
Ukash Virus/Ransomware ICE. can't access desktop from login



The ComboFix results:

 

ComboFix 13-08-12.01 - USER 13/08/2013   4:01.2.2 - x86
Running from: c:\users\USER\Desktop\ComboFix.exe
Command switches used :: c:\users\USER\Desktop\CFScript.txt
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Ad-Aware Antivirus
c:\program files\Ad-Aware Antivirus\AdAwareShellExtension.dll
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_AD-AWARE_SERVICE
-------\Service_Ad-Aware Service
-------\Legacy_SBAMSvc
-------\Service_SBAMSvc
.
.
(((((((((((((((((((((((((   Files Created from 2013-07-13 to 2013-08-13  )))))))))))))))))))))))))))))))
.
.
2013-08-13 08:13 . 2013-08-13 08:19 -------- d-----w- c:\users\USER\AppData\Local\temp
2013-08-13 08:13 . 2013-08-13 08:13 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-08-13 06:05 . 2013-08-13 06:05 -------- d-----w- c:\users\USER\AppData\Local\LiveGBoost
2013-08-13 06:03 . 2013-08-13 06:03 -------- d-----w- c:\program files\GBoost
2013-08-10 01:00 . 2013-08-10 01:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-08-10 01:00 . 2013-04-04 18:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-08-10 00:37 . 2013-08-10 00:37 -------- d-----w- c:\windows\ERUNT
2013-08-06 15:47 . 2013-08-06 16:39 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-08-04 22:53 . 2013-08-04 22:53 -------- d-----w- C:\FRST
2013-08-04 21:09 . 2013-08-04 21:09 30464 ----a-w- c:\windows\system32\drivers\hitmanpro37.sys
2013-08-04 21:00 . 2013-07-02 06:54 7143960 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D809C267-3463-46F2-8761-D3076B9BB5C1}\mpengine.dll
2013-08-04 20:40 . 2013-08-04 21:07 -------- d-----w- c:\programdata\HitmanPro
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-11 22:57 . 2012-11-08 00:09 139152 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2013-08-11 22:57 . 2012-11-23 15:19 111928 ----a-w- c:\windows\system32\PnkBstrB.exe
2013-06-03 09:20 . 2012-10-12 03:14 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-03 09:20 . 2011-09-07 02:03 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-17 03:06 . 2011-12-31 20:35 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-07-12 08:28 . 2012-07-12 08:28 2174976 ----a-w- c:\program files\Common Files\atimpenc.dll
2012-01-29 15:55 . 2012-02-05 05:05 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2009-12-06 09:18 26624 --sh--w- c:\windows\bfcs2.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\USER\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\USER\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTAgent.exe" [2012-02-02 3034432]
"LogMeIn Cubby"="c:\users\USER\AppData\Roaming\cubby\cubby.exe" [2013-05-07 4898584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-28 857648]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-29 36864]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-28 405504]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-16 13793824]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2009-06-16 92704]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
backup=c:\windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2008-03-10 16:20 689488 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
2012-02-02 10:01 3034432 ----a-w- c:\program files\DAEMON Tools Pro\DTAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 14:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2007-05-25 06:03 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2012-07-24 06:38 639352 ----a-w- c:\program files\uTorrent\uTorrent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
.
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-09-28 73728]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ    FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-01 c:\windows\Tasks\User_Feed_Synchronization-{D7DE5C91-EEFD-471C-8B73-D84EE071E769}.job
- c:\windows\system32\msfeedssync.exe [2012-10-31 08:30]
.
.
------- Supplementary Scan -------
.


uInternet Settings,ProxyOverride = *.local
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\USER\AppData\Roaming\Mozilla\Firefox\Profiles\5r7mo9rl.default\


FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2013-08-07 13:42; ffxtlbr@babylon.com; c:\users\USER\AppData\Roaming\Mozilla\Firefox\Profiles\5r7mo9rl.default\extensions\ffxtlbr@babylon.com
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-SBAMSvc
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\QTTask.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-08-13 04:21
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\NCO]
"ImagePath"="\"c:\program files\Norton Identity Safe\Engine\2013.1.0.32\ccSvcHst.exe\" /s \"NCO\" /m \"c:\program files\Norton Identity Safe\Engine\2013.1.0.32\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1086904657-4067796721-2086557799-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*-Nñ‚W[u^]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-1086904657-4067796721-2086557799-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*-Nñ‚W[u^\OpenWithList]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-1086904657-4067796721-2086557799-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*-Nñ‚W[u^áÿ#WÎW]N2m¢[]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-1086904657-4067796721-2086557799-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*-Nñ‚W[u^áÿ#WÎW]N2m¢[\OpenWithList]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-1086904657-4067796721-2086557799-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*ýVñ‚ÌSí‹áÿ#WÎW]N2m¢[]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-1086904657-4067796721-2086557799-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*ýVñ‚ÌSí‹áÿ#WÎW]N2m¢[\OpenWithList]
@Class="Shell"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(716)
c:\users\USER\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe
c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe
c:\windows\system32\NLSSRV32.EXE
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\STacSV.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
c:\windows\system32\conime.exe
.
**************************************************************************
.
Completion time: 2013-08-13  04:29:22 - machine was rebooted
ComboFix-quarantined-files.txt  2013-08-13 08:28
ComboFix2.txt  2013-08-09 19:27
.
Pre-Run: 2,627,899,392 bytes free
Post-Run: 4,371,759,104 bytes free
.
- - End Of File - - C97D70532DE9CEE7811FF7C7D45C8C5C
5C616939100B85E558DA92B899A0FC36
 


