Jump to content

Logs for MrC


Recommended Posts

Hi MrC,

 

Further to the PM you sent me earlier today, please find rerun of FRST...

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 27-09-2013 01 (ATTENTION: ====> FRST version is 38 days old and could be outdated)
Ran by Euan (administrator) on EILEEN on 04-11-2013 18:18:50
Running from C:\Documents and Settings\Euan\Desktop\farbar
Microsoft Windows XP Home Edition Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(Microsoft Corporation) c:\Program Files\Microsoft Security Client\MsMpEng.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Sun Microsystems, Inc.) C:\Program Files\Java\jre6\bin\jqs.exe
(Analog Devices, Inc.) C:\Program Files\Analog Devices\Core\smax4pnp.exe
(Intel Corporation) C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
(Sonic Solutions) C:\WINDOWS\system32\dla\tfswctrl.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(RealNetworks, Inc.) C:\Program Files\Common Files\Real\Update_OB\realsched.exe
(Research In Motion Limited) C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
(Skype Technologies S.A.) C:\Program Files\Skype\Phone\Skype.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\WINDOWS\system32\wscntfy.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [soundMAXPnP] - C:\Program Files\Analog Devices\Core\smax4pnp.exe [1404928 2004-10-14] (Analog Devices, Inc.)
HKLM\...\Run: [intelMeM] - C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe [221184 2003-09-03] (Intel Corporation)
HKLM\...\Run: [dla] - C:\WINDOWS\system32\dla\tfswctrl.exe [122939 2004-08-13] (Sonic Solutions)
HKLM\...\Run: [updateManager] - C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe [110592 2006-06-29] (Sonic Solutions)
HKLM\...\Run: [NPSStartup] - [x]
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [421160 2010-12-13] (Apple Inc.)
HKLM\...\Run: [TkBellExe] - C:\Program Files\Common Files\Real\Update_OB\realsched.exe [198160 2009-09-28] (RealNetworks, Inc.)
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\qttask.exe [421888 2010-11-29] (Apple Inc.)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [RIMBBLaunchAgent.exe] - C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [90448 2011-11-02] (Research In Motion Limited)
HKLM\...\Run: [MSC] - "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey <===== ATTENTION (File name is altered)
HKLM\...\Run: [igfxhkcmd] - C:\WINDOWS\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [igfxpers] - C:\WINDOWS\system32\igfxpers.exe [114688 2005-09-20] (Intel Corporation)
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKCU\...\Run: [skype] - C:\Program Files\Skype\Phone\Skype.exe [19875432 2013-06-21] (Skype Technologies S.A.)
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
MountPoints2: {53189a35-4646-11e2-8b26-001111dfcd46} - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL drivers\setup.exe
HKU\EMK\...\Run: [MSMSGS] - C:\Program Files\Messenger\msmsgs.exe [ 2008-04-14] (Microsoft Corporation)
HKU\EMK\...\Run: [MSKAGENTEXE] - C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
HKU\SJK\...\Run: [MSKAGENTEXE] - C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
HKU\SJK\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\qttask.exe [ 2010-11-29] (Apple Inc.)
HKU\SJK\...\Run: [spybotSD TeaTimer] - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
ShortcutTarget: Windows Search.lnk -> C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login_verify2?&.src=ym
SearchScopes: HKCU - DefaultScope {DECA3892-BA8F-44b8-A993-A466AD694AE4} URL = http://uk.search.yahoo.com/search?fr=mcafee&p={searchTerms}
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {DECA3892-BA8F-44b8-A993-A466AD694AE4} URL = http://uk.search.yahoo.com/search?fr=mcafee&p={searchTerms}
BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll No File
BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
BHO: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} -  No File
BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll No File
BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
Toolbar: HKCU -&Links - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -  No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B479199A-1242-4E3C-AD81-7F0DF801B4AE} http://download.microsoft.com/download/C/9/C/C9C3D86D-84AC-4AF0-8584-842756A66467/MicrosoftDownloadManager.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll No File
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~3\MESSEN~1\MSGRAP~1.DLL (Microsoft Corporation)
Handler: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll No File
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~3\MESSEN~1\MSGRAP~1.DLL (Microsoft Corporation)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
ShellExecuteHooks: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll No File [ ]
ShellExecuteHooks: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [304128 2009-05-24] (Microsoft Corporation)
Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 03 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [152864] (Apple Inc.)
Winsock: Catalog9 01 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 02 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 03 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 04 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 05 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 06 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 07 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 08 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 09 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 10 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 11 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 12 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 13 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 14 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 15 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 16 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 17 mswsock.dll File Not found (Microsoft Corporation)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt

