
Moneypak virus infection on Windows XP


CTBlack


Recently infected with the moneypak virus, but now I managed to use system restore to a date before the infection.

Question on cleanup:

I have installed the anti-rootkit (mbar) and have run a couple of scans (the 1st one did find a virus and cleaned it; the 2nd scan returns clean).

I then ran a full system scan with Malwarebytes, then made another system restore point. Is there anything else I need to do to be sure there are no components of this virus left?

Thanks!


Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 48 hours, please send me a PM)


AVG flags it as a threat when it is run, but it did finish scanning and the result is as follows:

RogueKiller V8.4.1 [Dec 27 2012] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User : me [Admin rights]

Mode : Scan -- Date : 12/27/2012 12:30:15

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 1 ¤¤¤

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost

127.0.0.1 www.007guard.com

127.0.0.1 007guard.com

127.0.0.1 008i.com

127.0.0.1 www.008k.com

127.0.0.1 008k.com

127.0.0.1 www.00hq.com

127.0.0.1 00hq.com

127.0.0.1 010402.com

127.0.0.1 www.032439.com

127.0.0.1 032439.com

127.0.0.1 www.0scan.com

127.0.0.1 0scan.com

127.0.0.1 www.1000gratisproben.com

127.0.0.1 1000gratisproben.com

127.0.0.1 www.1001namen.com

127.0.0.1 1001namen.com

127.0.0.1 www.100888290cs.com

127.0.0.1 100888290cs.com

127.0.0.1 www.100sexlinks.com

[...]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: SAMSUNG HD103UJ +++++

--- User ---

[MBR] 6216de021106a3f7c8d8a2dee76080a8

[BSP] 14eb4da162136baed74bff6071d569cd : Windows XP MBR Code

Partition table:

0 - [XXXXXX] LINUX-SWP (0x42) [VISIBLE] Offset (sectors): 63 | Size: 953867 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: ST3500630AS +++++

--- User ---

[MBR] 6100708ea5024c70e16ea3a252d80553

[BSP] f3f594458ab09a1aa8a382a166798aca : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive2: SAMSUNG HD103UJ +++++

--- User ---

[MBR] a0e5c9a7067e92445117556bdc26b144

[BSP] 11071048a74da96b1e2e396204db83e3 : Windows XP MBR Code

Partition table:

0 - [XXXXXX] LINUX-SWP (0x42) [VISIBLE] Offset (sectors): 63 | Size: 953867 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive3: ST31000340AS +++++

--- User ---

[MBR] 83ab9038440c6967af3ed87794401a44

[BSP] 365c1fb46c5ad1ad6b5c134e189c7af6 : MBR Code unknown

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953867 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1]_S_12272012_02d1230.txt >>

RKreport[1]_S_12272012_02d1230.txt

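A note on the HOSTS section of the RogueKiller report above, with an added Python example that is not part of the original thread or of RogueKiller. Hundreds of domains mapped to 127.0.0.1 is the shape of a hosts-file blocklist (Spybot's Immunize feature, for which this machine has a scheduled task, writes exactly this kind of list), and a blocklist by itself is not evidence of a hijack. Two other shapes do matter: a real site name mapped to a routable address (a hijack that sends the victim to a server the attacker chose), and a security vendor's domain mapped to 127.0.0.1 (malware cutting the machine off from updates and help). The script separates those cases. The PROTECTED_DOMAINS list and the two sample lines marked "constructed" are assumptions made for the illustration, not entries from the log.

```python
import ipaddress

# Security-vendor domains an infection commonly points at 127.0.0.1 so the victim
# cannot update or get help. Assumption for this example, not taken from the log.
PROTECTED_DOMAINS = (
    "malwarebytes.org", "avg.com", "safer-networking.org",
    "microsoft.com", "windowsupdate.com",
)

# Constructed sample. The first entries copy the shape of the RogueKiller HOSTS
# section; the last two lines are made up to show a hijack and a vendor block.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
::1             localhost
203.0.113.5     www.mybank.example        # constructed: hijack to a routable address
127.0.0.1       www.malwarebytes.org      # constructed: cuts off a security vendor
"""


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs; skip comments, blanks and unparsable IPs."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing and whole-line comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                               # malformed line; worth logging in real use
        for host in fields[1:]:                    # one address may carry several names
            yield ip, host.lower()


def classify_hosts(text):
    """Bucket entries as localhost, sinkhole (benign blocklist), hijack or blocks_security."""
    buckets = {"localhost": [], "sinkhole": [], "hijack": [], "blocks_security": []}
    for ip, host in parse_hosts(text):
        if host in ("localhost", "localhost.localdomain") and ip.is_loopback:
            buckets["localhost"].append(host)
        elif not (ip.is_loopback or ip.is_unspecified):
            # A real name sent to a routable address: the victim lands wherever the attacker chose.
            buckets["hijack"].append((host, str(ip)))
        elif any(host == d or host.endswith("." + d) for d in PROTECTED_DOMAINS):
            # Loopback for a vendor domain: updates and download links silently fail.
            buckets["blocks_security"].append(host)
        else:
            buckets["sinkhole"].append(host)       # ad/malware domain nulled out: normal for a blocklist
    return buckets


if __name__ == "__main__":
    for bucket, entries in classify_hosts(SAMPLE_HOSTS).items():
        print("%-16s %d %s" % (bucket, len(entries), entries[:3]))
```

On the machine in this thread the hosts file lives at C:\WINDOWS\system32\drivers\etc\hosts, as the report states; feed its contents to classify_hosts and treat anything in the hijack or blocks_security buckets as a finding, and a long sinkhole bucket as noise from the blocklist.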
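A second added example (again not from the thread or from RogueKiller), prompted by the MBR Check section above. Three of the four drives show a single partition of type 0x42, which RogueKiller labels LINUX-SWP. Linux swap is type 0x82; 0x42 is the marker of a Windows 2000/XP dynamic disk (LDM), which is what the poster's later remark about patching dmadmin.exe to mirror drives implies, so the label is a tool quirk and not a sign that the partition table was tampered with. The script below parses a 512-byte MBR the way such a tool does (signature, boot flag, type byte, LBA start and sector count) and hashes the sector so the value can be compared with the [MBR] line of a later report. The partition-type table and the sample MBR assembled by build_mbr (sizes copied from PhysicalDrive1 and PhysicalDrive0 in the log) are assumptions for the illustration.

```python
import hashlib
import struct

# Partition-type bytes that matter for this log. 0x42 marks a Windows 2000/XP dynamic
# (LDM) disk; Linux swap is 0x82. The table is an assumption limited to this example.
PARTITION_TYPES = {
    0x07: "NTFS/exFAT/HPFS",
    0x0F: "extended (LBA)",
    0x42: "Windows dynamic disk (LDM)",
    0x82: "Linux swap",
    0x83: "Linux native",
}
ENTRY_FMT = "<B3sB3sII"      # boot flag, CHS start, type, CHS end, LBA start, sector count
SIGNATURE = b"\x55\xAA"


def build_mbr(entries, boot_code=b"\x00" * 446):
    """Assemble a 512-byte MBR from (bootable, type, lba_start, sectors) tuples.

    Sample-data helper for this example; CHS fields stay zero because parsers use the LBA fields.
    """
    if len(boot_code) != 446 or len(entries) > 4:
        raise ValueError("boot code must be 446 bytes and there are at most 4 entries")
    table = b"".join(
        struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0", start, size)
        for bootable, ptype, start, size in entries
    )
    return boot_code + table.ljust(64, b"\x00") + SIGNATURE


def parse_mbr(mbr):
    """Decode the partition table and hash the sector; raise on anything that is not an MBR."""
    if len(mbr) != 512 or mbr[510:512] != SIGNATURE:
        raise ValueError("not an MBR: wrong length or missing 0x55AA signature")
    partitions = []
    for i in range(4):
        flag, _, ptype, _, start, size = struct.unpack_from(ENTRY_FMT, mbr, 446 + 16 * i)
        if ptype == 0:
            continue                                   # unused slot
        if flag not in (0x00, 0x80):
            raise ValueError("entry %d has an invalid boot flag 0x%02x" % (i, flag))
        partitions.append({
            "index": i,
            "active": flag == 0x80,
            "type": ptype,
            "label": PARTITION_TYPES.get(ptype, "unknown (0x%02x)" % ptype),
            "lba_start": start,
            "size_mb": size * 512 // (1024 * 1024),  # the report's "Size ... Mo" column
        })
    return {"md5": hashlib.md5(mbr).hexdigest(), "partitions": partitions}


# Constructed sample mirroring two drives from the report: the active NTFS partition
# of PhysicalDrive1 and the dynamic-disk partition of PhysicalDrive0.
SAMPLE_MBR = build_mbr([
    (True, 0x07, 63, 476929 * 2048),
    (False, 0x42, 63, 953867 * 2048),
])

if __name__ == "__main__":
    # On a live XP machine, run as Administrator, the sector comes from
    # open(r"\\.\PhysicalDrive0", "rb").read(512); here the constructed sample is parsed.
    info = parse_mbr(SAMPLE_MBR)
    print("MBR md5:", info["md5"])
    for p in info["partitions"]:
        print(p)
```

The value worth watching is the hash: an MBR digest that changes between two scans with no repartitioning in between is what points at a bootkit, whereas an unfamiliar type label on a disk the owner converted to dynamic is not.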

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


Here is the result from ComboFix:

ComboFix 12-12-27.03 - me 12/27/2012 13:45:23.1.4 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.1998 [GMT -7:00]

Running from: c:\documents and settings\me\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free Edition 2013 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\me\Application Data\PriceGong

c:\documents and settings\me\Application Data\PriceGong\Data\1.txt

c:\documents and settings\me\Application Data\PriceGong\Data\a.txt

c:\documents and settings\me\Application Data\PriceGong\Data\b.txt

c:\documents and settings\me\Application Data\PriceGong\Data\c.txt

c:\documents and settings\me\Application Data\PriceGong\Data\d.txt

c:\documents and settings\me\Application Data\PriceGong\Data\e.txt

c:\documents and settings\me\Application Data\PriceGong\Data\f.txt

c:\documents and settings\me\Application Data\PriceGong\Data\g.txt

c:\documents and settings\me\Application Data\PriceGong\Data\h.txt

c:\documents and settings\me\Application Data\PriceGong\Data\i.txt

c:\documents and settings\me\Application Data\PriceGong\Data\j.txt

c:\documents and settings\me\Application Data\PriceGong\Data\k.txt

c:\documents and settings\me\Application Data\PriceGong\Data\l.txt

c:\documents and settings\me\Application Data\PriceGong\Data\m.txt

c:\documents and settings\me\Application Data\PriceGong\Data\n.txt

c:\documents and settings\me\Application Data\PriceGong\Data\o.txt

c:\documents and settings\me\Application Data\PriceGong\Data\p.txt

c:\documents and settings\me\Application Data\PriceGong\Data\q.txt

c:\documents and settings\me\Application Data\PriceGong\Data\r.txt

c:\documents and settings\me\Application Data\PriceGong\Data\s.txt

c:\documents and settings\me\Application Data\PriceGong\Data\t.txt

c:\documents and settings\me\Application Data\PriceGong\Data\u.txt

c:\documents and settings\me\Application Data\PriceGong\Data\v.txt

c:\documents and settings\me\Application Data\PriceGong\Data\w.txt

c:\documents and settings\me\Application Data\PriceGong\Data\wlu.txt

c:\documents and settings\me\Application Data\PriceGong\Data\x.txt

c:\documents and settings\me\Application Data\PriceGong\Data\y.txt

c:\documents and settings\me\Application Data\PriceGong\Data\z.txt

c:\documents and settings\me\Application Data\ProcessLassopl_rsrc_temp.dll

c:\documents and settings\me\WINDOWS

c:\windows\EventSystem.log

c:\windows\pkunzip.pif

c:\windows\pkzip.pif

c:\windows\system32\Cache

c:\windows\system32\Cache\215e3973909a859b.fb

c:\windows\system32\Cache\272512937d9e61a4.fb

c:\windows\system32\Cache\287204568329e189.fb

c:\windows\system32\Cache\28bc8f716fd76a47.fb

c:\windows\system32\Cache\2c53092c95605355.fb

c:\windows\system32\Cache\31a0997e9a5b5eb3.fb

c:\windows\system32\Cache\32c84fe32bb74d60.fb

c:\windows\system32\Cache\3917078cb68ec657.fb

c:\windows\system32\Cache\590ba23ce359fd0c.fb

c:\windows\system32\Cache\5f35ea2be70c5d87.fb

c:\windows\system32\Cache\610289e025a3ee9a.fb

c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb

c:\windows\system32\Cache\66b3308378dcfb94.fb

c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb

c:\windows\system32\Cache\6d03dad1035885d3.fb

c:\windows\system32\Cache\6d478a7668df71f5.fb

c:\windows\system32\Cache\a8556537add6dfc5.fb

c:\windows\system32\Cache\ad10a52aff5e038d.fb

c:\windows\system32\Cache\b3f908f5012dfdec.fb

c:\windows\system32\Cache\c1fa887b03019701.fb

c:\windows\system32\Cache\c4d28dca2e7648be.fb

c:\windows\system32\Cache\d201ef9910cd39de.fb

c:\windows\system32\Cache\d2e94710a5708128.fb

c:\windows\system32\Cache\d79b9dfe81484ec4.fb

c:\windows\system32\Cache\e0de16f883bea794.fb

c:\windows\system32\Cache\e46a7af2b9a8090a.fb

c:\windows\system32\Cache\e66bab5bda6b504e.fb

c:\windows\system32\Cache\f659b8052eed442f.fb

c:\windows\system32\Cache\f998975c9cc711ee.fb

c:\windows\system32\roboot.exe

c:\windows\system32\URTTemp

c:\windows\system32\URTTemp\regtlib.exe

.

c:\windows\system32\dmadmin.exe . . . is infected!!

.

.

((((((((((((((((((((((((( Files Created from 2012-11-27 to 2012-12-27 )))))))))))))))))))))))))))))))

.

.

2012-12-27 07:21 . 2012-12-27 07:21 -------- d-----r- C:\Sandbox

2012-12-27 07:20 . 2012-12-27 07:20 -------- d-----w- c:\program files\Sandboxie

2012-12-27 01:41 . 2012-12-27 01:41 -------- d-----w- c:\program files\Dropbox

2012-12-27 01:11 . 2012-12-27 01:11 -------- d-----w- c:\windows\system32\wbem\Repository

2012-12-26 20:28 . 2012-12-26 23:00 2884 ----a-w- c:\documents and settings\All Users\Application Data\dsgsdgdsgdsgw.js

2012-12-09 02:11 . 2012-12-09 02:11 -------- d-----w- c:\documents and settings\me\Application Data\Nico Mak Computing

2012-12-09 02:11 . 2012-12-09 02:11 -------- d-----w- c:\program files\WinZip Registry Optimizer

2012-12-09 02:11 . 2012-12-09 19:27 -------- d-----w- c:\documents and settings\me\Application Data\Trillian

2012-12-09 02:11 . 2012-12-27 19:29 -------- d-----w- c:\program files\Trillian

2012-12-08 22:07 . 2012-12-27 02:21 -------- d-----w- c:\documents and settings\me\Application Data\Skype

2012-12-08 22:07 . 2012-12-08 22:07 -------- d-----w- c:\program files\Common Files\Skype

2012-12-08 22:07 . 2012-12-08 22:07 -------- d-----r- c:\program files\Skype

2012-12-08 22:07 . 2012-12-08 22:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

2012-12-08 21:21 . 2012-12-08 21:21 -------- d-----w- c:\documents and settings\me\Local Settings\Application Data\Opera

2012-12-05 22:34 . 2012-12-06 19:00 -------- d-----w- c:\program files\Mozilla Thunderbird

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-12-16 12:23 . 2008-04-14 11:39 290560 ----a-w- c:\windows\system32\atmfd.dll

2012-12-12 04:45 . 2012-04-09 22:02 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-12-12 04:45 . 2011-05-19 00:03 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-11-13 01:25 . 2008-04-14 07:00 1866368 ----a-w- c:\windows\system32\win32k.sys

2012-11-08 20:48 . 2012-09-04 01:00 26984 ----a-w- c:\windows\system32\drivers\avgtpx86.sys

2012-11-02 02:02 . 2008-04-14 11:41 375296 ----a-w- c:\windows\system32\dpnet.dll

2012-11-01 12:17 . 2008-04-14 11:42 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2012-11-01 12:17 . 2008-04-14 11:42 916992 ----a-w- c:\windows\system32\wininet.dll

2012-11-01 12:17 . 2008-04-14 11:41 43520 ----a-w- c:\windows\system32\licmgr10.dll

2012-11-01 00:35 . 2008-04-14 06:07 385024 ----a-w- c:\windows\system32\html.iec

2012-10-22 20:02 . 2011-12-23 19:32 179936 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys

2012-10-15 10:48 . 2012-04-19 10:50 55776 ----a-w- c:\windows\system32\drivers\avgidshx.sys

2012-10-05 10:32 . 2010-09-07 09:48 93536 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2012-10-02 18:04 . 2008-04-14 11:42 58368 ----a-w- c:\windows\system32\synceng.dll

2012-10-02 10:30 . 2010-09-07 09:48 159712 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2012-09-30 01:54 . 2009-12-02 17:53 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-12-05 00:59 . 2012-12-05 00:58 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]

2012-11-08 20:48 1796552 ----a-w- c:\program files\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll" [2012-11-08 1796552]

.

[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]

[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]

[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{124D001A-BDCB-472F-AA59-BBE7E4BC3204}"= "c:\program files\Ashampoo_US\prxtbAsh0.dll" [2011-05-09 176936]

.

[HKEY_CLASSES_ROOT\clsid\{124d001a-bdcb-472f-aa59-bbe7e4bc3204}]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 129272 ----a-w- c:\documents and settings\me\Application Data\Dropbox\bin\DropboxExt.17.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 129272 ----a-w- c:\documents and settings\me\Application Data\Dropbox\bin\DropboxExt.17.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 129272 ----a-w- c:\documents and settings\me\Application Data\Dropbox\bin\DropboxExt.17.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 129272 ----a-w- c:\documents and settings\me\Application Data\Dropbox\bin\DropboxExt.17.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AnVir Task Manager"="c:\program files\AnVir Task Manager\anvir.exe" [2012-03-14 6041192]

"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2010-11-07 1867888]

"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2012-12-16 545552]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Six Engine"="c:\program files\ASUS\EPU-4 Engine\FourEngine.exe" [2008-07-23 5625344]

"RTHDCPL"="RTHDCPL.EXE" [2008-07-17 16806400]

"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-12-13 2051096]

"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-12-13 2095640]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]

"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-11-08 997320]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-03-09 98304]

"IObit Malware Fighter"="c:\program files\IObit\IObit Malware Fighter\IMF.exe" [2012-09-29 4473728]

"ProcessLassoManagementConsole"="c:\program files\Process Lasso\processlasso.exe" [2012-09-30 935792]

"ProcessGovernor"="c:\program files\Process Lasso\processgovernor.exe" [2012-09-30 633200]

"AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2012-11-07 3143800]

.

c:\documents and settings\me\Start Menu\Programs\Startup\

Dropbox.lnk - c:\documents and settings\me\Application Data\Dropbox\bin\Dropbox.exe [2012-12-21 28538560]

Trillian.lnk - c:\program files\Trillian\trillian.exe [2012-9-5 2429904]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2013\avgrsx.exe /sync /restart

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]

@="Service"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"e:\\Games\\Neverwinter night 2\\nwn2main.exe"=

"e:\\Games\\Neverwinter night 2\\nwn2main_amdxp.exe"=

"e:\\Games\\Neverwinter night 2\\nwn2server.exe"=

"e:\\Games\\World in Conflict\\wic.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=

"c:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=

"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\JDownloader.exe"=

"c:\\WINDOWS\\system32\\java.exe"=

"c:\\Program Files\\Opera\\opera.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\DAUM\\PotPlayer\\daumvsvr.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\supreme commander 2\\bin\\SupremeCommander2.exe"=

"c:\\Program Files\\DAUM\\PotPlayer\\PotPlayer.exe"=

"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

"c:\\Documents and Settings\\me\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

"c:\\Program Files\\DAUM\\PotPlayer\\PotPlayerMini.exe"=

"c:\\Program Files\\Diablo III\\Diablo III.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\Battle.net\\Agent\\Agent.1040\\Agent.exe"=

"c:\\Program Files\\Turbine\\DDO Unlimited\\dndclient.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\Battle.net\\Agent\\Agent.1225\\Agent.exe"=

"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=

"c:\\Program Files\\AVG\\AVG2013\\avgmfapx.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\AVG\\AVG2013\\avgnsx.exe"=

"c:\\Program Files\\AVG\\AVG2013\\avgdiagex.exe"=

"c:\\Program Files\\AVG\\AVG2013\\avgemcx.exe"=

"c:\\Program Files\\Trillian\\trillian.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"15417:TCP"= 15417:TCP:BitComet 15417 TCP

"15417:UDP"= 15417:UDP:BitComet 15417 UDP

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"57040:TCP"= 57040:TCP:Pando Media Booster

"57040:UDP"= 57040:UDP:Pando Media Booster

"58528:TCP"= 58528:TCP:Pando Media Booster

"58528:UDP"= 58528:UDP:Pando Media Booster

"58235:TCP"= 58235:TCP:Pando Media Booster

"58235:UDP"= 58235:UDP:Pando Media Booster

.

R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [4/19/2012 3:50 AM 55776]

R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [9/21/2012 3:46 AM 177376]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 2:48 AM 35552]

R0 DSFKSVCS;Kernel Services for DSF;c:\windows\system32\drivers\dsfksvcs.sys [7/13/2009 6:20 PM 477504]

R0 dsfroot;root enumerated bus driver;c:\windows\system32\drivers\dsfroot.sys [7/13/2009 6:20 PM 29136]

R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [12/22/2009 9:50 AM 26248]

R0 EUFS;EUFS;c:\windows\system32\drivers\eufs.sys [12/22/2009 9:50 AM 20616]

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/18/2008 5:34 PM 697328]

R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [12/23/2011 12:32 PM 179936]

R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [12/23/2011 12:32 PM 19936]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [9/7/2010 2:48 AM 159712]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [9/7/2010 2:49 AM 164832]

R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [9/3/2012 6:00 PM 26984]

R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [3/5/2009 2:07 PM 86552]

R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2013\avgwdsvc.exe [10/22/2012 1:05 PM 196664]

R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [12/2/2010 1:36 PM 20328]

R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [9/22/2011 11:43 AM 645048]

R2 vToolbarUpdater13.2.0;vToolbarUpdater13.2.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe [11/8/2012 1:48 PM 711112]

R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [5/22/2012 5:44 PM 100368]

R3 EuDisk;EASEUS Disk Enumerator;c:\windows\system32\drivers\EuDisk.sys [12/22/2009 9:50 AM 122504]

R3 FileMonitor;FileMonitor;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys [7/4/2012 4:05 PM 246816]

R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2/14/2011 10:17 AM 19056]

R3 RegFilter;RegFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\RegFilter.sys [7/4/2012 4:05 PM 30408]

R3 UrlFilter;UrlFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\UrlFilter.sys [7/4/2012 4:05 PM 16248]

S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2013\avgidsagent.exe [11/6/2012 7:00 PM 5814392]

S2 FastPara;FastPara;c:\windows\system32\drivers\fastpara.sys [5/9/2009 3:53 PM 35008]

S2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [7/4/2012 4:05 PM 821592]

S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [11/9/2012 11:21 AM 160944]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [5/6/2011 5:37 PM 167264]

S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]

S3 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [12/22/2009 9:50 AM 14216]

S3 HRMACPI;DSF ACPI Redirection Module;c:\windows\system32\DRIVERS\HRMACPI.SYS --> c:\windows\system32\DRIVERS\HRMACPI.SYS [?]

S3 HRMCFGSPC;DSF General Configuration Space Redirection Module;c:\windows\system32\drivers\hrmcfgspc.sys [7/13/2009 6:20 PM 90176]

S3 HRMINTS;DSF Interrupt Redirection Module;c:\windows\system32\drivers\hrmints.sys [7/13/2009 6:20 PM 87504]

S3 HRMPORTS;DSF IO Port Redirection Module;c:\windows\system32\drivers\hrmports.sys [7/13/2009 6:20 PM 100688]

S3 IEPro;IEPro;"c:\program files\internet explorer\plugins\IEpro.exe" --> c:\program files\internet explorer\plugins\IEpro.exe [?]

S3 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\Sony\PMB\PMBDeviceInfoProvider.exe [10/24/2009 2:18 AM 360224]

S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [3/5/2009 2:07 PM 24876]

S3 SOFTHIDUSBK;USB HID Layer;c:\windows\system32\DRIVERS\SOFTHIDUSBK.SYS --> c:\windows\system32\DRIVERS\SOFTHIDUSBK.SYS [?]

S3 SOFTUSBK;Generic USB device;c:\windows\system32\DRIVERS\SOFTUSBK.SYS --> c:\windows\system32\DRIVERS\SOFTUSBK.SYS [?]

S3 SOFTUSBTESTHUB;Generic USB Test Hub;c:\windows\system32\DRIVERS\SOFTUSBTESTHUB.SYS --> c:\windows\system32\DRIVERS\SOFTUSBTESTHUB.SYS [?]

S3 SOFTWADP;Wireless adapter devices;c:\windows\system32\DRIVERS\SOFTWADP.SYS --> c:\windows\system32\DRIVERS\SOFTWADP.SYS [?]

S3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\system32\drivers\SSLDrv.sys [2/5/2008 3:54 PM 20504]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 3:06 PM 11520]

S3 WSOFTUSBK;Generic wireless USB device;c:\windows\system32\DRIVERS\WSOFTUSBK.SYS --> c:\windows\system32\DRIVERS\WSOFTUSBK.SYS [?]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - GUPDATEM

*NewlyCreated* - PBFILTER

*NewlyCreated* - TRUESIGHT

*Deregistered* - TrueSight

.

Contents of the 'Scheduled Tasks' folder

.

2012-12-27 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-09 04:45]

.

2012-12-27 c:\windows\Tasks\automatic_sysrp.job

- c:\documents and settings\me\My Documents\utils\automatic_sysrp.vbs [2012-12-27 03:07]

.

2012-12-27 c:\windows\Tasks\GlaryInitialize.job

- c:\program files\Glary Utilities\initialize.exe [2012-01-25 16:50]

.

2012-09-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-07 21:27]

.

2012-12-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-07 21:27]

.

2012-09-06 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job

- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-12-02 22:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2481032

uSearchURL,(Default) = hxxp://search.daum.net/search?nil_profile=ie&ref_code=ms&q=%s

TCP: DhcpNameServer = 208.67.222.222 208.67.220.220

Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\13.2.0\ViProtocol.dll

FF - ProfilePath - c:\documents and settings\me\Application Data\Mozilla\Firefox\Profiles\wjhhxri0.default\

FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?SSPV=FFSB10&ctid=CT2481032&SearchSource=13

FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7Bbeb6ebeb-01f3-4c98-8168-baf419f435cd%7D&mid=bb3eb5fa4f52cfefedf7a806df17481d-397f8570f3d7915b32a3427577e888cd85e69a21&ds=AVG&v=13.2.0.5&lang=en&pr=fr&d=2012-07-02%2012%3A48%3A37&sap=ku&q=

FF - ExtSQL: 2012-12-05 14:33; {f13b157f-b174-47e7-a34d-4815ddfdfeb8}; c:\documents and settings\me\Application Data\Mozilla\Firefox\Profiles\wjhhxri0.default\extensions\{f13b157f-b174-47e7-a34d-4815ddfdfeb8}.xpi

FF - ExtSQL: 2012-12-05 14:38; firebug@software.joehewitt.com; c:\documents and settings\me\Application Data\Mozilla\Firefox\Profiles\wjhhxri0.default\extensions\firebug@software.joehewitt.com.xpi

FF - ExtSQL: !HIDDEN! 2009-09-01 16:33; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

.

.

------- File Associations -------

.

.txt=Notepad++_file

.

- - - - ORPHANS REMOVED - - - -

.

URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)

ShellExecuteHooks-{4F07DA45-8170-4859-9B5F-037EF2970034} - (no file)

AddRemove-360Amigo - c:\program files\360Amigo\Uninstall.exe

AddRemove-DaumCleaner - c:\program files\Daum\Cleaner\Uninstall.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-12-27 13:55

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DSFKSVCS\MofImagePath]

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1084)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\atiadlxx.dll

.

Completion time: 2012-12-27 14:00:44

ComboFix-quarantined-files.txt 2012-12-27 21:00

.

Pre-Run: 198,237,720,576 bytes free

Post-Run: 199,341,211,648 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - 3D9FD86EE1F773A08985BC9B91CC3728

I think I saw this as part of the Moneypak virus from researching on the net, but it is still not deleted.

c:\documents and settings\All Users\Application Data\dsgsdgdsgdsgw.js

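The poster's eye for dsgsdgdsgdsgw.js is the right instinct: a scripting file with a keyboard-mash name sitting in All Users\Application Data is the shape of a dropped persistence component, whatever the family. The Python below is an added example (not from the thread, and not part of ComboFix) that pulls every Windows path out of a ComboFix log and scores it on three cheap signals: a script extension in a user-writable tree, an executable in a user-writable tree, and a consonant-heavy file name. The sample lines are constructed from the shape of the log above; the USER_WRITABLE prefix, the extension lists and the looks_random threshold are assumptions. The output is a list of items to review, not verdicts: Dropbox.exe under Application Data is legitimately installed that way and still gets listed.

```python
import re

# Constructed sample: lines in the shape of the "Files Created", Run-key,
# Startup-folder and Scheduled Tasks sections of the ComboFix log above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2012-11-27 to 2012-12-27 )))))))))))))))))))))))))))))))
2012-12-27 07:21 . 2012-12-27 07:21 -------- d-----r- C:\Sandbox
2012-12-26 20:28 . 2012-12-26 23:00 2884 ----a-w- c:\documents and settings\All Users\Application Data\dsgsdgdsgdsgw.js
2012-12-09 02:11 . 2012-12-09 02:11 -------- d-----w- c:\program files\WinZip Registry Optimizer
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-11-08 997320]
c:\documents and settings\me\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\me\Application Data\Dropbox\bin\Dropbox.exe [2012-12-21 28538560]
2012-12-27 c:\windows\Tasks\automatic_sysrp.job
- c:\documents and settings\me\My Documents\utils\automatic_sysrp.vbs [2012-12-27 03:07]
"""

# A drive-letter path up to a closing quote, a " [date size]" suffix or end of line.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]\r\n]*?(?=\s*(?:\[|"|$))', re.MULTILINE)

SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".bat", ".cmd", ".hta", ".ps1"}
BINARY_EXTS = {".exe", ".dll", ".scr", ".sys", ".pif", ".com"}
# XP profile tree (assumption for this example); Vista and later use c:\users\ and c:\programdata\.
USER_WRITABLE = ("c:\\documents and settings\\",)


def looks_random(stem):
    """Heuristic: eight or more letters with almost no vowels reads like a generated name."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 8:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < 0.15


def triage_combofix(log_text):
    """Return review items for every path in a ComboFix log, worst first."""
    findings = {}
    for match in PATH_RE.finditer(log_text):
        path = match.group(0).rstrip()
        low = path.lower().replace("\\\\", "\\")   # firewall-list lines double the backslashes
        name = low.rsplit("\\", 1)[-1]
        stem, dot, ext = name.rpartition(".")
        if not dot:
            continue                                 # directory or extension-less entry: not scored here
        ext = "." + ext
        in_user_dir = low.startswith(USER_WRITABLE)
        reasons = []
        if ext in SCRIPT_EXTS and in_user_dir:
            reasons.append("script in user-writable path")
        if ext in BINARY_EXTS and in_user_dir:
            reasons.append("executable outside Program Files/Windows")
        if looks_random(stem):
            reasons.append("random-looking file name")
        if reasons:
            severity = "high" if len(reasons) > 1 else "review"
            findings[low] = {"path": path, "severity": severity, "reasons": reasons}
    return sorted(findings.values(), key=lambda f: (f["severity"] != "high", f["path"]))


if __name__ == "__main__":
    for item in triage_combofix(SAMPLE_LOG):
        print(item["severity"].upper().ljust(7), item["path"], "-", "; ".join(item["reasons"]))
```

Run it over the whole C:\ComboFix.txt rather than the excerpt; the same path turning up in Files Created, a Run key and a scheduled task is worth more than any single hit, and the "high" bucket is where a CFScript File:: entry like the one the helper writes next should come from.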

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :Filefind
    dmadmin.exe


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Using ComboFix......

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

4. If ComboFix wants to update.....please allow it to.

File::

c:\documents and settings\All Users\Application Data\dsgsdgdsgdsgw.js

ClearJavaCache::

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot, (in case it asks to reboot)......

Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

MrC


I remember when I built this system I had to modify dmadmin.exe to make XP mirror the drives; maybe that is why ComboFix is picking it up as infected. Anyway, here is the output from the ComboFix log:

ComboFix 12-12-27.03 - me 12/27/2012 16:26:27.2.4 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2330 [GMT -7:00]

Running from: c:\documents and settings\me\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\me\Desktop\CFScript.txt

AV: AVG Anti-Virus Free Edition 2013 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

FILE ::

"c:\documents and settings\ALL Users\Application Data\dsgsdgdsgdsgw.js"

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\ALL Users\Application Data\dsgsdgdsgdsgw.js

.

c:\windows\system32\dmadmin.exe . . . is infected!!

.

.

((((((((((((((((((((((((( Files Created from 2012-11-27 to 2012-12-27 )))))))))))))))))))))))))))))))

.

.

2012-12-27 21:36 . 2012-12-27 21:36 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2012-12-27 21:30 . 2012-12-27 21:30 -------- d-----w- c:\windows\system32\wbem\Repository

2012-12-27 07:21 . 2012-12-27 07:21 -------- d-----r- C:\Sandbox

2012-12-27 07:20 . 2012-12-27 07:20 -------- d-----w- c:\program files\Sandboxie

2012-12-27 01:41 . 2012-12-27 01:41 -------- d-----w- c:\program files\Dropbox

2012-12-09 02:11 . 2012-12-09 02:11 -------- d-----w- c:\documents and settings\me\Application Data\Nico Mak Computing

2012-12-09 02:11 . 2012-12-09 02:11 -------- d-----w- c:\program files\WinZip Registry Optimizer

2012-12-09 02:11 . 2012-12-09 19:27 -------- d-----w- c:\documents and settings\me\Application Data\Trillian

2012-12-09 02:11 . 2012-12-27 19:29 -------- d-----w- c:\program files\Trillian

2012-12-08 22:07 . 2012-12-27 02:21 -------- d-----w- c:\documents and settings\me\Application Data\Skype

2012-12-08 22:07 . 2012-12-08 22:07 -------- d-----w- c:\program files\Common Files\Skype

2012-12-08 22:07 . 2012-12-08 22:07 -------- d-----r- c:\program files\Skype

2012-12-08 22:07 . 2012-12-08 22:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

2012-12-08 21:21 . 2012-12-08 21:21 -------- d-----w- c:\documents and settings\me\Local Settings\Application Data\Opera

2012-12-05 22:34 . 2012-12-06 19:00 -------- d-----w- c:\program files\Mozilla Thunderbird

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-12-16 12:23 . 2008-04-14 11:39 290560 ----a-w- c:\windows\system32\atmfd.dll

2012-12-12 04:45 . 2012-04-09 22:02 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-12-12 04:45 . 2011-05-19 00:03 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-11-13 01:25 . 2008-04-14 07:00 1866368 ----a-w- c:\windows\system32\win32k.sys

2012-11-08 20:48 . 2012-09-04 01:00 26984 ----a-w- c:\windows\system32\drivers\avgtpx86.sys

2012-11-02 02:02 . 2008-04-14 11:41 375296 ----a-w- c:\windows\system32\dpnet.dll

2012-11-01 12:17 . 2008-04-14 11:42 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2012-11-01 12:17 . 2008-04-14 11:42 916992 ----a-w- c:\windows\system32\wininet.dll

2012-11-01 12:17 . 2008-04-14 11:41 43520 ----a-w- c:\windows\system32\licmgr10.dll

2012-11-01 00:35 . 2008-04-14 06:07 385024 ----a-w- c:\windows\system32\html.iec

2012-10-22 20:02 . 2011-12-23 19:32 179936 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys

2012-10-15 10:48 . 2012-04-19 10:50 55776 ----a-w- c:\windows\system32\drivers\avgidshx.sys

2012-10-05 10:32 . 2010-09-07 09:48 93536 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2012-10-02 18:04 . 2008-04-14 11:42 58368 ----a-w- c:\windows\system32\synceng.dll

2012-10-02 10:30 . 2010-09-07 09:48 159712 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2012-09-30 01:54 . 2009-12-02 17:53 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-12-05 00:59 . 2012-12-05 00:58 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]

2012-11-08 20:48 1796552 ----a-w- c:\program files\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll" [2012-11-08 1796552]

.

[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]

[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]

[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{124D001A-BDCB-472F-AA59-BBE7E4BC3204}"= "c:\program files\Ashampoo_US\prxtbAsh0.dll" [2011-05-09 176936]

.

[HKEY_CLASSES_ROOT\clsid\{124d001a-bdcb-472f-aa59-bbe7e4bc3204}]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 129272 ----a-w- c:\documents and settings\me\Application Data\Dropbox\bin\DropboxExt.17.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 129272 ----a-w- c:\documents and settings\me\Application Data\Dropbox\bin\DropboxExt.17.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 129272 ----a-w- c:\documents and settings\me\Application Data\Dropbox\bin\DropboxExt.17.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 129272 ----a-w- c:\documents and settings\me\Application Data\Dropbox\bin\DropboxExt.17.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AnVir Task Manager"="c:\program files\AnVir Task Manager\anvir.exe" [2012-03-14 6041192]

"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2010-11-07 1867888]

"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2012-12-16 545552]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Six Engine"="c:\program files\ASUS\EPU-4 Engine\FourEngine.exe" [2008-07-23 5625344]

"RTHDCPL"="RTHDCPL.EXE" [2008-07-17 16806400]

"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-12-13 2051096]

"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-12-13 2095640]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]

"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-11-08 997320]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-03-09 98304]

"IObit Malware Fighter"="c:\program files\IObit\IObit Malware Fighter\IMF.exe" [2012-09-29 4473728]

"ProcessLassoManagementConsole"="c:\program files\Process Lasso\processlasso.exe" [2012-09-30 935792]

"ProcessGovernor"="c:\program files\Process Lasso\processgovernor.exe" [2012-09-30 633200]

"AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2012-11-07 3143800]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"Z1"="c:\program files\Malwarebytes' Anti-Malware\mbar\mbar.exe" [2012-12-04 1342312]

.

c:\documents and settings\me\Start Menu\Programs\Startup\

Dropbox.lnk - c:\documents and settings\me\Application Data\Dropbox\bin\Dropbox.exe [2012-12-21 28538560]

Trillian.lnk - c:\program files\Trillian\trillian.exe [2012-9-5 2429904]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2013\avgrsx.exe /sync /restart

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]

@="Service"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"e:\\Games\\Neverwinter night 2\\nwn2main.exe"=

"e:\\Games\\Neverwinter night 2\\nwn2main_amdxp.exe"=

"e:\\Games\\Neverwinter night 2\\nwn2server.exe"=

"e:\\Games\\World in Conflict\\wic.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=

"c:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=

"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\JDownloader.exe"=

"c:\\WINDOWS\\system32\\java.exe"=

"c:\\Program Files\\Opera\\opera.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\DAUM\\PotPlayer\\daumvsvr.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\supreme commander 2\\bin\\SupremeCommander2.exe"=

"c:\\Program Files\\DAUM\\PotPlayer\\PotPlayer.exe"=

"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

"c:\\Documents and Settings\\me\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

"c:\\Program Files\\DAUM\\PotPlayer\\PotPlayerMini.exe"=

"c:\\Program Files\\Diablo III\\Diablo III.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\Battle.net\\Agent\\Agent.1040\\Agent.exe"=

"c:\\Program Files\\Turbine\\DDO Unlimited\\dndclient.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\Battle.net\\Agent\\Agent.1225\\Agent.exe"=

"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=

"c:\\Program Files\\AVG\\AVG2013\\avgmfapx.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\AVG\\AVG2013\\avgnsx.exe"=

"c:\\Program Files\\AVG\\AVG2013\\avgdiagex.exe"=

"c:\\Program Files\\AVG\\AVG2013\\avgemcx.exe"=

"c:\\Program Files\\Trillian\\trillian.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"15417:TCP"= 15417:TCP:BitComet 15417 TCP

"15417:UDP"= 15417:UDP:BitComet 15417 UDP

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"57040:TCP"= 57040:TCP:Pando Media Booster

"57040:UDP"= 57040:UDP:Pando Media Booster

"58528:TCP"= 58528:TCP:Pando Media Booster

"58528:UDP"= 58528:UDP:Pando Media Booster

"58235:TCP"= 58235:TCP:Pando Media Booster

"58235:UDP"= 58235:UDP:Pando Media Booster

.

R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [4/19/2012 3:50 AM 55776]

R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [9/21/2012 3:46 AM 177376]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 2:48 AM 35552]

R0 DSFKSVCS;Kernel Services for DSF;c:\windows\system32\drivers\dsfksvcs.sys [7/13/2009 6:20 PM 477504]

R0 dsfroot;root enumerated bus driver;c:\windows\system32\drivers\dsfroot.sys [7/13/2009 6:20 PM 29136]

R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [12/22/2009 9:50 AM 26248]

R0 EUFS;EUFS;c:\windows\system32\drivers\eufs.sys [12/22/2009 9:50 AM 20616]

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/18/2008 5:34 PM 697328]

R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [12/23/2011 12:32 PM 179936]

R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [12/23/2011 12:32 PM 19936]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [9/7/2010 2:48 AM 159712]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [9/7/2010 2:49 AM 164832]

R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [9/3/2012 6:00 PM 26984]

R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [3/5/2009 2:07 PM 86552]

R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2013\avgwdsvc.exe [10/22/2012 1:05 PM 196664]

R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [12/2/2010 1:36 PM 20328]

R2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [7/4/2012 4:05 PM 821592]

R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [9/22/2011 11:43 AM 645048]

R2 vToolbarUpdater13.2.0;vToolbarUpdater13.2.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe [11/8/2012 1:48 PM 711112]

R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [5/22/2012 5:44 PM 100368]

R3 EuDisk;EASEUS Disk Enumerator;c:\windows\system32\drivers\EuDisk.sys [12/22/2009 9:50 AM 122504]

R3 FileMonitor;FileMonitor;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys [7/4/2012 4:05 PM 246816]

R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [12/27/2012 2:36 PM 35144]

R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2/14/2011 10:17 AM 19056]

R3 RegFilter;RegFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\RegFilter.sys [7/4/2012 4:05 PM 30408]

R3 UrlFilter;UrlFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\UrlFilter.sys [7/4/2012 4:05 PM 16248]

S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2013\avgidsagent.exe [11/6/2012 7:00 PM 5814392]

S2 FastPara;FastPara;c:\windows\system32\drivers\fastpara.sys [5/9/2009 3:53 PM 35008]

S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [11/9/2012 11:21 AM 160944]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [5/6/2011 5:37 PM 167264]

S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]

S3 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [12/22/2009 9:50 AM 14216]

S3 HRMACPI;DSF ACPI Redirection Module;c:\windows\system32\DRIVERS\HRMACPI.SYS --> c:\windows\system32\DRIVERS\HRMACPI.SYS [?]

S3 HRMCFGSPC;DSF General Configuration Space Redirection Module;c:\windows\system32\drivers\hrmcfgspc.sys [7/13/2009 6:20 PM 90176]

S3 HRMINTS;DSF Interrupt Redirection Module;c:\windows\system32\drivers\hrmints.sys [7/13/2009 6:20 PM 87504]

S3 HRMPORTS;DSF IO Port Redirection Module;c:\windows\system32\drivers\hrmports.sys [7/13/2009 6:20 PM 100688]

S3 IEPro;IEPro;"c:\program files\internet explorer\plugins\IEpro.exe" --> c:\program files\internet explorer\plugins\IEpro.exe [?]

S3 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\Sony\PMB\PMBDeviceInfoProvider.exe [10/24/2009 2:18 AM 360224]

S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [3/5/2009 2:07 PM 24876]

S3 SOFTHIDUSBK;USB HID Layer;c:\windows\system32\DRIVERS\SOFTHIDUSBK.SYS --> c:\windows\system32\DRIVERS\SOFTHIDUSBK.SYS [?]

S3 SOFTUSBK;Generic USB device;c:\windows\system32\DRIVERS\SOFTUSBK.SYS --> c:\windows\system32\DRIVERS\SOFTUSBK.SYS [?]

S3 SOFTUSBTESTHUB;Generic USB Test Hub;c:\windows\system32\DRIVERS\SOFTUSBTESTHUB.SYS --> c:\windows\system32\DRIVERS\SOFTUSBTESTHUB.SYS [?]

S3 SOFTWADP;Wireless adapter devices;c:\windows\system32\DRIVERS\SOFTWADP.SYS --> c:\windows\system32\DRIVERS\SOFTWADP.SYS [?]

S3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\system32\drivers\SSLDrv.sys [2/5/2008 3:54 PM 20504]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 3:06 PM 11520]

S3 WSOFTUSBK;Generic wireless USB device;c:\windows\system32\DRIVERS\WSOFTUSBK.SYS --> c:\windows\system32\DRIVERS\WSOFTUSBK.SYS [?]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - MBAMCHAMELEON

*NewlyCreated* - TRUESIGHT

*Deregistered* - TrueSight

.

Contents of the 'Scheduled Tasks' folder

.

2012-12-27 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-09 04:45]

.

2012-12-27 c:\windows\Tasks\automatic_sysrp.job

- c:\documents and settings\me\My Documents\utils\automatic_sysrp.vbs [2012-12-27 03:07]

.

2012-12-27 c:\windows\Tasks\GlaryInitialize.job

- c:\program files\Glary Utilities\initialize.exe [2012-01-25 16:50]

.

2012-09-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-07 21:27]

.

2012-12-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-07 21:27]

.

2012-09-06 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job

- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-12-02 22:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2481032

uSearchURL,(Default) = hxxp://search.daum.net/search?nil_profile=ie&ref_code=ms&q=%s

TCP: DhcpNameServer = 208.67.222.222 208.67.220.220

Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\13.2.0\ViProtocol.dll

FF - ProfilePath - c:\documents and settings\me\Application Data\Mozilla\Firefox\Profiles\wjhhxri0.default\

FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?SSPV=FFSB10&ctid=CT2481032&SearchSource=13

FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7Bbeb6ebeb-01f3-4c98-8168-baf419f435cd%7D&mid=bb3eb5fa4f52cfefedf7a806df17481d-397f8570f3d7915b32a3427577e888cd85e69a21&ds=AVG&v=13.2.0.5&lang=en&pr=fr&d=2012-07-02%2012%3A48%3A37&sap=ku&q=

FF - ExtSQL: 2012-12-05 14:33; {f13b157f-b174-47e7-a34d-4815ddfdfeb8}; c:\documents and settings\me\Application Data\Mozilla\Firefox\Profiles\wjhhxri0.default\extensions\{f13b157f-b174-47e7-a34d-4815ddfdfeb8}.xpi

FF - ExtSQL: 2012-12-05 14:38; firebug@software.joehewitt.com; c:\documents and settings\me\Application Data\Mozilla\Firefox\Profiles\wjhhxri0.default\extensions\firebug@software.joehewitt.com.xpi

FF - ExtSQL: !HIDDEN! 2009-09-01 16:33; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-12-27 16:31

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DSFKSVCS\MofImagePath]

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1084)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\atiadlxx.dll

.

Completion time: 2012-12-27 16:33:16

ComboFix-quarantined-files.txt 2012-12-27 23:33

ComboFix2.txt 2012-12-27 23:10

ComboFix3.txt 2012-12-27 21:00

.

Pre-Run: 199,144,931,328 bytes free

Post-Run: 199,135,903,744 bytes free

.

- - End Of File - - B67270FAEDCD5BE586C17A857CCE5EB5

And here is the output from SystemLook:

SystemLook 30.07.11 by jpshortstuff

Log created at 16:18 on 27/12/2012 by me

Administrator - Elevation successful

========== Filefind ==========

Searching for "dmadmin.exe"

C:\Documents and Settings\me\My Documents\winfiles\dmadmin.exe --a---- 224768 bytes [03:45 17/01/2009] [11:42 14/04/2008] E46050330BD42F33609117F861E32D3C

C:\Documents and Settings\me\My Documents\xpmirror\dmadmin.exe --a---- 204800 bytes [03:42 17/01/2009] [07:35 12/08/2004] 871ED2D643DDFC926BC8F405D1AA90FD

C:\WINDOWS\system32\dmadmin.exe --a---- 204800 bytes [03:55 17/01/2009] [07:35 12/08/2004] 871ED2D643DDFC926BC8F405D1AA90FD

-= EOF =-

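As an added example (not part of the thread, and not code from SystemLook, ComboFix or their authors), the script below parses Filefind result lines in the format SystemLook printed above and groups the dmadmin.exe copies by MD5, so the copy ComboFix flagged in system32 can be compared against the copy the user kept in the xpmirror folder. The sample log is constructed from the three lines posted above; the function and variable names are the example's own.

```python
"""Cross-check copies of a flagged file using SystemLook Filefind output."""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample: the Filefind section exactly as posted in the thread.
SAMPLE_LOG = r"""SystemLook 30.07.11 by jpshortstuff
Log created at 16:18 on 27/12/2012 by me
Administrator - Elevation successful

========== Filefind ==========

Searching for "dmadmin.exe"
C:\Documents and Settings\me\My Documents\winfiles\dmadmin.exe --a---- 224768 bytes [03:45 17/01/2009] [11:42 14/04/2008] E46050330BD42F33609117F861E32D3C
C:\Documents and Settings\me\My Documents\xpmirror\dmadmin.exe --a---- 204800 bytes [03:42 17/01/2009] [07:35 12/08/2004] 871ED2D643DDFC926BC8F405D1AA90FD
C:\WINDOWS\system32\dmadmin.exe --a---- 204800 bytes [03:55 17/01/2009] [07:35 12/08/2004] 871ED2D643DDFC926BC8F405D1AA90FD

-= EOF =-
"""

# One Filefind hit: <path> <attributes> <size> bytes [created] [modified] <MD5>.
# The path may contain spaces, so it is matched non-greedily up to the
# attribute field, which must be followed by "<digits> bytes".
FILEFIND_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?\S)\s+(?P<attrs>[-A-Za-z]+)\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


def parse_filefind(log: str) -> list[dict]:
    """Return one dict per Filefind hit; header and footer lines are ignored."""
    hits = []
    for line in log.splitlines():
        m = FILEFIND_RE.match(line.strip())
        if m:
            hit = m.groupdict()
            hit["size"] = int(hit["size"])
            hit["md5"] = hit["md5"].upper()
            hits.append(hit)
    return hits


def group_by_md5(hits: list[dict]) -> dict[str, list[str]]:
    """Map each MD5 to the paths that carry it (identical copies share a key)."""
    groups: dict[str, list[str]] = defaultdict(list)
    for h in hits:
        groups[h["md5"]].append(h["path"])
    return dict(groups)


def explain_flagged_copy(hits: list[dict], flagged_path: str) -> dict:
    """Compare the copy a scanner flagged with every other copy Filefind found.

    Returns the flagged hit, the other paths whose MD5 is identical to it, and
    the paths that differ, so a reviewer can see whether the flagged file is
    byte-for-byte the copy the user knowingly kept (the xpmirror folder here)
    or is unlike everything else on the machine.
    """
    flagged = next((h for h in hits if h["path"].lower() == flagged_path.lower()), None)
    if flagged is None:
        raise ValueError(f"{flagged_path} not in Filefind results")
    same = [h["path"] for h in hits if h is not flagged and h["md5"] == flagged["md5"]]
    different = [h["path"] for h in hits if h["md5"] != flagged["md5"]]
    return {"flagged": flagged, "identical_copies": same, "differing_copies": different}


if __name__ == "__main__":
    found = parse_filefind(SAMPLE_LOG)
    report = explain_flagged_copy(found, r"C:\WINDOWS\system32\dmadmin.exe")
    f = report["flagged"]
    print(f"{f['path']}: {f['size']} bytes, modified {f['modified']}, MD5 {f['md5']}")
    print("identical copies:", report["identical_copies"])
    print("differing copies:", report["differing_copies"])
```

A match between the system32 copy and the user's own xpmirror copy explains the scanner flag (the file is not the stock binary) but does not by itself prove the patched binary is clean; the differing winfiles copy, with the original 14/04/2008 timestamp, is the one to hash against a known-good SP3 dmadmin.exe if that reassurance is wanted.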

OK...........How is it now???

~~~~~~~~~~~~~~~~~

Please download AdwCleaner from here and save it on your Desktop.

  1. Right-click on adwcleaner.exe and select Run As Administrator (for XP just double click) to launch the application.
  2. Now click on the Search tab.
  3. Please post the contents of the log-file created in your next post.

Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- Denotes the number of times the application has been run, so in this case it should be something like R1.

Please look over what was found, we're going to delete it all in the next step....if there's something you may want to keep...please let me know and I'll explain why it shouldn't be on your system.

MrC


The mirroring is still functioning and the virus doesn't seem to come back again (keeping my fingers crossed on that).

Here is the log from the search on ADWCleaner:

# AdwCleaner v2.103 - Logfile created 12/27/2012 at 17:16:48

# Updated 25/12/2012 by Xplode

# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)

# User : me - ME-24QC

# Boot Mode : Normal

# Running from : C:\Documents and Settings\me\desktop\adwcleaner.exe

# Option [search]

***** [services] *****

***** [Files / Folders] *****

File Found : C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml

Folder Found : C:\Documents and Settings\All Users\Application Data\AVG Secure Search

Folder Found : C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar

Folder Found : C:\Program Files\Ashampoo_US

Folder Found : C:\Program Files\Ask.com

Folder Found : C:\Program Files\AVG Secure Search

Folder Found : C:\Program Files\Common Files\AVG Secure Search

Folder Found : C:\Program Files\Conduit

Folder Found : C:\Program Files\DAEMON Tools Toolbar

Folder Found : C:\WINDOWS\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

***** [Registry] *****

Key Found : HKCU\Software\APN

Key Found : HKCU\Software\AppDataLow\AskToolbarInfo

Key Found : HKCU\Software\AppDataLow\Software\Conduit

Key Found : HKCU\Software\Ashampoo_US

Key Found : HKCU\Software\Ask.com

Key Found : HKCU\Software\AskToolbar

Key Found : HKCU\Software\AVG Secure Search

Key Found : HKCU\Software\AVG Security Toolbar

Key Found : HKCU\Software\Conduit

Key Found : HKCU\Software\ConduitSearchScopes

Key Found : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}

Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}

Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AD22EBAF-0D18-4FC7-90CC-5EA0ABBE9EB9}

Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{32099AAC-C132-4136-9E9A-4E364A424E17}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}

Key Found : HKCU\Toolbar

Key Found : HKLM\SOFTWARE\14919ea49a8f3b4aa3cf1058d9a64cec

Key Found : HKLM\Software\APN

Key Found : HKLM\Software\Ashampoo_US

Key Found : HKLM\Software\AskToolbar

Key Found : HKLM\Software\AVG Secure Search

Key Found : HKLM\Software\AVG Security Toolbar

Key Found : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}

Key Found : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}

Key Found : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}

Key Found : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL

Key Found : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE

Key Found : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL

Key Found : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI

Key Found : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI.1

Key Found : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj

Key Found : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj.1

Key Found : HKLM\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{124D001A-BDCB-472F-AA59-BBE7E4BC3204}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{32099AAC-C132-4136-9E9A-4E364A424E17}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{6568F275-5827-43C5-9778-A8A037FF06B8}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}

Key Found : HKLM\SOFTWARE\Classes\DTToolbar.ToolBandObj

Key Found : HKLM\SOFTWARE\Classes\DTToolbar.ToolBandObj.1

Key Found : HKLM\SOFTWARE\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF

Key Found : HKLM\SOFTWARE\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF

Key Found : HKLM\SOFTWARE\Classes\Installer\UpgradeCodes\F928123A039649549966D4C29D35B1C9

Key Found : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}

Key Found : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}

Key Found : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}

Key Found : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}

Key Found : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}

Key Found : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}

Key Found : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}

Key Found : HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\viprotocol

Key Found : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi

Key Found : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1

Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT2481032

Key Found : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}

Key Found : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}

Key Found : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}

Key Found : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE

Key Found : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1

Key Found : HKLM\Software\Conduit

Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A46366FE-82B6-4158-99B6-232CCBA7E4CA}

Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}

Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E44BD3A4-4471-4909-8B0D-123983F63065}

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Ashampoo_US Toolbar

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\AVG Secure Search

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{6568F275-5827-43C5-9778-A8A037FF06B8}

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0E12F736682067FDE4D1158D5940A82E

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1A24B5BB8521B03E0C8D908F5ABC0AE6

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\261F213D1F55267499B1F87D0CC3BCF7

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2B0D56C4F4C46D844A57FFED6F0D2852


***** [internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://search.conduit.com?SearchSource=10&ctid=CT2481032

[HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls - Tabs] = hxxp://isearch.avg.com/tab?cid={5EE57405-9FC2-4C85-8CB3-B43EF7B7A64C}&mid=bb3eb5fa4f52cfefedf7a806df17481d-397f8570f3d7915b32a3427577e888cd85e69a21〈=en&ds=AVG&pr=fr&d=2012-07-02 12:48:37&v=13.2.0.5&sap=nt

-\\ Mozilla Firefox v17.0.1 (en-US)

-\\ Google Chrome v23.0.1271.97

-\\ Opera v12.11.1661.0

*************************

AdwCleaner[R1].txt - [11527 octets] - [27/12/2012 17:16:48]

########## EOF - C:\AdwCleaner[R1].txt - [11588 octets] ##########

FYI: Before ComboFix deleted that dsgsdgdsgdsgw.js file, I did take a look at what it is doing:

It uses rundll32.exe to execute an exe that is in the Documents and Settings\<User>\ folder and has the exact opposite spelling of the .js file name, but I don't know how the .js is being called in the first place by the browser.
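As an added example (not part of this thread or of AdwCleaner itself), a small Python parser for the AdwCleaner log format shown above: it counts what was found or deleted per category, extracts the host the browser start page had been pointed at, and lists the registry locations (BHOs, SearchScopes, toolbars, extensions, elevation policy) that give a toolbar or search hijacker persistence. The sample lines are a constructed excerpt in the shape of the logs posted in this thread; the line shapes and the PERSISTENCE_MARKERS list are assumptions based on those logs.

```python
import re
from collections import Counter

# Constructed sample in the shape of the AdwCleaner logs posted in this thread
# (a few lines from the [Delete] run, not the whole log).
SAMPLE_DELETE_LOG = r"""
# AdwCleaner v2.103 - Logfile created 12/27/2012 at 19:01:40
# Option [Delete]
***** [Files / Folders] *****
Folder Deleted : C:\Program Files\Conduit
File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml
***** [Registry] *****
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [Avg@toolbar]
***** [internet Browsers] *****
-\\ Internet Explorer v8.0.6001.18702
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://search.conduit.com?SearchSource=10&ctid=CT2481032 --> hxxp://www.google.com
""".strip()

SECTION_RE = re.compile(r"^\*{5} \[(.+?)\] \*{5}$")
ENTRY_RE = re.compile(r"^(Key|Value|File|Folder) (Found|Deleted) : (.*)$")
# Browser settings appear bare in a scan log and as "Replaced : ... --> new" in a delete log.
SETTING_RE = re.compile(r"^(?:Replaced : )?\[(.+?) - (.+?)\] = (.*?)(?: --> (.*))?$")
OPTION_RE = re.compile(r"^# Option \[(\w+)\]$")
HOST_RE = re.compile(r"^hxxps?://([^/?#]+)", re.IGNORECASE)  # AdwCleaner defangs http as hxxp
# Assumed list of registry locations that load code or redirect searches on every browser start.
PERSISTENCE_MARKERS = ("Browser Helper Objects", "SearchScopes", "Toolbar", "Extensions", "ElevationPolicy")

def parse_adwcleaner_log(text):
    """Parse one AdwCleaner logfile into its entries, browser settings and run mode."""
    report = {"mode": None, "entries": [], "settings": []}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := OPTION_RE.match(line):
            report["mode"] = m.group(1)
        elif m := SECTION_RE.match(line):
            section = m.group(1)
        elif m := ENTRY_RE.match(line):
            kind, action, target = m.groups()
            report["entries"].append({"section": section, "kind": kind, "action": action, "target": target})
        elif m := SETTING_RE.match(line):
            key, name, old, new = m.groups()
            report["settings"].append({"key": key, "name": name, "old": old, "new": new})
    if report["mode"] is None:  # a scan log without an Option header: infer from the actions
        report["mode"] = "Scan" if any(e["action"] == "Found" for e in report["entries"]) else "Unknown"
    return report

def summarize(report):
    """Count entries per (kind, action), e.g. ('Key', 'Deleted') -> 2."""
    return Counter((e["kind"], e["action"]) for e in report["entries"])

def hijacked_hosts(report):
    """Hosts the browser had been pointed at before cleanup (old value of each setting)."""
    return {m.group(1).lower() for s in report["settings"] if (m := HOST_RE.match(s["old"]))}

def persistence_entries(report):
    """Registry entries at locations that give a toolbar or search hijacker persistence."""
    return [e["target"] for e in report["entries"] if any(mk in e["target"] for mk in PERSISTENCE_MARKERS)]
```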


FYI: Before ComboFix deleted that dsgsdgdsgdsgw.js file, I did take a look at what it is doing:

It uses rundll32.exe to execute an exe that is in the Documents and Settings\<User>\ folder and has the exact opposite spelling of the .js file name, but I don't know how the .js is being called in the first place by the browser.

I hope you deleted it. It doesn't show in any of the logs.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Lots of adware found... let's clear it out...

  1. Please re-run AdwCleaner
  2. Click on Delete button.
  3. Confirm each time with OK if asked.
  4. Your computer will be rebooted automatically. A text file will open after the restart. Please post the content of that logfile in your reply.

Note: You can find the logfile at C:\AdwCleaner[sn].txt as well - n is the order number.

Then.......

Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!

MrC


Yes that .js file is deleted.

Here is the 2nd log report from ADWCleaner after the deletion:

# AdwCleaner v2.103 - Logfile created 12/27/2012 at 19:01:40

# Updated 25/12/2012 by Xplode

# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)

# User : me - ME-24QC

# Boot Mode : Normal

# Running from : C:\Documents and Settings\me\desktop\adwcleaner.exe

# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

Deleted on reboot : C:\Program Files\Common Files\AVG Secure Search

File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml

Folder Deleted : C:\Documents and Settings\All Users\Application Data\AVG Secure Search

Folder Deleted : C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar

Folder Deleted : C:\Program Files\Ashampoo_US

Folder Deleted : C:\Program Files\Ask.com

Folder Deleted : C:\Program Files\AVG Secure Search

Folder Deleted : C:\Program Files\Conduit

Folder Deleted : C:\Program Files\DAEMON Tools Toolbar

Folder Deleted : C:\WINDOWS\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

***** [Registry] *****


***** [internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://search.conduit.com?SearchSource=10&ctid=CT2481032 --> hxxp://www.google.com

Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls - Tabs] = hxxp://isearch.avg.com/tab?cid={5EE57405-9FC2-4C85-8CB3-B43EF7B7A64C}&mid=bb3eb5fa4f52cfefedf7a806df17481d-397f8570f3d7915b32a3427577e888cd85e69a21〈=en&ds=AVG&pr=fr&d=2012-07-02 12:48:37&v=13.2.0.5&sap=nt --> hxxp://www.google.com

-\\ Mozilla Firefox v17.0.1 (en-US)

-\\ Google Chrome v23.0.1271.97

-\\ Opera v12.11.1661.0

*************************

AdwCleaner[R1].txt - [11658 octets] - [27/12/2012 17:16:48]

AdwCleaner[s1].txt - [11444 octets] - [27/12/2012 19:01:40]

########## EOF - C:\AdwCleaner[s1].txt - [11505 octets] ##########

And here is the report from SecurityCheck:

Results of screen317's Security Check version 0.99.56

Windows XP Service Pack 3 x86

Internet Explorer 8

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

AVG Anti-Virus Free Edition 2013

Antivirus up to date!

`````````Anti-malware/Other Utilities Check:`````````

Spybot - Search & Destroy

12Ghosts ShutDown

Malwarebytes Anti-Malware version 1.65.1.1000

Java 6 Update 26

Java version out of Date!

Adobe Flash Player 11.5.502.135

Adobe Reader 9 Adobe Reader out of Date!

Mozilla Firefox (17.0.1)

Mozilla Thunderbird (17.0.)

Google Chrome 23.0.1271.64

Google Chrome 23.0.1271.91

Google Chrome 23.0.1271.95

Google Chrome 23.0.1271.97

````````Process Check: objlist.exe by Laurent````````

AVG avgwdsvc.exe

AVG avgrsx.exe

AVG avgnsx.exe

AVG avgemc.exe

IObit IObit Malware Fighter IMFsrv.exe

IObit IObit Malware Fighter IMF.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C:: 29% Defragment your hard drive soon! (Do NOT defrag if SSD!)

````````````````````End of Log``````````````````````


Java™ 6 Update 26 <---please uninstall from add/remove programs

Java version out of Date! <-------Download and install the latest version from Here

Adobe Reader 9 Adobe Reader out of Date! <----please check for an update

You have outdated programs on the system which are vulnerable to malware.

Please update or uninstall them.

Info on doing that can be found in my Preventive Maintenance

~~~~~~~~~~~~~~~~~~~~~

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

http://www.itxassoci...T-Tools/OTL.exe

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

i.e. RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, MBAR, etc. AdwCleaner > just run the program and click uninstall.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