Ahhh, it's still there doing the same thing. Always after I right-click a file it says "Windows installer, preparing installation..." and then it skips to that Ad-Aware message. But if I close the window and just right-click again, it's fine.

All of your help over the last week has done a great deal in improving my computer's operations. So I thank you very much! ...Are there any programs (spyware, malware, anti-virus, etc.) that you would recommend for quality monitoring and solid computer security to prevent future infections...? Programs that hopefully don't really drain too much CPU and RAM memory in order to operate in the background....


Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:

List last 10 Event Viewer log

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

MrC


Hello my friend!
Here is the "Result.txt":

 

MiniToolBox by Farbar  Version: 13-07-2013
Ran by USER (administrator) on 15-08-2013 at 19:55:42
Running from "C:\Users\USER\Desktop"
Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86)
Boot Mode: Normal
***************************************************************************

========================= Event log errors: ===============================

Application errors:
==================
Error: (08/15/2013 07:33:36 PM) (Source: Application Hang) (User: )
Description: The program iexplore.exe version 8.0.6001.19328 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel.
Process ID: f00
Start Time: 01ce9959b2b0f3b6
Termination Time: 0

Error: (08/15/2013 05:49:29 PM) (Source: System Restore) (User: )
Description: The scheduled restore point could not be created.  Additional information: (0x8004230f).

Error: (08/15/2013 05:49:29 PM) (Source: System Restore) (User: )
Description: Failed to create restore point on volume (Process = C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation; Descripton = Scheduled Checkpoint; Hr = 0x8004230f).

Error: (08/15/2013 05:49:29 PM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Error creating the Shadow Copy Provider COM class with CLSID {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a} [0x80070422].

Operation:
   Obtain a callable interface for this provider
   List interfaces for all providers supporting this context
   Delete Shadow Copies

Context:
   Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
   Class ID: {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a}
   Snapshot Context: 0
   Snapshot Context: 0
   Execution Context: Coordinator

Error: (08/15/2013 05:49:29 PM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error:  The Microsoft Software Shadow Copy Provider (SWPRV) service is
disabled.  Please enable the service and try again.

Operation:
   Obtain a callable interface for this provider
   List interfaces for all providers supporting this context
   Delete Shadow Copies

Context:
   Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
   Class ID: {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a}
   Snapshot Context: 0
   Snapshot Context: 0
   Execution Context: Coordinator

Error: (08/15/2013 05:49:29 PM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Error creating the Shadow Copy Provider COM class with CLSID {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a} [0x80070422].

Operation:
   Obtain a callable interface for this provider
   List interfaces for all providers supporting this context
   Query Shadow Copies
   Delete Shadow Copies

Context:
   Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
   Class ID: {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a}
   Snapshot Context: 0
   Snapshot Context: 0
   Execution Context: Coordinator
   Execution Context: Coordinator

Error: (08/15/2013 05:49:29 PM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error:  The Microsoft Software Shadow Copy Provider (SWPRV) service is
disabled.  Please enable the service and try again.

Operation:
   Obtain a callable interface for this provider
   List interfaces for all providers supporting this context
   Query Shadow Copies
   Delete Shadow Copies

Context:
   Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
   Class ID: {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a}
   Snapshot Context: 0
   Snapshot Context: 0
   Execution Context: Coordinator
   Execution Context: Coordinator

Error: (08/15/2013 05:49:29 PM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Error creating the Shadow Copy Provider COM class with CLSID {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a} [0x80070422].

Operation:
   Obtain a callable interface for this provider
   Check If Volume Is Supported by Provider
   Add a Volume to a Shadow Copy Set

Context:
   Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
   Class ID: {00000000-0000-0000-0000-000000000000}
   Snapshot Context: 4194317
   Execution Context: Coordinator
   Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
   Volume Name: \\?\Volume{2adb161a-9be1-11dc-a48c-806e6f6e6963}\
   Execution Context: Coordinator

Error: (08/15/2013 05:49:29 PM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error:  The Microsoft Software Shadow Copy Provider (SWPRV) service is
disabled.  Please enable the service and try again.

