AOL Mail log-ins reported suspicious activity

View previous topic View next topic Go down

AOL Mail log-ins reported suspicious activity

Post by georgechinsr on Mon Mar 18, 2013 3:39 am

For this computer only, AOL Mail log-in resulted in an Alert that they have "detected unusual activity on this account and for your security are temporarily blocking access. To regain access to this account, please change your password." This had occurred several times, even after changing password.

Requested logs are in the next several posts.

Thank you kindly for your services. I had used your site a few times in the past. You guys/gals are the greatest!!!!

Best regards,
George Sr


georgechinsr
Novice
Novice

Posts Posts : 22
Joined Joined : 2011-10-07
Gender Gender : Male
OS OS : Windows XP & Windows 7
Protection Protection : Security Essentials
Points Points : 19176
# Likes # Likes : 0

View user profile

Back to top Go down

Re: AOL Mail log-ins reported suspicious activity

Post by georgechinsr on Mon Mar 18, 2013 3:40 am

# AdwCleaner v2.115 - Logfile created 03/17/2013 at 20:17:43
# Updated 17/03/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : ChinG - DTC260055B4975F
# Boot Mode : Normal
# Running from : C:\Documents and Settings\ChinG.DTC260055B4975F\My Documents\Downloads\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v17.0.1 (en-US)

-\\ Google Chrome v26.0.1410.33

*************************

AdwCleaner[S1].txt - [642 octets] - [17/03/2013 20:17:43]

########## EOF - C:\AdwCleaner[S1].txt - [701 octets] ##########

georgechinsr
Novice
Novice

Posts Posts : 22
Joined Joined : 2011-10-07
Gender Gender : Male
OS OS : Windows XP & Windows 7
Protection Protection : Security Essentials
Points Points : 19176
# Likes # Likes : 0

View user profile

Back to top Go down

Malwarebytes Anti-Malware log

Post by georgechinsr on Mon Mar 18, 2013 5:49 am

Malwarebytes Anti-Malware (Trial) 1.70.0.1100
[You must be registered and logged in to see this link.]

Database version: v2013.03.18.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
ChinG :: DTC260055B4975F [administrator]

Protection: Enabled

3/17/2013 8:55:00 PM
mbam-log-2013-03-17 (20-55-00).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra |

Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 432900
Time elapsed: 1 hour(s), 34 minute(s), 52 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 4
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter)

-> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter)

-> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter)

-> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore|DisableConfig

(Windows.Tool.Disabled) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

georgechinsr
Novice
Novice

Posts Posts : 22
Joined Joined : 2011-10-07
Gender Gender : Male
OS OS : Windows XP & Windows 7
Protection Protection : Security Essentials
Points Points : 19176
# Likes # Likes : 0

