
Not sure which infection this is? Java Exploit maybe..?



Really not sure what this is. Various infections have been found and cleaned, but the strange behavior continues. So far, OpenCandy, a Java exploit and the Ibryte PUP have been removed, but the PC still acts like it's hijacked.

Svchost is using 90-100 of CPU, and the desktop screen flashes, changes color, and the task bar splits in two. MBAM, TDSSKiller and AdwCleaner are a few of the many scans already run. Your help is kindly appreciated! Thanks!

(winXP, 32 bit, hp desktop w/dsl wireless)


Hello,

P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Next,

Download Zoek.zip from here http://www.hijackthis.nl/smeenk/220813/zoek.zip and save that zip file to your Desktop.

Double click the zip file and extract it to your Desktop:

(screenshot: Zoekd.jpg)

You will now have 3 versions of the tool on the Desktop:

(screenshot: Zoeke.jpg)

Before running Zoek make sure all browsers are closed and security is turned OFF. Check at the following link: http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html

Double click on each in turn until one version of Zoek runs (accept UAC). The following window will open:

(screenshot: Zoekb.jpg)

Copy the following script from the code box and paste it into the field:

standardsearch;autoclean;

Select the "Run Script" tab. The following window will open:

(screenshot: Zoekc.jpg)

Please be patient and do not use the PC while the scan is in progress.

When complete you may be asked to re-boot your PC; if so, please do.

(screenshot: Zoekf.jpg)

Post the produced log in your next reply.


Thank you very much for your time and for trying to help me. I am not aware of any P2P software running on my PC. Also, a couple of scanners have been renamed, such as "iexplore3.exe" etc., during previous attempts to remove the virus. I had to run this in Safe Mode as the machine was super slow in regular mode. I hope that was okay. Thanks again!

 

Zoek.exe Version 4.0.0.5 Updated 22-October-2013

Tool run by Administrator on Tue 10/22/2013 at 20:59:37.75.
Microsoft Windows XP 5.1.2600 Service Pack 3 x86 WMI=failure
Running in: Safe Mode NETWORK No Internet Access Detected
Launched: C:\Documents and Settings\Administrator\Desktop\zoek\zoek.com [script inserted]

==== System Restore Info ======================

Failed to create System Restore Point.

==== Suspicious Entries Found ======================

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005"
"137:UDP"="137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001"
"138:UDP"="138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002"
"3389:TCP"="3389:TCP:*:Disabled:@xpsp2res.dll,-22009"
"1900:UDP"="1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007"
"2869:TCP"="2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008"

==== Creating Sample_20131022_0908.zip ======================
 
Copied folder C:\Documents and Settings\All Users\Application Data\AVAST Software to sample\AVAST Software

C:\Documents and Settings\All Users\Desktop\sample_20131022_0908.zip created successfully

==== Deleting CLSID Registry Keys ======================


==== Deleting CLSID Registry Values ======================


==== Running Processes ======================

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService

==== Deleting Services ======================


==== FireFox Fix ======================

ProfilePath: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9ww7oghu.default-1379006515921

user.js not found
---- Lines Customized removed from prefs.js ----


---- Lines Customized modified from prefs.js ----


---- FireFox user.js and prefs.js backups ----

prefs_20131022_0908_.backup

ProfilePath: C:\Documents and Settings\RICH\Application Data\Mozilla\Firefox\Profiles\ud60wonb.default

user.js not found
---- Lines Customized removed from prefs.js ----

user_pref("extensions.testpilot.alreadyCustomizedToolbar", true);

---- Lines Customized modified from prefs.js ----


---- FireFox user.js and prefs.js backups ----

prefs_20131022_0908_.backup

==== Deleting Files \ Folders ======================

C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable) deleted
C:\Program Files\GUT13.tmp deleted
C:\Program Files\GUM12.tmp deleted
"C:\Documents and Settings\Administrator\Application Data\Sun" deleted

==== System Specs ======================

Operating System: Microsoft Windows XP Home Edition 5.1.2600 Service Pack 3
Manufacturer: Compaq Presario 061 - Model: PX796AA-ABA SR1517CL NA530
Install Date: 4/19/2013 5:12:06 PM
Last Boot: 10/22/2013 8:43:49 PM
Processor: AMD Sempron Processor 3000+
Number of Processors: 1
Work Station
Bootmode: Fail-safe with network boot
Total RAM: 639 MB ( - 0)
Computername: RICH-BIZ
Domain: MSHOME
User: Administrator (Administrator account)
Local Disk:        C:\ - NTFS - 99 GB (free 89 GB)
Removable Disk:    E:\ -  -  GB (free  GB)
Removable Disk:    F:\ -  -  GB (free  GB)
Removable Disk:    G:\ -  -  GB (free  GB)
Removable Disk:    H:\ -  -  GB (free  GB)
CD \ DVD Drive:    I:\
Local Disk:        J:\ - NTFS - 49 GB (free 48 GB)
Bootdevice: \Device\HarddiskVolume1
Windows update:
Country: United States
Language: ENU

==== System Specs (Software) ======================

Anti-Virus: Microsoft Security Essentials On-access scanning disabled (Updated)
Internet Explorer version: 8.0.6001.18702
Mozilla Firefox version: 24.0 (x86 en-US)

==== Files Recently Created / Modified ======================

====== C:\WINDOWS ====
====== C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp ====
2013-10-20 18:50:34    2E0323A94915FAAB10A25F3BABF82584    157696    ----a-w-    C:\Documents and Settings\Administrator\Local Settings\Temp\jrt\erunt\ERUNT.EXE
====== Java Cache =====
====== C:\WINDOWS\system32 =====
2013-10-16 20:41:06    D496480A00ABDE0655C0FDCE9530B43E    216064    ----a-w-    C:\WINDOWS\System32\gcapi_dll.dll
====== C:\WINDOWS\system32\drivers =====
2013-10-19 07:33:21    CE77439BAF613019D6B7658292D1E4A6    30976    ----a-w-    C:\WINDOWS\System32\drivers\hitmanpro37.sys
2013-10-19 06:54:19    5C47D60938E77822A2C8D25102C63CE2    105176    ----a-w-    C:\WINDOWS\System32\drivers\MBAMSwissArmy.sys
2013-10-04 04:13:08    805C6F337968C7271F0421D0A386C8EE    47064    ----a-w-    C:\WINDOWS\System32\drivers\mbamchameleon.sys
====== C:\WINDOWS\Tasks ======
2013-10-04 05:37:12    CBCF58977265A7C390376B49B398FC2B    384    ---ha-w-    C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job
====== C:\WINDOWS\Temp ======
======= C:\Program Files =====
2013-10-01 23:32:15    1207928    ----a-w-    C:\Program Files\rc-installer.exe
======= C: =====
====== C:\Documents and Settings\Administrator\Application Data ======
2013-10-18 15:16:34    --------    d-----r-    C:\Documents and Settings\RICH\Start Menu\Programs\Administrative Tools
2013-09-23 17:26:24    --------    d-----w-    C:\Documents and Settings\RICH\Application Data\Motive
====== C:\Documents and Settings\Administrator ======
2013-10-19 22:12:27    2E2000AB851DB75EA8E27E3A621B61FC    180000    ----a-w-    C:\Documents and Settings\RICH\desktop\google.exe5.exe
2013-10-19 21:13:41    2E2000AB851DB75EA8E27E3A621B61FC    180000    ----a-w-    C:\Documents and Settings\Administrator\desktop\google.exe5.exe
2013-10-19 19:14:12    7DC87AC83F18ECDCF80886274B60EB0B    3053416    ------w-    C:\Documents and Settings\Administrator\desktop\NPE.exe
2013-10-19 13:29:02    --------    d-sh--w-    C:\Documents and Settings\NetworkService\Cookies
2013-10-19 05:53:16    --------    d-sh--w-    C:\Documents and Settings\LocalService\Cookies
2013-10-17 17:59:54    2084AC9305E20BE7141DAC46902C5427    1050644    ----a-w-    C:\Documents and Settings\Administrator\desktop\adwcleaner.exe

====== C: exe-files ==
2013-10-20 18:50:34    2E0323A94915FAAB10A25F3BABF82584    157696    ----a-w-    C:\Documents and Settings\Administrator\Local Settings\temp\jrt\erunt\ERUNT.EXE
2013-10-19 22:12:27    2E2000AB851DB75EA8E27E3A621B61FC    180000    ----a-w-    C:\Documents and Settings\RICH\desktop\google.exe5.exe
2013-10-19 21:23:32    EFDE3843DDE0D1D30161FF27A17D135C    4121952    ----a-w-    C:\Documents and Settings\Administrator\desktop\KasperskyTDSSKillerPortable\App\TDSSKiller\tdsskiller.exe
2013-10-19 21:13:41    2E2000AB851DB75EA8E27E3A621B61FC    180000    ----a-w-    C:\Documents and Settings\Administrator\desktop\google.exe5.exe
2013-10-19 20:33:22    BB3CB855C5939C6391842EE73F600B9A    1033335    ----a-w-    C:\Documents and Settings\Administrator\desktop\ZJRT2\googleplay.exe
2013-10-19 19:14:12    7DC87AC83F18ECDCF80886274B60EB0B    3053416    ------w-    C:\Documents and Settings\Administrator\desktop\NPE.exe
2013-10-19 07:20:17    D41D8CD98F00B204E9800998ECF8427E    0    ----a-w-    C:\Documents and Settings\Administrator\desktop\mbar\HitmanPro.exe
2013-10-19 06:53:10    4503803B9BEF66A375A44029E8BC6725    12576792    ----a-w-    C:\Documents and Settings\Administrator\desktop\mbar\iexplore3.exe
2013-10-19 05:47:52    60CEFABAC2C573B266B567534CE7567E    1178424    ----a-w-    C:\Documents and Settings\RICH\desktop\mbar\Iexplore3.exe
2013-10-17 17:59:54    2084AC9305E20BE7141DAC46902C5427    1050644    ----a-w-    C:\Documents and Settings\Administrator\desktop\adwcleaner.exe
2013-10-17 16:15:48    602C842C9B9063DB76B09E1F8FFE25EA    1678013    ----a-w-    C:\Documents and Settings\Administrator\desktop\mbar\pc-decrapifier-2.3.1.exe
2013-10-16 20:41:06    C17DA0BE97FC9F3C05FDE7BF3C5618D1    96216    ----a-w-    C:\Program Files\Foxit Software\Foxit Reader\Shell Extensions\FoxitPrevhost.exe
2013-10-16 20:41:04    8D233BE097AE8993231B4AF89C0FC43B    7682112    ----a-w-    C:\Program Files\Foxit Software\Foxit Reader\Foxit Updater.exe
2013-10-16 20:41:01    BA628CB4B2EFE4FDFB327EC84AE4A51C    33846336    ----a-w-    C:\Program Files\Foxit Software\Foxit Reader\Foxit Reader.exe
2013-10-16 20:41:00    EC25836B753F4033C280E65CBA387E2B    60480    ----a-w-    C:\Program Files\Foxit Software\Foxit Reader\plugins\Creator\FXC_ProxyProcess.exe
2013-10-16 20:41:00    8991085E81E66C4204CE8ADAE52631AA    759872    ----a-w-    C:\Program Files\Foxit Software\Foxit Reader\UninstallPrint.exe
2013-10-16 20:40:57    D4945107DF8F56CC4DC858C0694C13E2    26688    ----a-w-    C:\Program Files\Foxit Software\Foxit Reader\Checkupdate\Checkupdate.exe
2013-10-16 13:55:55    BB3CB855C5939C6391842EE73F600B9A    1033335    ----a-w-    C:\Documents and Settings\RICH\desktop\mbar\iexplore.exe
=== C: other files ==
2013-10-23 01:08:08    57D04532D2F29BF8B1F977A7CB94AA24    664    ----a-w-    C:\Documents and Settings\All Users\Desktop\sample_20131022_0908.zip
2013-10-23 00:59:50    0BE568FD1E7D6C6D64D2272649F5C716    111    ----a-w-    C:\Documents and Settings\Administrator\Local Settings\temp\scripttest.vbs
2013-10-20 18:50:34    FC4F97736048914DC32849E3AE23B70D    16063    ----a-w-    C:\Documents and Settings\Administrator\Local Settings\temp\jrt\get.bat
2013-10-20 18:50:34    F8AB3BC726E938E05E57039DCE160BC2    16848    ----a-w-    C:\Documents and Settings\Administrator\Local Settings\temp\jrt\chrome.bat
2013-10-20 18:50:34    CC6C23C02BE66014AD87F2678BBB3A1D    8117    ----a-w-    C:\Documents and Settings\Administrator\Local Settings\temp\jrt\modules.bat
2013-10-20 18:50:34    BCC12F911E90790A4A83A60DD5878A9B    148311    ----a-w-    C:\Documents and Settings\Administrator\Local Settings\temp\jrt\misc.bat
2013-10-20 18:50:34    BAD6C67C870CC81C48DBA53089929884    153331    ----a-w-    C:\Documents and Settings\Administrator\Local Settings\temp\jrt\firefox.bat
2013-10-20 18:50:34    B964B792D3692699CD7D4FDB63EE470E    1239    ----a-w-    C:\Documents and Settings\Administrator\Local Settings\temp\jrt\FWPolicy.bat
2013-10-20 18:50:34    B45931E5313CB14CAA0F2BC3DA30E6FC    29648    ----a-w-    C:\Documents and Settings\Administrator\Local Settings\temp\jrt\ask.bat
2013-10-20 18:50:34    80D02380F1AC33E459324B088392A1EC    732    ----a-w-    C:\Documents and Settings\Administrator\Local Settings\temp\jrt\ev_clear.bat
2013-10-20 18:50:34    75C9C20DD9839BF287B43B0E179822DC    31414    ----a-w-    C:\Documents and Settings\Administrator\Local Settings\temp\jrt\iexplore.bat
2013-10-20 18:50:34    654E9FE74B930A454EE5BDE165794B65    85    ----a-w-    C:\Documents and Settings\Administrator\Local Settings\temp\jrt\delorphans.bat
2013-10-20 18:50:34    58605DA3492FB918D3D40B1FB88046AE    39471    ----a-w-    C:\Documents and Settings\Administrator\Local Settings\temp\jrt\prelim.bat
2013-10-20 18:50:34    372EA6F783198102CF5779072EE78C79    24751    ----a-w-    C:\Documents and Settings\Administrator\Local Settings\temp\jrt\searchlnk.bat
2013-10-20 18:50:34    286ED57FC6A61371F719AA9C3BA654BE    10261    ----a-w-    C:\Documents and Settings\Administrator\Local Settings\temp\jrt\JRT.bat
2013-10-20 18:50:34    1FBF882AA934A741530741FC134872A3    1243    ----a-w-    C:\Documents and Settings\Administrator\Local Settings\temp\jrt\TDL4.bat
2013-10-20 18:50:34    14D6EE8B672684E2232FB430D8C4A928    18668    ----a-w-    C:\Documents and Settings\Administrator\Local Settings\temp\jrt\medfos.bat
2013-10-20 18:50:34    0D5CD85FCC11F21ABFF551FA629746CD    8713    ----a-w-    C:\Documents and Settings\Administrator\Local Settings\temp\jrt\runvalues.bat
2013-10-20 18:50:34    0768E560CCD86C18F35FAD29DCEA7B80    1820    ----a-w-    C:\Documents and Settings\Administrator\Local Settings\temp\jrt\delfolders.bat
2013-10-19 07:33:21    CE77439BAF613019D6B7658292D1E4A6    30976    ----a-w-    C:\WINDOWS\system32\drivers\hitmanpro37.sys
2013-10-19 06:54:19    5C47D60938E77822A2C8D25102C63CE2    105176    ----a-w-    C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys

==== Startup Registry Enabled ======================

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe -t"

[HKEY_USERS\S-1-5-21-1614895754-1637723038-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe -t"

[HKEY_USERS\S-1-5-21-1614895754-1637723038-839522115-500\Software\Microsoft\Windows\CurrentVersion\runonce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName"
"SiSPower"="Rundll32.exe SiSPower.dll,ModeAgent"
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe"
"itype"="c:\Program Files\Microsoft IntelliType Pro\itype.exe"
"MSC"="c:\Program Files\Microsoft Security Client\msseces.exe -hide -runkey"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]

==== Task Scheduler Jobs ======================

C:\WINDOWS\tasks\GlaryInitialize.job --a------ C:\Program Files\Glary Utilities\initialize.exe [03/29/2013 09:09 PM]
C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job --ah----- C:\Program Files\Microsoft Security Client\MpCmdRun.exe [01/27/2013 11:11 AM]

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"wrc@avast.com"="C:\Program Files\AVAST Software\Avast\WebRep\FF" []

==== Firefox Extensions ======================

ProfilePath: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9ww7oghu.default-1379006515921
- Adblock Plus - %ProfilePath%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi

ProfilePath: C:\Documents and Settings\RICH\Application Data\Mozilla\Firefox\Profiles\ud60wonb.default
- Undetermined - C:\Program Files\Mozilla Firefox\extensions\mcciwbch@motive.com
- Instrument Test - %ProfilePath%\extensions\testpilot@labs.mozilla.com.xpi

AppDir: C:\Program Files\Mozilla Firefox
- Default - %AppDir%\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
- Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

==== Firefox Plugins ======================

Profilepath: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9ww7oghu.default-1379006515921
ADC539F67D3198679F480974EE203678    - C:\WINDOWS\system32\npDeployJava1.dll -    Java Deployment Toolkit 7.0.210.11
28000D7EEB2FD95A36E1A7539F599C3B    - C:\Program Files\Windows Media Player\npdrmv2.dll -    Microsoft® DRM
5D41BCD19A3D90E4EBB58A6BFB79E4F7    - C:\Program Files\Windows Media Player\npdsplay.dll -    Windows Media Player Plug-in Dynamic Link Library
8B6884E3E1E5F8ABA5FA0C6A2B13181D    - C:\Program Files\Windows Media Player\npwmsdrm.dll -    Microsoft® DRM
68A131335A20B343923A2957EB1E413D    - C:\WINDOWS\system32\npptools.dll -    Microsoft® Windows® Operating System


==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.bleepingcomputer.com/forums/t/505084/alureon-was-found-but-keeps-coming-back-is-there-any-hope/?hl=%2Balureon#entry3141538"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
No DefaultScope Set For HKCU

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.bleepingcomputer.com/forums/t/505084/alureon-was-found-but-keeps-coming-back-is-there-any-hope/?hl=%2Balureon#entry3141538"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} @ieframe.dll,-12512  Url="http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC"
{230BE758-416D-487D-8008-70D941C4D111} Google  Url="http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}"
{6A1806CD-94D4-4689-BA73-E35EA1EA9990} Google  Url="http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}"

==== HijackThis Entries ======================

O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [Report] C:\AdwCleaner\AdwCleaner[s13].txt
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1366731346250
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe

==== Empty IE Cache ======================

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5 emptied successfully
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat will be deleted at reboot

==== Empty FireFox Cache ======================

C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\9ww7oghu.default-1379006515921\Cache emptied successfully

==== Empty Chrome Cache ======================

No Chrome User Data found

==== Empty All Flash Cache ======================

No Flash Cache Found

==== Empty All Java Cache ======================

Java Cache cleared successfully

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\WINDOWS\Temp successfully emptied
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\RECYCLER successfully emptied

==== Deleting Files / Folders ======================

"C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat" not found

==== EOF on Tue 10/22/2013 at 21:33:52.62 ======================
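The Zoek file listing above is reviewed by eye in this thread. As an added example (not code from the thread, from Zoek or from its author), the Python below parses that listing format and flags the entries a reviewer would look at first: zero-byte executables, one MD5 appearing under more than one path, and browser- or system-like executable names outside Windows or Program Files. The sample lines are copied from the log posted above; the system-directory list and the name-prefix list are my own triage heuristics, and a flag is a prompt to look closer, not a verdict.

```python
"""Triage helper for Zoek's file-listing sections (added example, not Zoek's own code)."""
import hashlib
import re
from collections import defaultdict

# One entry line in Zoek's "Files Recently Created / Modified" and "exe-files" sections:
#   <date> <time>  [<MD5>]  [<size> | --------]  <attrs>  <path>
# Directories carry no MD5 and no size; some files carry a size but no MD5.
LINE_RE = re.compile(
    r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?:(?P<md5>[0-9A-Fa-f]{32})\s+)?"
    r"(?:(?P<size>\d+|-{8})\s+)?"
    r"(?P<attrs>[-a-z]{8})\s+"
    r"(?P<path>\S.*)$"
)

# MD5 of a zero-byte file: a 0-byte .exe with this hash is an empty placeholder, not a program.
EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()

# Heuristic (assumption): where browser and system binaries are expected to live on Windows XP.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\")
# Heuristic (assumption): name prefixes worth a second look when found outside SYSTEM_DIRS
# (the poster explains that some scanners were deliberately renamed this way).
LOOKALIKE_PREFIXES = ("iexplore", "google", "explorer", "svchost")

# Sample input copied from the Zoek log posted in this thread; the header line is included
# to show that non-entry lines are skipped.
SAMPLE_LINES = r"""
====== C: exe-files ==
2013-10-19 22:12:27    2E2000AB851DB75EA8E27E3A621B61FC    180000    ----a-w-    C:\Documents and Settings\RICH\desktop\google.exe5.exe
2013-10-19 21:13:41    2E2000AB851DB75EA8E27E3A621B61FC    180000    ----a-w-    C:\Documents and Settings\Administrator\desktop\google.exe5.exe
2013-10-19 07:20:17    D41D8CD98F00B204E9800998ECF8427E    0    ----a-w-    C:\Documents and Settings\Administrator\desktop\mbar\HitmanPro.exe
2013-10-19 06:53:10    4503803B9BEF66A375A44029E8BC6725    12576792    ----a-w-    C:\Documents and Settings\Administrator\desktop\mbar\iexplore3.exe
2013-10-16 20:41:01    BA628CB4B2EFE4FDFB327EC84AE4A51C    33846336    ----a-w-    C:\Program Files\Foxit Software\Foxit Reader\Foxit Reader.exe
2013-10-01 23:32:15    1207928    ----a-w-    C:\Program Files\rc-installer.exe
2013-10-18 15:16:34    --------    d-----r-    C:\Documents and Settings\RICH\Start Menu\Programs\Administrative Tools
"""


def parse_zoek_file_lines(text):
    """Return one dict per entry line; headers, blanks and unparseable lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        e = m.groupdict()
        size = e["size"]
        e["size"] = None if size is None or size.startswith("-") else int(size)
        e["md5"] = e["md5"].upper() if e["md5"] else None
        e["is_dir"] = e["attrs"].startswith("d")
        entries.append(e)
    return entries


def triage(entries):
    """Map path -> list of reasons it deserves a closer look (empty dict if nothing stands out)."""
    findings = defaultdict(list)
    by_hash = defaultdict(list)
    for e in entries:
        if e["is_dir"]:
            continue
        path = e["path"]
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        if e["size"] == 0 or e["md5"] == EMPTY_MD5:
            findings[path].append("zero-byte executable: empty placeholder or truncated download")
        if name.endswith(".exe") and not low.startswith(SYSTEM_DIRS) \
                and name.startswith(LOOKALIKE_PREFIXES):
            findings[path].append("browser/system-like name outside Windows or Program Files")
        if e["md5"]:
            by_hash[e["md5"]].append(path)
    # The same hash under several paths is one binary copied around; review them together.
    for md5, paths in by_hash.items():
        if len(paths) > 1:
            for p in paths:
                findings[p].append("same MD5 %s as %d other file(s)" % (md5, len(paths) - 1))
    return dict(findings)


if __name__ == "__main__":
    for path, reasons in triage(parse_zoek_file_lines(SAMPLE_LINES)).items():
        print(path)
        for r in reasons:
            print("   -", r)
```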

Nothing obvious in those logs; can you attach the created sample zip file: C:\Documents and Settings\All Users\Desktop\sample_20131022_0908.zip

See if the following will run from Normal mode; if not, try from Safe Mode with Networking (NW). If you can only run in that mode, be on hand in case CF re-boots the system; if that happens, force to Safe Mode with NW again.

Delete any versions of ComboFix that you may have on your Desktop, and download a fresh copy from the following link:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

  • Ensure that ComboFix is saved directly to the Desktop (very important).
  • Disable all security programs as they will have a negative effect on ComboFix; instructions are available here http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed; if you need more help please ask.
  • Close any open browsers and any other programs you might have running.
  • Double click the ComboFix icon to run the tool (Vista or Windows 7 users: right click and select "Run as Administrator").
  • Instructions for running ComboFix are available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.
  • If you are using Windows XP it might display a pop up saying "Recovery console is not installed, do you want to install?" Please select yes and let it download the files it needs to do this. Once the Recovery Console is installed ComboFix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review.

****Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze.****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: ComboFix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you, please tell us when you reply. Read here http://thespykiller.co.uk/index.php?page=20 why disabling autoruns is recommended.

*EXTRA NOTES*

  • If ComboFix detects any rootkit/bootkit activity on your system it will give a warning and prompt for a reboot; you must allow it to do so.
  • If ComboFix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
  • If after running ComboFix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

Post the log in next reply please...

Kevin


Kevin: here is the ComboFix log. I ran it in Safe Mode; I hope that works okay? If we need to re-run it in regular mode, just let me know.

Question: can you tell me if the Zoek scan found anything or made any major changes? Thanks!

 

ComboFix 13-10-23.02 - Administrator 10/23/2013  13:19:52.3.1 - x86 NETWORK
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.639.521 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\zebranMalwarebytes' Anti-Malware\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
(((((((((((((((((((((((((   Files Created from 2013-09-23 to 2013-10-23  )))))))))))))))))))))))))))))))
.
.
2013-10-16 20:41 . 2013-06-10 01:59    216064    ----a-w-    c:\windows\system32\gcapi_dll.dll
2013-10-04 04:13 . 2013-10-22 00:04    47064    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2013-10-01 23:32 . 2013-10-01 23:31    1207928    ----a-w-    c:\program files\rc-installer.exe
2013-10-01 06:49 . 2013-10-01 06:49    --------    d-----w-    c:\program files\Microsoft Security Client
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-19 07:54 . 2013-09-19 07:40    181064    ----a-w-    c:\windows\PSEXESVC.EXE
2013-09-17 15:26 . 2013-09-17 15:26    325960    ----a-w-    c:\program files\lua5.1.dll
2013-09-04 03:02 . 2013-07-19 00:22    1966080    ----a-w-    c:\program files\Repair_Windows.exe
2013-04-19 22:40 . 2013-04-19 22:40    11091432    ----a-w-    c:\program files\MSEInstall.exe
2013-03-25 03:24 . 2013-03-25 03:24    2483904    ----a-w-    c:\program files\Procmon.exe
2011-03-08 17:54 . 2013-07-19 00:22    229376    ----a-w-    c:\program files\pcwintech_tabs.ocx
2009-03-24 19:52 . 2013-07-19 00:22    1069376    ----a-w-    c:\program files\MSCOMCTL.OCX
2009-03-24 19:52 . 2013-07-19 00:22    136008    ----a-w-    c:\program files\msinet.ocx
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"SiSPower"="SiSPower.dll" [2005-04-12 49152]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-10 1313640]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE -b -l [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"AlcxMonitor"=ALCXMNTR.EXE
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
S0 qcihrtv;qcihrtv;c:\windows\system32\drivers\yomjo.sys --> c:\windows\system32\drivers\yomjo.sys [?]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\drivers\dc3d.sys [5/15/2013 1:14 PM 45288]
S3 hitmanpro37;HitmanPro 3.7 Support Driver;c:\windows\system32\drivers\hitmanpro37.sys [10/19/2013 3:33 AM 30976]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [10/4/2013 12:13 AM 47064]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [10/19/2013 2:54 AM 105176]
S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [5/9/2013 10:12 PM 594048]
.
Contents of the 'Scheduled Tasks' folder
.
2013-10-03 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2013-04-16 01:09]
.
2013-10-23 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-01-27 15:11]
.
.
------- Supplementary Scan -------
.


Trusted Zone: $talisma_url$


FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9ww7oghu.default-1379006515921\
FF - prefs.js: browser.startup.homepage - hxxps://accounts.google.com/ServiceLogin?service=mail&passive=true&continue=http://mail.google.com/mail/x/ogb/gp/?tab%3Dwm&scc=1&ltmpl=ecobh&nui=5&btmpl=mobile&emr=1
FF - ExtSQL: 2013-09-19 16:03; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9ww7oghu.default-1379006515921\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-15799350.sys
SafeBoot-36290891.sys
SafeBoot-36329121.sys
SafeBoot-47500374.sys
SafeBoot-70404671.sys
SafeBoot-mbamchameleon
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-10-23 13:26
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1614895754-1637723038-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
@SACL=(02 0000)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9b,0a,91,87,b9,73,4a,42,8a,7f,56,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9b,0a,91,87,b9,73,4a,42,8a,7f,56,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9b,0a,91,87,b9,73,4a,42,8a,7f,56,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(172)
c:\windows\system32\WININET.dll
.
Completion time: 2013-10-23  13:28:17
ComboFix-quarantined-files.txt  2013-10-23 17:28
.
Pre-Run: 95,591,141,376 bytes free
Post-Run: 95,584,747,520 bytes free
.
- - End Of File - - 5550C8463BF20716BBCF3090353D8200
8F558EB6672622401DA993E1E865C861
 


Zoek scan was mainly diagnostic; it will also empty caches and temp folders, amend defaults in IE etc.

 

See if the following will run from Normal mode:

Upload a File to Virustotal

Go to http://www.virustotal.com/

  • Click the Choose file button
  • Navigate to the file c:\program files\rc-installer.exe or just copy/paste it in.
  • Click the Scan it tab
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Copy and paste the results back here please.


Next,

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the Codebox below into it:

    File::
    c:\windows\system32\drivers\yomjo.sys

    Driver::
    qcihrtv

    Reglock::
    [HKEY_USERS\S-1-5-21-1614895754-1637723038-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]

    Registry::
    [HKEY_USERS\S-1-5-21-1614895754-1637723038-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=

Save this as CFScript.txt, and as Type: All Files (*.*) in the same location as ComboFix.exe

CF3.jpg

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
 Next,
 
We need to run an online AV scan to ensure there are no remnants of any infection left on your system, this scan can take several hours to complete, it is very thorough and well worth running, please be patient and let it complete:
 
Run Eset Online Scanner
 
**Note** You will need to use Internet Explorer for this scan. Vista and Win 7: right-click on the IE shortcut and run as admin.
 
Go to Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.
 
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    Click Start
  • When asked, allow the add-on to be installed
    Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options
  • Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
    Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish

 

When the scan is complete

 

  • If no threats were found
  • put a checkmark in "Uninstall application on close"
  • close program
  • report to me that nothing was found

 

If threats were found

 

  • click on "list of threats found"
  • click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • put a checkmark in "Uninstall application on close"
  • click on finish

 

close program

 

copy and paste the report here

 

Thanks,

 

Kevin

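The manual triage above (spot the boot-start driver with a random service name and a binary ComboFix could not read, then write a CFScript for it) can be scripted. The following Python example is added here for illustration; it is not ComboFix's own tooling and was not part of the thread. It parses the driver lines and the LOCKED REGISTRY KEYS block copied from the ComboFix log posted earlier, scores each driver with a few heuristics, and drafts a CFScript using the same `File::`, `Driver::` and `Reglock::` directives Kevin used. The heuristics, the score threshold and the `looks_random` check are assumptions, not ComboFix rules.

```python
"""Triage ComboFix driver entries and draft a CFScript from the findings.

Added example for this thread, not ComboFix's own tooling. The driver lines
and the locked-key block in SAMPLE_LOG are copied from the log posted above;
the scoring heuristics and thresholds are assumptions.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

SAMPLE_LOG = r"""
S0 qcihrtv;qcihrtv;c:\windows\system32\drivers\yomjo.sys --> c:\windows\system32\drivers\yomjo.sys [?]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\drivers\dc3d.sys [5/15/2013 1:14 PM 45288]
S3 hitmanpro37;HitmanPro 3.7 Support Driver;c:\windows\system32\drivers\hitmanpro37.sys [10/19/2013 3:33 AM 30976]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [10/4/2013 12:13 AM 47064]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [10/19/2013 2:54 AM 105176]
S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [5/9/2013 10:12 PM 594048]
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1614895754-1637723038-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
@SACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
"""

# "S0 name;display;path [info]"  (S0 = boot start, S3 = manual start, ...)
DRIVER_LINE = re.compile(r"^(?P<start>[SR][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# path, optional "--> resolved path", then "[date time size]" or "[?]" when the file could not be read
REST = re.compile(r"^(?P<path>.+?)(?:\s+-->\s+\S.*?)?\s+\[(?P<info>[^\]]*)\]\s*$")


@dataclass
class Driver:
    start: str
    name: str
    display: str
    path: str
    info: str


def parse_drivers(log: str) -> list[Driver]:
    found = []
    for line in log.splitlines():
        m = DRIVER_LINE.match(line.strip())
        if not m:
            continue
        r = REST.match(m["rest"])
        if r:
            found.append(Driver(m["start"], m["name"], m["display"], r["path"], r["info"]))
    return found


def parse_locked_keys(log: str) -> list[str]:
    """Keys in the LOCKED REGISTRY KEYS block that carry an @Denied entry."""
    keys, current, in_block = [], None, False
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("-----"):
            in_block = "LOCKED REGISTRY KEYS" in line
            continue
        if not in_block:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line
        elif line.startswith("@Denied") and current and current not in keys:
            keys.append(current)
    return keys


def looks_random(name: str) -> bool:
    """Assumed heuristic: short, all-lowercase, almost vowel-free service names."""
    if not (5 <= len(name) <= 10 and name.isalpha() and name.islower()):
        return False
    return sum(c in "aeiou" for c in name) / len(name) < 0.3


def triage(drivers: list[Driver], threshold: int = 2) -> list[tuple[Driver, list[str]]]:
    """Flag drivers that collect at least `threshold` independent warning signs."""
    flagged = []
    for d in drivers:
        reasons = []
        if d.start == "S0":
            reasons.append("boot-start driver (loads before most security tools)")
        if d.info == "?":
            reasons.append("binary could not be read ([?]): missing or hidden")
        stem = PureWindowsPath(d.path).stem.lower()
        if d.display == d.name and stem != d.name.lower():
            reasons.append(f"service name {d.name!r} does not match binary {stem!r}")
        if looks_random(d.name):
            reasons.append("service name looks machine-generated")
        if len(reasons) >= threshold:
            flagged.append((d, reasons))
    return flagged


def build_cfscript(flagged, locked_keys) -> str:
    """Draft a CFScript with the directives used in the thread: File::, Driver::, Reglock::."""
    parts = []
    if flagged:
        parts.append("File::\n" + "\n".join(d.path for d, _ in flagged))
        parts.append("Driver::\n" + "\n".join(d.name for d, _ in flagged))
    if locked_keys:
        parts.append("Reglock::\n" + "\n".join(locked_keys))
    return "\n\n".join(parts) + "\n"


if __name__ == "__main__":
    hits = triage(parse_drivers(SAMPLE_LOG))
    for d, why in hits:
        print(f"{d.start} {d.name} -> {d.path}")
        for w in why:
            print("   -", w)
    print(build_cfscript(hits, parse_locked_keys(SAMPLE_LOG)))
```

Run against the sample, only `qcihrtv` reaches the threshold (boot start, unreadable binary, mismatched names, random-looking name), and the drafted script matches the `File::` / `Driver::` / `Reglock::` lines in the fix above. Treat the output as a draft to review, not something to feed to ComboFix blind: a legitimate vendor driver with an unusual name can score two points on its own.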

Kevin:
Things are looking good and I feel like great progress has been made. I was able to
do all steps thru normal start up mode. After the first re-boot the pc stalled and
displayed "windows cannot find CF2841.3exe." I cancelled that and it booted fine.
2 minutes later it gave me the old symptom of changing taskbar colors, so I rebooted
and was able to run Eset scan where it found an old infection, "win32bundled ask
toolbar". That scan ran uninterrupted, amazingly, no taskbar color changes!!
Pc is working much, much better. I'm anxious to hear your review of the log. Also
interested to know what exactly I've been fighting against for the last month & 1/2?
Curious to know the name of whatever it was. Thanks!!

ComboFix 13-10-23.02 - RICH 10/23/2013  17:56:13.4.1 - x86
Running from: C:\Documents and Settings\Administrator\desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\RICH\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\drivers\yomjo.sys"

I'm very sorry, I missed a step. I did not check "export to text file" but I can
tell you the infection found by eset was one I've seen before.
It is "Win32/Bundled.Toolbar.Ask D application". However, I did check it for removal.


Results for rc-installer.exe = looks clean. (that was a utility offered by the local isp provider)

VirusTotal
SHA256:     030d6fbd4ca5ac91f6aaf1200d157dac62f6d3366f3099ddff7625b54e58ce70
SHA1:     3e522228cfab5421e102d963a6bd0a2a549d5cd1
MD5:     294f1e0acdfe62add927dcb074507b40
File size:     1.2 MB ( 1207928 bytes )
File name:     rc-installer.exe
File type:     Win32 EXE
Detection ratio:     0 / 47
Analysis date:     2013-10-24 04:44:46 UTC ( 0 minutes ago )  
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
PE signature block
Publisher Alcatel-Lucent USA
Signature verification Signed file, verified signature
Signing date 5:44 AM 10/24/2013
Signers     
[+] Alcatel-Lucent USA
[+] VeriSign Class 3 Code Signing 2010 CA
[+] VeriSign
ExifTool file metadata
MIMEType
application/octet-stream

Subsystem
Windows GUI
MachineType
Intel 386 or later, and compatibles
TimeStamp
2009:12:05 23:50:41+01:00
FileType
Win32 EXE
PEType
PE32
CodeSize
23040
LinkerVersion
6.0
FileAccessDate
2013:10:24 05:43:59+01:00
EntryPoint
0x30cb
InitializedDataSize
119808
SubsystemVersion
4.0
ImageVersion
6.0
OSVersion
4.0
FileCreateDate
2013:10:24 05:43:59+01:00
UninitializedDataSize
1024
 


Can you post the log from Combofix, will be here C:\Combofix.txt

 

What is the status of your system now, any remaining issues or concerns?

 

Run this please:

 

Download Security Check by screen317 from either of the following:

http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe

Save it to your Desktop.

Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.

A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

and the following:

 

Download AdwCleaner by Xplode from here: http://www.bleepingcomputer.com/download/adwcleaner/ and save to your Desktop.

 

  • Double click on AdwCleaner.exe to run the tool.
  • Vista/Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Uncheck any elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review.
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted (if necessary):
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.

 

Kevin...


Kevin:
PC seemed to be working normally for an extended period but then the symptoms returned: svchost.exe
uses 90-100% of CPU (like some program starts up), and then the desktop flickers and the taskbar changes
colors for a second, then reverts back to the original blue.

I thought we had it figured out but this bug is hiding somewhere
deep inside. Not sure if this helps but those symptoms never occur during safe mode.

 A couple minor issues have popped up;
> no win search tool in normal, only in safe mode- might be disabled somehow?
> new message at every boot-up for "found new hardware", some pci modem.. have no clue.
For your reference,  the infection, "bundled toolbar ask application", was found by Eset
while scanning a restore point on the c: drive.
The only other combofix log is here>  (I hope this is the one you need)

2013-10-23 17:27:18 . 2013-10-23 17:27:18              562 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\SafeBoot-mbamchameleon.reg.dat
2013-10-23 17:27:17 . 2013-10-23 17:27:17              558 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\SafeBoot-70404671.sys.reg.dat
2013-10-23 17:27:17 . 2013-10-23 17:27:17              558 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\SafeBoot-47500374.sys.reg.dat
2013-10-23 17:27:17 . 2013-10-23 17:27:17              558 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\SafeBoot-36329121.sys.reg.dat
2013-10-23 17:27:17 . 2013-10-23 17:27:17              558 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\SafeBoot-36290891.sys.reg.dat
2013-10-23 17:27:17 . 2013-10-23 17:27:17              558 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\SafeBoot-15799350.sys.reg.dat
2013-10-23 17:24:34 . 2013-10-23 17:24:34           12,683 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2013-10-23 17:19:51 . 2013-10-23 17:19:51              512 ----a-w-  C:\Qoobox\Quarantine\MBR_HardDisk0.mbr
2013-10-23 17:17:52 . 2013-10-23 17:17:52               51 ----a-w-  C:\Qoobox\Quarantine\catchme.log

# AdwCleaner v3.010 - Report created 24/10/2013 at 13:07:46
# Updated 20/10/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : RICH - RICH-BIZ
# Running from : C:\Documents and Settings\RICH\desktop\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v24.0 (en-US)

[ File : C:\Documents and Settings\RICH\Application Data\Mozilla\Firefox\Profiles\ud60wonb.default\prefs.js ]


[ File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9ww7oghu.default-1379006515921\prefs.js ]


*************************

AdwCleaner[R0].txt - [1158 octets] - [17/09/2013 15:31:26]
AdwCleaner[R10].txt - [2204 octets] - [18/10/2013 10:38:50]
AdwCleaner[R11].txt - [2266 octets] - [18/10/2013 10:52:17]
AdwCleaner[R12].txt - [2222 octets] - [19/10/2013 01:57:38]
AdwCleaner[R13].txt - [2325 octets] - [19/10/2013 02:07:48]
AdwCleaner[R14].txt - [2465 octets] - [19/10/2013 16:38:37]
AdwCleaner[R15].txt - [2569 octets] - [19/10/2013 18:27:17]
AdwCleaner[R16].txt - [2709 octets] - [20/10/2013 14:44:41]
AdwCleaner[R17].txt - [1287 octets] - [24/10/2013 13:07:46]
AdwCleaner[R1].txt - [1280 octets] - [01/10/2013 12:21:48]
AdwCleaner[R2].txt - [1289 octets] - [03/10/2013 00:38:28]
AdwCleaner[R3].txt - [1485 octets] - [03/10/2013 18:52:17]
AdwCleaner[R4].txt - [1605 octets] - [04/10/2013 03:29:09]
AdwCleaner[R5].txt - [1725 octets] - [04/10/2013 13:25:15]
AdwCleaner[R6].txt - [1845 octets] - [16/10/2013 09:57:10]
AdwCleaner[R7].txt - [1798 octets] - [17/10/2013 10:58:17]
AdwCleaner[R8].txt - [1918 octets] - [17/10/2013 14:01:17]
AdwCleaner[R9].txt - [2020 octets] - [17/10/2013 19:32:47]
AdwCleaner[s0].txt - [1221 octets] - [17/09/2013 15:35:36]
AdwCleaner[s10].txt - [2387 octets] - [19/10/2013 02:09:23]
AdwCleaner[s11].txt - [2527 octets] - [19/10/2013 16:40:10]
AdwCleaner[s12].txt - [2631 octets] - [19/10/2013 18:28:19]
AdwCleaner[s13].txt - [2771 octets] - [20/10/2013 14:45:29]
AdwCleaner[s1].txt - [1343 octets] - [01/10/2013 12:24:23]
AdwCleaner[s2].txt - [1352 octets] - [03/10/2013 00:40:59]
AdwCleaner[s3].txt - [1546 octets] - [03/10/2013 18:54:12]
AdwCleaner[s4].txt - [1666 octets] - [04/10/2013 03:30:42]
AdwCleaner[s5].txt - [1786 octets] - [04/10/2013 13:26:27]
AdwCleaner[s6].txt - [1906 octets] - [16/10/2013 09:58:47]
AdwCleaner[s7].txt - [1859 octets] - [17/10/2013 10:59:07]
AdwCleaner[s8].txt - [1979 octets] - [17/10/2013 14:02:24]
AdwCleaner[s9].txt - [2282 octets] - [19/10/2013 02:05:00]

########## EOF - C:\AdwCleaner\AdwCleaner[R17].txt - [2732 octets] ##########

Results of screen317's Security Check version 0.99.73  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
 ESET Online Scanner v3   
 Microsoft Security Essentials    
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Mozilla Firefox (24.0)
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 21% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````


Yes, possible hidden infection, continue:

 

1.Download Malwarebytes Anti-Rootkit from this link:

 

 http://www.malwarebytes.org/products/mbar/

 

2. Unzip the File to a convenient location. (Recommend the Desktop)

3. Open the folder where the contents were unzipped to run mbar.exe

 

Image1.png

 

4. Double-click on the mbar.exe file, you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:

 

mbarwm.png

 

5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you login, MBAR will automatically start and you will now be at the start screen. (If no Rootkit warning you will go from step 4 to 6.)

 

6. The following image opens, select Next.

 

Image2.png

 

7. The following image opens, select Update

 

Image3.png

 

8. When the update completes select Next.

 

Image4.png

 

9. In the following window ensure "Targets" are ticked. Then select "Scan"

 

Image5.png

 

10. If an infection is found select the "Cleanup Button" to remove threats, Reboot if prompted. Wait while the system shuts down and the cleanup process is performed.

 

MBAntiRKcleanA.png

 

11. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click "Cleanup Button" once more and repeat the process.

12. If no threats were found you will see the following image, Select Exit:

 

Image6.png

 

13. Verify that your system is now running normally, making sure that the following items are functional:

 


  • Internet access
  • Windows Update
  • Windows Firewall

 

14. If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included within the Malwarebytes Anti-Rootkit folder.

 

15. Select "Y" from your Keyboard, tap Enter.

 

16. The fix will be applied, select any key to Exit.

 

17. Let me know how your system now responds. Copy and paste the two following logs from the mbar folder:

 

System - log

Mbar - log   Date and time of scan will also be shown

 

Thanks,

 

Kevin...


kevin:

Thanks for hanging in there. So I ran Mbam-root kit scan and nothing, no infections found. The only thing I noticed today was that the changing of taskbar color coincided with this process called "verclid.exe" which I saw start up and run for a moment in task-mgr while the suspicious behavior was going on. Hopefully this a good clue.. Are you familiar with this process at all? I will wait for your next steps. Thanks!


Are you sure the name you gave is correct? I've seen one similar that may be malicious. OK, we'll have a look for it, plus a similar one:

Please download SystemLook from the following link below and save it to your Desktop.

http://images.malwareremoval.com/jpshortstuff/SystemLook.exe

 

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    verclid.exe
    verclsid.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.



Note: The log can also be found on your Desktop entitled SystemLook.txt


Svchost still runs briefly up to 100%, followed by an obvious taskbar color change about 7 mins after boot-up.

I wasn't completely sure of the name spelling since it was displayed for a quick second. Here is the SystemLook and MBAR log in case you needed it:

SystemLook 30.07.11 by jpshortstuff
Log created at 18:09 on 28/10/2013 by Administrator
Administrator - Elevation successful

========== filefind ==========

Searching for "verclid.exe"
No files found.

Searching for "verclsid.exe"
C:\WINDOWS\system32\verclsid.exe    --a---- 28672 bytes    [12:00 14/04/2008]    [12:00 14/04/2008] 91790D6749EBED90E2C40479C0A91879

-= EOF =-

Malwarebytes Anti-Rootkit BETA 1.07.0.1007
www.malwarebytes.org

Database version: v2013.10.28.06

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
Administrator :: RICH-BIZ [administrator]

10/28/2013 12:18:38 PM
mbar-log-2013-10-28 (12-18-38).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 212817
Time elapsed: 36 minute(s), 58 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)
 

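Kevin's instinct above (a name one letter off from a real system binary) is a classic masquerade check, and the SystemLook output gives the two facts needed to verify the genuine file: its location under system32 and its MD5. The Python script below is an added example, not part of the thread's tooling. It takes a list of observed process paths and checks each against a small baseline of Windows XP binaries: an exact name in the wrong directory, a near-miss name (edit distance 1 or 2) anywhere on disk, and a size or hash mismatch for a file in the right place. The verclsid.exe size and MD5 in the baseline are the values SystemLook reported; every other baseline entry and the whole OBSERVED list are constructed for the example and say nothing about this machine.

```python
"""Spot lookalike and misplaced system binaries (added example, not from the thread).

BASELINE pins verclsid.exe to the size and MD5 that SystemLook reported in
the thread; the other baseline rows and all of OBSERVED are constructed.
"""
from pathlib import PureWindowsPath

SYSTEM32 = r"c:\windows\system32"

# name -> (expected directory, expected size or None, expected MD5 or None)
BASELINE = {
    "verclsid.exe": (SYSTEM32, 28672, "91790d6749ebed90e2c40479c0a91879"),
    "svchost.exe": (SYSTEM32, None, None),
    "explorer.exe": (r"c:\windows", None, None),
    "wmiprvse.exe": (r"c:\windows\system32\wbem", None, None),
}

# Constructed observations: (path, size, md5). The first row reproduces the
# SystemLook result; the rest are made-up cases to exercise each check.
OBSERVED = [
    (r"C:\WINDOWS\system32\verclsid.exe", 28672, "91790D6749EBED90E2C40479C0A91879"),
    (r"C:\WINDOWS\system32\svchost.exe", 14336, "00000000000000000000000000000001"),
    (r"C:\Documents and Settings\RICH\Local Settings\Temp\verclid.exe", 40960, "00000000000000000000000000000002"),
    (r"C:\WINDOWS\svchost.exe", 51200, "00000000000000000000000000000003"),
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small enough values mean 'one typo away from a real name'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_one(path: str, size: int, md5: str, baseline=BASELINE, max_dist: int = 2) -> list[str]:
    p = PureWindowsPath(path)
    name, folder = p.name.lower(), str(p.parent).lower()
    findings = []
    if name in baseline:
        exp_dir, exp_size, exp_md5 = baseline[name]
        if folder != exp_dir.lower():
            # Right name, wrong place: the most common masquerade on XP.
            findings.append(f"{name} running from {folder!r}, expected {exp_dir!r}")
        else:
            if exp_size is not None and size != exp_size:
                findings.append(f"{name} size {size} != baseline {exp_size}")
            if exp_md5 is not None and md5.lower() != exp_md5:
                findings.append(f"{name} MD5 {md5.lower()} != baseline {exp_md5}")
        return findings
    # Unknown name: is it a near-miss of something we do know?
    for known in baseline:
        d = levenshtein(name, known)
        if 0 < d <= max_dist:
            findings.append(f"{name} is {d} edit(s) from system binary {known} (possible lookalike)")
    return findings


def scan(observed=OBSERVED, baseline=BASELINE) -> dict[str, list[str]]:
    """Return path -> findings for every observed entry that raised at least one."""
    report = {}
    for path, size, md5 in observed:
        hits = check_one(path, size, md5, baseline)
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for path, hits in scan().items():
        print(path)
        for h in hits:
            print("   -", h)
```

On the constructed input the genuine verclsid.exe passes (right folder, right size, hash matches case-insensitively), the Temp-folder `verclid.exe` is reported as one edit from `verclsid.exe`, and `C:\WINDOWS\svchost.exe` is reported for being outside system32. The hash comparison is only as good as the baseline: pin hashes per service-pack build, as the thread does with the 5.1.2600.5512 file.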

Best to upload that file for analysis, see what results come back...

 

Upload a File to Virustotal

Go to http://www.virustotal.com/


Click the Choose file button
Navigate to the file C:\WINDOWS\system32\verclsid.exe or just copy/paste it in.
Click the Scan it tab
If you get a message saying File has already been analyzed: click Reanalyze file now
Copy and paste the results back here please.


SHA256: 3c267950f13cce412474c5228fc0e3d8d7f912e82464bd2ce6312a0326f84a80 File name: verclsid.exe Detection ratio: 0 / 47 Analysis date: 2013-10-28 23:39:52 UTC ( 0 minutes ago )

 

Publisher Microsoft Corporation
Product Microsoft® Windows® Operating System
Original name verclsid.exe
Internal name verclsid.exe
File version 5.1.2600.5512 (xpsp.080413-2105)
Description Verify Class ID
ExifTool file metadata
SubsystemVersion
5.0
InitializedDataSize
8192
ImageVersion
5.1
ProductName
Microsoft Windows Operating System
FileVersionNumber
5.1.2600.5512
UninitializedDataSize
0
LanguageCode
English (U.S.)
FileFlagsMask
0x003f
CharacterSet
Unicode
LinkerVersion
7.1
OriginalFilename
verclsid.exe
MIMEType
application/octet-stream
Subsystem
Windows GUI
FileVersion
5.1.2600.5512 (xpsp.080413-2105)
TimeStamp
2008:04:13 19:33:58+01:00
FileType
Win32 EXE
PEType
PE32
InternalName
verclsid.exe
FileAccessDate
2013:06:03 12:17:32+01:00
ProductVersion
5.1.2600.5512
FileDescription
Verify Class ID
OSVersion
5.1
Looks like our search continues..

Yes I agree, do the following:

 

We need to run an online AV scan to ensure there are no remnants of any infection left on your system, this scan can take several hours to complete, it is very thorough and well worth running, please be patient and let it complete:

 

Run Eset Online Scanner

 

**Note** You will need to use Internet Explorer for this scan. Vista and Win 7: right-click on the IE shortcut and run as admin.

 

Go to Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.

 

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    Click Start
  • When asked, allow the add-on to be installed
    Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options
  • Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
    Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish

 

When the scan is complete

 

  • If no threats were found
  • put a checkmark in "Uninstall application on close"
  • close program
  • report to me that nothing was found

 

If threats were found

 

  • click on "list of threats found"
  • click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • put a checkmark in "Uninstall application on close"
  • click on finish

 

close program

 

copy and paste the report here


Kevin:

I ran a clean boot and the same symptoms appear, only much quicker, like 1-2 mins after boot-up. I ran 2 searches, one for pf files and one for all files modified during that last start-up. Not sure if this helps but please review:

only 5 files total created in prefetch = verclsid.exe, svchost.exe, wmiprvse.exe, explorer.exe, & ntosboot.pf

25 files modified during last start-up from 6:07pm to 6:10pm>

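The last post points at the right artefact: on XP, every executable that runs leaves a `.pf` file in `C:\WINDOWS\Prefetch`, and the header records the executable name, the last run time and a run count, which is exactly what you need to line up "which process ran about 7 minutes after boot" with the taskbar symptom. The Python script below is an added example, not something posted in the thread. It parses the Windows XP prefetch header (format version 17: name at 0x10 as 60 bytes of UTF-16LE, hash at 0x4C, last run FILETIME at 0x78, run count at 0x90), orders the executables by seconds after boot, and picks out those that last ran inside a chosen window. Because no real `.pf` files are on the page, the sample files are constructed with `build_sample_pf()`, and the boot time, run times, run counts and the hash suffixes in the file names are made up to mirror the five names the poster listed.

```python
"""Parse Windows XP (format version 17) prefetch headers and order the
executables by how long after boot they last ran.

Added example, not from the thread. The .pf bytes are constructed with
build_sample_pf(); the boot time, run times and run counts are made up to
mirror the "about 7 minutes after boot-up" symptom described above.
"""
import struct
from datetime import datetime, timedelta, timezone

PF_VERSION_XP = 0x11            # Windows XP / Server 2003 prefetch format
PF_SIGNATURE = b"SCCA"
HEADER_LEN = 0x98               # 0x54 fixed header + 0x44 file-information block
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - _FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def parse_xp_prefetch(data: bytes) -> dict:
    """Read the version-17 header fields: name @0x10 (60 bytes UTF-16LE),
    hash @0x4C, last run @0x78 (FILETIME), run count @0x90."""
    if len(data) < HEADER_LEN:
        raise ValueError("too short for a prefetch header")
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != PF_SIGNATURE:
        raise ValueError("missing SCCA signature")
    if version != PF_VERSION_XP:
        raise ValueError(f"unsupported prefetch version 0x{version:x} (only XP/v17 handled here)")
    name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    (pf_hash,) = struct.unpack_from("<I", data, 0x4C)
    (last_run,) = struct.unpack_from("<Q", data, 0x78)
    (run_count,) = struct.unpack_from("<I", data, 0x90)
    return {"exe_name": name, "hash": pf_hash,
            "last_run": filetime_to_datetime(last_run), "run_count": run_count}


def build_sample_pf(exe_name: str, last_run: datetime, run_count: int, pf_hash: int = 0) -> bytes:
    """Constructed minimal v17 header; the section tables after it are left empty."""
    buf = bytearray(HEADER_LEN)
    # version, signature, reserved/unknown field, file size
    struct.pack_into("<I4sII", buf, 0, PF_VERSION_XP, PF_SIGNATURE, 0, HEADER_LEN)
    encoded = exe_name.encode("utf-16-le")[:58]   # leave room for the terminator
    buf[0x10:0x10 + len(encoded)] = encoded
    struct.pack_into("<I", buf, 0x4C, pf_hash)
    struct.pack_into("<Q", buf, 0x78, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, 0x90, run_count)
    return bytes(buf)


SAMPLE_BOOT = datetime(2013, 10, 28, 18, 0, 0, tzinfo=timezone.utc)


def _after_boot(seconds: int) -> datetime:
    return SAMPLE_BOOT + timedelta(seconds=seconds)


# Constructed prefetch folder; the 8-hex-digit suffixes are placeholders.
SAMPLE_FILES = {
    "NTOSBOOT-B00DFAAD.pf": build_sample_pf("NTOSBOOT", _after_boot(0), 17),
    "SVCHOST.EXE-00000001.pf": build_sample_pf("SVCHOST.EXE", _after_boot(4), 210),
    "EXPLORER.EXE-00000002.pf": build_sample_pf("EXPLORER.EXE", _after_boot(25), 44),
    "WMIPRVSE.EXE-00000003.pf": build_sample_pf("WMIPRVSE.EXE", _after_boot(418), 39),
    "VERCLSID.EXE-00000004.pf": build_sample_pf("VERCLSID.EXE", _after_boot(430), 3),
}


def triage_prefetch(files: dict, boot_time: datetime) -> list[tuple[str, int, int]]:
    """(exe name, seconds after boot, run count), sorted by offset from boot."""
    rows = []
    for data in files.values():
        info = parse_xp_prefetch(data)
        offset = int((info["last_run"] - boot_time).total_seconds())
        rows.append((info["exe_name"], offset, info["run_count"]))
    return sorted(rows, key=lambda r: r[1])


def in_window(rows, lo: int, hi: int) -> list[str]:
    """Executables whose last run fell lo..hi seconds after boot."""
    return [name for name, offset, _ in rows if lo <= offset <= hi]


if __name__ == "__main__":
    rows = triage_prefetch(SAMPLE_FILES, SAMPLE_BOOT)
    for name, offset, count in rows:
        print(f"{offset:5d}s  runs={count:<4d} {name}")
    print("ran in the 6-8 minute window:", in_window(rows, 360, 480))
```

Two caveats when using this for real. The header keeps only the most recent run, so read the folder right after the symptom fires rather than hours later; and prefetch files are written by the prefetcher, not the program, so a rootkit that hides its process from Task Manager may still show up here while a component running inside an existing svchost.exe will not have a `.pf` of its own. Run counts help either way: a system binary such as verclsid.exe with a low count that keeps landing in the symptom window is worth asking what launches it (the thread's next step would be the parent process and command line), whereas svchost.exe with hundreds of runs is expected.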

This topic is now closed to further replies.