Operation:
   Obtain a callable interface for this provider
   Check If Volume Is Supported by Provider
   Add a Volume to a Shadow Copy Set

Context:
   Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
   Class ID: {00000000-0000-0000-0000-000000000000}
   Snapshot Context: 4194317
   Execution Context: Coordinator
   Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
   Volume Name: \\?\Volume{2adb161a-9be1-11dc-a48c-806e6f6e6963}\
   Execution Context: Coordinator

Error: (08/15/2013 05:49:03 PM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Error creating the Shadow Copy Provider COM class with CLSID {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a} [0x80070422].

Operation:
   Obtain a callable interface for this provider
   List interfaces for all providers supporting this context
   Query Shadow Copies

Context:
   Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
   Class ID: {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a}
   Snapshot Context: 13
   Snapshot Context: 13
   Execution Context: Coordinator

System errors:
=============
Error: (08/15/2013 02:26:37 PM) (Source: PlugPlayManager) (User: )
Description: The device 'Optiarc DVD+-RW AD-5560A ATA Device' (IDE\CdRomOptiarc_DVD+-RW_AD-5560A________________DD11____\5&14f32b41&0&0.0.0) disappeared from the system without first being prepared for removal.

Error: (08/15/2013 02:26:03 PM) (Source: Service Control Manager) (User: )
Description: 30000ShellHWDetection

Error: (08/13/2013 04:40:54 AM) (Source: Service Control Manager) (User: )
Description: Lbd
SABKUTIL

Error: (08/13/2013 04:40:54 AM) (Source: Service Control Manager) (User: )
Description: Trend Micro Personal Firewalltmcfw

Error: (08/13/2013 04:40:54 AM) (Source: Service Control Manager) (User: )
Description: Norton Identity Safe4294967295 (0xFFFFFFFF)

Error: (08/13/2013 04:19:20 AM) (Source: Service Control Manager) (User: )
Description: Lbd
SABKUTIL

Error: (08/13/2013 04:19:20 AM) (Source: Service Control Manager) (User: )
Description: Trend Micro Personal Firewalltmcfw

Error: (08/13/2013 04:19:20 AM) (Source: Service Control Manager) (User: )
Description: Norton Identity Safe4294967295 (0xFFFFFFFF)

Error: (08/13/2013 04:14:06 AM) (Source: Service Control Manager) (User: )
Description: PEVSystemStart

Error: (08/13/2013 04:13:39 AM) (Source: Service Control Manager) (User: )
Description: PEVSystemStart

Microsoft Office Sessions:
=========================
Error: (02/06/2011 03:52:20 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 9 seconds with 0 seconds of active time.  This session ended with a crash.

CodeIntegrity Errors:
===================================
  Date: 2013-08-13 04:05:44.694
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\sbhips.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-08-13 04:05:44.491
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\sbhips.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-08-13 04:05:44.289
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\sbhips.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-08-13 04:05:44.055
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\sbhips.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-08-13 04:05:43.727
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\SbFw.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-08-13 04:05:43.493
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\SbFw.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-08-13 04:05:43.275
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\SbFw.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-08-13 04:05:43.072
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\SbFw.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-08-13 04:05:42.682
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\sbapifs.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-08-13 04:05:42.089
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\sbapifs.sys because the set of per-page image hashes could not be found on the system.

**** End of log ****


Great, I'll give you info on keeping the system secure when we're done:

Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get "Unsupported operating system. Aborting now", just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!
MrC

The SecurityCheck results (checkup.txt):

 

 Results of screen317's Security Check version 0.99.72 
 Windows Vista Service Pack 2 x86 (UAC is enabled) 
 Internet Explorer 8 Out of date!
 Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300 
 Java 7 Update 25 
 Java SE Runtime Environment 6
 Adobe Reader 8 Adobe Reader out of Date!
 Mozilla Firefox 10.0 Firefox out of Date! 
````````Process Check: objlist.exe by Laurent```````` 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 17 % Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
 


Outdated programs on the system are vulnerable to malware.
Please update or uninstall them:


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Java 7 Update 25 <----OK

Java™ SE Runtime Environment 6 <----please uninstall from your add/remove programs

---------------------------------

Adobe Reader 8 Adobe Reader out of Date! <---please check for an update if available or uninstall and download and install Foxit Reader which is less vulnerable to malware and much better than Adobe. Don't install any toolbars that may come with it (ASK Toolbar).

------------------------------

Mozilla Firefox 10.0 Firefox out of Date! <----check for an update if available

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.
This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)

---------------------------------

If you used FRST:
Download the fixlist.txt to the same folder as FRST.
Run FRST and click Fix only once and wait
That will delete the quarantine folder created by FRST.

-----------------------------

If you used DeFogger to disable your CD Emulation drivers, please re-enable them.

-------------------------------

Please download OTC to your desktop.
http://oldtimer.geekstogo.com/OTC.exe

Double-click OTC to run it. (Vista and up users, please right click on OTC and select "Run as an Administrator")
Click on the CleanUp! button and follow the prompts.
(If you get a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow the connection.)
You will be asked to reboot the machine to finish the Cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.

Any other programs or logs you can manually delete.
i.e. RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, MBAR, etc....AdwCleaner > just run the program and click uninstall.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC
