Jump to content


Photo
- - - - -

Another system32/services.exe infection


  • This topic is locked This topic is locked
12 replies to this topic

#1 craigsiegel

craigsiegel

    New Member

  • Members
  • Pip
  • 7 posts

Posted 08 August 2012 - 12:46 PM

Help. I have picked up the system32/services.exe trojan and now my windows Vista won't stay up for more than a couple of minutes. It crashes and goes into an automatic restart. My original problem was that I picked up the live security platinum trojan. I ran fixexec and malwarebytes to get rid of it. But then microsoft security essentials wouldn't run. I reinstalled it and that is when I started getting the windows crashes. I ran kaspersky rescue disk 10 which picked up the trojan but can't clean it.

I have not run hijackthis but I ran farbar and got what looks to be the log you really need, so I am including it here. It flags the system32\services.exe file in the MD5 check. I am also including the results of the search in farbar for services.exe. The results files are attached.

Help -- I have been at this almost constantly for two days.
-------------------------------------------

Attached Files



#2 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 28,137 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 08 August 2012 - 12:52 PM

OK, here you go......Please carefully carry out this procedure!!!!!!

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (which ever one you're using) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

MrC

Malware Removal Expert


Posted Image


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Posted Image Thanks MrC & crew

#3 craigsiegel

craigsiegel

    New Member

  • Members
  • Pip
  • 7 posts

Posted 08 August 2012 - 02:20 PM

Thank you, thank you, thank you.

Here is the log.

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 05-08-2012 01
Ran by SYSTEM at 2012-08-08 12:18:17 Run:1
Running from F:\MalwareFix

==============================================

C:\Windows\Installer\{bce63da1-5ed8-b0ec-38c5-863b6df10fa5} moved successfully.
C:\Users\Craig and Susan\AppData\Local\{bce63da1-5ed8-b0ec-38c5-863b6df10fa5} moved successfully.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\ERDNT\cache\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====

Now what?

#4 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 28,137 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 08 August 2012 - 02:23 PM

Well Done, lets run ComboFix to clear up any leftovers.

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

Malware Removal Expert


Posted Image


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Posted Image Thanks MrC & crew

#5 craigsiegel

craigsiegel

    New Member

  • Members
  • Pip
  • 7 posts

Posted 08 August 2012 - 02:24 PM

Question: Can I now start the PC in regular windows without fear of it crashing again after a few minutes?

#6 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 28,137 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 08 August 2012 - 02:28 PM

Yes, give it a try, MrC

Malware Removal Expert


Posted Image


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Posted Image Thanks MrC & crew

#7 craigsiegel

craigsiegel

    New Member

  • Members
  • Pip
  • 7 posts

Posted 08 August 2012 - 03:12 PM

So far so good. PC is still up and running. But I was so excited to finally be making progress that I forgot to disable MSE before I started combofix. I got it turned off as combofix was installing and before combo fix started running. I think that is OK.

Combofix ran and generated its log, but I got the "illegal operation" message when I tried to copy it. I am restarting now to see if I can grab it.

#8 craigsiegel

craigsiegel

    New Member

  • Members
  • Pip
  • 7 posts

Posted 08 August 2012 - 03:19 PM

Reboot appears to have taken care of that problem. Here is the combofix log.

