Suspicious files in my document folder


Suspicious files in my document folder

Post by yekkers on Sat 03 Mar 2012, 2:02 am


I ran Malwarebytes AV which deleted 2 of those files, though there is still one file in there, by the name of "h9phcwpt41.exe". Also, I'm unable to turn on windows security automatic updates. I will post the MBAM log in the next post.

yekkers

Newbie Surfer

Posts : 48
Joined : 2010-05-01



Re: Suspicious files in my document folder

Post by Superdave on Wed 14 Mar 2012, 4:32 am

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3

To prevent your anti-virus application interfering with ComboFix we need to disable it. See here [You must be registered and logged in to see this link.] for a tutorial regarding how to do so if you are unsure.

  • Close any open windows and double click ComboFix.exe to run it.

    You will see the following image:



Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:



As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.



Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Superdave
Tech Staff

Posts : 4193
Joined : 2010-02-01
Operating System : Windows 8.1 and a dual-boot with XP Home SP3


Re: Suspicious files in my document folder

Post by yekkers on Wed 14 Mar 2012, 6:23 am

ComboFix 12-03-13.01 - Lou 14/03/2012 2:48.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2037.1249 [GMT 8:00]
Running from: c:\users\Lou\Desktop\ComboFix.exe
AV: COMODO Antivirus *Disabled/Updated* {7554F4C5-5EC0-2FC6-8192-8DF831DBED51}
SP: COMODO Defense+ *Disabled/Updated* {CE351521-78FA-2048-BB22-B68A4A5CA7EC}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\~GLH0014.TMP
c:\windows\system32\drivers\39f53c95945612ae.sys . . . . Failed to delete
c:\windows\system32\drivers\e100b325.sys . . . . Failed to delete
.
Infected copy of c:\windows\system32\drivers\ntfs.sys was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\ntfs.sys
Infected copy of c:\windows\system32\drivers\asyncmac.sys was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\asyncmac.sys
Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - c:\windows\System32\DriverStore\FileRepository\cdrom.inf_c949a5b6\cdrom.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_39f53c95945612ae
-------\Service_39f53c95945612ae
-------\Service_E100B
.
.
((((((((((((((((((((((((( Files Created from 2012-02-13 to 2012-03-13 )))))))))))))))))))))))))))))))
.
.
2012-03-13 18:59 . 2012-03-13 19:02 -------- d-----w- c:\users\Lou\AppData\Local\temp
2012-03-13 18:59 . 2012-03-13 18:59 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-03-13 18:59 . 2012-03-13 18:59 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-13 18:43 . 2012-03-13 18:43 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-03-13 17:58 . 2012-03-13 17:58 -------- d-----w- c:\users\Lou\AppData\Local\Comodo
2012-03-13 09:06 . 2012-03-13 09:06 -------- d--h--w- c:\windows\msdownld.tmp
2012-03-11 21:54 . 2012-03-11 21:54 -------- d-----w- c:\users\Lou\AppData\Local\Microsoft Corporation
2012-03-11 21:53 . 2012-03-11 21:53 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2012-03-07 21:36 . 2012-03-07 21:40 -------- d-----w- C:\MGADiagToolOutput
2012-03-05 19:13 . 2012-03-05 19:13 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2012-03-05 19:13 . 2012-03-05 19:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-05 18:58 . 2012-03-05 19:45 -------- d-----w- c:\programdata\CPA_VA
2012-03-05 18:51 . 2012-03-05 18:58 -------- d-----w- c:\programdata\Comodo
2012-03-05 18:48 . 2012-03-05 18:48 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2012-03-05 18:48 . 2012-03-05 18:49 -------- d-----w- c:\program files\COMODO
2012-03-04 19:13 . 2012-03-04 19:13 -------- d-----w- c:\users\Lou\AppData\Roaming\SUPERAntiSpyware.com
2012-03-04 19:13 . 2012-03-04 19:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-03-04 19:13 . 2012-03-04 19:13 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-03-02 13:24 . 2012-03-02 13:24 43352 ----a-w- c:\windows\system32\drivers\58eb7.sys
2012-02-29 10:27 . 2012-03-02 13:53 -------- d-----w- c:\users\Lou\AppData\Roaming\Onxe
2012-02-29 10:27 . 2012-03-02 13:20 -------- d-----w- c:\users\Lou\AppData\Roaming\Veuhen
2012-02-21 13:06 . 1998-11-22 06:23 84992 ----a-w- c:\windows\system32\Ledit32.dll
2012-02-21 13:06 . 1998-11-18 03:40 89600 ----a-w- c:\windows\system32\Leocx32.ocx
2012-02-21 13:06 . 1998-06-25 16:00 644400 ----a-w- c:\windows\system32\Mscomct2.ocx
2012-02-21 13:06 . 1998-06-23 16:00 369696 ----a-w- c:\windows\system32\Comct332.ocx
2012-02-21 13:06 . 2012-02-21 13:07 -------- d-----w- c:\program files\PageBreeze
2012-02-21 13:06 . 2008-09-12 06:55 1245184 ----a-w- c:\windows\system32\ChilkatCert.dll
2012-02-21 13:06 . 2008-09-12 06:50 1105920 ----a-w- c:\windows\system32\ChilkatFtp2.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-08 06:03 . 2012-03-02 08:50 6552120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{81B92148-B0DB-4FD1-9999-A6DD375EC2AD}\mpengine.dll
2012-01-28 21:10 . 2010-05-02 21:28 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-17 13:00 . 2012-01-17 13:00 491816 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2012-01-12 19:52 . 2012-02-16 09:00 2044416 ----a-w- c:\windows\system32\win32k.sys
2011-12-19 10:59 . 2011-12-19 10:59 82400 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-12-19 10:59 . 2011-12-19 10:59 38616 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-12-19 10:59 . 2011-12-19 10:59 19600 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-12-19 10:58 . 2011-12-19 10:58 33984 ----a-w- c:\windows\system32\cmdcsr.dll
2011-12-19 10:58 . 2011-12-19 10:58 301224 ----a-w- c:\windows\system32\guard32.dll
2011-12-15 06:22 . 2012-02-16 09:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-02-17 13:14 . 2011-05-08 10:16 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 10:06 163328 --sh--r- c:\windows\System32\flvDX.dll
2007-02-21 11:47 31232 --sh--r- c:\windows\System32\msfDX.dll
2007-12-17 13:43 27648 --sh--w- c:\windows\System32\Smab0.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-11-09 4240760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^Lou^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Lou\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 01:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-10-25 04:44 212992 ----a-w- c:\program files\Apoint2K\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 15:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO]
2011-11-23 10:27 208184 ----a-w- c:\program files\COMODO\COMODO GeekBuddy\CLPSLA.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Internet Security]
2011-12-20 16:41 6676808 ----a-w- c:\program files\COMODO\COMODO Internet Security\cfp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPA]
2011-11-23 10:27 182584 ----a-w- c:\program files\COMODO\COMODO GeekBuddy\VALA.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-02-15 01:32 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileOpenBroker]
2011-10-21 07:08 724352 ----a-w- c:\program files\FileOpen\Services\FileOpenBroker32.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-02-11 20:13 166424 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 15:24 54840 ----a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2007-10-03 23:15 480560 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2007-10-03 23:44 178712 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-02-11 20:13 141848 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2012-01-13 06:53 981680 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-02-11 20:13 133656 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
2007-09-28 00:05 202032 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2007-10-01 03:34 181544 ----a-w- c:\program files\Hp\QuickPlay\QPService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 23:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 06:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-03-29 21:59 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
2007-09-14 00:32 222504 ------w- c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R1 58eb7;1rxzhicpme.exe;c:\windows\system32\drivers\58eb7.sys [2012-03-02 43352]
R4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 39F53C95945612AE
*NewlyCreated* - WS2IFSL
*Deregistered* - 39f53c95945612ae
*Deregistered* - FileOpenWebPublisherScreenHookDriver
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-12 22:44]
.
2012-03-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-12 22:44]
.
2011-02-28 c:\windows\Tasks\Norton Security Scan for Lou.job
- c:\progra~1\NORTON~2\Engine\310~1.21\Nss.exe [2011-02-28 14:02]
.
2012-03-13 c:\windows\Tasks\User_Feed_Synchronization-{A7F3F3D5-62F7-427C-B5D4-201B298E7C61}.job
- c:\windows\system32\msfeedssync.exe [2012-02-16 04:44]
.
.
------- Supplementary Scan -------
.
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-GB\local\search.html
IE: Add to Windows &Live Favorites - [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: o2.co.uk\*.broadband
TCP: DhcpNameServer = 203.185.0.35 203.185.0.36
TCP: Interfaces\{1B476100-CBD2-4DB2-B7ED-0C4B02C3BD76}: NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{B9B091AA-3F61-4407-8F4F-838AD2721C82}: NameServer = 8.26.56.26,156.154.70.22
FF - ProfilePath - c:\users\Lou\AppData\Roaming\Mozilla\Firefox\Profiles\i1isjn8p.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-1117921776.www.telechart.com - c:\program files\Microsoft Silverlight\4.0.60129.0\Silverlight.Configuration.exe
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\39f53c95945612ae]
"ImagePath"="\SystemRoot\System32\Drivers\39f53c95945612ae.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\FileOpen\Services\FileOpenManagerSvc32.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\conime.exe
.
**************************************************************************
.
Completion time: 2012-03-14 03:09:21 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-13 19:09
ComboFix2.txt 2010-08-07 16:16
.
Pre-Run: 89,004,785,664 bytes free
Post-Run: 88,956,080,128 bytes free
.
- - End Of File - - D0D6261F0ED0C2433130E648BE9F9EAD

yekkers

Newbie Surfer

Posts : 48
Joined : 2010-05-01


Re: Suspicious files in my document folder

Post by yekkers on Wed 14 Mar 2012, 6:27 am

I can't open the ComboFix.txt file, or any program, right now. It gives me the error message "Illegal operation attempted on a registry key that has been marked for deletion."

yekkers

Newbie Surfer

Posts : 48
Joined : 2010-05-01


Re: Suspicious files in my document folder

Post by yekkers on Wed 14 Mar 2012, 6:36 am

Just noticed that there is some weird file called catchme.txt that has appeared on the Desktop. From the sounds of it, this just can't be a good file.

yekkers

Newbie Surfer

Posts : 48
Joined : 2010-05-01


Re: Suspicious files in my document folder

Post by Superdave on Wed 14 Mar 2012, 9:12 am

> Illegal operation attempted on a registry key that has been marked for deletion.

A reboot will fix that.

> Just noticed that there is some weird file called catchme.txt that has appeared on the Desktop. From the sounds of it, this just can't be a good file.

That's part of ComboFix. Just leave it.

Re-running ComboFix to remove infections:


  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

    KillAll::

    File::
    c:\windows\system32\drivers\39f53c95945612ae.sys
    c:\windows\system32\drivers\e100b325.sys
    Firefox::
    Trusted Zone: o2.co.uk\*.broadband

    DDS::
    Trusted Zone: o2.co.uk\*.broadband

  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.

Superdave
Tech Staff

Posts : 4193
Joined : 2010-02-01
Operating System : Windows 8.1 and a dual-boot with XP Home SP3
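A small triage script for the ComboFix log format seen in this thread, added here as an example (it is not code from the thread or from ComboFix): run over a sample built from the lines of the first log above, it pulls out the "Failed to delete" leftovers, the disinfected system drivers, the removed service keys, loaded drivers that look machine-generated, the Firefox security warnings switched off, and the service key the hidden-object scan exposed, then drafts the File::/DDS:: sections of a CFScript.txt in the layout the post above uses. The regexes and the "looks generated" heuristic are this example's own assumptions about the log format.

```python
"""Triage a ComboFix log and draft the follow-up CFScript.  Added example: not code from the
thread or from ComboFix.  Section layouts follow the log as posted; the regexes and the
"looks generated" heuristic are this example's own assumptions about that format."""
import re
from dataclasses import dataclass, field

# Constructed sample: trimmed to the lines of the first log in the thread that matter here.
SAMPLE_LOG = r"""(((((((((((((( Other Deletions ))))))))))))))
.
c:\windows\system32\drivers\39f53c95945612ae.sys . . . . Failed to delete
c:\windows\system32\drivers\e100b325.sys . . . . Failed to delete
.
Infected copy of c:\windows\system32\drivers\ntfs.sys was found and disinfected
Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
.
(((((((((((((( Drivers/Services ))))))))))))))
.
-------\Legacy_39f53c95945612ae
-------\Service_39f53c95945612ae
-------\Service_E100B
.
R1 58eb7;1rxzhicpme.exe;c:\windows\system32\drivers\58eb7.sys [2012-03-02 43352]
R4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
.
Trusted Zone: o2.co.uk\*.broadband
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_submit_insecure - false
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\39f53c95945612ae]
"ImagePath"="\SystemRoot\System32\Drivers\39f53c95945612ae.sys"
"""

FAILED = re.compile(r"^(?P<path>\S.*?) \. \. \. \. Failed to delete$", re.I)
DISINFECTED = re.compile(r"^Infected copy of (?P<path>\S+) was found and disinfected$", re.I)
REMOVED_SVC = re.compile(r"^-------\\(?:Legacy|Service)_(?P<name>\S+)$", re.I)
DRIVER = re.compile(r"^R[0-4] (?P<svc>[^;]+);(?P<display>[^;]*);(?P<path>.+?) \[[\d-]+ \d+\]$", re.I)
TRUSTED = re.compile(r"^Trusted Zone: (?P<zone>.+)$", re.I)
WEAK_PREF = re.compile(r"^FF - user\.js: (?P<pref>security\.\S+) - false$", re.I)
SERVICE_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\system\\ControlSet\d+\\Services\\(?P<name>[^\]]+)\]$", re.I)


@dataclass
class Triage:
    failed_deletes: list = field(default_factory=list)    # files ComboFix could not remove
    disinfected: list = field(default_factory=list)       # system drivers it patched back
    removed_services: list = field(default_factory=list)  # service/legacy keys it removed
    odd_drivers: list = field(default_factory=list)       # loaded drivers that look generated
    trusted_zones: list = field(default_factory=list)     # IE trusted-zone entries
    weak_prefs: list = field(default_factory=list)        # Firefox security warnings turned off
    hidden_services: list = field(default_factory=list)   # service keys from the stealth scan


def looks_generated(svc: str, display: str) -> bool:
    """Heuristic (assumption): a long hex-only service name, or a kernel driver whose display
    name is an .exe, deserves a second look; legitimate drivers rarely do either."""
    return bool(re.fullmatch(r"[0-9a-f]{8,}", svc, re.I)) or display.lower().endswith(".exe")


def triage_log(text: str) -> Triage:
    t = Triage()
    for line in text.splitlines():
        line = line.rstrip()
        if m := FAILED.match(line):
            t.failed_deletes.append(m["path"])
        elif m := DISINFECTED.match(line):
            t.disinfected.append(m["path"])
        elif m := REMOVED_SVC.match(line):
            if m["name"] not in t.removed_services:  # Legacy_ and Service_ name the same service
                t.removed_services.append(m["name"])
        elif m := DRIVER.match(line):
            if looks_generated(m["svc"], m["display"]):
                t.odd_drivers.append(m["svc"])
        elif m := TRUSTED.match(line):
            t.trusted_zones.append(m["zone"])
        elif m := WEAK_PREF.match(line):
            t.weak_prefs.append(m["pref"])
        elif m := SERVICE_KEY.match(line):
            # Assumption: a Services key is only dumped in full like this when ComboFix's
            # hidden-object scan found it, so its presence alone is the finding.
            t.hidden_services.append(m["name"])
    return t


def build_cfscript(t: Triage) -> str:
    """Draft the CFScript.txt a helper would hand back, using the directives the thread uses:
    File:: for leftovers ComboFix could not delete, DDS:: for IE trusted-zone entries."""
    parts = ["KillAll::", ""]
    if t.failed_deletes:
        parts += ["File::", *t.failed_deletes, ""]
    if t.trusted_zones:
        parts += ["DDS::", *(f"Trusted Zone: {z}" for z in t.trusted_zones), ""]
    return "\n".join(parts)


if __name__ == "__main__":
    result = triage_log(SAMPLE_LOG)
    print(result)
    print(build_cfscript(result))
```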


Re: Suspicious files in my document folder

Post by yekkers on Wed 14 Mar 2012, 9:21 pm

ComboFix 12-03-13.01 - Lou 14/03/2012 17:54:00.6.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2037.1275 [GMT 8:00]
Running from: c:\users\Lou\Desktop\ComboFix.exe
Command switches used :: c:\users\Lou\Desktop\CFScript.txt
AV: COMODO Antivirus *Disabled/Outdated* {7554F4C5-5EC0-2FC6-8192-8DF831DBED51}
SP: COMODO Defense+ *Disabled/Updated* {CE351521-78FA-2048-BB22-B68A4A5CA7EC}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\system32\drivers\39f53c95945612ae.sys"
"c:\windows\system32\drivers\e100b325.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\39f53c95945612ae.sys . . . . Failed to delete
c:\windows\system32\drivers\e100b325.sys . . . . Failed to delete
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_39f53c95945612ae
-------\Service_39f53c95945612ae
.
.
((((((((((((((((((((((((( Files Created from 2012-02-14 to 2012-03-14 )))))))))))))))))))))))))))))))
.
.
2012-03-14 10:01 . 2012-03-14 10:03 -------- d-----w- c:\users\Lou\AppData\Local\temp
2012-03-14 10:01 . 2012-03-14 10:01 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-03-14 10:01 . 2012-03-14 10:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-13 18:43 . 2012-03-13 18:43 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-03-13 17:58 . 2012-03-13 17:58 -------- d-----w- c:\users\Lou\AppData\Local\Comodo
2012-03-13 09:06 . 2012-03-13 09:06 -------- d--h--w- c:\windows\msdownld.tmp
2012-03-11 21:54 . 2012-03-11 21:54 -------- d-----w- c:\users\Lou\AppData\Local\Microsoft Corporation
2012-03-11 21:53 . 2012-03-11 21:53 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2012-03-07 21:36 . 2012-03-07 21:40 -------- d-----w- C:\MGADiagToolOutput
2012-03-05 19:13 . 2012-03-05 19:13 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2012-03-05 19:13 . 2012-03-05 19:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-05 18:58 . 2012-03-05 19:45 -------- d-----w- c:\programdata\CPA_VA
2012-03-05 18:51 . 2012-03-05 18:58 -------- d-----w- c:\programdata\Comodo
2012-03-05 18:48 . 2012-03-05 18:48 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2012-03-05 18:48 . 2012-03-05 18:49 -------- d-----w- c:\program files\COMODO
2012-03-04 19:13 . 2012-03-04 19:13 -------- d-----w- c:\users\Lou\AppData\Roaming\SUPERAntiSpyware.com
2012-03-04 19:13 . 2012-03-04 19:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-03-04 19:13 . 2012-03-04 19:13 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-03-02 13:24 . 2012-03-02 13:24 43352 ----a-w- c:\windows\system32\drivers\58eb7.sys
2012-02-29 10:27 . 2012-03-02 13:53 -------- d-----w- c:\users\Lou\AppData\Roaming\Onxe
2012-02-29 10:27 . 2012-03-02 13:20 -------- d-----w- c:\users\Lou\AppData\Roaming\Veuhen
2012-02-16 09:00 . 2012-01-12 19:52 2044416 ----a-w- c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-08 06:03 . 2012-03-02 08:50 6552120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{81B92148-B0DB-4FD1-9999-A6DD375EC2AD}\mpengine.dll
2012-01-28 21:10 . 2010-05-02 21:28 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-17 13:00 . 2012-01-17 13:00 491816 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-12-19 10:59 . 2011-12-19 10:59 82400 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-12-19 10:59 . 2011-12-19 10:59 38616 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-12-19 10:59 . 2011-12-19 10:59 19600 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-12-19 10:58 . 2011-12-19 10:58 33984 ----a-w- c:\windows\system32\cmdcsr.dll
2011-12-19 10:58 . 2011-12-19 10:58 301224 ----a-w- c:\windows\system32\guard32.dll
2012-02-17 13:14 . 2011-05-08 10:16 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 10:06 163328 --sh--r- c:\windows\System32\flvDX.dll
2007-02-21 11:47 31232 --sh--r- c:\windows\System32\msfDX.dll
2007-12-17 13:43 27648 --sh--w- c:\windows\System32\Smab0.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-11-09 4240760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^Lou^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Lou\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 01:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-10-25 04:44 212992 ----a-w- c:\program files\Apoint2K\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 15:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO]
2011-11-23 10:27 208184 ----a-w- c:\program files\COMODO\COMODO GeekBuddy\CLPSLA.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Internet Security]
2011-12-20 16:41 6676808 ----a-w- c:\program files\COMODO\COMODO Internet Security\cfp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPA]
2011-11-23 10:27 182584 ----a-w- c:\program files\COMODO\COMODO GeekBuddy\VALA.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-02-15 01:32 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileOpenBroker]
2011-10-21 07:08 724352 ----a-w- c:\program files\FileOpen\Services\FileOpenBroker32.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-02-11 20:13 166424 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 15:24 54840 ----a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2007-10-03 23:15 480560 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2007-10-03 23:44 178712 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-02-11 20:13 141848 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2012-01-13 06:53 981680 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-02-11 20:13 133656 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
2007-09-28 00:05 202032 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2007-10-01 03:34 181544 ----a-w- c:\program files\Hp\QuickPlay\QPService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 23:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 06:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-03-29 21:59 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
2007-09-14 00:32 222504 ------w- c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R1 58eb7;1rxzhicpme.exe;c:\windows\system32\drivers\58eb7.sys [2012-03-02 43352]
R4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 39F53C95945612AE
*Deregistered* - 39f53c95945612ae
*Deregistered* - FileOpenWebPublisherScreenHookDriver
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-12 22:44]
.
2012-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-12 22:44]
.
2011-02-28 c:\windows\Tasks\Norton Security Scan for Lou.job
- c:\progra~1\NORTON~2\Engine\310~1.21\Nss.exe [2011-02-28 14:02]
.
2012-03-13 c:\windows\Tasks\User_Feed_Synchronization-{A7F3F3D5-62F7-427C-B5D4-201B298E7C61}.job
- c:\windows\system32\msfeedssync.exe [2012-02-16 04:44]
.
.
------- Supplementary Scan -------
.
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-GB\local\search.html
IE: Add to Windows &Live Favorites - [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 203.185.0.35 203.185.0.36
TCP: Interfaces\{1B476100-CBD2-4DB2-B7ED-0C4B02C3BD76}: NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{B9B091AA-3F61-4407-8F4F-838AD2721C82}: NameServer = 8.26.56.26,156.154.70.22
FF - ProfilePath - c:\users\Lou\AppData\Roaming\Mozilla\Firefox\Profiles\i1isjn8p.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\39f53c95945612ae]
"ImagePath"="\SystemRoot\System32\Drivers\39f53c95945612ae.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\FileOpen\Services\FileOpenManagerSvc32.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\conime.exe
.
**************************************************************************
.
Completion time: 2012-03-14 18:10:13 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-14 10:10
ComboFix2.txt 2012-03-14 09:41
ComboFix3.txt 2012-03-13 19:09
ComboFix4.txt 2010-08-07 16:16
.
Pre-Run: 88,764,956,672 bytes free
Post-Run: 88,735,502,336 bytes free
.
- - End Of File - - 4037C3026CC765154B0470AFA9B1BE06

yekkers

Newbie Surfer

Posts : 48
Joined : 2010-05-01

Re: Suspicious files in my document folder

Post by Superdave on Thu 15 Mar 2012, 5:39 am

Copy and paste the text in the code box below into Notepad.
Code:

@echo off
del c:\windows\system32\drivers\39f53c95945612ae.sys
del c:\windows\system32\drivers\e100b325.sys

exit

Then click File > Save as
Save to the Desktop as blackpudding.bat
And Save as type: All Files.

Double-click on blackpudding.bat to run it.
After running this bat file please run ComboFix again and post the log.
*********************************************
SysProt Antirootkit

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

[You must be registered and logged in to see this link.]

Unzip it into a folder on your desktop.

  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items.

    • Process << Selected
    • Kernel Modules << Selected
    • SSDT << Selected
    • Kernel Hooks << Selected
    • IRP Hooks << NOT Selected
    • Ports << NOT Selected
    • Hidden Files << Selected

  • At the bottom of the page

    • Hidden Objects Only << Selected

  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

Superdave
Tech Staff

Posts : 4193
Joined : 2010-02-01
Operating System : Windows 8.1 and a dual-boot with XP Home SP3

Re: Suspicious files in my document folder

Post by yekkers on Thu 15 Mar 2012, 7:18 am

In the Write to log box select the following items.

Process << Selected
Kernel Modules << Selected
SSDT << Selected
Kernel Hooks << Selected
IRP Hooks << NOT Selected
Ports << NOT Selected
Hidden Files << Selected
I don't think I understand. Are the items IRP Hooks and Ports originally supposed to be NOT selected, and I have to check those boxes? Or am I supposed to leave the boxes for IRP Hooks and Ports unchecked?

Edit: Nvm I got it.

yekkers

Newbie Surfer

Posts : 48
Joined : 2010-05-01

Re: Suspicious files in my document folder

Post by yekkers on Fri 16 Mar 2012, 10:09 pm

ComboFix 12-03-13.01 - Lou 15/03/2012 3:39.7.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2037.1300 [GMT 8:00]
Running from: c:\users\Lou\Desktop\ComboFix.exe
AV: COMODO Antivirus *Disabled/Outdated* {7554F4C5-5EC0-2FC6-8192-8DF831DBED51}
SP: COMODO Defense+ *Disabled/Updated* {CE351521-78FA-2048-BB22-B68A4A5CA7EC}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\e100b325.sys
c:\windows\system32\drivers\39f53c95945612ae.sys . . . . Failed to delete
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_39f53c95945612ae
-------\Service_39f53c95945612ae
.
.
((((((((((((((((((((((((( Files Created from 2012-02-14 to 2012-03-14 )))))))))))))))))))))))))))))))
.
.
2012-03-14 19:53 . 2012-03-14 19:53 272 ----a-w- c:\windows\system32\drivers\sfi.dat
2012-03-14 19:48 . 2012-03-14 19:57 -------- d-----w- c:\users\Lou\AppData\Local\temp
2012-03-14 19:48 . 2012-03-14 19:48 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-03-14 19:48 . 2012-03-14 19:48 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-13 18:43 . 2012-03-13 18:43 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-03-13 17:58 . 2012-03-13 17:58 -------- d-----w- c:\users\Lou\AppData\Local\Comodo
2012-03-13 09:06 . 2012-03-13 09:06 -------- d--h--w- c:\windows\msdownld.tmp
2012-03-11 21:54 . 2012-03-11 21:54 -------- d-----w- c:\users\Lou\AppData\Local\Microsoft Corporation
2012-03-11 21:53 . 2012-03-11 21:53 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2012-03-07 21:36 . 2012-03-07 21:40 -------- d-----w- C:\MGADiagToolOutput
2012-03-05 19:13 . 2012-03-05 19:13 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2012-03-05 19:13 . 2012-03-05 19:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-05 18:58 . 2012-03-05 19:45 -------- d-----w- c:\programdata\CPA_VA
2012-03-05 18:51 . 2012-03-05 18:58 -------- d-----w- c:\programdata\Comodo
2012-03-05 18:48 . 2012-03-05 18:48 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2012-03-05 18:48 . 2012-03-05 18:49 -------- d-----w- c:\program files\COMODO
2012-03-04 19:13 . 2012-03-04 19:13 -------- d-----w- c:\users\Lou\AppData\Roaming\SUPERAntiSpyware.com
2012-03-04 19:13 . 2012-03-04 19:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-03-04 19:13 . 2012-03-04 19:13 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-03-02 13:25 . 2012-03-02 13:25 43352 ----a-w- c:\windows\system32\drivers\39f53c95945612ae.sys
2012-02-29 10:27 . 2012-03-02 13:53 -------- d-----w- c:\users\Lou\AppData\Roaming\Onxe
2012-02-29 10:27 . 2012-03-02 13:20 -------- d-----w- c:\users\Lou\AppData\Roaming\Veuhen
2012-02-16 09:00 . 2012-01-12 19:52 2044416 ----a-w- c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-08 06:03 . 2012-03-02 08:50 6552120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{81B92148-B0DB-4FD1-9999-A6DD375EC2AD}\mpengine.dll
2012-01-28 21:10 . 2010-05-02 21:28 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-17 13:00 . 2012-01-17 13:00 491816 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-12-19 10:59 . 2011-12-19 10:59 82400 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-12-19 10:59 . 2011-12-19 10:59 38616 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-12-19 10:59 . 2011-12-19 10:59 19600 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-12-19 10:58 . 2011-12-19 10:58 33984 ----a-w- c:\windows\system32\cmdcsr.dll
2011-12-19 10:58 . 2011-12-19 10:58 301224 ----a-w- c:\windows\system32\guard32.dll
2012-02-17 13:14 . 2011-05-08 10:16 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 10:06 163328 --sh--r- c:\windows\System32\flvDX.dll
2007-02-21 11:47 31232 --sh--r- c:\windows\System32\msfDX.dll
2007-12-17 13:43 27648 --sh--w- c:\windows\System32\Smab0.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-11-09 4240760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^Lou^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Lou\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 01:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-10-25 04:44 212992 ----a-w- c:\program files\Apoint2K\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 15:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO]
2011-11-23 10:27 208184 ----a-w- c:\program files\COMODO\COMODO GeekBuddy\CLPSLA.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Internet Security]
2011-12-20 16:41 6676808 ----a-w- c:\program files\COMODO\COMODO Internet Security\cfp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPA]
2011-11-23 10:27 182584 ----a-w- c:\program files\COMODO\COMODO GeekBuddy\VALA.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-02-15 01:32 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileOpenBroker]
2011-10-21 07:08 724352 ----a-w- c:\program files\FileOpen\Services\FileOpenBroker32.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-02-11 20:13 166424 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 15:24 54840 ----a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2007-10-03 23:15 480560 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2007-10-03 23:44 178712 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-02-11 20:13 141848 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2012-01-13 06:53 981680 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-02-11 20:13 133656 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
2007-09-28 00:05 202032 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2007-10-01 03:34 181544 ----a-w- c:\program files\Hp\QuickPlay\QPService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 23:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 06:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-03-29 21:59 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
2007-09-14 00:32 222504 ------w- c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 25B7BF45801895D6
*NewlyCreated* - 58EB7
*NewlyCreated* - CMDERD
*NewlyCreated* - CMDGUARD
*Deregistered* - 25b7bf45801895d6
*Deregistered* - 58eb7
*Deregistered* - FileOpenWebPublisherScreenHookDriver
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-12 22:44]
.
2012-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-12 22:44]
.
2011-02-28 c:\windows\Tasks\Norton Security Scan for Lou.job
- c:\progra~1\NORTON~2\Engine\310~1.21\Nss.exe [2011-02-28 14:02]
.
2012-03-14 c:\windows\Tasks\User_Feed_Synchronization-{A7F3F3D5-62F7-427C-B5D4-201B298E7C61}.job
- c:\windows\system32\msfeedssync.exe [2012-02-16 04:44]
.
.
------- Supplementary Scan -------
.
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-GB\local\search.html
IE: Add to Windows &Live Favorites - [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 203.185.0.35 203.185.0.36
TCP: Interfaces\{1B476100-CBD2-4DB2-B7ED-0C4B02C3BD76}: NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{B9B091AA-3F61-4407-8F4F-838AD2721C82}: NameServer = 8.26.56.26,156.154.70.22
FF - ProfilePath - c:\users\Lou\AppData\Roaming\Mozilla\Firefox\Profiles\i1isjn8p.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2012-03-15 03:57
Windows 6.0.6002 Service Pack 2 NTFS
.
detected NTDLL code modification:
ZwClose
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\25b7bf45801895d6]
"ImagePath"="\SystemRoot\System32\Drivers\25b7bf45801895d6.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(660)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'Explorer.exe'(2268)
c:\windows\system32\guard32.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\FileOpen\Services\FileOpenManagerSvc32.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\conime.exe
.
**************************************************************************
.
Completion time: 2012-03-15 04:03:28 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-14 20:03
ComboFix2.txt 2012-03-14 10:10
ComboFix3.txt 2012-03-14 09:41
ComboFix4.txt 2012-03-13 19:09
ComboFix5.txt 2012-03-14 19:38
.
Pre-Run: 88,681,222,144 bytes free
Post-Run: 88,134,369,280 bytes free
.
- - End Of File - - B82A610563DC10B2F0CDD571E9825BBE

yekkers

Newbie Surfer

Posts : 48
Joined : 2010-05-01

Re: Suspicious files in my document folder

Post by yekkers on Fri 16 Mar 2012, 10:10 pm

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
No Hidden Kernel Modules found

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
No hidden files/folders found


yekkers

Newbie Surfer

Posts : 48
Joined : 2010-05-01

Re: Suspicious files in my document folder

Post by Superdave on Sat 17 Mar 2012, 5:20 am

Re-running ComboFix to remove infections:


  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

    KillAll::

    File::
    c:\windows\system32\drivers\58eb7.sys
    1rxzhicpme.exe

    Driver::
    R1 58eb7
  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.

***********************************************
Any change in the Windows Update problem?

Superdave
Tech Staff

Posts : 4193
Joined : 2010-02-01
Operating System : Windows 8.1 and a dual-boot with XP Home SP3
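As an added example (not ComboFix's code and not anything posted in this thread), a small Python triage script that reads ComboFix log lines like the ones above and pulls out what a helper checks after a re-run: hex-named drivers loaded as services or freshly created in the drivers folder, files ComboFix could not delete, service keys whose ImagePath still points at such a driver, and system drivers that had to be restored. The regexes describe the line shapes seen in this thread's logs, the sample lines are constructed from them, and the `KNOWN_HEX_NAMES` allow-list is an assumption about which hex-looking names are legitimate.

```python
import re
from collections import defaultdict

# Regexes for the ComboFix log lines the script reads. The line shapes are
# taken from this thread's logs; treating them as stable is an assumption.
HEX_NAME = re.compile(r"^[0-9a-f]{5,16}\.sys$", re.IGNORECASE)
DRIVER_LINE = re.compile(
    r"^R[0-4] (?P<svc>[^;]+);(?P<desc>[^;]*);(?P<path>.+?) \[(?P<date>\d{4}-\d{2}-\d{2}) \d+\]$")
CREATED_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+\d{2}:\d{2}\s+\.\s+\S+\s+\d{2}:\d{2}\s+(?:\d+|-+)\s+\S{8}\s+(?P<path>.+)$")
FAILED_LINE = re.compile(r"^(?P<path>.+?) \. \. \. \. Failed to delete$")
DISINFECTED_LINE = re.compile(r"^Infected copy of (?P<path>.+?) was found and disinfected$")
KEY_LINE = re.compile(r"^\[(?P<key>.+)\]$")
IMAGEPATH_LINE = re.compile(r'^"ImagePath"="(?P<path>.+)"$')

# A hex-looking file name is only a weak signal on its own: e100b325.sys is
# Intel's legitimate PRO/1000 NIC driver and appears in this very thread.
# Which names to allow-list is an assumption you would tune per environment.
KNOWN_HEX_NAMES = {"e100b325.sys"}


def basename(path):
    """Last component of a Windows path, lower-cased (works for \\SystemRoot\\ paths too)."""
    return path.rsplit("\\", 1)[-1].lower()


def looks_random(name):
    """True for short all-hex .sys names that are not on the allow-list."""
    return bool(HEX_NAME.match(name)) and name not in KNOWN_HEX_NAMES


def triage(lines):
    """Map driver basename -> list of reasons it deserves a second look."""
    findings = defaultdict(list)
    current_key = None                  # registry key most recently opened with [...]
    for raw in lines:
        line = raw.strip()
        if (m := DRIVER_LINE.match(line)):
            name = basename(m["path"])
            if looks_random(name):
                findings[name].append(f"loaded as service '{m['svc']}' dated {m['date']}")
        elif (m := CREATED_LINE.match(line)):
            name = basename(m["path"])
            if "\\drivers\\" in m["path"].lower() and looks_random(name):
                findings[name].append(f"created in the drivers folder on {m['date']}")
        elif (m := FAILED_LINE.match(line)):
            findings[basename(m["path"])].append("ComboFix could not delete it")
        elif (m := DISINFECTED_LINE.match(line)):
            findings[basename(m["path"])].append("system driver was patched and had to be restored")
        elif (m := KEY_LINE.match(line)):
            current_key = m["key"]
        elif (m := IMAGEPATH_LINE.match(line)) and current_key:
            name = basename(m["path"])
            if looks_random(name):
                findings[name].append(f"service key {basename(current_key)} still points at it")
    return dict(findings)


def needs_followup(findings):
    """Drivers that survived a removal attempt (undeletable, or flagged more
    than once), most evidence first, then by name."""
    keep = {n: r for n, r in findings.items()
            if len(r) > 1 or any("could not delete" in x for x in r)}
    return sorted(keep, key=lambda n: (-len(keep[n]), n))


# Constructed sample: lines copied from the ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
R1 58eb7;1rxzhicpme.exe;c:\windows\system32\drivers\58eb7.sys [2012-03-02 43352]
R4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
c:\windows\system32\drivers\e100b325.sys
c:\windows\system32\drivers\25b7bf45801895d6.sys . . . . Failed to delete
c:\windows\system32\drivers\39f53c95945612ae.sys . . . . Failed to delete
Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
2012-03-02 13:25 . 2012-03-02 13:25 43352 ----a-w- c:\windows\system32\drivers\39f53c95945612ae.sys
2012-03-13 18:43 . 2012-03-13 18:43 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\25b7bf45801895d6]
"ImagePath"="\SystemRoot\System32\Drivers\25b7bf45801895d6.sys"
""".strip().splitlines()

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for name in needs_followup(found):
        print(name)
        for reason in found[name]:
            print("   -", reason)
```

Feed it a real ComboFix.txt with `triage(open(path).read().splitlines())`; the two hex-named drivers this thread kept failing to delete come out on top, while mbamswissarmy.sys and the Intel NIC driver do not.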

Re: Suspicious files in my document folder

Post by yekkers on Sat 17 Mar 2012, 7:24 am

ComboFix 12-03-13.01 - Lou 17/03/2012 3:40.8.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2037.1242 [GMT 8:00]
Running from: c:\users\Lou\Desktop\ComboFix.exe
Command switches used :: c:\users\Lou\Desktop\CFScript.txt
AV: COMODO Antivirus *Disabled/Outdated* {7554F4C5-5EC0-2FC6-8192-8DF831DBED51}
SP: COMODO Defense+ *Disabled/Updated* {CE351521-78FA-2048-BB22-B68A4A5CA7EC}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\windows\system32\drivers\58eb7.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\25b7bf45801895d6.sys . . . . Failed to delete
c:\windows\system32\drivers\39f53c95945612ae.sys . . . . Failed to delete
.
Infected copy of c:\windows\system32\drivers\asyncmac.sys was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\asyncmac.sys
Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - c:\windows\System32\DriverStore\FileRepository\cdrom.inf_c949a5b6\cdrom.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_25b7bf45801895d6
-------\Service_25b7bf45801895d6
.
.
((((((((((((((((((((((((( Files Created from 2012-02-16 to 2012-03-16 )))))))))))))))))))))))))))))))
.
.
2012-03-16 19:48 . 2012-03-16 19:51 -------- d-----w- c:\users\Lou\AppData\Local\temp
2012-03-16 19:48 . 2012-03-16 19:48 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-03-16 19:48 . 2012-03-16 19:48 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-14 19:53 . 2012-03-14 19:53 272 ----a-w- c:\windows\system32\drivers\sfi.dat
2012-03-13 18:43 . 2012-03-13 18:43 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-03-13 17:58 . 2012-03-13 17:58 -------- d-----w- c:\users\Lou\AppData\Local\Comodo
2012-03-13 09:06 . 2012-03-13 09:06 -------- d--h--w- c:\windows\msdownld.tmp
2012-03-11 21:54 . 2012-03-11 21:54 -------- d-----w- c:\users\Lou\AppData\Local\Microsoft Corporation
2012-03-11 21:53 . 2012-03-11 21:53 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2012-03-07 21:36 . 2012-03-07 21:40 -------- d-----w- C:\MGADiagToolOutput
2012-03-05 19:13 . 2012-03-05 19:13 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2012-03-05 19:13 . 2012-03-05 19:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-05 18:58 . 2012-03-05 19:45 -------- d-----w- c:\programdata\CPA_VA
2012-03-05 18:51 . 2012-03-05 18:58 -------- d-----w- c:\programdata\Comodo
2012-03-05 18:48 . 2012-03-05 18:48 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2012-03-05 18:48 . 2012-03-05 18:49 -------- d-----w- c:\program files\COMODO
2012-03-04 19:13 . 2012-03-04 19:13 -------- d-----w- c:\users\Lou\AppData\Roaming\SUPERAntiSpyware.com
2012-03-04 19:13 . 2012-03-04 19:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-03-04 19:13 . 2012-03-04 19:13 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-03-02 13:25 . 2012-03-02 13:25 43352 ----a-w- c:\windows\system32\drivers\39f53c95945612ae.sys
2012-02-29 10:27 . 2012-03-02 13:53 -------- d-----w- c:\users\Lou\AppData\Roaming\Onxe
2012-02-29 10:27 . 2012-03-02 13:20 -------- d-----w- c:\users\Lou\AppData\Roaming\Veuhen
2012-02-16 09:00 . 2012-01-12 19:52 2044416 ----a-w- c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-08 06:03 . 2012-03-02 08:50 6552120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{81B92148-B0DB-4FD1-9999-A6DD375EC2AD}\mpengine.dll
2012-01-28 21:10 . 2010-05-02 21:28 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-17 13:00 . 2012-01-17 13:00 491816 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-12-19 10:59 . 2011-12-19 10:59 82400 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-12-19 10:59 . 2011-12-19 10:59 38616 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-12-19 10:59 . 2011-12-19 10:59 19600 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-12-19 10:58 . 2011-12-19 10:58 33984 ----a-w- c:\windows\system32\cmdcsr.dll
2011-12-19 10:58 . 2011-12-19 10:58 301224 ----a-w- c:\windows\system32\guard32.dll
2012-02-17 13:14 . 2011-05-08 10:16 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 10:06 163328 --sh--r- c:\windows\System32\flvDX.dll
2007-02-21 11:47 31232 --sh--r- c:\windows\System32\msfDX.dll
2007-12-17 13:43 27648 --sh--w- c:\windows\System32\Smab0.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-11-09 4240760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^Lou^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Lou\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 01:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-10-25 04:44 212992 ----a-w- c:\program files\Apoint2K\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 15:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO]
2011-11-23 10:27 208184 ----a-w- c:\program files\COMODO\COMODO GeekBuddy\CLPSLA.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Internet Security]
2011-12-20 16:41 6676808 ----a-w- c:\program files\COMODO\COMODO Internet Security\cfp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPA]
2011-11-23 10:27 182584 ----a-w- c:\program files\COMODO\COMODO GeekBuddy\VALA.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-02-15 01:32 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileOpenBroker]
2011-10-21 07:08 724352 ----a-w- c:\program files\FileOpen\Services\FileOpenBroker32.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-02-11 20:13 166424 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 15:24 54840 ----a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2007-10-03 23:15 480560 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2007-10-03 23:44 178712 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-02-11 20:13 141848 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2012-01-13 06:53 981680 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-02-11 20:13 133656 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
2007-09-28 00:05 202032 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2007-10-01 03:34 181544 ----a-w- c:\program files\Hp\QuickPlay\QPService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 23:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 06:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-03-29 21:59 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
2007-09-14 00:32 222504 ------w- c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 25B7BF45801895D6
*Deregistered* - 25b7bf45801895d6
*Deregistered* - FileOpenWebPublisherScreenHookDriver
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-12 22:44]
.
2012-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-12 22:44]
.
2011-02-28 c:\windows\Tasks\Norton Security Scan for Lou.job
- c:\progra~1\NORTON~2\Engine\310~1.21\Nss.exe [2011-02-28 14:02]
.
2012-03-16 c:\windows\Tasks\User_Feed_Synchronization-{A7F3F3D5-62F7-427C-B5D4-201B298E7C61}.job
- c:\windows\system32\msfeedssync.exe [2012-02-16 04:44]
.
.
------- Supplementary Scan -------
.
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-GB\local\search.html
IE: Add to Windows &Live Favorites - [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 203.185.0.35 203.185.0.36
TCP: Interfaces\{1B476100-CBD2-4DB2-B7ED-0C4B02C3BD76}: NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{B9B091AA-3F61-4407-8F4F-838AD2721C82}: NameServer = 8.26.56.26,156.154.70.22
FF - ProfilePath - c:\users\Lou\AppData\Roaming\Mozilla\Firefox\Profiles\i1isjn8p.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2012-03-17 03:50
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\25b7bf45801895d6]
"ImagePath"="\SystemRoot\System32\Drivers\25b7bf45801895d6.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\FileOpen\Services\FileOpenManagerSvc32.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\conime.exe
.
**************************************************************************
.
Completion time: 2012-03-17 03:57:07 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-16 19:57
ComboFix2.txt 2012-03-14 20:03
ComboFix3.txt 2012-03-14 10:10
ComboFix4.txt 2012-03-14 09:41
ComboFix5.txt 2012-03-16 19:38
.
Pre-Run: 88,017,149,952 bytes free
Post-Run: 87,463,014,400 bytes free
.
- - End Of File - - 9591F523E232E8CA93DC9EF4EBF78114

yekkers

Newbie Surfer

Posts : 48
Joined : 2010-05-01
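As an added example (not code from this thread, from ComboFix or from any tool mentioned here), a small Python triage helper that reads a ComboFix log in the layout posted above and flags the three things in it that deserve a second look from a defender's side: a service whose driver file has a 16-hex-character name like the one ComboFix listed under Services, Security Center monitoring switched off, and Firefox user.js entries that silence security warnings. The excerpt it parses is constructed from lines of the log above; the function and finding names are my own.

```python
import re

# Constructed excerpt in the same layout as the ComboFix log posted above:
# registry keys in [brackets], "name"=dword values, and "FF - user.js:" lines.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_submit_insecure - false
.
[HKEY_LOCAL_MACHINE\\system\\ControlSet001\\Services\\25b7bf45801895d6]
"ImagePath"="\\SystemRoot\\System32\\Drivers\\25b7bf45801895d6.sys"
.
[HKEY_LOCAL_MACHINE\\system\\ControlSet001\\Services\\Tcpip]
"ImagePath"="\\SystemRoot\\System32\\Drivers\\tcpip.sys"
"""

# A driver whose file name is exactly 16 hex characters (the naming seen in this thread).
HEX_DRIVER = re.compile(r'^"ImagePath"="(.*\\([0-9a-f]{16})\.sys)"$', re.IGNORECASE)
# Security Center monitoring turned off for the key currently being read.
DISABLE_MON = re.compile(r'^"DisableMonitoring"=dword:0*1$', re.IGNORECASE)
# Firefox user.js lines that turn a security warning off.
FF_WARN_OFF = re.compile(r'^FF - user\.js: (security\.warn_\S+) - false$')


def triage_combofix(text):
    """Return a list of (finding_kind, detail) tuples for a ComboFix-style log."""
    findings = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]          # remember which registry key we are under
            continue
        m = HEX_DRIVER.match(line)
        if m:
            findings.append(("random_named_driver", m.group(1)))
            continue
        if DISABLE_MON.match(line) and current_key:
            findings.append(("security_center_monitoring_disabled", current_key))
            continue
        m = FF_WARN_OFF.match(line)
        if m:
            findings.append(("firefox_security_warning_off", m.group(1)))
    return findings


if __name__ == "__main__":
    for kind, detail in triage_combofix(SAMPLE_LOG):
        print(f"{kind}: {detail}")
```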

Re: Suspicious files in my document folder

Post by yekkers on Sat 17 Mar 2012, 7:26 am

Any change in the Windows Update problem?
Still no change, can't turn it on.

yekkers

Newbie Surfer

Posts : 48
Joined : 2010-05-01

Re: Suspicious files in my document folder

Post by Superdave on Sat 17 Mar 2012, 12:26 pm

Save these instructions so you can have access to them while in Safe Mode.

Please click here to download AVP Tool by Kaspersky.

  • Save it to your desktop.
  • Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
  • Double click the setup file to run it.
  • Click Next to continue.
  • Accept the License agreement and click on Next.
  • It will, by default, install it to your desktop folder. Click Next.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked:

  • Hidden Startup Objects
  • System Memory
  • Disk Boot Sectors
  • My Computer
  • Also any other drives (removable) that you may have

Leave the rest of the settings as they appear by default.
  • Then click on Scan at the top right-hand corner.
  • It will automatically neutralize any objects found.
  • If some objects are left un-neutralized, then click the button that says Neutralize all.
  • If it says it cannot be neutralized, then choose the delete option when prompted.
  • After that is done, click on the Reports button at the bottom and save it to a file; name it Kas.
  • Save it somewhere convenient like your desktop, and post only the detected virus/malware in the report (it will be at the very top under Detected). Post those results in your next reply.

Note: This tool will self uninstall when you close it so please save the log before closing it.

Superdave
Tech Staff

Posts : 4193
Joined : 2010-02-01
Operating System : Windows 8.1 and a dual-boot with XP Home SP3

Re: Suspicious files in my document folder

Post by yekkers on Sun 18 Mar 2012, 7:27 pm

My PC shut down on me while AVPTool was scanning. When I booted it back up and ran AVPTool again, when the scan completed, it just said it didn't detect anything. As such, I don't have any logs. Please advise on what to do next.

yekkers

Newbie Surfer

Posts : 48
Joined : 2010-05-01

Re: Suspicious files in my document folder

Post by Superdave on Mon 19 Mar 2012, 4:10 am

Start Malwarebytes and go to the More Tools tab. There you'll find a button named Run Tool to run FileASSASSIN.

Then browse to these files:
c:\windows\system32\drivers\25b7bf45801895d6.sys
c:\windows\system32\drivers\39f53c95945612ae.sys

Select that file and click OK, then Yes to remove it.
*******************************************************
I'd like to scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.

  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Superdave
Tech Staff

Posts : 4193
Joined : 2010-02-01
Operating System : Windows 8.1 and a dual-boot with XP Home SP3

Re: Suspicious files in my document folder

Post by Superdave on Mon 19 Mar 2012, 4:45 am

The module "wuaueng.dll" was loaded but the call to DllRegisterServer failed with error code 0x80070005.
I believe this is what is causing your problem with the Windows Updates.
This site explains why you receive this message, although they only mention XP. Could it be something to do with you not using Admin privileges? Here's another site that may help. Please notice that Admin is also mentioned. If none of these help, I think you should request help from Windows Vista about this problem.

Superdave
Tech Staff

Posts : 4193
Joined : 2010-02-01
Operating System : Windows 8.1 and a dual-boot with XP Home SP3

Re: Suspicious files in my document folder

Post by yekkers on Tue 20 Mar 2012, 8:34 am

Start Malwarebytes and go to the More Tools tab. There you'll find a button named Run Tool to run FileASSASSIN.

Then browse to these files:
c:\windows\system32\drivers\25b7bf45801895d6.sys
c:\windows\system32\drivers\39f53c95945612ae.sys

Select that file and click OK, then Yes to remove it.

FileAssassin was able to remove 39f53c95945612ae.sys, but when I tried to remove 25b7bf45801895d6.sys, I just get the message You don't have permission to open this file.

yekkers

Newbie Surfer

Posts : 48
Joined : 2010-05-01

Re: Suspicious files in my document folder

Post by yekkers on Tue 20 Mar 2012, 8:34 am

C:\Qoobox\Quarantine\C\Windows\System32\drivers\_25b7bf45801895d6_.sys.zip a variant of Win32/Rootkit.Kryptik.HT trojan deleted - quarantined
C:\Qoobox\Quarantine\C\Windows\System32\drivers\_39f53c95945612ae_.sys.zip a variant of Win32/Rootkit.Kryptik.HT trojan deleted - quarantined
C:\Users\Lou\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\4b83f3c4-302a17e0 multiple threats deleted - quarantined
C:\Users\Lou\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\77c3a532-53cc42a2 Java/TrojanDownloader.Agent.NAI trojan deleted - quarantined
C:\Users\Lou\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\799c6e88-7e033fcb multiple threats deleted - quarantined
C:\Users\Lou\Videos\Veoh\16_VeohWebPlayerSetup_eng.exe a variant of Win32/Toolbar.Zugo application deleted - quarantined

yekkers

Newbie Surfer

Posts : 48
Joined : 2010-05-01

Re: Suspicious files in my document folder

Post by yekkers on Tue 20 Mar 2012, 8:35 am

ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
Can not open internet
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=bb4d046c04010c43b47b1ddaaebd0b23
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-03-19 08:38:56
# local_time=2012-03-20 04:38:56 (+0800, China Standard Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1797 16774142 0 6 67394331 103706268 0 0
# compatibility_mode=3073 16777214 80 71 1417 7887021 0 0
# compatibility_mode=5892 16776574 100 100 1209976 169708531 0 0
# compatibility_mode=8192 67108863 100 0 1479 1479 0 0
# compatibility_mode=9217 16777214 0 4 102320204 102320204 0 0
# scanned=278860
# found=6
# cleaned=6
# scan_time=10132
C:\Qoobox\Quarantine\C\Windows\System32\drivers\_25b7bf45801895d6_.sys.zip a variant of Win32/Rootkit.Kryptik.HT trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Windows\System32\drivers\_39f53c95945612ae_.sys.zip a variant of Win32/Rootkit.Kryptik.HT trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Lou\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\4b83f3c4-302a17e0 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Lou\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\77c3a532-53cc42a2 Java/TrojanDownloader.Agent.NAI trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Lou\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\799c6e88-7e033fcb multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Lou\Videos\Veoh\16_VeohWebPlayerSetup_eng.exe a variant of Win32/Toolbar.Zugo application (deleted - quarantined) 00000000000000000000000000000000 C

yekkers

Newbie Surfer

Posts : 48
Joined : 2010-05-01

Re: Suspicious files in my document folder

Post by Superdave on Tue 20 Mar 2012, 9:14 am

You can use Unlocker to delete that other file. Once you have Unlocker installed, search for that file, right-click on the file and select Unlocker; then you should be able to delete it.

You can download and install Unlocker.

Please try this tool to fix the Update problem and let me know how it goes.

Please download Windows Update fix utility from here and run it.

Superdave
Tech Staff

Posts : 4193
Joined : 2010-02-01
Operating System : Windows 8.1 and a dual-boot with XP Home SP3
