Jump to content

Malwarebytes

Have multiple infections please help

- - - - -
Started by rysktkr, Jun 25 2012 09:48 PM


77 replies to this topic

#1
rysktkr
Posted 25 June 2012 - 09:48 PM

    Regular Member

  • Honorary Members
  • PipPip
  • 95 posts
My SEP detected Bloodhound.MalPE but was unable to remove it. I ran Malwarebytes it detected several viruses and trojans. Unfortunately the removal was not successful and I can't even run it anymore. I tried running DDS to get a log but it freezes everytime in the progress location. I was able to get a successful HJT log below:


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:29:29 PM, on 6/25/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Update\NASvc.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\windows\System32\svchost.exe
C:\windows\system32\nvsvc32.exe
C:\windows\System32\svchost.exe
C:\Program Files\RemotelyAnywhere\x86\RaMaint.exe
C:\Program Files\RemotelyAnywhere\x86\RemotelyAnywhere.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\Program Files\VERIZONDM\bin\sprtsvc.exe
C:\windows\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\VERIZONDM\bin\tgsrvc.exe
C:\windows\System32\vssvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\vsnapvss.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\System32\svchost.exe
C:\windows\System32\msiexec.exe
C:\WINDOWS\system32\msiexec.exe
C:\windows\System32\msiexec.exe
I:\hjt\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: @C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\npwinext.dll,-100 - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\npwinext.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [V0230Mon.exe] C:\WINDOWS\system32\V0230Mon.exe
O4 - HKLM\..\Run: [NBAgent] "C:\Program Files\Nero\Nero 10\Nero BackItUp\NBAgent.exe" /WinStart
O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [RemoteControl10] "C:\Program Files\CyberLink\PowerDVD10\PDVD10Serv.exe"
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared files\brs.exe
O4 - HKLM\..\Run: [Nero MediaHome 4] "C:\Program Files\Nero\Nero MediaHome 4\NeroMediaHome.exe" /AUTORUN
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [UpdatePDRShortCut] "C:\Program Files\CyberLink\PowerDirector10\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerDirector10" UpdateWithCreateOnce "Software\CyberLink\PowerDirector\10.0"
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [GiBbQUEPdGQQTat.exe] C:\Documents and Settings\All Users\Application Data\GiBbQUEPdGQQTat.exe
O4 - HKLM\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKCU\..\RunOnce: [*NPE] "I:\NPE.exe" /POSTADVSCAN
O4 - HKUS\S-1-5-21-1960408961-1303643608-839522115-1003\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User 'Mark')
O4 - HKUS\S-1-5-21-1960408961-1303643608-839522115-1003\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet (User 'Mark')
O4 - HKUS\S-1-5-21-1960408961-1303643608-839522115-1003\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" (User 'Mark')
O4 - HKUS\S-1-5-21-1960408961-1303643608-839522115-1003\..\Run: [DAEMON Tools Lite] "C:\util\DAEMON Tools Lite\DTLite.exe" -autorun (User 'Mark')
O4 - HKUS\S-1-5-21-1960408961-1303643608-839522115-1003\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden (User 'Mark')
O4 - HKUS\S-1-5-21-1960408961-1303643608-839522115-1003\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe (User 'Mark')
O4 - HKUS\S-1-5-21-1960408961-1303643608-839522115-1003\..\Run: [Google Update] "C:\Documents and Settings\Mark\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (User 'Mark')
O4 - HKUS\S-1-5-21-1960408961-1303643608-839522115-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Mark')
O4 - HKUS\S-1-5-21-1960408961-1303643608-839522115-1003\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe (User 'Mark')
O4 - S-1-5-21-1960408961-1303643608-839522115-1003 Startup: Check for TWS Updates.lnk = C:\Program Files\Jts\WiseUpdt.exe (User 'Mark')
O4 - S-1-5-21-1960408961-1303643608-839522115-1003 User Startup: Check for TWS Updates.lnk = C:\Program Files\Jts\WiseUpdt.exe (User 'Mark')
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} (Device Detection) - http://www.logitech....Detection32.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternati...-ie/alttiff.cab
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - http://h20364.www2.h...DataManager.CAB
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.co...sreqlab_nvd.cab
O16 - DPF: {3528A58B-595D-4AFD-A5F6-B914BD306DC3} (SlingHealth Class) - http://dishconnectiv...SlingHealth.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset...lineScanner.cab
O16 - DPF: {B80CD4E6-5B02-4B6C-99BE-68F1511E9549} (WebSlingPlayer) - http://plugin.slingb...SlingPlayer.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creat...15112/CTPID.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - http://mypc:2000/activex/RACtrl.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32 acaptuser32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\windows\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\windows\system32\browseui.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1ca0bc6b51516ae) (gupdate1ca0bc6b51516ae) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IHA_MessageCenter - Verizon - C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Intuit Update Service v4 (IntuitUpdateServiceV4) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Java\jre7\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @C:\Program Files\Nero\Update\NASvc.exe,-200 (NAUpdate) - Nero AG - C:\Program Files\Nero\Update\NASvc.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: Nero MediaHome 4 Service (NeroMediaHomeService.4) - Nero AG - C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: RemotelyAnywhere Maintenance Service (RAMaint) - LogMeIn, Inc. - C:\Program Files\RemotelyAnywhere\x86\RaMaint.exe
O23 - Service: RemotelyAnywhere - LogMeIn, Inc. - C:\Program Files\RemotelyAnywhere\x86\RemotelyAnywhere.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: ShadowProtect Service (ShadowProtectSvc) - StorageCraft Technology Corporation - C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe
O23 - Service: SlingAgentService - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: SupportSoft Sprocket Service (verizondm) (sprtsvc_verizondm) - SupportSoft, Inc. - C:\Program Files\VERIZONDM\bin\sprtsvc.exe
O23 - Service: StorageCraft Image Manager - StorageCraft Technology Corporation - C:\Program Files\StorageCraft\ImageManager\ImageManager.exe
O23 - Service: StorageCraft Image Manager (StorageCraft Image Manager32) - Unknown owner - C:\WINDOWS\system32\ntsdexts32.exe (file missing)
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: SupportSoft Repair Service (verizondm) (tgsrvc_verizondm) - SupportSoft, Inc. - C:\Program Files\VERIZONDM\bin\tgsrvc.exe
O23 - Service: StorageCraft Shadow Copy Provider (VSNAPVSS) - StorageCraft Technology Corporation - C:\WINDOWS\system32\vsnapvss.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 18520 bytes

