Malware/Adware Issue:



Hello Kevin,

I already have selected single click but it no longer functions as previously.

[screenshot]

I found the 3 buttons so would you like me to re-run RKill?

This is my desktop with no Quick Launch toolbar:

[screenshot]

Selecting Quick Launch:

[screenshot]

Desktop with Quick Launch toolbar:

[screenshot]

Yes, I tried to run Malwarebytes afterward and posted it:


I tried installing Malwarebytes again; it failed and gave me this:

Setup

CoCreateInstance failed; code 0x80040154

Class not registered.

 then after I clicked finish and attempted to close it

vbAccelerator SGrid II Control

Run-time error '0'

 then Malwarebytes Anti-Malware

Run-time error '440' Automation error

Robert


Hello Robert,

It would appear your system is still infected, please do the following:

Read the following link before we continue and run Combofix:

ComboFix usage, Questions, Help? - Look here

Next,

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from either of the following links :-

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

http://www.infospyware.net/antimalware/combofix/

  • Ensure that Combofix is saved directly to the Desktop <--- Very important
  • Disable all security programs as they will have a negative effect on Combofix, instructions available here http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed, if you need more help please ask.
  • Close any open browsers and any other programs you might have running
  • Double click the ComboFix icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
  • Instructions for running Combofix available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.
  • If you are using Windows XP it might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

****Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read here http://thespykiller.co.uk/index.php?page=20 why disabling autoruns is recommended.

*EXTRA NOTES*

  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

Post the log in next reply please...

Kevin


Hello Kevin,

I had read through the ComboFix usage as you instructed and I would never run it on my own. However, I saw under that of making sure that ComboFix is saved to my desktop. I've run ComboFix a few times (not on my own) and each time it doesn't save it to the desktop and I don't quite know how to do this?

The purpose of saving it to the desktop is so that later I can delete it when finished, correct?

So before proceeding further could you please tell me how I can save it to my desktop?

Robert


I assume that you are using Firefox for downloads, open Firefox, select Tools from the menu bar, then select Options. In the new window select the General tab.

I've attached an image with the steps required to change the "download to" option to the Desktop...

Let me know if that works for you.

[attached screenshot]


Hello Kevin,

 

Here's the log:

 

ComboFix 14-03-24.01 - Lt. Commander 03/25/2014   6:35.3.1 - x86
Running from: c:\documents and settings\Lt. Commander\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
.
.
(((((((((((((((((((((((((   Files Created from 2014-02-25 to 2014-03-25  )))))))))))))))))))))))))))))))
.
.
2014-03-18 09:09 . 2014-02-26 01:59    13312    -c----w-    c:\windows\system32\dllcache\xp_eos.exe
2014-03-18 09:09 . 2014-02-26 01:59    13312    ------w-    c:\windows\system32\xp_eos.exe
2014-03-16 09:08 . 2014-03-16 09:13    --------    d-----w-    c:\documents and settings\Lt. Commander\Doctor Web
2014-03-12 11:31 . 2014-03-12 11:31    5777288    ----a-w-    c:\windows\system32\FlashPlayerInstaller.exe
2014-03-10 01:00 . 2014-03-10 01:01    --------    d-----w-    C:\FRST
2014-03-05 11:47 . 2014-03-05 11:47    --------    d-----w-    c:\program files\HitmanPro
2014-03-05 11:45 . 2014-03-05 11:50    --------    d-----w-    c:\documents and settings\All Users\Application Data\HitmanPro
2014-03-05 04:10 . 2008-04-14 00:12    26624    ----a-w-    c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-03-18 09:23 . 2014-02-03 17:50    40776    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2014-03-12 11:31 . 2013-12-07 11:46    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-03-12 11:31 . 2013-12-07 11:46    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-02-24 11:46 . 2001-08-18 12:00    920064    ----a-w-    c:\windows\system32\wininet.dll
2014-02-24 11:45 . 2001-08-18 12:00    43520    ------w-    c:\windows\system32\licmgr10.dll
2014-02-24 11:45 . 2001-08-18 12:00    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2014-02-24 11:45 . 2001-08-18 12:00    18944    ------w-    c:\windows\system32\corpol.dll
2014-02-24 10:54 . 2013-12-07 04:26    385024    ------w-    c:\windows\system32\html.iec
2014-02-07 02:01 . 2001-08-18 12:00    1879040    ----a-w-    c:\windows\system32\win32k.sys
2014-02-05 08:55 . 2001-08-18 12:00    562688    ----a-w-    c:\windows\system32\qedit.dll
2014-01-04 03:13 . 2001-08-18 12:00    420864    ----a-w-    c:\windows\system32\vbscript.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-12-07 04:47    321752    ----a-w-    c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-07-28 49152]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NUSB3MON"="c:\program files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2011-04-15 113288]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2013-12-07 3568312]
"nwiz"="nwiz.exe" [2003-07-28 323584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"TraySantaCruz"="c:\windows\system32\tbctray.exe" [2001-08-29 307200]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"20131224"="c:\program files\AVAST Software\Avast\setup\emupdate\3ed12633-d643-46b0-b3be-6a1a2db85eb0.exe" [2014-03-25 181136]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2013-03-01 161384]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2014-03-18 40776]
R3 PSMounter;Macrium Reflect Image Explorer Service;c:\windows\system32\drivers\psmounter.sys [2012-08-21 53952]
S0 aswRvrt;avast! Revert; [x]
S0 aswVmm;avast! VM Monitor; [x]
S0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\DRIVERS\pssnap.sys [2012-08-21 16064]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2013-12-07 774392]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2013-12-07 403440]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2013-12-07 35656]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-12-07 70384]
S2 ReflectService.exe;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [2012-08-21 224960]
S3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2001-08-29 142336]
S3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2001-08-29 524288]
.
.
Contents of the 'Scheduled Tasks' folder
.
2014-03-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-12-07 11:31]
.
2014-03-25 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2013-12-07 04:47]
.
2014-03-25 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Logon.job
- c:\windows\system32\xp_eos.exe [2014-03-18 01:59]
.
2014-03-21 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
- c:\windows\system32\xp_eos.exe [2014-03-18 01:59]
.
.
------- Supplementary Scan -------
.

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 4.2.2.2

.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-03-25 06:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1409082233-884357618-1801674531-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_12_0_0_77_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_12_0_0_77_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"v5Licence0"="15-UREQ-A55H-B76Z-N4K9-5Y91-PQMGW8D"
"Activated"="Y"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1348)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
.
Completion time: 2014-03-25  06:46:14
ComboFix-quarantined-files.txt  2014-03-25 13:46
ComboFix2.txt  2014-03-14 09:35
ComboFix3.txt  2014-03-12 11:29
.
Pre-Run: 116,304,736,256 bytes free
Post-Run: 116,283,166,720 bytes free
.
- - End Of File - - 3C2D77A2C94CF17BD6B8B57B5D6D3CCD
A36C5E4F47E84449FF07ED3517B43A31
 

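As an added example, not code from this thread or from ComboFix, here is a small Python triage helper for the line shapes seen in the "Reg Loading Points" part of the log above: Run/RunOnce autostart values, R*/S* service lines and the standard-profile EnableFirewall value, listing the points a helper would review first. The embedded sample log is constructed in that layout; the regexes and the reading of a trailing `[x]` as "no image path listed" are my assumptions about the format.

```python
import re
# Constructed sample in the line shapes of the ComboFix "Reg Loading Points" section
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2013-12-07 3568312]
"nwiz"="nwiz.exe" [2003-07-28 323584]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2013-03-01 161384]
S0 aswRvrt;avast! Revert; [x]
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")                                   # [HKEY_...] header
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s+\[(\S+)\s+(\d+)\]$')      # "name"="path" [date size]
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[(.+?)\]$")  # R2 name;display;path [..]

def parse_run_entries(text):
    """(registry key, value name, image path) for values under a Run/RunOnce key."""
    entries, key = [], None
    for line in text.splitlines():
        if (m := SECTION_RE.match(line)):
            key = m.group(1)
        elif (m := VALUE_RE.match(line)) and key and \
                key.lower().rsplit("\\", 1)[-1] in ("run", "runonce"):
            entries.append((key, m.group(1), m.group(2)))
    return entries

def parse_services(text):
    """(start type, name, image path, path listed?) per R*/S* line; [x] read as 'no path listed' (assumption)."""
    out = []
    for line in text.splitlines():
        if (m := SERVICE_RE.match(line)):
            out.append((m.group(1), m.group(2), m.group(4), m.group(5) != "x"))
    return out

def firewall_enabled(text):
    """True/False from the standard-profile EnableFirewall value, None if absent."""
    m = re.search(r'^"EnableFirewall"=\s*(\d+)', text, re.M)
    return None if m is None else m.group(1) != "0"

def triage(text):
    """Review points a helper would check first; a hit is a question, not a verdict."""
    findings = []
    for _key, name, path in parse_run_entries(text):
        if "\\" not in path:  # bare file name: which copy runs depends on the search path
            findings.append(f"autostart {name!r} uses an unqualified path: {path}")
    for start, name, _path, listed in parse_services(text):
        if not listed:
            findings.append(f"service {name} ({start}) has no image path listed")
    if firewall_enabled(text) is False:
        findings.append("Windows Firewall standard profile is disabled (EnableFirewall=0)")
    return findings
```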

That log is clean, nothing to indicate malware or infection...

Run the following, then try Malwarebytes one more time after a re-boot...

Download Portable Windows Repair (all in one) from one of the following:

http://www.tweaking.com/content/page/windows_repair_all_in_one.html
http://www.majorgeeks.com/Tweaking.com_-_Windows_Repair_Portable_d7222.html
http://www.bleepingcomputer.com/download/windows-repair-all-in-one-portable/

Unzip the contents into a newly created folder on your desktop.

Open the folder, run the tool by right-clicking on Repair_Windows (icon with red briefcase) and select "Run as Administrator"

[screenshot]

From the main GUI do the following:

Select Tab 4 and Create System Restore Point

[screenshot]

Select Repairs tab => Click the Start

[screenshot]

The repairs window will open, check the boxes as indicated, also the "Restart" options, then select Start...

[screenshot]

DON'T use the computer while each scan is in progress.

Post the log, to access select "settings" tab > "open log folder" tab, log will be named _Windows_Repair_Log


Hello Kevin,

I tried downloading Portable Windows Repair from BleepingComputer and it gave me this:

[screenshot]

[screenshot]

[screenshot]

I then tried Major Geeks but it was too confusing so I tried Tweaking but it downloaded Reimage Repair and installed the AVG toolbar. I didn't think this was right and aborted the installation.

Robert


Hello Kevin,

 

I was able to get as far as the recovery screen when it prompted me with this:

Which Windows installation would you like to log onto? (It only allows for one space).

(To cancel, press Enter)?

I entered 1 and pressed Enter but nothing happened so I backed out. So what do I put?

 

Thanks,

Robert


We appear to be chasing our tails with this Robert, as you have the original installation disks maybe the best way forward is to re-install the OS from scratch. Obviously any important data should be backed up first...

 

Full instructions here: http://windows.microsoft.com/en-GB/windows-xp/help/setup/install-windows-xp

 

Kevin.....


Hello Kevin,

 

I'm not a technical person, but doesn't re-installing the OS mean that I have to start from scratch, meaning prior to SP1? I had to install over 300 downloads just to get it to this point and I don't relish doing that all over again. Also I'm not sure if I could get back to this point via SP1.

 

Robert


Hiya Robert,

 

Yes it would mean installing the required Service Packs when the OS install was complete. In your case, if the installation CD has no Service Packs pre-installed you would need to install SP1a and SP3 when the installation is done..

Check your installation CD; it would be printed on it if any SP was preinstalled.

 

You can download and save the required Service packs from here: http://windows.microsoft.com/en-GB/windows/service-packs-download#sptabs=xp

 

Download and save to a CD or USB stick Service Packs SP1a and SP3.

 

Use your XP installation CD and do a clean install of XP. When complete install each of the service packs, SP1a and SP3....


Hello Kevin,

 

I tried installing SP1a via USB stick but it needs an Internet connection to proceed.

I want to thank you for all your time and effort in helping resolve this issue. I still have a long way to go though.

I would like to contribute but I'm disabled and live on a very marginal fixed income.

 

Robert


This topic is now closed to further replies.