View user profile

Back to top Go down

Security Check log

Post by georgechinsr on Mon Mar 18, 2013 6:00 am

Results of screen317's Security Check version 0.99.61
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Symantec AntiVirus Corporate Edition
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.70.0.1100
SunJavaRuntime150_06-LXV
SunJavaRuntime160_06-LXV
Java version out of Date!
Adobe Flash Player 11.6.602.180
Adobe Reader XI
Mozilla Firefox 17.0.1 Firefox out of Date!
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
Symantec AntiVirus DefWatch.exe
Symantec AntiVirus SavRoam.exe
Symantec AntiVirus Rtvscan.exe
Malwarebytes' Anti-Malware mbamscheduler.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 0%
````````````````````End of Log``````````````````````

georgechinsr
Novice
Novice

Posts Posts : 22
Joined Joined : 2011-10-07
Gender Gender : Male
OS OS : Windows XP & Windows 7
Protection Protection : Security Essentials
Points Points : 19176
# Likes # Likes : 0

View user profile

Back to top Go down

Re: AOL Mail log-ins reported suspicious activity

Post by Superdave on Mon Mar 18, 2013 6:37 pm

Hello and welcome to GeekPolice.Net My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*****************************************************************
Since it was your AOL that was hacked it's highly unlikely that your computer is infected. However, we can run a few more scans just to be sure.

Update Your Java (JRE)

Old versions of Java have vulnerabilities that malware can use to infect your system.


First [You must be registered and logged in to see this link.]

If there are any other version(s) installed then update now.

Get the new version (if needed)

If your version is out of date install the newest version of the [You must be registered and logged in to see this link.].

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Be sure to close ALL open web browsers before starting the installation.

Remove any old versions

1. Download [You must be registered and logged in to see this link.] and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions
3. Once complete exit JavaRA.

Additional Note: [You must be registered and logged in to see this link.] adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
**********************************************
Download Combofix from any of the links below, and save it to your DESKTOP.
If your version of Windows defaults to you download folder you will need to copy it to your desktop.

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

To prevent your anti-virus application interfering with ComboFix we need to disable it. See [You must be registered and logged in to see this link.] for a tutorial regarding how to do so if you are unsure.

  • Close any open windows and double click ComboFix.exe to run it.

    You will see the following image:



Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:



As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.



Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.

Superdave
Captain
Captain

Posts Posts : 4202
Joined Joined : 2010-02-01
Gender Gender : Male
OS OS : Windows 8.1 and a dual-boot with XP Home SP3
Protection Protection : MSE, Windows Defender, Windows firewall
Points Points : 83181
# Likes # Likes : 0

View user profile

Back to top Go down

Thank you, SuperDave. Reason for suspected malware.

Post by georgechinsr on Tue Mar 19, 2013 5:31 am

Thank you, SuperDave!

I am suspicious of this machine because while my daughter was using it, we went to a website Facebook considered suspicious. While there, a lot of ad windows popped up. We clicked the upper right corner "x" button to close them. Except one, we received a screen (I forgot whether it was a pop-up or a browser tab) that is reportedly from AT&T (our DSL ISP provider) saying there is a configuration problem, and asked us to click an OK button to fix it. We clicked the button, then received a message to close/re-open the browser to apply the fix, which we did. In retrospect, we are concerned that screen was a phish of AT&T and was malicious.

ComboFix log in next message.

georgechinsr
Novice
Novice

Posts Posts : 22
Joined Joined : 2011-10-07
Gender Gender : Male
OS OS : Windows XP & Windows 7
Protection Protection : Security Essentials
Points Points : 19176
# Likes # Likes : 0

View user profile

Back to top Go down

ComboFix log

Post by georgechinsr on Tue Mar 19, 2013 5:32 am

ComboFix 13-03-17.01 - ChinG 03/18/2013 21:39:20.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1912.868 [GMT -7:00]
Running from: c:\documents and settings\ChinG.DTC260055B4975F\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Start Menu\Programs\CleanUp
c:\documents and settings\All Users\Start Menu\Programs\CleanUp\Cache Clear.lnk