#2
MrCharlie
Posted 26 June 2012 - 05:36 AM

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 17,449 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA
Welcome to the forum.

Enable hidden files:

http://www.howtogeek...-folders-in-xp/


Using HJT>>>>

[*]Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:


O4 - HKLM\..\Run: [GiBbQUEPdGQQTat.exe] C:\Documents and Settings\All Users\Application Data\GiBbQUEPdGQQTat.exe


Click on Fix Checked when finished and exit HijackThis.

---------------------------

Delete this file:

C:\Documents and Settings\All Users\Application Data\GiBbQUEPdGQQTat.exe

-----------------------------

Next......

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller.

For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system (don't run any other options, they're not all bad!!!!!!!)
Post back the report.

MrC

Malware Removal Expert


Posted Image


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Posted Image Thanks MrC & crew

#3
rysktkr
Posted 26 June 2012 - 09:55 AM

    Regular Member

  • Honorary Members
  • PipPip
  • 95 posts
Hi MrCharlie,
I accomplished everything requested with the exception of:
Delete this file:
C:\Documents and Settings\All Users\Application Data\GiBbQUEPdGQQTat.exe
While HJT was running I opened up a windows explorer and could see this file. I waited for HJT to complete before trying to delete. Once HJT was finished I could not see any files in the C drive. Note this has been the case during this infection. Here is the log you requested.

RogueKiller V7.6.0 [06/26/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com
Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Administrator [Admin rights]
Mode: Scan -- Date: 06/26/2012 07:41:29
¤¤¤ Bad processes: 0 ¤¤¤
¤¤¤ Registry Entries: 2 ¤¤¤
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[APPINIT_DLL] HKLM\[...]\Windows : AppInit_DLLs (C:\WINDOWS\system32 acaptuser32.dll) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : c:\windows\installer\{f53b4e5d-be5e-dbd5-89b7-192bca81046d}\@ --> FOUND
[ZeroAccess][FOLDER] U : c:\windows\installer\{f53b4e5d-be5e-dbd5-89b7-192bca81046d}\U --> FOUND
¤¤¤ Driver: [LOADED] ¤¤¤
SSDT[12] : NtAlertResumeThread @ 0x80637C36 -> HOOKED (Unknown @ 0x875185C0)
SSDT[13] : NtAlertThread @ 0x80592EFA -> HOOKED (Unknown @ 0x87519260)
SSDT[17] : NtAllocateVirtualMemory @ 0x80570BC5 -> HOOKED (Unknown @ 0x875185F8)
SSDT[43] : NtCreateMutant @ 0x80580B62 -> HOOKED (Unknown @ 0x8A048920)
SSDT[53] : NtCreateThread @ 0x805860C0 -> HOOKED (Unknown @ 0x874E1420)
SSDT[83] : NtFreeVirtualMemory @ 0x805710BF -> HOOKED (Unknown @ 0x87523770)
SSDT[89] : NtImpersonateAnonymousToken @ 0x8059BB5D -> HOOKED (Unknown @ 0x8A085E00)
SSDT[91] : NtImpersonateThread @ 0x805874C1 -> HOOKED (Unknown @ 0x8A085EC0)
SSDT[108] : NtMapViewOfSection @ 0x8057AA19 -> HOOKED (Unknown @ 0x874C9838)
SSDT[114] : NtOpenEvent @ 0x80589B69 -> HOOKED (Unknown @ 0x8A048860)
SSDT[123] : NtOpenProcessToken @ 0x805784F6 -> HOOKED (Unknown @ 0x8A062500)
SSDT[129] : NtOpenThreadToken @ 0x805746D2 -> HOOKED (Unknown @ 0x8A083EF0)
SSDT[206] : NtResumeThread @ 0x80586737 -> HOOKED (Unknown @ 0x8A05CCB0)
SSDT[213] : NtSetContextThread @ 0x8063629D -> HOOKED (Unknown @ 0x8A05ADC0)
SSDT[228] : NtSetInformationProcess @ 0x80574B1F -> HOOKED (Unknown @ 0x8A083FC0)
SSDT[229] : NtSetInformationThread @ 0x80576ABD -> HOOKED (Unknown @ 0x8A083678)
SSDT[253] : NtSuspendProcess @ 0x80637B7B -> HOOKED (Unknown @ 0x8A0487A0)
SSDT[254] : NtSuspendThread @ 0x80637A97 -> HOOKED (Unknown @ 0x87521120)
SSDT[257] : NtTerminateProcess @ 0x8058E6B9 -> HOOKED (Unknown @ 0x8A087498)
SSDT[258] : NtTerminateThread @ 0x80582DD9 -> HOOKED (Unknown @ 0x88A13D90)
SSDT[267] : NtUnmapViewOfSection @ 0x8057A5A1 -> HOOKED (Unknown @ 0x8A05C258)
SSDT[277] : NtWriteVirtualMemory @ 0x805873F6 -> HOOKED (Unknown @ 0x87523840)
IRP[IRP_MJ_CREATE] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xF7978B40)
IRP[IRP_MJ_CLOSE] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xF7978B40)
IRP[IRP_MJ_DEVICE_CONTROL] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xF7978B40)
IRP[IRP_MJ_SYSTEM_CONTROL] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xF7978B40)
IRP[IRP_MJ_DEVICE_CHANGE] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xF7978B40)
¤¤¤ Infection : ZeroAccess|Root.MBR ¤¤¤
¤¤¤ HOSTS File: ¤¤¤

