Sign in to follow this  
Followers 0
ChrisP123

I think I'm infected

41 posts in this topic

I am sending this from my laptop. I think my desk pc is infected.

My virus software wont update and pc is running very slowly.

After several attempts I have run a quick scan but this took nearly 14 hours to run.

I have tried several times to run both dds.scr and dds.com but can't get them to run.

Please can you help

Thanks Chris

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.08.13.07

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

User :: USER-1644A988E1 [administrator]

Protection: Enabled

14/08/2012 22:35:28

mbam-log-2012-08-14 (22-35-28).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 1832768

Time elapsed: 13 hour(s), 59 minute(s), 58 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

Share this post


Link to post
Share on other sites

Welcome to the forum, please start at the link below:

http://forums.malwar...?showtopic=9573

Post back the 2 logs here.....DDS.txt and Attach.txt

<====><====><====><====><====><====><====><====>

Next.......

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

Share this post


Link to post
Share on other sites

Hi thanks for reply

I can not run DDS. It opens up black screen but closes straight away and doesnt run.

I have run RogueKiller. Report below.

RogueKiller V7.6.6 [08/10/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User: User [Admin rights]

Mode: Scan -- Date: 08/21/2012 22:52:08

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 2 ¤¤¤

[HJ] HKCU\[...]\Internet Settings : WarnOnHTTPSToHTTPRedirect (0) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[Faked.Drv][FAKED] nwlnknb.sys : c:\windows\system32\drivers\nwlnknb.sys --> CANNOT FIX

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3802110A +++++

--- User ---

[MBR] 1501f58a0b8db9a179d72aa3e58d704a

[bSP] a69f28dd57458e3f2598bb696b1d09c6 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76308 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

RKreport[1].txt

Share this post


Link to post
Share on other sites

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

Share this post


Link to post
Share on other sites

I am having trouble running ComboFix it keeps crashing out.

I am going to be away from my computer for next 3 days so will contact you again when I am back

Many thanks for your help so far.

Chris

Share this post


Link to post
Share on other sites

Do this instead...........

Please download and run TDSSKiller to your desktop as outlined below:

Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

tdss_1.jpg

-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

tdss_2.jpg

------------------------

Click the Start Scan button.

tdss_3.jpg

-----------------------

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

tdss_4.jpg

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

tdss_5.jpg

--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC

Share this post


Link to post
Share on other sites

Run TDSSKiller again and choose Delete for this one only: (no need to post the log)