c:\documents and settings\All Users\Start Menu\Programs\CleanUp\Cookie Clear.lnk
c:\documents and settings\ching\Local Settings\Application Data\assembly\tmp
c:\program files\CleanUp
c:\program files\CleanUp\Cache CleanUp.vbs
c:\program files\CleanUp\CacheClean.ico
c:\program files\CleanUp\CacheLog\CACHE.LOG
c:\program files\CleanUp\Cookie CleanUp.vbs
c:\program files\CleanUp\CookieLog\COOKIE.LOG
c:\program files\CleanUp\CookiesClean.ico
c:\program files\CleanUp\UNWISE.EXE
c:\temp\_MEI45242\_ctypes.pyd
c:\temp\_MEI45242\_elementtree.pyd
c:\temp\_MEI45242\_hashlib.pyd
c:\temp\_MEI45242\_socket.pyd
c:\temp\_MEI45242\_ssl.pyd
c:\temp\_MEI45242\pyexpat.pyd
c:\temp\_MEI45242\pysqlite2._sqlite.pyd
c:\temp\_MEI45242\python26.dll
c:\temp\_MEI45242\pythoncom26.dll
c:\temp\_MEI45242\PyWinTypes26.dll
c:\temp\_MEI45242\select.pyd
c:\temp\_MEI45242\unicodedata.pyd
c:\temp\_MEI45242\win32api.pyd
c:\temp\_MEI45242\win32com.shell.shell.pyd
c:\temp\_MEI45242\win32crypt.pyd
c:\temp\_MEI45242\win32event.pyd
c:\temp\_MEI45242\win32file.pyd
c:\temp\_MEI45242\win32inet.pyd
c:\temp\_MEI45242\win32pdh.pyd
c:\temp\_MEI45242\win32process.pyd
c:\temp\_MEI45242\win32profile.pyd
c:\temp\_MEI45242\win32security.pyd
c:\temp\_MEI45242\win32ts.pyd
c:\temp\_MEI45242\windows._cacheinvalidation.pyd
c:\temp\_MEI45242\wx._controls_.pyd
c:\temp\_MEI45242\wx._core_.pyd
c:\temp\_MEI45242\wx._gdi_.pyd
c:\temp\_MEI45242\wx._html2.pyd
c:\temp\_MEI45242\wx._misc_.pyd
c:\temp\_MEI45242\wx._windows_.pyd
c:\temp\_MEI45242\wx._wizard.pyd
c:\temp\_MEI45242\wxbase293u_net_vc.dll
c:\temp\_MEI45242\wxbase293u_vc.dll
c:\temp\_MEI45242\wxmsw293u_adv_vc.dll
c:\temp\_MEI45242\wxmsw293u_core_vc.dll
c:\temp\_MEI45242\wxmsw293u_html_vc.dll
c:\temp\_MEI45242\wxmsw293u_webview_vc.dll
c:\windows\dasetup.log
c:\windows\EventSystem.log
c:\windows\system32\OLD214.tmp
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
.
.
((((((((((((((((((((((((( Files Created from 2013-02-19 to 2013-03-19 )))))))))))))))))))))))))))))))
.
.
2013-03-19 03:46 . 2013-03-19 03:46 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-03-18 03:47 . 2013-03-18 03:47 -------- d-----w- c:\documents and settings\ChinG.DTC260055B4975F\Application Data\Malwarebytes
2013-03-18 03:46 . 2013-03-18 03:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2013-03-18 03:46 . 2013-03-18 03:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-03-18 03:46 . 2012-12-14 23:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-19 03:46 . 2012-08-13 22:48 861088 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-03-19 03:46 . 2011-03-23 20:15 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-03-19 03:46 . 2010-05-25 22:01 143872 ----a-w- c:\windows\system32\javacpl.cpl
2013-03-17 23:28 . 2012-08-19 22:22 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-17 23:28 . 2011-08-26 17:19 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-01-26 03:55 . 2004-08-04 12:00 552448 ----a-w- c:\windows\system32\oleaut32.dll
2013-01-07 01:19 . 2008-11-08 07:41 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-01-07 00:37 . 2008-11-08 07:41 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-01-04 01:20 . 2004-08-04 12:00 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-01-02 06:49 . 2004-08-04 12:00 148992 ----a-w- c:\windows\system32\mpg2splt.ax
2013-01-02 06:49 . 2004-08-04 12:00 1292288 ----a-w- c:\windows\system32\quartz.dll
2012-12-26 20:16 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2012-12-26 20:16 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-12-26 20:16 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-12-24 06:40 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2013-03-18 06:08 . 2013-03-18 06:08 263064 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2012-12-18 03:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2012-12-18 03:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2012-12-18 03:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2012-12-18 03:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GoogleChromeAutoLaunch_89D6E739634295C57C4CDF8048527E68"="c:\documents and settings\ChinG.DTC260055B4975F\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" [2013-03-13 1312720]
"GoogleDriveSync"="c:\program files\Google\Drive\googledrivesync.exe" [2012-12-18 16328976]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Quickres"="c:\wfdc\quickresnt.exe" [2002-04-10 36864]
"CheckPath"="c:\wfdc\CheckPath\CheckPath.exe" [2009-02-25 24576]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-06-04 1791272]
"Zone Labs Client"="c:\program files\Zone Labs\Integrity Client\iclient.exe" [2005-04-13 444160]
"Pointsec Tray"="c:\program files\Pointsec\Pointsec for PC\P95Tray.exe" [2009-01-15 674368]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-30 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-06-06 125632]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2010-02-25 287800]
