 -------- d-----w- c:\program files\Coupon Companion

2012-11-07 00:12 . 2012-11-07 00:12 -------- d-----w- c:\program files\Belarc

2012-11-07 00:12 . 2011-08-09 22:33 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys

2012-11-07 00:01 . 2012-10-30 23:51 361032 ----a-w- c:\windows\system32\drivers\aswSP.sys

2012-11-07 00:01 . 2012-10-30 23:51 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2012-11-07 00:01 . 2012-10-30 23:51 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2012-11-07 00:01 . 2012-10-30 23:51 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2012-11-07 00:01 . 2012-10-30 23:51 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2012-11-07 00:01 . 2012-10-30 23:51 97608 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2012-11-07 00:01 . 2012-10-30 23:51 89752 ----a-w- c:\windows\system32\drivers\aswmon.sys

2012-11-07 00:01 . 2012-10-30 23:51 25256 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2012-11-07 00:00 . 2012-10-30 23:51 41224 ----a-w- c:\windows\avastSS.scr

2012-11-07 00:00 . 2012-10-30 23:50 227648 ----a-w- c:\windows\system32\aswBoot.exe

2012-11-07 00:00 . 2012-11-07 00:00 -------- d-----w- c:\program files\AVAST Software

2012-11-07 00:00 . 2012-11-07 00:00 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software

2012-11-06 23:30 . 2012-11-06 23:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2012-11-06 23:30 . 2012-11-06 23:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2012-11-06 23:30 . 2012-11-06 23:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-11-06 23:30 . 2012-09-30 00:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-11-06 04:29 . 2012-11-06 04:29 -------- d-----w- C:\TDSSKiller_Quarantine

2012-11-05 02:55 . 2012-02-23 18:25 21336 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe

2012-11-01 23:45 . 2012-11-04 01:35 -------- d-----w- c:\program files\PokerStars.NET

2012-10-19 20:59 . 2012-10-19 20:59 -------- d-----w- c:\program files\IObit Toolbar

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-10-10 01:30 . 2012-04-03 14:49 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-10-10 01:30 . 2012-04-03 14:49 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe

[-] 2006-02-28 . 74B0E361DF9E5BABA9C0BD4000703A3B . 1032192 . . [6.00.2900.2180] . . c:\windows\explorer.exe

[7] 2006-02-28 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\system32\dllcache\explorer.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2012-10-30 23:50 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Advanced SystemCare 6"="c:\program files\IObit\Advanced SystemCare 6\ASCTray.exe" [2012-09-25 490880]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]

"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-12-06 202032]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]

"IObit Malware Fighter"="c:\program files\IObit\IObit Malware Fighter\IMF.exe" [2012-09-28 4473728]

"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"E0871241-84DE-4B7B-BB49-E3B368AEECEE"="start" [X]

"Malwarebytes Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-09-30 766536]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

hp officejet 4100 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe [2003-4-9 147456]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]

@="Service"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

.

R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\IObit\Advanced SystemCare 5\ASCService.exe [x]

R3 FileMonitor;FileMonitor;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys [x]

R3 HP24X;HP PC Card Smart Card Reader;c:\windows\system32\DRIVERS\HP24X.sys [x]

R3 RegFilter;RegFilter;c:\program files\IObit\IObit Malware Fighter\drivers\wxp_x86\regfilter.sys [x]

R3 UrlFilter;UrlFilter;c:\program files\IObit\IObit Malware Fighter\drivers\wxp_x86\UrlFilter.sys [x]

S0 SmartDefragDriver;SmartDefragDriver;c:\windows\System32\Drivers\SmartDefragDriver.sys [x]

S2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [x]

.

.

Contents of the 'Scheduled Tasks' folder

.

2012-11-10 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 01:30]

.

2012-11-10 c:\windows\Tasks\ASC6_PerformanceMonitor.job

- c:\program files\IObit\Advanced SystemCare 6\Monitor.exe [2012-11-07 01:33]

.

2012-11-10 c:\windows\Tasks\avast! Emergency Update.job

- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2012-11-07 23:50]

.

2012-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-23 20:18]

.

2012-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-23 20:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchURL,(Default) = hxxp://search.alot.com/web?q=&pr=auto&client_id=830B137001CC102401DF0351&src_id=30028&camp_id=2588&tb_version=1.0.7000.4(B)

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: download.com

TCP: DhcpNameServer = 75.75.75.75 75.75.76.76

.

- - - - ORPHANS REMOVED - - - -

.

BHO-{85F5CF95-EC8F-49fc-BB3F-38C79455CBA2} - (no file)

Toolbar-{A531D99C-5A22-449b-83DA-872725C6D0ED} - (no file)

SafeBoot-Wdf01000.sys

AddRemove-EaseUS Data Recovery Wizard Free Edition 5.6.1_is1 - e:\easeus data recovery wizard free edition 5.6.1\unins000.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-11-10 15:21

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-790525478-1177238915-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ce,36,b0,60,68,c7,58,48,8c,6f,40,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,db,c8,4d,d3,ed,9c,1f,41,9c,7e,d6,\

"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,45,e6,a8,25,c1,02,9b,44,aa,1b,d4,\

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

Completion time: 2012-11-10 15:23:47

ComboFix-quarantined-files.txt 2012-11-10 20:23

ComboFix2.txt 2012-11-06 22:31

.

Pre-Run: 307,932,344,320 bytes free

Post-Run: 307,942,633,472 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - BA8C2E99284634FB33E489948E57A8B6

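In the Sigcheck section of the ComboFix log above, `c:\windows\explorer.exe` and its backup in `c:\windows\system32\dllcache` carry the same version string (6.00.2900.2180) and the same size (1032192 bytes) but different MD5 hashes, which is consistent with ComboFix's line "c:\windows\explorer.exe . . . is infected!!": a system file that has been patched in place rather than replaced by an update. The script below is an added example for this page, not ComboFix's own logic and not posted by anyone in the thread; it parses Sigcheck-style lines and flags any file whose version and size match a reference copy while its hash differs. The three sample lines are the ones from the log, and treating the `dllcache` copy as the reference is the editor's assumption for the illustration.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample: the three Sigcheck lines from the ComboFix log above.
SAMPLE_SIGCHECK = r"""
[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe
[-] 2006-02-28 . 74B0E361DF9E5BABA9C0BD4000703A3B . 1032192 . . [6.00.2900.2180] . . c:\windows\explorer.exe
[7] 2006-02-28 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\system32\dllcache\explorer.exe
""".strip().splitlines()

# "[mark] date . md5 . size . . [version] . . path"
SIGCHECK_RE = re.compile(
    r"^\[(?P<mark>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})"
    r"\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+)$"
)


def parse_sigcheck(lines):
    """Turn Sigcheck lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in lines:
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["size"] = int(entry["size"])
        entry["md5"] = entry["md5"].upper()
        entry["basename"] = entry["path"].rsplit("\\", 1)[-1].lower()
        entries.append(entry)
    return entries


def is_reference_copy(path):
    # Assumption for this example: the dllcache copy is the reference.
    return "\\dllcache\\" in path.lower()


def find_patched(entries):
    """Return (suspect path, reference path) pairs: same version and size as the
    reference copy of the same file name, but a different MD5."""
    by_name = defaultdict(list)
    for entry in entries:
        by_name[entry["basename"]].append(entry)

    suspicious = []
    for group in by_name.values():
        references = [e for e in group if is_reference_copy(e["path"])]
        for ref in references:
            for entry in group:
                if entry is ref:
                    continue
                same_build = (entry["version"] == ref["version"]
                              and entry["size"] == ref["size"])
                if same_build and entry["md5"] != ref["md5"]:
                    suspicious.append((entry["path"], ref["path"]))
    return suspicious


def md5_of_file(path, chunk=1 << 20):
    """MD5 of a file on disk, so a live copy can be compared the same way."""
    digest = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest().upper()


if __name__ == "__main__":
    for suspect, reference in find_patched(parse_sigcheck(SAMPLE_SIGCHECK)):
        print(f"{suspect}: same version/size as {reference}, different MD5")
```

The copy under `SoftwareDistribution\Download` is not flagged: it is a different build (6.00.2900.5512, the SP3-era file waiting to be installed), so a hash mismatch there is expected. The rule only fires when version and size agree and the content does not, which is what an in-place patch of a signed system binary looks like. A local backup copy can itself have been tampered with, so the authoritative check is the hash from the vendor's catalog, not the dllcache copy.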

ComboFix 12-11-09.02 - Administrator 11/10/2012 16:36:45.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.784 [GMT -5:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\explorer.exe . . . is infected!!

.

.

((((((((((((((((((((((((( Files Created from 2012-10-10 to 2012-11-10 )))))))))))))))))))))))))))))))

.

.

2012-11-07 01:25 . 2012-11-07 01:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\PandoraRecovery

2012-11-07 01:25 . 2012-11-09 02:37 -------- d-----w- c:\program files\Pandora Recovery

2012-11-07 01:23 . 2012-11-07 01:23 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Coupon Companion

2012-11-07 01:23 . 2012-11-10 16:22 -------- d-----w- c:\program files\Coupon Companion

2012-11-07 00:12 . 2012-11-07 00:12 -------- d-----w- c:\program files\Belarc

2012-11-07 00:12 . 2011-08-09 22:33 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys

2012-11-07 00:01 . 2012-10-30 23:51 361032 ----a-w- c:\windows\system32\drivers\aswSP.sys

2012-11-07 00:01 . 2012-10-30 23:51 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2012-11-07 00:01 . 2012-10-30 23:51 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2012-11-07 00:01 . 2012-10-30 23:51 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2012-11-07 00:01 . 2012-10-30 23:51 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2012-11-07 00:01 . 2012-10-30 23:51 97608 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2012-11-07 00:01 . 2012-10-30 23:51 89752 ----a-w- c:\windows\system32\drivers\aswmon.sys

2012-11-07 00:01 . 2012-10-30 23:51 25256 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2012-11-07 00:00 . 2012-10-30 23:51 41224 ----a-w- c:\windows\avastSS.scr

2012-11-07 00:00 . 2012-10-30 23:50 227648 ----a-w- c:\windows\system32\aswBoot.exe

2012-11-07 00:00 . 2012-11-07 00:00 -------- d-----w- c:\program files\AVAST Software

2012-11-07 00:00 . 2012-11-07 00:00 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software

2012-11-06 23:30 . 2012-11-06 23:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2012-11-06 23:30 . 2012-11-06 23:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2012-11-06 23:30 . 2012-11-06 23:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-11-06 23:30 . 2012-09-30 00:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-11-06 04:29 . 2012-11-06 04:29 -------- d-----w- C:\TDSSKiller_Quarantine

2012-11-05 02:55 . 2012-02-23 18:25 21336 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe

2012-11-01 23:45 . 2012-11-04 01:35 -------- d-----w- c:\program files\PokerStars.NET

2012-10-19 20:59 . 2012-10-19 20:59 -------- d-----w- c:\program files\IObit Toolbar

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-10-10 01:30 . 2012-04-03 14:49 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-10-10 01:30 . 2012-04-03 14:49 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe

[-] 2006-02-28 . 74B0E361DF9E5BABA9C0BD4000703A3B . 1032192 . . [6.00.2900.2180] . . c:\windows\explorer.exe

[7] 2006-02-28 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\system32\dllcache\explorer.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2012-10-30 23:50 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Advanced SystemCare 6"="c:\program files\IObit\Advanced SystemCare 6\ASCTray.exe" [2012-09-25 490880]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]

"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-12-06 202032]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]

"IObit Malware Fighter"="c:\program files\IObit\IObit Malware Fighter\IMF.exe" [2012-09-28 4473728]

"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"E0871241-84DE-4B7B-BB49-E3B368AEECEE"="start" [X]

"Malwarebytes Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-09-30 766536]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

hp officejet 4100 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe [2003-4-9 147456]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]

@="Service"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

.

R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [9/23/2011 5:29 PM 14776]

R2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [9/23/2011 5:28 PM 821592]

S2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\IObit\Advanced SystemCare 5\ASCService.exe --> c:\program files\IObit\Advanced SystemCare 5\ASCService.exe [?]

S3 FileMonitor;FileMonitor;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys [11/1/2012 10:07 PM 246816]

S3 HP24X;HP PC Card Smart Card Reader;c:\windows\system32\drivers\HP24X.sys [7/22/2010 6:18 AM 33024]

S3 RegFilter;RegFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\RegFilter.sys [11/1/2012 10:07 PM 30408]

S3 UrlFilter;UrlFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\UrlFilter.sys [11/1/2012 10:07 PM 16248]

.

Contents of the 'Scheduled Tasks' folder

.

2012-11-10 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 01:30]

.

2012-11-10 c:\windows\Tasks\ASC6_PerformanceMonitor.job

- c:\program files\IObit\Advanced SystemCare 6\Monitor.exe [2012-11-07 01:33]

.

2012-11-10 c:\windows\Tasks\avast! Emergency Update.job

- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2012-11-07 23:50]

.

2012-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-23 20:18]

.

2012-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-23 20:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchURL,(Default) = hxxp://search.alot.com/web?q=&pr=auto&client_id=830B137001CC102401DF0351&src_id=30028&camp_id=2588&tb_version=1.0.7000.4(B)

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: download.com

TCP: DhcpNameServer = 75.75.75.75 75.75.76.76

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-11-10 16:42

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-790525478-1177238915-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ce,36,b0,60,68,c7,58,48,8c,6f,40,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,db,c8,4d,d3,ed,9c,1f,41,9c,7e,d6,\

"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,45,e6,a8,25,c1,02,9b,44,aa,1b,d4,\

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

Completion time: 2012-11-10 16:44:08

ComboFix-quarantined-files.txt 2012-11-10 21:44

ComboFix2.txt 2012-11-10 20:23

ComboFix3.txt 2012-11-06 22:31

.

Pre-Run: 307,911,725,056 bytes free

Post-Run: 307,935,338,496 bytes free

.

- - End Of File - - B1645A6CB1D8E42ABF787A7CFF6B9F62

I ran it again and it said avast was running, but when I try to open avast I get an error saying it's not installed.

Here is the new log. I can't tell if it's any different.


  • Staff

SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:


:filefind
explorer.exe
svchost.exe
winlogon.exe

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


Sorry I didn't understand.

SystemLook 30.07.11 by jpshortstuff

Log created at 19:57 on 10/11/2012 by Administrator

Administrator - Elevation successful

========== filefind ==========

Searching for "explorer.exe "

C:\WINDOWS\explorer.exe --a---- 1032192 bytes [12:00 28/02/2006] [12:00 28/02/2006] 74B0E361DF9E5BABA9C0BD4000703A3B

C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe --a---- 1033728 bytes [21:13 19/08/2010] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923

C:\WINDOWS\system32\dllcache\explorer.exe --a--c- 1032192 bytes [12:00 28/02/2006] [12:00 28/02/2006] A0732187050030AE399B241436565E64

Searching for "svchost.exe "

C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe --a---- 218184 bytes [23:30 06/11/2012] [00:54 30/09/2012] 8846E87210AD131CF71E3E2E49F647B0

C:\WINDOWS\erdnt\cache\svchost.exe --a---- 14336 bytes [22:28 06/11/2012] [12:00 28/02/2006] 8F078AE4ED187AAABC0A305146DE6716

C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\svchost.exe --a---- 14336 bytes [21:15 19/08/2010] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18

C:\WINDOWS\system32\svchost.exe --a---- 14336 bytes [12:00 28/02/2006] [12:00 28/02/2006] 8F078AE4ED187AAABC0A305146DE6716

C:\WINDOWS\system32\dllcache\svchost.exe --a--c- 14336 bytes [12:00 28/02/2006] [12:00 28/02/2006] 8F078AE4ED187AAABC0A305146DE6716

Searching for "winlogon.exe"

C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe --a---- 218184 bytes [23:30 06/11/2012] [00:54 30/09/2012] 8846E87210AD131CF71E3E2E49F647B0

C:\WINDOWS\erdnt\cache\winlogon.exe --a---- 502272 bytes [22:28 06/11/2012] [12:00 28/02/2006] 01C3346C241652F43AED8E2149881BFE

C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\winlogon.exe --a---- 507904 bytes [21:15 19/08/2010] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E

C:\WINDOWS\system32\winlogon.exe --a---- 502272 bytes [12:00 28/02/2006] [12:00 28/02/2006] 01C3346C241652F43AED8E2149881BFE

C:\WINDOWS\system32\dllcache\winlogon.exe --a--c- 502272 bytes [12:00 28/02/2006] [12:00 28/02/2006] 01C3346C241652F43AED8E2149881BFE

-= EOF =-

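The diagnosis in this thread rests on one comparison that is done by eye: the ComboFix Sigcheck section and the SystemLook output both show c:\windows\explorer.exe with the same size (1032192) and the same version (6.00.2900.2180) as the copy in system32\dllcache, but a different MD5 (74B0E361... live versus A0732187... in dllcache), while svchost.exe and winlogon.exe match their dllcache twins. The following is an added example, not code from the thread or from the SystemLook or ComboFix authors. It parses both log formats and makes that comparison explicit. The only input is the log lines quoted from this thread, embedded as constructed sample data; no other paths, hashes or tool behaviour are assumed.

```python
"""Added example (not from the forum thread or the tool authors): pair each
live system binary (Windows directory or system32) with the copy Windows keeps
in system32/dllcache and compare size and MD5, using the log lines the thread
already shows as input."""
import ntpath
import re
from collections import defaultdict

# Constructed input: the SystemLook ":filefind" result lines posted in the thread.
SYSTEMLOOK_LOG = r"""
C:\WINDOWS\explorer.exe --a---- 1032192 bytes [12:00 28/02/2006] [12:00 28/02/2006] 74B0E361DF9E5BABA9C0BD4000703A3B
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe --a---- 1033728 bytes [21:13 19/08/2010] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINDOWS\system32\dllcache\explorer.exe --a--c- 1032192 bytes [12:00 28/02/2006] [12:00 28/02/2006] A0732187050030AE399B241436565E64
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe --a---- 218184 bytes [23:30 06/11/2012] [00:54 30/09/2012] 8846E87210AD131CF71E3E2E49F647B0
C:\WINDOWS\erdnt\cache\svchost.exe --a---- 14336 bytes [22:28 06/11/2012] [12:00 28/02/2006] 8F078AE4ED187AAABC0A305146DE6716
C:\WINDOWS\system32\svchost.exe --a---- 14336 bytes [12:00 28/02/2006] [12:00 28/02/2006] 8F078AE4ED187AAABC0A305146DE6716
C:\WINDOWS\system32\dllcache\svchost.exe --a--c- 14336 bytes [12:00 28/02/2006] [12:00 28/02/2006] 8F078AE4ED187AAABC0A305146DE6716
C:\WINDOWS\system32\winlogon.exe --a---- 502272 bytes [12:00 28/02/2006] [12:00 28/02/2006] 01C3346C241652F43AED8E2149881BFE
C:\WINDOWS\system32\dllcache\winlogon.exe --a--c- 502272 bytes [12:00 28/02/2006] [12:00 28/02/2006] 01C3346C241652F43AED8E2149881BFE
"""

# Constructed input: the Sigcheck lines from the first ComboFix log in the thread.
COMBOFIX_SIGCHECK = r"""
[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe
[-] 2006-02-28 . 74B0E361DF9E5BABA9C0BD4000703A3B . 1032192 . . [6.00.2900.2180] . . c:\windows\explorer.exe
[7] 2006-02-28 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\system32\dllcache\explorer.exe
"""

# Directories whose copy is the one actually executed on an XP box.
LIVE_DIRS = {r"c:\windows", r"c:\windows\system32"}

# "<path> <attrs> <size> bytes [mtime] [ctime] <MD5>"
SYSTEMLOOK_RE = re.compile(
    r"^(?P<path>.+?\.exe)\s+\S+\s+(?P<size>\d+)\s+bytes\s+\[[^\]]*\]\s+\[[^\]]*\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)
# "[flag] <date> . <MD5> . <size> . . [version] . . <path>"
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]])\]\s+\S+\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)"
    r"\s+\.\s+\.\s+\[(?P<ver>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)


def parse_systemlook(text):
    """Return [{path, size, md5}] for every SystemLook filefind hit in text."""
    out = []
    for line in text.splitlines():
        m = SYSTEMLOOK_RE.match(line.strip())
        if m:
            out.append({"path": m["path"], "size": int(m["size"]), "md5": m["md5"].upper()})
    return out


def parse_sigcheck(text):
    """Same shape for ComboFix Sigcheck lines, keeping ComboFix's [flag] and the version resource."""
    out = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            out.append({"path": m["path"], "size": int(m["size"]), "md5": m["md5"].upper(),
                        "flag": m["flag"], "version": m["ver"]})
    return out


def compare(entries):
    """Pair each live binary with its dllcache twin and compare size and MD5.
    Copies elsewhere (SoftwareDistribution, the erdnt cache, Chameleon) are other
    versions or backups and are deliberately ignored."""
    pairs = defaultdict(dict)
    for e in entries:
        d = ntpath.dirname(e["path"]).lower()
        name = ntpath.basename(e["path"]).lower()
        if d.endswith(r"\system32\dllcache"):
            pairs[name]["cache"] = e
        elif d in LIVE_DIRS:
            pairs[name]["live"] = e
    results = {}
    for name, p in pairs.items():
        if "live" in p and "cache" in p:
            results[name] = {
                "live_md5": p["live"]["md5"],
                "cache_md5": p["cache"]["md5"],
                "same_size": p["live"]["size"] == p["cache"]["size"],
                "hash_match": p["live"]["md5"] == p["cache"]["md5"],
            }
    return results


def verdict(r):
    """Size alone is not evidence: a patched explorer.exe keeps its size and version
    resource, so same-size/different-hash is the suspect case, not the benign one."""
    if r["hash_match"]:
        return "OK: live file matches the dllcache copy"
    if r["same_size"]:
        return "SUSPECT: same size, different hash (size-preserving patch; restore from dllcache)"
    return "DIFFERS: different size, confirm the file version before restoring"


if __name__ == "__main__":
    for label, entries in (("SystemLook", parse_systemlook(SYSTEMLOOK_LOG)),
                           ("ComboFix Sigcheck", parse_sigcheck(COMBOFIX_SIGCHECK))):
        print(f"== {label} ==")
        for name, r in sorted(compare(entries).items()):
            print(f"{name:14} live={r['live_md5']} cache={r['cache_md5']}  {verdict(r)}")
```

Run against the thread's own lines it marks explorer.exe SUSPECT and svchost.exe and winlogon.exe OK, which is what the staff member acted on with the BlitzBlank CopyFile. Two caveats a practitioner would add: dllcache is not a trusted root (a file infector can patch that copy too, and the only corroboration in the thread is that ComboFix marks the dllcache copy differently, [7] rather than [-]), so a hash from install media or a known-clean machine is preferable when one is available; and because the shell holds explorer.exe open, the replacement has to be staged for the next boot, which is exactly what the CopyFileOnReboot entry in the BlitzBlank report later in the thread shows.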

  • Staff

Greetings

Lets run this now.

Blitzblank.

Download BlitzBlank and save it to your desktop. Open Blitzblank.exe

  • Click OK at the warning (and take note of it, this is a VERY powerful tool!).
  • Click the Script tab and copy/paste the following text there:

CopyFile:
C:\WINDOWS\system32\dllcache\explorer.exe C:\WINDOWS\explorer.exe

  • Click Execute Now. Your computer will need to reboot in order to replace the files.
  • When done, post me the report created by BlitzBlank. You can find it at the root of the drive, normally C:\


Hi Gringo,

It looks like everything came back. I have a very happy wife on my hands...thanks. I'm not sure what files on BlitzBlank you need. Here is the one on the C drive that I see. You are awesome!

BlitzBlank 1.0.0.32

File/Registry Modification Engine native application

CopyFileOnReboot: sourceFile = "\??\c:\windows\system32\dllcache\explorer.exe", destinationFile = "\??\c:\windows\explorer.exe"


  • Staff

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

 ClearJavaCache:: 

Save it to your desktop as CFScript.txt

Referring to the picture below, drag CFScript.txt into ComboFix.exe

[image: CFScriptB-4.gif]

This will let ComboFix run again.

Restart if you have to.

Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  1. report from Combofix
  2. let me know of any problems you may have had
  3. How is the computer doing now after running the script?

Gringo


ComboFix 12-11-09.02 - Administrator 11/12/2012 14:56:10.4.1 - x86

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

* Created a new restore point

.

.

((((((((((((((((((((((((( Files Created from 2012-10-12 to 2012-11-12 )))))))))))))))))))))))))))))))

.

.

2012-11-07 01:25 . 2012-11-07 01:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\PandoraRecovery

2012-11-07 01:25 . 2012-11-09 02:37 -------- d-----w- c:\program files\Pandora Recovery

2012-11-07 01:23 . 2012-11-07 01:23 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Coupon Companion

2012-11-07 01:23 . 2012-11-10 16:22 -------- d-----w- c:\program files\Coupon Companion

2012-11-07 00:12 . 2012-11-07 00:12 -------- d-----w- c:\program files\Belarc

2012-11-07 00:12 . 2011-08-09 22:33 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys

2012-11-07 00:01 . 2012-10-30 23:51 361032 ----a-w- c:\windows\system32\drivers\aswSP.sys

2012-11-07 00:01 . 2012-10-30 23:51 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2012-11-07 00:01 . 2012-10-30 23:51 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2012-11-07 00:01 . 2012-10-30 23:51 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2012-11-07 00:01 . 2012-10-30 23:51 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2012-11-07 00:01 . 2012-10-30 23:51 97608 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2012-11-07 00:01 . 2012-10-30 23:51 89752 ----a-w- c:\windows\system32\drivers\aswmon.sys

2012-11-07 00:01 . 2012-10-30 23:51 25256 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2012-11-07 00:00 . 2012-10-30 23:51 41224 ----a-w- c:\windows\avastSS.scr

2012-11-07 00:00 . 2012-10-30 23:50 227648 ----a-w- c:\windows\system32\aswBoot.exe

2012-11-07 00:00 . 2012-11-07 00:00 -------- d-----w- c:\program files\AVAST Software

2012-11-07 00:00 . 2012-11-07 00:00 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software

2012-11-06 23:30 . 2012-11-06 23:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2012-11-06 23:30 . 2012-11-06 23:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2012-11-06 23:30 . 2012-11-06 23:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-11-06 23:30 . 2012-09-30 00:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-11-06 04:29 . 2012-11-06 04:29 -------- d-----w- C:\TDSSKiller_Quarantine

2012-11-05 02:55 . 2012-02-23 18:25 21336 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe

2012-11-01 23:45 . 2012-11-11 23:34 -------- d-----w- c:\program files\PokerStars.NET

2012-10-19 20:59 . 2012-10-19 20:59 -------- d-----w- c:\program files\IObit Toolbar

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-11-11 22:46 . 2006-02-28 12:00 1032192 ----a-w- c:\windows\explorer.exe

2012-10-10 01:30 . 2012-04-03 14:49 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-10-10 01:30 . 2012-04-03 14:49 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2012-10-30 23:50 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Advanced SystemCare 6"="c:\program files\IObit\Advanced SystemCare 6\ASCTray.exe" [2012-09-25 490880]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]

"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-12-06 202032]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]

"IObit Malware Fighter"="c:\program files\IObit\IObit Malware Fighter\IMF.exe" [2012-09-28 4473728]

"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]

@="Service"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

.

R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\IObit\Advanced SystemCare 5\ASCService.exe [x]

R3 HP24X;HP PC Card Smart Card Reader;c:\windows\system32\DRIVERS\HP24X.sys [x]

S0 SmartDefragDriver;SmartDefragDriver;c:\windows\System32\Drivers\SmartDefragDriver.sys [x]

S2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [x]

S3 FileMonitor;FileMonitor;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys [x]

S3 RegFilter;RegFilter;c:\program files\IObit\IObit Malware Fighter\drivers\wxp_x86\regfilter.sys [x]

S3 UrlFilter;UrlFilter;c:\program files\IObit\IObit Malware Fighter\drivers\wxp_x86\UrlFilter.sys [x]

.

.

Contents of the 'Scheduled Tasks' folder

.

2012-11-12 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 01:30]

.

2012-11-12 c:\windows\Tasks\ASC6_PerformanceMonitor.job

- c:\program files\IObit\Advanced SystemCare 6\Monitor.exe [2012-11-07 01:33]

.

2012-11-12 c:\windows\Tasks\avast! Emergency Update.job

- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2012-11-07 23:50]

.

2012-11-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-23 20:18]

.

2012-11-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-23 20:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchURL,(Default) = hxxp://search.alot.com/web?q=&pr=auto&client_id=830B137001CC102401DF0351&src_id=30028&camp_id=2588&tb_version=1.0.7000.4(B)

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: download.com

TCP: DhcpNameServer = 75.75.75.75 75.75.76.76

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-11-12 15:01

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-790525478-1177238915-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ce,36,b0,60,68,c7,58,48,8c,6f,40,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,db,c8,4d,d3,ed,9c,1f,41,9c,7e,d6,\

"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,45,e6,a8,25,c1,02,9b,44,aa,1b,d4,\

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(30584)

c:\windows\system32\ieframe.dll

c:\windows\system32\msls31.dll

c:\windows\system32\webcheck.dll

.

Completion time: 2012-11-12 15:03:40

ComboFix-quarantined-files.txt 2012-11-12 20:03

ComboFix2.txt 2012-11-12 14:46

ComboFix3.txt 2012-11-10 21:44

ComboFix4.txt 2012-11-10 20:23

ComboFix5.txt 2012-11-12 19:55

.

Pre-Run: 307,923,656,704 bytes free

Post-Run: 307,919,245,312 bytes free

.

- - End Of File - - 4F7D43067ADFBC37AE22C935D642324F


  • Staff

Hello

I would like to see a report that combofix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box


C:\Qoobox\Add-Remove Programs.txt

  • click ok

copy and paste the report into this topic for me to review

Gringo


Adobe Flash Player 11 ActiveX

Adobe Reader 9.4.6

Advanced SystemCare 6

ALOT Appbar

avast! Free Antivirus

Belarc Advisor 8.2

Coupon Companion

Game Booster

Google Earth Plug-in

Google Update Helper

Hotfix for Windows XP (KB896256)

Hotfix for Windows XP (KB909095)

Hotfix for Windows XP (KB912436)

Hotfix for Windows XP (KB915326)

Hotfix for Windows XP (KB918005)

HP Broadband Wireless Modules

hp officejet 4100 series

HP PCMCIA Smart Card Reader

HP Photo and Imaging 2.0 - All-in-One

HP Photo and Imaging 2.0 - All-in-One Drivers

HP Photo and Imaging 2.0 - hp officejet 4100 series

HP ProtectTools Security Manager

HP Quick Launch Buttons 6.40 B2

IObit Malware Fighter

IObit Toolbar v6.5

Malwarebytes Anti-Malware version 1.65.1.1000

Microsoft .NET Framework 2.0

Microsoft Kernel-Mode Driver Framework Feature Pack 1.5

Microsoft Office Access MUI (English) 2007

Microsoft Office Access Setup Metadata MUI (English) 2007

Microsoft Office Excel MUI (English) 2007

Microsoft Office Outlook MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Professional 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Publisher MUI (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Word MUI (English) 2007

Microsoft Silverlight

Microsoft Software Update for Web Folders (English) 12

MSN

PandoraRecovery (Remove Only)

PokerStars.net

RICOH R5C853 Driver Ver.1.00.02

Smart Defrag 2

SoundMAX

Update for Windows XP (KB911164)

WebFldrs XP

Windows Installer 3.1 (KB893803)

Windows Internet Explorer 8

Windows XP Hotfix - KB883667

Windows XP Hotfix - KB885464

Windows XP Hotfix - KB885855

Windows XP Hotfix - KB888239

Windows XP Hotfix - KB888402

Windows XP Hotfix - KB889673

Windows XP Hotfix - KB892559