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: Hitachi HDS5C3020ALA632 +++++
--- User ---
[MBR] 643c28cbc44b82ab1d3fc24bbfdf4f69
[BSP] 57baa9068b859ee8a3cfb5a321dc6037 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 1907726 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 832b7b432331ebc868a045aad743990a
[BSP] 57baa9068b859ee8a3cfb5a321dc6037 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 1907726 Mo
1 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 3907024065 | Size: 2 Mo
+++++ PhysicalDrive1: ST3500630AS +++++
--- User ---
[MBR] 643c28cbc44b82ab1d3fc24bbfdf4f69
[BSP] 57baa9068b859ee8a3cfb5a321dc6037 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 1907726 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 1406de26d4acd19c9b0ddec378f968d3
[BSP] 93a4ad19c181e7d325737ffc772b14db : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 Mo
+++++ PhysicalDrive2: WDC WD7500AADS-00L5B1 +++++
--- User ---
[MBR] 643c28cbc44b82ab1d3fc24bbfdf4f69
[BSP] 57baa9068b859ee8a3cfb5a321dc6037 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 1907726 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] c83fcee3155eb6114d8c84d54c112317
[BSP] eaf482a9766f3000634a695d502e8c7f : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 715402 Mo
+++++ PhysicalDrive3: SATA ST3320620AS SCSI Disk Device +++++
--- User ---
[MBR] 0326145d3c46a04484f1aa0bb439fb72
[BSP] 6367311c297c53c8fa575c4c03192a94 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] LINUX-SWP (0x42) [VISIBLE] Offset (sectors): 63 | Size: 305242 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

#4
MrCharlie
Posted 26 June 2012 - 10:54 AM

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 17,449 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA
Running unhide should "unhide" the files:
http://www.bleepingc...opic405109.html <---unhide

-------------------------------------

From the RogueKiller log it shows....
[ZeroAccess] infection, so I have to give you this warning:


Your computer is infected with a nasty rootkit. Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards and......
  • There's a possibility that you'll lose your internet connections which I may not be able to correct and will require a repair install.
  • There's also a possibility that during the cleaning procedure the computer will become unusable (won't boot) which will result in a repair install or complete format and install.
  • I strongly suggest you back up all of the important items on the system before we continue.

Please let me know you have read this and agree to it.


Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

------------------------------------------

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

Malware Removal Expert


Posted Image


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Posted Image Thanks MrC & crew

#5
rysktkr
Posted 26 June 2012 - 11:00 AM

    Regular Member

  • Honorary Members
  • PipPip
  • 95 posts
Actually, was now able to delete C:\Documents and Settings\All Users\Application Data\GiBbQUEPdGQQTat.exe. Whatever, infection I have it turned file view back to "Do not show hidden files and folders". I was able to switch it back and delete it. Unfortunately it looks like all file and folder attributes were changed to "hidden" on all my drives.

#6
MrCharlie
Posted 26 June 2012 - 11:03 AM

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 17,449 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA
That's what these infection do, if you run ComboFix it will correct it. MrC

Malware Removal Expert


Posted Image


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Posted Image Thanks MrC & crew

#7
rysktkr
Posted 26 June 2012 - 11:08 AM

    Regular Member

  • Honorary Members
  • PipPip
  • 95 posts
Just got your latest post yikes! If I opt to attempt cleanup rather than nuke and pave what are my chances this rootkit is removed? 70%, 50%, etc?

#8
MrCharlie
Posted 26 June 2012 - 12:25 PM

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 17,449 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA
I really can't be 100% sure but I think we can clean it up, MrC

Malware Removal Expert


Posted Image


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Posted Image Thanks MrC & crew

#9
rysktkr
Posted 26 June 2012 - 04:06 PM

    Regular Member

  • Honorary Members
  • PipPip
  • 95 posts
Well I ran combofix twice both times it hung the computer. It mentioned that I had ZeroAccess and that it was inserted into the TCP/IP stack. I am hoping that doesn't imply that it could of spread itself to other computers on my home network.

#10
MrCharlie
Posted 26 June 2012 - 04:33 PM

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 17,449 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Quote

Well I ran combofix twice both times it hung the computer. It mentioned that I had ZeroAccess and that it was inserted into the TCP/IP stack. I am hoping that doesn't imply that it could of spread itself to other computers on my home network.

As far as I'm concerned that's the worst version on ZA that you can have and sometimes is very difficult to remove.

I believe that it can spread to other computers on a network.

-------------------------------------

Reboot into safe mode and run ComboFix, please allow at least 3/4 to 1 hour for it to work.

Keep in mind the warnings I advised you about.

MrC

Malware Removal Expert


Posted Image


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Posted Image Thanks MrC & crew

#11
rysktkr
Posted 27 June 2012 - 09:23 AM

    Regular Member

  • Honorary Members
  • PipPip
  • 95 posts
No Luck :(. I tried combofix in safe mode several times and hung the computer. Even tried letting it run over night.

#12
MrCharlie
Posted 27 June 2012 - 11:33 AM

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 17,449 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA
Try it this way.....
Delete your copy of ComboFix. Grab a fresh copy and save it to your Desktop, but do not run it yet.