"iPassConnect"="c:\program files\iPass\iPassConnect\iPassConnectGUI.exe" [2007-10-25 1224704]
"WiFi Tray"="c:\program files\WiFiTray\WiFiTray.exe" [2009-01-05 188416]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"UltraMon"="c:\e\Pgm\UltraMon\UltraMon.exe" [2006-10-13 304640]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-23 150528]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-03-15 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-03-15 170008]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-03-15 145432]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2010-04-05 186904]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-04 1044480]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2010-5-28 276328]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
"NoPublishingWizard"= 1 (0x1)
"NoOnlinePrintsWizard"= 1 (0x1)
"NoWebServices"= 1 (0x1)
"PreXPSP2ShellProtocolBehavior"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoAutoUpdate"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1123561945-1708537768-1801674531-231215\Scripts\Logon\0\0]
"Script"=\\ent.wfb.bank.corp\sysvol\ent.wfb.bank.corp\scripts\DTC\dtclogon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1123561945-1708537768-1801674531-231215\Scripts\Logon\0\1]
"Script"=\\ent.wfb.bank.corp\sysvol\ent.wfb.bank.corp\scripts\DSD\EFO\EFOinv_q.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1123561945-1708537768-1801674531-332419\Scripts\Logon\0\0]
"Script"=\\ent.wfb.bank.corp\sysvol\ent.wfb.bank.corp\scripts\DTC\dtclogon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1123561945-1708537768-1801674531-332419\Scripts\Logon\0\1]
"Script"=\\ent.wfb.bank.corp\sysvol\ent.wfb.bank.corp\scripts\DSD\EFO\EFOinv_q.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1123561945-1708537768-1801674531-712281\Scripts\Logon\0\0]
"Script"=\\ent.wfb.bank.corp\sysvol\ent.wfb.bank.corp\scripts\DSD\EFO\EFOinv_q.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R0 AFAMgt;AFAMgt;c:\windows\system32\drivers\afamgt.sys [5/19/2005 5:13 PM 92411]
R0 prot_2k;prot_2k;c:\windows\system32\drivers\prot_2k.sys [1/15/2009 12:33 PM 217024]
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [11/8/2008 12:43 AM 24064]
R2 HopperP;WiFi Hopper (XP);c:\windows\system32\drivers\hopperp.sys [11/5/2011 11:32 PM 21888]
R2 iPassRestart;iPassRestart;c:\program files\Wells Fargo N. A\iPassRemovalSetup\iPassRemoval.exe [7/10/2008 3:39 PM 20480]
R2 JuniperAccessService;Juniper Unified Network Service;c:\program files\Common Files\Juniper Networks\JUNS\dsAccessService.exe [3/2/2009 10:08 AM 124200]
R2 Lan Central Collector Service;Lan Central Collector Service;c:\program files\WFLanCentralService103-L\LanCentralCollectorService.exe [1/13/2009 4:50 PM 36864]
R2 LoggerServer;LoggerServer;c:\program files\Common Files\Verint\Bin\LoggerServer.exe [3/21/2007 12:28 PM 159744]
R2 Marimba;Marimba;c:\program files\marimba\tuner\Tuner.exe [7/26/2007 4:53 PM 36970]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [3/17/2013 8:46 PM 398184]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/17/2013 8:46 PM 682344]
R2 MsDtsServer100;SQL Server Integration Services 10.0;c:\e\Pgm\MSSQL\100\DTS\Binn\MsDtsSrvr.exe [4/24/2011 1:35 AM 214880]
R2 NomadBranch;Nomad Branch;c:\windows\system32\CCM\Nomad\NomadBranch.exe [4/22/2009 9:23 AM 1200800]
R2 PESRV;Hummingbird HostExplorer Print Services;c:\program files\Hummingbird\Connectivity\12.00\HostExplorer\PrintServices\PESRV.exe [12/15/2006 4:59 PM 243272]
R2 Pointsec;Pointsec;c:\windows\system32\Prot_srv.exe [1/15/2009 12:34 PM 621120]
R2 Pointsec_start;Pointsec Service Start;c:\windows\system32\pstartSr.exe [1/15/2009 12:34 PM 150080]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/6/2007 3:24 PM 116928]
R2 WFC_WLANWinService;WFC_WLANWinService;c:\windows\system32\wfb\WFC_WLAN.exe [12/19/2008 9:30 AM 372736]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [5/25/2010 2:05 PM 227896]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/19/2012 2:31 PM 106656]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [11/8/2008 12:39 AM 41216]
R3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [6/13/2011 10:09 PM 267568]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/17/2013 8:46 PM 21104]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [11/8/2008 12:41 AM 47616]
S2 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\e\Pgm\MSSQL\MSRS10_50.MSSQLSERVER\Reporting Services\ReportServer\bin\ReportingServicesService.exe [4/24/2011 1:33 AM 1177952]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]
S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [11/8/2008 12:39 AM 241880]
S3 ProxyEngine;Hummingbird Proxy Server;c:\program files\Hummingbird\Connectivity\12.00\Accessories\ProxyEngine.exe [12/15/2006 5:08 PM 153168]