========================== Services (Whitelisted) =================

S2 gupdate1c9ed306e0f9d60; C:\Program Files\Google\Update\GoogleUpdate.exe [133104 2009-06-14] (Google Inc.)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22208 2013-06-20] (Microsoft Corporation)
S3 NetSvc; C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe [143360 2003-12-17] (Intel® Corporation)
S3 ADMXGHMD; C:\DOCUME~1\Euan\LOCALS~1\Temp\ADMXGHMD.exe [x]
R2 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"
S3 Microsoft Office Groove Audit Service; "C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe" [x]
S3 odserv; "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE" [x]
S2 vsmon; C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe -service [x]
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{3dc32db7-d17b-333f-d167-0e5d453a1c2e}\   \   \???\{3dc32db7-d17b-333f-d167-0e5d453a1c2e}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

==================== Drivers (Whitelisted) ====================

R2 drvnddm; C:\Windows\System32\drivers\drvnddm.sys [40544 2004-08-13] (Sonic Solutions)
S3 FsUsbExDisk; C:\WINDOWS\system32\FsUsbExDisk.SYS [36608 2009-11-02] ()
R3 ialm; C:\Windows\System32\DRIVERS\ialmnt5.sys [1302332 2005-09-20] (Intel Corporation)
R3 IntelC51; C:\Windows\System32\DRIVERS\IntelC51.sys [1233525 2004-03-05] (Intel Corporation)
R3 IntelC52; C:\Windows\System32\DRIVERS\IntelC52.sys [647929 2004-03-05] (Intel Corporation)
R3 IntelC53; C:\Windows\System32\DRIVERS\IntelC53.sys [61157 2004-06-15] (Intel Corporation)
R3 mohfilt; C:\Windows\System32\DRIVERS\mohfilt.sys [37048 2004-03-05] (Intel Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [211560 2013-06-18] (Microsoft Corporation)
R3 pfc; C:\Windows\System32\drivers\pfc.sys [21248 2003-09-20] (Padus, Inc.)
S3 RapportIaso; c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\baseline\rapportiaso.sys [55448 2013-04-02] (Trusteer Ltd.)
R3 senfilt; C:\Windows\System32\drivers\senfilt.sys [732928 2004-09-17] (Creative Technology Ltd.)
S3 SONYPVU1; C:\Windows\System32\DRIVERS\SONYPVU1.SYS [7552 2001-08-17] (Sony Corporation)
R1 sscdbhk5; C:\Windows\System32\drivers\sscdbhk5.sys [5627 2004-07-14] (Sonic Solutions)
R1 ssrtln; C:\Windows\System32\drivers\ssrtln.sys [23545 2004-07-14] (Sonic Solutions)
R2 tfsnboio; C:\Windows\System32\dla\tfsnboio.sys [25723 2004-08-13] (Sonic Solutions)
R2 tfsncofs; C:\Windows\System32\dla\tfsncofs.sys [34843 2004-08-13] (Sonic Solutions)
R2 tfsndrct; C:\Windows\System32\dla\tfsndrct.sys [4123 2004-08-13] (Sonic Solutions)
R2 tfsndres; C:\Windows\System32\dla\tfsndres.sys [2239 2004-08-13] (Sonic Solutions)
R2 tfsnifs; C:\Windows\System32\dla\tfsnifs.sys [86202 2004-08-13] (Sonic Solutions)
R2 tfsnopio; C:\Windows\System32\dla\tfsnopio.sys [14715 2004-08-13] (Sonic Solutions)
R2 tfsnpool; C:\Windows\System32\dla\tfsnpool.sys [6363 2004-08-13] (Sonic Solutions)
R2 tfsnudf; C:\Windows\System32\dla\tfsnudf.sys [98714 2004-08-13] (Sonic Solutions)
R2 tfsnudfa; C:\Windows\System32\dla\tfsnudfa.sys [100603 2004-08-13] (Sonic Solutions)
S3 v800bus; C:\Windows\System32\DRIVERS\v800bus.sys [52416 2004-08-09] (MCCI)
S3 v800mdfl; C:\Windows\System32\DRIVERS\v800mdfl.sys [6160 2004-08-09] (MCCI)
S3 v800mdm; C:\Windows\System32\DRIVERS\v800mdm.sys [84544 2004-08-09] (MCCI)
S3 v800mgmt; C:\Windows\System32\DRIVERS\v800mgmt.sys [77760 2004-08-09] (MCCI)
S3 v800obex; C:\Windows\System32\DRIVERS\v800obex.sys [75584 2004-08-09] (MCCI)
R1 vsdatant; C:\Windows\System32\vsdatant.sys [394952 2007-11-14] (Zone Labs, LLC)
S3 bvrp_pci; No ImagePath
S1 fbvldaqz; \??\C:\WINDOWS\system32\drivers\fbvldaqz.sys [x]
S1 MpKslbb08b574; \??\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{050977AE-EF92-4890-A703-ED579F5AF2BB}\MpKslbb08b574.sys [x]
U5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
S0 srescan; system32\ZoneLabs\srescan.sys [x]
S3 wanatw; system32\DRIVERS\wanatw4.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-10-11 10:31 - 2013-10-11 10:31 - 00000000 ____D C:\Documents and Settings\EMK\Application Data\Windows Desktop Search