17:25:15.0562 3708 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user

17:25:15.0562 3708 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip

~~~~~~~~~~~~~~~~~~

Try to run ComboFix like this......

Delete your copy of ComboFix. Grab a fresh copy and save it to your Desktop, but do not run it yet.

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

Click Start --> Run, and enter this command exactly as shown: (copy and paste)

"%userprofile%\desktop\combofix.exe" /nombr

See if it will run successfully now. MrC

Share this post


Link to post
Share on other sites

I have managed to run combo.fix in safe mode. Crashed out first time I ran it but worked 2nd time

Log is as follows

ComboFix 12-08-25.04 - User 27/08/2012 13:28:41.6.1 - x86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1503.1166 [GMT 1:00]

Running from: c:\documents and settings\User\desktop\combofix.exe

Command switches used :: /nombr

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\system32\FE05DA0D.dll

c:\windows\system32\FE05EFED.dll

c:\windows\system32\FE05F051.dll

c:\windows\system32\FE05F3D5.dll

c:\windows\system32\URTTemp

c:\windows\system32\URTTemp\fusion.dll

c:\windows\system32\URTTemp\mscoree.dll

c:\windows\system32\URTTemp\mscoree.dll.local

c:\windows\system32\URTTemp\mscorsn.dll

c:\windows\system32\URTTemp\mscorwks.dll

c:\windows\system32\URTTemp\msvcr71.dll

c:\windows\system32\URTTemp\regtlib.exe

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

.

.

((((((((((((((((((((((((( Files Created from 2012-07-27 to 2012-08-27 )))))))))))))))))))))))))))))))

.

.

2012-08-26 16:57 . 2012-08-26 16:57 -------- d-----w- C:\TDSSKiller_Quarantine

2012-08-21 13:00 . 2012-08-21 18:01 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2012-08-13 22:32 . 2012-08-13 22:32 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2012-08-13 22:15 . 2012-07-03 12:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-08-12 12:24 . 2012-08-12 12:24 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-07-29 19:52 . 2012-07-29 19:52 65848 ----a-w- c:\windows\system32\drivers\RapportKELL.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-08-12 12:24 . 2011-07-14 18:04 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-05-29 19:46 . 2012-07-17 03:26 31584 ----a-w- c:\windows\system32\TURegOpt.exe

2012-04-04 16:01 . 2012-04-04 16:01 3993600 ----a-w- c:\program files\GUT8.tmp

2012-03-30 18:29 . 2012-03-30 18:29 3993600 ----a-w- c:\program files\GUTE.tmp

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2010-02-04 16:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

.

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LXBSCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXBStime.dll" [2004-03-17 65536]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

2005-06-06 23:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-11-29 17:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

"Conime"=%windir%\system32\conime.exe

"SiSPower"=Rundll32.exe SiSPower.dll,ModeAgent

"MemoryCardManager"=c:\program files\Lexmark\Lexmark Precision Photo\MemCard.exe -startup

"EKIJ5000StatusMonitor"=c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe

"TalkTalk"="c:\program files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=

"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 2010 9.0.0.459\\English\\setup.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Steam\\SteamApps\\common\\football manager 2011\\fm.exe"=

"c:\\Program Files\\Kodak\\AiO\\Center\\AiOHomeCenter.exe"=

"c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=

"c:\\Program Files\\Kodak\\AiO\\Firmware\\KodakAiOUpdater.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\Kodak\\Installer\\Setup.exe"=

"c:\\Program Files\\Kodak\\AiO\\Center\\NetworkPrinterDiscovery.exe"=

"c:\\Program Files\\Cyanide\\Pro Cycling Manager - Season 2011\\PCM.exe"=

"c:\\Program Files\\Cyanide\\Pro Cycling Manager - Season 2011\\Autorun\\Exe\\Autorun.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"9322:TCP"= 9322:TCP:EKDiscovery

"5353:UDP"= 5353:UDP:Bonjour Port 5353

.

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

S0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [29/07/2012 20:52 65848]

S1 appdrv01;Application Driver (01);c:\windows\system32\drivers\appdrv01.sys [20/07/2011 19:30 3332784]

S1 is-5I60Cdrv;is-5I60Cdrv;c:\windows\system32\drivers\14093992.sys [07/10/2009 20:05 148496]

S1 RapportCerberus_42020;RapportCerberus_42020;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_42020.sys [12/08/2012 17:20 228376]

S1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [29/07/2012 20:52 71480]

S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [29/07/2012 20:52 166840]

S2 appdrvrem01;Application Driver Auto Removal Service (01);c:\windows\System32\appdrvrem01.exe svc --> c:\windows\System32\appdrvrem01.exe svc [?]

S2 bsaspi32;bsaspi32; [x]

S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [25/06/2009 22:21 233472]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [01/02/2010 10:19 135664]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [13/08/2012 23:16 655944]

S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [29/07/2012 20:52 976728]

S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe [29/05/2012 20:46 1528672]

S3 FXDRV;FXDRV;\??\d:\fxdrv.sys --> d:\Fxdrv.sys [?]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [01/02/2010 10:19 135664]

S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [13/08/2012 23:32 35144]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [13/08/2012 23:15 22344]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [21/08/2012 14:00 40776]

S3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\baseline\RapportIaso.sys [11/03/2012 13:50 21520]

S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2012\TuneUpUtilitiesDriver32.sys [08/05/2012 15:21 10064]

S3 USBAV191;Instant VideoXpress;c:\windows\system32\drivers\USBAV191.SYS [24/02/2008 17:40 120128]

S4 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [13/09/2010 18:18 308656]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - PXHELP20