S4 a320raid;a320raid;c:\windows\system32\drivers\a320raid.sys [5/27/2005 9:39 AM 251842]
S4 aarich;aarich;c:\windows\system32\drivers\aarich.sys [5/19/2005 5:13 PM 241815]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [4/3/2010 11:56 AM 44896]
S4 MyVNetServices;MyVNetServices;c:\windows\system32\VNDesktopService.exe [9/28/2009 9:49 AM 36352]
S4 RsFx0150;RsFx0150 Driver;c:\windows\system32\drivers\RsFx0150.sys [4/3/2010 11:02 AM 240608]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - uphcleanhlp
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Winzip90SR1-L]
2006-02-27 20:06 132454 ----a-w- c:\program files\WinZip\WinzipUserConfig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2119947D-7B21-45A9-BE8A-9044DE408737}]
2006-06-29 11:00 99920 ----a-w- c:\program files\Hummingbird\Connectivity\12.00\Accessories\HumSettings.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{3D82B0C3-AAFA-400E-B2D1-46B7AD38AB8C}]
2006-06-29 11:00 99920 ----a-w- c:\program files\Hummingbird\Connectivity\12.00\Accessories\HumSettings.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
2009-03-08 11:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-19 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-19 23:28]
.
2013-02-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
.
2013-03-19 c:\windows\Tasks\ConfigExec.job
- c:\program files\Microsoft Fix it Center\MatsApi.dll [2011-06-14 05:09]
.
2013-03-19 c:\windows\Tasks\DataUpload.job
- c:\program files\Microsoft Fix it Center\MatsApi.dll [2011-06-14 05:09]
.
2013-03-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-23 23:57]
.
2013-03-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-23 23:57]
.
2013-03-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3287246667-3464762049-47498211-1008Core.job
- c:\documents and settings\ChinG.DTC260055B4975F\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-10 19:38]
.
2013-03-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3287246667-3464762049-47498211-1008UA.job
- c:\documents and settings\ChinG.DTC260055B4975F\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-10 19:38]
.
2013-03-19 c:\windows\Tasks\User_Feed_Synchronization-{29257197-F4D0-4D0B-A2D8-59CB331757E0}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
2013-03-19 c:\windows\Tasks\User_Feed_Synchronization-{A3D54256-531F-4116-A849-CF4216C0A4D3}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Hummingbird\Connectivity\12.00\Exceed\humshmx.dll
Trusted Zone: wachovia.com
TCP: DhcpNameServer = 192.168.1.254
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\ChinG.DTC260055B4975F\Application Data\Mozilla\Firefox\Profiles\nyrhw2k7.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - ExtSQL: !HIDDEN! 2011-02-24 15:06; [You must be registered and logged in to see this link.]; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
.
------- File Associations -------
.
txtfile=c:\e\Pgm\KEditW\KEDITW32.EXE "%1"
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-MiniStumbler - c:\program files\MiniStumbler\uninst.exe
AddRemove-WFIECacheClear-LXV - c:\progra~1\Cleanup\UNWISE.EXE
AddRemove-WFIECookieClear-LXV - c:\progra~1\Cleanup\UNWISE.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2013-03-18 22:01
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1080)
c:\windows\system32\pssogina.dll
c:\windows\system32\ipassllgina.dll
c:\windows\system32\MSVCR71.dll
.
- - - - - - - > 'explorer.exe'(5444)
c:\windows\system32\WININET.dll
c:\e\Pgm\UltraMon\RTSUltraMonHook.dll
c:\program files\Google\Drive\googledrivesync32.dll
c:\e\Pgm\iBand\iBand.dll
c:\windows\system32\msi.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\e\Pgm\UltraMon\Resources\en\RTSUltraMonHookRes.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Hummingbird\Connectivity\12.00\Hummingbird Neighborhood\heshell.dll
c:\program files\Hummingbird\Connectivity\12.00\Hummingbird Neighborhood\hncomlib.dll
c:\program files\Hummingbird\Connectivity\12.00\Hummingbird Neighborhood\humprdfw.dll
c:\program files\Hummingbird\Connectivity\12.00\Accessories\Humpud.dll
c:\program files\hummingbird\connectivity\12.00\accessories\humsettings.eng.nls
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Hummingbird\Connectivity\12.00\InetD\inetd32.exe
c:\program files\Google\Update\1.3.21.135\GoogleCrashHandler.exe
c:\program files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\system32\ZoneLabs\vsmon.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\CCM\CcmExec.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
c:\program files\marimba\tuner\.marimba\Marimba\ch.2\data\sum.exe
c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
c:\program files\marimba\tuner\lib\minituner.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\e\Pgm\UltraMon\UltraMonTaskbar.exe