==================== One Month Modified Files and Folders =======

2013-11-04 18:18 - 2013-09-29 23:17 - 00000000 ____D C:\Documents and Settings\Euan\Desktop\farbar
2013-11-04 18:12 - 2009-07-01 10:13 - 00000886 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2013-11-04 18:04 - 2013-05-31 09:32 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2013-11-04 17:27 - 2005-02-18 17:50 - 01993417 _____ C:\WINDOWS\WindowsUpdate.log
2013-11-04 16:59 - 2005-02-18 17:47 - 00002206 _____ C:\WINDOWS\system32\WPA.DBL
2013-11-04 16:58 - 2012-05-06 22:26 - 00000616 ____H C:\WINDOWS\Tasks\ConfigExec.job
2013-11-04 16:58 - 2005-02-18 17:51 - 00001529 _____ C:\SMax.log
2013-11-04 16:57 - 2009-07-01 10:13 - 00000882 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2013-11-04 16:57 - 2005-02-18 17:49 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2013-11-04 15:13 - 2005-02-18 17:49 - 00032558 _____ C:\WINDOWS\SchedLgU.Txt
2013-11-04 15:10 - 2005-03-12 22:09 - 00000278 ___SH C:\Documents and Settings\Euan\NTUSER.INI
2013-11-04 15:10 - 2005-03-12 22:09 - 00000000 ____D C:\Documents and Settings\Euan
2013-10-29 23:26 - 2012-05-06 22:26 - 00000580 ____H C:\WINDOWS\Tasks\DataUpload.job
2013-10-29 22:25 - 2005-02-18 17:49 - 00546586 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2013-10-12 23:53 - 2010-06-10 12:44 - 00000215 _____ C:\WINDOWS\wiadebug.log
2013-10-12 23:53 - 2010-06-10 12:44 - 00000050 _____ C:\WINDOWS\wiaservc.log
2013-10-12 23:51 - 2013-04-13 17:28 - 00000000 ____D C:\Documents and Settings\Euan\Desktop\Files
2013-10-12 21:46 - 2005-03-12 23:50 - 00006144 _____ C:\Documents and Settings\Euan\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-10-12 21:31 - 2005-03-18 01:15 - 00000000 ____D C:\Documents and Settings\Euan\My Documents\My Received Files
2013-10-12 21:17 - 2008-01-08 18:13 - 00000000 ____D C:\Documents and Settings\Euan\Shared
2013-10-11 12:49 - 2005-03-26 14:42 - 00000178 ___SH C:\Documents and Settings\SJK\NTUSER.INI
2013-10-11 12:49 - 2005-03-26 14:41 - 00000000 ____D C:\Documents and Settings\SJK
2013-10-11 12:44 - 2008-02-22 15:29 - 00000000 ____D C:\Documents and Settings\SJK\Application Data\Adobe
2013-10-11 12:41 - 2005-03-10 23:04 - 00000278 ___SH C:\Documents and Settings\EMK\NTUSER.INI
2013-10-11 12:27 - 2008-08-20 19:46 - 00107736 _____ C:\Documents and Settings\EMK\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2013-10-11 12:11 - 2005-06-11 09:00 - 00010240 _____ C:\Documents and Settings\EMK\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-10-11 10:31 - 2013-10-11 10:31 - 00000000 ____D C:\Documents and Settings\EMK\Application Data\Windows Desktop Search

Files to move or delete:
====================
ZeroAccess:
C:\Documents and Settings\Euan\Local Settings\Application Data\Google\Desktop\Install
ZeroAccess:
C:\Program Files\Google\Desktop\Install
C:\Documents and Settings\Euan\settings.dat

Some content of TEMP:
====================
C:\Documents and Settings\Euan\Local Settings\Temp\SkypeSetup.exe

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================

 

 

I have also included a new addition.txt as an attachment.

 

Thanks!

Link to post
Share on other sites

Download the attached fixlist.txt to the same folder as FRST.