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

Click Start --> Run, and enter this command exactly as shown:

"%userprofile%\desktop\combofix.exe" /nombr

See if it will run successfully now. MrC

Malware Removal Expert


Posted Image


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Posted Image Thanks MrC & crew

#13
rysktkr
Posted 27 June 2012 - 01:50 PM

    Regular Member

  • Honorary Members
  • PipPip
  • 95 posts
That worked! :) Below is the log:

ComboFix 12-06-27.01 - Mark 06/27/2012 10:39:02.10.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2595 [GMT -7:00]
Running from: c:\documents and settings\Mark\desktop\ComboFix.exe
Command switches used :: /nombr
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\22500634ug8u87c8e64k6l3sf3v
c:\documents and settings\All Users\Application Data\kpI0dn6tFIoruY
c:\documents and settings\All Users\Application Data\l0gdw4nUSn3xA4
c:\documents and settings\All Users\Application Data\l0gdw4nUSn3xA4.exe
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\{324F76CC-D8DD-4D87-B77D-D4AF5E1AA7B3}\PostBuild.exe
c:\documents and settings\All Users\Application Data\TEMP\{324F76CC-D8DD-4D87-B77D-D4AF5E1AA7B3}\Setup.ilg
c:\documents and settings\All Users\Application Data\TEMP\{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}\PostBuild.exe
c:\documents and settings\All Users\Application Data\TEMP\{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}\Setup.exe
c:\documents and settings\All Users\Application Data\TEMP\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}\PostBuild.exe
c:\documents and settings\All Users\Application Data\TEMP\{E8C64028-08E5-4BF0-B1C0-DBAAC6A77DF1}\PostBuild.exe
c:\documents and settings\Mark\Application Data\Gomodu
c:\documents and settings\Mark\Application Data\Gomodu\ywnui.exe
c:\documents and settings\Mark\Application Data\Isar
c:\documents and settings\Mark\Application Data\Isar\pudy.exe
c:\documents and settings\Mark\Application Data\Soavw
c:\documents and settings\Mark\Application Data\Soavw\ockec.adl
c:\documents and settings\Mark\Desktop\Data_Recovery.lnk
c:\documents and settings\Mark\Local Settings\Application Data\ummcbzl.exe
c:\documents and settings\Mark\My Documents\~WRL1063.tmp
c:\documents and settings\Mark\My Documents\~WRL1136.tmp
c:\documents and settings\Mark\My Documents\~WRL1308.tmp
c:\documents and settings\Mark\My Documents\~WRL1422.tmp
c:\documents and settings\Mark\My Documents\~WRL2838.tmp
c:\documents and settings\Mark\My Documents\~WRL3027.tmp
c:\documents and settings\Mark\My Documents\~WRL3959.tmp
c:\documents and settings\Mark\My Documents\~WRL4047.tmp
C:\NPE.exe
c:\windows\system32\cttype.nls
c:\windows\system32\dllcache\dlimport.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-05-27 to 2012-06-27 )))))))))))))))))))))))))))))))
.
.
2012-06-27 15:40 . 2012-06-27 15:40 -------- d-----w- c:\documents and settings\Mark\Application Data\Ozbuir
2012-06-27 15:40 . 2012-06-27 15:40 -------- d-----w- C:\Reg_Backup
2012-06-27 15:40 . 2012-06-27 16:08 181064 ----a-w- c:\windows\PSEXESVC.EXE
2012-06-27 15:38 . 2012-06-27 15:49 -------- d-----w- c:\documents and settings\Mark\Application Data\Taubox
2012-06-27 15:38 . 2012-06-27 15:38 -------- d-----w- c:\documents and settings\Mark\Application Data\Arpy
2012-06-27 15:38 . 2012-06-27 15:42 -------- d-----w- C:\Tweaking.com_Windows_Repair_Logs
2012-06-26 17:40 . 2012-06-26 18:06 -------- d-----w- C:\fred
2012-06-26 15:51 . 2012-06-26 15:51 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-06-26 14:35 . 2012-06-26 14:35 -------- d-----w- c:\documents and settings\Administrator.MYPC\Local Settings\Application Data\Google
2012-06-26 14:21 . 2012-06-26 14:21 -------- d-----w- c:\program files\Trend Micro
2012-06-26 02:30 . 2012-06-26 02:30 -------- d-----w- c:\documents and settings\Administrator.MYPC\Application Data\Malwarebytes
2012-06-26 02:28 . 2012-06-26 02:28 388096 ----a-r- c:\documents and settings\Administrator.MYPC\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-06-26 02:23 . 2012-06-26 02:23 -------- d-sh--w- c:\documents and settings\Administrator.MYPC\IETldCache
2012-06-25 22:35 . 2012-06-25 22:43 -------- d-----w- c:\documents and settings\Administrator.MYPC\Local Settings\Application Data\NPE
2012-06-25 22:35 . 2012-06-25 22:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2012-06-25 15:04 . 2012-06-25 15:04 607260 ------r- C:\dds.scr
2012-06-07 18:14 . 2012-06-07 18:14 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-06-07 18:14 . 2012-06-07 18:14 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-06-05 04:49 . 2012-06-05 04:49 -------- d-----w- c:\documents and settings\Mark\Application Data\FreeArc
2012-06-05 04:46 . 2012-06-05 04:46 -------- d-----w- c:\windows\system32\3081
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-27 15:10 . 2012-05-05 16:36 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-27 15:10 . 2011-05-20 18:21 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-27 15:10 . 2012-05-05 17:10 9815752 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-06-02 22:19 . 2008-10-16 21:09 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 22:19 . 2009-04-12 00:25 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 22:19 . 2009-04-12 00:25 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 22:19 . 2009-04-12 00:25 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 22:19 . 2008-10-16 21:07 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 22:19 . 2009-04-12 00:25 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2009-04-12 00:25 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2008-10-16 21:09 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2008-10-16 21:07 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 22:19 . 2004-08-04 12:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 22:19 . 2008-10-16 21:07 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 22:19 . 2009-04-12 00:25 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2009-04-12 00:25 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-04-19 23:17 . 2012-04-19 23:17 40960 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{F6BA8EF2-A9F8-45B7-BD59-0A15DA9F7D68}\Omron_Health_Manag_F6BA8EF2A9F845B7BD590A15DA9F7D68_6.exe
2012-04-19 23:17 . 2012-04-19 23:17 40960 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{F6BA8EF2-A9F8-45B7-BD59-0A15DA9F7D68}\Omron_Health_Manag_F6BA8EF2A9F845B7BD590A15DA9F7D68_5.exe
2012-04-11 13:14 . 2004-08-04 12:00 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12 . 2004-08-04 12:00 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 12:35 . 2004-08-03 22:59 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-04 22:56 . 2011-07-28 14:38 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-07 18:14 . 2012-05-14 15:38 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-17 39408]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"DAEMON Tools Lite"="c:\util\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-06-17 2363392]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2012-03-09 5934712]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"V0230Mon.exe"="c:\windows\system32\V0230Mon.exe" [2006-07-19 36961]
"NBAgent"="c:\program files\Nero\Nero 10\Nero BackItUp\NBAgent.exe" [2010-02-23 1226024]
"AVFX Engine"="c:\program files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-06-09 24576]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-23 150528]
"RemoteControl10"="c:\program files\CyberLink\PowerDVD10\PDVD10Serv.exe" [2010-02-03 87336]
