
Ads playing in the background


slg1013


Hi,

Happy holidays to all...

We currently have ads (videos) that play in the background whenever we browse the internet. I've done a Malwarebytes scan that shows no issues. I've attached that log as well as the attach.txt and dds.txt logs requested.

Thank you very much for your help,

Steve

========================================================================================================

Malwarebytes Anti-Malware 1.65.1.1000

www.malwarebytes.org

Database version: v2012.12.23.07

Windows XP Service Pack 2 x86 NTFS

Internet Explorer 7.0.5730.11

jacob :: FR-FULLAG77-02 [administrator]

12/23/2012 9:25:19 PM

mbam-log-2012-12-23 (21-25-19).txt

Scan type: Full scan (C:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 467688

Time elapsed: 1 hour(s), 1 minute(s), 50 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

=======================================================================================================

DDS (Ver_2012-11-20.01) - NTFS_x86

Internet Explorer: 7.0.6000.16915 BrowserJavaVersion: 10.5.1

Run by jacob at 8:07:12 on 2012-12-24

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2023.1143 [GMT -8:00]

.

AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {62023A91-6924-406A-B25E-95154DCFF75D}

.

============== Running Processes ================

.

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\SCardSvr.exe

C:\WINDOWS\Explorer.EXE

C:\OfficeScan NT\pccntmon.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Logitech\Logitech WebCam Software\lws.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe

C:\Program Files\winzip\WZQKPICK.EXE

C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\OfficeScan NT\ntrtscan.exe

C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\WINDOWS\system32\Suss.exe

C:\OfficeScan NT\tmlisten.exe

C:\WINDOWS\system32\CCM\CcmExec.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\OfficeScan NT\CNTAoSMgr.exe

C:\WINDOWS\TEMP\ON4A45.EXE

C:\OfficeScan NT\tmproxy.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\Common Files\Java\Java Update\jucheck.exe

C:\Program Files\McAfee Security Scan\2.0.181\mcchsvc.exe

C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

C:\Documents and Settings\jacob\Application Data\Juniper Networks\Setup Client\junipersetupclient.exe

C:\Program Files\LogMeIn Hamachi\hamachi-2.exe

C:\Program Files\Google\GoogleToolbarNotifier\googletoolbarnotifier.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\WINDOWS\notepad.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://feed.snap.do/?publisher=VertiTechnology&dpid=VertiTechnology&co=US&userid=e130b1bd-5d9a-4482-b13b-3ed2aca999fb&searchtype=hp

uWindow Title = Microsoft Internet Explorer provided by Level 3 Communications LLC

uSearch Bar = hxxp://feed.snap.do/?publisher=VertiTechnology&dpid=VertiTechnology&co=US&userid=e130b1bd-5d9a-4482-b13b-3ed2aca999fb&searchtype=ds&q={searchTerms}

uSearch Page = hxxp://feed.snap.do/?publisher=VertiTechnology&dpid=VertiTechnology&co=US&userid=e130b1bd-5d9a-4482-b13b-3ed2aca999fb&searchtype=ds&q={searchTerms}

uSearchAssistant = hxxp://feed.snap.do/?publisher=VertiTechnology&dpid=VertiTechnology&co=US&userid=e130b1bd-5d9a-4482-b13b-3ed2aca999fb&searchtype=ds&q={searchTerms}

BHO: <No Name>: {036C0B59-4C38-4A34-87B8-143ED167DAFa} - <no file>

BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: InfoAtoms: {103089DA-0F31-4A8B-843F-7D24A7FE8345} - c:\program files\infoatoms\ie32\InfoAtomsClientIE.dll

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll

BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.8313.1002\swg.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll

TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: <No Name>: {ae07101b-46d4-4a98-af68-0333ea26e113} - LocalServer32 - <no file>

TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"

uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10p_ActiveX.exe -update activex

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [OfficeScanNT Monitor] "c:\officescan nt\pccntmon.exe" -HideWindow

mRun: [updateSerialNumber] c:\windows\system32\updateserial.exe /s

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start

dRunOnce: [VPNSelect] c:\program files\1468_eras\install\vpnselect.exe

dRunOnce: [tscuninstall] c:\windows\system32\tscupgrd.exe

dRunOnce: [sWHelper] "c:\windows\system32\macromed\shockwave 10\PostUpdate.exe" 1014020

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

mPolicies-Explorer: NoDriveTypeAutoRun = dword:145

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1263358362593

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1259617503062

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://d1ylr6sba64qi3.cloudfront.net/global/bin/srldetect_intel_4.1.66.0.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab

TCP: NameServer = 192.168.1.1

TCP: Interfaces\{8A444D1F-EE9F-48CA-B224-3121C2227343} : DHCPNameServer = 192.168.1.1

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

mASetup: {EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5} - rundll32.exe advpack.dll,LaunchINFSectionEx c:\windows\inf\wmactedp.inf,PerUserStub,,4

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\jacob\application data\mozilla\firefox\profiles\i5xkbq6g.default\

FF - prefs.js: browser.startup.homepage - hxxp://feed.snap.do/?publisher=VertiTechnology&dpid=VertiTechnology&co=US&userid=e130b1bd-5d9a-4482-b13b-3ed2aca999fb&searchtype=hp

FF - prefs.js: browser.search.selectedEngine - Web Search

FF - prefs.js: keyword.URL - hxxp://feed.snap.do/?publisher=VertiTechnology&dpid=VertiTechnology&co=US&userid=e130b1bd-5d9a-4482-b13b-3ed2aca999fb&searchtype=ds&q=

FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\nos\bin\np_gp.dll

FF - plugin: c:\programs\java\jre6\bin\new_plugin\npdeployJava1.dll

.

============= SERVICES / DRIVERS ===============

.

R1 SASDIFSV;SASDIFSV;c:\docume~1\jacob\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\docume~1\jacob\locals~1\temp\sas_selfextract\SASKUTIL.SYS [2010-5-10 67656]

R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2012-12-10 1435568]

R2 SU;SU Service;c:\windows\system32\Suss.exe [2006-5-8 17168]

R2 TmFilter;Trend Micro Filter;c:\officescan nt\tmxpflt.sys [2005-11-9 262416]

R2 TmPreFilter;Trend Micro PreFilter;c:\officescan nt\tmpreflt.sys [2005-11-9 36624]

R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2005-12-14 9049]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2006-7-27 36352]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-12-23 40776]

R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]

R3 TmProxy;OfficeScan NT Proxy Service;c:\officescan nt\TmProxy.exe [2009-5-12 652552]

S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2005-12-14 115008]

S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]

S3 cdiskdun;cdiskdun;\??\c:\docume~1\jacob\locals~1\temp\cdiskdun.sys --> c:\docume~1\jacob\locals~1\temp\cdiskdun.sys [?]

S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]

S3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2006-3-1 87936]

S4 WMPNetworkSvc32;Windows Media Player Network Sharing Service ; [x]

.

=============== Created Last 30 ================

.

2073-04-14 01:17:26 203576 ------w- c:\program files\microsoft games\age of empires iii\autopatcher2.exe

2012-12-24 00:38:49 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2012-12-15 20:33:17 -------- d-----w- c:\program files\LogMeIn Hamachi

.

==================== Find3M ====================

.

2012-09-30 03:54:26 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

1999-06-25 16:55:30 149504 ----a-w- c:\program files\UNWISE.EXE

.

============= FINISH: 8:07:42.21 ===============

=======================================================================================================

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 5/30/2007 12:36:01 PM

System Uptime: 11/22/2012 8:50:45 AM (768 hours ago)

.

Motherboard: Hewlett-Packard | | 0A58h

Processor: Intel® Core2 CPU 6300 @ 1.86GHz | XU1 PROCESSOR | 1860/1066mhz

Processor: Intel® Core2 CPU 6300 @ 1.86GHz | XU2 PROCESSOR | 1860/mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 75 GiB total, 16.003 GiB free.

D: is CDROM (CDFS)

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP886: 9/25/2012 5:27:47 PM - System Checkpoint

RP887: 9/26/2012 11:59:24 PM - System Checkpoint

RP888: 9/28/2012 1:06:12 AM - System Checkpoint

RP889: 9/30/2012 4:10:10 AM - System Checkpoint

RP890: 10/1/2012 4:26:45 AM - System Checkpoint

RP891: 10/3/2012 9:22:01 AM - System Checkpoint

RP892: 10/4/2012 3:30:27 PM - System Checkpoint

RP893: 10/5/2012 3:45:14 PM - System Checkpoint

RP894: 10/6/2012 4:31:44 PM - System Checkpoint

RP895: 10/7/2012 5:31:29 PM - System Checkpoint

RP896: 10/8/2012 6:24:25 PM - System Checkpoint

RP897: 10/9/2012 6:26:45 PM - System Checkpoint

RP898: 10/10/2012 7:23:38 PM - System Checkpoint

RP899: 10/11/2012 8:24:45 PM - System Checkpoint

RP900: 10/12/2012 9:24:45 PM - System Checkpoint

RP901: 10/13/2012 9:44:14 PM - System Checkpoint

RP902: 10/14/2012 10:44:14 PM - System Checkpoint

RP903: 10/15/2012 11:32:14 PM - System Checkpoint

RP904: 10/17/2012 12:56:14 AM - System Checkpoint

RP905: 10/18/2012 1:08:15 AM - System Checkpoint

RP906: 10/19/2012 1:43:13 AM - System Checkpoint

RP907: 10/20/2012 2:43:13 AM - System Checkpoint

RP908: 10/21/2012 3:43:14 AM - System Checkpoint

RP909: 10/22/2012 4:43:14 AM - System Checkpoint

RP910: 10/23/2012 8:35:59 PM - System Checkpoint

RP911: 10/24/2012 9:30:12 PM - System Checkpoint

RP912: 10/25/2012 9:41:48 PM - System Checkpoint

RP913: 10/26/2012 10:29:12 PM - System Checkpoint

RP914: 10/27/2012 11:41:12 PM - System Checkpoint

RP915: 10/29/2012 1:05:12 AM - System Checkpoint

RP916: 10/30/2012 1:41:42 AM - System Checkpoint

RP917: 10/31/2012 2:29:12 AM - System Checkpoint

RP918: 11/1/2012 3:29:12 AM - System Checkpoint

RP919: 11/2/2012 3:41:12 AM - System Checkpoint

RP920: 11/3/2012 4:41:12 AM - System Checkpoint

RP921: 11/4/2012 4:29:12 AM - System Checkpoint

RP922: 11/5/2012 5:29:12 AM - System Checkpoint

RP923: 11/6/2012 5:41:12 AM - System Checkpoint

RP924: 11/7/2012 10:10:09 AM - System Checkpoint

RP925: 11/8/2012 10:11:52 AM - System Checkpoint

RP926: 11/9/2012 10:24:19 AM - System Checkpoint

RP927: 11/10/2012 10:36:18 AM - System Checkpoint

RP928: 11/11/2012 11:58:49 AM - System Checkpoint

RP929: 11/12/2012 1:21:48 PM - System Checkpoint

RP930: 11/13/2012 1:35:16 PM - System Checkpoint

RP931: 11/14/2012 2:23:25 PM - System Checkpoint

RP932: 11/15/2012 5:52:41 PM - System Checkpoint

RP933: 11/16/2012 6:07:48 PM - System Checkpoint

RP934: 11/17/2012 3:37:41 PM - Removed Snap.Do

RP935: 11/18/2012 5:14:23 PM - System Checkpoint

RP936: 11/19/2012 5:43:55 PM - System Checkpoint

RP937: 11/21/2012 9:50:06 PM - System Checkpoint

RP938: 11/23/2012 10:29:11 AM - System Checkpoint

RP939: 11/24/2012 11:45:15 AM - System Checkpoint

RP940: 11/25/2012 12:14:25 PM - System Checkpoint

RP941: 11/26/2012 5:44:48 PM - System Checkpoint

RP942: 11/27/2012 10:33:14 PM - System Checkpoint

RP943: 11/28/2012 11:10:18 PM - System Checkpoint

RP944: 11/30/2012 1:09:17 AM - System Checkpoint

RP945: 12/1/2012 2:21:15 AM - System Checkpoint

RP946: 12/2/2012 3:21:14 AM - System Checkpoint

RP947: 12/3/2012 4:07:10 AM - System Checkpoint

RP948: 12/4/2012 5:06:09 AM - System Checkpoint

RP949: 12/5/2012 5:17:09 AM - System Checkpoint

RP950: 12/6/2012 6:17:09 AM - System Checkpoint

RP951: 12/7/2012 7:53:21 AM - System Checkpoint

RP952: 12/8/2012 7:38:04 PM - System Checkpoint

RP953: 12/10/2012 6:03:58 PM - System Checkpoint

RP954: 12/11/2012 9:11:14 PM - System Checkpoint

RP955: 12/12/2012 10:08:44 PM - System Checkpoint

RP956: 12/13/2012 10:56:47 PM - System Checkpoint

RP957: 12/15/2012 5:01:11 AM - System Checkpoint

RP958: 12/16/2012 5:54:42 AM - System Checkpoint

RP959: 12/17/2012 6:53:42 AM - System Checkpoint

RP960: 12/18/2012 5:42:29 PM - System Checkpoint

RP961: 12/19/2012 6:12:01 PM - System Checkpoint

RP962: 12/20/2012 8:32:01 PM - System Checkpoint

RP963: 12/21/2012 8:48:20 PM - System Checkpoint

RP964: 12/22/2012 9:07:12 PM - System Checkpoint

RP965: 12/23/2012 10:38:49 PM - System Checkpoint

.

==== Installed Programs ======================

.

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 8

Adobe Shockwave Player

Age of Empires III

AstroViewer 3.1.3

CentraOne

Compatibility Pack for the 2007 Office system

Conexant D110 MDC V.92 Modem

Configuration Manager Client

DST_Client_Update

eRAS

GoldERas

Google Chrome

Google SketchUp 7

Google Toolbar for Internet Explorer

Google Update Helper

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Format SDK (KB902344)

Hotfix for Windows XP (KB896344)

Hotfix for Windows XP (KB914440)

Hotfix for Windows XP (KB915865)

Hotfix for Windows XP (KB926239)

Hotfix for Windows XP (KB935448)

InfoAtoms

Intel® Graphics Media Accelerator Driver

Intel® PRO Network Connections Drivers

InterVideo WinDVD

Java Auto Updater

Java 6 Update 30

Java 7 Update 5

JavaFX 2.1.1

Juniper Networks, Inc. Setup Client

Juniper Networks, Inc. Setup Client Activex Control

Juniper Terminal Services Client

l3c_screen_saver03Wd

Logitech Webcam Software

Logitech Webcam Software Driver Package

LogMeIn Hamachi

Macromedia Flash Player 8

Macromedia Shockwave Player

Malwarebytes Anti-Malware version 1.65.1.1000

McAfee Security Scan Plus

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB953297)

Microsoft .NET Framework 2.0 Service Pack 1

Microsoft .NET Framework 3.0

Microsoft Base Smart Card Cryptographic Service Provider Package

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Office 2003 Web Components

Microsoft Office Professional Edition 2003

Microsoft Office Visio Viewer 2003 (English)

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft_Messenger_5_1

Microsoft_Net_FrameWork_1_1

Mozilla Firefox (3.0.15)

Mozilla Thunderbird (2.0.0.23)

MSXML 6 Service Pack 2 (KB954459)

NetMeeting_3.01_B5_(Win_NT)-1

Nortel Networks

Nortel Networks Contivity VPN Client

Pokemon Online

Pokemon Online 2.0.05d

QuickTime

RDC

Realtek High Definition Audio Driver

RMV_VPN_ENTRIES

RollerCoaster Tycoon® 3

SCCM_MIGRATION

Scratch

SDF_Security_Controls_V2

SDF_Security_Controls_V3

Security Update for Windows Internet Explorer 7 (KB929969)

Security Update for Windows Internet Explorer 7 (KB931768)

Security Update for Windows Internet Explorer 7 (KB974455)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player 10 (KB911565)

Security Update for Windows Media Player 10 (KB917734)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows XP (KB890046)

Security Update for Windows XP (KB893066)

Security Update for Windows XP (KB893756)

Security Update for Windows XP (KB896358)

Security Update for Windows XP (KB896422)

Security Update for Windows XP (KB896423)

Security Update for Windows XP (KB896424)

Security Update for Windows XP (KB896428)

Security Update for Windows XP (KB896688)

Security Update for Windows XP (KB899587)

Security Update for Windows XP (KB899588)

Security Update for Windows XP (KB899589)

Security Update for Windows XP (KB899591)

Security Update for Windows XP (KB900725)

Security Update for Windows XP (KB901017)

Security Update for Windows XP (KB901214)

Security Update for Windows XP (KB902400)

Security Update for Windows XP (KB904706)

Security Update for Windows XP (KB905414)

Security Update for Windows XP (KB905749)

Security Update for Windows XP (KB908519)

Security Update for Windows XP (KB911280)

Security Update for Windows XP (KB911562)

Security Update for Windows XP (KB911567)

Security Update for Windows XP (KB911927)

Security Update for Windows XP (KB912812)

Security Update for Windows XP (KB912919)

Security Update for Windows XP (KB913446)

Security Update for Windows XP (KB913580)

Security Update for Windows XP (KB914388)

Security Update for Windows XP (KB914389)

Security Update for Windows XP (KB916281)

Security Update for Windows XP (KB917159)

Security Update for Windows XP (KB917344)

Security Update for Windows XP (KB917422)

Security Update for Windows XP (KB917953)

Security Update for Windows XP (KB918118)

Security Update for Windows XP (KB918439)

Security Update for Windows XP (KB918899)

Security Update for Windows XP (KB919007)

Security Update for Windows XP (KB920213)

Security Update for Windows XP (KB920214)

Security Update for Windows XP (KB920670)

Security Update for Windows XP (KB920683)

Security Update for Windows XP (KB920685)

Security Update for Windows XP (KB921398)

Security Update for Windows XP (KB921883)

Security Update for Windows XP (KB922616)

Security Update for Windows XP (KB922760)

Security Update for Windows XP (KB922819)

Security Update for Windows XP (KB923191)

Security Update for Windows XP (KB923414)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB923694)

Security Update for Windows XP (KB923980)

Security Update for Windows XP (KB924191)

Security Update for Windows XP (KB924270)

Security Update for Windows XP (KB924496)

Security Update for Windows XP (KB924667)

Security Update for Windows XP (KB925486)

Security Update for Windows XP (KB925902)

Security Update for Windows XP (KB926255)

Security Update for Windows XP (KB926436)

Security Update for Windows XP (KB927779)

Security Update for Windows XP (KB927802)

Security Update for Windows XP (KB928090)

Security Update for Windows XP (KB928255)

Security Update for Windows XP (KB928843)

Security Update for Windows XP (KB930178)

Security Update for Windows XP (KB931261)

Security Update for Windows XP (KB931768)

Security Update for Windows XP (KB931784)

Security Update for Windows XP (KB932168)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB943055)

Security Update for Windows XP (KB945553)

Security Update for Windows XP (KB946026)

Security Update for Windows XP (KB950749)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371-v2)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB971032)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB975025)

Skype Click to Call

Skype™ 5.10

SPORE™

StarCraft II

System Requirements Lab CYRI

System Requirements Lab for Intel

Texas Instruments PCIxx21/x515 drivers.

TI_Inst

Trend Micro OfficeScan Client

Update for Windows XP (KB896727)

Update for Windows XP (KB898461)

Update for Windows XP (KB900485)

Update for Windows XP (KB904942)

Update for Windows XP (KB908531)

Update for Windows XP (KB910437)

Update for Windows XP (KB916595)

Update for Windows XP (KB920342)

Update for Windows XP (KB920872)

Update for Windows XP (KB922582)

Update for Windows XP (KB923845)

Update for Windows XP (KB925720)

Update for Windows XP (KB925876)

Update for Windows XP (KB927891)

Update for Windows XP (KB929338)

Update for Windows XP (KB930916)

Update for Windows XP (KB931836)

Update for Windows XP (KB933360)

Update for Windows XP (KB973815)

VanDyke Software SecureCRT 4.0

WebFldrs XP

WIMGAPI

Windows Communication Foundation

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage v1.3.0254.0

Windows Genuine Advantage Validation Tool (KB892130)

Windows Imaging Component

Windows Installer 3.1 (KB893803)

Windows Internet Explorer 7

Windows Media Format 11 runtime

Windows Media Player 11

Windows Media Player Enterprise Deployment

Windows Messenger 5.1

Windows Presentation Foundation

Windows Workflow Foundation

Windows XP Hotfix - KB873333

Windows XP Hotfix - KB873339

Windows XP Hotfix - KB885250

Windows XP Hotfix - KB885626

Windows XP Hotfix - KB885835

Windows XP Hotfix - KB885836

Windows XP Hotfix - KB886185

Windows XP Hotfix - KB887742

Windows XP Hotfix - KB888113

Windows XP Hotfix - KB888302

Windows XP Hotfix - KB890859

Windows XP Hotfix - KB891781

Windows XP Hotfix - KB893086

WinRAR archiver

Winzip_9_0

World of Warcraft

XML Paper Specification Shared Components Pack 1.0

Yontoo Layers Client 1.10.01

.

==== Event Viewer Messages From Past Week ========

.

12/18/2012 5:14:08 PM, error: NETLOGON [5719] - No Domain Controller is available for domain LEVEL3 due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.

.

==== End Of File ===========================


Please run the MGA Diagnostic Tool and post back the report it creates:


  • Download MGADiag (go.microsoft.com/fwlink/?linkid=52012) to your desktop.
  • Double-click on MGADiag.exe to launch the program
  • Click "Continue"
  • Ensure that the "Windows" tab is selected (it should be by default).
  • Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
  • Paste the MGA Diagnostic Report back here in your next reply.


Thanks for the help. Here is the output from MGADiag.

Diagnostic Report (1.9.0027.0):

-----------------------------------------

Windows Validation Data-->

Validation Status: Genuine

Validation Code: 0

Cached Validation Code: N/A

Windows Product Key: *****-*****-GR9XK-2B7R7-M9JDG

Windows Product Key Hash: /JfXvsiyipCYBuA5hXwPoYrH/80=

Windows Product ID: 76487-640-1853065-23814

Windows Product ID Type: 1

Windows License Type: Volume

Windows OS version: 5.1.2600.2.00010100.2.0.pro

ID: {E00A13DB-E857-4DA2-8109-02BC628FC7D7}(1)

Is Admin: Yes

TestCab: 0x0

LegitcheckControl ActiveX: Registered, 1.7.18.5

Signed By: Microsoft

Product Name: N/A

Architecture: N/A

Build lab: N/A

TTS Error: N/A

Validation Diagnostic: 025D1FF3-230-1

Resolution Status: N/A

Vista WgaER Data-->

ThreatID(s): N/A

Version: N/A

Windows XP Notifications Data-->

Cached Result: 0

File Exists: Yes

Version: 1.7.18.5

WgaTray.exe Signed By: Microsoft

WgaLogon.dll Signed By: Microsoft

OGA Notifications Data-->

Cached Result: N/A, hr = 0x80070002

Version: N/A, hr = 0x80070002

OGAExec.exe Signed By: N/A, hr = 0x80070002

OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->

Office Status: 100 Genuine

Microsoft Office Professional Edition 2003 - 100 Genuine

OGA Version: N/A, 0x80070002

Signed By: N/A, hr = 0x80070002

Office Diagnostics: 77F760FE-153-80070002_7E90FEE8-175-80070002_025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005

Browser Data-->

Proxy settings:

User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)

Default Browser: C:\Program Files\Google\Chrome\Application\chrome.exe

Download signed ActiveX controls: Prompt

Download unsigned ActiveX controls: Disabled

Run ActiveX controls and plug-ins: Allowed

Initialize and script ActiveX controls not marked as safe: Disabled

Allow scripting of Internet Explorer Webbrowser control: Disabled

Active scripting: Allowed

Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->

Office Details: <GenuineResults><MachineData><UGUID>{E00A13DB-E857-4DA2-8109-02BC628FC7D7}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.2.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-M9JDG</PKey><PID>76487-640-1853065-23814</PID><PIDType>1</PIDType><SID>S-1-5-21-1647371527-1279371858-1987657003</SID><SYSTEM><Manufacturer>Hewlett-Packard</Manufacturer><Model>HP Compaq dc7700 Convertible Minitower</Model></SYSTEM><BIOS><Manufacturer>Hewlett-Packard</Manufacturer><Version>786E1 v01.09</Version><SMBIOSVersion major="2" minor="4"/><Date>20070105000000.000000+000</Date></BIOS><HWID>CD8F3EDF0184607A</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Pacific Standard Time(GMT-08:00)</TimeZone><iJoin>1</iJoin><SBID><stat>2</stat><msppid></msppid><name>Level 3 Communications</name><model>4.5.5-UACPI</model></SBID><OEM/><GANotification><File Name="WgaTray.exe" Version="1.7.18.5"/><File Name="WgaLogon.dll" Version="1.7.18.5"/></GANotification></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90110409-6000-11D3-8CFE-0150048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional Edition 2003</Name><Ver>11</Ver><Val>84E89B10D4C4500</Val><Hash>unRgoZ38nX3xA6NeF353l5u6LzE=</Hash><Pid>73931-640-0574237-57379</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="11" Result="100"/><App Id="16" Version="11" Result="100"/><App Id="18" Version="11" Result="100"/><App Id="19" Version="11" Result="100"/><App Id="1A" Version="11" Result="100"/><App Id="1B" Version="11" Result="100"/><App Id="44" Version="11" Result="100"/></Applications></Office></Software></GenuineResults>

Licensing Data-->

N/A

Windows Activation Technologies-->

N/A

HWID Data-->

N/A

OEM Activation 1.0 Data-->

BIOS string matches: yes

Marker string from BIOS: 7619:Compaq Computer Corporation|1198C:Compaq Computer Corporation|1FFEA:Compaq Computer Corporation|B978:Compaq Computer Corporation|119B3:Compaq Computer Corporation|119B3:Compaq Computer Corporation|1FFEA:Hewlett-Packard Company|B978:Hewlett-Packard Company

Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

OEM Activation 2.0 Data-->

N/A


Thanks for the log. There is only Service Pack 2 (SP2); why no Service Pack 3 (SP3)? Any reason?

Continue as follows:

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from the following link :-

http://download.blee...Bs/ComboFix.exe

  • Ensure that Combofix is saved directly to the Desktop <--- Very important
  • Disable all security programs, as they will have a negative effect on Combofix; instructions are available here http://www.bleepingc...opic114351.html if required. Be aware the list may not have all programs listed; if you need more help, please ask.
  • Close any open browsers and any other programs you might have running.
  • Double-click the combofix.gif icon to run the tool (Vista or Windows 7 users right-click and select "Run as Administrator").
  • Instructions for running Combofix are available here http://www.bleepingc...to-use-combofix if required.
  • If you are using Windows XP, it might display a pop-up saying "Recovery console is not installed, do you want to install?" Please select Yes and let it download the files it needs to do this. Once the Recovery Console is installed, Combofix will then offer to scan for malware. Select Continue or Yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review.

****Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall or freeze. ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you, please tell us when you reply. Read here http://thespykiller....dex.php?page=20 why disabling autoruns is recommended.

*EXTRA NOTES*

  • If Combofix detects any rootkit/bootkit activity on your system, it will give a warning and prompt for a reboot; you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

Post the log in your next reply please...

Kevin


This is an old work machine, so I don't have complete control over the box. When I attempt to run Combofix, it complains about Trend Micro OfficeScan needing to be disabled. Unfortunately, I don't have the password to do this. Is it still safe to run Combofix? It's giving a pretty ominous warning about running at my own risk.

Thanks


Hiya Steve,

Normally, if you are using a company system we cannot offer help; you should really contact your own IT dept. I did report and ask for a Moderator to make a decision on this thread; as yet there has been no intervention, so I guess we can carry on.

It is essential that all security is turned OFF before Combofix is run; if not, it could end up with a defunct system. In that situation all is lost. Are you able to either turn off or completely UNinstall the security system?

Kevin....


I can't "unload OfficeScan" from its menu. There is an OfficeScan client that I can uninstall (in Add/Remove Programs), but I'm not sure if that will completely disable the security system (i.e., I'm not convinced that the client is anything other than an interactive user interface). There are several "OfficeScan" services (in addition to a McAfee service) that I can turn off. Do you think that will be sufficient? Are there other tools that can be run instead of Combofix that might help with the ads issue?

Thanks again...


If we run any tools to scan/fix the system, Trend Micro OfficeScan security will possibly stop them from running. If you are prepared to run the risk of ending up with an unbootable system, that is your choice.

OK, see what MBAR returns; this is a diagnose-only check:

1. Download Malwarebytes Anti-Rootkit from this link http://www.malwarebytes.org/products/mbar/

2. Unzip the File to a convenient location. (Recommend the Desktop)

3. Open the folder where the contents were unzipped to run mbar.exe

Image1.png

4. Double-click on the mbar.exe file; you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run, and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers, you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:

mbarwm.png

5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you log in, MBAR will automatically start and you will now be at the start screen. (If there is no rootkit warning, you will go from step 4 to step 6.)

6. The following image opens; select Next.

Image2.png

7. The following image opens; select Update.

Image3.png

8. When the update completes, select Next.

Image4.png

9. In the following window, ensure "Targets" are ticked. Then select "Scan".

Image5.png

10. If any infections are found, the "Cleanup" button to remove threats will be available. The infected files will be listed like the following example:

MBAntiRKclean.png

11. Do not select the "Clean up" button; select the "Exit" button. There will be a warning as follows:

MBAntiRKclean1.png

12. Select "Yes" to close down the program. If NO infections were found, you will see the following image:

Image6.png

13. Select "Exit" to close down.

14. Copy and paste the two following logs from the mbar folder:

System log

Mbar log (the date and time of the scan will also be shown)

Image10.png

Post those two logs in your reply.

Kevin....


Hi Kevin,

MBAR found no malware. I've turned off the OfficeScanNT RealTime Scan service...

Here is the system-log.txt file

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1011

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 2 x86

Account is Administrative

Internet Explorer version: 7.0.5730.11

Java version: 1.6.0_30

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED

CPU speed: 1.860000 GHz

Memory total: 2121515008, free: 978894848

------------ Kernel report ------------

12/27/2012 18:47:45

------------ Loaded modules -----------

\WINDOWS\system32\ntkrnlpa.exe

\WINDOWS\system32\hal.dll

\WINDOWS\system32\KDCOM.DLL

\WINDOWS\system32\BOOTVID.dll

ACPI.sys

\WINDOWS\system32\DRIVERS\WMILIB.SYS

pci.sys

isapnp.sys

compbatt.sys

\WINDOWS\system32\DRIVERS\BATTC.SYS

pciide.sys

\WINDOWS\system32\DRIVERS\PCIIDEX.SYS

intelide.sys

pcmcia.sys

MountMgr.sys

ftdisk.sys

dmload.sys

dmio.sys

PartMgr.sys

VolSnap.sys

atapi.sys

iaStor.sys

disk.sys

\WINDOWS\system32\DRIVERS\CLASSPNP.SYS

fltMgr.sys

sr.sys

KSecDD.sys

Ntfs.sys

NDIS.sys

Mup.sys

\SystemRoot\system32\DRIVERS\smsmdm.sys

\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS

\SystemRoot\system32\DRIVERS\igxpmp32.sys

\SystemRoot\system32\DRIVERS\HECI.sys

\SystemRoot\system32\DRIVERS\e1e5132.sys

\SystemRoot\system32\DRIVERS\usbuhci.sys

\SystemRoot\system32\DRIVERS\USBPORT.SYS

\SystemRoot\system32\DRIVERS\usbehci.sys

\SystemRoot\system32\DRIVERS\HDAudBus.sys

\SystemRoot\system32\DRIVERS\i8042prt.sys

\SystemRoot\system32\DRIVERS\mouclass.sys

\SystemRoot\system32\DRIVERS\kbdclass.sys

\SystemRoot\system32\DRIVERS\parport.sys

\SystemRoot\system32\DRIVERS\serial.sys

\SystemRoot\system32\DRIVERS\serenum.sys

\SystemRoot\system32\DRIVERS\fdc.sys

\SystemRoot\system32\DRIVERS\IFXTPM.SYS

\SystemRoot\system32\DRIVERS\intelppm.sys

\SystemRoot\system32\DRIVERS\wmiacpi.sys

\SystemRoot\system32\DRIVERS\audstub.sys

\SystemRoot\system32\DRIVERS\rasl2tp.sys

\SystemRoot\system32\DRIVERS\ndistapi.sys

\SystemRoot\system32\DRIVERS\ndiswan.sys

\SystemRoot\system32\DRIVERS\raspppoe.sys

\SystemRoot\system32\DRIVERS\raspptp.sys

\SystemRoot\system32\DRIVERS\TDI.SYS

\SystemRoot\system32\DRIVERS\psched.sys

\SystemRoot\system32\DRIVERS\msgpc.sys

\SystemRoot\system32\DRIVERS\ptilink.sys

\SystemRoot\system32\DRIVERS\raspti.sys

\SystemRoot\system32\DRIVERS\eacfilt.sys

\SystemRoot\system32\DRIVERS\ipsecw2k.sys

\SystemRoot\system32\DRIVERS\rdpdr.sys

\SystemRoot\system32\DRIVERS\termdd.sys

\SystemRoot\system32\DRIVERS\swenum.sys

\SystemRoot\system32\DRIVERS\ks.sys

\SystemRoot\system32\DRIVERS\update.sys

\SystemRoot\system32\DRIVERS\mssmbios.sys

\SystemRoot\System32\Drivers\NDProxy.SYS

\SystemRoot\system32\DRIVERS\usbhub.sys

\SystemRoot\system32\DRIVERS\USBD.SYS

\SystemRoot\system32\drivers\RtkHDAud.sys

\SystemRoot\system32\drivers\portcls.sys

\SystemRoot\system32\drivers\drmk.sys

\SystemRoot\System32\Drivers\Fs_Rec.SYS

\SystemRoot\System32\Drivers\Null.SYS

\SystemRoot\System32\Drivers\Beep.SYS

\SystemRoot\system32\DRIVERS\HIDPARSE.SYS

\SystemRoot\System32\drivers\vga.sys

\SystemRoot\System32\Drivers\mnmdd.SYS

\SystemRoot\System32\DRIVERS\RDPCDD.sys

\SystemRoot\System32\Drivers\Msfs.SYS

\SystemRoot\System32\Drivers\Npfs.SYS

\SystemRoot\system32\DRIVERS\rasacd.sys

\SystemRoot\system32\DRIVERS\ipsec.sys

\SystemRoot\system32\DRIVERS\tcpip.sys

\SystemRoot\system32\DRIVERS\netbt.sys

\SystemRoot\System32\drivers\afd.sys

\SystemRoot\system32\DRIVERS\netbios.sys

\SystemRoot\system32\DRIVERS\wanarp.sys

\SystemRoot\system32\DRIVERS\tmtdi.sys

\??\C:\DOCUME~1\jacob\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS

\??\C:\DOCUME~1\jacob\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS

\SystemRoot\system32\DRIVERS\rdbss.sys

\SystemRoot\system32\DRIVERS\mrxsmb.sys

\SystemRoot\System32\Drivers\Fips.SYS

\SystemRoot\System32\Drivers\dump_atapi.sys

\SystemRoot\System32\Drivers\dump_WMILIB.SYS

\SystemRoot\System32\win32k.sys

\SystemRoot\System32\drivers\Dxapi.sys

\SystemRoot\System32\watchdog.sys

\SystemRoot\System32\drivers\dxg.sys

\SystemRoot\System32\drivers\dxgthk.sys

\SystemRoot\System32\igxpgd32.dll

\SystemRoot\System32\igxprd32.dll

\SystemRoot\System32\igxpdv32.DLL

\SystemRoot\System32\igxpdx32.DLL

\SystemRoot\System32\ATMFD.DLL

\??\C:\OfficeScan NT\TmPreFlt.sys

\SystemRoot\system32\DRIVERS\ndisuio.sys

\SystemRoot\system32\drivers\wdmaud.sys

\SystemRoot\system32\drivers\sysaudio.sys

\SystemRoot\system32\DRIVERS\mrxdav.sys

\SystemRoot\System32\Drivers\ParVdm.SYS

\SystemRoot\system32\DRIVERS\srv.sys

\SystemRoot\system32\DRIVERS\mdmxsdk.sys

\SystemRoot\system32\DRIVERS\LVPr2Mon.sys

\SystemRoot\System32\Drivers\HTTP.sys

\SystemRoot\System32\Drivers\TDTCP.SYS

\SystemRoot\System32\Drivers\RDPWD.SYS

\SystemRoot\system32\DRIVERS\imapi.sys

\SystemRoot\system32\DRIVERS\cdrom.sys

\SystemRoot\system32\DRIVERS\redbook.sys

\SystemRoot\System32\Drivers\Cdfs.SYS

\SystemRoot\System32\Drivers\Fastfat.SYS

\SystemRoot\system32\DRIVERS\hamachi.sys

\SystemRoot\system32\DRIVERS\asyncmac.sys

\??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS

\SystemRoot\system32\drivers\kmixer.sys

\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys

\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys

\WINDOWS\system32\ntdll.dll

----------- End -----------

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xffffffff8a848ab8

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-3\

Lower Device Object: 0xffffffff8a889940

Lower Device Driver Name: \Driver\atapi\

Driver name found: atapi

DriverEntry returned 0x0

Function returned 0x0

Downloaded database version: v2012.12.28.01

Initializing...

Done!

<<<2>>>

Device number: 0, partition: 1

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xffffffff8a848ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff8a8bee08, DeviceName: Unknown, DriverName: \Driver\PartMgr\

DevicePointer: 0xffffffff8a848ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff8a894f18, DeviceName: \Device\00000085\, DriverName: \Driver\ACPI\

DevicePointer: 0xffffffff8a889940, DeviceName: \Device\Ide\IdeDeviceP0T0L0-3\, DriverName: \Driver\atapi\

------------ End ----------

Upper DeviceData: 0xffffffffe5585310, 0xffffffff8a848ab8, 0xffffffff89ab2ab8

Lower DeviceData: 0xffffffffe175f798, 0xffffffff8a889940, 0xffffffff895e4138

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Scanning directory: C:\WINDOWS\system32\drivers...

Done!

Drive 0

Scanning MBR on drive 0...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: CA8ECA8E

Partition information:

Partition 0 type is Primary (0x7)

Partition is ACTIVE.

Partition starts at LBA: 63 Numsec = 156296322

Partition file system is NTFS

Partition is bootable

Partition 1 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Disk Size: 80026361856 bytes

Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-156281488-156301488)...

Done!

Performing system, memory and registry scan...

Read File: File "C:\WINDOWS\$NtUninstallKB901214$\eula.txt" is compressed (flags = 1)

Read File: File "C:\WINDOWS\$NtUninstallKB891781$\update.ver" is compressed (flags = 1)

Read File: File "C:\WINDOWS\$NtUninstallKB893066$\update.ver" is compressed (flags = 1)

Read File: File "C:\WINDOWS\$NtUninstallKB893756$\eula.txt" is compressed (flags = 1)

Read File: File "C:\WINDOWS\$NtUninstallKB896422$\update.ver" is compressed (flags = 1)

Read File: File "C:\WINDOWS\$NtUninstallKB896423$\eula.txt" is compressed (flags = 1)

Read File: File "C:\WINDOWS\$NtUninstallKB896423$\update.ver" is compressed (flags = 1)

Read File: File "C:\WINDOWS\$NtUninstallKB896424$\eula.txt" is compressed (flags = 1)

Read File: File "C:\WINDOWS\$NtUninstallKB896428$\update.ver" is compressed (flags = 1)

Read File: File "C:\WINDOWS\$NtUninstallKB896688$\eula.txt" is compressed (flags = 1)

Read File: File "C:\WINDOWS\$NtUninstallKB896727$\eula.txt" is compressed (flags = 1)

Read File: File "C:\WINDOWS\$NtUninstallKB898461$\updatebr.inf" is compressed (flags = 1)

Read File: File "C:\WINDOWS\$NtUninstallKB899587$\eula.txt" is compressed (flags = 1)

Read File: File "C:\WINDOWS\$NtUninstallKB899587$\update.ver" is compressed (flags = 1)

Read File: File "C:\WINDOWS\$NtUninstallKB899588$\eula.txt" is compressed (flags = 1)

Read File: File "C:\WINDOWS\$NtUninstallKB899588$\update.ver" is compressed (flags = 1)

Read File: File "C:\WINDOWS\$NtUninstallKB899589$\eula.txt" is compressed (flags = 1)

Read File: File "C:\WINDOWS\$NtUninstallKB899589$\update.ver" is compressed (flags = 1)

Read File: File "C:\WINDOWS\$NtUninstallKB899591$\eula.txt" is compressed (flags = 1)

Read File: File "C:\WINDOWS\$NtUninstallKB899591$\update.ver" is compressed (flags = 1)

Read File: File "C:\WINDOWS\$NtUninstallKB900725$\eula.txt" is compressed (flags = 1)

Read File: File "C:\WINDOWS\$NtUninstallKB901017$\eula.txt" is compressed (flags = 1)

Read File: File "C:\WINDOWS\$NtUninstallKB901017$\update.ver" is compressed (flags = 1)

Read File: File "C:\WINDOWS\$NtUninstallKB902400$\eula.txt" is compressed (flags = 1)

Read File: File "C:\WINDOWS\$NtUninstallKB904706$\eula.txt" is compressed (flags = 1)

Read File: File "C:\WINDOWS\$NtUninstallKB904706$\update.ver" is compressed (flags = 1)

Read File: File "C:\WINDOWS\$NtUninstallKB905414$\eula.txt" is compressed (flags = 1)

Read File: File "C:\WINDOWS\$NtUninstallKB905414$\update.ver" is compressed (flags = 1)

Read File: File "C:\WINDOWS\$NtUninstallKB905749$\eula.txt" is compressed (flags = 1)

Read File: File "C:\WINDOWS\$NtUninstallKB905749$\update.ver" is compressed (flags = 1)

Read File: File "C:\WINDOWS\$NtUninstallKB908519$\eula.txt" is compressed (flags = 1)

Read File: File "C:\WINDOWS\$NtUninstallKB910437$\eula.txt" is compressed (flags = 1)

Read File: File "C:\WINDOWS\$NtUninstallKB910437$\update.ver" is compressed (flags = 1)

Read File: File "C:\WINDOWS\$NtUninstallKB912919$\update.ver" is compressed (flags = 1)

Read File: File "C:\WINDOWS\$NtUninstallKB873339$\update.ver" is compressed (flags = 1)

Read File: File "C:\WINDOWS\$NtUninstallKB885250$\update.ver" is compressed (flags = 1)

Read File: File "C:\WINDOWS\$NtUninstallKB885836$\update.ver" is compressed (flags = 1)

Read File: File "C:\WINDOWS\$NtUninstallKB886185$\update.ver" is compressed (flags = 1)

Read File: File "C:\WINDOWS\$NtUninstallKB886185$\updatebr.inf" is compressed (flags = 1)

Read File: File "C:\WINDOWS\$NtUninstallKB887742$\update.ver" is compressed (flags = 1)

Read File: File "C:\WINDOWS\$NtUninstallKB887742$\updatebr.inf" is compressed (flags = 1)

Read File: File "C:\WINDOWS\$NtUninstallKB888113$\update.ver" is compressed (flags = 1)

Read File: File "C:\WINDOWS\$NtUninstallKB888302$\update.ver" is compressed (flags = 1)

Done!

Scan finished

=======================================

Here is the mbar-log-2012-12-27 (19-00-23).txt file...

Malwarebytes Anti-Rootkit 1.01.0.1011

www.malwarebytes.org

Database version: v2012.12.28.01

Windows XP Service Pack 2 x86 NTFS

Internet Explorer 7.0.5730.11

jacob :: FR-FULLAG77-02 [administrator]

12/27/2012 7:00:23 PM

mbar-log-2012-12-27 (19-00-23).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 27577

Time elapsed: 11 minute(s), 50 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


OK, continue on with Combofix:

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from the following link :-

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

  • Ensure that Combofix is saved directly to the Desktop <--- Very important
  • Disable all security programs, as they will have a negative effect on Combofix; instructions are available here http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed; if you need more help, please ask.
  • Close any open browsers and any other programs you might have running.
  • Double-click the combofix.gif icon to run the tool (Vista or Windows 7 users right-click and select "Run as Administrator").
  • Instructions for running Combofix are available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.
  • If you are using Windows XP, it might display a pop-up saying "Recovery console is not installed, do you want to install?" Please select Yes and let it download the files it needs to do this. Once the Recovery Console is installed, Combofix will then offer to scan for malware. Select Continue or Yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review.

****Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall or freeze. ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you, please tell us when you reply. Read here http://thespykiller.co.uk/index.php?page=20 why disabling autoruns is recommended.

*EXTRA NOTES*

  • If Combofix detects any rootkit/bootkit activity on your system, it will give a warning and prompt for a reboot; you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

Post the log in your next reply please...

Kevin


Here is the Combofix log...

ComboFix 12-12-28.02 - jacob 12/28/2012 11:23:14.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2023.1401 [GMT -8:00]

Running from: c:\documents and settings\jacob\Desktop\ComboFix.exe

AV: Trend Micro OfficeScan Antivirus *Disabled/Outdated* {62023A91-6924-406A-B25E-95154DCFF75D}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\green.steve\Application Data\Mozilla\Firefox\Profiles\6w224wla.default\extensions\{5424256e-69b9-4361-8623-d55fc480f93b}

c:\documents and settings\green.steve\Application Data\Mozilla\Firefox\Profiles\6w224wla.default\extensions\{5424256e-69b9-4361-8623-d55fc480f93b}\chrome.manifest

c:\documents and settings\green.steve\Application Data\Mozilla\Firefox\Profiles\6w224wla.default\extensions\{5424256e-69b9-4361-8623-d55fc480f93b}\chrome\xulcache.jar

c:\documents and settings\green.steve\Application Data\Mozilla\Firefox\Profiles\6w224wla.default\extensions\{5424256e-69b9-4361-8623-d55fc480f93b}\defaults\preferences\xulcache.js

c:\documents and settings\green.steve\Application Data\Mozilla\Firefox\Profiles\6w224wla.default\extensions\{5424256e-69b9-4361-8623-d55fc480f93b}\install.rdf

c:\documents and settings\jacob\Application Data\Mozilla\Firefox\Profiles\i5xkbq6g.default\extensions\{5424256e-69b9-4361-8623-d55fc480f93b}

c:\documents and settings\jacob\Application Data\Mozilla\Firefox\Profiles\i5xkbq6g.default\extensions\{5424256e-69b9-4361-8623-d55fc480f93b}\chrome.manifest

c:\documents and settings\jacob\Application Data\Mozilla\Firefox\Profiles\i5xkbq6g.default\extensions\{5424256e-69b9-4361-8623-d55fc480f93b}\chrome\xulcache.jar

c:\documents and settings\jacob\Application Data\Mozilla\Firefox\Profiles\i5xkbq6g.default\extensions\{5424256e-69b9-4361-8623-d55fc480f93b}\defaults\preferences\xulcache.js

c:\documents and settings\jacob\Application Data\Mozilla\Firefox\Profiles\i5xkbq6g.default\extensions\{5424256e-69b9-4361-8623-d55fc480f93b}\install.rdf

c:\documents and settings\jacob\My Documents\~WRL0214.tmp

c:\documents and settings\jacob\My Documents\~WRL0224.tmp

c:\documents and settings\jacob\My Documents\~WRL0226.tmp

c:\documents and settings\jacob\My Documents\~WRL0323.tmp

c:\documents and settings\jacob\My Documents\~WRL0597.tmp

c:\documents and settings\jacob\My Documents\~WRL0725.tmp

c:\documents and settings\jacob\My Documents\~WRL0791.tmp

c:\documents and settings\jacob\My Documents\~WRL1129.tmp

c:\documents and settings\jacob\My Documents\~WRL1386.tmp

c:\documents and settings\jacob\My Documents\~WRL1563.tmp

c:\documents and settings\jacob\My Documents\~WRL1603.tmp

c:\documents and settings\jacob\My Documents\~WRL1709.tmp

c:\documents and settings\jacob\My Documents\~WRL2144.tmp

c:\documents and settings\jacob\My Documents\~WRL2166.tmp

c:\documents and settings\jacob\My Documents\~WRL2327.tmp

c:\documents and settings\jacob\My Documents\~WRL2478.tmp

c:\documents and settings\jacob\My Documents\~WRL2709.tmp

c:\documents and settings\jacob\My Documents\~WRL2874.tmp

c:\documents and settings\jacob\My Documents\~WRL3067.tmp

c:\documents and settings\jacob\My Documents\~WRL3373.tmp

c:\documents and settings\jacob\My Documents\~WRL3533.tmp

c:\documents and settings\jacob\srulumeque.tmp

c:\documents and settings\steve\Application Data\Mozilla\Firefox\Profiles\rwaj9zs3.default\extensions\{5424256e-69b9-4361-8623-d55fc480f93b}

c:\documents and settings\steve\Application Data\Mozilla\Firefox\Profiles\rwaj9zs3.default\extensions\{5424256e-69b9-4361-8623-d55fc480f93b}\chrome.manifest

c:\documents and settings\steve\Application Data\Mozilla\Firefox\Profiles\rwaj9zs3.default\extensions\{5424256e-69b9-4361-8623-d55fc480f93b}\chrome\xulcache.jar

c:\documents and settings\steve\Application Data\Mozilla\Firefox\Profiles\rwaj9zs3.default\extensions\{5424256e-69b9-4361-8623-d55fc480f93b}\defaults\preferences\xulcache.js

c:\documents and settings\steve\Application Data\Mozilla\Firefox\Profiles\rwaj9zs3.default\extensions\{5424256e-69b9-4361-8623-d55fc480f93b}\install.rdf

c:\windows\system32\URTTemp

c:\windows\system32\URTTemp\fusion.dll

c:\windows\system32\URTTemp\mscoree.dll

c:\windows\system32\URTTemp\mscoree.dll.local

c:\windows\system32\URTTemp\mscorsn.dll

c:\windows\system32\URTTemp\mscorwks.dll

c:\windows\system32\URTTemp\msvcr71.dll

c:\windows\system32\URTTemp\regtlib.exe

c:\windows\TEMP\logishrd\LVPrcInj01.dll

.

.

((((((((((((((((((((((((( Files Created from 2012-11-28 to 2012-12-28 )))))))))))))))))))))))))))))))

.

.

2073-04-14 01:17 . 2006-11-22 04:48 203576 ------w- c:\program files\Microsoft Games\Age of Empires III\autopatcher2.exe

2012-12-28 02:46 . 2012-12-28 02:46 -------- d-----w- C:\MBAntiRK

2012-12-24 16:53 . 2012-12-24 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

2012-12-15 20:33 . 2012-12-15 20:33 -------- d-----w- c:\program files\LogMeIn Hamachi

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-09-30 03:54 . 2009-12-01 04:22 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

1999-06-25 16:55 . 2005-12-14 23:00 149504 ----a-w- c:\program files\UNWISE.EXE

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{103089DA-0F31-4A8B-843F-7D24A7FE8345}]

2012-09-04 02:36 108112 ----a-w- c:\program files\InfoAtoms\IE32\InfoAtomsClientIE.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-05-17 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-12-14 155648]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]

"OfficeScanNT Monitor"="c:\officescan nt\pccntmon.exe" [2009-07-10 718120]

"UpdateSerialNumber"="c:\windows\system32\updateserial.exe" [2009-06-22 24576]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-12 143360]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-12 172032]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-12 143360]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2012-09-30 981656]

"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-05-08 2780432]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]

"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2012-12-11 2254768]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"VPNSelect"="c:\program files\1468_Eras\Install\vpnselect.exe" [2006-07-27 174684]

"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

.

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

ERAS.lnk - c:\program files\nortel networks\GroupSettings.EXE [2005-12-14 105707]

.

c:\documents and settings\sam\Start Menu\Programs\Startup\

ERAS.lnk - c:\program files\nortel networks\GroupSettings.EXE [2005-12-14 105707]

.

c:\documents and settings\LocalService\Start Menu\Programs\Startup\

ERAS.lnk - c:\program files\nortel networks\GroupSettings.EXE [2005-12-14 105707]

.

c:\documents and settings\NetworkService\Start Menu\Programs\Startup\

ERAS.lnk - c:\program files\nortel networks\GroupSettings.EXE [2005-12-14 105707]

.

c:\documents and settings\crowder.will\Start Menu\Programs\Startup\

ERAS.lnk - c:\program files\nortel networks\GroupSettings.EXE [2005-12-14 105707]

.

c:\documents and settings\l3svc.2000inst\Start Menu\Programs\Startup\

ERAS.lnk - c:\program files\nortel networks\GroupSettings.EXE [2005-12-14 105707]

.

c:\documents and settings\walton.james\Start Menu\Programs\Startup\

ERAS.lnk - c:\program files\nortel networks\GroupSettings.EXE [2005-12-14 105707]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-22 40048]

Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-22 734872]

McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

WinZip Quick Pick.lnk - c:\program files\winzip\WZQKPICK.EXE [2005-12-14 118784]

.

c:\documents and settings\Default User\Start Menu\Programs\Startup\

ERAS.lnk - c:\program files\nortel networks\GroupSettings.EXE [2005-12-14 105707]

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=

.

R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [12/10/2012 5:29 PM 1435568]

R2 SU;SU Service;c:\windows\system32\Suss.exe [5/8/2006 8:54 AM 17168]

R2 TmPreFilter;Trend Micro PreFilter;c:\officescan nt\tmpreflt.sys [11/9/2005 6:34 PM 36624]

R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [12/14/2005 2:56 PM 9049]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [7/27/2006 2:59 PM 36352]

R3 TmProxy;OfficeScan NT Proxy Service;c:\officescan nt\TmProxy.exe [5/12/2009 4:38 PM 652552]

S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\jacob\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\jacob\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]

S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\jacob\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\jacob\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]

S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [12/14/2005 2:56 PM 115008]

S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [7/13/2012 1:14 PM 160944]

S2 TmFilter;Trend Micro Filter;c:\officescan nt\tmxpflt.sys [11/9/2005 6:34 PM 262416]

S3 cdiskdun;cdiskdun;\??\c:\docume~1\jacob\LOCALS~1\Temp\cdiskdun.sys --> c:\docume~1\jacob\LOCALS~1\Temp\cdiskdun.sys [?]

S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 9:58 AM 11336]

S3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [3/1/2006 10:21 AM 87936]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 4:49 AM 227232]

S4 WMPNetworkSvc32;Windows Media Player Network Sharing Service ; [x]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]

2009-08-29 07:36 124928 ----a-w- c:\windows\system32\advpack.dll

.

Contents of the 'Scheduled Tasks' folder

.

2012-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-22 16:44]

.

2012-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-22 16:44]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://feed.snap.do/?publisher=VertiTechnology&dpid=VertiTechnology&co=US&userid=e130b1bd-5d9a-4482-b13b-3ed2aca999fb&searchtype=hp

uSearchAssistant = hxxp://feed.snap.do/?publisher=VertiTechnology&dpid=VertiTechnology&co=US&userid=e130b1bd-5d9a-4482-b13b-3ed2aca999fb&searchtype=ds&q={searchTerms}

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\jacob\Application Data\Mozilla\Firefox\Profiles\i5xkbq6g.default\

FF - prefs.js: browser.startup.homepage - hxxp://feed.snap.do/?publisher=VertiTechnology&dpid=VertiTechnology&co=US&userid=e130b1bd-5d9a-4482-b13b-3ed2aca999fb&searchtype=hp

FF - prefs.js: browser.search.selectedEngine - Web Search

FF - prefs.js: keyword.URL - hxxp://feed.snap.do/?publisher=VertiTechnology&dpid=VertiTechnology&co=US&userid=e130b1bd-5d9a-4482-b13b-3ed2aca999fb&searchtype=ds&q=

.

- - - - ORPHANS REMOVED - - - -

.

BHO-{036C0B59-4C38-4A34-87B8-143ED167DAFa} - (no file)

HKU-Default-RunOnce-SWHelper - c:\windows\system32\Macromed\Shockwave 10\PostUpdate.exe

SafeBoot-klmdb.sys

AddRemove-DST_Client_Update - c:\windows\INSTLOGS\UNWISE.EXE

AddRemove-RMV_VPN_ENTRIES - c:\windows\INSTLOGS\UNWISE.EXE

AddRemove-SCCM_MIGRATION - c:\windows\INSTLOGS\UNWISE.EXE

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-12-28 11:29

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WMPNetworkSvc32]

"ImagePath"=""

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1647371527-1279371858-1987657003-1062\Software\SecuROM\License information*]

"datasecu"=hex:b2,9c,13,16,41,76,d1,2d,54,40,54,30,18,38,e5,92,70,c8,1e,ae,1f,

ae,75,f7,2d,43,71,19,93,9c,22,41,6a,ac,df,50,29,e6,d9,35,be,59,ad,30,12,dc,\

"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(3836)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\SCardSvr.exe

c:\program files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe

c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

c:\officescan nt\tmlisten.exe

c:\windows\system32\CCM\CcmExec.exe

c:\windows\system32\igfxsrvc.exe

c:\windows\system32\msiexec.exe

c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe

c:\officescan nt\CNTAoSMgr.exe

c:\windows\system32\wbem\wmiapsrv.exe

c:\windows\system32\mmc.exe

.

**************************************************************************

.

Completion time: 2012-12-28 11:35:50 - machine was rebooted

ComboFix-quarantined-files.txt 2012-12-28 19:35

.

Pre-Run: 17,125,810,176 bytes free

Post-Run: 21,947,228,160 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - 1F4ACA5EF52657338AB366EF96824C14


1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the Codebox below into it:


ClearJavaCache::
File::
c:\program files\UNWISE.EXE
DDS::
uStart Page = hxxp://feed.snap.do/?publisher=VertiTechnology&dpid=VertiTechnology&co=US&userid=e130b1bd-5d9a-4482-b13b-3ed2aca999fb&searchtype=hp
uSearchAssistant = hxxp://feed.snap.do/?publisher=VertiTechnology&dpid=VertiTechnology&co=US&userid=e130b1bd-5d9a-4482-b13b-3ed2aca999fb&searchtype=ds&q={searchTerms}
FireFox::
FF - ProfilePath - c:\documents and settings\jacob\Application Data\Mozilla\Firefox\Profiles\i5xkbq6g.default\
FF - prefs.js: browser.startup.homepage - hxxp://feed.snap.do/?publisher=VertiTechnology&dpid=VertiTechnology&co=US&userid=e130b1bd-5d9a-4482-b13b-3ed2aca999fb&searchtype=hp
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: keyword.URL - hxxp://feed.snap.do/?publisher=VertiTechnology&dpid=VertiTechnology&co=US&userid=e130b1bd-5d9a-4482-b13b-3ed2aca999fb&searchtype=ds&q=

Save this as CFScript.txt, and as Type: All Files (*.*) in the same location as ComboFix.exe

[images: CF3.jpg, CFScriptB-4.gif]

Referring to the picture above, drag CFScript onto ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Next,

Run Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan - Vista and Win 7 users: right click on the IE shortcut and run as admin

Go to the ESET web page http://www.eset.com/home/products/online-scanner/ to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    Click Start
  • When asked, allow the add-on to be installed
    Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
    Click Scan
  • Wait for the virus definitions to be downloaded
  • Wait for the scan to finish

When the scan is complete

  • If no threats were found
  • put a checkmark in "Uninstall application on close"
  • close program
  • report to me that nothing was found

If threats were found

  • click on "list of threats found"
  • click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • put a checkmark in "Uninstall application on close"
  • click on finish

close program

copy and paste the report here

Post those two logs, also give an update on current issues/concerns...

Kevin
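The CFScript above targets the hijacked start page and search entries that the DDS section of the ComboFix log exposed, and the same log shows Security Center override values and a switched-off firewall profile. As an added illustration of how those log lines are read (example code written for this thread, not part of ComboFix, DDS, Malwarebytes or anything Kevin posted), here is a small Python triage script that scans DDS/ComboFix-style text for the two things a helper checks first: browser home/search URLs whose registrable domain is not on an allow-list, and Security Center / firewall values that silence or disable protection. The allow-list, the expected registry defaults and the one clean "mStart Page = hxxp://www.google.com/" line in the sample are assumptions constructed for the example; every other sample line is copied from the log posted earlier in this thread.

```python
"""Triage helper for DDS / ComboFix-style logs (added example; not a tool from this thread).

Flags what a removal helper reads first in these logs:
  * browser start page / search URLs whose registrable domain is not on an allow-list
    (the snap.do hijack in the thread's DDS section),
  * Windows Security Center override values and a switched-off firewall profile.
"""
import re
from urllib.parse import urlparse

# Domains a default install may legitimately point at: an assumption made for this example.
TRUSTED_SEARCH_DOMAINS = {"google.com", "bing.com", "msn.com", "yahoo.com"}

# Security Center / firewall values ComboFix prints, with the value a healthy machine carries
# (assumed defaults for this example; an Override of 1 silences the Security Center warning).
EXPECTED_REG_VALUES = {
    "AntiVirusOverride": 0,
    "FirewallOverride": 0,
    "DisableMonitoring": 0,
    "EnableFirewall": 1,
    "DisableNotifications": 0,
}

# DDS browser-setting lines, e.g. "uStart Page = hxxp://..." or "FF - prefs.js: keyword.URL - hxxp://..."
BROWSER_SETTING = re.compile(
    r"^(?P<key>[um](?:Start Page|Default_Page_URL|SearchAssistant|Search Page|Search Bar|SearchURL)"
    r"|FF - prefs\.js: [\w.]+)\s*[=-]\s*(?P<url>(?:hxxps?|https?)://\S+)"
)
# Registry value lines, e.g. '"AntiVirusOverride"=dword:00000001' or '"EnableFirewall"= 0 (0x0)'
REG_VALUE = re.compile(
    r'^"(?P<name>[^"]+)"\s*=\s*(?:dword:(?P<hexval>[0-9a-fA-F]{8})|(?P<decval>\d+)\s*\(0x[0-9a-fA-F]+\))'
)


def registrable_domain(url):
    """'snap.do' for hxxp://feed.snap.do/...; DDS defangs http as hxxp, so undo that first."""
    host = urlparse(re.sub(r"^hxxp", "http", url, count=1)).hostname or ""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def triage(log_text, trusted=TRUSTED_SEARCH_DOMAINS, expected=EXPECTED_REG_VALUES):
    """Return (category, where, detail) tuples for every suspicious line in the log."""
    findings = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]  # registry key the following values belong to
            continue
        m = REG_VALUE.match(line)
        if m and m.group("name") in expected:
            name = m.group("name")
            value = int(m.group("hexval"), 16) if m.group("hexval") else int(m.group("decval"))
            if value != expected[name]:
                findings.append(("registry", current_key, f"{name}={value} (expected {expected[name]})"))
            continue
        m = BROWSER_SETTING.match(line)
        if m:
            domain = registrable_domain(m.group("url"))
            if domain not in trusted:
                findings.append(("browser", m.group("key"), domain))
    return findings


# Sample input: lines copied from the ComboFix log in this thread, plus one constructed clean
# entry (mStart Page -> google.com) to show that allow-listed hosts are not reported.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
------- Supplementary Scan -------
uStart Page = hxxp://feed.snap.do/?publisher=VertiTechnology&dpid=VertiTechnology&co=US&userid=e130b1bd-5d9a-4482-b13b-3ed2aca999fb&searchtype=hp
uSearchAssistant = hxxp://feed.snap.do/?publisher=VertiTechnology&dpid=VertiTechnology&co=US&userid=e130b1bd-5d9a-4482-b13b-3ed2aca999fb&searchtype=ds&q={searchTerms}
mStart Page = hxxp://www.google.com/
TCP: DhcpNameServer = 192.168.1.1
FF - prefs.js: browser.startup.homepage - hxxp://feed.snap.do/?publisher=VertiTechnology&dpid=VertiTechnology&co=US&userid=e130b1bd-5d9a-4482-b13b-3ed2aca999fb&searchtype=hp
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: keyword.URL - hxxp://feed.snap.do/?publisher=VertiTechnology&dpid=VertiTechnology&co=US&userid=e130b1bd-5d9a-4482-b13b-3ed2aca999fb&searchtype=ds&q=
"""

if __name__ == "__main__":
    for category, where, detail in triage(SAMPLE_LOG):
        print(f"[{category}] {where}: {detail}")
```

On the sample it reports nine findings: the five registry values that silence Security Center or turn the firewall profile off, and the four browser settings that all resolve to snap.do; the constructed google.com start page is skipped. The point of keying on the registrable domain rather than the full URL is that hijackers rotate the host and tracking parameters (the userid GUID here) while the parent domain stays the same.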


Hi Kevin.

Thanks again for all your help...

The current issues are the same. When browsing the internet, video ads randomly pop up and play (it happens, for example, nearly every time I refresh this page). When playing youtube videos, sometimes 5 or 6 video ads all start playing at the same time...

The ESET online scan found 11 threats...

Steve

Here is the combofix log

ComboFix 12-12-28.02 - jacob 12/28/2012 14:57:53.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2023.1446 [GMT -8:00]

Running from: c:\documents and settings\jacob\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\jacob\Desktop\CFScript.txt

AV: Trend Micro OfficeScan Antivirus *Disabled/Outdated* {62023A91-6924-406A-B25E-95154DCFF75D}

.

FILE ::

"c:\program files\UNWISE.EXE"

.

.

((((((((((((((((((((((((( Files Created from 2012-11-28 to 2012-12-28 )))))))))))))))))))))))))))))))

.

.

2073-04-14 01:17 . 2006-11-22 04:48 203576 ------w- c:\program files\Microsoft Games\Age of Empires III\autopatcher2.exe

2012-12-28 02:46 . 2012-12-28 02:46 -------- d-----w- C:\MBAntiRK

2012-12-24 16:53 . 2012-12-24 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

2012-12-15 20:33 . 2012-12-15 20:33 -------- d-----w- c:\program files\LogMeIn Hamachi

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-09-30 03:54 . 2009-12-01 04:22 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

1999-06-25 16:55 . 2005-12-14 23:00 149504 ----a-w- c:\program files\UNWISE.EXE

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{103089DA-0F31-4A8B-843F-7D24A7FE8345}]

2012-09-04 02:36 108112 ----a-w- c:\program files\InfoAtoms\IE32\InfoAtomsClientIE.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-05-17 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-12-14 155648]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]

"OfficeScanNT Monitor"="c:\officescan nt\pccntmon.exe" [2009-07-10 718120]

"UpdateSerialNumber"="c:\windows\system32\updateserial.exe" [2009-06-22 24576]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-12 143360]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-12 172032]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-12 143360]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2012-09-30 981656]

"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-05-08 2780432]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]

"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2012-12-11 2254768]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"VPNSelect"="c:\program files\1468_Eras\Install\vpnselect.exe" [2006-07-27 174684]

"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

.

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

ERAS.lnk - c:\program files\nortel networks\GroupSettings.EXE [2005-12-14 105707]

.

c:\documents and settings\sam\Start Menu\Programs\Startup\

ERAS.lnk - c:\program files\nortel networks\GroupSettings.EXE [2005-12-14 105707]

.

c:\documents and settings\LocalService\Start Menu\Programs\Startup\

ERAS.lnk - c:\program files\nortel networks\GroupSettings.EXE [2005-12-14 105707]

.

c:\documents and settings\NetworkService\Start Menu\Programs\Startup\

ERAS.lnk - c:\program files\nortel networks\GroupSettings.EXE [2005-12-14 105707]

.

c:\documents and settings\crowder.will\Start Menu\Programs\Startup\

ERAS.lnk - c:\program files\nortel networks\GroupSettings.EXE [2005-12-14 105707]

.

c:\documents and settings\l3svc.2000inst\Start Menu\Programs\Startup\

ERAS.lnk - c:\program files\nortel networks\GroupSettings.EXE [2005-12-14 105707]

.

c:\documents and settings\walton.james\Start Menu\Programs\Startup\

ERAS.lnk - c:\program files\nortel networks\GroupSettings.EXE [2005-12-14 105707]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-22 40048]

Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-22 734872]

McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

WinZip Quick Pick.lnk - c:\program files\winzip\WZQKPICK.EXE [2005-12-14 118784]

.

c:\documents and settings\Default User\Start Menu\Programs\Startup\

ERAS.lnk - c:\program files\nortel networks\GroupSettings.EXE [2005-12-14 105707]

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=

.

R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [12/10/2012 5:29 PM 1435568]

R2 SU;SU Service;c:\windows\system32\Suss.exe [5/8/2006 8:54 AM 17168]

R2 TmPreFilter;Trend Micro PreFilter;c:\officescan nt\tmpreflt.sys [11/9/2005 6:34 PM 36624]

R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [12/14/2005 2:56 PM 9049]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [7/27/2006 2:59 PM 36352]

R3 TmProxy;OfficeScan NT Proxy Service;c:\officescan nt\TmProxy.exe [5/12/2009 4:38 PM 652552]

S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\jacob\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\jacob\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]

S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\jacob\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\jacob\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]

S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [12/14/2005 2:56 PM 115008]

S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [7/13/2012 1:14 PM 160944]

S2 TmFilter;Trend Micro Filter;c:\officescan nt\tmxpflt.sys [11/9/2005 6:34 PM 262416]

S3 cdiskdun;cdiskdun;\??\c:\docume~1\jacob\LOCALS~1\Temp\cdiskdun.sys --> c:\docume~1\jacob\LOCALS~1\Temp\cdiskdun.sys [?]

S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 9:58 AM 11336]

S3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [3/1/2006 10:21 AM 87936]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 4:49 AM 227232]

S4 WMPNetworkSvc32;Windows Media Player Network Sharing Service ; [x]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]

2009-08-29 07:36 124928 ----a-w- c:\windows\system32\advpack.dll

.

Contents of the 'Scheduled Tasks' folder

.

2012-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-22 16:44]

.

2012-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-22 16:44]

.

.

------- Supplementary Scan -------

.

uSearchAssistant = hxxp://feed.snap.do/?publisher=VertiTechnology&dpid=VertiTechnology&co=US&userid=e130b1bd-5d9a-4482-b13b-3ed2aca999fb&searchtype=ds&q={searchTerms}

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\jacob\Application Data\Mozilla\Firefox\Profiles\i5xkbq6g.default\

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-12-28 15:04

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WMPNetworkSvc32]

"ImagePath"=""

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1647371527-1279371858-1987657003-1062\Software\SecuROM\License information*]

"datasecu"=hex:b2,9c,13,16,41,76,d1,2d,54,40,54,30,18,38,e5,92,70,c8,1e,ae,1f,

ae,75,f7,2d,43,71,19,93,9c,22,41,6a,ac,df,50,29,e6,d9,35,be,59,ad,30,12,dc,\

"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1436)

c:\windows\system32\igfxdev.dll

.

- - - - - - - > 'explorer.exe'(700)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2012-12-28 15:06:03

ComboFix-quarantined-files.txt 2012-12-28 23:05

ComboFix2.txt 2012-12-28 19:35

.

Pre-Run: 21,948,309,504 bytes free

Post-Run: 21,922,131,968 bytes free

.

- - End Of File - - 8ADFFB9380D61121FCB0317C2D069F9C

Here is the ESET online scan log

C:\Documents and Settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll Win32/Adware.Yontoo application

C:\Documents and Settings\jacob\Application Data\Mozilla\Firefox\Profiles\i5xkbq6g.default\extensions\plugin@yontoo.com\content\overlay.js Win32/Adware.Yontoo application

C:\Documents and Settings\jacob\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\ebnehkddfiaomejkimgflklafgimlgia\contentscript.js Win32/TrojanDownloader.Tracur.F trojan

C:\Documents and Settings\jacob\My Documents\Downloads\Pokemon-Online-v2.0.05-Setup.exe a variant of Win32/InstallCore.D application

C:\Documents and Settings\jacob\Pokemon Online\Themes\Classic\menu\cnet2_operapassview_zip.exe a variant of Win32/InstallCore.D application

C:\Qoobox\Quarantine\C\Documents and Settings\green.steve\Application Data\Mozilla\Firefox\Profiles\6w224wla.default\extensions\{5424256e-69b9-4361-8623-d55fc480f93b}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan

C:\Qoobox\Quarantine\C\Documents and Settings\jacob\Application Data\Mozilla\Firefox\Profiles\i5xkbq6g.default\extensions\{5424256e-69b9-4361-8623-d55fc480f93b}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan

C:\Qoobox\Quarantine\C\Documents and Settings\steve\Application Data\Mozilla\Firefox\Profiles\rwaj9zs3.default\extensions\{5424256e-69b9-4361-8623-d55fc480f93b}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan

C:\System Volume Information\_restore{EB7F1B06-164C-4636-B503-2DC3C06962D0}\RP969\A0062687.manifest Win32/TrojanDownloader.Tracur.F trojan

C:\System Volume Information\_restore{EB7F1B06-164C-4636-B503-2DC3C06962D0}\RP969\A0062688.manifest Win32/TrojanDownloader.Tracur.F trojan

C:\System Volume Information\_restore{EB7F1B06-164C-4636-B503-2DC3C06962D0}\RP969\A0062689.manifest Win32/TrojanDownloader.Tracur.F trojan


Download OTM from either of the following links and save to your Desktop:

http://oldtimer.geekstogo.com/OTM.exe.

http://www.itxassociates.com/OT-Tools/OTM.com

http://www.itxassociates.com/OT-Tools/OTM.exe

Double click OTM.exe to start the tool. Vista or Windows 7 users accept the UAC alert. Be aware all processes will be stopped during the run, also the Desktop will disappear; this will be put back on completion....

  • Copy the text from the code box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Files
    ipconfig /flushdns /c
    C:\Documents and Settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
    C:\Documents and Settings\jacob\Application Data\Mozilla\Firefox\Profiles\i5xkbq6g.default\extensions\plugin@yontoo.com\content\overlay.js
    C:\Documents and Settings\jacob\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\ebnehkddfiaomejkimgflklafgimlgia\contentscript.js
    C:\Documents and Settings\jacob\My Documents\Downloads\Pokemon-Online-v2.0.05-Setup.exe
    C:\Documents and Settings\jacob\Pokemon Online\Themes\Classic\menu\cnet2_operapassview_zip.exe
    C:\System Volume Information\_restore{EB7F1B06-164C-4636-B503-2DC3C06962D0}\RP969\A0062687.manifest
    C:\System Volume Information\_restore{EB7F1B06-164C-4636-B503-2DC3C06962D0}\RP969\A0062688.manifest
    C:\System Volume Information\_restore{EB7F1B06-164C-4636-B503-2DC3C06962D0}\RP969\A0062689.manifest
    :Commands
    [EmptyTemp]
    [CreateRestorePoint]


  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red [image: btnmoveit.png] button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

Next,

Download http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner by Xplode onto your Desktop.

  • Please close all open programs and internet browsers.
  • Double click on Adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with OK.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[sn].txt as well - n is the order number.

Post those two logs, let me know what issues remain.

Kevin


Hi Kevin,

It seems like the ads have stopped. I'll continue to browse to make sure that's really the case. In the meantime, here are the OTM and Adwcleaner logs...

OTM Log

All processes killed

========== FILES ==========

< ipconfig /flushdns /c >

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C:\Documents and Settings\jacob\My Documents\Downloads\cmd.bat deleted successfully.

C:\Documents and Settings\jacob\My Documents\Downloads\cmd.txt deleted successfully.

DllUnregisterServer procedure not found in C:\Documents and Settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll

C:\Documents and Settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll moved successfully.

C:\Documents and Settings\jacob\Application Data\Mozilla\Firefox\Profiles\i5xkbq6g.default\extensions\plugin@yontoo.com\content\overlay.js moved successfully.

C:\Documents and Settings\jacob\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\ebnehkddfiaomejkimgflklafgimlgia\contentscript.js moved successfully.

C:\Documents and Settings\jacob\My Documents\Downloads\Pokemon-Online-v2.0.05-Setup.exe moved successfully.

C:\Documents and Settings\jacob\Pokemon Online\Themes\Classic\menu\cnet2_operapassview_zip.exe moved successfully.

C:\System Volume Information\_restore{EB7F1B06-164C-4636-B503-2DC3C06962D0}\RP969\A0062687.manifest moved successfully.

C:\System Volume Information\_restore{EB7F1B06-164C-4636-B503-2DC3C06962D0}\RP969\A0062688.manifest moved successfully.

C:\System Volume Information\_restore{EB7F1B06-164C-4636-B503-2DC3C06962D0}\RP969\A0062689.manifest moved successfully.

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Java cache emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: All Users

User: crowder.will

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Java cache emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: Default User

->Temporary Internet Files folder emptied: 0 bytes

->Java cache emptied: 0 bytes

User: green.steve

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: jacob

->Temp folder emptied: 4992 bytes

->Temporary Internet Files folder emptied: 15344625 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 70674531 bytes

->Google Chrome cache emptied: 410277835 bytes

->Flash cache emptied: 121040 bytes

User: l3svc.2000inst

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Java cache emptied: 0 bytes

User: lee

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Java cache emptied: 0 bytes

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 32835 bytes

->Flash cache emptied: 0 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

->Flash cache emptied: 0 bytes

User: sam

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Java cache emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: steve

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: walton.james

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Java cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 345 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 67 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 473.00 mb

Restore point Set: OTM Restore Point

OTM by OldTimer - Version 3.1.21.0 log created on 12292012_082022

Files moved on Reboot...

Registry entries deleted on Reboot...

ADWCleaner log

# AdwCleaner v2.103 - Logfile created 12/29/2012 at 08:24:08

# Updated 25/12/2012 by Xplode

# Operating system : Microsoft Windows XP Service Pack 2 (32 bits)

# User : jacob - FR-FULLAG77-02

# Boot Mode : Normal

# Running from : C:\Documents and Settings\jacob\My Documents\Downloads\adwcleaner (1).exe

# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

File Deleted : C:\Documents and Settings\jacob\Application Data\Mozilla\Firefox\Profiles\i5xkbq6g.default\searchplugins\Web Search.xml

File Deleted : C:\Program Files\Mozilla Firefox\.autoreg

Folder Deleted : C:\Documents and Settings\All Users\Application Data\Tarma Installer

Folder Deleted : C:\Documents and Settings\jacob\Application Data\Mozilla\Firefox\Profiles\i5xkbq6g.default\extensions\plugin@yontoo.com

Folder Deleted : C:\Documents and Settings\jacob\Application Data\Mozilla\Firefox\Profiles\i5xkbq6g.default\extensions\staged

Folder Deleted : C:\Program Files\Yontoo Layers Client

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{006EE092-9658-4FD6-BD8E-A21A348E59F5}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE07101B-46D4-4A98-AF68-0333EA26E113}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\YontooIEClient.DLL

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7E84186E-B5DE-4226-8A66-6E49C6B511B4}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FE9271F2-6EFD-44B0-A826-84C829536E93}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}

Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Api

Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Api.1

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc

Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{006EE092-9658-4FD6-BD8E-A21A348E59F5}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}

Key Deleted : HKLM\Software\TENCENT

Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{AE07101B-46D4-4A98-AF68-0333EA26E113}]

***** [internet Browsers] *****

-\\ Internet Explorer v7.0.6000.16915

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Search - Default_Search_URL] = hxxp://feed.snap.do/?publisher=VertiTechnology&dpid=VertiTechnology&co=US&userid=e130b1bd-5d9a-4482-b13b-3ed2aca999fb&searchtype=ds&q={searchTerms} --> hxxp://www.google.com

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Search - SearchAssistant] = hxxp://feed.snap.do/?publisher=VertiTechnology&dpid=VertiTechnology&co=US&userid=e130b1bd-5d9a-4482-b13b-3ed2aca999fb&searchtype=ds&q={searchTerms} --> hxxp://www.google.com

-\\ Mozilla Firefox v3.0.15 (en-US)

File : C:\Documents and Settings\green.steve\Application Data\Mozilla\Firefox\Profiles\6w224wla.default\prefs.js

[OK] File is clean.

File : C:\Documents and Settings\jacob\Application Data\Mozilla\Firefox\Profiles\i5xkbq6g.default\prefs.js

[OK] File is clean.

File : C:\Documents and Settings\steve\Application Data\Mozilla\Firefox\Profiles\rwaj9zs3.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v23.0.1271.97

File : C:\Documents and Settings\jacob\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[s1].txt - [4048 octets] - [29/12/2012 08:24:08]

########## EOF - C:\AdwCleaner[s1].txt - [4108 octets] ##########