.

Contents of the 'Scheduled Tasks' folder

.

2012-08-13 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

.

2012-08-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 09:19]

.

2012-08-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 09:19]

.

2012-08-26 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 16:50]

.

.

------- Supplementary Scan -------

.

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

TCP: DhcpNameServer = 192.168.2.1

.

- - - - ORPHANS REMOVED - - - -

.

HKCU-RunOnce-NeroHomeFirstStart - c:\program files\Common Files\Ahead\Lib\NMFirstStart.exe

Notify-avgrsstarter - avgrsstx.dll

MSConfigStartUp-Virtual PDF Printer - c:\program files\Virtual PDF Printer\VirtualPDFPrinter.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-08-27 15:03

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LXBSCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(848)

c:\windows\system32\ieframe.dll

c:\windows\system32\OneX.DLL

c:\windows\system32\eappprxy.dll

.

Completion time: 2012-08-27 15:17:36 - machine was rebooted

ComboFix-quarantined-files.txt 2012-08-27 14:17

.

Pre-Run: 36,682,792,960 bytes free

Post-Run: 36,767,485,952 bytes free

.

- - End Of File - - 75F70E6E8689043A197FCC532BA88F98

Share this post


Link to post
Share on other sites

Using ComboFix......

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

4. If ComboFix wants to update.....please allow it to.

File::

c:\program files\GUT8.tmp

c:\program files\GUTE.tmp

ClearJavaCache::

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScript.gif

Refering to the picture above, drag CFScript into ComboFix.exe

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot, (in case it asks to reboot)......

Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

MrC

Share this post


Link to post
Share on other sites

Combofix log is as follows:

ComboFix 12-08-25.04 - User 27/08/2012 19:17:43.7.1 - x86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1503.1102 [GMT 1:00]

Running from: c:\documents and settings\User\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt

.

FILE ::

"c:\program files\GUT8.tmp"

"c:\program files\GUTE.tmp"

.

.

((((((((((((((((((((((((( Files Created from 2012-07-27 to 2012-08-27 )))))))))))))))))))))))))))))))

.

.

2012-08-26 16:57 . 2012-08-26 16:57 -------- d-----w- C:\TDSSKiller_Quarantine

2012-08-21 13:00 . 2012-08-21 18:01 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2012-08-13 22:32 . 2012-08-13 22:32 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2012-08-13 22:15 . 2012-07-03 12:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-08-12 12:24 . 2012-08-12 12:24 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-07-29 19:52 . 2012-07-29 19:52 65848 ----a-w- c:\windows\system32\drivers\RapportKELL.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-08-12 12:24 . 2011-07-14 18:04 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-05-29 19:46 . 2012-07-17 03:26 31584 ----a-w- c:\windows\system32\TURegOpt.exe

2012-04-04 16:01 . 2012-04-04 16:01 3993600 ----a-w- c:\program files\GUT8.tmp

2012-03-30 18:29 . 2012-03-30 18:29 3993600 ----a-w- c:\program files\GUTE.tmp

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

.

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2010-02-04 16:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

.

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

.

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-22 68856]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LXBSCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXBStime.dll" [2004-03-17 65536]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

avgrsstx.dll [bU]

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

2005-06-06 23:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-11-29 17:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Virtual PDF Printer]

c:\program files\Virtual PDF Printer\VirtualPDFPrinter.exe [bU]

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"ctfmon.exe"=c:\windows\system32\ctfmon.exe

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

"AutoStartNPSAgent"=c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe

"Steam"="c:\program files\Steam\Steam.exe" -silent

"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

"Conime"=%windir%\system32\conime.exe

"SiSPower"=Rundll32.exe SiSPower.dll,ModeAgent

"MemoryCardManager"=c:\program files\Lexmark\Lexmark Precision Photo\MemCard.exe -startup

"EKIJ5000StatusMonitor"=c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe

"TalkTalk"="c:\program files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=

"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 2010 9.0.0.459\\English\\setup.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Steam\\SteamApps\\common\\football manager 2011\\fm.exe"=

"c:\\Program Files\\Kodak\\AiO\\Center\\AiOHomeCenter.exe"=

"c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=

"c:\\Program Files\\Kodak\\AiO\\Firmware\\KodakAiOUpdater.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\Kodak\\Installer\\Setup.exe"=

"c:\\Program Files\\Kodak\\AiO\\Center\\NetworkPrinterDiscovery.exe"=

"c:\\Program Files\\Cyanide\\Pro Cycling Manager - Season 2011\\PCM.exe"=

"c:\\Program Files\\Cyanide\\Pro Cycling Manager - Season 2011\\Autorun\\Exe\\Autorun.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"9322:TCP"= 9322:TCP:EKDiscovery

"5353:UDP"= 5353:UDP:Bonjour Port 5353

.

R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]

R0 RapportKELL;RapportKELL;c:\windows\System32\Drivers\RapportKELL.sys [x]

R1 appdrv01;Application Driver (01);c:\windows\system32\Drivers\appdrv01.sys [x]

R1 is-5I60Cdrv;is-5I60Cdrv;c:\windows\system32\DRIVERS\14093992.sys [x]

R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [x]

R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [x]

R2 appdrvrem01;Application Driver Auto Removal Service (01);c:\windows\System32\appdrvrem01.exe svc [x]

R2 bsaspi32;bsaspi32; [x]

R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [x]

