Malware


Malware

Post by avivaohm on Fri 28 Jun 2013, 8:05 pm

Hi GeekPolice

I was trying to download Filezilla FTP yesterday and tried to make sure I downloaded from a genuine site. But somewhere in the process I think I downloaded some malware..

I had a bluescreen crash after trying to play a video that I had rendered out. The video came out with just coloured squares on the screen and no real image.

I have run the tests suggested before posting.

Thanks

Aviva

# AdwCleaner v2.303 - Logfile created 06/27/2013 at 23:42:20
# Updated 08/06/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : hp - HP-9B47C1818988
# Boot Mode : Normal
# Running from : C:\Documents and Settings\hp\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****

Stopped & Deleted : IBUpdaterService

***** [Files / Folders] *****

Deleted on reboot : C:\Documents and Settings\All Users\Application Data\BrowserProtect
Deleted on reboot : C:\Documents and Settings\hp\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\eooncjejnppfjjklapaamhcdmjbilmde
Deleted on reboot : C:\Program Files\Common Files\AVG Secure Search
File Deleted : C:\Documents and Settings\hp\Application Data\Mozilla\Firefox\Profiles\m01btrpe.default\searchplugins\Babylon.xml
File Deleted : C:\Documents and Settings\hp\Application Data\Mozilla\Firefox\Profiles\m01btrpe.default\searchplugins\BrowserProtect.xml
File Deleted : C:\Documents and Settings\hp\Application Data\Mozilla\Firefox\Profiles\m01btrpe.default\searchplugins\delta.xml
File Deleted : C:\Documents and Settings\hp\Desktop\Play Free Games.lnk
File Deleted : C:\WINDOWS\system32\roboot.exe
File Deleted : C:\WINDOWS\Tasks\EPUpdater.job
Folder Deleted : C:\Documents and Settings\All Users\Application Data\APN
Folder Deleted : C:\Documents and Settings\All Users\Application Data\AVG Secure Search
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Babylon
Folder Deleted : C:\Documents and Settings\All Users\Application Data\IBUpdaterService
Folder Deleted : C:\Documents and Settings\hp\Application Data\AVG Secure Search
Folder Deleted : C:\Documents and Settings\hp\Application Data\BabSolution
Folder Deleted : C:\Documents and Settings\hp\Application Data\Babylon
Folder Deleted : C:\Documents and Settings\hp\Application Data\file scout
Folder Deleted : C:\Documents and Settings\hp\Application Data\Mozilla\Firefox\Profiles\m01btrpe.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}
Folder Deleted : C:\Documents and Settings\hp\Application Data\Mozilla\Firefox\Profiles\m01btrpe.default\extensions\ffxtlbr@babylon.com
Folder Deleted : C:\Documents and Settings\hp\Application Data\Mozilla\Firefox\Profiles\m01btrpe.default\WinampToolbarData
Folder Deleted : C:\Documents and Settings\hp\Application Data\OpenCandy
Folder Deleted : C:\Documents and Settings\hp\Local Settings\Application Data\AVG Secure Search
Folder Deleted : C:\Documents and Settings\LocalService\Application Data\Delta
Folder Deleted : C:\Program Files\AVG Secure Search
Folder Deleted : C:\Program Files\Common Files\Software Update Utility

***** [Registry] *****

Key Deleted : HKCU\Software\AVG Secure Search
Key Deleted : HKCU\Software\BabSolution
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\DataMngr
Key Deleted : HKCU\Software\DataMngr_Toolbar
Key Deleted : HKCU\Software\delta LTD
Key Deleted : HKCU\Software\e68b88b26eba13
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{82E1477C-B154-48D3-9891-33D83C26BCD3}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{C1AF5FA5-852C-4C90-812E-A7F75E011D87}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{25CEE8EC-5730-41BC-8B58-22DDC8AB8C20}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{82E1477C-B154-48D3-9891-33D83C26BCD3}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C1AF5FA5-852C-4C90-812E-A7F75E011D87}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\Software\AVG Secure Search
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\Software\Babylon
Key Deleted : HKLM\Software\BabylonToolbar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\dnu.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI.1
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj.1
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{35B8892D-C3FB-4D88-990D-31DB2EBD72BD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E1164984-B567-47BD-A7FF-240C2594404A}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdate
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser.1
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController.1
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\viprotocol
Key Deleted : HKLM\SOFTWARE\Classes\S
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{93E3D79C-0786-48FF-9329-93BC9F6DC2B3}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\DataMngr
Key Deleted : HKLM\SOFTWARE\e68b88b26eba13
Key Deleted : HKLM\Software\InstallIQ
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{15D2D75C-9CB2-4EFD-BAD7-B9B4CB4BC693}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SoftwareUpdUtility
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Updater Service
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Winamp Toolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdUtility
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Updater Service
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = [You must be registered and logged in to see this link.] --> [You must be registered and logged in to see this link.]
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls - bProtectTabs] = [You must be registered and logged in to see this link.] --> [You must be registered and logged in to see this link.]

-\\ Mozilla Firefox v21.0 (en-US)

File : C:\Documents and Settings\hp\Application Data\Mozilla\Firefox\Profiles\m01btrpe.default\prefs.js

C:\Documents and Settings\hp\Application Data\Mozilla\Firefox\Profiles\m01btrpe.default\user.js ... Deleted !

Deleted : user_pref("aol_toolbar.surf.date", "6");
Deleted : user_pref("aol_toolbar.surf.lastDate", "14");
Deleted : user_pref("aol_toolbar.surf.lastMonth", "5");
Deleted : user_pref("aol_toolbar.surf.lastYear", "2013");
Deleted : user_pref("aol_toolbar.surf.month", "454");
Deleted : user_pref("aol_toolbar.surf.prevMonth", "307");
Deleted : user_pref("aol_toolbar.surf.total", "776");
Deleted : user_pref("aol_toolbar.surf.week", "6");
Deleted : user_pref("aol_toolbar.surf.year", "760");
Deleted : user_pref("extensions.delta.admin", false);
Deleted : user_pref("extensions.delta.aflt", "babsst");
Deleted : user_pref("extensions.delta.appId", "{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}");
Deleted : user_pref("extensions.delta.autoRvrt", "false");
Deleted : user_pref("extensions.delta.bbDpng", "14");
Deleted : user_pref("extensions.delta.cntry", "GB");
Deleted : user_pref("extensions.delta.dfltLng", "en");
Deleted : user_pref("extensions.delta.excTlbr", false);
Deleted : user_pref("extensions.delta.ffxUnstlRst", true);
Deleted : user_pref("extensions.delta.hdrMd5", "CC3B2EDC06C35B0AAC02608EB0A3262C");
Deleted : user_pref("extensions.delta.id", "e0ea6bfb0000000000000022fae4438c");
Deleted : user_pref("extensions.delta.instlDay", "15847");
Deleted : user_pref("extensions.delta.instlRef", "sst");
Deleted : user_pref("extensions.delta.lastVrsnTs", "1.8.21.522:52:42");
Deleted : user_pref("extensions.delta.newTab", false);
Deleted : user_pref("extensions.delta.prdct", "delta");
Deleted : user_pref("extensions.delta.prtnrId", "delta");
Deleted : user_pref("extensions.delta.rvrt", "false");
Deleted : user_pref("extensions.delta.sg", "azb");
Deleted : user_pref("extensions.delta.smplGrp", "azb");
Deleted : user_pref("extensions.delta.tlbrId", "base");
Deleted : user_pref("extensions.delta.tlbrSrchUrl", "");
Deleted : user_pref("extensions.delta.vrsn", "1.8.21.5");
Deleted : user_pref("extensions.delta.vrsni", "1.8.21.5");
Deleted : user_pref("extensions.delta.vrsnTs", "1.8.21.522:52:42");
Deleted : user_pref("extensions.delta_i.babExt", "");
Deleted : user_pref("extensions.delta_i.babTrack", "affID=119392&tt=gc_");
Deleted : user_pref("extensions.delta_i.srcExt", "ss");
Deleted : user_pref("extensions.enabledAddons", "ffxtlbr%40delta.com:1.5.0,%7B0b38152b-1b20-484d-a11f-5e04a9b0[...]
Deleted : user_pref("winamp_toolbar.buttons.layout", "shoutcast_30026;mobile/android_33522;post_to_twitter_466[...]
Deleted : user_pref("winamp_toolbar.curtain.congrats", "none");
Deleted : user_pref("winamp_toolbar.firsttime.showwindow", false);
Deleted : user_pref("winamp_toolbar.guid", "{D4604B5C-5622-ABC2-E331-D8E3BD789BC5}");
Deleted : user_pref("winamp_toolbar.install.distroid", "winamp");
Deleted : user_pref("winamp_toolbar.install.lastTbVersion", "5.6.20.9397");
Deleted : user_pref("winamp_toolbar.install.lid", "");
Deleted : user_pref("winamp_toolbar.install.mtmhp", "");
Deleted : user_pref("winamp_toolbar.install.ncid", "");
Deleted : user_pref("winamp_toolbar.metrics.activestampdate", "14");
Deleted : user_pref("winamp_toolbar.metrics.activestampmonth", "5");
Deleted : user_pref("winamp_toolbar.metrics.activestampyear", "2013");
Deleted : user_pref("winamp_toolbar.metrics.log", false);
Deleted : user_pref("winamp_toolbar.metrics.originalDate", "13");
Deleted : user_pref("winamp_toolbar.metrics.originalHours", "23");
Deleted : user_pref("winamp_toolbar.metrics.originalMinutes", "0");
Deleted : user_pref("winamp_toolbar.metrics.originalMonth", "6");
Deleted : user_pref("winamp_toolbar.metrics.originalSeconds", "0");
Deleted : user_pref("winamp_toolbar.metrics.originalYear", "2013");
Deleted : user_pref("winamp_toolbar.relatednews.enabled", false);
Deleted : user_pref("winamp_toolbar.remote.publish.xml", "1371205485335");
Deleted : user_pref("winamp_toolbar.search.button", true);
Deleted : user_pref("winamp_toolbar.search.cid", "14-06-2013");
Deleted : user_pref("winamp_toolbar.search.instd", "E60ADE29A49C44FDB35F2BE931D91CD0");
Deleted : user_pref("winamp_toolbar.search.oid", "13-06-2013");
Deleted : user_pref("winamp_toolbar.search.placement", "left");
Deleted : user_pref("winamp_toolbar.search.populateoncomplete", false);
Deleted : user_pref("winamp_toolbar.search.savehistory", false);
Deleted : user_pref("winamp_toolbar.search.searchtype", "web");
Deleted : user_pref("winamp_toolbar.search.source", "winamp-ff");
Deleted : user_pref("winamp_toolbar.skin.custom", true);
Deleted : user_pref("winamp_toolbar.upgrade.showwindow", false);
Deleted : user_pref("winamp_toolbar.weather.degc", "12");
Deleted : user_pref("winamp_toolbar.weather.degf", "54");
Deleted : user_pref("winamp_toolbar.weather.image", "chrome://winamptoolbar/skin/weather/26.png");
Deleted : user_pref("winamp_toolbar.weather.locationid", "USNY0996");
Deleted : user_pref("winamp_toolbar.weather.metric", true);
Deleted : user_pref("winamp_toolbar.weather.tooltip", "New York , NY : Cloudy");
Deleted : user_pref("winamp_toolbar.weather.update", "1371205485990");
Deleted : user_pref("winamp_toolbar.winamp.artist", "");
Deleted : user_pref("winamp_toolbar.winamp.button.focus", true);
Deleted : user_pref("winamp_toolbar.winamp.button.forward", true);
Deleted : user_pref("winamp_toolbar.winamp.button.open", true);
Deleted : user_pref("winamp_toolbar.winamp.button.pause", true);
Deleted : user_pref("winamp_toolbar.winamp.button.play", true);
Deleted : user_pref("winamp_toolbar.winamp.button.rewind", true);
Deleted : user_pref("winamp_toolbar.winamp.button.stop", false);
Deleted : user_pref("winamp_toolbar.winamp.button.volume", true);
Deleted : user_pref("winamp_toolbar.winamp.ticker.show", true);
Deleted : user_pref("winamp_toolbar.winamp.title", "-999999");

-\\ Google Chrome v27.0.1453.116

File : C:\Documents and Settings\hp\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [16239 octets] - [27/06/2013 23:42:20]

########## EOF - C:\AdwCleaner[S1].txt - [16300 octets] ##########


Malwarebytes Anti-Malware (Trial) 1.75.0.1300

Database version: v2013.06.27.09

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
hp :: HP-9B47C1818988 [administrator]

Protection: Enabled

6/27/2013 11:55:44 PM
MBAM-log-2013-06-28 (01-44-15).txt

Scan type: Full scan (C:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 327943
Time elapsed: 1 hour(s), 24 minute(s), 15 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 3
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Program Files\Windows Movie Maker\WMM2EXT.dll (Malware.Packer.Gen) -> No action taken.
C:\Program Files\Windows Movie Maker\WMM2FILT.dll (Malware.Packer.Gen) -> No action taken.

(end)


Results of screen317's Security Check version 0.99.68
Windows XP Service Pack 3 x86
Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Disabled!
AVG Internet Security 2013
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.75.0.1300
Java(TM) 6 Update 22
Java version out of Date!
Adobe Flash Player 11.7.700.202
Adobe Reader 9 Adobe Reader out of Date!
Mozilla Firefox 21.0 Firefox out of Date!
Google Chrome 27.0.1453.110
Google Chrome 27.0.1453.116
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials msseces.exe
Windows Defender MSMpEng.exe
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
AVG avgwdsvc.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
Microsoft Security Client Antimalware MsMpEng.exe
Malwarebytes' Anti-Malware mbamscheduler.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 24% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````



avivaohm
Newbie Surfer
Posts : 7
Joined : 2013-04-06
Operating System : Windows XP
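The three logs above are the raw evidence in this thread. As an added example (not code from the thread, from GeekPolice, or from the AdwCleaner or Malwarebytes authors), here is a small Python parser that pulls the persistence-related indicators out of AdwCleaner and MBAM log lines: services, Run-key autoruns, scheduled-task .job files, IE Browser Helper Object CLSIDs, the Security Center "DisableNotify" values MBAM flagged as PUM, and any MBAM hit left at "No action taken". The sample lines are copied verbatim from the logs posted above; the category names and the line-format regexes are this example's own assumptions about the two tools' log layout, not a documented format.

```python
"""
Pull the persistence-related indicators out of AdwCleaner and Malwarebytes
(MBAM) log lines, so a helper can see at a glance which autoruns, services,
scheduled tasks and browser hooks were involved and which MBAM hits were
left with "No action taken".

Added example; not code from the thread or from either tool's authors.
"""
import re
from collections import defaultdict

# Constructed sample input: lines copied verbatim from the logs in the thread.
SAMPLE_LOG = r"""
Stopped & Deleted : IBUpdaterService
File Deleted : C:\WINDOWS\system32\roboot.exe
File Deleted : C:\WINDOWS\Tasks\EPUpdater.job
Folder Deleted : C:\Documents and Settings\hp\Application Data\OpenCandy
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
C:\Program Files\Windows Movie Maker\WMM2EXT.dll (Malware.Packer.Gen) -> No action taken.
"""

# AdwCleaner line shape (assumed from the posted log): "<action> : <target>"
ADW_RE = re.compile(
    r"^(?P<action>(?:File|Folder|Key|Value) Deleted|Deleted on reboot|"
    r"Stopped & Deleted|Replaced|Deleted) : (?P<target>.+)$"
)
# MBAM line shape (assumed): "<target> (<family>) [-> Bad: (x) Good: (y)] -> <action>"
MBAM_RE = re.compile(
    r"^(?P<target>.+?) \((?P<family>[A-Za-z0-9.]+)\)"
    r"(?: -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\))?"
    r" -> (?P<action>.+)$"
)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def classify(target: str) -> str:
    """Bucket a file path or registry location by the persistence role it plays.
    Category names are this example's own, not either tool's."""
    t = target.lower()
    if "\\currentversion\\run" in t:             # Run / RunOnce autostart value
        return "autorun"
    if "\\tasks\\" in t and t.endswith(".job"):  # XP-style scheduled task file
        return "scheduled_task"
    if "browser helper objects" in t:            # IE BHO registration (CLSID)
        return "bho"
    if "security center|" in t:                  # Security Center "DisableNotify" values
        return "security_center_tamper"
    if re.match(r"^[a-z]:\\", t):
        return "path"
    if t.startswith(("hklm\\", "hkcu\\", "hkey_")):
        return "registry"
    return "other"


def extract_iocs(log_text: str) -> dict:
    """Return {category: sorted list of indicators} for the lines in log_text."""
    iocs = defaultdict(set)
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ADW_RE.match(line)
        if m:
            action, target = m.group("action"), m.group("target")
            cat = "service" if action == "Stopped & Deleted" else classify(target)
            iocs[cat].add(target)
            iocs["clsid"].update(CLSID_RE.findall(target))
            continue
        m = MBAM_RE.match(line)
        if m:
            target = m.group("target")
            iocs[classify(target)].add(target)
            iocs["mbam_family"].add(m.group("family"))
            if m.group("bad") is not None:       # a registry value MBAM wants reset
                iocs["value_tamper"].add(f"{target}={m.group('bad')}")
            if m.group("action").startswith("No action taken"):
                iocs["unremediated"].add(target)   # scanned but not removed
    return {k: sorted(v) for k, v in iocs.items()}


if __name__ == "__main__":
    for category, items in sorted(extract_iocs(SAMPLE_LOG).items()):
        print(f"[{category}]")
        for item in items:
            print("   ", item)
```

Run it against a full AdwCleaner[S1].txt or MBAM log pasted into SAMPLE_LOG and the "unremediated" bucket is the list to act on before re-scanning; the "autorun", "service" and "scheduled_task" buckets are what to re-check after a reboot, since an adware dropper that survives will usually recreate exactly those.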

Re: Malware

Post by Superdave on Sat 29 Jun 2013, 6:21 am

Hello and welcome to GeekPolice.Net. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*******************************************************
I had a bluescreen crash after trying to play a video that I had rendered out. The video came out with just coloured squares on the screen and no real image.
Are those the only symptoms you're experiencing?
Please run MBAM again and Remove those infections.

*************************************************
Please download Junkware Removal Tool to your desktop.

Warning! Once the scan is complete JRT will shut down your browser with NO warning.

Shut down your protection software now to avoid potential conflicts.

•Temporarily disable your Antivirus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

•Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator

•The tool will open and start scanning your system.

•Please be patient as this can take a while to complete depending on your system's specifications.

•On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

•Copy and Paste the JRT.txt log into your next message.
*********************************************
Update Your Java (JRE)

Old versions of Java have vulnerabilities that malware can use to infect your system.


First Verify your Java Version

If there are any other version(s) installed then update now.

Get the new version (if needed)

If your version is out of date install the newest version of the Sun Java Runtime Environment.

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Be sure to close ALL open web browsers before starting the installation.

Remove any old versions

1. Download JavaRa and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions
3. Once complete exit JavaRA.

Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
****************************************
Total Fragmentation on Drive C:: 24% Defragment your hard drive soon! (Do NOT defrag if SSD!)
You need to defrag your hard drive soon. If you need help doing this, please let me know.(SSD means Solid State Drive)

Superdave
Tech Staff
Posts : 4193
Joined : 2010-02-01
Operating System : Windows 8.1 and a dual-boot with XP Home SP3

Re: Malware

Post by avivaohm on Mon 01 Jul 2013, 7:16 am

Hi Dave - thanks for your help!!

Apart from the bluescreen video crash it seems to be running quite smoothly, but has slowed right down when using a lot of things at once.

It did freeze up once when trying to boot up: it froze on the egg timer and wouldn't start, but I just rebooted it a couple of times and then it worked okay after that.

But generally the performance is okay, maybe a little slower when pushed - although I haven't tried to render any videos yet.

I ran the MBAM again and it did not detect any infected files.

I have updated my version of Java.

And I have no idea how to defrag my hard drive, so if you can help with that, it would be cool. And why do I need to do that? This is a recently bought refurbished laptop.

Below is the JRT

thanks again
Aviva
***********************************
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.4 (05.06.2013:1)
OS: Microsoft Windows XP x86
Ran by hp on Sun 06/30/2013 at 20:50:24.54
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ FireFox

Successfully deleted: [File] C:\Documents and Settings\hp\Application Data\mozilla\firefox\profiles\m01btrpe.default\invalidprefs.js





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 06/30/2013 at 20:53:33.60
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

avivaohm
Newbie Surfer
Posts : 7
Joined : 2013-04-06
Operating System : Windows XP

Re: Malware

Post by Superdave on Mon 01 Jul 2013, 9:19 am

but has slowed right down when using a lot of things at once.
That would have a lot to do with the speed of your computer and how much RAM you have.
And I have no idea how to defrag my hard drive so if you can help with that would be cool and why do I need to do that.
After a bit of use the data on your hard drive gets fragmented all over the drive. When you open a program or a file a search has to be made all over the disk in order to retrieve all the information. Defragging just organizes things on the disk and makes your computer a bit faster; a bit of housecleaning, if you will. You can defrag by running the Windows defragger. Go to Start, All Programs, Accessories, System Tools and select Disk Defragmenter and follow the instructions. I have other defraggers, if you need them.

Download Combofix from any of the links below, and save it to your DESKTOP.
If your version of Windows defaults to your download folder you will need to copy it to your desktop.

Link 1
Link 2
Link 3

To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.

  • Close any open windows and double click ComboFix.exe to run it.

    You will see the following image:



Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:



As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.



Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.

Superdave
Tech Staff
Posts : 4193
Joined : 2010-02-01
Operating System : Windows 8.1 and a dual-boot with XP Home SP3

Re: Malware

Post by avivaohm on Wed 03 Jul 2013, 7:29 am

Hi
I defragged the hard drive and below is the log from Combofix..

Many thanks again for your help I will for sure be making a donation...
GeekPolice is Super cool  


ComboFix 13-07-02.03 - hp 07/02/2013  21:13:40.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1976.1219 [GMT 1:00]
Running from: c:\documents and settings\hp\Desktop\ComboFix.exe
AV: AVG Internet Security 2013 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: AVG Internet Security 2013 *Enabled* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\hp\Desktop\Setup.exe
c:\windows\EventSystem.log
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-02 to 2013-07-02  )))))))))))))))))))))))))))))))
.
.
2013-07-02 20:06 . 2013-07-02 20:06 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5532EAF5-5D82-4C63-8127-233B53E300CA}\MpKslef37952d.sys
2013-07-02 19:57 . 2013-06-12 04:18 7068072 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5532EAF5-5D82-4C63-8127-233B53E300CA}\mpengine.dll
2013-07-01 22:02 . 2013-07-01 23:12 -------- d-----w- C:\Ohmni Creations Image
2013-07-01 12:50 . 2013-07-01 12:51 -------- d-----w- C:\T23 files
2013-07-01 07:49 . 2013-07-01 07:49 -------- d-----w- c:\documents and settings\hp\Local Settings\Application Data\Sun
2013-06-30 20:02 . 2013-06-30 20:02 -------- d-----w- c:\program files\Common Files\Java
2013-06-30 20:02 . 2013-06-30 20:02 867240 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-06-30 20:02 . 2013-06-30 20:02 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-06-30 20:01 . 2013-06-30 20:01 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2013-06-30 19:59 . 2013-06-30 19:59 -------- d-----w- c:\windows\Sun
2013-06-30 19:50 . 2013-06-30 19:50 -------- d-----w- c:\windows\ERUNT
2013-06-30 19:50 . 2013-06-30 19:50 -------- d-----w- C:\JRT
2013-06-29 23:02 . 2011-08-23 17:42 332144 ----a-w- c:\program files\Common Files\MediaOrganizer.dll
2013-06-29 23:02 . 2011-08-23 17:35 33136 ----a-w- c:\program files\Common Files\FlickrProvider.dll
2013-06-29 23:02 . 2011-08-23 17:35 402800 ----a-w- c:\program files\Common Files\facebook.dll
2013-06-29 23:02 . 2011-08-23 17:35 130416 ----a-w- c:\program files\Common Files\PluginCommon.dll
2013-06-29 23:02 . 2011-08-23 17:34 465264 ----a-w- c:\program files\Common Files\AppFramework.dll
2013-06-29 22:56 . 2013-07-01 21:50 848 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2013-06-29 22:53 . 2013-06-29 22:53 -------- d-----w- c:\documents and settings\hp\Local Settings\Application Data\Apple Computer
2013-06-29 22:51 . 2013-06-29 22:51 -------- d-----w- c:\program files\Common Files\Protexis
2013-06-29 22:51 . 2013-06-29 22:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel
2013-06-29 22:49 . 2013-07-01 23:12 -------- d-----w- c:\documents and settings\hp\Local Settings\Application Data\Corel
2013-06-29 22:49 . 2013-06-29 22:56 -------- d-----w- c:\documents and settings\hp\Application Data\Corel
2013-06-29 22:46 . 2013-06-29 22:48 -------- d-----w- c:\program files\Common Files\Corel
2013-06-29 22:46 . 2013-06-29 22:46 -------- d-----w- c:\program files\Corel
2013-06-29 22:46 . 2013-06-29 22:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Ulead Systems
2013-06-27 22:53 . 2013-06-27 22:53 -------- d-----w- c:\documents and settings\hp\Application Data\Malwarebytes
2013-06-27 22:51 . 2013-06-27 22:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2013-06-27 22:51 . 2013-06-27 22:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-06-27 22:51 . 2013-04-04 13:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-06-27 21:10 . 2013-06-27 21:10 -------- d-----w- c:\documents and settings\hp\Application Data\AVG2013
2013-06-27 21:10 . 2013-06-27 21:10 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\AVG2013
2013-06-27 21:09 . 2013-06-27 21:09 -------- d-----w- c:\documents and settings\hp\Application Data\TuneUp Software
2013-06-27 21:09 . 2013-06-27 21:08 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-06-27 21:08 . 2013-06-27 22:46 -------- d-----w- c:\program files\Common Files\AVG Secure Search
2013-06-27 21:06 . 2013-06-27 21:10 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2013
2013-06-27 21:00 . 2013-06-27 21:16 -------- d-----w- c:\documents and settings\hp\Local Settings\Application Data\Avg2013
2013-06-27 21:00 . 2013-06-27 21:00 -------- d-----w- c:\documents and settings\hp\Local Settings\Application Data\MFAData
2013-06-27 17:25 . 2013-06-27 18:34 -------- d-----w- C:\Music Collection
2013-06-27 17:06 . 2013-06-28 11:19 -------- d-----w- c:\windows\system32\XPSViewer
2013-06-27 17:06 . 2013-06-27 17:06 -------- d-----w- c:\program files\MSBuild
2013-06-27 17:06 . 2013-06-27 17:06 -------- d-----w- c:\program files\Reference Assemblies
2013-06-27 17:06 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2013-06-27 17:06 . 2007-11-30 11:18 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2013-06-27 17:05 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2013-06-27 17:05 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2013-06-27 17:05 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2013-06-27 17:05 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2013-06-27 17:05 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2013-06-27 17:05 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2013-06-27 17:05 . 2013-06-27 17:06 -------- d-----w- C:\06eb76955bdfd70d32ca17ae8aba07
2013-06-27 17:05 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2013-06-27 17:05 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2013-06-27 16:00 . 2013-06-27 16:06 -------- d-----w- c:\documents and settings\hp\Application Data\FileZilla
2013-06-27 15:47 . 2013-06-27 15:45 675584 ----a-w- c:\program files\Uninstall Information\Ib\97\3867\ib_uninstall.exe
2013-06-26 23:51 . 2013-06-27 12:16 -------- d-----w- c:\documents and settings\hp\Application Data\FreeVideoConverter
2013-06-26 22:37 . 2013-06-27 00:08 -------- d-----w- c:\program files\Free Video Converter
2013-06-26 22:15 . 2013-06-26 22:17 -------- d-----w- c:\program files\Free mp3 Wma Converter
2013-06-26 21:39 . 2013-06-26 21:59 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2013-06-26 21:38 . 2013-06-26 22:10 -------- d-----w- c:\documents and settings\hp\Application Data\NCH Software
2013-06-26 21:38 . 2013-06-26 21:39 -------- d-----w- c:\program files\NCH Software
2013-06-17 21:22 . 2013-05-28 13:05 163328 ----a-w- c:\windows\system32\FlashPlayerUpdateService.exe
2013-06-15 19:50 . 2013-06-15 19:50 -------- d-----w- c:\program files\Steinberg
2013-06-15 19:50 . 2013-06-15 19:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Acon Digital
2013-06-15 19:50 . 2013-06-15 19:50 -------- d-----w- c:\program files\Acon Digital
2013-06-14 10:35 . 2013-06-14 10:37 -------- d-----w- c:\documents and settings\hp\Local Settings\Application Data\Google
2013-06-14 10:35 . 2013-06-14 10:36 -------- d-----w- c:\program files\Google
2013-06-07 18:25 . 2013-06-27 16:04 -------- d-----w- c:\program files\FileZilla FTP Client
2013-06-03 23:04 . 2013-06-03 23:04 -------- d-----w- C:\Eternity Starshine
2013-06-03 23:04 . 2013-06-27 20:48 -------- d-----w- C:\OhmniSpirit Creations
2013-06-03 09:43 . 2013-06-03 09:43 -------- d-sh--w- c:\documents and settings\hp\PrivacIE
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-30 20:02 . 2013-05-21 11:19 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-06-30 20:02 . 2013-05-21 11:19 789416 ----a-w- c:\windows\system32\deployJava1.dll
2013-06-12 04:18 . 2013-05-22 13:31 7068072 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-05-29 15:40 . 2013-05-21 11:04 98304 ----a-w- c:\windows\DUMP688d.tmp
2013-05-23 15:39 . 2013-05-23 15:39 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2013-05-22 14:00 . 2013-05-22 14:00 8192 ----a-r- c:\documents and settings\hp\Application Data\Microsoft\Installer\{AF25AEFA-F76B-48A7-A709-C69AD56AED51}\IconTmpl1.108DF49C_3AB4_4A7D_B6FD_8B6286B317FA.exe
2013-05-22 14:00 . 2013-05-22 14:00 30208 ----a-r- c:\documents and settings\hp\Application Data\Microsoft\Installer\{AF25AEFA-F76B-48A7-A709-C69AD56AED51}\IconTmpl.108DF49C_3AB4_4A7D_B6FD_8B6286B317FA.exe
2013-05-22 14:00 . 2013-05-22 14:00 14848 ----a-r- c:\documents and settings\hp\Application Data\Microsoft\Installer\{AF25AEFA-F76B-48A7-A709-C69AD56AED51}\IconTmpl4.A961A077_4BD0_4C98_86BC_EE4A98CE550D.exe
2013-05-21 12:02 . 2013-05-21 12:02 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-21 12:02 . 2008-04-14 11:00 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-07 22:30 . 2012-01-12 14:05 920064 ----a-w- c:\windows\system32\wininet.dll
2013-05-07 22:30 . 2012-01-12 14:05 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-05-07 22:30 . 2012-01-12 14:05 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-05-07 21:53 . 2012-01-12 14:05 385024 ----a-w- c:\windows\system32\html.iec
2013-05-03 01:30 . 2012-01-12 14:03 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38 . 2011-10-25 12:52 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-05-02 15:28 . 2013-05-21 12:01 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-04-10 01:31 . 2012-01-12 14:04 1876352 ----a-w- c:\windows\system32\win32k.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2012-01-12 . E17798E1E6FF1CA9C67B8576570E05EE . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2011-09-07 522752]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2010-10-12 979328]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2012-06-28 74752]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2013-05-08 41056]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2013-04-28 4408368]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\hp\Start Menu\Programs\Startup\
CodeMeter Control Center.lnk - c:\program files\CodeMeter\Runtime\bin\CodeMeterCC.exe [2007-3-23 4984832]
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
REALTEK 11n USB Wireless LAN Utility.lnk - c:\program files\REALTEK\11n USB Wireless LAN Utility\RtWLan.exe /H [2013-5-23 991232]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ   autocheck autochk *\0c:\progra~1\AVG\AVG2013\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, credssp.dll, digest.dll, msnsspc.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-04-04 08:36 958576 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2013-05-08 21:20 41056 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 11:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2010-01-28 21:27 173592 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2010-01-28 21:27 141336 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2010-01-28 21:27 142360 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2012-04-05 10:42 17356424 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2008-12-11 10:08 1044480 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2013-03-12 06:32 253816 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\TeamViewer\\Version7\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version7\\TeamViewer_Service.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\CodeMeter\\Runtime\\bin\\CodeMeter.exe"=
"c:\\Program Files\\REALTEK\\11n USB Wireless LAN Utility\\RtWLan.exe"=
"c:\\Program Files\\EPSON Software\\Event Manager\\EEventManager.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1542:TCP"= 1542:TCP:Realtek WPS TCP Prot
"1542:UDP"= 1542:UDP:Realtek WPS UDP Prot
"53:UDP"= 53:UDP:Realtek AP UDP Prot
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2/8/2013 4:37 AM 60216]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2/8/2013 4:37 AM 245048]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2/8/2013 4:37 AM 39224]
R0 mv61xxmm;mv61xxmm;c:\windows\system32\drivers\mv61xxmm.sys [1/12/2012 3:11 PM 13616]
R0 mv64xxmm;mv64xxmm;c:\windows\system32\drivers\mv64xxmm.sys [1/12/2012 3:11 PM 5632]
R0 mvxxmm;mvxxmm;c:\windows\system32\drivers\mvxxmm.sys [1/12/2012 3:11 PM 13616]
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [5/21/2013 11:38 AM 24064]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [3/29/2013 2:53 AM 208184]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [3/1/2013 10:32 AM 22328]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2/8/2013 4:37 AM 170808]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [3/21/2013 3:08 AM 182072]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [6/27/2013 10:09 PM 37664]
R1 MpKslef37952d;MpKslef37952d;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5532EAF5-5D82-4C63-8127-233B53E300CA}\MpKslef37952d.sys [7/2/2013 9:06 PM 29904]
R2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [5/14/2009 5:07 PM 759048]
R2 avgfws;AVG Firewall;c:\program files\AVG\AVG2013\avgfws.exe [4/10/2013 11:07 AM 1428472]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2013\avgwdsvc.exe [4/18/2013 4:34 AM 283136]
R2 CodeMeter.exe;CodeMeter Runtime Server;c:\program files\CodeMeter\Runtime\bin\CodeMeter.exe [8/23/2007 3:20 AM 2007040]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [6/27/2013 11:51 PM 418376]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/27/2013 11:51 PM 701512]
R2 vToolbarUpdater15.3.0;vToolbarUpdater15.3.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe [6/27/2013 10:08 PM 1598128]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [1/12/2012 7:52 PM 30944]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [5/21/2013 11:34 AM 44800]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/27/2013 11:51 PM 22856]
R3 NETwNx32;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwNx32.sys [5/21/2013 11:39 AM 6913920]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2013\avgidsagent.exe [5/14/2013 12:54 AM 4937264]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [1/12/2012 7:52 PM 30944]
S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [5/21/2013 11:37 AM 251096]
S3 RTL8192cu;Realtek RTL8192CU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8192cu.sys [5/23/2013 4:39 PM 894696]
S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [6/1/2013 9:16 PM 606440]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLEF37952D
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-06-20 13:40 1165776 ----a-w- c:\program files\Google\Chrome\Application\27.0.1453.116\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-02 c:\windows\Tasks\AdobeFlashPlayerUpdate 2.job
- c:\windows\system32\FlashPlayerUpdateService.exe [2013-06-17 13:05]
.
2013-07-02 c:\windows\Tasks\AdobeFlashPlayerUpdate.job
- c:\windows\system32\FlashPlayerUpdateService.exe [2013-06-17 13:05]
.
2013-07-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-06-14 10:35]
.
2013-07-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-06-14 10:35]
.
2013-07-02 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 14:39]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\hp\Application Data\Mozilla\Firefox\Profiles\m01btrpe.default\
FF - prefs.js: browser.startup.homepage -
FF - ExtSQL: 2013-05-21 12:19; [You must be registered and logged in to see this link.]; c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - ExtSQL: 2013-05-22 14:30; [You must be registered and logged in to see this link.]; c:\documents and settings\hp\Application Data\Mozilla\Firefox\Profiles\m01btrpe.default\extensions\ffxtlbr@delta.com
FF - ExtSQL: 2013-05-22 15:57; {B5BB3EC1-23C9-4828-A7E7-5765720AC9F0}; c:\documents and settings\hp\Application Data\Mozilla\Firefox\Profiles\m01btrpe.default\extensions\{B5BB3EC1-23C9-4828-A7E7-5765720AC9F0}
FF - ExtSQL: 2013-05-23 23:10; {0b38152b-1b20-484d-a11f-5e04a9b0661f}; c:\documents and settings\hp\Application Data\Mozilla\Firefox\Profiles\m01btrpe.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-Corel File Shell Monitor - c:\program files\Corel\Corel PaintShop Photo Pro\X3\PSPClassic\CorelIOMonitor.exe
AddRemove-LSI Soft Modem - c:\windows\agrsmdel
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2013-07-02 21:17
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2013-07-02  21:19:32
ComboFix-quarantined-files.txt  2013-07-02 20:19
.
Pre-Run: 201,716,600,832 bytes free
Post-Run: 203,110,100,992 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 9CF59D766C97D88989206BAC2D32C562
8F558EB6672622401DA993E1E865C861

avivaohm

Newbie Surfer

Posts : 7
Joined : 2013-04-06
Operating System : Windows XP



Re: Malware

Post by Superdave on Thu 04 Jul 2013, 9:33 am

I noticed that you have two Anti-Virus programs on your computer: AVG Internet Security 2013 and Microsoft Security Essentials. Just be sure that only one AV is enabled at any time on your computer, otherwise they will cause conflicts.

SysProt Antirootkit

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

[You must be registered and logged in to see this link.]

Unzip it into a folder on your desktop.

  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items.

    • Process << Selected
    • Kernel Modules << Selected
    • SSDT << Selected
    • Kernel Hooks << Selected
    • IRP Hooks << NOT Selected
    • Ports << NOT Selected
    • Hidden Files << Selected

  • At the bottom of the page

    • Hidden Objects Only << Selected

  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

******************************************

  • Download RogueKiller on the desktop
  • Close all the running programs
  • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • Pre-scan will start. Let it finish.
  • Click on SCAN button.
  • A report (RKreport.txt) should open. Post its content in your next reply. (RKreport could also be found on your desktop)
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.


Superdave
Tech Staff

Posts : 4193
Joined : 2010-02-01
Operating System : Windows 8.1 and a dual-boot with XP Home SP3