.
**************************************************************************
.
Completion time: 2013-03-18 22:17:10 - machine was rebooted
ComboFix-quarantined-files.txt 2013-03-19 05:16
.
Pre-Run: 106,004,951,040 bytes free
Post-Run: 107,346,335,744 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - DBCCDB1057D9C256B4C7455B3EBBD5AE

georgechinsr
Novice
Novice

Posts Posts : 22
Joined Joined : 2011-10-07
Gender Gender : Male
OS OS : Windows XP & Windows 7
Protection Protection : Security Essentials
Points Points : 19176
# Likes # Likes : 0

View user profile

Back to top Go down

Re: AOL Mail log-ins reported suspicious activity

Post by Superdave on Tue Mar 19, 2013 7:22 pm

Internet Explorer's security is based upon a set of zones. Each zone has different security in terms of what scripts and applications can be run from a site that is in that zone. There is a security zone called the Trusted Zone. This zone has the lowest security and allows scripts and applications from sites in this zone to run without your knowledge. It is therefore a popular setting for malware sites to use so that future infections can be easily done on your computer without your knowledge as these sites will be in the Trusted Zone. Therefore, I recommend that nothing be allowed in the trusted zone. If you agree, please do the following.

Re-running ComboFix to remove infections:


  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

    KillAll::

    Firefox::
    Trusted Zone: wachovia.com

    DDS::
    Trusted Zone: wachovia.com
  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • I don't need to see the log from this script.

***************************************************
SysProt Antirootkit

Download
SysProt Antirootkit from the link below (you will find it at the bottom
of the page under attachments, or you can get it from one of the
mirrors).

[You must be registered and logged in to see this link.]

Unzip it into a folder on your desktop.

  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items.

    • Process << Selected
    • Kernel Modules << Selected
    • SSDT << Selected
    • Kernel Hooks << Selected
    • IRP Hooks << NOT Selected
    • Ports << NOT Selected
    • Hidden Files << Selected

  • At the bottom of the page

    • Hidden Objects Only << Selected

  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

********************************************

  • Download [You must be registered and logged in to see this link.] on the desktop
  • Close all the running programs
  • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • Pre-scan will start. Let it finish.
  • Click on SCAN button.
  • A report (RKreport.txt) should open. Post its content in your next reply. (RKreport could also be found on your desktop)
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If really won't run, rename it to winlogon.exe (or winlogon.com) and try again

Superdave
Captain
Captain

Posts Posts : 4202
Joined Joined : 2010-02-01
Gender Gender : Male
OS OS : Windows 8.1 and a dual-boot with XP Home SP3
Protection Protection : MSE, Windows Defender, Windows firewall
Points Points : 83181
# Likes # Likes : 0

View user profile

Back to top Go down

Log for SysProt Antirootkit

Post by georgechinsr on Wed Mar 20, 2013 8:02 pm

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: Combo-Fix.sys
Service Name: ---
Module Base: B98F8000
Module End: B9907000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_iaStor.sys
Service Name: ---
Module Base: A6C44000
Module End: A6D1E000
Hidden: Yes

Module Name: \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
Service Name: ---
Module Base: A4853000
Module End: A4856000
Hidden: Yes

Module Name: \??\C:\ComboFix\catchme.sys
Service Name: catchme
Module Base: A616A000
Module End: A6172000
Hidden: Yes

Module Name: \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Service Name: ---
Module Base: B9E58000
Module End: B9E5A000
Hidden: Yes

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwConnectPort
Address: 897B9990
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwDeleteValueKey
Address: A71E0350
Driver Base: A71CC000
Driver End: A71EE000
Driver Name: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

Function Name: ZwOpenProcess
Address: A6B19FA0
Driver Base: A6AFB000
Driver End: A6B2C000
Driver Name: \??\C:\WINDOWS\system32\vsdatant.sys

Function Name: ZwQueryValueKey
Address: 89799C18
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwResumeThread
Address: 897C7970
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSetValueKey
Address: A71E0580
Driver Base: A71CC000
Driver End: A71EE000
Driver Name: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

Function Name: ZwUnloadKey
Address: A48536D0
Driver Base: A4853000
Driver End: A4856000