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]

R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [x]

R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe [x]

R3 FXDRV;FXDRV;D:\Fxdrv.sys [x]

R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]

R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [x]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]

R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2012\TuneUpUtilitiesDriver32.sys [x]

R3 USBAV191;Instant VideoXpress;c:\windows\system32\DRIVERS\USBAV191.SYS [x]

R4 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [x]

.

.

Contents of the 'Scheduled Tasks' folder

.

2012-08-13 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

.

2012-08-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 09:19]

.

2012-08-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 09:19]

.

2012-08-26 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 16:50]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.bbc.co.uk/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

TCP: DhcpNameServer = 192.168.2.1

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-08-27 20:05

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LXBSCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1004336348-1677128483-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{ABB1D293-9773-45CD-EEB3-03208CF394FB}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(172)

c:\windows\system32\ieframe.dll

c:\windows\system32\OneX.DLL

c:\windows\system32\eappprxy.dll

.

Completion time: 2012-08-27 20:16:59

ComboFix-quarantined-files.txt 2012-08-27 19:16

ComboFix2.txt 2012-08-27 14:17

.

Pre-Run: 36,795,039,744 bytes free

Post-Run: 36,760,354,816 bytes free

.

- - End Of File - - 3B7748F2A1CE764E01E23EE6E530432F

Share this post


Link to post
Share on other sites

I did have F-Secure installed before a ran combofix. I couldn't get it to run but combo fix said it was running and would affect scan so I uninstalled it.

Can't get mseinstall to work says it is not a valid win32 application

Shall I re-install my old anti virus and run that?

Thanks

Share this post


Link to post
Share on other sites

Run this free online one........

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

http://www.eset.eu/online-scanner

Tick the box next to YES, I accept the Terms of Use.

Click Start

When asked, allow the ActiveX control to install

Click Start

Make sure that the options Remove found threats and the option Scan unwanted applications is checked

Click Advanced settings and select the following:

  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology

Click Start

Wait for the scan to finish

Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt

Copy and paste that log as a reply to this topic

MrC

Share this post


Link to post
Share on other sites

Hi I have run the scan. It took 15.5 hours.

Here is the log:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6583

# api_version=3.0.2

# EOSSerial=26daf518296d0b4bb2ac51852d3d7652

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2012-08-28 11:34:45

# local_time=2012-08-29 12:34:45 (+0000, GMT Daylight Time)

# country="United Kingdom"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1026 16777214 0 2 91374165 91374165 0 0

# compatibility_mode=2304 16777215 100 0 0 0 0 0

# compatibility_mode=5893 16776574 0 7 91373700 91373700 0 0

# compatibility_mode=8192 67108863 100 0 41364 41364 0 0

# scanned=122127

# found=1

# cleaned=1

# scan_time=55807

C:\TDSSKiller_Quarantine\26.08.2012_17.06.10\tdlfs0000\tsk0001.dta a variant of Win32/Olmarik.TW trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

DLL:pipe not connected. attempts=120

Share this post


Link to post
Share on other sites

That scan is OK.

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how computer is running now, MrC

Share this post


Link to post
Share on other sites

How are we doing??

Do you still need help or can I close this post??

MrC

Share this post


Link to post
Share on other sites

Hi sorry been away from my computer for a few days.

I have run a quick scan posted below. All looks ok but pc is still slow.

The latest scan took 6 hours but the one before took 14 hours so it is running quicker.

I guess I just need to delete off some of the programs etc.

Thanks for your help.

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.09.02.04

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

User :: USER-1644A988E1 [administrator]

Protection: Enabled

02/09/2012 23:57:56

mbam-log-2012-09-02 (23-57-56).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 1860023

Time elapsed: 6 hour(s), 24 minute(s), 54 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

Share this post


Link to post
Share on other sites

Hi everything seemed ok so I re-installed my virus protection software but now I can not access the internet.

Windows said it was a winsock provider catalog error. It fixed it but then I had to re-boot. I then have the same problem again.

It fixes it but then I have to reboot and it wont connect again.

Can you help?

Share this post


Link to post
Share on other sites

Same thing happens with this one. Runs ok then crashes out during re-boot. When I start it again no connection

Share this post


Link to post
Share on other sites

Try this:

Go to > Start > Run > type CMD, click OK to open a command prompt.

Copy and paste and hit enter:

Reset WINSOCK entries to installation defaults: netsh winsock reset catalog

Copy and paste and hit enter:

Reset TCP/IP stack to installation defaults. netsh int ip reset reset.log

Reboot the machine, let me know......MrC

Share this post


Link to post
Share on other sites

Download and install Complete Internet Repair (it will just install to a folder)

http://www.datum-for...ownloads/?did=4

Open up the folder and run CIntRep.exe

Put a check in the box in the first 4 boxes only!!!

Now Hit Go

When done > Reboot

Let me know

MrC

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0

  • Recently Browsing   0 members

    No registered users viewing this page.