Run FRST and click Fix only once and wait

The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

Then......

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt
To attach a log if needed:

Bottom right corner of this page.

reply1.jpg

New window that comes up.

replyer1.jpg

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.

MrC

Link to post
Share on other sites

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 27-09-2013 01
Ran by Euan at 2013-11-04 22:56:37 Run:1
Running from C:\Documents and Settings\Euan\Desktop\farbar
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
HKLM\...\Run: [MSC] - "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey 
HKCU\...\Run: [Google Update*] - [x]
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{3dc32db7-d17b-333f-d167-0e5d453a1c2e}\   \   \???\{3dc32db7-d17b-333f-d167-0e5d453a1c2e}\GoogleUpdate.exe"
S1 fbvldaqz; \??\C:\WINDOWS\system32\drivers\fbvldaqz.sys [x]
C:\Documents and Settings\Euan\Local Settings\Application Data\Google\Desktop\Install
C:\WINDOWS\system32\drivers\fbvldaqz.sys
C:\Program Files\Google\Desktop\Install
C:\Documents and Settings\Euan\settings.dat

*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\MSC => Value was restored successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update* => Value deleted successfully.
*etadpug => Service deleted successfully.
fbvldaqz => Service deleted successfully.
C:\Documents and Settings\Euan\Local Settings\Application Data\Google\Desktop\Install => Moved successfully.
"C:\WINDOWS\system32\drivers\fbvldaqz.sys " => File/Directory not found.
C:\Program Files\Google\Desktop\Install => Moved successfully.
C:\Documents and Settings\Euan\settings.dat => Moved successfully.

==== End of Fixlog ====

Link to post
Share on other sites

Hi MrC,

 

The first scan by MBAR found one malware item. After Cleanup and reboot, a further scan came back clean. I have attached two pairs of log files here (one created after each running of MBAR). Each scan took the best part of three hours to complete - is that normal?

 

I have updated my Antivirus (Microsoft Security Essentials/Windows Defender) and am about to perform Windows update.

 

Are there any other checks you would like me to do, or any other scans/procedures you think I should perform?

 

Thanks!

mbar-log-2013-11-04 (23-03-54).txt

system-log.txt

mbar-log-2013-11-05 (19-53-26).txt

system-log.txt

Link to post
Share on other sites

Each scan took the best part of three hours to complete - is that normal?

Depends on the size of the drive

I have updated my Antivirus (Microsoft Security Essentials/Windows Defender) and am about to perform Windows update.

Are there any other checks you would like me to do, or any other scans/procedures you think I should perform?


Yes, we're not done and don't do any updates.

-----------------------------------------------

Next:

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please make sure you click download buttons that look like this, not "sponsored ad links":

bleep-crop.jpg

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.
 

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

Link to post
Share on other sites

Hi MrC,

 

I ran Combofix, taking roughly 2h50 to complete. Here's the log...

 