Driver Name: \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Qoobox\BackEnv\AppData.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Cache.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Cookies.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Desktop.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Favorites.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\History.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Music.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\NetHood.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Personal.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Pictures.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Programs.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Recent.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SendTo.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SetPath.bat
Status: Access denied

Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\StartUp.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SysPath.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Templates.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\VikPev00
Status: Access denied

georgechinsr
Novice
Novice

Posts Posts : 22
Joined Joined : 2011-10-07
Gender Gender : Male
OS OS : Windows XP & Windows 7
Protection Protection : Security Essentials
Points Points : 19176
# Likes # Likes : 0

View user profile

Back to top Go down

Log for RogueKiller

Post by georgechinsr on Wed Mar 20, 2013 8:04 pm

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRKgmailcom
Feedback : [You must be registered and logged in to see this link.]
Website : [You must be registered and logged in to see this link.]
Blog : [You must be registered and logged in to see this link.]

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : ChinG [Admin rights]
Mode : Scan -- Date : 03/20/2013 13:01:59
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[31] : NtConnectPort @ 0x805A45D8 -> HOOKED (Unknown @ 0x897B9990)
SSDT[177] : NtQueryValueKey @ 0x80622384 -> HOOKED (Unknown @ 0x89799C18)
SSDT[206] : NtResumeThread @ 0x805D4A18 -> HOOKED (Unknown @ 0x897C7970)

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9160412AS +++++
--- User ---
[MBR] 4787d19d83648079b9aaa45a79e72c03
[BSP] b7cb42b22dc882131a6a6f85b63be1e5 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 152625 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_03202013_02d1301.txt >>
RKreport[1]_S_03202013_02d1301.txt

georgechinsr
Novice
Novice

Posts Posts : 22
Joined Joined : 2011-10-07
Gender Gender : Male
OS OS : Windows XP & Windows 7
Protection Protection : Security Essentials
Points Points : 19176
# Likes # Likes : 0

View user profile

Back to top Go down

Re: AOL Mail log-ins reported suspicious activity

Post by georgechinsr on Wed Mar 20, 2013 8:08 pm

Thank you, SuperDave!

Completed
- Ran ComboFix to delete Wachovia.com from trusted zone.
- Ran Sysprot Antirootkit and RogueKiller (logs are above).

Have a great day!
George Sr

georgechinsr
Novice
Novice

Posts Posts : 22
Joined Joined : 2011-10-07
Gender Gender : Male
OS OS : Windows XP & Windows 7
Protection Protection : Security Essentials
Points Points : 19176
# Likes # Likes : 0

View user profile

Back to top Go down

Error message on close of RogueKiller

Post by georgechinsr on Wed Mar 20, 2013 9:27 pm

Oh, when I tried to close RogueKiller, I received a pop-up error window:

"No items have been deleted. Do you really want to quit?"

How should I respond?

georgechinsr
Novice
Novice

Posts Posts : 22
Joined Joined : 2011-10-07
Gender Gender : Male
OS OS : Windows XP & Windows 7
Protection Protection : Security Essentials
Points Points : 19176
# Likes # Likes : 0

View user profile

Back to top Go down

Re: AOL Mail log-ins reported suspicious activity

Post by Superdave on Wed Mar 20, 2013 11:30 pm

Oh, when I tried to close RogueKiller, I received a pop-up error window:

"No items have been deleted. Do you really want to quit?"

How should I respond?
Please run RogueKiller and delete those items.

I'd like to scan your machine with ESET OnlineScan

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
[You must be registered and logged in to see this link.]

Click the button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.

Check
Click the button.
Accept any security warnings from your browser.

  • Leave the check mark next to Remove found threats.

Check
Push the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push
Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the button.
Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Superdave
Captain
Captain

Posts Posts : 4202
Joined Joined : 2010-02-01
Gender Gender : Male
OS OS : Windows 8.1 and a dual-boot with XP Home SP3
Protection Protection : MSE, Windows Defender, Windows firewall
Points Points : 83181