ComboFix 12-08-08.01 - Craig and Susan 08/08/2012 12:42:24.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.1822 [GMT -7:00]
Running from: c:\users\Craig and Susan\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\users\Craig and Susan\AppData\Roaming\agrer.dll
c:\users\Craig and Susan\AppData\Roaming\vrdms.dll
c:\users\Craig and Susan\Documents\~WRL0005.tmp
c:\users\Craig and Susan\Documents\~WRL0144.tmp
c:\users\Craig and Susan\Documents\~WRL0162.tmp
c:\users\Craig and Susan\Documents\~WRL0307.tmp
c:\users\Craig and Susan\Documents\~WRL1058.tmp
c:\users\Craig and Susan\Documents\~WRL1159.tmp
c:\users\Craig and Susan\Documents\~WRL1446.tmp
c:\users\Craig and Susan\Documents\~WRL1654.tmp
c:\users\Craig and Susan\Documents\~WRL1896.tmp
c:\users\Craig and Susan\Documents\~WRL3248.tmp
c:\users\Craig and Susan\Documents\~WRL3531.tmp
c:\users\Craig and Susan\Documents\~WRL3639.tmp
c:\users\Craig and Susan\Documents\~WRL3766.tmp
c:\users\Craig and Susan\g2mdlhlpx.exe
c:\users\Craig and Susan\Once upon a time there were two caterpillars .doc
.
.
((((((((((((((((((((((((( Files Created from 2012-07-08 to 2012-08-08 )))))))))))))))))))))))))))))))
.
.
2012-08-08 19:54 . 2012-08-08 19:54 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2CA333C5-A7DA-4692-A634-AB2A6D7726F0}\offreg.dll
2012-08-08 19:53 . 2012-08-08 19:53 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-08-08 19:53 . 2012-08-08 19:53 -------- d-----w- c:\users\LogMeInRemoteUser\AppData\Local\temp
2012-08-08 19:53 . 2012-08-08 19:53 -------- d-----w- c:\users\LogMeInRemoteUser.CraigSusan-PC\AppData\Local\temp
2012-08-08 19:53 . 2012-08-08 19:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-07 22:43 . 2012-08-07 22:43 -------- d-----w- C:\FRST
2012-08-07 20:21 . 2012-02-09 21:17 713784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{937272F2-4CA6-4830-8EB6-0E864380F4EA}\gapaengine.dll
2012-08-07 20:18 . 2012-07-16 09:41 6891424 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2CA333C5-A7DA-4692-A634-AB2A6D7726F0}\mpengine.dll
2012-08-07 19:50 . 2012-08-07 19:50 -------- d-----w- c:\program files\Microsoft Security Client
2012-08-07 17:43 . 2012-08-07 17:40 883616 ----a-w- C:\FixExec.exe
2012-08-07 16:51 . 2012-08-07 17:04 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2012-08-07 16:41 . 2012-08-07 16:41 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-08-07 16:36 . 2012-08-07 16:38 -------- d-----w- c:\programdata\036E19320357F9631A6804E82F3B707C
2012-08-07 16:36 . 2012-08-07 16:36 -------- d-----w- c:\windows\scoped_dir_9056_23239
2012-08-07 16:36 . 2012-08-07 16:36 -------- d-----w- c:\windows\scoped_dir_9056_12794
2012-08-07 16:36 . 2012-08-07 16:36 -------- d-----w- c:\users\Craig and Susan\AppData\Local\{E94AF4AB-E0AD-11E1-8270-B8AC6F996F26}
2012-08-07 16:36 . 2012-08-07 16:36 -------- d-----w- c:\users\Craig and Susan\AppData\Local\{E94AB980-E0AD-11E1-8270-B8AC6F996F26}
2012-08-07 16:35 . 2012-08-07 16:35 57344 ---ha-w- c:\windows\system32\mobsEXEC.dll
2012-07-17 00:26 . 2012-07-17 00:26 -------- d-----w- c:\users\Craig and Susan\New Folder (1)
2012-07-11 03:40 . 2012-06-05 16:47 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2012-07-11 03:39 . 2012-06-05 16:47 1401856 ----a-w- c:\windows\system32\msxml6.dll
2012-07-11 03:39 . 2012-06-05 16:47 1248768 ----a-w- c:\windows\system32\msxml3.dll
2012-07-11 03:39 . 2012-06-04 15:26 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-07-11 03:39 . 2012-06-02 00:04 278528 ----a-w- c:\windows\system32\schannel.dll
2012-07-11 03:39 . 2012-06-02 00:03 204288 ----a-w- c:\windows\system32\ncrypt.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-03 16:54 . 2012-05-02 18:26 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-03 16:54 . 2011-06-16 13:02 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-12 19:37 . 2009-04-30 03:02 83392 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2012-07-12 19:37 . 2009-04-30 03:02 52128 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2012-07-12 19:37 . 2009-04-30 03:02 30624 ----a-w- c:\windows\system32\LMIport.dll
2012-07-12 19:37 . 2009-04-30 03:02 87456 ----a-w- c:\windows\system32\LMIinit.dll
2012-07-03 20:46 . 2011-02-18 08:18 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-13 13:40 . 2012-07-11 10:08 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-06-02 22:19 . 2012-06-19 05:45 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 22:19 . 2012-06-19 05:46 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-19 05:46 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-19 05:45 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-19 05:45 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-19 05:46 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-19 05:46 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-19 05:45 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 22:12 . 2012-06-19 05:45 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 08:25 . 2012-07-11 10:03 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-05-19 02:04 . 2009-04-30 03:02 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
2012-07-19 14:02 . 2012-02-05 01:08 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"googletalk"="c:\users\Craig and Susan\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"SlickRun"="c:\program files\SlickRun\sr.exe" [2009-06-02 1161568]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-11-13 247144]
"HPADVISOR"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-08-05 1644088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-27 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-27 92704]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" [2008-09-11 210216]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-07 148888]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-25 63048]
"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2009-10-17 1325936]
"AcronisTimounterMonitor"="c:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2009-10-17 904840]
"Seagate Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2009-10-17 136544]
"DVDAgent"="c:\program files\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2009-09-09 1148200]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-18 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 931200]
.
c:\users\Craig and Susan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
goSoft (3.1.2.0 F).lnk - c:\program files\goFluent\goSoft(3.1.2.0 F)\goStart.exe [N/A]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=c:\windows\pss\Microsoft Find Fast.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-02 16:54]
.
2012-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-31 03:27]
.
2012-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-31 03:27]
.
2012-08-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1015957308-2917552244-2219005616-1000Core.job
- c:\users\Craig and Susan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-14 02:29]
.
2012-08-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1015957308-2917552244-2219005616-1000UA.job
- c:\users\Craig and Susan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-14 02:29]
.
2012-07-09 c:\windows\Tasks\PCDRScheduledMaintenance.job
- c:\program files\PC-Doctor for Windows\pcdr5cuiw32.exe [2008-09-10 14:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:63556
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
Trusted Zone: gofluent.com
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
DPF: {F9BF64A0-5A65-43E0-ACDB-B223E7F9DDD9} - hxxp://watch.sniffdoghotel.com:10205/WEBWATCH2.cab
FF - ProfilePath - c:\users\Craig and Susan\AppData\Roaming\Mozilla\Firefox\Profiles\0368sgmm.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://portal.gofluent.com/group/trainer|https://mail.google.com/mail/?shva=1#inbox
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 63556
FF - prefs.js: network.proxy.type - 0
FF - user.js: extentions.y2layers.installId - 45064580-de3b-4a86-878b-7bb7035d3d86
FF - user.js: extentions.y2layers.defaultEnableAppsList - Buzzdock,Buzzdock,
FF - user.js: extensions.autoDisableScopes - 14
FF - user.js: security.csp.enable - false
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-vrdms - c:\users\Craig and Susan\AppData\Roaming\vrdms.dll
HKLM-Run-agrer - c:\users\Craig and Susan\AppData\Roaming\agrer.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-08 12:55
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCD5SRVC{BD6912E3-AC9D80E8-05040000}]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\LogMeIn\x86\LMIGuardianSvc.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\Common Files\Seagate\Schedule2\schedul2.exe
c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe
c:\program files\TeamViewer\Version5\TeamViewer_Service.exe
c:\program files\TomTom HOME 2\TomTomHOMEService.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\TeamViewer\Version5\TeamViewer.exe
c:\windows\system32\WUDFHost.exe
c:\windows\System32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
.
**************************************************************************
.
Completion time: 2012-08-08 13:06:12 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-08 20:06
ComboFix2.txt 2011-02-19 23:06
.
Pre-Run: 139,235,803,136 bytes free
Post-Run: 139,302,969,344 bytes free
.
- - End Of File - - EAAE98F1B430770519114F8200B8FB89