"BDRegion"="c:\program files\Cyberlink\Shared files\brs.exe" [2010-11-18 75048]
"Nero MediaHome 4"="c:\program files\Nero\Nero MediaHome 4\NeroMediaHome.exe" [2008-09-11 3622184]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-05-21 13895272]
"NvMediaCenter"="NvMCTray.dll" [2011-05-21 111208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector10\MUITransfer\MUIStartMenu.exe" [2010-09-17 222504]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2012-01-04 40376]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2012-01-03 640440]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-11-19 1966080]
.
c:\documents and settings\Mark\Start Menu\Programs\Startup\
Check for TWS Updates.lnk - c:\program files\Jts\WiseUpdt.exe [2011-9-7 194775]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2011-6-24 113664]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-7-29 607584]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2010-5-28 276328]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]
TotalMedia Server.lnk - c:\program files\ArcSoft\TotalMedia Theatre 5\TotalMedia Server\TM Server.exe [2011-8-17 519744]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ArcSoft\\TotalMedia Theatre 5\\TotalMedia Server\\TM Server.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"50000:UDP"= 50000:UDP:IHA_MessageCenter
.
R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
R0 stcvsm;stcvsm;c:\windows\system32\drivers\stcvsm.sys [4/11/2009 5:49 PM 113904]
R1 archlp;archlp;c:\windows\system32\drivers\archlp.sys [6/27/2009 9:53 AM 96512]
R1 ArcSec;archlp;c:\windows\system32\drivers\ArcSec.sys [9/21/2010 9:10 AM 192504]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 66632]
R1 sbmount;StorageCraft Image Mount Driver;c:\windows\system32\drivers\sbmount.sys [4/11/2009 5:49 PM 79616]
R2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2011/03/24 13:54];c:\program files\Cyberlink\PowerDVD10\NavFilter\000.fcl [11/17/2010 9:29 PM 87536]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/05/31 16:45];c:\program files\Cyberlink\PowerDVD9\000.fcl [3/30/2009 5:53 PM 87536]
R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [11/18/2010 3:58 PM 20328]
R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [5/24/2011 4:02 PM 335888]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/25/2011 5:53 PM 13672]
R2 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program files\Nero\Update\NASvc.exe [2/18/2010 3:01 PM 462632]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [12/22/2011 4:52 PM 2214504]
R2 RAInfo;RemotelyAnywhere Kernel Information Provider;c:\program files\RemotelyAnywhere\x86\rainfo.sys [4/17/2007 2:00 PM 12992]
R2 RARfsDriver;RemotelyAnywhere Remote File System Driver;c:\windows\system32\drivers\RARfsDriver.sys [4/4/2010 8:20 AM 46000]
R2 ShadowProtectSvc;ShadowProtect Service;c:\program files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe [4/11/2009 5:49 PM 1990656]
R2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [9/25/2009 2:16 PM 93960]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [2/1/2011 5:54 AM 206120]
R2 StorageCraft Image Manager;StorageCraft Image Manager;c:\program files\StorageCraft\ImageManager\ImageManager.exe [10/24/2007 3:26 PM 69632]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [2/1/2011 5:54 AM 185640]
R2 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows\system32\drivers\thdudf.sys [5/29/2009 10:02 AM 66944]
R2 VSNAPVSS;StorageCraft Shadow Copy Provider;c:\windows\system32\vsnapvss.exe [4/11/2009 5:49 PM 61952]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/7/2012 7:20 PM 106656]
R3 ramirr;ramirr;c:\windows\system32\drivers\ramirr.sys [4/17/2007 2:00 PM 10168]
R3 V0230Vfx;V0230Vfx;c:\windows\system32\drivers\V0230Vfx.sys [6/25/2010 12:43 AM 6272]
R3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\drivers\V0230VID.sys [6/25/2010 12:43 AM 500480]
S2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};\??\c:\program files\PowerDVD8\PowerDVD8\000.fcl --> c:\program files\PowerDVD8\PowerDVD8\000.fcl [?]
S2 gupdate1ca0bc6b51516ae;Google Update Service (gupdate1ca0bc6b51516ae);c:\program files\Google\Update\GoogleUpdate.exe [7/23/2009 11:52 AM 133104]
S2 StorageCraft Image Manager32;StorageCraft Image Manager ;c:\windows\system32\ntsdexts32.exe --> c:\windows\system32\ntsdexts32.exe [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [5/5/2012 9:36 AM 250056]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\ambfilt.sys [8/11/2009 8:45 AM 1684736]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [7/7/2011 9:11 AM 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [7/7/2011 9:11 AM 8456]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/23/2009 11:52 AM 133104]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/26/2012 8:51 AM 40776]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/14/2012 8:38 AM 113120]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [5/26/2009 9:59 PM 47360]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]
S4 RARfsClientNP;RARfsClientNP; [x]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-06-17 19:11 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 12:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-05 15:10]
.
2012-06-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 19:34]
.
2012-06-26 c:\windows\Tasks\At1.job
- c:\windows\system32\rasphonne.exe [2004-08-04 00:12]
.
2012-06-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-23 18:52]
.
2012-06-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-23 18:52]
.
2012-06-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-1303643608-839522115-1003Core.job
- c:\documents and settings\Mark\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-29 18:37]
.
2012-06-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-1303643608-839522115-1003UA.job
- c:\documents and settings\Mark\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-29 18:37]
.
2012-06-27 c:\windows\Tasks\User_Feed_Synchronization-{A7972C66-43AF-4964-A40E-32D2946479FE}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 12:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
IE: Append to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.1.1
DPF: {3528A58B-595D-4AFD-A5F6-B914BD306DC3} - hxxp://dishconnectivity.sling.com/dpit/downloads/pc/SlingHealth.cab
FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\p5oo56mt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q=
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Codexii - c:\documents and settings\Mark\Application Data\Gomodu\ywnui.exe
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\Mark\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-27 11:27
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
c:\windows\system32\wuauclt.exe [3576] 0x8722E020
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD10\NavFilter\000.fcl"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD9\000.fcl"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\PowerDVD8\PowerDVD8\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1960408961-1303643608-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(820)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\RARfsClientNP.dll
.
- - - - - - - > 'lsass.exe'(876)
c:\windows\system32\RARfsClientNP.dll
.
Completion time: 2012-06-27 11:44:40
ComboFix-quarantined-files.txt 2012-06-27 18:44
ComboFix2.txt 2011-12-20 00:00
.
Pre-Run: 223,872,761,856 bytes free
Post-Run: 238,820,614,144 bytes free
.
- - End Of File - - 481BF3507BE7909831EB576D9B18FEAC