ComboFix 13-11-07.01 - Euan 08/11/2013  20:10:01.1.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.44.1033.18.510.212 [GMT 0:00]
Running from: c:\documents and settings\Euan\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: ZoneAlarm Security Suite Antivirus *Disabled/Outdated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\SJK\WINDOWS
c:\windows\system32\regobj.dll
c:\windows\system32\SET100.tmp
c:\windows\system32\SET101.tmp
c:\windows\system32\SET102.tmp
c:\windows\system32\SET103.tmp
c:\windows\system32\SET104.tmp
c:\windows\system32\SET105.tmp
c:\windows\system32\SET107.tmp
c:\windows\system32\SET108.tmp
c:\windows\system32\SET109.tmp
c:\windows\system32\SET10B.tmp
c:\windows\system32\SET10C.tmp
c:\windows\system32\SET10D.tmp
c:\windows\system32\SET10E.tmp
c:\windows\system32\SET10F.tmp
c:\windows\system32\SET110.tmp
c:\windows\system32\SET111.tmp
c:\windows\system32\SET112.tmp
c:\windows\system32\SET113.tmp
c:\windows\system32\SET115.tmp
c:\windows\system32\SET116.tmp
c:\windows\system32\SET117.tmp
c:\windows\system32\SET11B.tmp
c:\windows\system32\SET11D.tmp
c:\windows\system32\SET17A.tmp
c:\windows\system32\SET17C.tmp
c:\windows\system32\SET17D.tmp
c:\windows\system32\SET183.tmp
c:\windows\system32\SET184.tmp
c:\windows\system32\SET185.tmp
c:\windows\system32\SET188.tmp
c:\windows\system32\SET18A.tmp
c:\windows\system32\SET18B.tmp
c:\windows\system32\SET18D.tmp
c:\windows\system32\SET18E.tmp
c:\windows\system32\SET193.tmp
c:\windows\system32\SET1A.tmp
c:\windows\system32\SET1B.tmp
c:\windows\system32\SET1C.tmp
c:\windows\system32\SET1D.tmp
c:\windows\system32\SET1E.tmp
c:\windows\system32\SET1F.tmp
c:\windows\system32\SET20.tmp
c:\windows\system32\SET21.tmp
c:\windows\system32\SET22.tmp
c:\windows\system32\SET23.tmp
c:\windows\system32\SET24.tmp
c:\windows\system32\SET25.tmp
c:\windows\system32\SET26.tmp
c:\windows\system32\SET27.tmp
c:\windows\system32\SET28.tmp
c:\windows\system32\SET29.tmp
c:\windows\system32\SET2A.tmp
c:\windows\system32\SET2B.tmp
c:\windows\system32\SET2C.tmp
c:\windows\system32\SET2D.tmp
c:\windows\system32\SET2E.tmp
c:\windows\system32\SET2E4.tmp
c:\windows\system32\SET2E5.tmp
c:\windows\system32\SET2E6.tmp
c:\windows\system32\SET2E7.tmp
c:\windows\system32\SET2ED.tmp
c:\windows\system32\SET2EE.tmp
c:\windows\system32\SET2EF.tmp
c:\windows\system32\SET2F.tmp
c:\windows\system32\SET2F2.tmp
c:\windows\system32\SET2F4.tmp
c:\windows\system32\SET2F6.tmp
c:\windows\system32\SET2FB.tmp
c:\windows\system32\SET30.tmp
c:\windows\system32\SET31.tmp
c:\windows\system32\SET32.tmp
c:\windows\system32\SET33.tmp
c:\windows\system32\SET34.tmp
c:\windows\system32\SET35.tmp
c:\windows\system32\SET36.tmp
c:\windows\system32\SET37.tmp
c:\windows\system32\SET38.tmp
c:\windows\system32\SET39.tmp
c:\windows\system32\SET3A.tmp
c:\windows\system32\SET3B.tmp
c:\windows\system32\SET3C.tmp
c:\windows\system32\SET3D.tmp
c:\windows\system32\SET3E.tmp
c:\windows\system32\SET3F.tmp
c:\windows\system32\SET40.tmp
c:\windows\system32\SET41.tmp
c:\windows\system32\SET42.tmp
c:\windows\system32\SET43.tmp
c:\windows\system32\SET44.tmp
c:\windows\system32\SET45.tmp
c:\windows\system32\SET46.tmp
c:\windows\system32\SET47.tmp
c:\windows\system32\SET48.tmp
c:\windows\system32\SET49.tmp
c:\windows\system32\SET4A.tmp
c:\windows\system32\SET4B.tmp
c:\windows\system32\SET4C.tmp
c:\windows\system32\SET4D.tmp
c:\windows\system32\SET4E.tmp
c:\windows\system32\SET4F.tmp
c:\windows\system32\SET50.tmp
c:\windows\system32\SET51.tmp
c:\windows\system32\SET52.tmp
c:\windows\system32\SET53.tmp
c:\windows\system32\SET54.tmp
c:\windows\system32\SET55.tmp
c:\windows\system32\SET56.tmp
c:\windows\system32\SET57.tmp
c:\windows\system32\SET58.tmp
c:\windows\system32\SET59.tmp
c:\windows\system32\SET5A.tmp
c:\windows\system32\SET5B.tmp
c:\windows\system32\SET5C.tmp
c:\windows\system32\SET5D.tmp
c:\windows\system32\SET5E.tmp
c:\windows\system32\SET5F.tmp
c:\windows\system32\SET60.tmp
c:\windows\system32\SET61.tmp
c:\windows\system32\SET62.tmp
c:\windows\system32\SET63.tmp
c:\windows\system32\SET64.tmp
c:\windows\system32\SET65.tmp
c:\windows\system32\SET66.tmp
c:\windows\system32\SET67.tmp
c:\windows\system32\SET68.tmp
c:\windows\system32\SET69.tmp
c:\windows\system32\SET6A.tmp
c:\windows\system32\SET6B.tmp
c:\windows\system32\SET6C.tmp
