
Malware/Adware Issue:



I have a Dell XPS 8500 with Windows 7 Professional SP1,
with SpywareBlaster, SuperAntiSpyware, Avast, Windows Defender
and Windows Firewall.

1 TB HD
Intel® Core i7-3770 CPU @ 3.40 GHz
RAM 12.0 GB
System type: 64-bit operating system


I also have a Dell Dimension 8200 (Seagate Barracuda 7200 HD, 160 GB)
with XP SP3, with SpywareBlaster, Avast, and Windows Firewall.

I contracted malware (PUP.Optional) when trying to download
AdwCleaner and selected the big green arrow instead of the
small blue print (BleepingComputer). Since I also did this on
the 8500 and 8200, both computers were infected.

 

I believe I resolved the issues on the 8500 and it's clean once more, but
it still makes a sound (like when turning speakers on/off) when connecting
online, and it never did this before. However, the issues on the 8200 are far
more severe.

 

8200:

When I logged on, the Firewall turned off and it said
my computer is at risk and the virus protection
was out of date. I tried to update Firefox via Avast.
Updated Adobe Flash Player and the Adobe plug-in. I also
tried to check for Windows updates but it wouldn't
open. Now it just says my computer is at risk and
clears itself after about a minute.

 

I did the following:

 

AdwCleaner found nothing and
generated the automatic report.

Ran the JRT scan but it didn't
display a log; it opened My Documents.

Tried installing Malwarebytes and
during installation it gave me this:

Setup

CoCreateInstance failed; code 0x80040154
Class not registered

Ran HitmanPro and it found 22 traces but
no threats. Deleted the traces.


Ran an Avast scan and it found (9) infected files:

C:\...I>nsis.hdr                      NSIS:NextLive-A[Adw]
C:\AdwCleaner\...\nengine.dll.vir     Win32:NewxtLive-A[Adw]
C:\...\A0014394.dll                   Win32:NewxtLive-A[Adw]
C:\...\A0014395.dll                   Win32:NewxtLive-A[Adw]
C:\...\A0017566.dll                   Win32:NewxtLive-A[Adw]
C:\...\A0014393.dll                   Win32:NewxtLive-A[Adw]
C:\...I>nsis.hdr                      Win32:NewxtLive-A[Adw]

* The first and last aren't really a capital 'I' but a
black bar; I didn't know how to make one.

Ran a boot scan and it gave me this at 21%:

File c:\Program Files\Uninstaller\Uninstall.exe is infected by win32:Installer-U [PUP]

I selected number 2 (fix all automatically) and
it was moved to the quarantine chest.

Later it gave me:

File C:\System Volume Information\_restore{E25274F5-321C-4C3D-A322-8F6F5F7F5B9F}\RP38\A0013223.exe is infected by win32:Mobogenie-B [PUP]

File C:\System Volume Information\_restore{E25274F5-321C-4C3D-A322-8F6F5F7F5B9F}\RP38\A0013239.exe is infected by win32:Mobogenie-C [PUP]

File C:\System Volume Information\_restore{E25274F5-321C-4C3D-A322-8F6F5F7F5B9F}\RP43\A0014373.exe is infected by win32:Installer-U [PUP]

File C:\System Volume Information\_restore{E25274F5-321C-4C3D-A322-8F6F5F7F5B9F}\RP67\A0020850.exe is infected by win32:Installer-U [PUP]


The scan didn't stop but moved them all into the quarantine chest.

I ran a full system scan with Avast afterwards
and came up clean.
 
Tried to open SpywareBlaster to update it and it
gave me this:

Error: Access violation at 0x73483F5A (tried to read from 0x00000014),
program terminated. Last CP is 'RF'.
 

I tried uninstalling/reinstalling SpywareBlaster, but it gave me the same errors.

Thoughts, suggestions?
Robert

 

 

 

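The Avast hits in the post above live in different places, and that matters more than the detection names. As an added example (not code from the post or from Avast), here is a small triage that sorts scanner output by where the flagged file actually lives: a detection inside a System Restore snapshot (the `_restore{GUID}\RPnn\` paths) or inside another cleaner's quarantine (AdwCleaner's `.vir` files) is a stale copy rather than something running, so only hits on live paths still need a decision. The input lines are constructed to mirror the wording quoted above; the quarantine and Temp file names in the sample are placeholders, not files from the poster's machine.

```python
"""Sort antivirus detections by where the flagged file actually lives.

Added example, not code from the forum post or from Avast. A detection
inside a System Restore snapshot or inside another cleaner's quarantine
is a stale copy, not running malware; only hits on live paths still need
a cleanup decision. Input lines are constructed to mirror the Avast
boot-scan and GUI wording quoted in the thread.
"""
import re
from collections import defaultdict

# Boot-scan wording: "File <path> is infected by <detection> [<class>]"
BOOT_SCAN_RE = re.compile(
    r"^File\s+(?P<path>.+?)\s+is infected by\s+(?P<name>\S+)\s*\[(?P<cls>[^\]]+)\]\s*$"
)
# GUI/report wording: "<path>   <engine>:<detection>[<class>]", columns split by 2+ spaces
GUI_RE = re.compile(r"^(?P<path>\S.*?\S)\s{2,}(?P<name>\S+?)\[(?P<cls>[^\]]+)\]\s*$")

# Windows XP System Restore snapshot layout:
#   \System Volume Information\_restore{GUID}\RPnn\A00xxxxx.<ext>
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\s*\{[0-9A-Fa-f-]{36}\}\\RP\d+\\", re.IGNORECASE
)
# Already neutralised by another tool: AdwCleaner renames to .vir, others use a Quarantine folder
QUARANTINE_RE = re.compile(r"\\AdwCleaner\\.*\.vir$|\\Quarantine\\", re.IGNORECASE)


def parse_detection(line):
    """Return (path, detection, class) or None when the line is not a detection."""
    for rx in (BOOT_SCAN_RE, GUI_RE):
        m = rx.match(line.strip())
        if m:
            return m.group("path").strip(), m.group("name"), m.group("cls").strip().upper()
    return None


def locate(path):
    """Classify where the flagged file lives: 'restore-point', 'quarantine' or 'live'."""
    if RESTORE_POINT_RE.search(path):
        return "restore-point"
    if QUARANTINE_RE.search(path):
        return "quarantine"
    return "live"


def triage(lines):
    """Group parsed detections by location; lines that are not detections are ignored."""
    groups = defaultdict(list)
    for line in lines:
        hit = parse_detection(line)
        if hit:
            groups[locate(hit[0])].append(hit)
    return dict(groups)


NEXT_STEP = {
    "live": "investigate or remove; the file is reachable on the running system",
    "restore-point": "stale snapshot copy; purge old restore points (System Restore off, then on)",
    "quarantine": "already neutralised; empty that quarantine once the machine is confirmed clean",
}


def next_steps(groups):
    """One advice line per populated group, live paths first."""
    order = ("live", "restore-point", "quarantine")
    return [f"{loc}: {len(groups[loc])} hit(s); {NEXT_STEP[loc]}" for loc in order if loc in groups]


# Constructed sample modelled on the thread's Avast output; the quarantine and
# Temp file names are placeholders, not files from the poster's machine.
SAMPLE = [
    r"File c:\Program Files\Uninstaller\Uninstall.exe is infected by win32:Installer-U [PUP]",
    r"File C:\System Volume Information\_restore{E25274F5-321C-4C3D-A322-8F6F5F7F5B9F}\RP38\A0013223.exe is infected by win32:Mobogenie-B  [PUP]",
    r"File C:\System Volume Information\_restore{E25274F5-321C-4C3D-A322-8F6F5F7F5B9F}\RP43\A0014373.exe is infected by win32:Installer-U [PUP]",
    r"C:\AdwCleaner\Quarantine\sample.dll.vir     Win32:NextLive-A[Adw]",
    r"C:\Documents and Settings\user\Local Settings\Temp\sample_setup.exe     Win32:NextLive-A[Adw]",
    "Scan finished: 5 files flagged",
]

if __name__ == "__main__":
    for step in next_steps(triage(SAMPLE)):
        print(step)
```

On XP, turning System Restore off and back on discards every existing restore point together with the copies inside them, which is the usual way to clear hits under `_restore{GUID}\RPnn\`; the live-path entries are the only ones that still need a decision.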

Hello,

 

P2P/Piracy Warning:

 

   

If you're using peer-to-peer software such as uTorrent, BitTorrent or similar, you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

Download Farbar Recovery Scan Tool and save it to your desktop.

 

Note: You need to run the version compatible with your system (32-bit or 64-bit). If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.


Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

 

Kevin

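Kevin asks for FRST.txt and Addition.txt. The following is an added example, not code from this forum or from Farbar, showing the kind of first-pass triage a helper does by eye over those logs: it tracks which FRST section each line belongs to and flags orphaned browser hooks ("No File"), processes, services and drivers with no publisher recorded, alternate data streams, a security product reported disabled (the AV:/AS:/FW: prefixes of FRST's Security Center section), failed WMI queries, and any core binary whose hash FRST did not mark legit. The section headers and line shapes follow FRST's output format; the log lines themselves are constructed for the example, the "Example" paths and all-zero GUIDs are placeholders, and the severity labels are this example's judgement, not FRST's.

```python
"""First-pass triage of a Farbar Recovery Scan Tool (FRST) log.

Added example, not code from the forum or from Farbar. It walks the text
FRST writes, tracks which section each line is in, and flags the entry
types a helper normally checks by hand. The section headers and line
shapes follow FRST's output format; the log lines below are constructed
for the example (placeholder 'Example' paths and all-zero GUIDs).
"""
import re

# Section header: "==================== Name ====================="
SECTION_RE = re.compile(r"^=+\s*(?P<name>[^=\s].*?)\s*=+\s*$")

# (pattern, severity, why it matters); severity is this example's judgement, not FRST's
FINDINGS = (
    (re.compile(r"^(?:BHO|Toolbar|Handler):.*\bNo File\s*$"), "low",
     "orphaned browser hook: registry entry whose DLL is gone (clean-up item, not running code)"),
    (re.compile(r"^(?:AV|AS|FW): .*\(Disabled"), "high",
     "security product reported disabled to Security Center"),
    (re.compile(r"^AlternateDataStreams:"), "medium",
     "NTFS alternate data stream: hidden storage sometimes used to stash payloads"),
    (re.compile(r'Could not list .*Check "winmgmt" service or repair WMI'), "medium",
     "WMI query failed: section could not be enumerated; also a lead when installers die with COM 'Class not registered'"),
    (re.compile(r"=> MD5 is (?!legit\b)"), "high",
     "core system binary whose hash FRST did not mark legit"),
)
# Processes/services/drivers whose publisher field is the empty "()"
NO_PUBLISHER_PROCESS_RE = re.compile(r"^\(\)\s+(?P<path>[A-Za-z]:\\.+)$")
NO_PUBLISHER_SERVICE_RE = re.compile(r"^[RSU]\d\s+\S+;\s+(?P<path>[A-Za-z]:\\.+?)\s+\[\d+ [\d-]+\]\s+\(\)\s*$")

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def triage(log_text):
    """Return findings (dicts with section, severity, why, line), highest severity first."""
    findings = []
    section = "(preamble)"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            continue
        for rx, severity, why in FINDINGS:
            if rx.search(line):
                findings.append({"section": section, "severity": severity, "why": why, "line": line})
                break
        else:
            for rx in (NO_PUBLISHER_PROCESS_RE, NO_PUBLISHER_SERVICE_RE):
                m = rx.match(line)
                if m:
                    findings.append({"section": section, "severity": "medium",
                                     "why": "no publisher recorded for " + m.group("path"),
                                     "line": line})
                    break
    findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]])  # stable: keeps log order within a level
    return findings


def summary(findings):
    """Count findings per severity level."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


# Constructed sample in FRST's format; paths and GUIDs are placeholders.
SAMPLE_LOG = r"""
==================== Processes (Whitelisted) =================

(Example Security) C:\Program Files\Example Security\ExSvc.exe
() C:\Program Files\Example\NoPublisherSvc.exe

==================== Internet (Whitelisted) ====================

BHO: No Name - {00000000-0000-0000-0000-000000000001} -  No File
BHO: Example Web Shield - {00000000-0000-0000-0000-000000000002} - C:\Program Files\Example Security\webshield.dll (Example Security)
Toolbar: HKCU - No Name - {00000000-0000-0000-0000-000000000003} -  No File

========================== Services (Whitelisted) =================

R2 ExampleSvc; C:\Program Files\Example\NoPublisherSvc.exe [224960 2012-08-21] ()

==================== Security Center ========================

AV: Example Security (Disabled - Up to date) {00000000-0000-0000-0000-000000000004}

==================== Restore Points  =========================

Could not list Restore Points. Check "winmgmt" service or repair WMI.

==================== Alternate Data Streams (whitelisted) =========

AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:07F6D9E4

==================== Bamital & volsnap Check =================

C:\WINDOWS\explorer.exe => MD5 is legit
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['section']}: {f['why']}")
    print(summary(triage(SAMPLE_LOG)))
```

A "No File" hook is usually a leftover from an uninstall and is listed only so it can be cleaned up; a failed WMI query is the entry worth following first, because it means FRST could not enumerate that section at all and it points at the same COM plumbing an installer uses when it reports "Class not registered".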

Hello Kevin,

 

Thank you for helping me.

 

I ran the Farbar Recovery Scan Tool.

 

Here's the FRST.txt log:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 09-03-2014 01
Ran by Lt. Commander (administrator) on HAL9000 on 09-03-2014 18:00:38
Running from C:\Documents and Settings\Lt. Commander\My Documents\Downloads
Microsoft Windows XP Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Microsoft Corporation) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
(NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe
() C:\Program Files\Macrium\Reflect\ReflectService.exe
(Renesas Electronics Corporation) C:\Program Files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Voyetra Turtle Beach, Inc.) C:\WINDOWS\system32\tbctray.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [NUSB3MON] - C:\Program Files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe [113288 2011-04-14] (Renesas Electronics Corporation)
HKLM\...\Run: [AvastUI.exe] - C:\Program Files\AVAST Software\Avast\AvastUI.exe [3568312 2013-12-06] (AVAST Software)
HKLM\...\Run: [nwiz] - nwiz.exe /install
HKLM\...\Run: [NvCplDaemon] - C:\WINDOWS\system32\NvCpl.dll [4841472 2003-07-28] (NVIDIA Corporation)
HKLM\...\Run: [TraySantaCruz] - C:\WINDOWS\system32\tbctray.exe [307200 2001-08-29] (Voyetra Turtle Beach, Inc.)
HKU\S-1-5-21-1409082233-884357618-1801674531-1004\...\Run: [NvMediaCenter] - RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM - DefaultScope value is missing.
BHO: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} -  No File
BHO: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
Toolbar: HKLM - avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
Toolbar: HKCU - No Name - {01E04581-4EEE-11D0-BFE9-00AA005B4383} -  No File
Toolbar: HKCU - No Name - {0E5CBF21-D15F-11D0-8301-00AA005B4383} -  No File
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1386900931250
Handler: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\System32\msvidctl.dll (Microsoft Corporation)
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL No File
Handler: mhtml - {05300401-BCBC-11d0-85E3-00C04FD85AB4} -  No File
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL No File
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Handler: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} -  No File
ShellExecuteHooks: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll [304128 2009-05-24] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 4.2.2.2

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Lt. Commander\Application Data\Mozilla\Firefox\Profiles\dz89itwj.default
FF DefaultSearchEngine: Wikipedia (en)
FF SelectedSearchEngine: Wikipedia (en)
FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_12_0_0_70.dll ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=14.0.8117.0416 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: avast! Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2013-12-06]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ []

========================== Services (Whitelisted) =================

R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2013-12-06] (AVAST Software)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.0.285\McCHSvc.exe [234776 2012-09-05] (McAfee, Inc.)
R2 ReflectService.exe; C:\Program Files\Macrium\Reflect\ReflectService.exe [224960 2012-08-21] ()

==================== Drivers (Whitelisted) ====================

R2 aswFsBlk; C:\WINDOWS\system32\drivers\aswFsBlk.sys [35656 2013-12-06] (AVAST Software)
R2 aswMonFlt; C:\WINDOWS\system32\drivers\aswMonFlt.sys [70384 2013-12-06] (AVAST Software)
R1 aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [54832 2013-12-06] (AVAST Software)
R0 aswRvrt; C:\WINDOWS\system32\Drivers\aswRvrt.sys [49944 2013-12-06] ()
R1 aswSnx; C:\WINDOWS\system32\drivers\aswSnx.sys [774392 2013-12-06] (AVAST Software)
R1 aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [403440 2013-12-06] (AVAST Software)
R1 aswTdi; C:\WINDOWS\system32\drivers\aswTdi.sys [57672 2013-12-06] (AVAST Software)
R0 aswVmm; C:\WINDOWS\system32\Drivers\aswVmm.sys [178304 2013-12-06] ()
R3 basic2; C:\WINDOWS\System32\DRIVERS\basic2.sys [77426 2001-07-18] (Conexant Systems)
R2 Fallback; C:\WINDOWS\System32\DRIVERS\fallback.sys [310899 2001-07-18] (Conexant Systems)
R2 Fsks; C:\WINDOWS\System32\DRIVERS\fsksnt.sys [127405 2001-07-18] (Conexant Systems)
R3 gameenum; C:\WINDOWS\System32\DRIVERS\gameenum.sys [10624 2008-04-13] (Microsoft Corporation)
S3 HSFHWBS2; C:\WINDOWS\System32\DRIVERS\HSFBS2S2.sys [220032 2004-08-03] (Conexant Systems, Inc.)
S3 HSF_DP; C:\WINDOWS\System32\DRIVERS\HSFDPSP2.sys [1041536 2004-08-03] (Conexant Systems, Inc.)
S3 hsf_msft; C:\WINDOWS\System32\DRIVERS\HSF_MSFT.sys [542879 2001-08-17] (Conexant)
R2 K56; C:\WINDOWS\System32\DRIVERS\k56nt.sys [426783 2001-07-18] (Conexant Systems)
S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\mbamswissarmy.sys [40776 2014-03-05] (Malwarebytes Corporation)
S3 PSMounter; C:\WINDOWS\system32\drivers\psmounter.sys [53952 2012-08-21] (Macrium Software)
R0 pssnap; C:\WINDOWS\System32\DRIVERS\pssnap.sys [16064 2012-08-21] (Macrium Software)
R3 Rksample; C:\WINDOWS\System32\DRIVERS\rksample.sys [67654 2001-07-18] (Conexant Systems)
R2 SoftFax; C:\WINDOWS\System32\DRIVERS\faxnt.sys [217019 2001-07-18] (Conexant Systems)
R2 SpeakerPhone; C:\WINDOWS\System32\DRIVERS\spkpnt.sys [80449 2001-07-18] (Conexant Systems)
R3 tbcspud; C:\WINDOWS\System32\drivers\tbcspud.sys [142336 2001-08-29] (Voyetra Turtle Beach)
R3 tbcwdm; C:\WINDOWS\System32\drivers\tbcwdm.sys [524288 2001-08-29] (Voyetra Turtle Beach)
R2 Tones; C:\WINDOWS\System32\DRIVERS\tonesnt.sys [56607 2001-07-18] (Conexant Systems)
R2 V124; C:\WINDOWS\System32\DRIVERS\v124nt.sys [534125 2001-07-18] (Conexant Systems)
S4 hpt3xx; No ImagePath
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-03-09 18:00 - 2014-03-09 18:00 - 00000000 ____D () C:\FRST
2014-03-07 21:00 - 2014-03-07 21:00 - 00000000 ____D () C:\Program Files\SpywareBlaster
2014-03-07 21:00 - 2014-03-07 21:00 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBlaster
2014-03-05 04:47 - 2014-03-05 04:47 - 00000000 ____D () C:\Program Files\HitmanPro
2014-03-05 04:47 - 2014-03-05 04:47 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\HitmanPro
2014-03-05 04:45 - 2014-03-05 04:50 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\HitmanPro
2014-03-05 04:39 - 2014-03-05 04:41 - 00000000 ____D () C:\Program Files\Malwarebytes' Anti-Malware
2014-03-05 04:39 - 2013-04-04 15:50 - 00022856 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2014-03-04 19:06 - 2014-03-04 19:06 - 00000000 ____D () C:\Program Files\McAfee Security Scan
2014-03-04 19:06 - 2014-03-04 19:06 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\McAfee Security Scan Plus
2014-03-04 19:06 - 2014-03-04 19:06 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\McAfee Security Scan
2014-02-16 17:29 - 2014-02-16 17:29 - 00000000 ____D () C:\Documents and Settings\Lt. Commander\Local Settings\Application Data\PCHealth
2014-02-16 17:22 - 2014-02-16 17:22 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2916036$
2014-02-16 17:06 - 2014-02-16 17:22 - 00003080 _____ () C:\WINDOWS\updspapi.log
2014-02-16 17:05 - 2014-02-16 17:06 - 00011427 _____ () C:\WINDOWS\KB2909921-IE8.log
2014-02-16 17:05 - 2014-02-16 17:05 - 00004534 _____ () C:\WINDOWS\KB2909210-IE8.log
2014-02-16 17:04 - 2014-02-16 17:22 - 00013982 _____ () C:\WINDOWS\KB2916036.log
2014-02-13 00:58 - 2014-02-13 00:58 - 00001507 _____ () C:\Documents and Settings\Lt. Commander\Desktop\Windows Update.lnk

==================== One Month Modified Files and Folders =======

2014-03-09 18:00 - 2014-03-09 18:00 - 00000000 ____D () C:\FRST
2014-03-09 17:55 - 2013-12-06 21:50 - 00000364 ____H () C:\WINDOWS\Tasks\avast! Emergency Update.job
2014-03-09 17:53 - 2013-11-30 15:31 - 00601640 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2014-03-09 17:52 - 2013-12-06 17:44 - 02058616 _____ () C:\WINDOWS\WindowsUpdate.log
2014-03-09 17:50 - 2013-12-08 02:37 - 00000000 ____D () C:\WINDOWS\Microsoft.NET
2014-03-09 17:48 - 2013-11-30 23:42 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-03-09 17:48 - 2001-08-18 05:00 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
2014-03-07 21:01 - 2013-11-30 23:50 - 00000178 ___SH () C:\Documents and Settings\Lt. Commander\ntuser.ini
2014-03-07 21:01 - 2013-11-30 23:46 - 00032370 _____ () C:\WINDOWS\SchedLgU.Txt
2014-03-07 21:00 - 2014-03-07 21:00 - 00000000 ____D () C:\Program Files\SpywareBlaster
2014-03-07 21:00 - 2014-03-07 21:00 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBlaster
2014-03-05 04:50 - 2014-03-05 04:45 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\HitmanPro
2014-03-05 04:47 - 2014-03-05 04:47 - 00000000 ____D () C:\Program Files\HitmanPro
2014-03-05 04:47 - 2014-03-05 04:47 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\HitmanPro
2014-03-05 04:42 - 2014-02-03 10:50 - 00040776 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamswissarmy.sys
2014-03-05 04:41 - 2014-03-05 04:39 - 00000000 ____D () C:\Program Files\Malwarebytes' Anti-Malware
2014-03-05 04:24 - 2014-01-19 19:47 - 00000000 ____D () C:\AdwCleaner
2014-03-04 21:31 - 2013-12-07 04:46 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2014-03-04 20:00 - 2013-12-07 17:05 - 00000178 ___SH () C:\Documents and Settings\visitor\ntuser.ini
2014-03-04 19:32 - 2013-12-07 04:46 - 00692616 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2014-03-04 19:32 - 2013-12-07 04:46 - 00071048 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2014-03-04 19:13 - 2013-12-07 04:42 - 00000000 ____D () C:\Documents and Settings\Lt. Commander\Local Settings\Application Data\Adobe
2014-03-04 19:06 - 2014-03-04 19:06 - 00000000 ____D () C:\Program Files\McAfee Security Scan
2014-03-04 19:06 - 2014-03-04 19:06 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\McAfee Security Scan Plus
2014-03-04 19:06 - 2014-03-04 19:06 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\McAfee Security Scan
2014-02-16 17:29 - 2014-02-16 17:29 - 00000000 ____D () C:\Documents and Settings\Lt. Commander\Local Settings\Application Data\PCHealth
2014-02-16 17:22 - 2014-02-16 17:22 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2916036$
2014-02-16 17:22 - 2014-02-16 17:06 - 00003080 _____ () C:\WINDOWS\updspapi.log
2014-02-16 17:22 - 2014-02-16 17:04 - 00013982 _____ () C:\WINDOWS\KB2916036.log
2014-02-16 17:22 - 2014-01-15 10:38 - 00024732 _____ () C:\WINDOWS\FaxSetup.log
2014-02-16 17:22 - 2014-01-15 10:38 - 00011824 _____ () C:\WINDOWS\ocgen.log
2014-02-16 17:22 - 2014-01-15 10:38 - 00009437 _____ () C:\WINDOWS\tsoc.log
2014-02-16 17:22 - 2014-01-15 10:38 - 00008166 _____ () C:\WINDOWS\comsetup.log
2014-02-16 17:22 - 2014-01-15 10:38 - 00004956 _____ () C:\WINDOWS\ntdtcsetup.log
2014-02-16 17:22 - 2014-01-15 10:38 - 00003927 _____ () C:\WINDOWS\iis6.log
2014-02-16 17:22 - 2014-01-15 10:38 - 00001374 _____ () C:\WINDOWS\imsins.log
2014-02-16 17:22 - 2014-01-15 10:38 - 00001368 _____ () C:\WINDOWS\ocmsn.log
2014-02-16 17:22 - 2014-01-15 10:38 - 00001236 _____ () C:\WINDOWS\msgsocm.log
2014-02-16 17:22 - 2013-12-20 16:54 - 00021930 _____ () C:\WINDOWS\setupapi.log
2014-02-16 17:13 - 2013-12-06 22:32 - 00000000 ____D () C:\WINDOWS\system32\MRT
2014-02-16 17:10 - 2013-12-06 22:31 - 85946576 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2014-02-16 17:06 - 2014-02-16 17:05 - 00011427 _____ () C:\WINDOWS\KB2909921-IE8.log
2014-02-16 17:06 - 2014-01-15 10:38 - 00001374 _____ () C:\WINDOWS\imsins.BAK
2014-02-16 17:06 - 2013-12-08 01:31 - 00000000 ____D () C:\WINDOWS\ie8updates
2014-02-16 17:05 - 2014-02-16 17:05 - 00004534 _____ () C:\WINDOWS\KB2909210-IE8.log
2014-02-13 00:58 - 2014-02-13 00:58 - 00001507 _____ () C:\Documents and Settings\Lt. Commander\Desktop\Windows Update.lnk

Some content of TEMP:
====================
C:\Documents and Settings\Lt. Commander\Local Settings\Temp\1371786419_Cloud_Backup_Setup.exe
C:\Documents and Settings\Lt. Commander\Local Settings\Temp\1374592013_PCSpeedMaximizer.exe
C:\Documents and Settings\Lt. Commander\Local Settings\Temp\BackupSetup.exe
C:\Documents and Settings\Lt. Commander\Local Settings\Temp\oi_{E29DD191-A529-4450-80CA-9B738003C3C4}.exe
C:\Documents and Settings\Lt. Commander\Local Settings\Temp\Quarantine.exe
C:\Documents and Settings\Lt. Commander\Local Settings\Temp\safeguard.exe
C:\Documents and Settings\Lt. Commander\Local Settings\Temp\vcredist_x86.exe


==================== Bamital & volsnap Check =================

C:\WINDOWS\explorer.exe => MD5 is legit
C:\WINDOWS\system32\winlogon.exe => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
C:\WINDOWS\system32\User32.dll => MD5 is legit
C:\WINDOWS\system32\userinit.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================

 

and the Addition.txt log:

 

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 09-03-2014 01
Ran by Lt. Commander at 2014-03-09 18:01:28
Running from C:\Documents and Settings\Lt. Commander\My Documents\Downloads
Boot Mode: Normal
==========================================================


==================== Security Center ========================

AV: avast! Antivirus (Disabled - Up to date) {7591DB91-41F0-48A3-B128-1A293FD8233D}

==================== Installed Programs ======================

Adobe Flash Player 12 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 12.0.0.70 - Adobe Systems Incorporated)
Adobe Flash Player 12 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 12.0.0.70 - Adobe Systems Incorporated)
avast! Free Antivirus (HKLM\...\Avast) (Version: 9.0.2008 - Avast Software)
Dell ResourceCD (HKLM\...\{D78653C3-A8FF-415F-92E6-D774E634FF2D}) (Version:  - )
DELL TrueMobile 1180 Wireless USB (HKLM\...\{764C5E75-2E44-4C1D-B490-5C82229E8058}) (Version:  - )
Google Update Helper (Version: 1.3.22.3 - Google Inc.) Hidden
HitmanPro 3.7 (HKLM\...\HitmanPro37) (Version: 3.7.9.212 - SurfRight B.V.)
Junk Mail filter update (Version: 14.0.8117.416 - Microsoft Corporation) Hidden
Macrium Reflect Free Edition (HKLM\...\{51169E2B-6AE3-4FB2-B8A7-C7AC16BBA3F1}) (Version: 5.0.4995 - Paramount Software (UK) Ltd.)
Malwarebytes Anti-Malware version 1.75.0.1300 (HKLM\...\Malwarebytes' Anti-Malware_is1) (Version: 1.75.0.1300 - Malwarebytes Corporation)
McAfee Security Scan Plus (HKLM\...\McAfee Security Scan) (Version: 3.0.285.6 - McAfee, Inc.)
Microsoft .NET Framework 1.1 (HKLM\...\Microsoft .NET Framework 1.1  (1033)) (Version:  - )
Microsoft .NET Framework 1.1 (Version: 1.1.4322 - Microsoft) Hidden
Microsoft .NET Framework 1.1 Security Update (KB2833941) (HKLM\...\M2833941) (Version:  - )
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319 - Microsoft Corporation) Hidden
Microsoft Application Error Reporting (Version: 12.0.6012.5000 - Microsoft Corporation) Hidden
Microsoft Base Smart Card Cryptographic Service Provider Package (HKLM\...\KB909520) (Version:  - Microsoft Corporation)
Microsoft Choice Guard (Version: 2.0.48.0 - Microsoft Corporation) Hidden
Microsoft Compression Client Pack 1.0 for Windows XP (HKLM\...\MSCompPackV1) (Version: 1 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.20913.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft User-Mode Driver Framework Feature Pack 1.0 (HKLM\...\Wudf01000) (Version:  - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Mozilla Firefox 26.0 (x86 en-US) (HKLM\...\Mozilla Firefox 26.0 (x86 en-US)) (Version: 26.0 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 24.2.0 - Mozilla)
Mozilla Thunderbird 24.2.0 (x86 en-US) (HKLM\...\Mozilla Thunderbird 24.2.0 (x86 en-US)) (Version: 24.2.0 - Mozilla)
MSVCRT (Version: 14.0.1468.721 - Microsoft) Hidden
MSXML 6.0 Parser (HKLM\...\{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}) (Version: 6.10.1129.0 - Microsoft Corporation)
NVIDIA Windows 2000/XP Display Drivers (HKLM\...\NVIDIA) (Version:  - )
REALTEK GbE & FE Ethernet PCI NIC Driver (HKLM\...\{ACCA20B0-C4D1-4BF5-BF21-0A0EB5EF9730}) (Version: 1.23.0000 - Realtek)
Renesas Electronics USB 3.0 Host Controller Driver (HKLM\...\InstallShield_{5442DAB8-7177-49E1-8B22-09A049EA5996}) (Version: 2.1.25.0 - Renesas Electronics Corporation)
Renesas Electronics USB 3.0 Host Controller Driver (Version: 2.1.25.0 - Renesas Electronics Corporation) Hidden
Santa Cruz (HKLM\...\{A4D58580-EA01-11D3-9318-008048B86EFE}) (Version:  - )
Segoe UI (Version: 14.0.4327.805 - Microsoft Corp) Hidden
Skype™ 6.3 (HKLM\...\{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}) (Version: 6.3.105 - Skype Technologies S.A.)
SpywareBlaster 5.0 (HKLM\...\SpywareBlaster_is1) (Version: 5.0.0 - BrightFort LLC)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (HKLM\...\{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}.KB963707) (Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (HKLM\...\{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2468871) (Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (HKLM\...\{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2533523) (Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (HKLM\...\{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2600217) (Version: 1 - Microsoft Corporation)
Update for Windows Internet Explorer 8 (KB2598845) (HKLM\...\KB2598845-IE8) (Version: 1 - Microsoft Corporation)
Update for Windows Internet Explorer 8 (KB2632503) (HKLM\...\KB2632503-IE8) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2345886) (HKLM\...\KB2345886) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2467659) (HKLM\...\KB2467659) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2492386) (HKLM\...\KB2492386) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2749655) (HKLM\...\KB2749655) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2808679) (HKLM\...\KB2808679) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2863058) (HKLM\...\KB2863058) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2904266) (HKLM\...\KB2904266) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB951978) (Version: 1 - Microsoft Corporation) Hidden
Update for Windows XP (KB955759) (HKLM\...\KB955759) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB961503) (HKLM\...\KB961503) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB967715) (HKLM\...\KB967715) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB968389) (HKLM\...\KB968389) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB971029) (HKLM\...\KB971029) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB973687) (HKLM\...\KB973687) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB973815) (HKLM\...\KB973815) (Version: 1 - Microsoft Corporation)
WebFldrs XP (Version: 9.50.5318 - Microsoft Corporation) Hidden
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version:  - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\WGA) (Version: 1.7.0069.2 - Microsoft Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Live Call (Version: 14.0.8117.0416 - Microsoft Corporation) Hidden
Windows Live Communications Platform (Version: 14.0.8117.416 - Microsoft Corporation) Hidden
Windows Live Essentials (HKLM\...\WinLiveSuite_Wave3) (Version: 14.0.8117.0416 - Microsoft Corporation)
Windows Live Essentials (Version: 14.0.8117.416 - Microsoft Corporation) Hidden
Windows Live Mail (Version: 14.0.8117.0416 - Microsoft Corporation) Hidden
Windows Live Messenger (Version: 14.0.8117.0416 - Microsoft Corporation) Hidden
Windows Live Photo Gallery (Version: 14.0.8117.416 - Microsoft Corporation) Hidden
Windows Live Sign-in Assistant (HKLM\...\{45338B07-A236-4270-9A77-EBB4115517B5}) (Version: 5.000.818.5 - Microsoft Corporation)
Windows Live Sync (HKLM\...\{B10914FD-8812-47A4-85A1-50FCDE7F1F33}) (Version: 14.0.8117.416 - Microsoft Corporation)
Windows Live Upload Tool (HKLM\...\{205C6BDD-7B73-42DE-8505-9A093F35A238}) (Version: 14.0.8014.1029 - Microsoft Corporation)
Windows Live Writer (Version: 14.0.8117.0416 - Microsoft Corporation) Hidden
Windows Management Framework Core (HKLM\...\KB968930) (Version:  - Microsoft Corporation)
Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version:  - )
Windows Media Format 11 runtime (Version:  - Microsoft Corporation) Hidden
Windows Media Player 11 (HKLM\...\Windows Media Player) (Version:  - )
Windows Media Player 11 (Version:  - Microsoft Corporation) Hidden
Windows Search 4.0 (HKLM\...\KB940157) (Version: 04.00.6001.503 - Microsoft Corporation)
Windows XP Service Pack 3 (HKLM\...\Windows XP Service Pack) (Version: 20080414.031525 - Microsoft Corporation)

==================== Restore Points  =========================

Could not list Restore Points. Check "winmgmt" service or repair WMI.


==================== Hosts content: ==========================

2001-08-18 05:00 - 2001-08-18 05:00 - 00000734 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\avast! Emergency Update.job => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe
Task: C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job => c:\Program Files\Microsoft Security Client\MpCmdRun.exe

==================== Loaded Modules (whitelisted) =============

2014-03-07 20:53 - 2014-03-07 11:45 - 02186752 _____ () C:\Program Files\AVAST Software\Avast\defs\14030701\algo.dll
2014-03-09 17:51 - 2014-03-09 11:59 - 02186752 _____ () C:\Program Files\AVAST Software\Avast\defs\14030901\algo.dll
2012-08-21 05:32 - 2012-08-21 05:32 - 00224960 _____ () C:\Program Files\Macrium\Reflect\ReflectService.exe
2013-12-06 21:47 - 2013-12-06 21:47 - 19336120 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll

==================== Alternate Data Streams (whitelisted) =========

AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:07F6D9E4
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:AD022376

==================== Safe Mode (whitelisted) ===================

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\UploadMgr => ""="Service"

==================== Disabled items from MSCONFIG ==============


==================== Faulty Device Manager Devices =============

Could not list Devices. Check "winmgmt" service or repair WMI.


==================== Event log errors: =========================

Application errors:
==================
Error: (02/16/2014 05:40:20 PM) (Source: .NET Runtime Optimization Service) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

Error: (02/16/2014 05:05:20 PM) (Source: HotFixInstaller) (User: )
Description: EventType visualstudio8setup, P1 microsoft .net framework 2.0-kb2898856, P2 1033, P3 1601, P4 msi, P5 f, P6 9.0.40215.0, P7 install, P8 x86, P9 visualstudio8setup0, P10 visualstudio8setup1.

Error: (01/05/2014 09:26:10 PM) (Source: Windows Search Service) (User: )
Description: The update cannot be started because the content sources cannot be accessed. Fix the errors and try the update again.

Context:  Application, SystemIndex Catalog

Error: (01/02/2014 00:42:15 AM) (Source: MPSampleSubmission) (User: )
Description: mptelemetry0x80070003moaccachereset4.4.304.0unspecifiedunspecifiedunspecifiedNILNILNIL

Error: (12/25/2013 08:20:00 PM) (Source: Windows Search Service) (User: )
Description: The update cannot be started because the content sources cannot be accessed. Fix the errors and try the update again.

Context:  Application, SystemIndex Catalog

Error: (12/25/2013 08:11:20 PM) (Source: Windows Search Service) (User: )
Description: The application cannot be initialized.

Context: Windows Application


Details:
    The content index metadata cannot be read.   (0xc0041801)

Error: (12/25/2013 08:11:20 PM) (Source: Windows Search Service) (User: )
Description: The gatherer object cannot be initialized.

Context: Windows Application, SystemIndex Catalog


Details:
    The content index metadata cannot be read.   (0xc0041801)

Error: (12/25/2013 08:11:20 PM) (Source: Windows Search Service) (User: )
Description: The plug-in in <Search.TripoliIndexer> cannot be initialized.

Context: Windows Application, SystemIndex Catalog


Details:
    Element not found.   (0x80070490)

Error: (12/25/2013 08:11:20 PM) (Source: Windows Search Service) (User: )
Description: The plug-in in <Search.JetPropStore> cannot be initialized.

Context: Windows Application, SystemIndex Catalog


Details:
    The content index metadata cannot be read.   (0xc0041801)

Error: (12/25/2013 08:11:20 PM) (Source: Windows Search Service) (User: )
Description: The Windows Search Service cannot load the property store information.

Context: Windows Application, SystemIndex Catalog


Details:
    0x%08x (0x80041181 - The content index server cannot find a description of the content index in its database. Search will automatically attempt to recreate the content index description.  If this problem persists, stop and restart the search service and, if necessary, delete  and recreate the content index.  )


System errors:
=============
Error: (02/16/2014 05:05:26 PM) (Source: Windows Update Agent) (User: )
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft .NET Framework 2.0 SP2 on Windows Server 2003 and Windows XP x86 (KB2898856).

Error: (02/05/2014 00:14:18 PM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.1.65 for the Network Card with network address 000ACD1EE5BC has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Error: (02/01/2014 11:03:43 AM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.1.65 for the Network Card with network address 000ACD1EE5BC has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Error: (01/31/2014 06:45:11 PM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.1.65 for the Network Card with network address 000ACD1EE5BC has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Error: (01/30/2014 08:11:01 PM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.1.65 for the Network Card with network address 000ACD1EE5BC has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Error: (01/19/2014 08:16:10 PM) (Source: Service Control Manager) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (01/19/2014 08:16:10 PM) (Source: Service Control Manager) (User: )
Description: The Application Layer Gateway Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (01/19/2014 08:16:10 PM) (Source: Service Control Manager) (User: )
Description: The Macrium Reflect Image Mounting Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (01/19/2014 08:16:10 PM) (Source: Service Control Manager) (User: )
Description: The NVIDIA Driver Helper Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (01/19/2014 08:16:10 PM) (Source: Service Control Manager) (User: )
Description: The Print Spooler service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.


Microsoft Office Sessions:
=========================
Error: (02/16/2014 05:40:20 PM) (Source: .NET Runtime Optimization Service)(User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

Error: (02/16/2014 05:05:20 PM) (Source: HotFixInstaller)(User: )
Description: visualstudio8setupmicrosoft .net framework 2.0-kb289885610331601msif9.0.40215.0installx86xp0

Error: (01/05/2014 09:26:10 PM) (Source: Windows Search Service)(User: )
Description: Context:  Application, SystemIndex Catalog

Error: (01/02/2014 00:42:15 AM) (Source: MPSampleSubmission)(User: )
Description: mptelemetry0x80070003moaccachereset4.4.304.0unspecifiedunspecifiedunspecifiedNILNILNIL

Error: (12/25/2013 08:20:00 PM) (Source: Windows Search Service)(User: )
Description: Context:  Application, SystemIndex Catalog

Error: (12/25/2013 08:11:20 PM) (Source: Windows Search Service)(User: )
Description: Context: Windows Application


Details:
    The content index metadata cannot be read.   (0xc0041801)

Error: (12/25/2013 08:11:20 PM) (Source: Windows Search Service)(User: )
Description: Context: Windows Application, SystemIndex Catalog


Details:
    The content index metadata cannot be read.   (0xc0041801)

Error: (12/25/2013 08:11:20 PM) (Source: Windows Search Service)(User: )
Description: Context: Windows Application, SystemIndex Catalog


Details:
    Element not found.   (0x80070490)
Search.TripoliIndexer

Error: (12/25/2013 08:11:20 PM) (Source: Windows Search Service)(User: )
Description: Context: Windows Application, SystemIndex Catalog


Details:
    The content index metadata cannot be read.   (0xc0041801)
Search.JetPropStore

Error: (12/25/2013 08:11:20 PM) (Source: Windows Search Service)(User: )
Description: Context: Windows Application, SystemIndex Catalog


Details:
    0x%08x (0x80041181 - The content index server cannot find a description of the content index in its database. Search will automatically attempt to recreate the content index description.  If this problem persists, stop and restart the search service and, if necessary, delete  and recreate the content index.  )


==================== Memory info ===========================

Percentage of memory in use: 29%
Total physical RAM: 1023.01 MB
Available physical RAM: 723.67 MB
Total Pagefile: 2463.43 MB
Available Pagefile: 2206.99 MB
Total Virtual: 2047.88 MB
Available Virtual: 1949.88 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:127.99 GB) (Free:108.51 GB) NTFS ==>[Drive with boot components (Windows XP)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 149 GB) (Disk ID: 000736DC)
Partition 1: (Active) - (Size=128 GB) - (Type=07 NTFS)

==================== End Of Log ============================


Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from the following link :-

 

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

 

  • Ensure that Combofix is saved directly to the Desktop <--- Very important
     
  • Disable all security programs as they will have a negative effect on Combofix, instructions available here  http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed, if you need more help please ask.
     
  • Close any open browsers and any other programs you might have running
     
  • Double click the combofix.gif icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator)
     
  • Instructions for running Combofix available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.
     
  • If you are using Windows XP it might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
     
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

 

****Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze ****

 

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read here  http://thespykiller.co.uk/index.php?page=20 why  disabling autoruns is recommended.

 

*EXTRA NOTES*


    If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot; you must allow it to do so.
    If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
    If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

 

Post the log in next reply please...

 

Kevin


Hello Kevin,

 

I forget to mention that I've been unable to update
on the 8200. When I try and open Windows updates
it doesn't do anything but sometimes a yellow triangle
icon appears in the system tray and it does update then.

Also, I have both computers set up for single click but
on the 8200 it doesn't work now so I have to right click
to open programs.

 
I tried the first link and it worked and I
believe I disabled all my antivirus software.

I ran ComboFix but it didn't save the icon to
the desk top. So do I need to run this again?
How do I get it to the desktop? That's for
uninstalling it, correct?

While trying to create a restore point ComboFix
gave me this:

Microsoft Windows Recovery Console

This machine does not have the 'Microsoft
Windows recovery console' installed. Alternately,
an existing installation of the recovery console
may be present but requires updating;
Without it, ComboFix shall not attempt the fixing
of some serious infections.

Click 'Yes' to have ComboFix download/install it.

Note: This requires an active Internet connection.

I clicked yes and followed the prompts.

Here's the log:

ComboFix 14-03-10.01 - Lt. Commander 03/12/2014   4:19.1.1 - x86
Running from: c:\documents and settings\Lt. Commander\My Documents\Downloads\ComboFix.exe
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\RAIDTest
c:\program files\WindowsXP-KB835935-SP2-ENU.exe
c:\windows\system32\ATHPRXY(2).DLL
.
.
(((((((((((((((((((((((((   Files Created from 2014-02-12 to 2014-03-12  )))))))))))))))))))))))))))))))
.
.
2014-03-10 01:00 . 2014-03-10 01:01    --------    d-----w-    C:\FRST
2014-03-05 11:47 . 2014-03-05 11:47    --------    d-----w-    c:\program files\HitmanPro
2014-03-05 11:45 . 2014-03-05 11:50    --------    d-----w-    c:\documents and settings\All Users\Application Data\HitmanPro
2014-03-05 11:39 . 2014-03-12 10:46    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2014-03-05 04:10 . 2008-04-14 00:12    26624    ----a-w-    c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2014-02-17 00:29 . 2014-02-17 00:29    --------    d-----w-    c:\documents and settings\Lt. Commander\Local Settings\Application Data\PCHealth
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-03-12 10:33 . 2013-12-07 11:46    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-03-12 10:33 . 2013-12-07 11:46    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-03-05 11:42 . 2014-02-03 17:50    40776    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2014-02-05 23:26 . 2001-08-18 12:00    920064    ----a-w-    c:\windows\system32\wininet.dll
2014-02-05 23:26 . 2001-08-18 12:00    43520    ------w-    c:\windows\system32\licmgr10.dll
2014-02-05 23:26 . 2001-08-18 12:00    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2014-02-05 23:26 . 2001-08-18 12:00    18944    ------w-    c:\windows\system32\corpol.dll
2014-02-05 22:24 . 2013-12-07 04:26    385024    ------w-    c:\windows\system32\html.iec
2014-01-04 03:13 . 2001-08-18 12:00    420864    ----a-w-    c:\windows\system32\vbscript.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-12-07 04:47    321752    ----a-w-    c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-07-28 49152]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NUSB3MON"="c:\program files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2011-04-15 113288]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2013-12-07 3568312]
"nwiz"="nwiz.exe" [2003-07-28 323584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"TraySantaCruz"="c:\windows\system32\tbctray.exe" [2001-08-29 307200]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2013-03-01 161384]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2014-03-05 40776]
R3 PSMounter;Macrium Reflect Image Explorer Service;c:\windows\system32\drivers\psmounter.sys [2012-08-21 53952]
S0 aswRvrt;avast! Revert; [x]
S0 aswVmm;avast! VM Monitor; [x]
S0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\DRIVERS\pssnap.sys [2012-08-21 16064]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2013-12-07 774392]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2013-12-07 403440]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2013-12-07 35656]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-12-07 70384]
S2 ReflectService.exe;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [2012-08-21 224960]
S3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2001-08-29 142336]
S3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2001-08-29 524288]
.
.
Contents of the 'Scheduled Tasks' folder
.
2014-03-12 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-12-07 10:33]
.
2014-03-12 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2013-12-07 04:47]
.
.
------- Supplementary Scan -------
.

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 4.2.2.2

.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-03-12 04:26
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1409082233-884357618-1801674531-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_12_0_0_77_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_12_0_0_77_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"v5Licence0"="15-UREQ-A55H-B76Z-N4K9-5Y91-PQMGW8D"
"Activated"="Y"
.
Completion time: 2014-03-12  04:29:05
ComboFix-quarantined-files.txt  2014-03-12 11:29
.
Pre-Run: 116,153,933,824 bytes free
Post-Run: 116,234,362,880 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP" /FASTDETECT
.
- - End Of File - - CBB309FDA78A62241D074F1FF410847C
A36C5E4F47E84449FF07ED3517B43A31


Robert
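Two things in the log above would catch a reviewer's eye before anything else: the standard firewall profile has "EnableFirewall"= 0, and several avast! drivers are listed with "; [x]" in place of an image path. The script below is an added example, not code from this thread, from ComboFix or from Malwarebytes; it parses the "Reg Loading Points" line shapes (REGEDIT4-style [key] headers, "name"=value lines, and the start-type;name;display;path [date size] service lines) and returns those findings plus autorun entries with a relative image path. The excerpt it runs on is constructed to mirror the posted log.

```python
import re

# Constructed excerpt modelled on the "Reg Loading Points" section of the
# ComboFix log posted in this thread (same line shapes, not the original log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2013-12-07 3568312]
"nwiz"="nwiz.exe" [2003-07-28 323584]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2013-03-01 161384]
S0 aswRvrt;avast! Revert; [x]
S0 aswVmm;avast! VM Monitor; [x]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2013-12-07 774392]
"""

# "[key]" header lines and "name"=value lines of the REGEDIT4-style dump.
REG_KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
# Service/driver lines: "<start> <name>;<display>;<image path> [<date> <size>]";
# ComboFix prints "; [x]" when it cannot locate an image file for the entry.
SERVICE_RE = re.compile(
    r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);'
    r'(?P<path>[^\[]*?)\s*\[(?P<meta>[^\]]*)\]\s*$'
)
# Drive-letter or %VAR%-rooted paths count as absolute for autorun purposes.
ABSOLUTE_PATH_RE = re.compile(r'^(?:[A-Za-z]:\\|%[^%]+%\\)')


def parse_registry(text):
    """Map (key, value name) -> raw value text for every quoted value in the dump."""
    entries = {}
    current_key = None
    for line in text.splitlines():
        key_match = REG_KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        value_match = REG_VALUE_RE.match(line)
        if value_match and current_key is not None:
            entries[(current_key, value_match.group("name"))] = value_match.group("value").strip()
    return entries


def parse_services(text):
    """Return one dict (start, name, display, path, meta) per service line, in log order."""
    return [m.groupdict() for m in map(SERVICE_RE.match, text.splitlines()) if m]


def triage(text):
    """Return (category, detail) findings a reviewer would look at first."""
    findings = []
    for (key, name), value in parse_registry(text).items():
        key_lc = key.lower()
        # Windows Firewall profile switched off through the policy value.
        if "firewallpolicy" in key_lc and name.lower() == "enablefirewall" and value.startswith("0"):
            findings.append(("firewall_disabled", key))
        # Autorun entries without an absolute image path are resolved through the
        # search path at logon, so they deserve a look even when they are benign.
        if key_lc.endswith(r"\currentversion\run"):
            image = re.match(r'"([^"]*)"', value)
            if image and not ABSOLUTE_PATH_RE.match(image.group(1)):
                findings.append(("relative_autorun", name))
    for svc in parse_services(text):
        # "[x]" with an empty path: no file was located for this service/driver.
        if svc["meta"].strip() == "x" or not svc["path"]:
            findings.append(("service_missing_file", svc["name"]))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category}: {detail}")
```

On the constructed excerpt it reports the disabled standard firewall profile, the nwiz autorun with a bare "nwiz.exe" image, and the two avast! drivers with no located file; whether any of those is malicious is still the reviewer's call.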


Hello Kevin,

 

I ran a full system scan with Avast
after combo fix and it found this:


It recommended doing a boot-time scan
which I did and it found this:

File C:\System volume information\_restore{E25274F5-321C-4C3D-A322-8F6F5F7F5B9F}\RP38\A0013219.exe is infected by Win32:Mobogenie-O [Adw]

I selected 2 to fix all automatically and it was moved to the quarantine chest.

I then did another full system scan with Avast
and it came up clean.

Robert


We can only deal with one system in this thread; if you have another PC with issues please open another thread when this one is finished.

 

We continue; do not worry about CF, just run it from the Downloads folder...

 

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the Codebox below into it:

ClearJavaCache::

 

Save this as CFScript.txt, and as Type: All Files (*.*) in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

 

Next,

 

We need to run an online AV scan to ensure there are no remnants of any infection left on your system that may have been missed. This scan is very thorough and well worth running, it can take several hours please be patient and let it complete:

 

Run Eset Online Scanner

 

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

 

Go to Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.

 


Turn off the real time scanner of any existing antivirus program while performing the online scan
click on the Run ESET Online Scanner button
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the add/on to be installed
Click Start
Make sure that the option Remove found threats is unticked
Click on Advanced Settings, ensure the options
Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
Click Scan
wait for the virus definitions to be downloaded
Wait for the scan to finish

 

When the scan is complete

 


If no threats were found
put a checkmark in "Uninstall application on close"
close program
report to me that nothing was found

 

If threats were found

 


click on "list of threats found"
click on "export to text file" and save it as ESET SCAN and save to the desktop
Click on back
put a checkmark in "Uninstall application on close"
click on finish

 

close program

 

copy and paste the report in next reply

 

Next,

 

Download Security Check by screen317 from either of the following:

http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe

Save it to your Desktop. (If your security software alerts, either accept the alert or turn the security off while Security Check runs.)

Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.

A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

Let me see those logs, and also give an update on any remaining issues or concerns.

 

Kevin

 


Hello Kevin,

Here's the ComboFix log. During the process it gave me a message that a newer version of ComboFix
was available and did I want to install it? I was halfway through so I said yes and it downloaded/installed
and continued without interruption.


ComboFix 14-03-13.01 - Lt. Commander 03/14/2014   2:26.2.1 - x86
Running from: c:\documents and settings\Lt. Commander\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Lt. Commander\My Documents\Downloads\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
 * Created a new restore point
.
.
(((((((((((((((((((((((((   Files Created from 2014-02-14 to 2014-03-14  )))))))))))))))))))))))))))))))
.
.
2014-03-14 09:05 . 2014-03-14 09:05    --------    d-----w-    c:\windows\LastGood
2014-03-12 11:31 . 2014-03-12 11:31    5777288    ----a-w-    c:\windows\system32\FlashPlayerInstaller.exe
2014-03-10 01:00 . 2014-03-10 01:01    --------    d-----w-    C:\FRST
2014-03-05 11:47 . 2014-03-05 11:47    --------    d-----w-    c:\program files\HitmanPro
2014-03-05 11:45 . 2014-03-05 11:50    --------    d-----w-    c:\documents and settings\All Users\Application Data\HitmanPro
2014-03-05 04:10 . 2008-04-14 00:12    26624    ----a-w-    c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2014-02-17 00:29 . 2014-02-17 00:29    --------    d-----w-    c:\documents and settings\Lt. Commander\Local Settings\Application Data\PCHealth
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-03-12 11:31 . 2013-12-07 11:46    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-03-12 11:31 . 2013-12-07 11:46    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-03-05 11:42 . 2014-02-03 17:50    40776    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2014-02-05 23:26 . 2001-08-18 12:00    920064    ----a-w-    c:\windows\system32\wininet.dll
2014-02-05 23:26 . 2001-08-18 12:00    43520    ------w-    c:\windows\system32\licmgr10.dll
2014-02-05 23:26 . 2001-08-18 12:00    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2014-02-05 23:26 . 2001-08-18 12:00    18944    ------w-    c:\windows\system32\corpol.dll
2014-02-05 22:24 . 2013-12-07 04:26    385024    ------w-    c:\windows\system32\html.iec
2014-01-04 03:13 . 2001-08-18 12:00    420864    ----a-w-    c:\windows\system32\vbscript.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-12-07 04:47    321752    ----a-w-    c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-07-28 49152]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NUSB3MON"="c:\program files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2011-04-15 113288]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2013-12-07 3568312]
"nwiz"="nwiz.exe" [2003-07-28 323584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"TraySantaCruz"="c:\windows\system32\tbctray.exe" [2001-08-29 307200]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2013-03-01 161384]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2014-03-05 40776]
R3 PSMounter;Macrium Reflect Image Explorer Service;c:\windows\system32\drivers\psmounter.sys [2012-08-21 53952]
S0 aswRvrt;avast! Revert; [x]
S0 aswVmm;avast! VM Monitor; [x]
S0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\DRIVERS\pssnap.sys [2012-08-21 16064]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2013-12-07 774392]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2013-12-07 403440]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2013-12-07 35656]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-12-07 70384]
S2 ReflectService.exe;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [2012-08-21 224960]
S3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2001-08-29 142336]
S3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2001-08-29 524288]
.
.
Contents of the 'Scheduled Tasks' folder
.
2014-03-12 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-12-07 11:31]
.
2014-03-14 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2013-12-07 04:47]
.
.
------- Supplementary Scan -------
.

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 4.2.2.2

.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-03-14 02:33
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1409082233-884357618-1801674531-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_12_0_0_77_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_12_0_0_77_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"v5Licence0"="15-UREQ-A55H-B76Z-N4K9-5Y91-PQMGW8D"
"Activated"="Y"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3064)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
.
Completion time: 2014-03-14  02:35:25
ComboFix-quarantined-files.txt  2014-03-14 09:35
ComboFix2.txt  2014-03-12 11:29
.
Pre-Run: 116,101,136,384 bytes free
Post-Run: 116,086,448,128 bytes free
.
- - End Of File - - D9FC41E1D9C6FE05D281B0C9046C70D4
A36C5E4F47E84449FF07ED3517B43A31


I tried (4) times to run the AV scan afterwards but it gave me this:


Robert


Hello Kevin,

You're absolutely right; I forgot it had to be run on IE
to run the scan. However, when I tried to do so IE
opens but does not respond, or it closes after I select
either of the choices below. I have tried this half a
dozen times with the same results. I don't know why
it's giving me this message. We did have a power
outage about a week ago but I don't recall I had IE
running at the time on the 8200 or that it was being
used at all, but I was using the 8500 which came up
ok afterwards.

[screenshots of the IE error messages]

 

If I can get the scan to run should I leave the Anti-virus
and Firewall off? I thought so, since you didn't say
otherwise and it was right after ComboFix.

Also yesterday, the yellow triangle with exclamation
mark appeared in the system tray and downloaded and
installed (7) updates during the logoff procedure. However,
when I try to open Windows Update to check for any
updates it does nothing.

Robert


If you cannot get ESET to run try this one:

Download Dr Web Cureit from here http://www.freedrweb.com/cureit save to your desktop. (Scroll to bottom of page)

 

  • The file will be randomly named
  • Reboot to safe mode
  • Run Dr Web
  • Tick the I agree box and select continue
  • Click select objects for scanning
  • Tick all boxes as shown
  • Click the wrench and select automatically apply actions to threats
  • Press start scan
  • The scan will now commence
  • Once the scan has finished click open report
  • A notepad will open
  • Select File > Save as..
  • Save it to your desktop

 

This log will be excessive; attach it to your next reply.

 

Next,

 

Download Farbar Service Scanner from here: http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/ and run it on the computer with the issue.

Make sure the following options are checked:

 

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender

Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

 

Kevin.....


Hello Kevin,

I downloaded Dr. Web but it doesn't give me the
option to save to my desktop and I tried right clicking
also. I did save the log to the desktop but I don't know
how to attach it.


When FSS finished it gave me this:

EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is OK.
The ImagePath of EventSystem: "C:\WINDOWS\System32\svchost.exe -k netsvcs".
The ServiceDll of EventSystem: "C:\WINDOWS\System32\es.dll".


Windows Autoupdate Disabled Policy:
============================


Other Services:
==============


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
aswTdi(8) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x080000000500000001000000020000000300000004000000080000000600000007000000
IpSec Tag value is correct.

**** End of log ****


Here is the FSS.txt

Farbar Service Scanner Version: 25-02-2014
Ran by Lt. Commander (administrator) on 16-03-2014 at 03:31:16
Running from "C:\Documents and Settings\Lt. Commander\My Documents\Downloads"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Network
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is OK.
The ImagePath of EventSystem: "C:\WINDOWS\System32\svchost.exe -k netsvcs".
The ServiceDll of EventSystem: "C:\WINDOWS\System32\es.dll".


Windows Autoupdate Disabled Policy:
============================


Other Services:
==============


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
aswTdi(8) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x080000000500000001000000020000000300000004000000080000000600000007000


Under the reply box is "More Reply Options" tab, select that. That will open more options under the reply box, select "Browse" to navigate to the file, double click on the file to load to your reply, then select "Attach This File" to do that....

 

From FSS log Background Intelligent Transfer Service (BITS) is not running, currently set to demand only, we need to set that to Automatic....

 

Select Windows key and R key together, RUN box should open, type services.msc into the run box and hit enter. Services window will open...

 

Scroll to Background Intelligent Transfer Service (BITS) right click on that service and select "Properties" In the new window hit the drop down tag for "Startup type" change that to "Automatic" or "Automatic (delayed start)" if available. Select > Apply > OK.

 

Close those windows, reboot and run FSS one more time, post fresh log...

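The FSS output posted above, and the fix that follows it (resetting the BITS start type from Demand back to Automatic), lend themselves to a small triage script. The following is an added example, not part of this thread and not code from Farbar or Malwarebytes: it reads an FSS.txt in the format shown (stopped services, start types that differ from the default, ImagePath/ServiceDll values FSS prints out, and File Check lines) and emits the sc.exe commands equivalent to the services.msc steps above. The sample log is constructed from the lines posted in the thread; the names triage_fss and suggest_fixes, and the assumption that any File Check verdict other than "MD5 is legit" should be flagged, are this example's own, not the tool's.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines copied from the first FSS log quoted in the thread,
# trimmed to the sections this script reads.
SAMPLE_FSS_LOG = r"""
Farbar Service Scanner Version: 25-02-2014
Ran by Lt. Commander (administrator) on 16-03-2014 at 03:31:16
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Network
****************************************************************

Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is OK.
The ImagePath of EventSystem: "C:\WINDOWS\System32\svchost.exe -k netsvcs".
The ServiceDll of EventSystem: "C:\WINDOWS\System32\es.dll".

File Check:
========
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit

Extra List:
=======
aswTdi(8) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)

**** End of log ****
"""


@dataclass
class ServiceFinding:
    name: str
    stopped: bool = False
    start_type: Optional[str] = None         # actual start type, set only when FSS says it differs
    default_start_type: Optional[str] = None
    details: List[str] = field(default_factory=list)  # ImagePath/ServiceDll values FSS printed verbatim


@dataclass
class FssTriage:
    boot_mode: Optional[str] = None
    services: Dict[str, ServiceFinding] = field(default_factory=dict)
    file_check_failures: List[Tuple[str, str]] = field(default_factory=list)

    def service(self, name: str) -> ServiceFinding:
        return self.services.setdefault(name, ServiceFinding(name))

    @property
    def stopped(self) -> List[str]:
        return [s.name for s in self.services.values() if s.stopped]

    @property
    def start_type_mismatches(self) -> Dict[str, Tuple[str, str]]:
        return {s.name: (s.start_type, s.default_start_type)
                for s in self.services.values() if s.start_type is not None}


_BOOT = re.compile(r"^Boot Mode: (.+)$")
_NOT_RUNNING = re.compile(r"^(\S+) Service is not running\.")
_START_TYPE = re.compile(r"^The start type of (\S+) service is set to (\w+)\. The default start type is (\w+)\.")
_DETAIL = re.compile(r'^The (ImagePath|ServiceDll) of (\S+?)(?: service)?: "(.*)"')


def triage_fss(text: str) -> FssTriage:
    """Parse FSS.txt text into the findings a helper looks at first."""
    result = FssTriage()
    in_file_check = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("=", "*")):   # section underlines, banner lines
            continue
        if in_file_check and " => " in line:
            path, verdict = line.split(" => ", 1)
            if verdict != "MD5 is legit":              # assumption: anything else is worth a look
                result.file_check_failures.append((path, verdict))
            continue
        if m := _BOOT.match(line):
            result.boot_mode = m.group(1)
        elif m := _NOT_RUNNING.match(line):
            result.service(m.group(1)).stopped = True
        elif m := _START_TYPE.match(line):
            svc = result.service(m.group(1))
            svc.start_type, svc.default_start_type = m.group(2), m.group(3)
        elif m := _DETAIL.match(line):
            result.service(m.group(2)).details.append(f"{m.group(1)}={m.group(3)}")
        elif line.endswith(":"):                       # section header such as "File Check:"
            in_file_check = (line == "File Check:")
    return result


_SC_START = {"Auto": "auto", "Demand": "demand", "Disabled": "disabled", "Boot": "boot", "System": "system"}


def suggest_fixes(triage: FssTriage) -> List[str]:
    """sc.exe commands (elevated cmd prompt) mirroring the services.msc steps:
    restore the default start type of each mismatched service, then start the
    stopped ones. Note the mandatory space after 'start='."""
    cmds = [f"sc config {name} start= {_SC_START.get(default, default.lower())}"
            for name, (_actual, default) in triage.start_type_mismatches.items()]
    cmds += [f"sc start {name}" for name in triage.stopped]
    return cmds


if __name__ == "__main__":
    t = triage_fss(SAMPLE_FSS_LOG)
    print("boot mode:", t.boot_mode)
    print("stopped:", t.stopped)
    print("start type mismatches:", t.start_type_mismatches)
    print("file check failures:", t.file_check_failures)
    print("\n".join(suggest_fixes(t)))
```

One caveat the two logs in the thread illustrate: the first FSS run reports "Boot Mode: Network" (the user had just been told to reboot into safe mode), and in that mode several services are legitimately not started, so a "not running" line there is weak evidence on its own; the second run, in Normal mode, reports no stopped services. The start-type mismatch for BITS (Demand instead of Auto) is the finding that holds in either mode, which is why it is the one worth fixing.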

Hello Kevin,

 

I've attached the Dr.Web log and changed the settings for FSS to automatic and ran another scan. It gave me this log upon finishing which is the only one I could find.

 

Farbar Service Scanner Version: 25-02-2014
Ran by Lt. Commander (administrator) on 17-03-2014 at 03:42:05
Running from "C:\Documents and Settings\Lt. Commander\My Documents\Downloads"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Other Services:
==============


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
aswTdi(8) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x080000000500000001000000020000000300000004000000080000000600000007000000
IpSec Tag value is correct.

**** End of log ****

 

 

cureit.log


Hello Kevin,

 

The Dr Web scan found (3) threats and quarantined (2) and I'm concerned about the one that
didn't get quarantined. Also, I still get the message at Start-up that my Firewall is turned off, then
it resets itself. Single click still does not function and the quick launch Tool bar is still hidden and
I have to open it each time I logon. Windows Update still won't open with a right click although it did
update via the system tray icon. I tried installing Malwarebytes again and it failed and gave me this:

 

Setup

 

CoCreateInstance failed; code 0x80040154

Class not registered.

 

then after I clicked finish and attempted to close it

 

vbAccelerator SGrid II Control

 

Run-time error '0'

 

then Malwarebytes Anti-Malware

Run-time error '440' Automation error

 

I then tried to install SuperAntiSpyware again and it gave me :

 

Install Error

Error creating shortcuts, aborting installation.

 

I tried installing Spywareblaster again and it gave me this:

 

CoCreateInstance failed; code 0x80040154

Class not registered.

 

then Error: Access violation at 0x73483F5A (tried to read from
0x00000014), program terminated. Last CP is 'RF'.

 

Robert


Dr Web found 3 and quarantined 3 according to the log?

 

quick launch Tool bar is still hidden - which toolbar do you refer to?

 

Regarding the single left click, do you mean when opening folders? if so that can be reset via folder options....

 

As you have issue installing Malwarebytes run the following then try once more.. If successful run Quick scan after updating and post log..

 

Please download RKill from here: http://www.bleepingcomputer.com/download/rkill/

 

There are three buttons to choose from with different names on, select the first one and save it to your desktop.

 

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log. Please post this in your next reply.
  • If you do not see the black box flash on the screen delete the icon from the desktop and go back to the link for the download, select the next button and try to run the tool again, continue to repeat this process using the remaining buttons until the tool runs. You will find further links if you scroll down the page with other names, try them one at a time.
  • If the tool does not run from any of the links provided, please let me know.


If you want to open Desktop icons with a single click you will have to change the setting in "Folder Options" the default setting is double click to open... You will have to change that to "Single" > apply > ok... I attach image..

 

The buttons I refer to regarding RKill are at the d/l link of Bleeping Computers.... I attach image

 

Regarding Quick launch Toolbar, where is that installed I`m not really sure what you refer to, I have a Quick launch icon on my Taskbar,

 

Did you try to Install Malwarebytes after running RKill?


Hello Kevin,

I thought I had replied to this but it apparently didn't take.

 

I saw the DR Web as quarantining (2)

 

The toolbar is called 'quick Launch' and has Mozilla Firefox,

Mozilla Thunderbird and Show Desktop icons.

 

The single click refers to the desktop icons.

 

Here's the RKill log:

 

Rkill 2.6.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 03/19/2014 08:40:54 AM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Reparse Point/Junctions Found (Most likely legitimate)!

     * C:\WINDOWS\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a => C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492 [Dir]

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1       localhost

Program finished at: 03/19/2014 08:42:03 AM
Execution time: 0 hours(s), 1 minute(s), and 9 seconds(s)
 

 

I did not  see three buttons nor a desktop icon.

 

Robert


This topic is now closed to further replies.