#14
MrCharlie
Posted 27 June 2012 - 01:59 PM

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 17,449 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA
Enable Hidden files:

http://www.howtogeek...-folders-in-xp/

I believe these are all malware related, take a look and if you don't recognize them or they're empty...please delete them:
c:\documents and settings\Mark\Application Data\Ozbuir
c:\documents and settings\Mark\Application Data\Taubox
c:\documents and settings\Mark\Application Data\Arpy

-------------------------------------------

See if you can run ComboFix in regular mode now.

MrC

Malware Removal Expert


Posted Image


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Posted Image Thanks MrC & crew

#15
rysktkr
Posted 28 June 2012 - 01:07 AM

    Regular Member

  • Honorary Members
  • PipPip
  • 95 posts
Unfortunately, running combofix in normal mode it hung the computer. Before it hung, a dialog box appeared saying I was infected with zeroaccess infection.

#16
rysktkr
Posted 28 June 2012 - 01:34 AM

    Regular Member

  • Honorary Members
  • PipPip
  • 95 posts
Also, how do i prevent this from spreading to other PCs on my home network. Daughter's laptop and HTPC I have found infections with similiar symptoms. They both accessed shared drive on zeroaccess infected computer (the one we are working on this thread). My wifes computer is clean, at least as far as MWB and eset scans. She hasn't accessed infected computer. I'm guessing the answer is to turn off sharing until all computers are clean?

#17
MrCharlie
Posted 28 June 2012 - 05:56 AM

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 17,449 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Quote

Also, how do i prevent this from spreading to other PCs on my home network. Daughter's laptop and HTPC I have found infections with similiar symptoms. They both accessed shared drive on zeroaccess infected computer (the one we are working on this thread). My wifes computer is clean, at least as far as MWB and eset scans. She hasn't accessed infected computer. I'm guessing the answer is to turn off sharing until all computers are clean?


Yes and don't use any pen drives from computer to computer.

------------------------------

Did you run ComboFix like this as we did before: (in normal mode)


"%userprofile%\desktop\combofix.exe" /nombr

MrC

Malware Removal Expert


Posted Image


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Posted Image Thanks MrC & crew

#18
rysktkr
Posted 28 June 2012 - 11:48 AM

    Regular Member

  • Honorary Members
  • PipPip
  • 95 posts
Prior to your last post reran in normal mode just as normal combofix. After reading your last post reran "%userprofile%\desktop\combofix.exe" /nombr in normal mode and was successful. Here is the log:


ComboFix 12-06-27.01 - Mark 06/28/2012 8:40.11.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2506 [GMT -7:00]
Running from: c:\documents and settings\Mark\desktop\ComboFix.exe
Command switches used :: /nombr
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((( Files Created from 2012-05-28 to 2012-06-28 )))))))))))))))))))))))))))))))
.
.
2012-06-27 15:40 . 2012-06-27 15:40 -------- d-----w- C:\Reg_Backup
2012-06-27 15:40 . 2012-06-27 16:08 181064 ----a-w- c:\windows\PSEXESVC.EXE
2012-06-27 15:38 . 2012-06-27 15:42 -------- d-----w- C:\Tweaking.com_Windows_Repair_Logs
2012-06-26 17:40 . 2012-06-26 18:06 -------- d-----w- C:\fred
2012-06-26 15:51 . 2012-06-26 15:51 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-06-26 14:35 . 2012-06-26 14:35 -------- d-----w- c:\documents and settings\Administrator.MYPC\Local Settings\Application Data\Google
2012-06-26 14:21 . 2012-06-26 14:21 -------- d-----w- c:\program files\Trend Micro
2012-06-26 02:30 . 2012-06-26 02:30 -------- d-----w- c:\documents and settings\Administrator.MYPC\Application Data\Malwarebytes
2012-06-26 02:28 . 2012-06-26 02:28 388096 ----a-r- c:\documents and settings\Administrator.MYPC\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-06-26 02:23 . 2012-06-26 02:23 -------- d-sh--w- c:\documents and settings\Administrator.MYPC\IETldCache
2012-06-25 22:35 . 2012-06-25 22:43 -------- d-----w- c:\documents and settings\Administrator.MYPC\Local Settings\Application Data\NPE
2012-06-25 22:35 . 2012-06-25 22:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2012-06-25 15:04 . 2012-06-25 15:04 607260 ------r- C:\dds.scr
2012-06-07 18:14 . 2012-06-07 18:14 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-06-07 18:14 . 2012-06-07 18:14 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-06-05 04:49 . 2012-06-05 04:49 -------- d-----w- c:\documents and settings\Mark\Application Data\FreeArc
2012-06-05 04:46 . 2012-06-05 04:46 -------- d-----w- c:\windows\system32\3081
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-27 15:10 . 2012-05-05 16:36 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-27 15:10 . 2011-05-20 18:21 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-27 15:10 . 2012-05-05 17:10 9815752 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-06-02 22:19 . 2008-10-16 21:09 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 22:19 . 2009-04-12 00:25 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 22:19 . 2009-04-12 00:25 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 22:19 . 2009-04-12 00:25 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 22:19 . 2008-10-16 21:07 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 22:19 . 2009-04-12 00:25 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2009-04-12 00:25 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2008-10-16 21:09 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2008-10-16 21:07 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 22:19 . 2004-08-04 12:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 22:19 . 2008-10-16 21:07 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 22:19 . 2009-04-12 00:25 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2009-04-12 00:25 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-04-19 23:17 . 2012-04-19 23:17 40960 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{F6BA8EF2-A9F8-45B7-BD59-0A15DA9F7D68}\Omron_Health_Manag_F6BA8EF2A9F845B7BD590A15DA9F7D68_6.exe
2012-04-19 23:17 . 2012-04-19 23:17 40960 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{F6BA8EF2-A9F8-45B7-BD59-0A15DA9F7D68}\Omron_Health_Manag_F6BA8EF2A9F845B7BD590A15DA9F7D68_5.exe
2012-04-11 13:14 . 2004-08-04 12:00 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12 . 2004-08-04 12:00 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 12:35 . 2004-08-03 22:59 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-04 22:56 . 2011-07-28 14:38 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-07 18:14 . 2012-05-14 15:38 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-06-27_18.29.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-06-28 15:37 . 2012-06-28 15:37 16384 c:\windows\temp\Perflib_Perfdata_d90.dat
+ 2012-06-27 22:28 . 2012-06-27 22:28 16384 c:\windows\temp\Perflib_Perfdata_830.dat
+ 2010-04-24 20:50 . 2012-06-28 16:20 224883 c:\windows\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-17 39408]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"DAEMON Tools Lite"="c:\util\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-06-17 2363392]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2012-03-09 5934712]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"V0230Mon.exe"="c:\windows\system32\V0230Mon.exe" [2006-07-19 36961]
"NBAgent"="c:\program files\Nero\Nero 10\Nero BackItUp\NBAgent.exe" [2010-02-23 1226024]
"AVFX Engine"="c:\program files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-06-09 24576]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-23 150528]
"RemoteControl10"="c:\program files\CyberLink\PowerDVD10\PDVD10Serv.exe" [2010-02-03 87336]
"BDRegion"="c:\program files\Cyberlink\Shared files\brs.exe" [2010-11-18 75048]
"Nero MediaHome 4"="c:\program files\Nero\Nero MediaHome 4\NeroMediaHome.exe" [2008-09-11 3622184]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-05-21 13895272]
"NvMediaCenter"="NvMCTray.dll" [2011-05-21 111208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector10\MUITransfer\MUIStartMenu.exe" [2010-09-17 222504]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2012-01-04 40376]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2012-01-03 640440]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-11-19 1966080]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-27 434528]
.
c:\documents and settings\Mark\Start Menu\Programs\Startup\
Check for TWS Updates.lnk - c:\program files\Jts\WiseUpdt.exe [2011-9-7 194775]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2011-6-24 113664]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-7-29 607584]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2010-5-28 276328]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]
TotalMedia Server.lnk - c:\program files\ArcSoft\TotalMedia Theatre 5\TotalMedia Server\TM Server.exe [2011-8-17 519744]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLinkedConnections"= 1 (0x1)
"DisableRegedit"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ArcSoft\\TotalMedia Theatre 5\\TotalMedia Server\\TM Server.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"50000:UDP"= 50000:UDP:IHA_MessageCenter
.
R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