#9 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 28,137 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 08 August 2012 - 03:40 PM

This was deleted > is it something you want?

c:\users\Craig and Susan\Once upon a time there were two caterpillars .doc

-------------------------------------------

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how computer is running now, MrC

Malware Removal Expert


Posted Image


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Posted Image Thanks MrC & crew

#10 craigsiegel

craigsiegel

    New Member

  • Members
  • Pip
  • 7 posts

Posted 08 August 2012 - 04:06 PM

Nope. Don't need the caterpillar doc.

Here is the MBAM quickscan log. I think I am OK now, right?

Craig
---------------------------------------------

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.07.06

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Craig and Susan :: CRAIGSUSAN-PC [administrator]

8/8/2012 1:45:44 PM
mbam-log-2012-08-08 (13-45-44).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 235072
Time elapsed: 12 minute(s), 48 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#11 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 28,137 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 08 August 2012 - 04:23 PM

Yes.......:)

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Posted Image

Then hit enter.
This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)
http://oldtimer.geekstogo.com/OTL.exe
http://oldtimer.geekstogo.com/OTL.com
http://www.itxassoci...T-Tools/OTL.exe

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.
IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, etc....

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

Malware Removal Expert


Posted Image


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Posted Image Thanks MrC & crew

#12 craigsiegel

craigsiegel

    New Member

  • Members
  • Pip
  • 7 posts

Posted 08 August 2012 - 05:01 PM

Done.

You rock.

Small donation coming.

#13 LDTate

LDTate

    Forum Deity

  • Moderators
  • PipPipPipPipPipPip
  • 21,126 posts
  • Gender:Male
  • Location:Missouri, USA

Posted 09 August 2012 - 07:28 AM

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
Larry Tate
Product Support

Posted Image

Follow us: Twitter, Become a fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users