Help with Infected Computer?


  • Staff

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.


  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines; these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", as this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

These are the programs I would like you to run next; if you have any problems with one of them, just skip it and run the next one.

-Security Check-

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-AdwCleaner-

  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

-RogueKiller-

  • Download & SAVE RogueKiller to your Desktop (or from here).
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then click on the "Scan" button.
  • Wait until the Status box shows "Scan Finished".
  • Click on "Delete".
  • Wait until the Status box shows "Deleting Finished".
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop.
  • Exit/Close RogueKiller.

Gringo


Thanks for your help Gringo

Security Check - no output

AdwCleaner -

# AdwCleaner v2.104 - Logfile created 01/03/2013 at 12:08:09

# Updated 29/12/2012 by Xplode

# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)

# User : Owner - GRACIE

# Boot Mode : Normal

# Running from : C:\Documents and Settings\Owner\My Documents\Downloads\adwcleaner.exe

# Option [Delete]

***** [services] *****

Stopped & Deleted : Application Updater

***** [Files / Folders] *****

Folder Deleted : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkq0ae5t.default\adawaretb

Folder Deleted : C:\Documents and Settings\Administrator\Local Settings\Application Data\AVG Security Toolbar

Folder Deleted : C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar

Folder Deleted : C:\Documents and Settings\All Users\Application Data\blekko toolbars

Folder Deleted : C:\Documents and Settings\All Users\Application Data\Tarma Installer

Folder Deleted : C:\Documents and Settings\Owner\Application Data\adawaretb

Folder Deleted : C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\3nkidg1k.default\adawaretb

Folder Deleted : C:\Documents and Settings\Owner\Application Data\yourfiledownloader

Folder Deleted : C:\Documents and Settings\Owner\Local Settings\Application Data\AVG Security Toolbar

Folder Deleted : C:\Program Files\adawaretb

Folder Deleted : C:\Program Files\yourfiledownloader

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\Freecause

Key Deleted : HKCU\Software\AppDataLow\Software\Search Settings

Key Deleted : HKCU\Software\AVG Security Toolbar

Key Deleted : HKCU\Software\Compete

Key Deleted : HKCU\Software\Conduit

Key Deleted : HKCU\Software\Cr_Installer

Key Deleted : HKCU\Software\Crossrider

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{201F27D4-3704-41D6-89C1-AA35E39143ED}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3041D03E-FD4B-44E0-B742-2D9B88305F98}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{201F27D4-3704-41D6-89C1-AA35E39143ED}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3041D03E-FD4B-44E0-B742-2D9B88305F98}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}

Key Deleted : HKCU\Software\Search Settings

Key Deleted : HKLM\Software\Application Updater

Key Deleted : HKLM\Software\AVG Security Toolbar

Key Deleted : HKLM\Software\Babylon

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\YontooIEClient.DLL

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7E84186E-B5DE-4226-8A66-6E49C6B511B4}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9AFB8248-617F-460D-9366-D71CDEDA3179}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FE9271F2-6EFD-44B0-A826-84C829536E93}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}

Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}

Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Api

Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Api.1

Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Layers

Key Deleted : HKLM\Software\Conduit

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc

Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{628F3201-34D0-49C0-BB9A-82A26AEFB291}

Key Deleted : HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SearchSettings

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}

Key Deleted : HKLM\Software\Search Settings

Key Deleted : HKLM\Software\Tarma Installer

Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{6C97A91E-4524-4019-86AF-2AA2D567BF5C}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v17.0.1 (en-US)

File : C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\3nkidg1k.default\prefs.js

C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\3nkidg1k.default\user.js ... Deleted !

Deleted : user_pref("extensions.crossriderapp19866.19866.InstallationTime", 1357233308);

Deleted : user_pref("extensions.crossriderapp19866.19866.active", true);

Deleted : user_pref("extensions.crossriderapp19866.19866.addressbar", "");

Deleted : user_pref("extensions.crossriderapp19866.19866.addressbarenhanced", "");

Deleted : user_pref("extensions.crossriderapp19866.19866.backgroundjs", "\n\n\"undefined\"!=typeof _GPL_BG_NEW[...]

Deleted : user_pref("extensions.crossriderapp19866.19866.backgroundver", 3);

Deleted : user_pref("extensions.crossriderapp19866.19866.can_run_bg_code", true);

Deleted : user_pref("extensions.crossriderapp19866.19866.certdomaininstaller", "");

Deleted : user_pref("extensions.crossriderapp19866.19866.changeprevious", false);

Deleted : user_pref("extensions.crossriderapp19866.19866.cookie.InstallationTime.expiration", "Fri Feb 01 2030[...]

Deleted : user_pref("extensions.crossriderapp19866.19866.cookie.InstallationTime.value", "1357233308");

Deleted : user_pref("extensions.crossriderapp19866.19866.cookie._GPL_aoi.expiration", "Fri Feb 01 2030 00:00:0[...]

Deleted : user_pref("extensions.crossriderapp19866.19866.cookie._GPL_aoi.value", "1357233308");

Deleted : user_pref("extensions.crossriderapp19866.19866.cookie._GPL_blocklist.expiration", "Thu Jan 03 2013 1[...]

Deleted : user_pref("extensions.crossriderapp19866.19866.cookie._GPL_blocklist.value", "%22nonexistantdomain.c[...]

Deleted : user_pref("extensions.crossriderapp19866.19866.cookie._GPL_country_code.expiration", "Thu Jan 10 201[...]

Deleted : user_pref("extensions.crossriderapp19866.19866.cookie._GPL_country_code.value", "%22US%22");

Deleted : user_pref("extensions.crossriderapp19866.19866.cookie._GPL_crr.expiration", "Fri Feb 01 2030 00:00:0[...]

Deleted : user_pref("extensions.crossriderapp19866.19866.cookie._GPL_crr.value", "1357233315");

Deleted : user_pref("extensions.crossriderapp19866.19866.cookie._GPL_currenttime.expiration", "Fri Feb 01 2030[...]

Deleted : user_pref("extensions.crossriderapp19866.19866.cookie._GPL_currenttime.value", "%221356061408%22");

Deleted : user_pref("extensions.crossriderapp19866.19866.cookie._GPL_hotfix20111102645.expiration", "Fri Feb 0[...]

Deleted : user_pref("extensions.crossriderapp19866.19866.cookie._GPL_hotfix20111102645.value", "%221%22");

Deleted : user_pref("extensions.crossriderapp19866.19866.cookie._GPL_installer_params.expiration", "Fri Feb 01[...]

Deleted : user_pref("extensions.crossriderapp19866.19866.cookie._GPL_installer_params.value", "%7B%22source_id[...]

Deleted : user_pref("extensions.crossriderapp19866.19866.cookie._GPL_installtime.expiration", "Fri Feb 01 2030[...]

Deleted : user_pref("extensions.crossriderapp19866.19866.cookie._GPL_installtime.value", "%221356061408%22");

Deleted : user_pref("extensions.crossriderapp19866.19866.cookie._GPL_parent_zoneid.expiration", "Fri Feb 01 20[...]

Deleted : user_pref("extensions.crossriderapp19866.19866.cookie._GPL_parent_zoneid.value", "%22106779%22");

Deleted : user_pref("extensions.crossriderapp19866.19866.cookie._GPL_pc_20120828.expiration", "Fri Feb 01 2030[...]

Deleted : user_pref("extensions.crossriderapp19866.19866.cookie._GPL_pc_20120828.value", "1357233318659");

Deleted : user_pref("extensions.crossriderapp19866.19866.cookie._GPL_product_id.expiration", "Fri Feb 01 2030 [...]

Deleted : user_pref("extensions.crossriderapp19866.19866.cookie._GPL_product_id.value", "%221341%22");

Deleted : user_pref("extensions.crossriderapp19866.19866.cookie._GPL_zoneid.expiration", "Fri Feb 01 2030 00:0[...]

Deleted : user_pref("extensions.crossriderapp19866.19866.cookie._GPL_zoneid.value", "%22127114%22");

Deleted : user_pref("extensions.crossriderapp19866.19866.cookie.dbtest.expiration", "Fri Feb 01 2030 00:00:00 [...]

Deleted : user_pref("extensions.crossriderapp19866.19866.cookie.dbtest.value", "1357233314369");

Deleted : user_pref("extensions.crossriderapp19866.19866.description", "Deal Vault");

Deleted : user_pref("extensions.crossriderapp19866.19866.domain", "");

Deleted : user_pref("extensions.crossriderapp19866.19866.enablesearch", false);

Deleted : user_pref("extensions.crossriderapp19866.19866.fbremoteurl", "");

Deleted : user_pref("extensions.crossriderapp19866.19866.group", 0);

Deleted : user_pref("extensions.crossriderapp19866.19866.homepage", "");

Deleted : user_pref("extensions.crossriderapp19866.19866.iframe", false);

Deleted : user_pref("extensions.crossriderapp19866.19866.internaldb.Resources_appVer.expiration", "Fri Feb 01 [...]

Deleted : user_pref("extensions.crossriderapp19866.19866.internaldb.Resources_appVer.value", "11");

Deleted : user_pref("extensions.crossriderapp19866.19866.internaldb.Resources_lastVersion.expiration", "Fri Fe[...]

Deleted : user_pref("extensions.crossriderapp19866.19866.internaldb.Resources_lastVersion.value", "2");

Deleted : user_pref("extensions.crossriderapp19866.19866.internaldb.Resources_meta.expiration", "Fri Feb 01 20[...]

Deleted : user_pref("extensions.crossriderapp19866.19866.internaldb.Resources_meta.value", "%7B%7D");

Deleted : user_pref("extensions.crossriderapp19866.19866.internaldb.Resources_nextCheck.expiration", "Thu Jan [...]

Deleted : user_pref("extensions.crossriderapp19866.19866.internaldb.Resources_nextCheck.value", "true");

Deleted : user_pref("extensions.crossriderapp19866.19866.internaldb.Resources_queue.expiration", "Fri Feb 01 2[...]

Deleted : user_pref("extensions.crossriderapp19866.19866.internaldb.Resources_queue.value", "%7B%7D");

Deleted : user_pref("extensions.crossriderapp19866.19866.js", "\n\nif(\"undefined\"!=typeof _GPL_PLUGIN){var _[...]

Deleted : user_pref("extensions.crossriderapp19866.19866.manifesturl", "");

Deleted : user_pref("extensions.crossriderapp19866.19866.name", "Deal Vault");

Deleted : user_pref("extensions.crossriderapp19866.19866.newtab", "");

Deleted : user_pref("extensions.crossriderapp19866.19866.opensearch", "");

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_1.code", "appAPI._cr_config={appID:fun[...]

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_1.name", "base");

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_1.ver", 3);

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_1000014.code", "Array.prototype.indexO[...]

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_1000014.name", "GPL Plugin (Loader)");

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_1000014.ver", 10);

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_1000015.code", "var _GPL_BG={vars:{},r[...]

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_1000015.name", "GPL Background (BG)");

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_1000015.ver", 4);

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_13.code", "(function(a){a.selectedText[...]

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_13.name", "CrossriderAppUtils");

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_13.ver", 2);

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_14.code", "if(typeof(appAPI)===\"undef[...]

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_14.name", "CrossriderUtils");

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_14.ver", 2);

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_15.code", "(function(f){var u={};var e[...]

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_15.name", "FacebookFFIE");

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_15.ver", 1);

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_16.code", "if((typeof isBackground===\[...]

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_16.name", "FFAppAPIWrapper");

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_16.ver", 4);

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_17.code", "if(typeof window!==\"undefi[...]

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_17.name", "jQuery");

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_17.ver", 3);

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_21.code", "var CrossriderDebugManager=[...]

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_21.name", "debug");

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_21.ver", 3);

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_22.code", "(function(a){appAPI.queueMa[...]

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_22.name", "resources");

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_22.ver", 2);

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_28.code", "var CrossriderInitializerPl[...]

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_28.name", "initializer");

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_28.ver", 2);

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_4.code", "/*! jQuery v1.7.1 jquery.com[...]

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_4.name", "jquery_1_7_1");

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_4.ver", 3);

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_47.code", "(function(){appAPI.ready=fu[...]

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_47.name", "resources_background");

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_47.ver", 1);

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_64.code", "(function(){var h=\"__CR_EM[...]

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_64.name", "appApiMessage");

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_64.ver", 1);

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_72.code", "if(appAPI.__should_activate[...]

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_72.name", "appApiValidation");

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_72.ver", 1);

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins_lists.plugins_0", "17,14,16,64,72,47,1000015"[...]

Deleted : user_pref("extensions.crossriderapp19866.19866.plugins_lists.plugins_1", "17,14,13,16,15,64,72,4,1,2[...]

Deleted : user_pref("extensions.crossriderapp19866.19866.pluginsurl", "hxxp://app-static.crossrider.com/plugin[...]

Deleted : user_pref("extensions.crossriderapp19866.19866.pluginsversion", 8);

Deleted : user_pref("extensions.crossriderapp19866.19866.publisher", "215 Apps");

Deleted : user_pref("extensions.crossriderapp19866.19866.searchstatus", 0);

Deleted : user_pref("extensions.crossriderapp19866.19866.setnewtab", false);

Deleted : user_pref("extensions.crossriderapp19866.19866.settingsurl", "");

Deleted : user_pref("extensions.crossriderapp19866.19866.thankyou", "");

Deleted : user_pref("extensions.crossriderapp19866.19866.updateinterval", 360);

Deleted : user_pref("extensions.crossriderapp19866.19866.ver", 11);

Deleted : user_pref("extensions.crossriderapp19866.adsOldValue", -1);

Deleted : user_pref("extensions.crossriderapp19866.apps", "19866");

Deleted : user_pref("extensions.crossriderapp19866.bic", "13c0168c0e9455cebb5e294ea5b26ff3");

Deleted : user_pref("extensions.crossriderapp19866.cid", 19866);

Deleted : user_pref("extensions.crossriderapp19866.firstrun", false);

Deleted : user_pref("extensions.crossriderapp19866.hadappinstalled", true);

Deleted : user_pref("extensions.crossriderapp19866.installationdate", 1357233308);

Deleted : user_pref("extensions.crossriderapp19866.lastcheck", 22620555);

Deleted : user_pref("extensions.crossriderapp19866.lastcheckitem", 22620555);

Deleted : user_pref("extensions.crossriderapp19866.modetype", "production");

Deleted : user_pref("extensions.crossriderapp19866.reportInstall", true);

Deleted : user_pref("extensions.enabledAddons", "crossriderapp19866%40crossrider.com:0.86.6,%7B40D65E82-75AC-4[...]

File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkq0ae5t.default\prefs.js

C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkq0ae5t.default\user.js ... Deleted !

Deleted : user_pref("extensions.crossriderapp19866.adsOldValue", -1);

-\\ Google Chrome v [unable to get version]

File : C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [17924 octets] - [03/01/2013 12:07:50]

AdwCleaner[S2].txt - [18476 octets] - [03/01/2013 12:08:09]

########## EOF - C:\AdwCleaner[S2].txt - [18537 octets] ##########

Rogue Killer -

RogueKiller V8.4.2 [Dec 31 2012] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User : Owner [Admin rights]

Mode : Remove -- Date : 01/03/2013 12:18:14

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD5000AACS-00ZUB0 +++++

--- User ---

[MBR] d391c0715b9607c37bc8bfe68b54cb65

[BSP] d798585473137686660b7b42e1787804 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: WDC WD5000AACS-00ZUB0 +++++

--- User ---

[MBR] 06695c9241862a494ab3274d6c7feb54

[BSP] 4b4a864160c8efbcbb768e59a99079f2 : MBR Code unknown

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476937 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[3]_D_01032013_02d1218.txt >>

RKreport[1]_S_01032013_02d1217.txt ; RKreport[2]_D_01032013_02d1217.txt ; RKreport[3]_D_01032013_02d1218.txt

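The AdwCleaner log above runs to well over a hundred entries, and the next step in the cleanup depends on reading it correctly. As an added example (my code, not AdwCleaner's and not anything posted in this thread), the Python below parses the v2 log format into records, counts what was removed per section, groups the removed Firefox prefs by the add-on branch that owned them, and flags the prefs that stored script or a download URL, which in this log is how the Crossrider "Deal Vault" add-on carried its plugin code. The regular expressions are written against the line shapes in the log above; SAMPLE_LOG is a trimmed copy of that log, and the function names are this example's own.

```python
import re
from collections import Counter

# Added example for this thread (not AdwCleaner's or the forum's code); the
# line patterns below come from the AdwCleaner v2.104 log posted above.
SECTION_RE = re.compile(r"^\*{5} \[(?P<name>[^\]]+)\] \*{5}$")          # ***** [Registry] *****
BROWSER_RE = re.compile(r"^-\\\\ (?P<browser>.+)$")                      # -\\ Mozilla Firefox v17.0.1
ACTION_RE = re.compile(r"^(?P<action>[A-Za-z& ]+?) : (?P<target>.+)$")   # Key Deleted : HKCU\...
POSTFIX_RE = re.compile(r"^(?P<target>.+) \.\.\. Deleted !$")            # <path> ... Deleted !
PREF_RE = re.compile(r'^user_pref\("(?P<name>[^"]+)",\s*(?P<value>.*)$')  # value may end in [...]

# Constructed input: a trimmed copy of the log posted in this thread.
SAMPLE_LOG = r"""
# AdwCleaner v2.104 - Logfile created 01/03/2013 at 12:08:09
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
***** [Services] *****
Stopped & Deleted : Application Updater
***** [Files / Folders] *****
Folder Deleted : C:\Program Files\adawaretb
Folder Deleted : C:\Program Files\yourfiledownloader
***** [Registry] *****
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{6C97A91E-4524-4019-86AF-2AA2D567BF5C}]
***** [Internet Browsers] *****
-\\ Internet Explorer v8.0.6001.18702
[OK] Registry is clean.
-\\ Mozilla Firefox v17.0.1 (en-US)
File : C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\3nkidg1k.default\prefs.js
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\3nkidg1k.default\user.js ... Deleted !
Deleted : user_pref("extensions.crossriderapp19866.19866.name", "Deal Vault");
Deleted : user_pref("extensions.crossriderapp19866.19866.plugins.plugin_1.code", "appAPI._cr_config={appID:fun[...]
Deleted : user_pref("extensions.crossriderapp19866.19866.pluginsurl", "hxxp://app-static.crossrider.com/plugin[...]
Deleted : user_pref("extensions.crossriderapp19866.firstrun", false);
-\\ Google Chrome v [unable to get version]
[OK] File is clean.
AdwCleaner[R1].txt - [17924 octets] - [03/01/2013 12:07:50]
########## EOF - C:\AdwCleaner[S2].txt - [18537 octets] ##########
"""


def parse_adwcleaner_log(text):
    """Return (header, records); each record has section, browser, action, target."""
    header, records = {}, []
    section = browser = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# "):                      # "# key : value" preamble
            key, sep, value = line[2:].partition(" : ")
            header[key] = value if sep else ""
            continue
        if m := SECTION_RE.match(line):
            section, browser = m.group("name"), None
            continue
        if section is None:                            # nothing before the first section
            continue
        if m := BROWSER_RE.match(line):
            browser = m.group("browser")
            continue
        entry = {"section": section, "browser": browser}
        if line.startswith("[OK]"):
            entry.update(action="OK", target=line[4:].strip())
        elif m := POSTFIX_RE.match(line):
            entry.update(action="Deleted", target=m.group("target"))
        elif m := ACTION_RE.match(line):
            entry.update(action=m.group("action"), target=m.group("target"))
        else:
            continue                                   # separator and trailer lines
        records.append(entry)
    return header, records


def action_counts(records):
    """Entries per (section, action), e.g. ("Registry", "Key Deleted")."""
    return Counter((r["section"], r["action"]) for r in records)


def deleted_prefs(records):
    """(name, value) for every removed Firefox user_pref; truncated values keep their '[...]'."""
    out = []
    for r in records:
        m = PREF_RE.match(r["target"]) if r["action"] == "Deleted" else None
        if m:
            value = m.group("value")
            out.append((m.group("name"), value[:-2] if value.endswith(");") else value))
    return out


def pref_owners(records):
    """Removed prefs grouped by owning branch (first two dotted components)."""
    return Counter(".".join(n.split(".")[:2]) for n, _ in deleted_prefs(records))


def prefs_with_embedded_code(records):
    """Prefs whose value held script or a remote URL instead of a plain setting.
    In the posted log the Crossrider add-on kept its plugin bodies under
    *.plugins.plugin_N.code / *.js / *.backgroundjs and its download location
    under *.pluginsurl; those entries show what the add-on ran and fetched."""
    return [n for n, v in deleted_prefs(records)
            if n.rsplit(".", 1)[-1] in {"code", "js", "backgroundjs"} or "://" in v]


if __name__ == "__main__":
    header, records = parse_adwcleaner_log(SAMPLE_LOG)
    for (section, action), n in sorted(action_counts(records).items()):
        print(f"{section:18} {action:18} {n}")
    print(dict(pref_owners(records)), prefs_with_embedded_code(records))
```

To run it on a real report, read C:\AdwCleaner[S1].txt as text and pass the string to parse_adwcleaner_log in place of SAMPLE_LOG. Lines that fit none of the patterns (the separators and the trailer) are skipped rather than guessed at, so a record in the output always corresponds to an action the tool reported.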

  • Staff

Hello

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

Link 1
Link 2
Link 3

1. Close any open browsers or any other programs that are open.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo


ComboFix did install the Recovery Console.

Here is the log:

ComboFix 13-01-03.05 - Owner 01/03/2013 12:58:58.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.2830 [GMT -6:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: Lavasoft Ad-Aware *Disabled/Updated* {964FCE60-0B18-4D30-ADD6-EB178909041C}

FW: Lavasoft Ad-Aware *Disabled* {FF1CD5B7-1553-4625-A258-1775385CED33}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\3E60109CA4.sys

c:\documents and settings\All Users\Application Data\hpe5E9.dll

c:\documents and settings\All Users\Application Data\TEMP

c:\documents and settings\Owner\Application Data\PropMgrAsync

c:\documents and settings\Owner\Application Data\PropMgrAsync\PropMgrAsync.cfg

c:\documents and settings\Owner\Application Data\PropMgrAsync\PropMgrAsync.log

c:\documents and settings\Owner\My Documents\~WRL3761.tmp

c:\documents and settings\Owner\My Documents\DPE.DUS

c:\documents and settings\Owner\WINDOWS

c:\program files\BasicSeek

c:\program files\BasicSeek\basicseek.dll

c:\program files\BasicSeek\basicseek.exe

c:\program files\BasicSeek\uninstall.exe

c:\windows\wininit.ini

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_BasicSeek_Service

-------\Legacy_BasicSeek_Service

-------\Service_BasicSeek Service

-------\Service_BasicSeek Service

.

.

((((((((((((((((((((((((( Files Created from 2012-12-03 to 2013-01-03 )))))))))))))))))))))))))))))))

.

.

2013-01-03 17:11 . 2013-01-03 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\BasicSeek

2013-01-03 15:46 . 2013-01-03 15:52 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\adawarebp

2013-01-03 14:56 . 2013-01-03 16:56 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2013-01-03 14:56 . 2013-01-03 14:56 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2013-01-03 14:55 . 2013-01-03 14:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2013-01-03 14:55 . 2013-01-03 16:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2013-01-03 14:55 . 2012-12-14 22:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-01-03 14:29 . 2013-01-03 14:29 -------- d-----w- c:\documents and settings\Owner\Application Data\DriverCure

2013-01-03 14:29 . 2013-01-03 14:29 -------- d-----w- c:\documents and settings\Owner\Application Data\ParetoLogic

2013-01-03 13:33 . 2013-01-03 13:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2013-01-03 13:22 . 2013-01-03 13:22 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2013-01-01 16:02 . 2009-01-25 18:14 15224 ----a-w- c:\windows\system32\sdnclean.exe

2012-12-31 19:37 . 2013-01-02 15:21 -------- d-----w- c:\windows\CD27142034CF47DC80B7C409B6CD0DD8.TMP

2012-12-24 08:27 . 2012-12-24 08:27 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Sun

2012-12-21 19:54 . 2012-12-21 19:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Ad-Aware Antivirus

2012-12-21 19:53 . 2012-12-21 19:53 -------- d-----w- c:\documents and settings\Owner\Application Data\LavasoftStatistics

2012-12-21 19:45 . 2012-12-24 03:19 -------- d-----w- c:\program files\Ad-Aware Antivirus

2012-12-21 19:44 . 2013-01-03 15:42 44424 ----a-w- c:\windows\system32\sbbd.exe

2012-12-21 19:44 . 2013-01-03 15:42 13560 ----a-w- c:\windows\system32\drivers\gfibto.sys

2012-12-21 19:43 . 2013-01-03 15:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection

2012-12-21 19:43 . 2012-12-21 19:43 -------- d-----w- c:\program files\Toolbar Cleaner

2012-12-21 19:42 . 2012-12-21 22:01 -------- d-----w- c:\documents and settings\Owner\Application Data\Ad-Aware Antivirus

2012-12-21 19:31 . 2012-12-21 19:31 -------- d-----w- c:\windows\system32\Adobe

2012-12-21 19:29 . 2012-12-21 19:29 93640 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

2012-12-21 16:12 . 2012-12-21 16:12 110080 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{DDABC667-56B3-4122-82B0-2F5782EA2F9A}\IconF7A21AF7.exe

2012-12-21 16:12 . 2012-12-21 16:12 110080 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{DDABC667-56B3-4122-82B0-2F5782EA2F9A}\IconD7F16134.exe

2012-12-21 16:12 . 2012-12-21 16:12 110080 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{DDABC667-56B3-4122-82B0-2F5782EA2F9A}\IconCF33A0CE.exe

2012-12-21 16:11 . 2012-12-21 22:04 -------- d-----w- c:\program files\Enigma Software Group

2012-12-21 16:11 . 2012-12-21 16:12 -------- d-----w- C:\sh4ldr

2012-12-21 16:11 . 2012-12-21 16:12 -------- d-----w- c:\windows\DDABC66756B3412282B02F5782EA2F9A.TMP

2012-12-21 13:47 . 2013-01-01 15:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2012-12-21 13:47 . 2013-01-01 16:03 -------- d-----w- c:\program files\Spybot - Search & Destroy 2

2012-12-17 14:13 . 2012-12-17 14:14 -------- d-----w- c:\documents and settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1

2012-12-05 21:46 . 2012-12-05 21:46 -------- d-----w- c:\program files\IObit Toolbar

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-01-03 02:22 . 2008-09-04 02:17 139832 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys

2013-01-03 02:21 . 2009-03-01 14:56 281768 ----a-w- c:\windows\system32\PnkBstrB.xtr

2013-01-03 02:21 . 2008-09-04 02:17 281768 ----a-w- c:\windows\system32\PnkBstrB.exe

2013-01-02 21:23 . 2008-09-04 02:17 281768 ----a-w- c:\windows\system32\PnkBstrB.ex0

2012-12-21 19:29 . 2008-09-28 04:07 143872 ----a-w- c:\windows\system32\javacpl.cpl

2012-12-21 19:29 . 2012-06-16 19:48 859072 ----a-w- c:\windows\system32\npdeployJava1.dll

2012-12-21 19:29 . 2010-04-23 22:44 779704 ----a-w- c:\windows\system32\deployJava1.dll

2012-12-16 12:23 . 2006-02-28 12:00 290560 ----a-w- c:\windows\system32\atmfd.dll

2012-12-12 08:34 . 2012-04-04 04:49 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-12-12 08:34 . 2011-06-03 18:00 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-11-13 01:25 . 2006-02-28 12:00 1866368 ----a-w- c:\windows\system32\win32k.sys

2012-11-02 02:02 . 2006-02-28 12:00 375296 ----a-w- c:\windows\system32\dpnet.dll

2012-11-01 12:17 . 2006-02-28 12:00 916992 ----a-w- c:\windows\system32\wininet.dll

2012-11-01 12:17 . 2006-02-28 12:00 43520 ------w- c:\windows\system32\licmgr10.dll

2012-11-01 12:17 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-11-01 00:35 . 2006-02-28 12:00 385024 ------w- c:\windows\system32\html.iec

2012-10-25 09:12 . 2012-10-25 09:12 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2012-10-25 09:12 . 2012-10-25 09:12 69632 ----a-w- c:\windows\system32\QuickTime.qts

2012-10-13 00:09 . 2011-12-09 15:55 22400 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe

2008-08-16 23:42 . 2012-12-06 04:29 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll

2008-08-16 23:42 . 2012-12-06 04:29 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll

2008-08-16 23:42 . 2012-12-06 04:29 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll

2008-08-16 23:42 . 2012-12-06 04:29 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll

2008-08-16 23:43 . 2012-12-06 04:29 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll

2008-08-16 23:42 . 2012-12-06 04:29 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll

2008-08-16 23:42 . 2012-12-06 04:29 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll

2007-03-16 22:27 . 2012-12-06 04:29 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll

2007-03-16 22:27 . 2012-12-06 04:29 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll

2007-03-16 22:27 . 2012-12-06 04:29 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll

2008-06-05 19:58 . 2012-12-06 04:29 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll

2008-08-16 23:42 . 2012-12-06 04:29 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll

2012-12-06 04:29 . 2012-12-06 04:29 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]

"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-07-31 2596984]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-12-12 152544]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-10-25 421888]

"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]

"Ad-Aware Browsing Protection"="c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe" [2012-12-11 542104]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-12-21 519584]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ \0sdnclean.exe

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ad-Aware Service]

@="Ad-Aware Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PKZIP Attachments Status.lnk]

backup=c:\windows\pss\PKZIP Attachments Status.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^WalkingSpree Data Uploader.lnk]

backup=c:\windows\pss\WalkingSpree Data Uploader.lnkStartup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 5

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2012-07-11 19:00 919008 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2012-07-31 11:20 38872 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

2005-05-03 10:43 69632 ----a-r- c:\windows\ALCMTR.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]

2012-11-28 20:13 59280 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2007-10-15 02:17 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2012-12-12 19:57 152544 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

2008-05-16 19:01 13529088 ----a-w- c:\windows\system32\nvcpl.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

2008-05-16 19:01 86016 ----a-w- c:\windows\system32\nvmctray.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

2008-05-16 19:01 1630208 ----a-w- c:\windows\system32\nwiz.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

2008-02-13 06:31 16857600 ----a-r- c:\windows\RTHDCPL.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

2011-12-26 21:52 1242448 ----a-w- c:\program files\Steam\steam.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2012-07-03 15:04 252848 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ToolBoxFX]

2008-08-01 14:47 53248 ----a-w- c:\program files\HP\ToolboxFX\bin\HPTLBXFX.exe

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

"c:\\Program Files\\HP\\HP Color LaserJet CM1312 MFP Series\\hppfaxnc2.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\Steam\\SteamApps\\common\\call of duty modern warfare 3\\iw5mp_server.exe"=

"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=

"c:\\Program Files\\Steam\\SteamApps\\common\\call of duty modern warfare 3\\iw5sp.exe"=

"c:\\Program Files\\Steam\\SteamApps\\common\\call of duty modern warfare 3\\iw5mp.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=

"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=

"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=

"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [4/19/2012 3:50 AM 24896]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 2:48 AM 31952]

R0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [12/21/2012 1:44 PM 13560]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [9/7/2010 2:48 AM 237408]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [9/7/2010 2:49 AM 301920]

R2 Ad-Aware Service;Ad-Aware Service;c:\program files\Ad-Aware Antivirus\AdAwareService.exe [12/14/2012 8:38 PM 1236968]

R2 AfaService;Afa Card Reader Service;c:\windows\system32\afasrv32.exe [7/19/2011 7:43 PM 65536]

R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\avgidsagent.exe [8/13/2012 2:24 AM 5167736]

R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [2/14/2012 3:53 AM 193288]

R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/25/2011 5:53 PM 13672]

R2 SBAMSvc;Ad-Aware;c:\program files\Ad-Aware Antivirus\SBAMSvc.exe [9/20/2012 5:39 AM 3677000]

R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [1/1/2013 10:02 AM 1103392]

R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [1/1/2013 10:02 AM 1369624]

R2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [10/8/2012 7:21 PM 766400]

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [1/22/2012 10:43 PM 92592]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [12/23/2011 12:32 PM 139856]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [12/23/2011 12:32 PM 24144]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [12/23/2011 12:32 PM 17232]

R3 HPFXFAX;HPFXFAX;c:\windows\system32\drivers\hpfxfax.sys [9/8/2010 5:24 PM 20504]

R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [11/21/2009 5:56 PM 27632]

S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [1/1/2013 10:02 AM 168384]

S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [7/13/2012 12:28 PM 160944]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service; [x]

S3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [5/6/2011 4:57 PM 13904]

S3 EsgScanner;EsgScanner;c:\windows\system32\drivers\EsgScanner.sys [6/22/2012 12:01 PM 19984]

S3 getPlus® Installer;getPlus® Installer; [x]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [1/3/2013 8:56 AM 40776]

S3 se3ebus;Sony Ericsson Device 062 (WDM);c:\windows\system32\drivers\se3ebus.sys [4/10/2007 1:14 PM 83080]

S3 se3emdfl;Sony Ericsson Device 062 USB WMC Modem Filter;c:\windows\system32\drivers\se3emdfl.sys [11/21/2009 5:56 PM 15112]

S3 se3emdm;Sony Ericsson Device 062 USB WMC Modem Driver;c:\windows\system32\drivers\se3emdm.sys [11/21/2009 5:56 PM 108552]

S3 se3emgmt;Sony Ericsson Device 062 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\se3emgmt.sys [11/21/2009 5:56 PM 100360]

S3 se3eobex;Sony Ericsson Device 062 USB WMC OBEX Interface;c:\windows\system32\drivers\se3eobex.sys [11/21/2009 5:56 PM 98568]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 3:06 PM 11520]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

.

Contents of the 'Scheduled Tasks' folder

.

2012-12-29 c:\windows\Tasks\1-Click Maintenance.job

- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-08-03 01:35]

.

2012-12-30 c:\windows\Tasks\Ad-Aware Antivirus Scheduled Scan.job

- c:\progra~1\AD-AWA~1\AdAwareLauncher.exe [2012-12-15 02:38]

.

2013-01-03 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 08:34]

.

2012-12-27 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]

.

2013-01-03 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job

- c:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2013-01-01 20:08]

.

2013-01-02 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-06 02:49]

.

2013-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-23 17:27]

.

2013-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-23 17:27]

.

2013-01-03 c:\windows\Tasks\rbmonitor.job

- c:\program files\Uniblue\RegistryBooster\rbmonitor.exe [2012-04-11 14:32]

.

2013-01-02 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job

- c:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2013-01-01 20:07]

.

2013-01-01 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job

- c:\program files\Spybot - Search & Destroy 2\SDScan.exe [2013-01-01 20:07]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.cnn.com/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = 127.0.0.1;*.local

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105

Trusted Zone: intuit.com\ttlc

Trusted Zone: turbotax.com

TCP: DhcpNameServer = 68.94.156.1 68.94.157.1

DPF: Microsoft XML Parser for Java

DPF: {F6A553B1-4B5F-4974-866F-98C1D1EBD3DE} - hxxps://usportal.amdocs.com/prx/000/http/wwwstl2/tc/CPubAppsTCS.cab

.

- - - - ORPHANS REMOVED - - - -

.

BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

HKLM-Run-HPPQVideo - c:\program files\HP\ScheduledLaunch\HP Color LaserJet CM1312 MFP Series\bin\hppschlnch.exe -r SOFTWARE\Hewlett-Packard\ScheduledLaunch\CLJ_CM1312_MFP_Series -f PQOptimizerVideo.xml

Notify-SDWinLogon - SDWinLogon.dll

AddRemove-BasicSeek - c:\program files\BasicSeek\uninstall.exe

AddRemove-YourFileDownloader - c:\program files\YourFileDownloader\uninstall.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2013-01-03 13:08

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(3540)

c:\windows\system32\WININET.dll

c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.dll

c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf

c:\progra~1\MICROS~2\Office14\1033\GrooveIntlResource.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

c:\program files\Java\jre7\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\PnkBstrA.exe

c:\program files\AVG\AVG2012\avgnsx.exe

c:\program files\AVG\AVG2012\avgrsx.exe

c:\program files\AVG\AVG2012\avgcsrvx.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2013-01-03 13:14:04 - machine was rebooted

ComboFix-quarantined-files.txt 2013-01-03 19:13

.

Pre-Run: 316,489,334,784 bytes free

Post-Run: 316,943,351,808 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

[spybotsd]

timeout.old=30

.

- - End Of File - - 9E4234813DA6086B25FB3B4215E42C31

When I double-click on an item in the quick launch bar nothing happens; I have to right-click and then Open. Also, the quick launch bar has to be opened every time I reboot. I didn't try to install Malwarebytes yet.


  • Staff

Greetings

I would like you to give me a rundown on what the problem with the computer is - you were a little sparse in your opening post.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

 Folder::
c:\documents and settings\Owner\Application Data\DriverCure

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe.

(image: CFScriptB-4.gif)

This will let ComboFix run again.

Restart if you have to.

Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion," please restart the computer.

"information and logs"

  • In your next post I need the following
  1. report from Combofix
  2. let me know of any problems you may have had
  3. How is the computer doing now after running the script?

Gringo


The problem started when I rebooted and the quick launch bar was missing. I was able to add it back, but every time I reboot I have to manually add it. Now the programs will not launch via double-clicking on them; I have to right-click then OPEN to get mail or the web browser to work. So I tried to download Malwarebytes and couldn't install it. I was getting Run Time error 372 ieframe.dll outdated. I would get that message a few times, each time when trying to create a shortcut. Now I notice that the icons on my desktop can't move. So I cannot drag and drop the text file on ComboFix. I checked the arrange icons properties and they are not locked.


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.