nothing found in MbAM scan

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Administrator at 13:03:06 on 2014-01-11
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.510.69 [GMT -5:00]
.
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Glary Utilities 4\Integrator.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.

BHO: AutorunsDisabled - <orphaned>
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
Trusted Zone: dell.com

TCP: NameServer = 192.168.2.1
TCP: Interfaces\{C0C88402-A8E7-4100-8484-EB809ECC9A04} : DHCPNameServer = 192.168.2.1
Filter: AutorunsDisabled - <Clsid value has no data>
Handler: AutorunsDisabled - <Clsid value has no data>
Notify: AutorunsDisabled - <no file>
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - <no file>
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\0z9g0wqn.default\
FF - prefs.js: browser.startup.homepage - www.bn9.com
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.22.3\npGoogleUpdate3.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_8_800_94.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2014-1-11 40776]
S0 BootDefragDriver;BootDefragDriver;c:\windows\system32\drivers\bootdefragdriver.sys --> c:\windows\system32\drivers\BootDefragDriver.sys [?]
S3 RkHit;RkHit;\??\c:\windows\system32\drivers\rkhit.sys --> c:\windows\system32\drivers\RKHit.sys [?]
S4 EraserUtilDrvI13;EraserUtilDrvI13;\??\c:\program files\common files\symantec shared\eengine\eraserutildrvi13.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrvI13.sys [?]
S4 gupdate1ca2f215799a516;Google Update Service (gupdate1ca2f215799a516);c:\program files\google\update\GoogleUpdate.exe [2009-9-6 133104]
S4 lfyuktmj;lfyuktmj;\??\c:\windows\system32\drivers\lfyuktmj.sys --> c:\windows\system32\drivers\lfyuktmj.sys [?]
S4 MpKsl1f5afa21;MpKsl1f5afa21;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d82c527b-3632-4166-9a6d-c9c446d8e58c}\mpksl1f5afa21.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d82c527b-3632-4166-9a6d-c9c446d8e58c}\MpKsl1f5afa21.sys [?]
S4 MpKsl2508cadc;MpKsl2508cadc;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2a59e924-0d71-4023-af30-c58b90384a31}\mpksl2508cadc.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2a59e924-0d71-4023-af30-c58b90384a31}\MpKsl2508cadc.sys [?]
S4 MpKsl2da05ecf;MpKsl2da05ecf;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{223843f2-32a1-4ac5-b747-62f70249ff81}\mpksl2da05ecf.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{223843f2-32a1-4ac5-b747-62f70249ff81}\MpKsl2da05ecf.sys [?]
S4 MpKsl2f9684e1;MpKsl2f9684e1;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{223843f2-32a1-4ac5-b747-62f70249ff81}\mpksl2f9684e1.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{223843f2-32a1-4ac5-b747-62f70249ff81}\MpKsl2f9684e1.sys [?]
S4 MpKsl319cc867;MpKsl319cc867;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{223843f2-32a1-4ac5-b747-62f70249ff81}\mpksl319cc867.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{223843f2-32a1-4ac5-b747-62f70249ff81}\MpKsl319cc867.sys [?]
S4 MpKsl42492786;MpKsl42492786;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{deb08d1d-2c74-40d2-8346-59e0724aa49b}\mpksl42492786.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{deb08d1d-2c74-40d2-8346-59e0724aa49b}\MpKsl42492786.sys [?]
S4 MpKsl5adf4886;MpKsl5adf4886;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{deb08d1d-2c74-40d2-8346-59e0724aa49b}\mpksl5adf4886.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{deb08d1d-2c74-40d2-8346-59e0724aa49b}\MpKsl5adf4886.sys [?]
S4 MpKsl5f79c885;MpKsl5f79c885;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{223843f2-32a1-4ac5-b747-62f70249ff81}\mpksl5f79c885.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{223843f2-32a1-4ac5-b747-62f70249ff81}\MpKsl5f79c885.sys [?]
S4 MpKsla558c2cb;MpKsla558c2cb;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2a59e924-0d71-4023-af30-c58b90384a31}\mpksla558c2cb.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2a59e924-0d71-4023-af30-c58b90384a31}\MpKsla558c2cb.sys [?]
S4 MpKsla8653661;MpKsla8653661;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d095a7e0-5388-4394-a943-adfd38ecc23a}\mpksla8653661.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d095a7e0-5388-4394-a943-adfd38ecc23a}\MpKsla8653661.sys [?]
S4 MpKslc2415b82;MpKslc2415b82;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{deb08d1d-2c74-40d2-8346-59e0724aa49b}\mpkslc2415b82.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{deb08d1d-2c74-40d2-8346-59e0724aa49b}\MpKslc2415b82.sys [?]
S4 MpKslc683f139;MpKslc683f139;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{deb08d1d-2c74-40d2-8346-59e0724aa49b}\mpkslc683f139.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{deb08d1d-2c74-40d2-8346-59e0724aa49b}\MpKslc683f139.sys [?]
S4 MpKslef6202ee;MpKslef6202ee;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{83b028d0-b67d-4f62-8b5f-80107de96a27}\mpkslef6202ee.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{83b028d0-b67d-4f62-8b5f-80107de96a27}\MpKslef6202ee.sys [?]
S4 MpKslf8329613;MpKslf8329613;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{deb08d1d-2c74-40d2-8346-59e0724aa49b}\mpkslf8329613.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{deb08d1d-2c74-40d2-8346-59e0724aa49b}\MpKslf8329613.sys [?]
S4 nflrxmjo;nflrxmjo;\??\c:\windows\system32\drivers\nflrxmjo.sys --> c:\windows\system32\drivers\nflrxmjo.sys [?]
.
=============== Created Last 30 ================
.
2014-01-11 17:38:02    40776    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2014-01-09 00:01:45    --------    dc----w-    C:\FRST
.
==================== Find3M  ====================
.
2013-11-19 03:57:02    101664    ----a-w-    c:\windows\system32\BootDefrag.exe
2013-11-13 02:59:42    150528    ----a-w-    c:\windows\system32\imagehlp.dll
2013-11-07 05:38:51    591360    ----a-w-    c:\windows\system32\rpcrt4.dll
2013-11-06 01:03:31    7168    ----a-w-    c:\windows\system32\xpsp4res.dll
2013-10-30 02:26:17    1879040    ----a-w-    c:\windows\system32\win32k.sys
2013-10-29 07:57:34    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-10-29 07:57:33    43520    ------w-    c:\windows\system32\licmgr10.dll
2013-10-29 07:57:33    18944    ------w-    c:\windows\system32\corpol.dll
2013-10-29 07:57:33    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-10-29 00:45:02    385024    ----a-w-    c:\windows\system32\html.iec
2013-10-23 23:45:49    172032    ----a-w-    c:\windows\system32\scrrun.dll
.
============= FINISH: 13:03:20.97 ===============
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 6/20/2011 8:43:38 PM
System Uptime: 1/11/2014 11:53:39 AM (2 hours ago)
.
Motherboard: Dell Computer Corporation |  | OptiPlex GX260               
Processor:               Intel® Pentium® 4 CPU 2.26GHz | Microprocessor | 2258/533mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 37 GiB total, 7.949 GiB free.
D: is Removable
E: is CDROM ()
F: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1: 12/12/2013 8:45:09 PM - System Checkpoint
RP2: 12/12/2013 8:50:00 PM - Software Distribution Service 3.0
RP3: 12/13/2013 9:52:12 PM - System Checkpoint
RP4: 12/14/2013 10:19:31 PM - System Checkpoint
RP5: 12/15/2013 9:41:47 AM - Installed Java 7 Update 45
RP6: 12/16/2013 10:38:23 AM - System Checkpoint
RP7: 12/17/2013 11:18:21 AM - System Checkpoint
RP8: 12/18/2013 2:45:36 PM - System Checkpoint
RP9: 12/19/2013 4:49:16 PM - System Checkpoint
RP10: 12/20/2013 5:44:24 PM - System Checkpoint
RP11: 12/21/2013 10:23:14 PM - System Checkpoint
RP12: 12/22/2013 10:24:02 PM - System Checkpoint
RP13: 12/23/2013 11:19:26 PM - System Checkpoint
RP14: 12/25/2013 12:29:14 AM - System Checkpoint
RP15: 12/26/2013 1:18:24 AM - System Checkpoint
RP16: 12/27/2013 7:48:04 AM - System Checkpoint
RP17: 12/28/2013 8:05:14 AM - System Checkpoint
RP18: 12/29/2013 9:05:19 AM - System Checkpoint
RP19: 12/30/2013 10:03:27 AM - System Checkpoint
RP20: 12/31/2013 10:47:27 AM - System Checkpoint
RP21: 1/4/2014 11:07:43 AM - System Checkpoint
RP22: 1/5/2014 12:04:34 PM - System Checkpoint
RP23: 1/6/2014 3:20:42 PM - System Checkpoint
RP24: 1/7/2014 4:11:38 PM - System Checkpoint
RP25: 1/8/2014 8:32:24 PM - System Checkpoint
RP26: 1/9/2014 9:48:15 PM - System Checkpoint
RP27: 1/10/2014 10:17:45 PM - System Checkpoint
.
==== Installed Programs ======================
.
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader XI (11.0.03)
Adobe SVG Viewer 6.0
AnyDVD
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Belkin Setup and Router Monitor
Bonjour
CCleaner
CloneCD
CloneDVD2
Dell System Detect
DJ_SF_03_D1500_Software_Min
Glary Utilities 4.0
Google Earth
Google Update Helper
HitmanPro 3.7
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
HP Deskjet D1500 Printer Driver 10.0 Rel .3
Intel® Extreme Graphics Driver
Intel® PRO Network Adapters and Drivers
iTunes
Java 7 Update 40
Java Auto Updater
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Office Professional Edition 2003
Mozilla Firefox 26.0 (x86 en-US)
Mozilla Maintenance Service
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
My Dell
Nero OEM
PowerDVD
QuickTime
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2840629)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2861697)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Internet Explorer 8 (KB2761465)
Security Update for Windows Internet Explorer 8 (KB2792100)
Security Update for Windows Internet Explorer 8 (KB2797052)
Security Update for Windows Internet Explorer 8 (KB2799329)
Security Update for Windows Internet Explorer 8 (KB2809289)
Security Update for Windows Internet Explorer 8 (KB2817183)
Security Update for Windows Internet Explorer 8 (KB2829530)
Security Update for Windows Internet Explorer 8 (KB2838727)
Security Update for Windows Internet Explorer 8 (KB2846071)
Security Update for Windows Internet Explorer 8 (KB2847204)
Security Update for Windows Internet Explorer 8 (KB2862772)
Security Update for Windows Internet Explorer 8 (KB2870699)
Security Update for Windows Internet Explorer 8 (KB2879017)
Security Update for Windows Internet Explorer 8 (KB2888505)
Security Update for Windows Internet Explorer 8 (KB2898785)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
SoundMAX
Toolbox
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB2598845)
Update for Windows Internet Explorer 8 (KB976662)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
.
==== Event Viewer Messages From Past Week ========
.
1/7/2014 9:44:02 PM, error: Service Control Manager [7031]  - The Print Spooler service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
1/7/2014 9:36:43 PM, error: Service Control Manager [7031]  - The Print Spooler service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
1/7/2014 8:56:51 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
1/7/2014 8:06:41 PM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  Fips intelppm
1/7/2014 8:06:05 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
1/7/2014 3:30:30 AM, error: Dhcp [1002]  - The IP address lease 192.168.2.2 for the Network Card with network address 00087425F1B0 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
1/6/2014 6:34:49 PM, error: Service Control Manager [7000]  - The Process creation detector. service failed to start due to the following error:  The system cannot find the file specified.
.
==== End Of File ===========================

Hello camq and welcome! My name is Borislav and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend that you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  • Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.
Note: Please do not run this tool without the special supervision and instructions of someone authorized to do so. Otherwise, you could end up with serious problems. For more details, read this article: ComboFix usage, Questions, Help? - Look here

Please visit this webpage and read the ComboFix User's Guide:

  • Once you've read the article and are ready to use the program you can download it directly from the link below.
  • Important! - Please make sure you save ComboFix to your desktop and do not run it from your browser.
  • Direct download link for: ComboFix.exe
  • Please make sure you disable your security applications before running ComboFix.
  • Once ComboFix has completed, it will produce and open a log file. Please be patient as it can take some time to load.
  • Please copy/paste the contents or attach that log file to your next reply.
  • If needed, the file can be located here: C:\combofix.txt
  • NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

combofix log file:

ComboFix 14-01-08.03 - Administrator 01/12/2014   8:41.1.1 - x86 NETWORK
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.510.375 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\Dell
c:\documents and settings\All Users\Application Data\18407204
c:\program files\Shared
c:\windows\system32\user32.DLLA18FCF89
c:\windows\system32\user32.DLLB82E6407
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_RKHIT
-------\Service_RkHit
.
.
(((((((((((((((((((((((((   Files Created from 2013-12-12 to 2014-01-12  )))))))))))))))))))))))))))))))
.
.
2014-01-11 17:38 . 2014-01-11 17:38    40776    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2014-01-09 00:01 . 2014-01-11 16:25    --------    dc----w-    C:\FRST
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-11-19 03:57 . 2013-12-07 18:14    101664    ----a-w-    c:\windows\system32\BootDefrag.exe
2013-11-13 02:59 . 2004-08-04 12:00    150528    ----a-w-    c:\windows\system32\imagehlp.dll
2013-11-07 05:38 . 2004-08-04 12:00    591360    ----a-w-    c:\windows\system32\rpcrt4.dll
2013-11-06 01:03 . 2009-04-16 19:58    7168    ----a-w-    c:\windows\system32\xpsp4res.dll
2013-10-30 02:26 . 2004-08-04 12:00    1879040    ----a-w-    c:\windows\system32\win32k.sys
2013-10-29 07:57 . 2004-08-04 12:00    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-10-29 07:57 . 2004-08-04 12:00    43520    ------w-    c:\windows\system32\licmgr10.dll
2013-10-29 07:57 . 2004-08-04 12:00    18944    ------w-    c:\windows\system32\corpol.dll
2013-10-29 07:57 . 2004-08-04 12:00    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-10-29 00:45 . 2004-08-04 12:00    385024    ----a-w-    c:\windows\system32\html.iec
2013-10-23 23:45 . 2004-08-04 12:00    172032    ----a-w-    c:\windows\system32\scrrun.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RkHit.sys]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^_uninst_.lnk]
backup=c:\windows\pss\_uninst_.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^desktop(2).ini]
backup=c:\windows\pss\desktop(2).iniCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-05-11 10:37    958576    ----a-w-    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-09-27 11:22    59240    ----a-w-    c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
2005-05-19 13:47    57344    ----a-w-    c:\program files\SlySoft\CloneCD\CloneCDTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12    15360    ----a-w-    c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GUDelayStartup]
2013-11-19 03:55    37152    ----a-w-    c:\program files\Glary Utilities 4\StartupManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2006-05-25 13:43    126976    ----a-w-    c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2006-05-25 13:43    155648    ----a-w-    c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-10-09 22:06    421736    -c--a-w-    c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 10:42    1695232    ------w-    c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50    155648    -c--a-w-    c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-05 22:36    421888    ----a-w-    c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2013-07-02 13:16    254336    ----a-w-    c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=2 (0x2)
"SavRoam"=3 (0x3)
"MsMpSvc"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"MozillaMaintenance"=3 (0x3)
"MDM"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"HotKeysCmds"="c:\windows\system32\hkcmd.exe"
"InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" startup
"IgfxTray"="c:\windows\system32\igfxtray.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
.
S0 BootDefragDriver;BootDefragDriver;c:\windows\system32\drivers\BootDefragDriver.sys --> c:\windows\system32\drivers\BootDefragDriver.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [1/11/2014 12:38 PM 40776]
S4 EraserUtilDrvI13;EraserUtilDrvI13;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI13.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI13.sys [?]
S4 gupdate1ca2f215799a516;Google Update Service (gupdate1ca2f215799a516);c:\program files\Google\Update\GoogleUpdate.exe [9/6/2009 1:39 PM 133104]
S4 lfyuktmj;lfyuktmj;\??\c:\windows\system32\drivers\lfyuktmj.sys --> c:\windows\system32\drivers\lfyuktmj.sys [?]
S4 MpKsl1f5afa21;MpKsl1f5afa21;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D82C527B-3632-4166-9A6D-C9C446D8E58C}\MpKsl1f5afa21.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D82C527B-3632-4166-9A6D-C9C446D8E58C}\MpKsl1f5afa21.sys [?]
S4 MpKsl2508cadc;MpKsl2508cadc;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2A59E924-0D71-4023-AF30-C58B90384A31}\MpKsl2508cadc.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2A59E924-0D71-4023-AF30-C58B90384A31}\MpKsl2508cadc.sys [?]
S4 MpKsl2da05ecf;MpKsl2da05ecf;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{223843F2-32A1-4AC5-B747-62F70249FF81}\MpKsl2da05ecf.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{223843F2-32A1-4AC5-B747-62F70249FF81}\MpKsl2da05ecf.sys [?]
S4 MpKsl2f9684e1;MpKsl2f9684e1;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{223843F2-32A1-4AC5-B747-62F70249FF81}\MpKsl2f9684e1.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{223843F2-32A1-4AC5-B747-62F70249FF81}\MpKsl2f9684e1.sys [?]
S4 MpKsl319cc867;MpKsl319cc867;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{223843F2-32A1-4AC5-B747-62F70249FF81}\MpKsl319cc867.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{223843F2-32A1-4AC5-B747-62F70249FF81}\MpKsl319cc867.sys [?]
S4 MpKsl42492786;MpKsl42492786;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DEB08D1D-2C74-40D2-8346-59E0724AA49B}\MpKsl42492786.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DEB08D1D-2C74-40D2-8346-59E0724AA49B}\MpKsl42492786.sys [?]
S4 MpKsl5adf4886;MpKsl5adf4886;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DEB08D1D-2C74-40D2-8346-59E0724AA49B}\MpKsl5adf4886.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DEB08D1D-2C74-40D2-8346-59E0724AA49B}\MpKsl5adf4886.sys [?]
S4 MpKsl5f79c885;MpKsl5f79c885;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{223843F2-32A1-4AC5-B747-62F70249FF81}\MpKsl5f79c885.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{223843F2-32A1-4AC5-B747-62F70249FF81}\MpKsl5f79c885.sys [?]
S4 MpKsla558c2cb;MpKsla558c2cb;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2A59E924-0D71-4023-AF30-C58B90384A31}\MpKsla558c2cb.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2A59E924-0D71-4023-AF30-C58B90384A31}\MpKsla558c2cb.sys [?]
S4 MpKsla8653661;MpKsla8653661;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D095A7E0-5388-4394-A943-ADFD38ECC23A}\MpKsla8653661.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D095A7E0-5388-4394-A943-ADFD38ECC23A}\MpKsla8653661.sys [?]
S4 MpKslc2415b82;MpKslc2415b82;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DEB08D1D-2C74-40D2-8346-59E0724AA49B}\MpKslc2415b82.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DEB08D1D-2C74-40D2-8346-59E0724AA49B}\MpKslc2415b82.sys [?]
S4 MpKslc683f139;MpKslc683f139;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DEB08D1D-2C74-40D2-8346-59E0724AA49B}\MpKslc683f139.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DEB08D1D-2C74-40D2-8346-59E0724AA49B}\MpKslc683f139.sys [?]
S4 MpKslef6202ee;MpKslef6202ee;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{83B028D0-B67D-4F62-8B5F-80107DE96A27}\MpKslef6202ee.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{83B028D0-B67D-4F62-8B5F-80107DE96A27}\MpKslef6202ee.sys [?]
S4 MpKslf8329613;MpKslf8329613;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DEB08D1D-2C74-40D2-8346-59E0724AA49B}\MpKslf8329613.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DEB08D1D-2C74-40D2-8346-59E0724AA49B}\MpKslf8329613.sys [?]
S4 nflrxmjo;nflrxmjo;\??\c:\windows\system32\drivers\nflrxmjo.sys --> c:\windows\system32\drivers\nflrxmjo.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2014-01-12 c:\windows\Tasks\GlaryInitialize 4.job
- c:\program files\Glary Utilities 4\Initialize.exe [2013-11-19 03:53]
.
2013-12-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-06 18:39]
.
2013-12-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-06 18:39]
.
.
------- Supplementary Scan -------
.

uInternet Settings,ProxyOverride = *.local
Trusted Zone: dell.com
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0z9g0wqn.default\
FF - prefs.js: browser.startup.homepage - www.bn9.com
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
Notify-AutorunsDisabled - crypt32.dll    cryptnet.dll
Notify-NavLogon - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-01-12 08:58
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-842925246-2111687655-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,38,6c,b6,78,59,c6,4a,42,83,d7,ea,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,38,6c,b6,78,59,c6,4a,42,83,d7,ea,\
.
[HKEY_USERS\S-1-5-21-842925246-2111687655-682003330-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Glary Utilities 4\Integrator.exe
.
**************************************************************************
.
Completion time: 2014-01-12  09:07:58 - machine was rebooted
ComboFix-quarantined-files.txt  2014-01-12 14:07
.
Pre-Run: 8,426,209,280 bytes free
Post-Run: 8,840,019,968 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - F63BC99480236BEBB66ECF54419BAA14
8F558EB6672622401DA993E1E865C861
 


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Driver::

lfyuktmj

nflrxmjo

File::

c:\windows\system32\drivers\lfyuktmj.sys

c:\windows\system32\drivers\nflrxmjo.sys

JavaClearCache::

KillAll::

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


ComboFix 14-01-08.03 - Administrator 01/12/2014  11:31:03.2.1 - x86 NETWORK
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.510.373 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.
FILE ::
"c:\windows\system32\drivers\lfyuktmj.sys"
"c:\windows\system32\drivers\nflrxmjo.sys"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_lfyuktmj
-------\Service_nflrxmjo
.
.
(((((((((((((((((((((((((   Files Created from 2013-12-12 to 2014-01-12  )))))))))))))))))))))))))))))))
.
.
2014-01-11 17:38 . 2014-01-11 17:38    40776    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2014-01-09 00:01 . 2014-01-11 16:25    --------    dc----w-    C:\FRST
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-11-19 03:57 . 2013-12-07 18:14    101664    ----a-w-    c:\windows\system32\BootDefrag.exe
2013-11-13 02:59 . 2004-08-04 12:00    150528    ----a-w-    c:\windows\system32\imagehlp.dll
2013-11-07 05:38 . 2004-08-04 12:00    591360    ----a-w-    c:\windows\system32\rpcrt4.dll
2013-11-06 01:03 . 2009-04-16 19:58    7168    ----a-w-    c:\windows\system32\xpsp4res.dll
2013-10-30 02:26 . 2004-08-04 12:00    1879040    ----a-w-    c:\windows\system32\win32k.sys
2013-10-29 07:57 . 2004-08-04 12:00    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-10-29 07:57 . 2004-08-04 12:00    43520    ------w-    c:\windows\system32\licmgr10.dll
2013-10-29 07:57 . 2004-08-04 12:00    18944    ------w-    c:\windows\system32\corpol.dll
2013-10-29 07:57 . 2004-08-04 12:00    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-10-29 00:45 . 2004-08-04 12:00    385024    ----a-w-    c:\windows\system32\html.iec
2013-10-23 23:45 . 2004-08-04 12:00    172032    ----a-w-    c:\windows\system32\scrrun.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RkHit.sys]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^_uninst_.lnk]
backup=c:\windows\pss\_uninst_.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^desktop(2).ini]
backup=c:\windows\pss\desktop(2).iniCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-05-11 10:37    958576    ----a-w-    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-09-27 11:22    59240    ----a-w-    c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
2005-05-19 13:47    57344    ----a-w-    c:\program files\SlySoft\CloneCD\CloneCDTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12    15360    ----a-w-    c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GUDelayStartup]
2013-11-19 03:55    37152    ----a-w-    c:\program files\Glary Utilities 4\StartupManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2006-05-25 13:43    126976    ----a-w-    c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2006-05-25 13:43    155648    ----a-w-    c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-10-09 22:06    421736    -c--a-w-    c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 10:42    1695232    ------w-    c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50    155648    -c--a-w-    c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-05 22:36    421888    ----a-w-    c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2013-07-02 13:16    254336    ----a-w-    c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=2 (0x2)
"SavRoam"=3 (0x3)
"MsMpSvc"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"MozillaMaintenance"=3 (0x3)
"MDM"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"HotKeysCmds"="c:\windows\system32\hkcmd.exe"
"InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" startup
"IgfxTray"="c:\windows\system32\igfxtray.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
.
S0 BootDefragDriver;BootDefragDriver;c:\windows\system32\drivers\BootDefragDriver.sys --> c:\windows\system32\drivers\BootDefragDriver.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [1/11/2014 12:38 PM 40776]
S4 EraserUtilDrvI13;EraserUtilDrvI13;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI13.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI13.sys [?]
S4 gupdate1ca2f215799a516;Google Update Service (gupdate1ca2f215799a516);c:\program files\Google\Update\GoogleUpdate.exe [9/6/2009 1:39 PM 133104]
S4 MpKsl1f5afa21;MpKsl1f5afa21;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D82C527B-3632-4166-9A6D-C9C446D8E58C}\MpKsl1f5afa21.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D82C527B-3632-4166-9A6D-C9C446D8E58C}\MpKsl1f5afa21.sys [?]
S4 MpKsl2508cadc;MpKsl2508cadc;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2A59E924-0D71-4023-AF30-C58B90384A31}\MpKsl2508cadc.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2A59E924-0D71-4023-AF30-C58B90384A31}\MpKsl2508cadc.sys [?]
S4 MpKsl2da05ecf;MpKsl2da05ecf;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{223843F2-32A1-4AC5-B747-62F70249FF81}\MpKsl2da05ecf.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{223843F2-32A1-4AC5-B747-62F70249FF81}\MpKsl2da05ecf.sys [?]
S4 MpKsl2f9684e1;MpKsl2f9684e1;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{223843F2-32A1-4AC5-B747-62F70249FF81}\MpKsl2f9684e1.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{223843F2-32A1-4AC5-B747-62F70249FF81}\MpKsl2f9684e1.sys [?]
S4 MpKsl319cc867;MpKsl319cc867;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{223843F2-32A1-4AC5-B747-62F70249FF81}\MpKsl319cc867.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{223843F2-32A1-4AC5-B747-62F70249FF81}\MpKsl319cc867.sys [?]
S4 MpKsl42492786;MpKsl42492786;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DEB08D1D-2C74-40D2-8346-59E0724AA49B}\MpKsl42492786.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DEB08D1D-2C74-40D2-8346-59E0724AA49B}\MpKsl42492786.sys [?]
S4 MpKsl5adf4886;MpKsl5adf4886;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DEB08D1D-2C74-40D2-8346-59E0724AA49B}\MpKsl5adf4886.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DEB08D1D-2C74-40D2-8346-59E0724AA49B}\MpKsl5adf4886.sys [?]
S4 MpKsl5f79c885;MpKsl5f79c885;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{223843F2-32A1-4AC5-B747-62F70249FF81}\MpKsl5f79c885.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{223843F2-32A1-4AC5-B747-62F70249FF81}\MpKsl5f79c885.sys [?]
S4 MpKsla558c2cb;MpKsla558c2cb;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2A59E924-0D71-4023-AF30-C58B90384A31}\MpKsla558c2cb.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2A59E924-0D71-4023-AF30-C58B90384A31}\MpKsla558c2cb.sys [?]
S4 MpKsla8653661;MpKsla8653661;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D095A7E0-5388-4394-A943-ADFD38ECC23A}\MpKsla8653661.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D095A7E0-5388-4394-A943-ADFD38ECC23A}\MpKsla8653661.sys [?]
S4 MpKslc2415b82;MpKslc2415b82;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DEB08D1D-2C74-40D2-8346-59E0724AA49B}\MpKslc2415b82.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DEB08D1D-2C74-40D2-8346-59E0724AA49B}\MpKslc2415b82.sys [?]
S4 MpKslc683f139;MpKslc683f139;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DEB08D1D-2C74-40D2-8346-59E0724AA49B}\MpKslc683f139.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DEB08D1D-2C74-40D2-8346-59E0724AA49B}\MpKslc683f139.sys [?]
S4 MpKslef6202ee;MpKslef6202ee;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{83B028D0-B67D-4F62-8B5F-80107DE96A27}\MpKslef6202ee.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{83B028D0-B67D-4F62-8B5F-80107DE96A27}\MpKslef6202ee.sys [?]
S4 MpKslf8329613;MpKslf8329613;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DEB08D1D-2C74-40D2-8346-59E0724AA49B}\MpKslf8329613.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DEB08D1D-2C74-40D2-8346-59E0724AA49B}\MpKslf8329613.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2014-01-12 c:\windows\Tasks\GlaryInitialize 4.job
- c:\program files\Glary Utilities 4\Initialize.exe [2013-11-19 03:53]
.
2013-12-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-06 18:39]
.
2013-12-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-06 18:39]
.
.
------- Supplementary Scan -------
.

uInternet Settings,ProxyOverride = *.local
Trusted Zone: dell.com
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0z9g0wqn.default\
FF - prefs.js: browser.startup.homepage - www.bn9.com
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-01-12 11:47
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-842925246-2111687655-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,38,6c,b6,78,59,c6,4a,42,83,d7,ea,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,38,6c,b6,78,59,c6,4a,42,83,d7,ea,\
.
[HKEY_USERS\S-1-5-21-842925246-2111687655-682003330-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Glary Utilities 4\Integrator.exe
.
**************************************************************************
.
Completion time: 2014-01-12  11:54:59 - machine was rebooted
ComboFix-quarantined-files.txt  2014-01-12 16:54
ComboFix2.txt  2014-01-12 14:07
.
Pre-Run: 8,839,614,464 bytes free
Post-Run: 8,845,393,920 bytes free
.
- - End Of File - - 3AD6E842A527B99CF05C7D4588E5E654
8F558EB6672622401DA993E1E865C861
 


Please scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.

    ESET OnlineScan

  • Click the ESET OnlineScan button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer.

      Save it to your Desktop.

    • Double click on the esetsmartinstaller_enu.exe icon on your Desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under Scan Settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

ESET scan results:

 

C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0z9g0wqn.default\prefs-1.js    JS/SecurityDisabler.A.Gen application    cleaned by deleting - quarantined
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0z9g0wqn.default\prefs-2.js    JS/SecurityDisabler.A.Gen application    cleaned by deleting - quarantined
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0z9g0wqn.default\prefs-3.js    JS/SecurityDisabler.A.Gen application    cleaned by deleting - quarantined
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0z9g0wqn.default\prefs.js    JS/SecurityDisabler.A.Gen application    cleaned by deleting - quarantined
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0z9g0wqn.default\prefs.js.BAK    JS/SecurityDisabler.A.Gen application    cleaned by deleting - quarantined
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0z9g0wqn.default\user.js    JS/SecurityDisabler.A.Gen application    cleaned by deleting - quarantined
C:\Documents and Settings\Administrator\My Documents\SpywareCease_Setup(Lite).exe    multiple threats    cleaned by deleting - quarantined
C:\System Volume Information\_restore{1C3314E3-C435-490A-B588-D395F59EFC52}\RP12\A0012086.exe    Win32/Adware.SpywareCease.AD application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{1C3314E3-C435-490A-B588-D395F59EFC52}\RP12\A0012090.dll    a variant of Win32/Adware.SpywareCease.AC application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{1C3314E3-C435-490A-B588-D395F59EFC52}\RP12\A0012095.dll    Win32/Adware.SpywareCease.AA application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{1C3314E3-C435-490A-B588-D395F59EFC52}\RP12\A0012096.sys    Win32/Adware.SpywareCease application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{1C3314E3-C435-490A-B588-D395F59EFC52}\RP12\A0012097.dll    Win32/Adware.SpywareCease application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{1C3314E3-C435-490A-B588-D395F59EFC52}\RP12\A0012099.exe    Win32/Adware.SpywareCease.AD application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{1C3314E3-C435-490A-B588-D395F59EFC52}\RP12\A0012100.exe    a variant of Win32/Adware.SpywareCease application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{1C3314E3-C435-490A-B588-D395F59EFC52}\RP27\A0020145.exe    multiple threats    cleaned by deleting - quarantined
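The ESET entries above flag the Firefox prefs.js and user.js files as JS/SecurityDisabler, and the "FF - user.js:" lines in the ComboFix log show why: the browser's mixed-content and insecure-form warnings were switched off. As an added example (not part of this thread, ComboFix or ESET), here is a Python check that parses those ComboFix "FF - ..." lines and flags the security-weakening values; the sample lines are copied from this thread's log, and the severity rules are the author's own assumption, not ESET's signature.

```python
import re
from typing import Iterator, List, NamedTuple, Optional

# Constructed sample: the Firefox section of ComboFix's "Supplementary Scan",
# as printed in this thread's log (raw string, so the backslashes are literal).
SAMPLE_LOG = r"""
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0z9g0wqn.default\
FF - prefs.js: browser.startup.homepage - www.bn9.com
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
"""

# ComboFix prints one pref per line as "FF - <file>: <pref> - <value>".
LINE_RE = re.compile(
    r"^FF - (?P<file>prefs\.js|user\.js): (?P<pref>[\w.\-]+) - (?P<value>.*?)\s*$"
)


class Pref(NamedTuple):
    file: str   # "prefs.js" or "user.js"
    name: str
    value: str


class Finding(NamedTuple):
    pref: Pref
    severity: str   # "high", "medium", "low" or "info"
    reason: str


def parse_ff_prefs(log_text: str) -> Iterator[Pref]:
    """Yield the Firefox preference lines found in a ComboFix log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield Pref(m["file"], m["pref"], m["value"])


def check_pref(p: Pref) -> Optional[Finding]:
    """Apply the (assumed) rules for one pref; None means nothing to report."""
    val = p.value.strip().lower()
    # A silenced security.warn_* prompt is exactly what a "security disabler"
    # user.js does: Firefox stops warning about mixed content / insecure forms.
    if p.name.startswith("security.warn_") and val == "false":
        return Finding(p, "high", "browser security warning disabled")
    # user.js is re-applied at every start, so a security.* override there
    # survives a prefs.js cleanup and must be removed from user.js itself.
    if p.file == "user.js" and p.name.startswith("security."):
        return Finding(p, "medium", "security pref forced by user.js")
    # 1 = manual proxy, 2 = PAC script: worth verifying on a suspect machine.
    if p.name == "network.proxy.type" and val in ("1", "2"):
        return Finding(p, "medium", "manual or PAC proxy configured")
    if p.name == "privacy.clearOnShutdown.cookies" and val == "false":
        return Finding(p, "low", "cookies kept across sessions")
    if p.name == "network.cookie.cookieBehavior" and val == "0":
        return Finding(p, "low", "all cookies accepted")
    if p.name == "browser.startup.homepage":
        return Finding(p, "info", "start page set; confirm it is the user's choice")
    return None


def analyze(log_text: str) -> List[Finding]:
    """Run every Firefox pref line in the log through check_pref()."""
    return [f for f in (check_pref(p) for p in parse_ff_prefs(log_text)) if f]


def is_security_disabler(findings: List[Finding]) -> bool:
    """True when at least one browser security warning has been turned off."""
    return any(f.severity == "high" for f in findings)


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.pref.file}: {f.pref.name} = {f.pref.value}  ({f.reason})")
    print("security disabler pattern:", is_security_disabler(results))
```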
 


followed the MS support article as suggested

 

 

At this point there are no apparent changes or improvements from Jan 11

 

 

Same issues: hidden desktop icons, limited use of commands (some will start but get shut off by ???), most of C files and folders are hidden

 

 

Again, all of these issues are non-existent in safe-mode

 

 

Anything else you can recommend trying, Maniac?

 

Thanks


Step 1

Please download unhide.exe from here and save it to your Desktop. Double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run. When Unhide is complete, it will create a logfile on the Windows Desktop called Unhide.txt. Post the log file in your next reply here.

Step 2

Please download Rkill by Grinler from one of the links below and save it to your desktop.

Link 1

Link 2

  • On Windows XP double-click on the Rkill desktop icon to run the tool.
  • On Windows Vista/Windows 7 or 8, right-click on the Rkill desktop icon and select Run As Administrator
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
  • Do not reboot the computer, you will need to run the application again.
Step 3

Please download the Kaspersky Virus Removal Tool from here to your Desktop.

Double-click the Removal Tool.

Click the cog in the upper right corner:

AVPfront.gif

Select down to and including your main drive.

Once done please select the Automatic Scan tab and press Start Scan.

avpsettings.gif

Allow AVP to delete all infections found.

Once it has finished select the Report tab.

Select the Detected threats report from the left and press the Save button.

Save it to your Desktop and post the contents in your next reply.

In your next reply, post the following log files:

  • unhide log
  • RKill log
  • Kaspersky AVP log

unhide:

 

Unhide by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Unhide.exe can be found at this link:
  http://www.bleepingcomputer.com/forums/topic405109.html

Program started at: 01/19/2014 06:10:48 PM
Windows Version: Windows XP

Please be patient while your files are made visible again.

Processing the A:\ drive
Finished processing the A:\ drive. 0 files processed.

Processing the C:\ drive
Finished processing the C:\ drive. 62913 files processed.

Processing the D:\ drive
Finished processing the D:\ drive. 0 files processed.

The C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\smtmp\ folder does not exist!!
Unhide cannot restore your missing shortcuts!!
Please see this topic in order to learn how to restore default
Start Menu shortcuts: http://www.bleepingcomputer.com/forums/topic405109.html

Searching for Windows Registry changes made by FakeHDD rogues.
 - Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
 - Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
 - Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
 - Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
 - Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
No registry changes detected.

Program finished at: 01/19/2014 06:19:05 PM
Execution time: 0 hours(s), 8 minute(s), and 16 seconds(s)

 

 

rkill:

 

Rkill 2.6.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 01/19/2014 06:20:32 PM in x86 mode. (Safe Mode)
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * COM+ Event System (EventSystem) is not Running.
   Startup Type set to: Manual

 * Security Center (wscsvc) is not Running.
   Startup Type set to: Automatic

 * Automatic Updates (wuauserv) is not Running.
   Startup Type set to: Automatic

Searching for Missing Digital Signatures:

 * C:\WINDOWS\System32\drivers\mqac.sys : 91,776 : 06/22/2009 06:48 AM : eee50bf24caeedb515a8f3b22756d3bb [NoSig]
 +-> C:\WINDOWS\$hf_mig$\KB971032\SP2QFE\mqac.sys : 91,776 : 06/22/2009 06:30 AM : 9229e191fe206628be17d1e67a5faed9 [Pos Repl]
 +-> C:\WINDOWS\ServicePackFiles\i386\mqac.sys : 92,544 : 04/13/2008 01:39 PM : 70c14f5cca5cf73f8a645c73a01d8726 [Pos Repl]
 +-> C:\WINDOWS\system32\dllcache\mqac.sys : 91,776 : 06/22/2009 06:48 AM : eee50bf24caeedb515a8f3b22756d3bb [Pos Repl]

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1       localhost

Program finished at: 01/19/2014 06:21:35 PM
Execution time: 0 hours(s), 1 minute(s), and 3 seconds(s)

 

 

kaspersky:

 

Status: Disinfected   (events: 2)    
1/20/2014 6:43:03 PM    Disinfected    Trojan program Trojan.Win32.Agent.acoqo    (me)\Local Folders\Deleted Items\[From:<info@tampabay.rr.com>][subject:FW: Action Required  - Time Sensitive Material][Time:2013/10/29 14:17:56]/case#924786362677568~9694308027241.zip    High    
1/20/2014 6:43:02 PM    Disinfected    Trojan program Trojan.Win32.Agent.acoqo    (me)\Local Folders\Deleted Items\[From:<info@tampabay.rr.com>][subject:FW: Action Required  - Time Sensitive Material][Time:2013/10/29 14:17:56]/case#924786362677568~9694308027241.zip/attached_forms.exe    High    
 

 

 


Rkill 2.6.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 01/23/2014 07:45:08 PM in x86 mode. (Safe Mode)
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * COM+ Event System (EventSystem) is not Running.
   Startup Type set to: Manual

 * Security Center (wscsvc) is not Running.
   Startup Type set to: Automatic

 * Automatic Updates (wuauserv) is not Running.
   Startup Type set to: Automatic

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1       localhost

Program finished at: 01/23/2014 07:46:55 PM
Execution time: 0 hours(s), 1 minute(s), and 47 seconds(s)
 


Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.

Download Dr.Web CureIt to the desktop.

The download is nearly 104.6 MB in size

  • Turn OFF your antivirus program.

    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

  • Turn off any other add-on security app {if you have them} like MBAM File System Protection.
  • If this system is Windows 8/7 or VISTA, then Right-click on drweb-cureit.exe and select Run as Administrator.
  • Otherwise, on Windows XP, doubleclick on drweb-cureit.exe file to start the tool.
  • You will see a screen similar to this:

    Drweb-cureit-1_zps34a2f747.gif

    Click the checkbox to participate, and then click on Continue button.

  • Next

    Drweb-cureit-2_zpsee7bdcb6.gif

    Click on Select objects for scanning

  • Next

    Drweb-cureit-3_zps137b4332.gif

    Put a checkmark by clicking on the boxes as shown.

    Do not select Temporary files or System Restore points.

    Then click on Start scanning button

  • The scan in progress will be shown like this

    Drweb-cureit-4_zps211037d0.gif

  • IF something is detected, you will see a screen similar to this

    Drweb-cureit-5_zpsd7be6acf.gif

    For each item "detected", click on the Action column down arrow, like this

    Drweb-cureit-8_zpsb099f9d5.gif

    Your options will be Cure or Ignore

    IF you see an item that you are very sure is ok, then un-check the checkbox for that item.

    Typically, you will keep the Cure default.

    Then click on the Neutralize button.

  • When the actions are completed, you will see this

    Drweb-cureit-7_zpsd290a127.gif

  • Click on the green Open Report line. It will pop-up the report in NOTEPAD.

    Save the report to your desktop. The report will be called Cureit.log

  • Close Dr.Web Cureit.
  • Reboot your computer to allow files that were in use to be moved/deleted during reboot.
  • After reboot, attach the log Cureit.log you saved previously in your next reply.
Re-Enable your antivirus program when all done.

way too much personal info in file extensions on cureit log, here is a recap:

 

 

Total 22362608574 bytes in 14617 files scanned (17786 objects)
Total 14602 files (17769 objects) are clean
There are no infected objects detected
Total 17 files are raised error condition
Scan time is 00:55:26.484

 

let me know if the "17 files are raised error condition" need to be posted