c:\windows\system32\SET6D.tmp
c:\windows\system32\SET6E.tmp
c:\windows\system32\SET6F.tmp
c:\windows\system32\SET70.tmp
c:\windows\system32\SET71.tmp
c:\windows\system32\SET72.tmp
c:\windows\system32\SET73.tmp
c:\windows\system32\SET74.tmp
c:\windows\system32\SET75.tmp
c:\windows\system32\SET76.tmp
c:\windows\system32\SET77.tmp
c:\windows\system32\SET78.tmp
c:\windows\system32\SET79.tmp
c:\windows\system32\SET7A.tmp
c:\windows\system32\SET7B.tmp
c:\windows\system32\SET7C.tmp
c:\windows\system32\SET7D.tmp
c:\windows\system32\SET7E.tmp
c:\windows\system32\SET7F.tmp
c:\windows\system32\SET80.tmp
c:\windows\system32\SET81.tmp
c:\windows\system32\SET82.tmp
c:\windows\system32\SET83.tmp
c:\windows\system32\SET84.tmp
c:\windows\system32\SET85.tmp
c:\windows\system32\SET86.tmp
c:\windows\system32\SET87.tmp
c:\windows\system32\SET88.tmp
c:\windows\system32\SET89.tmp
c:\windows\system32\SET8A.tmp
c:\windows\system32\SET8B.tmp
c:\windows\system32\SET8C.tmp
c:\windows\system32\SET8D.tmp
c:\windows\system32\SET8E.tmp
c:\windows\system32\SET8F.tmp
c:\windows\system32\SET90.tmp
c:\windows\system32\SET91.tmp
c:\windows\system32\SET92.tmp
c:\windows\system32\SET93.tmp
c:\windows\system32\SET94.tmp
c:\windows\system32\SET95.tmp
c:\windows\system32\SET96.tmp
c:\windows\system32\SET97.tmp
c:\windows\system32\SET98.tmp
c:\windows\system32\SET99.tmp
c:\windows\system32\SET9A.tmp
c:\windows\system32\SET9B.tmp
c:\windows\system32\SET9C.tmp
c:\windows\system32\SET9D.tmp
c:\windows\system32\SET9E.tmp
c:\windows\system32\SET9F.tmp
c:\windows\system32\SETA0.tmp
c:\windows\system32\SETA1.tmp
c:\windows\system32\SETA2.tmp
c:\windows\system32\SETA3.tmp
c:\windows\system32\SETA4.tmp
c:\windows\system32\SETA5.tmp
c:\windows\system32\SETA6.tmp
c:\windows\system32\SETA7.tmp
c:\windows\system32\SETA8.tmp
c:\windows\system32\SETAA.tmp
c:\windows\system32\SETAB.tmp
c:\windows\system32\SETAD.tmp
c:\windows\system32\SETAE.tmp
c:\windows\system32\SETAF.tmp
c:\windows\system32\SETB0.tmp
c:\windows\system32\SETB1.tmp
c:\windows\system32\SETB2.tmp
c:\windows\system32\SETB3.tmp
c:\windows\system32\SETB6.tmp
c:\windows\system32\SETB7.tmp
c:\windows\system32\SETB9.tmp
c:\windows\system32\SETBA.tmp
c:\windows\system32\SETBB.tmp
c:\windows\system32\SETBC.tmp
c:\windows\system32\SETBD.tmp
c:\windows\system32\SETBE.tmp
c:\windows\system32\SETBF.tmp
c:\windows\system32\SETC2.tmp
c:\windows\system32\SETC3.tmp
c:\windows\system32\SETC5.tmp
c:\windows\system32\SETC6.tmp
c:\windows\system32\SETC8.tmp
c:\windows\system32\SETC9.tmp
c:\windows\system32\SETCE.tmp
c:\windows\system32\SETD3.tmp
c:\windows\system32\SETD5.tmp
c:\windows\system32\SETD6.tmp
c:\windows\system32\SETDC.tmp
c:\windows\system32\SETDD.tmp
c:\windows\system32\SETDE.tmp
c:\windows\system32\SETE1.tmp
c:\windows\system32\SETE3.tmp
c:\windows\system32\SETE5.tmp
c:\windows\system32\SETE9.tmp
c:\windows\system32\SETEA.tmp
c:\windows\system32\SETEC.tmp
c:\windows\system32\SETED.tmp
c:\windows\system32\SETF1.tmp
c:\windows\system32\SETF2.tmp
c:\windows\system32\SETF4.tmp
c:\windows\system32\SETF5.tmp
c:\windows\system32\SETF6.tmp
c:\windows\system32\SETF7.tmp
c:\windows\system32\SETF9.tmp
c:\windows\system32\SETFA.tmp
c:\windows\system32\SETFB.tmp
c:\windows\system32\SETFC.tmp
c:\windows\system32\SETFD.tmp
c:\windows\system32\SETFE.tmp
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((((   Files Created from 2013-10-08 to 2013-11-08  )))))))))))))))))))))))))))))))
.
.
2013-11-08 17:27 . 2013-11-08 17:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2013-11-05 23:31 . 2013-10-14 06:39 7796464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F04EBF08-20F9-4602-AE02-0EABD432AC0D}\mpengine.dll
2013-11-05 19:53 . 2013-11-05 23:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-11-04 23:03 . 2013-11-05 19:52 105176 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2013-11-04 23:02 . 2013-11-05 19:51 47064 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2013-10-11 10:31 . 2013-10-11 10:31 -------- d-----w- c:\documents and settings\EMK\Application Data\Windows Desktop Search
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-11-04 19:05 . 2012-04-12 20:16 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-11-04 19:05 . 2011-07-12 20:51 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-23 18:33 . 2004-08-04 05:00 920064 ----a-w- c:\windows\system32\wininet.dll
2013-09-23 18:33 . 2004-08-04 05:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-09-23 18:33 . 2004-08-04 05:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-09-23 18:33 . 2004-08-04 05:00 18944 ----a-w- c:\windows\system32\corpol.dll
2013-09-23 18:06 . 2004-08-04 05:00 385024 ----a-w- c:\windows\system32\html.iec
2013-09-05 05:02 . 2013-09-29 19:39 7328304 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-08-29 01:31 . 2004-08-04 05:00 1878656 ----a-w- c:\windows\system32\win32k.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2006-06-29 110592]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-28 198160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-11-02 90448]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-08-12 995176]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 434080]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe  /startup [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LUMIX Simple Viewer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\LUMIX Simple Viewer.lnk
backup=c:\windows\pss\LUMIX Simple Viewer.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2004-10-12 16:54 57344 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-12-13 17:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2004-04-11 20:15 290816 -c----w- c:\program files\Dell\Media Experience\PCMService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 17:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2009-09-28 18:44 222728 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R1 MpKslbb08b574;MpKslbb08b574;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{050977AE-EF92-4890-A703-ED579F5AF2BB}\MpKslbb08b574.sys [x]
R2 gupdate1c9ed306e0f9d60;Google Update Service (gupdate1c9ed306e0f9d60);c:\program files\Google\Update\GoogleUpdate.exe [2009-06-14 133104]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2013-06-21 162408]
R3 ADMXGHMD;ADMXGHMD;c:\docume~1\Euan\LOCALS~1\Temp\ADMXGHMD.exe [x]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2009-11-02 36608]
R3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [2011-06-13 267568]
R3 RapportIaso;RapportIaso;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\baseline\rapportiaso.sys [2013-04-02 55448]
R3 v800bus;Sony Ericsson V800-Vodafone 802SE driver (WDM);c:\windows\system32\DRIVERS\v800bus.sys [2004-08-09 52416]
R3 v800mdfl;Sony Ericsson V800-Vodafone 802SE USB WMC Modem Filter;c:\windows\system32\DRIVERS\v800mdfl.sys [2004-08-09 6160]
R3 v800mdm;Sony Ericsson V800-Vodafone 802SE USB WMC Modem Driver;c:\windows\system32\DRIVERS\v800mdm.sys [2004-08-09 84544]
R3 v800mgmt;Sony Ericsson V800-Vodafone 802SE USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\v800mgmt.sys [2004-08-09 77760]
R3 v800obex;Sony Ericsson V800-Vodafone 802SE USB WMC OBEX Interface;c:\windows\system32\DRIVERS\v800obex.sys [2004-08-09 75584]
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-11-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-12 19:05]
.
2013-09-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 12:34]
.
2013-11-08 c:\windows\Tasks\ConfigExec.job
- c:\program files\Microsoft Fix it Center\MatsApi.dll [2011-06-13 21:09]
.
2013-11-05 c:\windows\Tasks\DataUpload.job
- c:\program files\Microsoft Fix it Center\MatsApi.dll [2011-06-13 21:09]
.
2013-11-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-14 20:40]
.
2013-11-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-14 20:40]
.
2005-03-10 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\OOBEBALN.EXE [2004-08-04 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = https://login.yahoo.com/config/login_verify2?&.src=ym
uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-NPSStartup - (no file)
SafeBoot-57656704.sys
SafeBoot-Wdf01000.sys
MSConfigStartUp-CTFMON - (no file)
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_05\bin\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-11-08 20:32
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2013-11-08  20:39:01
ComboFix-quarantined-files.txt  2013-11-08 20:38
.
Pre-Run: 23,062,097,920 bytes free
Post-Run: 23,717,298,176 bytes free
.
- - End Of File - - DBD524756500A7441787108162230967
B16A2359F4962B0C622D81A1C1F4B703
 