# Likes # Likes : 0

View user profile

Back to top Go down

Results of ESET OnlineScan

Post by georgechinsr on Thu Mar 21, 2013 3:15 am

Thank you, SuperDave.

ESETScan reports zero (0) infected files and zero (0) cleaned files.

I did not see a ">List of found threats" button or "Export to text file" button.

Below is contents of "C:\Program Files\ESET\ESET Online Scanner\log.txt"

I did not Push the "Finish" button yet.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=0a4e6c377a580648af79fc349fe8fd9a
# engine=13443
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2013-03-21 02:41:53
# local_time=2013-03-20 07:41:53 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=9217 16777214 75 51 88925983 249521189 0 0
# scanned=128545
# found=0
# cleaned=0
# scan_time=7645


georgechinsr
Novice
Novice

Posts Posts : 22
Joined Joined : 2011-10-07
Gender Gender : Male
OS OS : Windows XP & Windows 7
Protection Protection : Security Essentials
Points Points : 19176
# Likes # Likes : 0

View user profile

Back to top Go down

Re: AOL Mail log-ins reported suspicious activity

Post by Superdave on Thu Mar 21, 2013 10:38 pm

Ok. How's your computer running now? Any other issues before we cleanup?

Superdave
Captain
Captain

Posts Posts : 4202
Joined Joined : 2010-02-01
Gender Gender : Male
OS OS : Windows 8.1 and a dual-boot with XP Home SP3
Protection Protection : MSE, Windows Defender, Windows firewall
Points Points : 83181
# Likes # Likes : 0

View user profile

Back to top Go down

Re: AOL Mail log-ins reported suspicious activity

Post by georgechinsr on Fri Mar 22, 2013 3:52 am

Thank you, SuperDave!

The computer is running okay. Was any infections found?

If yes, is there any chance the infection propagated over the local network my other computers? I am seeing the AT&T ISP fixed network issues, and that I should restart my browsers on my other machines.

You really know your stuff!
Much appreciated,
George Sr

georgechinsr
Novice
Novice

Posts Posts : 22
Joined Joined : 2011-10-07
Gender Gender : Male
OS OS : Windows XP & Windows 7
Protection Protection : Security Essentials
Points Points : 19176
# Likes # Likes : 0

View user profile

Back to top Go down

Re: AOL Mail log-ins reported suspicious activity

Post by Superdave on Fri Mar 22, 2013 11:31 pm

The computer is running okay. Was any infections found?
A few malware infections were removed along with some other junk but nothing serious.

If yes, is there any chance the infection propagated over the local network my other computers?
Only if you share files over the network. Let's do some cleanup.

To uninstall ComboFix


  • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  • In the field, type in ComboFix /uninstall




(Note: Make sure there's a space between the word ComboFix and the forward-slash.)


  • Then, press Enter, or click OK.
  • This will uninstall ComboFix, delete its folders and files, hides System files and folders, and resets System Restore.

********************************************
Click Start> Computer> right click the C Drive and choose Properties> enter
Click Disk Cleanup from there.



Click OK on the Disk Cleanup Screen.
Click Yes on the Confirmation screen.



This runs the Disk Cleanup utility along with other selections if you have chosen any. (if you had a lot System Restore points, you will see a significant change in the free space in C drive)
*****************************************
Go to [You must be registered and logged in to see this link.] and get all critical updates.

----------

I suggest using [You must be registered and logged in to see this link.]. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

[You must be registered and logged in to see this link.]- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* [You must be registered and logged in to see this link.] from Spyware and Malware
* If you don't know what ActiveX controls are, see [You must be registered and logged in to see this link.]

Protect yourself against spyware using the Immunize feature in [You must be registered and logged in to see this link.] Guide: [You must be registered and logged in to see this link.] to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. [You must be registered and logged in to see this link.]

Check out [You must be registered and logged in to see this link.] for tips and free tools to help keep you safe in the future.

Also see [You must be registered and logged in to see this link.] for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!

Superdave
Captain
Captain

Posts Posts : 4202
Joined Joined : 2010-02-01
Gender Gender : Male
OS OS : Windows 8.1 and a dual-boot with XP Home SP3
Protection Protection : MSE, Windows Defender, Windows firewall
Points Points : 83181
# Likes # Likes : 0

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum