Suspicious files in my document folder



Post by yekkers on Fri Mar 02, 2012 3:02 pm

I ran Malwarebytes AV which deleted 2 of those files, though there is still one file in there, by the name of "h9phcwpt41.exe". Also, I'm unable to turn on windows security automatic updates. I will post the MBAM log in the next post.


Re: Suspicious files in my document folder

Post by yekkers on Fri Mar 02, 2012 3:03 pm

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
[You must be registered and logged in to see this link.]

Database version: v2012.03.02.02

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.19190
Lou :: LOU-PC [administrator]

Protection: Disabled

02/03/2012 21:47:45
mbam-log-2012-03-02 (21-47-45).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 194816
Time elapsed: 5 minute(s), 26 second(s)

Memory Processes Detected: 2
C:\Users\Lou\ogkyuu6grr.exe (Trojan.Agent) -> 3636 -> Delete on reboot.
C:\Users\Lou\1rxzhicpme.exe (Trojan.Agent) -> 4128 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 4
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|ogkyuu6grr (Trojan.Agent) -> Data: C:\Users\Lou\ogkyuu6grr.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|1rxzhicpme (Trojan.Agent) -> Data: C:\Users\Lou\1rxzhicpme.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|{D4A15A75-574C-AD7D-A4E8-B6B78D5195AA} (Spyware.Zeus) -> Data: C:\Users\Lou\AppData\Roaming\Onxe\isad.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Windows Time (Trojan.Passwords) -> Data: rundll32.exe "C:\ProgramData\ImwurkImpokn.dll",EntryPoint -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 9
C:\Users\Lou\ogkyuu6grr.exe (Trojan.Agent) -> Delete on reboot.
C:\Users\Lou\1rxzhicpme.exe (Trojan.Agent) -> Delete on reboot.
C:\Users\Lou\AppData\Roaming\Onxe\isad.exe (Spyware.Zeus) -> Quarantined and deleted successfully.
C:\ProgramData\ImwurkImpokn.dll (Trojan.Passwords) -> Quarantined and deleted successfully.
C:\Users\Lou\AppData\Local\temp\4174898.exe (Spyware.Zeus) -> Quarantined and deleted successfully.
C:\Users\Lou\AppData\Local\temp\tmp91ca5a18\loaderl.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Lou\AppData\Local\temp\tmp9bdea2db\loaders.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Lou\AppData\Local\temp\tmpeed4c4fc\loaderl.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\temp\ogkD434.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

(end)


Re: Suspicious files in my document folder

Post by Superdave on Mon Mar 05, 2012 2:09 am

Hello and welcome to GeekPolice.Net. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer, you will have to download any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device, hold the shift key down for about 10 secs while inserting the USB storage device. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*****************************************************************
SUPERAntiSpyware

If you already have SUPERAntiSpyware be sure to check for updates before scanning!


Download [You must be registered and logged in to see this link.]
* Double-click the icon on your desktop to run the installer.
* When asked to Update the program definitions, click Yes
* If you encounter any problems while downloading the updates, manually download and unzip them from [You must be registered and logged in to see this link.]
* Next click the Preferences button.
* Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
* Click the Scanning Control tab.
* Under Scanner Options make sure only the following are checked:
  • Close browsers before scanning
  • Scan for tracking cookies
  • Terminate memory threats before quarantining
  Please leave the others unchecked
* Click the Close button to leave the control center screen.
* On the main screen click Scan your computer
* On the left check the box for the drive you are scanning.
* On the right choose Perform Complete Scan
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete a summary box will appear. Click OK
* Make sure everything in the white box has a check next to it, then click Next
* It will quarantine what it found and if it asks if you want to reboot, click Yes
* To retrieve the removal information please do the following:
  • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
  • Click Preferences. Click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • It will open in your default text editor (preferably Notepad).
  • Save the notepad file to your desktop by clicking (in notepad) File > Save As...
  • Save the log somewhere you can easily find it. (normally the desktop)
* Click close and close again to exit the program.
* Copy and paste the log in your post.
*********************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

* Double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
****************************************************
Download DDS from [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.] and save it to your desktop.

* Vista users: right-click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

* XP users Double click on dds to run it.
* If your antivirus or firewall try to block DDS then please allow it to run.
* When finished DDS will open two (2) logs:
  1) DDS.txt
  2) Attach.txt
* Save both reports to your desktop.
* The instructions here ask you to attach the Attach.txt. Instead of attaching, please copy/paste both logs into your thread.

Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log by copying and pasting it into the reply.

* Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control [You must be registered and logged in to see this link.]. Then post your DDS logs (DDS.txt and Attach.txt).


Re: Suspicious files in my document folder

Post by yekkers on Mon Mar 05, 2012 5:41 pm

Hello Dave. Thanks for taking the time and effort to help me out!
---------------------------------------------------------------------------------
I followed your instructions on the SAS scan but it didn't detect anything, so I don't have a log. The "h9phcwpt41.exe" program is still in C:\Users\Lou\ though.

I will post the contents of checkup.txt from Security Check by screen317 in the post below.


Re: Suspicious files in my document folder

Post by yekkers on Mon Mar 05, 2012 5:42 pm

Results of screen317's Security Check version 0.99.31
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 8 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
SUPERAntiSpyware
Java(TM) 6 Update 13
Java(TM) 6 Update 2
Java(TM) 6 Update 5
Java version out of date!
Adobe Flash Player 10.3.183.7 Flash Player out of Date!
Adobe Reader 8 Adobe Reader out of date!
Mozilla Firefox (10.0.2)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSASCui.exe
Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe is disabled!
Windows Defender MSASCui.exe
``````````End of Log````````````


Re: Suspicious files in my document folder

Post by yekkers on Mon Mar 05, 2012 5:45 pm

The contents of DDS.txt from DDS are below

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19190 BrowserJavaVersion: 1.6.0_13
Run by Lou at 1:16:33 on 2012-03-06
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2037.1147 [GMT 8:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\FileOpen\Services\FileOpenManagerSvc32.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Hp\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\FileOpen\Services\FileOpenBroker32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Users\Lou\h9phcwpt41.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\wmiprvse.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\conime.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
.
============== Pseudo HJT Report ===============
.
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DivX Plus Web Player HTML5


Re: Suspicious files in my document folder

Post by yekkers on Mon Mar 05, 2012 5:47 pm

The contents of Attach.txt from DDS are below

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 16/01/2008 18:21:28
System Uptime: 05/03/2012 17:35:32 (8 hours ago)
.
Motherboard: Hewlett-Packard | | 30D9
Processor: Intel(R) Core(TM)2 Duo CPU T5450 @ 1.66GHz | CPU | 1667/667mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 138 GiB total, 67.81 GiB free.
D: is FIXED (NTFS) - 11 GiB total, 2.082 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0000
Manufacturer: Microsoft
Name: 6TO4 Adapter
PNP Device ID: ROOT\*6TO4MP\0000
Service: tunnel
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
Activation Assistant for the 2007 Microsoft Office suites
Ad-Aware 2007
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.3
Adobe Shockwave Player
Adobe Shockwave Player 11
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Atheros Driver Installation Program
Atheros USB WLAN Installer
Bonjour
Brother HL-2035
Chinese Traditional Fonts Support For Adobe Reader 8
Compatibility Pack for the 2007 Office system
Conexant HD Audio
Cute Knight Kingdom Fyrrion
CyberLink YouCam
D3DX10
Dev-C++ 5 beta 9 release (4.9.9.2)
DHTML Editing Component
DivX Setup
DVD Suite
EA Link
ESU for Microsoft Vista
FIFA 2000 Demo
FileOpen Client
Futuremark SystemInfo
Game Maker 8.0
GIMP 2.6.7
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
GoToMeeting 4.8.0.723
GTK DBF Editor (remove only)
Hewlett-Packard Active Check
Hewlett-Packard Asset Agent for Health Check
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Customer Experience Enhancements
HP Doc Viewer
HP DVD Play 3.6
HP Easy Setup - Frontend
HP Help and Support
HP Quick Launch Buttons 6.30 E2
HP Total Care Advisor
HP Update
HP User Guides 0093
HP Wireless Assistant
Intel(R) Matrix Storage Manager
Intel(R) TV Wizard
Java(TM) 6 Update 13
Java(TM) 6 Update 2
Java(TM) 6 Update 5
Junk Mail filter update
LabelPrint
LiveUpdate (Symantec Corporation)
Malwarebytes Anti-Malware version 1.60.1.1000
Mesh Runtime
Messenger Companion
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Home and Student 2007
Microsoft Office Live Add-in 1.5
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works
MiKTeX 2.8
MobileMe Control Panel
Mozilla Firefox 10.0.2 (x86 en-GB)
MSCU for Microsoft Vista
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
muvee autoProducer 6.1
My HP Games
NetWaiting
Norton Security Scan
OGA Notifier 2.0.0048.0
Opera 10.61
PageBreeze Free HTML Editor
PDF-Viewer
Pdf995
PdfEdit995
Point Position 1.0
Power2Go
PowerDirector
QuickTime
Realtek 8139 and 8139C+ Ethernet Network Card Driver for Windows Vista
Riva FLV Encoder 2.0
Safari
Secrets of the Masters Trading Game
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Segoe UI
Simpo PDF Merge & Split 2.2.1.0
Skype Toolbars
Skype™ 5.3
Smart Menus (Windows Live Toolbar)
Spelling Dictionaries Support For Adobe Reader 8
SUPER © Version 2008.bld.30 (Mar 22, 2008)
SUPERAntiSpyware
SWF & FLV Toolbox 3.5 (build 3.5.20.286)
TC2000 v11
thinkorswim
TickInvest 1.0.5
Tomb Raider - The Last Revelation
Touch Pad Driver
Tunatic
Unity Web Player
Universal Document Converter
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
VC 9.0 Runtime
VC80CRTRedist - 8.0.50727.4053
Veoh Web Player
Version 1.55
VideoLAN VLC media player 0.8.6d
Viewpoint Media Player
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Mail
Windows Live Mesh
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live Messenger Companion Core
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live Remote Client
Windows Live Remote Client Resources
Windows Live Remote Service
Windows Live Remote Service Resources
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Windows Media Player Firefox Plugin
WinRAR archiver
WinShell
Wolfram Mathematica 7 (M-WIN-L 7.0.0 1148351)
Wolfram Notebook Indexer 2.0
.
==== Event Viewer Messages From Past Week ========
.
29/02/2012 21:00:22, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 001F3A1C0F47 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
05/03/2012 16:15:00, Error: Service Control Manager [7001] - The MBAMService service depends on the MBAMProtector service which failed to start because of the following error: A device attached to the system is not functioning.
05/03/2012 16:15:00, Error: Service Control Manager [7000] - The MBAMProtector service failed to start due to the following error: A device attached to the system is not functioning.
05/03/2012 16:13:38, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SASDIFSV SASKUTIL
05/03/2012 03:13:29, Error: Service Control Manager [7000] - The SASKUTIL service failed to start due to the following error: A device attached to the system is not functioning.
04/03/2012 23:15:20, Error: Service Control Manager [7000] - The MBAMSwissArmy service failed to start due to the following error: A device attached to the system is not functioning.
01/03/2012 16:59:52, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Font Cache Service service to connect.
01/03/2012 16:59:52, Error: Service Control Manager [7000] - The Windows Font Cache Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
.
==== End Of File ===========================


Re: Suspicious files in my document folder

Post by Superdave on Mon Mar 05, 2012 6:07 pm

Looking over your log it seems you don't have any antivirus software.

Before we continue download and install a free antivirus.

Remember to only install one antivirus!

1) [You must be registered and logged in to see this link.]
2) [You must be registered and logged in to see this link.]
3) [You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.]
3-a) [You must be registered and logged in to see this link.]
4) [You must be registered and logged in to see this link.] (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" if you choose this one)
5) [You must be registered and logged in to see this link.]

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.
***************************************************
The "h9phcwpt41.exe" program is still in C:\Users\Lou\ though.
That is the exe file for VeohWebPlayer. You can see it here:
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Users\Lou\h9phcwpt41.exe
If you don't want it you will have to uninstall VeohWebPlayer. Is that the only thing that was bothering you about the computer?


Update Your Java (JRE)

Old versions of Java have vulnerabilities that malware can use to infect your system.


First [You must be registered and logged in to see this link.]

If there are any other version(s) installed then update now.

Get the new version (if needed)

If your version is out of date install the newest version of the [You must be registered and logged in to see this link.].

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Be sure to close ALL open web browsers before starting the installation.

Remove any old versions

1. Download [You must be registered and logged in to see this link.] and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions
3. Once complete exit JavaRA.

Additional Note: [You must be registered and logged in to see this link.] adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer

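Added example, not from this thread and not part of Malwarebytes, DDS or any other tool used in it: a small Python triage script that applies the checks an incident responder would apply to the HKCU\...\Run values in the MBAM log earlier in the thread and to the process paths in the DDS log. It flags a target that lives in a user-writable location (the profile root, AppData, ProgramData, a temp directory), a rundll32 entry that loads a DLL from outside the Windows directory, and a file name that looks machine-generated. The sample input is constructed from the logs posted above (the four quarantined Run values, Veoh's own process path and C:\Users\Lou\h9phcwpt41.exe from the DDS process list, svchost.exe as a control) plus one benign Run value, SunJavaUpdateSched, added for contrast; the thresholds in looks_randomised are assumptions. On that input it flags C:\Users\Lou\h9phcwpt41.exe for the same two reasons as the two Trojan.Agent files MBAM removed from the same directory, while Veoh's installed binary under Program Files passes, which is why a practitioner verifies such a file (hash, signature, parent process) rather than attributing it to an installed product by name.

```python
import re
from pathlib import PureWindowsPath

# Sample input, constructed from the logs posted in this thread: the four
# HKCU\Software\Microsoft\Windows\CurrentVersion\Run values MBAM quarantined,
# plus one benign-looking value (SunJavaUpdateSched) added for contrast.
RUN_VALUES = {
    "ogkyuu6grr": r"C:\Users\Lou\ogkyuu6grr.exe",
    "1rxzhicpme": r"C:\Users\Lou\1rxzhicpme.exe",
    "{D4A15A75-574C-AD7D-A4E8-B6B78D5195AA}": r"C:\Users\Lou\AppData\Roaming\Onxe\isad.exe",
    "Windows Time": r'rundll32.exe "C:\ProgramData\ImwurkImpokn.dll",EntryPoint',
    "SunJavaUpdateSched": r'"C:\Program Files\Java\jre6\bin\jusched.exe"',  # constructed
}

# Process image paths taken from the DDS "Running Processes" list.
PROCESS_PATHS = [
    r"C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe",
    r"C:\Users\Lou\h9phcwpt41.exe",
    r"C:\Windows\system32\svchost.exe -k netsvcs",
]

# Locations an unprivileged user, and therefore malware running as that user,
# can write to. Installed software normally runs from Program Files or Windows.
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\appdata\\", "\\temp\\")

_QUOTED_IMAGE = re.compile(r'^"([^"]+)"')
_UNQUOTED_IMAGE = re.compile(r"(.+?\.exe)", re.IGNORECASE)
_RUNDLL_TARGET = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?', re.IGNORECASE)


def extract_image(command):
    """Split a Run-key command line into (image_path, loaded_dll_or_None).

    Handles quoted paths, trailing arguments and the rundll32 "<dll>,<entry>"
    form; in the rundll32 case the DLL is the real payload, so it is returned
    separately from the (legitimate) rundll32.exe host.
    """
    command = command.strip()
    rundll = _RUNDLL_TARGET.search(command)
    dll = rundll.group(1) if rundll else None
    quoted = _QUOTED_IMAGE.match(command)
    if quoted:
        return quoted.group(1), dll
    unquoted = _UNQUOTED_IMAGE.match(command)
    return (unquoted.group(1) if unquoted else command.split()[0]), dll


def looks_randomised(path):
    """Heuristic for machine-generated names such as ogkyuu6grr.exe (assumed thresholds).

    Flags a stem of eight or more alphanumeric characters that mixes letters
    and digits, or that contains a run of five or more consonants. Product
    binaries such as veohwebplayer.exe, jusched.exe and svchost.exe fail both.
    """
    stem = PureWindowsPath(path).stem.lower()
    if len(stem) < 8 or not stem.isalnum():
        return False
    mixed = any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem)
    consonant_run = re.search(r"[bcdfghjklmnpqrstvwxz]{5,}", stem) is not None
    return mixed or consonant_run


def assess(command):
    """Return the reasons a Run-key command or process path deserves verification."""
    image, dll = extract_image(command)
    payload = dll or image           # for rundll32 entries judge the DLL, not the host
    low = payload.lower()
    reasons = []
    if any(marker in low for marker in USER_WRITABLE_MARKERS):
        reasons.append("image in user-writable location")
    if dll and not low.startswith("c:\\windows\\"):
        reasons.append("rundll32 loading a DLL from outside the Windows directory")
    if looks_randomised(payload):
        reasons.append("randomised file name")
    return reasons


def triage(run_values, process_paths):
    """Map every Run value (keyed as Run\\<name>) and process path to its reasons."""
    findings = {f"Run\\{name}": assess(cmd) for name, cmd in run_values.items()}
    findings.update({path: assess(path) for path in process_paths})
    return findings


if __name__ == "__main__":
    for item, reasons in triage(RUN_VALUES, PROCESS_PATHS).items():
        print(f"{'VERIFY' if reasons else 'ok    '} {item}  {'; '.join(reasons)}")
```

Heuristics like these rank what to look at; they do not decide. For each flagged item, check the file's hash against a reputation source, check whether it carries a valid digital signature, and confirm which process or Run value started it before calling it benign or malicious.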

Re: Suspicious files in my document folder

Post by yekkers on Mon Mar 05, 2012 7:59 pm

Just installed Comodo as AntiVirus and downloaded the latest Java and everything else like you instructed.
If you don't want it you will have to uninstall VeohWebPlayer. Is that the only thing that was bothering you about the computer?
I just uninstalled VeohWebPlayer. But I can't turn on automatic updates in Windows Security Center though. It will give me the message:
Security Center can't change your automatic updating settings.


Re: Suspicious files in my document folder

Post by Superdave on Mon Mar 05, 2012 11:53 pm

But I can't turn on automatic updates in Windows Security Center though. It will give me the message:

Security Center can't change your automatic updating settings..
[You must be registered and logged in to see this link.] should help with that problem. Please let me know.


Re: Suspicious files in my document folder

Post by yekkers on Tue Mar 06, 2012 10:26 am

When I ran regsvr32 wuaueng.dll, I got the message
The module "wuaueng.dll" was loaded but the call to DllRegisterServer failed with error code 0x80070005.
And when I tried to run regsvr32 wucltui.dll it said
The module "wucltui.dll" failed to load.

Make sure the binary is stored at the specified path or debug it to check for problems with the binary or dependant .DLL files.

The specified module could not be found.

The others work fine though.


Re: Suspicious files in my document folder

Post by Superdave on Tue Mar 06, 2012 7:34 pm

Can you now turn on Updates?


Re: Suspicious files in my document folder

Post by yekkers on Wed Mar 07, 2012 8:30 am

Nope, I can't. I still keep getting the "Security Center can't change your automatic updating settings" error, and when I tried to run the modules in [You must be registered and logged in to see this link.], it just gives me the error messages in post 11.


Re: Suspicious files in my document folder

Post by Superdave on Wed Mar 07, 2012 7:25 pm

1. Download this diagnostics tool [You must be registered and logged in to see this link.] and save this to your Desktop.
2. Double-click on MGADiag.exe and click Continue
3. When the program has finished, click on Copy
4. Post the results in your next reply.
*************************************************
Open Notepad and create a file with the following contents:

Code:
@echo off
REM Re-register the Windows Update client components (Vista/7 file names).
REM DllRegisterServer writes to HKLM, so run this from an elevated prompt
REM (right-click > Run as administrator): the 0x80070005 seen earlier is
REM E_ACCESSDENIED, which is what an unelevated regsvr32 returns.
REM /s suppresses the success/failure dialogs; remove it to see each result.
regsvr32 /s wuapi.dll
regsvr32 /s wuaueng.dll
regsvr32 /s wups.dll
regsvr32 /s wups2.dll
regsvr32 /s wuwebv.dll
regsvr32 /s wucltux.dll
regsvr32 /s wudriver.dll

  • Save it as "fix.bat" (include the quotes) on your desktop.
  • Double click it to run. A black DOS window will open and close - this is normal.
  • If this went well, delete fix.bat and restart your computer.


Re: Suspicious files in my document folder

Post by yekkers on Wed Mar 07, 2012 9:51 pm

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Online Validation Code: N/A, hr = 0xc004f012
Windows Product Key: *****-*****-27HYQ-XTKW2-WQD8Q
Windows Product Key Hash: U8YEZzymoD4DMyaMb32rPrNIS90=
Windows Product ID: 89578-OEM-7332157-00061
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.0.6002.2.00010300.2.0.003
ID: {F677D1CA-696A-4F27-B6E2-E4C660498E69}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows Vista (TM) Home Premium
Architecture: 0x00000000
Build lab: 6002.vistasp2_gdr.111025-0338
TTS Error:
Validation Diagnostic:
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: 6.0.6002.16398

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: 2.0.48.0
OGAExec.exe Signed By: Microsoft
OGAAddin.dll Signed By: Microsoft

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Home and Student 2007 - 100 Genuine
OGA Version: Registered, 2.0.48.0
Signed By: Microsoft
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: ~[Filtered]~

Spsys.log Content: 0x80070002

Licensing Data-->
Software licensing service version: 6.0.6002.18005
Name: Windows(TM) Vista, HomePremium edition
Description: Windows Operating System - Vista, OEM_SLP channel
Activation ID: bffdc375-bbd5-499d-8ef1-4f37b61c895f
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 89578-00146-321-500061-02-2057-6000.0000-0942008
Installation ID: 003623670156145974760833202945443424779670226016037732
Processor Certificate URL: [You must be registered and logged in to see this link.]
Machine Certificate URL: [You must be registered and logged in to see this link.]
Use License URL: [You must be registered and logged in to see this link.]
Product Key Certificate URL: [You must be registered and logged in to see this link.]
Partial Product Key: WQD8Q
License Status: Licensed

Windows Activation Technologies-->
N/A

HWID Data-->
N/A, hr = 0x8007000d

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20000
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC HPQOEM SLIC-MPC
FACP HP SPARTAN
HPET HPQOEM SLIC-MPC
BOOT HPQOEM SLIC-MPC
MCFG HPQOEM SLIC-MPC
ASF! HPQOEM SLIC-MPC
SLIC HPQOEM SLIC-MPC
SSDT PmRef CpuPm




Re: Suspicious files in my document folder

Post by yekkers on Wed Mar 07, 2012 9:53 pm

I have also followed your instructions on running the "fix.bat" program.


Re: Suspicious files in my document folder

Post by Superdave on Wed Mar 07, 2012 11:36 pm

[You must be registered and logged in to see this link.] wrote:I have also followed your instructions on running the "fix.bat" program.

Any change?


Re: Suspicious files in my document folder

Post by yekkers on Thu Mar 08, 2012 8:21 am

Still can't turn on Updates.


Re: Suspicious files in my document folder

Post by Superdave on Thu Mar 08, 2012 2:57 pm

Still can't turn on Updates..
Please take a look at [You must be registered and logged in to see this link.] to see if it helps.


Re: Suspicious files in my document folder

Post by yekkers on Sun Mar 11, 2012 7:48 pm

Please take a look at this to see if it helps.

No, doesn't work, Dave, Updates won't turn on no matter what. This is starting to get to me :sad:


Re: Suspicious files in my document folder

Post by Superdave on Mon Mar 12, 2012 1:19 am

I'm going to check with my colleagues about this problem.


Re: Suspicious files in my document folder

Post by Superdave on Mon Mar 12, 2012 7:23 pm

Can you go to MS and get your updates?

Do you have your OS CD/DVD?

If so,

1/ Click the Start button.

2/ From the Start Menu, Click All programs followed by Accessories.

3/ In the Accessories menu, Right Click on the Command Prompt option.

4/ From the drop down menu that appears, Click on the Run as administrator option.

5/ If you have the User Account Control (UAC) enabled you will be asked for authorisation prior to the command prompt opening. You may simply need to press the Continue button if you are the administrator or insert the administrator password etc.

6/ In the Command Prompt window, type: sfc /scannow and then press Enter.

7/ A message will appear stating that the system scan will begin.

8/ Be patient because the scan may take some time.

9/ If any files require replacing SFC will replace them. You may be asked to insert your Vista DVD for this process to continue.

10/ If everything is okay you should, after the scan, see the following message Windows resource protection did not find any integrity violations.

11/ After the scan has completed, Close the command prompt window.


Re: Suspicious files in my document folder

Post by yekkers on Mon Mar 12, 2012 10:06 pm

[You must be registered and logged in to see this link.] wrote:Can you go to MS and get your updates?

You mean go to their websites and get it? If so, then when I try to do it, I will keep getting redirected to [You must be registered and logged in to see this link.], which just tells me to turn on updates.

[You must be registered and logged in to see this link.] wrote:Do you have your OS CD/DVD?

If so,

1/ Click the Start button......
I don't have the Vista disk. I ran your instructions anyway but it never asked for the disk, and it showed the message Windows resource protection did not find any integrity violations. Still can't turn on updates.


Re: Suspicious files in my document folder

Post by Superdave on Mon Mar 12, 2012 11:19 pm

Basically, what that is telling you is that your IE browser is not up-to-date. The Security check shows that you have IE8, so that shouldn't be a problem. Why not try to update to IE9 and see what happens? You can find it on that site. Also, could you please check this? Right-click My Computer, select Manage. Select Services and Applications and double-click on Services. Check and see what the status of Automatic Updates and Background Intelligent Transfer Service is. They should be set to Automatic.


Re: Suspicious files in my document folder

Post by yekkers on Tue Mar 13, 2012 10:20 am

[You must be registered and logged in to see this link.] wrote:Basically, what that is telling you that your IE browser is not up-to-date. The Security check shows that you have IE8 so that shouldn't be a problem. Why not try to update to IE9 and see what happens? You can find it on that site.

Just updated to IE9, but nothing's changed. Still can't turn on Updates.
Select Services and Applications and double-click on Services. Check and see what the status of Automatic Updates and Background Intelligent Transfer Service is. They should be set to Automatic.
That's interesting. I see Automatic LiveUpdate (which I'm sure is Symantec, not MS) and Base Filtering Engine, but I don't see either of the services Automatic Updates and Background Intelligent Transfer Service. They seem to be missing.

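Scripting the Services check Superdave asks for above, as an added example that is not code from either poster and not a replacement for the steps in the thread: it assumes the service short names wuauserv and BITS (the thread refers to the services by display name only), reports a service as missing rather than failing, which is the case yekkers describes, and goes a step further by flagging a start-up type other than Automatic or a service image path outside System32\svchost.exe.

```powershell
# Added example, not from either poster: automate the "Services" check from the
# thread so a missing or mis-configured service is reported instead of eyeballed.
# Assumption: the thread names the services by display name only; the short names
# below (wuauserv, BITS) are the ones Windows uses in the registry and in sc.exe.
$expected = @(
    @{ Name = 'wuauserv'; Display = 'Windows Update (Automatic Updates)' },
    @{ Name = 'BITS';     Display = 'Background Intelligent Transfer Service' }
)

# Both services normally run inside svchost.exe from the system directory; an image
# path anywhere else is worth a closer look.
$expectedHost = "$env:SystemRoot\System32\svchost.exe*"

foreach ($svc in $expected) {
    $regKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"

    # Win32_Service exposes StartMode (Auto/Manual/Disabled), the column the Services
    # console labels "Startup Type", plus the command line the service is started with.
    $info = Get-WmiObject -Class Win32_Service -Filter "Name='$($svc.Name)'"

    if ($null -eq $info) {
        # Not enumerated at all: the situation yekkers reports. Distinguish a service
        # whose registry key is gone from one the service control manager cannot load.
        if (Test-Path $regKey) {
            Write-Output ("MISSING  {0} ({1}): registry key exists but the service is not registered" -f $svc.Name, $svc.Display)
        } else {
            Write-Output ("MISSING  {0} ({1}): no service entry and no registry key at {2}" -f $svc.Name, $svc.Display, $regKey)
        }
        continue
    }

    # The thread expects both services to be set to Automatic.
    $startup = if ($info.StartMode -eq 'Auto') { 'Automatic (ok)' } else { "$($info.StartMode) (expected Automatic)" }

    # -like is case-insensitive and treats backslashes literally, so the path compares as-is.
    $pathNote = if ($info.PathName -like $expectedHost) { 'ok' } else { 'UNEXPECTED image path, inspect' }

    Write-Output ("FOUND    {0} ({1}): state={2} startup={3} path={4} [{5}]" -f `
        $svc.Name, $svc.Display, $info.State, $startup, $info.PathName, $pathNote)
}
```

Run it from an elevated PowerShell prompt; a line starting with MISSING for either service reproduces the finding in yekkers' post above.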

Re: Suspicious files in my document folder

Post by Superdave on Tue Mar 13, 2012 5:32 pm

Download Combofix from any of the links below, and save it to your desktop.

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

To prevent your anti-virus application interfering with ComboFix we need to disable it. See [You must be registered and logged in to see this link.] for a tutorial regarding how to do so if you are unsure.

  • Close any open windows and double click ComboFix.exe to run it.

    You will see the following image:



Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:



As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.



Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


Re: Suspicious files in my document folder

Post by yekkers on Tue Mar 13, 2012 7:23 pm

ComboFix 12-03-13.01 - Lou 14/03/2012 2:48.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2037.1249 [GMT 8:00]
Running from: c:\users\Lou\Desktop\ComboFix.exe
AV: COMODO Antivirus *Disabled/Updated* {7554F4C5-5EC0-2FC6-8192-8DF831DBED51}
SP: COMODO Defense+ *Disabled/Updated* {CE351521-78FA-2048-BB22-B68A4A5CA7EC}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\~GLH0014.TMP
c:\windows\system32\drivers\39f53c95945612ae.sys . . . . Failed to delete
c:\windows\system32\drivers\e100b325.sys . . . . Failed to delete
.
Infected copy of c:\windows\system32\drivers\ntfs.sys was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\ntfs.sys
Infected copy of c:\windows\system32\drivers\asyncmac.sys was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\asyncmac.sys
Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - c:\windows\System32\DriverStore\FileRepository\cdrom.inf_c949a5b6\cdrom.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_39f53c95945612ae
-------\Service_39f53c95945612ae
-------\Service_E100B
.
.
((((((((((((((((((((((((( Files Created from 2012-02-13 to 2012-03-13 )))))))))))))))))))))))))))))))
.
.
2012-03-13 18:59 . 2012-03-13 19:02 -------- d-----w- c:\users\Lou\AppData\Local\temp
2012-03-13 18:59 . 2012-03-13 18:59 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-03-13 18:59 . 2012-03-13 18:59 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-13 18:43 . 2012-03-13 18:43 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-03-13 17:58 . 2012-03-13 17:58 -------- d-----w- c:\users\Lou\AppData\Local\Comodo
2012-03-13 09:06 . 2012-03-13 09:06 -------- d--h--w- c:\windows\msdownld.tmp
2012-03-11 21:54 . 2012-03-11 21:54 -------- d-----w- c:\users\Lou\AppData\Local\Microsoft Corporation
2012-03-11 21:53 . 2012-03-11 21:53 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2012-03-07 21:36 . 2012-03-07 21:40 -------- d-----w- C:\MGADiagToolOutput
2012-03-05 19:13 . 2012-03-05 19:13 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2012-03-05 19:13 . 2012-03-05 19:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-05 18:58 . 2012-03-05 19:45 -------- d-----w- c:\programdata\CPA_VA
2012-03-05 18:51 . 2012-03-05 18:58 -------- d-----w- c:\programdata\Comodo
2012-03-05 18:48 . 2012-03-05 18:48 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2012-03-05 18:48 . 2012-03-05 18:49 -------- d-----w- c:\program files\COMODO
2012-03-04 19:13 . 2012-03-04 19:13 -------- d-----w- c:\users\Lou\AppData\Roaming\SUPERAntiSpyware.com
2012-03-04 19:13 . 2012-03-04 19:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-03-04 19:13 . 2012-03-04 19:13 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-03-02 13:24 . 2012-03-02 13:24 43352 ----a-w- c:\windows\system32\drivers\58eb7.sys
2012-02-29 10:27 . 2012-03-02 13:53 -------- d-----w- c:\users\Lou\AppData\Roaming\Onxe
2012-02-29 10:27 . 2012-03-02 13:20 -------- d-----w- c:\users\Lou\AppData\Roaming\Veuhen
2012-02-21 13:06 . 1998-11-22 06:23 84992 ----a-w- c:\windows\system32\Ledit32.dll
2012-02-21 13:06 . 1998-11-18 03:40 89600 ----a-w- c:\windows\system32\Leocx32.ocx
2012-02-21 13:06 . 1998-06-25 16:00 644400 ----a-w- c:\windows\system32\Mscomct2.ocx
2012-02-21 13:06 . 1998-06-23 16:00 369696 ----a-w- c:\windows\system32\Comct332.ocx
2012-02-21 13:06 . 2012-02-21 13:07 -------- d-----w- c:\program files\PageBreeze
2012-02-21 13:06 . 2008-09-12 06:55 1245184 ----a-w- c:\windows\system32\ChilkatCert.dll
2012-02-21 13:06 . 2008-09-12 06:50 1105920 ----a-w- c:\windows\system32\ChilkatFtp2.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-08 06:03 . 2012-03-02 08:50 6552120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{81B92148-B0DB-4FD1-9999-A6DD375EC2AD}\mpengine.dll
2012-01-28 21:10 . 2010-05-02 21:28 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-17 13:00 . 2012-01-17 13:00 491816 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2012-01-12 19:52 . 2012-02-16 09:00 2044416 ----a-w- c:\windows\system32\win32k.sys
2011-12-19 10:59 . 2011-12-19 10:59 82400 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-12-19 10:59 . 2011-12-19 10:59 38616 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-12-19 10:59 . 2011-12-19 10:59 19600 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-12-19 10:58 . 2011-12-19 10:58 33984 ----a-w- c:\windows\system32\cmdcsr.dll
2011-12-19 10:58 . 2011-12-19 10:58 301224 ----a-w- c:\windows\system32\guard32.dll
2011-12-15 06:22 . 2012-02-16 09:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-02-17 13:14 . 2011-05-08 10:16 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 10:06 163328 --sh--r- c:\windows\System32\flvDX.dll
2007-02-21 11:47 31232 --sh--r- c:\windows\System32\msfDX.dll
2007-12-17 13:43 27648 --sh--w- c:\windows\System32\Smab0.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-11-09 4240760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^Lou^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Lou\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 01:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-10-25 04:44 212992 ----a-w- c:\program files\Apoint2K\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 15:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO]
2011-11-23 10:27 208184 ----a-w- c:\program files\COMODO\COMODO GeekBuddy\CLPSLA.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Internet Security]
2011-12-20 16:41 6676808 ----a-w- c:\program files\COMODO\COMODO Internet Security\cfp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPA]
2011-11-23 10:27 182584 ----a-w- c:\program files\COMODO\COMODO GeekBuddy\VALA.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-02-15 01:32 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileOpenBroker]
2011-10-21 07:08 724352 ----a-w- c:\program files\FileOpen\Services\FileOpenBroker32.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-02-11 20:13 166424 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 15:24 54840 ----a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2007-10-03 23:15 480560 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2007-10-03 23:44 178712 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-02-11 20:13 141848 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2012-01-13 06:53 981680 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-02-11 20:13 133656 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
2007-09-28 00:05 202032 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2007-10-01 03:34 181544 ----a-w- c:\program files\Hp\QuickPlay\QPService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 23:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 06:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-03-29 21:59 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
2007-09-14 00:32 222504 ------w- c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R1 58eb7;1rxzhicpme.exe;c:\windows\system32\drivers\58eb7.sys [2012-03-02 43352]
R4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 39F53C95945612AE
*NewlyCreated* - WS2IFSL
*Deregistered* - 39f53c95945612ae
*Deregistered* - FileOpenWebPublisherScreenHookDriver
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-12 22:44]
.
2012-03-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-12 22:44]
.
2011-02-28 c:\windows\Tasks\Norton Security Scan for Lou.job
- c:\progra~1\NORTON~2\Engine\310~1.21\Nss.exe [2011-02-28 14:02]
.
2012-03-13 c:\windows\Tasks\User_Feed_Synchronization-{A7F3F3D5-62F7-427C-B5D4-201B298E7C61}.job
- c:\windows\system32\msfeedssync.exe [2012-02-16 04:44]
.
.
------- Supplementary Scan -------
.
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-GB\local\search.html
IE: Add to Windows &Live Favorites - [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: o2.co.uk\*.broadband
TCP: DhcpNameServer = 203.185.0.35 203.185.0.36
TCP: Interfaces\{1B476100-CBD2-4DB2-B7ED-0C4B02C3BD76}: NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{B9B091AA-3F61-4407-8F4F-838AD2721C82}: NameServer = 8.26.56.26,156.154.70.22
FF - ProfilePath - c:\users\Lou\AppData\Roaming\Mozilla\Firefox\Profiles\i1isjn8p.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-1117921776.www.telechart.com - c:\program files\Microsoft Silverlight\4.0.60129.0\Silverlight.Configuration.exe
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\39f53c95945612ae]
"ImagePath"="\SystemRoot\System32\Drivers\39f53c95945612ae.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\FileOpen\Services\FileOpenManagerSvc32.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\conime.exe
.
**************************************************************************
.
Completion time: 2012-03-14 03:09:21 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-13 19:09
ComboFix2.txt 2010-08-07 16:16
.
Pre-Run: 89,004,785,664 bytes free
Post-Run: 88,956,080,128 bytes free
.
- - End Of File - - D0D6261F0ED0C2433130E648BE9F9EAD


Re: Suspicious files in my document folder

Post by yekkers on Tue Mar 13, 2012 7:27 pm

I can't open the ComboFix.txt file, or any program, right now. It gives me the error message Illegal operation attempted on a registry key that has been marked for deletion.


Re: Suspicious files in my document folder

Post by yekkers on Tue Mar 13, 2012 7:36 pm

Just noticed that there is some weird file called catchme.txt that has appeared on the Desktop. From the sounds of it, this just can't be a good file.


Re: Suspicious files in my document folder

Post by Superdave on Tue Mar 13, 2012 10:12 pm

Illegal operation attempted on a registry key that has been marked for deletion.
A reboot will fix that.
Just noticed that there is some weird file called catchme.txt that has appeared on the Desktop. From the sounds of it, this just can't be a good file.
That's part of ComboFix. Just leave it.

Re-running ComboFix to remove infections:


  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

    KillAll::

    File::
    c:\windows\system32\drivers\39f53c95945612ae.sys
    c:\windows\system32\drivers\e100b325.sys
    Firefox::
    Trusted Zone: o2.co.uk\*.broadband

    DDS::
    Trusted Zone: o2.co.uk\*.broadband

  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


Re: Suspicious files in my document folder

Post by yekkers on Wed Mar 14, 2012 10:21 am

ComboFix 12-03-13.01 - Lou 14/03/2012 17:54:00.6.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2037.1275 [GMT 8:00]
Running from: c:\users\Lou\Desktop\ComboFix.exe
Command switches used :: c:\users\Lou\Desktop\CFScript.txt
AV: COMODO Antivirus *Disabled/Outdated* {7554F4C5-5EC0-2FC6-8192-8DF831DBED51}
SP: COMODO Defense+ *Disabled/Updated* {CE351521-78FA-2048-BB22-B68A4A5CA7EC}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\system32\drivers\39f53c95945612ae.sys"
"c:\windows\system32\drivers\e100b325.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\39f53c95945612ae.sys . . . . Failed to delete
c:\windows\system32\drivers\e100b325.sys . . . . Failed to delete
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_39f53c95945612ae
-------\Service_39f53c95945612ae
.
.
((((((((((((((((((((((((( Files Created from 2012-02-14 to 2012-03-14 )))))))))))))))))))))))))))))))
.
.
2012-03-14 10:01 . 2012-03-14 10:03 -------- d-----w- c:\users\Lou\AppData\Local\temp
2012-03-14 10:01 . 2012-03-14 10:01 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-03-14 10:01 . 2012-03-14 10:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-13 18:43 . 2012-03-13 18:43 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-03-13 17:58 . 2012-03-13 17:58 -------- d-----w- c:\users\Lou\AppData\Local\Comodo
2012-03-13 09:06 . 2012-03-13 09:06 -------- d--h--w- c:\windows\msdownld.tmp
2012-03-11 21:54 . 2012-03-11 21:54 -------- d-----w- c:\users\Lou\AppData\Local\Microsoft Corporation
2012-03-11 21:53 . 2012-03-11 21:53 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2012-03-07 21:36 . 2012-03-07 21:40 -------- d-----w- C:\MGADiagToolOutput
2012-03-05 19:13 . 2012-03-05 19:13 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2012-03-05 19:13 . 2012-03-05 19:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-05 18:58 . 2012-03-05 19:45 -------- d-----w- c:\programdata\CPA_VA
2012-03-05 18:51 . 2012-03-05 18:58 -------- d-----w- c:\programdata\Comodo
2012-03-05 18:48 . 2012-03-05 18:48 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2012-03-05 18:48 . 2012-03-05 18:49 -------- d-----w- c:\program files\COMODO
2012-03-04 19:13 . 2012-03-04 19:13 -------- d-----w- c:\users\Lou\AppData\Roaming\SUPERAntiSpyware.com
2012-03-04 19:13 . 2012-03-04 19:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-03-04 19:13 . 2012-03-04 19:13 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-03-02 13:24 . 2012-03-02 13:24 43352 ----a-w- c:\windows\system32\drivers\58eb7.sys
2012-02-29 10:27 . 2012-03-02 13:53 -------- d-----w- c:\users\Lou\AppData\Roaming\Onxe
2012-02-29 10:27 . 2012-03-02 13:20 -------- d-----w- c:\users\Lou\AppData\Roaming\Veuhen
2012-02-16 09:00 . 2012-01-12 19:52 2044416 ----a-w- c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-08 06:03 . 2012-03-02 08:50 6552120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{81B92148-B0DB-4FD1-9999-A6DD375EC2AD}\mpengine.dll
2012-01-28 21:10 . 2010-05-02 21:28 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-17 13:00 . 2012-01-17 13:00 491816 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-12-19 10:59 . 2011-12-19 10:59 82400 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-12-19 10:59 . 2011-12-19 10:59 38616 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-12-19 10:59 . 2011-12-19 10:59 19600 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-12-19 10:58 . 2011-12-19 10:58 33984 ----a-w- c:\windows\system32\cmdcsr.dll
2011-12-19 10:58 . 2011-12-19 10:58 301224 ----a-w- c:\windows\system32\guard32.dll
2012-02-17 13:14 . 2011-05-08 10:16 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 10:06 163328 --sh--r- c:\windows\System32\flvDX.dll
2007-02-21 11:47 31232 --sh--r- c:\windows\System32\msfDX.dll
2007-12-17 13:43 27648 --sh--w- c:\windows\System32\Smab0.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-11-09 4240760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^Lou^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Lou\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 01:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-10-25 04:44 212992 ----a-w- c:\program files\Apoint2K\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 15:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO]
2011-11-23 10:27 208184 ----a-w- c:\program files\COMODO\COMODO GeekBuddy\CLPSLA.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Internet Security]
2011-12-20 16:41 6676808 ----a-w- c:\program files\COMODO\COMODO Internet Security\cfp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPA]
2011-11-23 10:27 182584 ----a-w- c:\program files\COMODO\COMODO GeekBuddy\VALA.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-02-15 01:32 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileOpenBroker]
2011-10-21 07:08 724352 ----a-w- c:\program files\FileOpen\Services\FileOpenBroker32.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-02-11 20:13 166424 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 15:24 54840 ----a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2007-10-03 23:15 480560 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2007-10-03 23:44 178712 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-02-11 20:13 141848 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2012-01-13 06:53 981680 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-02-11 20:13 133656 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
2007-09-28 00:05 202032 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2007-10-01 03:34 181544 ----a-w- c:\program files\Hp\QuickPlay\QPService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 23:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 06:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-03-29 21:59 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
2007-09-14 00:32 222504 ------w- c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R1 58eb7;1rxzhicpme.exe;c:\windows\system32\drivers\58eb7.sys [2012-03-02 43352]
R4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 39F53C95945612AE
*Deregistered* - 39f53c95945612ae
*Deregistered* - FileOpenWebPublisherScreenHookDriver
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-12 22:44]
.
2012-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-12 22:44]
.
2011-02-28 c:\windows\Tasks\Norton Security Scan for Lou.job
- c:\progra~1\NORTON~2\Engine\310~1.21\Nss.exe [2011-02-28 14:02]
.
2012-03-13 c:\windows\Tasks\User_Feed_Synchronization-{A7F3F3D5-62F7-427C-B5D4-201B298E7C61}.job
- c:\windows\system32\msfeedssync.exe [2012-02-16 04:44]
.
.
------- Supplementary Scan -------
.
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-GB\local\search.html
IE: Add to Windows &Live Favorites - [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 203.185.0.35 203.185.0.36
TCP: Interfaces\{1B476100-CBD2-4DB2-B7ED-0C4B02C3BD76}: NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{B9B091AA-3F61-4407-8F4F-838AD2721C82}: NameServer = 8.26.56.26,156.154.70.22
FF - ProfilePath - c:\users\Lou\AppData\Roaming\Mozilla\Firefox\Profiles\i1isjn8p.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\39f53c95945612ae]
"ImagePath"="\SystemRoot\System32\Drivers\39f53c95945612ae.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\FileOpen\Services\FileOpenManagerSvc32.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\conime.exe
.
**************************************************************************
.
Completion time: 2012-03-14 18:10:13 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-14 10:10
ComboFix2.txt 2012-03-14 09:41
ComboFix3.txt 2012-03-13 19:09
ComboFix4.txt 2010-08-07 16:16
.
Pre-Run: 88,764,956,672 bytes free
Post-Run: 88,735,502,336 bytes free
.
- - End Of File - - 4037C3026CC765154B0470AFA9B1BE06

Re: Suspicious files in my document folder

Post by Superdave on Wed Mar 14, 2012 6:39 pm

Copy and paste the text in the code box below into Notepad.
Code:

@echo off
del c:\windows\system32\drivers\39f53c95945612ae.sys
del c:\windows\system32\drivers\e100b325.sys

exit

Then click File > Save as
Save to the Desktop as blackpudding.bat
And Save as type: All Files.

Double-click on blackpudding.bat to run it.
After running this bat file please run ComboFix again and post the log.
*********************************************
SysProt Antirootkit

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

[You must be registered and logged in to see this link.]

Unzip it into a folder on your desktop.

  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items.

    • Process << Selected
    • Kernel Modules << Selected
    • SSDT << Selected
    • Kernel Hooks << Selected
    • IRP Hooks << NOT Selected
    • Ports << NOT Selected
    • Hidden Files << Selected

  • At the bottom of the page

    • Hidden Objects Only << Selected

  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

Re: Suspicious files in my document folder

Post by yekkers on Wed Mar 14, 2012 8:18 pm

In the Write to log box select the following items.

Process << Selected
Kernel Modules << Selected
SSDT << Selected
Kernel Hooks << Selected
IRP Hooks << NOT Selected
Ports << NOT Selected
Hidden Files << Selected
I don't think I understand. Are the items IRP Hooks and Ports originally supposed to be NOT selected, and I have to check those boxes? Or am I supposed to leave the boxes for IRP Hooks and Ports unchecked?

Edit: Nvm I got it.

Re: Suspicious files in my document folder

Post by yekkers on Fri Mar 16, 2012 11:09 am

ComboFix 12-03-13.01 - Lou 15/03/2012 3:39.7.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2037.1300 [GMT 8:00]
Running from: c:\users\Lou\Desktop\ComboFix.exe
AV: COMODO Antivirus *Disabled/Outdated* {7554F4C5-5EC0-2FC6-8192-8DF831DBED51}
SP: COMODO Defense+ *Disabled/Updated* {CE351521-78FA-2048-BB22-B68A4A5CA7EC}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\e100b325.sys
c:\windows\system32\drivers\39f53c95945612ae.sys . . . . Failed to delete
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_39f53c95945612ae
-------\Service_39f53c95945612ae
.
.
((((((((((((((((((((((((( Files Created from 2012-02-14 to 2012-03-14 )))))))))))))))))))))))))))))))
.
.
2012-03-14 19:53 . 2012-03-14 19:53 272 ----a-w- c:\windows\system32\drivers\sfi.dat
2012-03-14 19:48 . 2012-03-14 19:57 -------- d-----w- c:\users\Lou\AppData\Local\temp
2012-03-14 19:48 . 2012-03-14 19:48 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-03-14 19:48 . 2012-03-14 19:48 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-13 18:43 . 2012-03-13 18:43 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-03-13 17:58 . 2012-03-13 17:58 -------- d-----w- c:\users\Lou\AppData\Local\Comodo
2012-03-13 09:06 . 2012-03-13 09:06 -------- d--h--w- c:\windows\msdownld.tmp
2012-03-11 21:54 . 2012-03-11 21:54 -------- d-----w- c:\users\Lou\AppData\Local\Microsoft Corporation
2012-03-11 21:53 . 2012-03-11 21:53 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2012-03-07 21:36 . 2012-03-07 21:40 -------- d-----w- C:\MGADiagToolOutput
2012-03-05 19:13 . 2012-03-05 19:13 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2012-03-05 19:13 . 2012-03-05 19:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-05 18:58 . 2012-03-05 19:45 -------- d-----w- c:\programdata\CPA_VA
2012-03-05 18:51 . 2012-03-05 18:58 -------- d-----w- c:\programdata\Comodo
2012-03-05 18:48 . 2012-03-05 18:48 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2012-03-05 18:48 . 2012-03-05 18:49 -------- d-----w- c:\program files\COMODO
2012-03-04 19:13 . 2012-03-04 19:13 -------- d-----w- c:\users\Lou\AppData\Roaming\SUPERAntiSpyware.com
2012-03-04 19:13 . 2012-03-04 19:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-03-04 19:13 . 2012-03-04 19:13 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-03-02 13:25 . 2012-03-02 13:25 43352 ----a-w- c:\windows\system32\drivers\39f53c95945612ae.sys
2012-02-29 10:27 . 2012-03-02 13:53 -------- d-----w- c:\users\Lou\AppData\Roaming\Onxe
2012-02-29 10:27 . 2012-03-02 13:20 -------- d-----w- c:\users\Lou\AppData\Roaming\Veuhen
2012-02-16 09:00 . 2012-01-12 19:52 2044416 ----a-w- c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-08 06:03 . 2012-03-02 08:50 6552120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{81B92148-B0DB-4FD1-9999-A6DD375EC2AD}\mpengine.dll
2012-01-28 21:10 . 2010-05-02 21:28 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-17 13:00 . 2012-01-17 13:00 491816 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-12-19 10:59 . 2011-12-19 10:59 82400 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-12-19 10:59 . 2011-12-19 10:59 38616 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-12-19 10:59 . 2011-12-19 10:59 19600 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-12-19 10:58 . 2011-12-19 10:58 33984 ----a-w- c:\windows\system32\cmdcsr.dll
2011-12-19 10:58 . 2011-12-19 10:58 301224 ----a-w- c:\windows\system32\guard32.dll
2012-02-17 13:14 . 2011-05-08 10:16 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 10:06 163328 --sh--r- c:\windows\System32\flvDX.dll
2007-02-21 11:47 31232 --sh--r- c:\windows\System32\msfDX.dll
2007-12-17 13:43 27648 --sh--w- c:\windows\System32\Smab0.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-11-09 4240760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^Lou^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Lou\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 01:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-10-25 04:44 212992 ----a-w- c:\program files\Apoint2K\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 15:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO]
2011-11-23 10:27 208184 ----a-w- c:\program files\COMODO\COMODO GeekBuddy\CLPSLA.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Internet Security]
2011-12-20 16:41 6676808 ----a-w- c:\program files\COMODO\COMODO Internet Security\cfp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPA]
2011-11-23 10:27 182584 ----a-w- c:\program files\COMODO\COMODO GeekBuddy\VALA.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-02-15 01:32 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileOpenBroker]
2011-10-21 07:08 724352 ----a-w- c:\program files\FileOpen\Services\FileOpenBroker32.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-02-11 20:13 166424 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 15:24 54840 ----a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2007-10-03 23:15 480560 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2007-10-03 23:44 178712 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-02-11 20:13 141848 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2012-01-13 06:53 981680 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-02-11 20:13 133656 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
2007-09-28 00:05 202032 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2007-10-01 03:34 181544 ----a-w- c:\program files\Hp\QuickPlay\QPService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 23:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 06:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-03-29 21:59 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
2007-09-14 00:32 222504 ------w- c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 25B7BF45801895D6
*NewlyCreated* - 58EB7
*NewlyCreated* - CMDERD
*NewlyCreated* - CMDGUARD
*Deregistered* - 25b7bf45801895d6
*Deregistered* - 58eb7
*Deregistered* - FileOpenWebPublisherScreenHookDriver
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-12 22:44]
.
2012-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-12 22:44]
.
2011-02-28 c:\windows\Tasks\Norton Security Scan for Lou.job
- c:\progra~1\NORTON~2\Engine\310~1.21\Nss.exe [2011-02-28 14:02]
.
2012-03-14 c:\windows\Tasks\User_Feed_Synchronization-{A7F3F3D5-62F7-427C-B5D4-201B298E7C61}.job
- c:\windows\system32\msfeedssync.exe [2012-02-16 04:44]
.
.
------- Supplementary Scan -------
.
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-GB\local\search.html
IE: Add to Windows &Live Favorites - [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 203.185.0.35 203.185.0.36
TCP: Interfaces\{1B476100-CBD2-4DB2-B7ED-0C4B02C3BD76}: NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{B9B091AA-3F61-4407-8F4F-838AD2721C82}: NameServer = 8.26.56.26,156.154.70.22
FF - ProfilePath - c:\users\Lou\AppData\Roaming\Mozilla\Firefox\Profiles\i1isjn8p.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2012-03-15 03:57
Windows 6.0.6002 Service Pack 2 NTFS
.
detected NTDLL code modification:
ZwClose
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\25b7bf45801895d6]
"ImagePath"="\SystemRoot\System32\Drivers\25b7bf45801895d6.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(660)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'Explorer.exe'(2268)
c:\windows\system32\guard32.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\FileOpen\Services\FileOpenManagerSvc32.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\conime.exe
.
**************************************************************************
.
Completion time: 2012-03-15 04:03:28 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-14 20:03
ComboFix2.txt 2012-03-14 10:10
ComboFix3.txt 2012-03-14 09:41
ComboFix4.txt 2012-03-13 19:09
ComboFix5.txt 2012-03-14 19:38
.
Pre-Run: 88,681,222,144 bytes free
Post-Run: 88,134,369,280 bytes free
.
- - End Of File - - B82A610563DC10B2F0CDD571E9825BBE

Re: Suspicious files in my document folder

Post by yekkers on Fri Mar 16, 2012 11:10 am

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
No Hidden Kernel Modules found

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
No hidden files/folders found


Re: Suspicious files in my document folder

Post by Superdave on Fri Mar 16, 2012 6:20 pm

Re-running ComboFix to remove infections:


  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open Notepad and copy/paste the text in the quotebox below into it:

    KillAll::

    File::
    c:\windows\system32\drivers\58eb7.sys
    1rxzhicpme.exe

    Driver::
    R1 58eb7
  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.

***********************************************
Any change in the Windows Update problem?

Re: Suspicious files in my document folder

Post by yekkers on Fri Mar 16, 2012 8:24 pm

ComboFix 12-03-13.01 - Lou 17/03/2012 3:40.8.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2037.1242 [GMT 8:00]
Running from: c:\users\Lou\Desktop\ComboFix.exe
Command switches used :: c:\users\Lou\Desktop\CFScript.txt
AV: COMODO Antivirus *Disabled/Outdated* {7554F4C5-5EC0-2FC6-8192-8DF831DBED51}
SP: COMODO Defense+ *Disabled/Updated* {CE351521-78FA-2048-BB22-B68A4A5CA7EC}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\windows\system32\drivers\58eb7.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\25b7bf45801895d6.sys . . . . Failed to delete
c:\windows\system32\drivers\39f53c95945612ae.sys . . . . Failed to delete
.
Infected copy of c:\windows\system32\drivers\asyncmac.sys was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\asyncmac.sys
Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - c:\windows\System32\DriverStore\FileRepository\cdrom.inf_c949a5b6\cdrom.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_25b7bf45801895d6
-------\Service_25b7bf45801895d6
.
.
((((((((((((((((((((((((( Files Created from 2012-02-16 to 2012-03-16 )))))))))))))))))))))))))))))))
.
.
2012-03-16 19:48 . 2012-03-16 19:51 -------- d-----w- c:\users\Lou\AppData\Local\temp
2012-03-16 19:48 . 2012-03-16 19:48 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-03-16 19:48 . 2012-03-16 19:48 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-14 19:53 . 2012-03-14 19:53 272 ----a-w- c:\windows\system32\drivers\sfi.dat
2012-03-13 18:43 . 2012-03-13 18:43 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-03-13 17:58 . 2012-03-13 17:58 -------- d-----w- c:\users\Lou\AppData\Local\Comodo
2012-03-13 09:06 . 2012-03-13 09:06 -------- d--h--w- c:\windows\msdownld.tmp
2012-03-11 21:54 . 2012-03-11 21:54 -------- d-----w- c:\users\Lou\AppData\Local\Microsoft Corporation
2012-03-11 21:53 . 2012-03-11 21:53 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2012-03-07 21:36 . 2012-03-07 21:40 -------- d-----w- C:\MGADiagToolOutput
2012-03-05 19:13 . 2012-03-05 19:13 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2012-03-05 19:13 . 2012-03-05 19:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-05 18:58 . 2012-03-05 19:45 -------- d-----w- c:\programdata\CPA_VA
2012-03-05 18:51 . 2012-03-05 18:58 -------- d-----w- c:\programdata\Comodo
2012-03-05 18:48 . 2012-03-05 18:48 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2012-03-05 18:48 . 2012-03-05 18:49 -------- d-----w- c:\program files\COMODO
2012-03-04 19:13 . 2012-03-04 19:13 -------- d-----w- c:\users\Lou\AppData\Roaming\SUPERAntiSpyware.com
2012-03-04 19:13 . 2012-03-04 19:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-03-04 19:13 . 2012-03-04 19:13 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-03-02 13:25 . 2012-03-02 13:25 43352 ----a-w- c:\windows\system32\drivers\39f53c95945612ae.sys
2012-02-29 10:27 . 2012-03-02 13:53 -------- d-----w- c:\users\Lou\AppData\Roaming\Onxe
2012-02-29 10:27 . 2012-03-02 13:20 -------- d-----w- c:\users\Lou\AppData\Roaming\Veuhen
2012-02-16 09:00 . 2012-01-12 19:52 2044416 ----a-w- c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-08 06:03 . 2012-03-02 08:50 6552120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{81B92148-B0DB-4FD1-9999-A6DD375EC2AD}\mpengine.dll
2012-01-28 21:10 . 2010-05-02 21:28 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-17 13:00 . 2012-01-17 13:00 491816 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-12-19 10:59 . 2011-12-19 10:59 82400 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-12-19 10:59 . 2011-12-19 10:59 38616 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-12-19 10:59 . 2011-12-19 10:59 19600 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-12-19 10:58 . 2011-12-19 10:58 33984 ----a-w- c:\windows\system32\cmdcsr.dll
2011-12-19 10:58 . 2011-12-19 10:58 301224 ----a-w- c:\windows\system32\guard32.dll
2012-02-17 13:14 . 2011-05-08 10:16 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 10:06 163328 --sh--r- c:\windows\System32\flvDX.dll
2007-02-21 11:47 31232 --sh--r- c:\windows\System32\msfDX.dll
2007-12-17 13:43 27648 --sh--w- c:\windows\System32\Smab0.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-11-09 4240760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^Lou^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Lou\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 01:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-10-25 04:44 212992 ----a-w- c:\program files\Apoint2K\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 15:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO]
2011-11-23 10:27 208184 ----a-w- c:\program files\COMODO\COMODO GeekBuddy\CLPSLA.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Internet Security]
2011-12-20 16:41 6676808 ----a-w- c:\program files\COMODO\COMODO Internet Security\cfp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPA]
2011-11-23 10:27 182584 ----a-w- c:\program files\COMODO\COMODO GeekBuddy\VALA.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-02-15 01:32 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileOpenBroker]
2011-10-21 07:08 724352 ----a-w- c:\program files\FileOpen\Services\FileOpenBroker32.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-02-11 20:13 166424 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 15:24 54840 ----a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2007-10-03 23:15 480560 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2007-10-03 23:44 178712 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-02-11 20:13 141848 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2012-01-13 06:53 981680 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-02-11 20:13 133656 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
2007-09-28 00:05 202032 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2007-10-01 03:34 181544 ----a-w- c:\program files\Hp\QuickPlay\QPService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 23:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 06:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-03-29 21:59 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
2007-09-14 00:32 222504 ------w- c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 25B7BF45801895D6
*Deregistered* - 25b7bf45801895d6
*Deregistered* - FileOpenWebPublisherScreenHookDriver
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-12 22:44]
.
2012-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-12 22:44]
.
2011-02-28 c:\windows\Tasks\Norton Security Scan for Lou.job
- c:\progra~1\NORTON~2\Engine\310~1.21\Nss.exe [2011-02-28 14:02]
.
2012-03-16 c:\windows\Tasks\User_Feed_Synchronization-{A7F3F3D5-62F7-427C-B5D4-201B298E7C61}.job
- c:\windows\system32\msfeedssync.exe [2012-02-16 04:44]
.
.
------- Supplementary Scan -------
.
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-GB\local\search.html
IE: Add to Windows &Live Favorites - [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 203.185.0.35 203.185.0.36
TCP: Interfaces\{1B476100-CBD2-4DB2-B7ED-0C4B02C3BD76}: NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{B9B091AA-3F61-4407-8F4F-838AD2721C82}: NameServer = 8.26.56.26,156.154.70.22
FF - ProfilePath - c:\users\Lou\AppData\Roaming\Mozilla\Firefox\Profiles\i1isjn8p.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2012-03-17 03:50
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\25b7bf45801895d6]
"ImagePath"="\SystemRoot\System32\Drivers\25b7bf45801895d6.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\FileOpen\Services\FileOpenManagerSvc32.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\conime.exe
.
**************************************************************************
.
Completion time: 2012-03-17 03:57:07 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-16 19:57
ComboFix2.txt 2012-03-14 20:03
ComboFix3.txt 2012-03-14 10:10
ComboFix4.txt 2012-03-14 09:41
ComboFix5.txt 2012-03-16 19:38
.
Pre-Run: 88,017,149,952 bytes free
Post-Run: 87,463,014,400 bytes free
.
- - End Of File - - 9591F523E232E8CA93DC9EF4EBF78114

yekkers
Novice

Posts : 48
Joined : 2010-04-30
Points : 24762
# Likes : 0

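As an added example for triaging a log like the one posted above (my code, not part of the thread or of ComboFix), here is a small Python script that splits a ComboFix log into its banner sections and pulls out the entries a helper acts on first: the "Failed to delete" drivers, the Legacy_/Service_ entries, and the registry loading points. The sample log is constructed from lines quoted in this thread, and the pure-hex-name check is a heuristic of my own, not a ComboFix feature.

```python
"""Triage a ComboFix-style log (added example for this thread, not a helper's tool)."""
from __future__ import annotations
import re

# Constructed sample built from lines quoted in the ComboFix log above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\25b7bf45801895d6.sys . . . . Failed to delete
c:\windows\system32\drivers\39f53c95945612ae.sys . . . . Failed to delete
Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\Legacy_25b7bf45801895d6
-------\Service_25b7bf45801895d6
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-11-09 4240760]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll
"""

SECTION_RE = re.compile(r"^\(+\s*(.*?)\s*\)+\s*$")  # "(((( Name ))))" banners
FAILED_RE = re.compile(r"^(?P<path>.+?)\s+(?:\.\s+)+Failed to delete\s*$")
SERVICE_RE = re.compile(r"^-+\\(?:Legacy|Service)_(\S+)$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?:"(?P<quoted>[^"]*)"|(?P<bare>.+))')
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8,}$", re.I)  # heuristic: pure-hex stems like the two Kryptik drivers here

def parse_sections(log: str) -> dict[str, list[str]]:
    """Map each '((( Name )))' banner to its content lines; '.' spacer lines are dropped."""
    sections, current = {"preamble": []}, "preamble"
    for line in (raw.rstrip() for raw in log.splitlines()):
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections

def failed_deletions(sections: dict[str, list[str]]) -> list[str]:
    """Files ComboFix could not delete; typically a driver that is still loaded in memory."""
    matches = (FAILED_RE.match(ln) for ln in sections.get("Other Deletions", []))
    return [m.group("path") for m in matches if m]

def removed_services(sections: dict[str, list[str]]) -> list[str]:
    """Service names behind the Legacy_/Service_ entries ComboFix removed."""
    matches = (SERVICE_RE.match(ln) for ln in sections.get("Drivers/Services", []))
    return sorted({m.group(1) for m in matches if m})

def loading_points(sections: dict[str, list[str]]) -> list[tuple[str, str, str]]:
    """(registry key, value name, target) triples from the 'Reg Loading Points' section."""
    points, key = [], None
    for line in sections.get("Reg Loading Points", []):
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
        elif key and (vm := VALUE_RE.match(line)):
            target = vm["quoted"] if vm["quoted"] is not None else vm["bare"]
            points.append((key, vm["name"], target.strip()))
    return points

def suspicious_driver_names(paths: list[str]) -> list[str]:
    """Paths whose file stem is pure hex: flagged for a closer look, not a verdict."""
    stem = lambda p: p.replace("\\", "/").rsplit("/", 1)[-1].rsplit(".", 1)[0]
    return [p for p in paths if HEX_NAME_RE.match(stem(p))]

def triage(log: str) -> dict:
    """Summary of the findings a helper would act on first."""
    s = parse_sections(log)
    failed = failed_deletions(s)
    return {"failed_deletions": failed, "suspicious_names": suspicious_driver_names(failed),
            "removed_services": removed_services(s), "loading_points": loading_points(s)}
```

Run `triage(SAMPLE_LOG)` to see the two unremovable drivers, their hex-only names flagged, the matching service name, and the autostart values; the same functions work on a full ComboFix.txt read from disk.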

Re: Suspicious files in my document folder

Post by yekkers on Fri Mar 16, 2012 8:26 pm

Any change in the Windows Update problem?
Still no change, can't turn it on.

yekkers
Novice

Posts : 48
Joined : 2010-04-30
Points : 24762
# Likes : 0


Re: Suspicious files in my document folder

Post by Superdave on Sat Mar 17, 2012 1:26 am

Save these instructions so you can have access to them while in Safe Mode.

Please click [You must be registered and logged in to see this link.] to download AVP Tool by Kaspersky.

  • Save it to your desktop.
  • Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
  • Double click the setup file to run it.
  • Click Next to continue.
  • Accept the License agreement and click on next.
  • It will, by default, install it to your desktop folder. Click Next.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked.

  • Hidden Startup Objects
  • System Memory
  • Disk Boot Sectors.
  • My Computer.
  • Also any other drives (Removable that you may have)

Leave the rest of the settings as they appear as default.
  • Then click on Scan at the top right hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized, then click the button that says Neutralize all.
  • If it says it cannot be neutralized, then choose the delete option when prompted.
  • After that is done, click on the reports button at the bottom and save it to file; name it Kas.
  • Save it somewhere convenient like your desktop and post only the detected Virus\malware in the report; it will be at the very top under Detected. Post those results in your next reply.

Note: This tool will self uninstall when you close it so please save the log before closing it.

Superdave
Captain

Posts : 4202
Joined : 2010-02-01
Gender : Male
OS : Windows 8.1 and a dual-boot with XP Home SP3
Protection : MSE, Windows Defender, Windows firewall
Points : 83181
# Likes : 0


Re: Suspicious files in my document folder

Post by yekkers on Sun Mar 18, 2012 8:27 am

My PC shut down on me while AVPTool was scanning. When I booted it back up and ran AVPTool again, when the scan completed, it just said it didn't detect anything. As such, I don't have any logs. Please advise on what to do next.

yekkers
Novice

Posts : 48
Joined : 2010-04-30
Points : 24762
# Likes : 0


Re: Suspicious files in my document folder

Post by Superdave on Sun Mar 18, 2012 5:10 pm

Start Malwarebytes and go to the More Tools tab. There you'll find a button named Run Tool to run FileASSASSIN.

Then browse to these files:
c:\windows\system32\drivers\25b7bf45801895d6.sys
c:\windows\system32\drivers\39f53c95945612ae.sys


Select that file and click OK, then Yes to remove it.
*******************************************************
I'd like to scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    [You must be registered and logged in to see this link.]
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    • Click on to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.

  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Superdave
Captain

Posts : 4202
Joined : 2010-02-01
Gender : Male
OS : Windows 8.1 and a dual-boot with XP Home SP3
Protection : MSE, Windows Defender, Windows firewall
Points : 83181
# Likes : 0


Re: Suspicious files in my document folder

Post by Superdave on Sun Mar 18, 2012 5:45 pm

The module "wuaueng.dll" was loaded but the call to DllRegisterServer failed with error code 0x80070005.
I believe this is what is causing your problem with the Windows Updates.
This site explains why you receive this message, although they only mention XP. Could it be something to do with you not using Adm privileges? [You must be registered and logged in to see this link.] is another site that may help. Please notice that Adm. is also mentioned. If none of these help, I think you should request help from Windows Vista about this problem.

Superdave
Captain

Posts : 4202
Joined : 2010-02-01
Gender : Male
OS : Windows 8.1 and a dual-boot with XP Home SP3
Protection : MSE, Windows Defender, Windows firewall
Points : 83181
# Likes : 0


Re: Suspicious files in my document folder

Post by yekkers on Mon Mar 19, 2012 9:34 pm

Start Malwarebytes and go to the More Tools tab. There you'll find a button named Run Tool to run FileASSASSIN.

Then browse to these files:
c:\windows\system32\drivers\25b7bf45801895d6.sys
c:\windows\system32\drivers\39f53c95945612ae.sys

Select that file and click OK, then Yes to remove it.

FileAssassin was able to remove 39f53c95945612ae.sys, but when I tried to remove 25b7bf45801895d6.sys, I just get the message "You don't have permission to open this file."

yekkers
Novice

Posts : 48
Joined : 2010-04-30
Points : 24762
# Likes : 0


Re: Suspicious files in my document folder

Post by yekkers on Mon Mar 19, 2012 9:34 pm

C:\Qoobox\Quarantine\C\Windows\System32\drivers\_25b7bf45801895d6_.sys.zip a variant of Win32/Rootkit.Kryptik.HT trojan deleted - quarantined
C:\Qoobox\Quarantine\C\Windows\System32\drivers\_39f53c95945612ae_.sys.zip a variant of Win32/Rootkit.Kryptik.HT trojan deleted - quarantined
C:\Users\Lou\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\4b83f3c4-302a17e0 multiple threats deleted - quarantined
C:\Users\Lou\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\77c3a532-53cc42a2 Java/TrojanDownloader.Agent.NAI trojan deleted - quarantined
C:\Users\Lou\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\799c6e88-7e033fcb multiple threats deleted - quarantined
C:\Users\Lou\Videos\Veoh\16_VeohWebPlayerSetup_eng.exe a variant of Win32/Toolbar.Zugo application deleted - quarantined

yekkers
Novice

Posts : 48
Joined : 2010-04-30
Points : 24762
# Likes : 0


Re: Suspicious files in my document folder

Post by yekkers on Mon Mar 19, 2012 9:35 pm

ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
Can not open internet
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=bb4d046c04010c43b47b1ddaaebd0b23
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-03-19 08:38:56
# local_time=2012-03-20 04:38:56 (+0800, China Standard Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1797 16774142 0 6 67394331 103706268 0 0
# compatibility_mode=3073 16777214 80 71 1417 7887021 0 0
# compatibility_mode=5892 16776574 100 100 1209976 169708531 0 0
# compatibility_mode=8192 67108863 100 0 1479 1479 0 0
# compatibility_mode=9217 16777214 0 4 102320204 102320204 0 0
# scanned=278860
# found=6
# cleaned=6
# scan_time=10132
C:\Qoobox\Quarantine\C\Windows\System32\drivers\_25b7bf45801895d6_.sys.zip a variant of Win32/Rootkit.Kryptik.HT trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Windows\System32\drivers\_39f53c95945612ae_.sys.zip a variant of Win32/Rootkit.Kryptik.HT trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Lou\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\4b83f3c4-302a17e0 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Lou\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\77c3a532-53cc42a2 Java/TrojanDownloader.Agent.NAI trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Lou\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\799c6e88-7e033fcb multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Lou\Videos\Veoh\16_VeohWebPlayerSetup_eng.exe a variant of Win32/Toolbar.Zugo application (deleted - quarantined) 00000000000000000000000000000000 C

yekkers
Novice

Posts : 48
Joined : 2010-04-30
Points : 24762
# Likes : 0


Re: Suspicious files in my document folder

Post by Superdave on Mon Mar 19, 2012 10:14 pm

You can use Unlocker to delete that other file. Once you have Unlocker installed, search for that file, right-click on it and select Unlocker; then you should be able to delete it.

You can download and install [You must be registered and logged in to see this link.].

Please try this tool to fix the Update problem and let me know how it goes.

Please download Windows Update fix utility from [You must be registered and logged in to see this link.] and run it.

Superdave
Captain

Posts : 4202
Joined : 2010-02-01
Gender : Male
OS : Windows 8.1 and a dual-boot with XP Home SP3
Protection : MSE, Windows Defender, Windows firewall
Points : 83181
# Likes : 0