Thanks!

Link to post
Share on other sites

Lets clean out any adware now: (this will require a reboot so save all your work)

Please download AdwCleaner by Xplode and save to your Desktop.

Make sure you click on download buttons that look like this, not "sponsored ad links":

bleep-crop.jpg

  • Double click on AdwCleaner.exe to run the tool.

    Vista/Windows 7/8 users right-click and select Run As Administrator

  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.
Then..................

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how computer is running now, MrC

Link to post
Share on other sites

Hi MrC,

 

I ran AdwCleaner. It seemed to scan ok, although I was surprised that it only took about 1 minute to complete (after the length of time it took the previous scans I was expecting a bit longer!). The log file AdwCleaner[R0].txt file appeared. I clicked clean. The pc rebooted, but on restart, there was no AdwCleaner[s0].txt file. It didn't open automatically and it doesn't appear in the C:\AdwCleaner folder.

 

I have included AdwCleaner[R0].txt below in case that is of help...

 

# AdwCleaner v3.011 - Report created 08/11/2013 at 23:29:56
# Updated 03/11/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Euan - EILEEN
# Running from : C:\Documents and Settings\Euan\Desktop\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Found : HKCU\Software\IGearSettings
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : HKCU\Software\YahooPartnerToolbar
Key Found : HKLM\SOFTWARE\Classes\AppID\Launcher.EXE
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Found : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Found : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\Software\Viewpoint

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

*************************

AdwCleaner[R0].txt - [2768 octets] - [08/11/2013 23:29:56]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [2828 octets] ##########

 

 

 

Should I continue with Malwarebytes now?

 

Thanks!

Link to post
Share on other sites

I ran AdwCaleaner again and it came back clean.

 

I then ran Malwarebytes, which also came back with no detections...

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.11.08.10

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Euan :: EILEEN [administrator]

09/11/2013 00:12:05
mbam-log-2013-11-09 (00-12-05).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 290809
Time elapsed: 23 minute(s), 7 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

 

 

 

There doesn't seem to be anything apparently wrong with the running of the pc, although I haven't really used it to do anything particularly taxing.

 

Thanks.

Link to post
Share on other sites

OK.........

Lets check your computers security before you go and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get Unsupported operating system. Aborting now, just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!
MrC
Link to post
Share on other sites

 Results of screen317's Security Check version 0.99.76 
 Windows XP Service Pack 3 x86  
 Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
 Microsoft Security Essentials   
`````````Anti-malware/Other Utilities Check:`````````
 Out of date HijackThis  installed!
 SpywareBlaster 5.0   
 Malwarebytes Anti-Malware version 1.75.0.1300 
 HijackThis 2.0.2   
 Java 6 Update 29 
 Java version out of Date!
 Adobe Reader 9 Adobe Reader out of Date!
 Adobe Reader 10.1.8 Adobe Reader out of Date! 
````````Process Check: objlist.exe by Laurent```````` 
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 6%
````````````````````End of Log``````````````````````
 

Link to post
Share on other sites

Out dated programs on the system are vulnerable to malware.
Please update or uninstall them:


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Java™ 6 Update 29 <-----please uninstall from your add/remove programs
Java version out of Date! <-------Download and install the latest version (Java™ 7 Update 45) from Here. Uncheck the box to install the Ask toolbar!!! and any other free "stuff".

-----------------------------------

Adobe Reader 9 Adobe Reader out of Date! <----please uninstall from your add/remove programs

Adobe Reader 10.1.8 Adobe Reader out of Date! <---please check for an update if available or uninstall and download and install Foxit Reader which is less vulnerable to malware and much better than Adobe. Don't install any toolbars that may come with it (ASK Toolbar).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

cf2.jpg

Then hit enter.
This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)

---------------------------------

Please download OTC to your desktop.
http://oldtimer.geekstogo.com/OTC.exe

Double-click OTC to run it. (Vista and up users, please right click on OTC and select "Run as an Administrator")
Click on the CleanUp! button and follow the prompts.
(If you get a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow the connection.)
You will be asked to reboot the machine to finish the Cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.

Any other programs or logs you can manually delete.
IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, MBAR, etc....AdwCleaner > just run the program and click uninstall.

Note:
If you used FRST and can't delete the quarantine folder:
Download the fixlist.txt to the same folder as FRST.exe.
Run FRST.exe and click Fix only once and wait
That will delete the quarantine folder created by FRST.
The rest you can manually delete.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again. (also HERE)

Good Luck and Thanks for using the forum, MrC

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.