R0 stcvsm;stcvsm;c:\windows\system32\drivers\stcvsm.sys [4/11/2009 5:49 PM 113904]
R1 archlp;archlp;c:\windows\system32\drivers\archlp.sys [6/27/2009 9:53 AM 96512]
R1 ArcSec;archlp;c:\windows\system32\drivers\ArcSec.sys [9/21/2010 9:10 AM 192504]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 66632]
R1 sbmount;StorageCraft Image Mount Driver;c:\windows\system32\drivers\sbmount.sys [4/11/2009 5:49 PM 79616]
R2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2011/03/24 13:54];c:\program files\Cyberlink\PowerDVD10\NavFilter\000.fcl [11/17/2010 9:29 PM 87536]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/05/31 16:45];c:\program files\Cyberlink\PowerDVD9\000.fcl [3/30/2009 5:53 PM 87536]
R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [11/18/2010 3:58 PM 20328]
R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [5/24/2011 4:02 PM 335888]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/25/2011 5:53 PM 13672]
R2 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program files\Nero\Update\NASvc.exe [2/18/2010 3:01 PM 462632]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [12/22/2011 4:52 PM 2214504]
R2 RAInfo;RemotelyAnywhere Kernel Information Provider;c:\program files\RemotelyAnywhere\x86\rainfo.sys [4/17/2007 2:00 PM 12992]
R2 RARfsDriver;RemotelyAnywhere Remote File System Driver;c:\windows\system32\drivers\RARfsDriver.sys [4/4/2010 8:20 AM 46000]
R2 ShadowProtectSvc;ShadowProtect Service;c:\program files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe [4/11/2009 5:49 PM 1990656]
R2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [9/25/2009 2:16 PM 93960]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [2/1/2011 5:54 AM 206120]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [2/1/2011 5:54 AM 185640]
R2 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows\system32\drivers\thdudf.sys [5/29/2009 10:02 AM 66944]
R2 VSNAPVSS;StorageCraft Shadow Copy Provider;c:\windows\system32\vsnapvss.exe [4/11/2009 5:49 PM 61952]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/7/2012 7:20 PM 106656]
R3 ramirr;ramirr;c:\windows\system32\drivers\ramirr.sys [4/17/2007 2:00 PM 10168]
R3 V0230Vfx;V0230Vfx;c:\windows\system32\drivers\V0230Vfx.sys [6/25/2010 12:43 AM 6272]
R3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\drivers\V0230VID.sys [6/25/2010 12:43 AM 500480]
S2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};\??\c:\program files\PowerDVD8\PowerDVD8\000.fcl --> c:\program files\PowerDVD8\PowerDVD8\000.fcl [?]
S2 gupdate1ca0bc6b51516ae;Google Update Service (gupdate1ca0bc6b51516ae);c:\program files\Google\Update\GoogleUpdate.exe [7/23/2009 11:52 AM 133104]
S2 StorageCraft Image Manager;StorageCraft Image Manager;c:\program files\StorageCraft\ImageManager\ImageManager.exe [10/24/2007 3:26 PM 69632]
S2 StorageCraft Image Manager32;StorageCraft Image Manager ;c:\windows\system32\ntsdexts32.exe --> c:\windows\system32\ntsdexts32.exe [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [5/5/2012 9:36 AM 250056]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\ambfilt.sys [8/11/2009 8:45 AM 1684736]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [7/7/2011 9:11 AM 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [7/7/2011 9:11 AM 8456]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/23/2009 11:52 AM 133104]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/26/2012 8:51 AM 40776]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/14/2012 8:38 AM 113120]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [5/26/2009 9:59 PM 47360]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]
S4 RARfsClientNP;RARfsClientNP; [x]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-06-17 19:11 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 12:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-05 15:10]
.
2012-06-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 19:34]
.
2012-06-26 c:\windows\Tasks\At1.job
- c:\windows\system32\rasphonne.exe [2004-08-04 00:12]
.
2012-06-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-23 18:52]
.
2012-06-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-23 18:52]
.
2012-06-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-1303643608-839522115-1003Core.job
- c:\documents and settings\Mark\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-29 18:37]
.
2012-06-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-1303643608-839522115-1003UA.job
- c:\documents and settings\Mark\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-29 18:37]
.
2012-06-28 c:\windows\Tasks\User_Feed_Synchronization-{A7972C66-43AF-4964-A40E-32D2946479FE}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 12:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
IE: Append to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.1.1
DPF: {3528A58B-595D-4AFD-A5F6-B914BD306DC3} - hxxp://dishconnectivity.sling.com/dpit/downloads/pc/SlingHealth.cab
FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\p5oo56mt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q=
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-28 09:23
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD10\NavFilter\000.fcl"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD9\000.fcl"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\PowerDVD8\PowerDVD8\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1960408961-1303643608-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(812)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\RARfsClientNP.dll
.
- - - - - - - > 'lsass.exe'(872)
c:\windows\system32\RARfsClientNP.dll
.
Completion time: 2012-06-28 09:40:46
ComboFix-quarantined-files.txt 2012-06-28 16:40
ComboFix2.txt 2012-06-27 18:44
ComboFix3.txt 2011-12-20 00:00
.
Pre-Run: 238,797,205,504 bytes free
Post-Run: 238,864,044,032 bytes free
.
- - End Of File - - B73B548618553C9A44CE5C964FD630CF

#19
MrCharlie
Posted 28 June 2012 - 12:18 PM

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 17,449 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA
Did you get the warning about ZeroAccess when you ran ComboFix? MrC

Malware Removal Expert


Posted Image


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Posted Image Thanks MrC & crew

#20
rysktkr
Posted 28 June 2012 - 12:27 PM

    Regular Member

  • Honorary Members
  • PipPip
  • 95 posts
Yes. It had to reboot as well.
Back to Resolved HijackThis Logs · Next Unread Topic →


1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users

  1. Malwarebytes Forum
  2. Computer Help
  3. Malware Removal - HijackThis Logs
  4. Resolved HijackThis Logs

Products

About

Partners

Follow Us