Vegas_Bear

Help with Infection


Hi Bear,

 

1. Please, save RogueKiller on the Desktop.

http://www.sur-la-toile.com/RogueKiller/

Turn off all running programs and remove any external drives and other devices connected with USB etc. except mouse and keyboard.

 

Start RogueKiller (in Vista and Windows 7 right-click the program and select "Run as administrator"). If it won't start, try several times. If you still are unsuccessful, rename the file to winlogon.exe.

 

Wait until "Prescan" has finished.

Click on "Scan" button in upper right corner.

Wait until the scan has finished.

 

A report with a name similar to RKreport.txt should have been created on the desktop.

Please, post it in your answer. I prefer that you paste the content of the log into your answer instead of attaching it.

 

2. Please, follow the instructions on http://www.bleepingcomputer.com/combofix/how-to-use-combofix for installing and running ComboFix.

 

Read carefully and note the "Disclaimer of warranty"!

 

Paste the content of the log into your answer.

If ComboFix displays a message, for example that a rootkit was found, write it down as detailed as possible.


Thank you for the quick reply CeciliaB. The two programs were downloaded and run. Here are the two logs you requested.

 

ComboFix

 

ComboFix 13-01-08.01 - Bear 01/08/2013   9:59.5.2 - x86
Running from: c:\documents and settings\Bear\Desktop\ComboFix.exe
* Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\1498149814
c:\documents and settings\All Users\Application Data\592624643
c:\documents and settings\Bear\ntuser.tmp
c:\documents and settings\Bear\pmyukfhocdquyqud.exe
c:\windows\system32\dllcache\wmpvis.dll
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\regtlib.exe
.
.
(((((((((((((((((((((((((   Files Created from 2012-12-08 to 2013-01-08  )))))))))))))))))))))))))))))))
.
.
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-20 19:11 . 2012-04-06 18:36 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-20 19:11 . 2011-06-18 20:57 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-16 12:23 . 2003-03-31 12:00 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-13 20:29 . 2012-11-13 20:29 354216 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
2012-11-13 01:25 . 2003-03-31 12:00 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-02 02:02 . 2008-04-12 12:44 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17 . 2003-03-31 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17 . 2003-03-31 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17 . 2003-03-31 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35 . 2004-08-04 05:59 385024 ------w- c:\windows\system32\html.iec
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-24 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 20992]
"StatusClient"="c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 36864]
"TomcatStartup"="c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2002-12-03 143360]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2002-05-29 520192]
"CTHelper"="CTHELPER.EXE" [2005-08-07 16384]
"CTxfiHlp"="CTXFIHLP.EXE" [2005-08-07 18944]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2012-07-27 35768]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-02-23 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-02-23 13880424]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-11-04 1753192]
"DivXMediaServer"="c:\program files\DivX\DivX Media Server\DivXMediaServer.exe" [2012-11-13 450560]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2012-11-30 1263512]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\Bear\Start Menu\Programs\Startup\
restart_vs.lnk - F:\Viewsonic.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-4-18 113664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [x]
R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - TRUESIGHT
*Deregistered* - EraserUtilDrv11220
*Deregistered* - EraserUtilRebootDrv
*Deregistered* - Lavasoft Kernexplorer
*Deregistered* - TrueSight
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-08 c:\windows\Tasks\Ad-Aware Scan (daily).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-05-25 07:40]
.
2013-01-08 c:\windows\Tasks\Ad-Aware Scan (weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-05-25 07:40]
.
2012-12-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]
.
2013-01-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 08:39]
.
2013-01-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 08:39]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-01-08 10:09
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
 CTHelper = CTHELPER.EXE?
 CTxfiHlp = CTXFIHLP.EXE?
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2013-01-08  10:12:13
ComboFix-quarantined-files.txt  2013-01-08 18:11
ComboFix2.txt  2011-06-15 17:08
.
Pre-Run: 161,266,044,928 bytes free
Post-Run: 161,267,294,208 bytes free
.
- - End Of File - - B0110F968443ABE8091EA91BD022EB30

 

RogueKiller

 

RogueKiller V8.4.2 [Jan  6 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/
Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Bear [Admin rights]
Mode : Scan -- Date : 01/08/2013 09:56:17
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 8 ¤¤¤
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] n : C:\RECYCLER\S-1-5-18\$cca498e978e6533ac8deb78144fa710d\n --> FOUND
[ZeroAccess][FILE] n : C:\RECYCLER\S-1-5-21-1275210071-1682526488-839522115-1003\$cca498e978e6533ac8deb78144fa710d\n --> FOUND
[ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-18\$cca498e978e6533ac8deb78144fa710d\@ --> FOUND
[ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-21-1275210071-1682526488-839522115-1003\$cca498e978e6533ac8deb78144fa710d\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-18\$cca498e978e6533ac8deb78144fa710d\U --> FOUND
[ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-21-1275210071-1682526488-839522115-1003\$cca498e978e6533ac8deb78144fa710d\U --> FOUND
[ZeroAccess][FOLDER] L : C:\RECYCLER\S-1-5-18\$cca498e978e6533ac8deb78144fa710d\L --> FOUND
[ZeroAccess][FOLDER] L : C:\RECYCLER\S-1-5-21-1275210071-1682526488-839522115-1003\$cca498e978e6533ac8deb78144fa710d\L --> FOUND
¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[31] : NtConnectPort @ 0x805A45D8 -> HOOKED (Unknown @ 0x87C0E4A0)
¤¤¤ Infection : ZeroAccess ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts
127.0.0.1	   localhost

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] 9ed3d55b79aa35a51b1526fe86f2e546
[bSP] 6e10de559c15b72a6e89fbc7457d0b08 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[1]_S_01082013_02d0956.txt >>
RKreport[1]_S_01082013_02d0956.txt

 

ComboFix did not list a rootkit found in the scan. Awaiting further instructions and thanks again for the help.

 

Bear


ZeroAccess is a severe rootkit infection. It is recommended to reinstall Windows, since it is impossible to know exactly what has been changed in the computer when it has been open for others to control. Please, change all passwords used on the computer and on the internet, either now from a clean computer or from this computer when it has been reinstalled or cleaned. You should also contact your bank etc. if the computer is used for financial transactions. But if you don't want to reinstall Windows, I'll try to help you clean the computer.

 

1. Do you miss any menu items in the start menu, e.g. My Pictures or Recent Documents, or on the desktop, e.g. My Computer?

 

2. Turn off all programs including antivirus program and similar programs.

 

Run RogueKiller (in Vista and Windows 7 right-click the program and select "Run as administrator").

Wait until "Prescan" has finished.

 

Select the "Files" tab and select the following entries, but no others:

[ZeroAccess][FILE] n : C:\RECYCLER\S-1-5-18\$cca498e978e6533ac8deb78144fa710d\n --> FOUND
[ZeroAccess][FILE] n : C:\RECYCLER\S-1-5-21-1275210071-1682526488-839522115-1003\$cca498e978e6533ac8deb78144fa710d\n --> FOUND
[ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-18\$cca498e978e6533ac8deb78144fa710d\@ --> FOUND
[ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-21-1275210071-1682526488-839522115-1003\$cca498e978e6533ac8deb78144fa710d\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-18\$cca498e978e6533ac8deb78144fa710d\U --> FOUND
[ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-21-1275210071-1682526488-839522115-1003\$cca498e978e6533ac8deb78144fa710d\U --> FOUND
[ZeroAccess][FOLDER] L : C:\RECYCLER\S-1-5-18\$cca498e978e6533ac8deb78144fa710d\L --> FOUND
[ZeroAccess][FOLDER] L : C:\RECYCLER\S-1-5-21-1275210071-1682526488-839522115-1003\$cca498e978e6533ac8deb78144fa710d\L --> FOUND

Click the "Delete" button.

 

Restart the computer.

A new report with a name similar to RKreport.txt should have been created on the desktop.

Please, post it in your answer. I prefer that you paste the content of the log without using any buttons or tags.

 

3. Run ComboFix in the same way as before and post that log, too.

 

4. Please, download aswMBR to your desktop. http://public.avast.com/~gmerek/aswMBR.exe

 

Restart the computer and don't start any programs.

Double-click it to start aswMBR.

Allow it to download the latest definitions, if it asks.

Click the Scan button to start the scan.

When the scan has finished click the Save log button and save it to your desktop.

Post the log.
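As an added example (not code from this thread, from RogueKiller or from its author), here is a small Python triage helper for the RogueKiller report format shown above: it parses the ¤¤¤ section headers, extracts the tagged findings, flags ZeroAccess-style indicators (entries under a C:\RECYCLER\<SID>\$<32 hex chars>\ folder), records SSDT hook lines with their owner, and diffs a before/after pair of reports so you can confirm that a delete-and-rescan pass removed exactly the entries it was meant to. The two embedded reports are constructed, modeled on the RKreport logs in this thread.

```python
"""Triage helper for RogueKiller text reports (added example; not code from the
thread, from RogueKiller or from its author). It parses the "¤¤¤ ... ¤¤¤"
section headers, extracts tagged findings, flags ZeroAccess-style indicators
and SSDT hooks, and diffs two reports so a helper can verify that a cleanup
pass removed exactly the entries it targeted.
"""
import re
from dataclasses import dataclass

# Section header, e.g. "¤¤¤ Registry Entries : 8 ¤¤¤" or "¤¤¤ Driver : [LOADED] ¤¤¤"
SECTION_RE = re.compile(r"^¤¤¤\s*(?P<name>[^:¤]+):?\s*(?P<detail>[^¤:]*)¤¤¤$")
# Tagged finding, e.g. "[ZeroAccess][FILE] n : <path> --> FOUND"
TAGGED_RE = re.compile(r"^(?P<tags>(?:\[[^\]]+\])+)\s*(?P<body>.+?)\s*-+>\s*(?P<verdict>\w+)")
# SSDT hook line, e.g. "SSDT[31] : NtConnectPort @ 0x805A45D8 -> HOOKED (Unknown @ 0x87C0E4A0)"
SSDT_RE = re.compile(r"^SSDT\[\d+\]\s*:\s*(?P<func>\w+)\s*@\s*(?P<addr>0x[0-9A-Fa-f]+)"
                     r"\s*->\s*HOOKED\s*\((?P<owner>[^)]*)\)")
# ZeroAccess keeps its components in a per-SID Recycler folder named "$" + 32 hex chars
ZA_PATH_RE = re.compile(r"\\RECYCLER\\S-1-5-[\d-]+\\\$[0-9a-f]{32}\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str
    tags: tuple       # e.g. ("ZeroAccess", "FILE"), ("HJPOL",) or ("SSDT",)
    body: str         # text between the tags and the "-> VERDICT" arrow
    verdict: str      # FOUND, KILLED, HOOKED, ...
    detail: str = ""  # hook owner for SSDT lines, empty otherwise

    def is_zeroaccess(self) -> bool:
        return "ZeroAccess" in self.tags or bool(ZA_PATH_RE.search(self.body))

    def key(self) -> tuple:
        # Identity used for diffing; leaves out the volatile hook-owner address.
        return (self.section, self.tags, self.body)


def parse_report(text: str):
    """Return (findings, sections): findings in order, sections as {name: detail}."""
    findings, sections, section = [], {}, "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["name"].strip()
            sections[section] = m["detail"].strip()
            continue
        m = SSDT_RE.match(line)
        if m:
            findings.append(Finding(section, ("SSDT",), f"{m['func']} @ {m['addr']}",
                                    "HOOKED", m["owner"].strip()))
            continue
        m = TAGGED_RE.match(line)
        if m:
            tags = tuple(re.findall(r"\[([^\]]+)\]", m["tags"]))
            findings.append(Finding(section, tags, m["body"], m["verdict"].upper()))
    return findings, sections


def zeroaccess_findings(findings) -> list:
    """The subset of findings that point at ZeroAccess components."""
    return [f for f in findings if f.is_zeroaccess()]


def diff_reports(before: str, after: str) -> tuple:
    """(removed, added) finding keys between two reports of the same machine."""
    old = {f.key() for f in parse_report(before)[0]}
    new = {f.key() for f in parse_report(after)[0]}
    return sorted(old - new), sorted(new - old)


# Constructed sample reports, modeled on the RKreport[1] and RKreport[3] logs in this thread.
BEFORE = r"""Mode : Scan -- Date : 01/08/2013 09:56:17
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 1 ¤¤¤
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] n : C:\RECYCLER\S-1-5-18\$cca498e978e6533ac8deb78144fa710d\n --> FOUND
[ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-18\$cca498e978e6533ac8deb78144fa710d\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-18\$cca498e978e6533ac8deb78144fa710d\U --> FOUND
[ZeroAccess][FOLDER] L : C:\RECYCLER\S-1-5-18\$cca498e978e6533ac8deb78144fa710d\L --> FOUND
¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[31] : NtConnectPort @ 0x805A45D8 -> HOOKED (Unknown @ 0x87C0E4A0)
¤¤¤ Infection : ZeroAccess ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts
"""
AFTER = r"""Mode : Scan -- Date : 01/08/2013 19:47:31
¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] CTHELPER.EXE -- C:\WINDOWS\CTHELPER.EXE -> KILLED [TermProc]
¤¤¤ Registry Entries : 1 ¤¤¤
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[31] : NtConnectPort @ 0x805A45D8 -> HOOKED (Unknown @ 0x8764A5E8)
"""
```

Running `diff_reports(BEFORE, AFTER)` on the samples reports the four ZeroAccess entries as removed and the killed CTHELPER.EXE process as the only new finding, while the SSDT hook (same function and address, different owner) stays out of the diff.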


I'd like to try and clean the PC if possible; I don't know how to re-install Windows. I didn't notice anything funny on the start menu; I already had those taken off of the menu. I re-ran RogueKiller and under the Files tab it was empty. Here is the log.

 

RogueKiller

 

 

RogueKiller V8.4.2 [Jan 6 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo...13-roguekiller/

Website : http://tigzy.geeksto...roguekiller.php

Blog : http://tigzyrk.blogspot.com/

 

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User : Bear [Admin rights]

Mode : Scan -- Date : 01/08/2013 19:47:31

 

¤¤¤ Bad processes : 1 ¤¤¤

[sUSP PATH] CTHELPER.EXE -- C:\WINDOWS\CTHELPER.EXE -> KILLED [TermProc]

 

¤¤¤ Registry Entries : 7 ¤¤¤

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND

[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

 

¤¤¤ Particular Files / Folders: ¤¤¤

 

¤¤¤ Driver : [LOADED] ¤¤¤

SSDT[31] : NtConnectPort @ 0x805A45D8 -> HOOKED (Unknown @ 0x8764A5E8)

 

¤¤¤ HOSTS File: ¤¤¤

--> C:\WINDOWS\system32\drivers\etc\hosts

 

127.0.0.1 localhost

 

 

¤¤¤ MBR Check: ¤¤¤

 

+++++ PhysicalDrive0: +++++

--- User ---

[MBR] 9ed3d55b79aa35a51b1526fe86f2e546

[bSP] 6e10de559c15b72a6e89fbc7457d0b08 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 Mo

User = LL1 ... OK!

User = LL2 ... OK!

 

Finished : << RKreport[3]_S_01082013_02d1947.txt >>

RKreport[1]_S_01082013_02d0956.txt ; RKreport[2]_S_01082013_02d1937.txt ; RKreport[3]_S_01082013_02d1947.txt

 

 

 

ComboFix

 

 

ComboFix 13-01-08.01 - Bear 01/08/2013 19:52:13.6.2 - x86

Running from: c:\documents and settings\Bear\Desktop\ComboFix.exe

* Created a new restore point

.

.

((((((((((((((((((((((((( Files Created from 2012-12-09 to 2013-01-09 )))))))))))))))))))))))))))))))

.

.

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-12-20 19:11 . 2012-04-06 18:36 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-12-20 19:11 . 2011-06-18 20:57 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-12-16 12:23 . 2003-03-31 12:00 290560 ----a-w- c:\windows\system32\atmfd.dll

2012-11-13 20:29 . 2012-11-13 20:29 354216 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl

2012-11-13 01:25 . 2003-03-31 12:00 1866368 ----a-w- c:\windows\system32\win32k.sys

2012-11-02 02:02 . 2008-04-12 12:44 375296 ----a-w- c:\windows\system32\dpnet.dll

2012-11-01 12:17 . 2003-03-31 12:00 916992 ----a-w- c:\windows\system32\wininet.dll

2012-11-01 12:17 . 2003-03-31 12:00 43520 ------w- c:\windows\system32\licmgr10.dll

2012-11-01 12:17 . 2003-03-31 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-11-01 00:35 . 2004-08-04 05:59 385024 ------w- c:\windows\system32\html.iec

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-24 68856]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 20992]

"StatusClient"="c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 36864]

"TomcatStartup"="c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2002-12-03 143360]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]

"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2002-05-29 520192]

"CTHelper"="CTHELPER.EXE" [2005-08-07 16384]

"CTxfiHlp"="CTXFIHLP.EXE" [2005-08-07 18944]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2012-07-27 35768]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-02-23 111208]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-02-23 13880424]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-11-04 1753192]

"DivXMediaServer"="c:\program files\DivX\DivX Media Server\DivXMediaServer.exe" [2012-11-13 450560]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2012-11-30 1263512]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

.

c:\documents and settings\Bear\Start Menu\Programs\Startup\

restart_vs.lnk - F:\Viewsonic.exe [N/A]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-4-18 113664]

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=

.

R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]

R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [x]

R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [x]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

*Deregistered* - EraserUtilDrv11220

*Deregistered* - EraserUtilRebootDrv

*Deregistered* - TrueSight

.

Contents of the 'Scheduled Tasks' folder

.

2013-01-08 c:\windows\Tasks\Ad-Aware Scan (daily).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-05-25 07:40]

.

2013-01-08 c:\windows\Tasks\Ad-Aware Scan (weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-05-25 07:40]

.

2012-12-29 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]

.

2013-01-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 08:39]

.

2013-01-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 08:39]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2013-01-08 20:03

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CTHelper = CTHELPER.EXE?

CTxfiHlp = CTXFIHLP.EXE?

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(3596)

c:\windows\system32\WININET.dll

c:\program files\Logitech\MouseWare\System\LgWndHk.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2013-01-08 20:05:31

ComboFix-quarantined-files.txt 2013-01-09 04:05

ComboFix2.txt 2013-01-08 18:12

ComboFix3.txt 2011-06-15 17:08

.

Pre-Run: 161,293,881,344 bytes free

Post-Run: 161,291,800,576 bytes free

.

- - End Of File - - 056B17C880C69EDEBE128F09A8332B96

 

 

 

aswMBR - smart scan was done

 

 

aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software

Run date: 2013-01-08 20:08:34

-----------------------------

20:08:34.765 OS Version: Windows 5.1.2600 Service Pack 3

20:08:34.765 Number of processors: 2 586 0x2302

20:08:34.765 ComputerName: LARRY-GAME-BOX UserName: Bear

20:08:36.843 Initialize success

20:12:24.328 AVAST engine defs: 13010801

20:12:57.125 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-17

20:12:57.125 Disk 0 Vendor: WDC_WD5000AACS-00ZUB0 01.01B01 Size: 476940MB BusType: 3

20:12:57.140 Disk 0 MBR read successfully

20:12:57.140 Disk 0 MBR scan

20:12:57.218 Disk 0 Windows XP default MBR code

20:12:57.218 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476929 MB offset 63

20:12:57.234 Disk 0 scanning sectors +976752000

20:12:57.296 Disk 0 scanning C:\WINDOWS\system32\drivers

20:13:10.343 Service scanning

20:13:30.203 Modules scanning

20:13:37.875 Disk 0 trace - called modules:

20:13:37.890 ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys

20:13:37.890 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a7d6ab8]

20:13:37.890 3 CLASSPNP.SYS[b8108fd7] -> nt!IofCallDriver -> \Device\00000076[0x8a7ee9e8]

20:13:37.890 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-17[0x8a7bad98]

20:13:40.109 AVAST engine scan C:\WINDOWS

20:13:58.593 AVAST engine scan C:\WINDOWS\system32

20:17:57.421 AVAST engine scan C:\WINDOWS\system32\drivers

20:18:33.546 AVAST engine scan C:\Documents and Settings\Bear

20:21:59.359 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Bear\Desktop\MBR.dat"

20:21:59.375 The log file has been saved successfully to "C:\Documents and Settings\Bear\Desktop\aswMBR.txt"


Please, post RKreport[2]_S_01082013_02d1937.txt that I haven't seen.

 

I didn't notice anything funny on the start menu, I already had those taken off of the menu.
Good; sometimes malicious programs remove the menu items, and then we could get them back.

 

1. Please, run DDS again and post DDS.txt.

 

2. Run an online scan with Eset http://www.eset.com/onlinescan/

To shorten the scanning time disable your antivirus program while scanning.

 

Uncheck "Remove found threats"

Check "Scan Archives"

 

Click "Advanced Settings"

Check:

Scan for potentially unwanted applications

Scan for potentially unsafe applications

Enable Anti-Stealth Technology

 

Click Scan

 

When the scan is finished, copy the result and paste its content in your answer.


The Eset scan took 17 hrs; when done, nothing was found and no log was produced. I ran the 3rd RK scan because the 2nd one didn't contain the files you said to remove; it is posted below along with the new DDS scan.

 

RogueKiller 2nd scan

 

 

RogueKiller V8.4.2 [Jan 6 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo...13-roguekiller/

Website : http://tigzy.geeksto...roguekiller.php

Blog : http://tigzyrk.blogspot.com/

 

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User : Bear [Admin rights]

Mode : Scan -- Date : 01/08/2013 19:37:14

 

¤¤¤ Bad processes : 0 ¤¤¤

 

¤¤¤ Registry Entries : 7 ¤¤¤

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND

[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

 

¤¤¤ Particular Files / Folders: ¤¤¤

 

¤¤¤ Driver : [LOADED] ¤¤¤

SSDT[31] : NtConnectPort @ 0x805A45D8 -> HOOKED (Unknown @ 0x87C0E4A0)

 

¤¤¤ HOSTS File: ¤¤¤

--> C:\WINDOWS\system32\drivers\etc\hosts

 

127.0.0.1 localhost

 

 

¤¤¤ MBR Check: ¤¤¤

 

+++++ PhysicalDrive0: +++++

--- User ---

[MBR] 9ed3d55b79aa35a51b1526fe86f2e546

[bSP] 6e10de559c15b72a6e89fbc7457d0b08 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 Mo

User = LL1 ... OK!

User = LL2 ... OK!

 

Finished : << RKreport[2]_S_01082013_02d1937.txt >>

RKreport[1]_S_01082013_02d0956.txt ; RKreport[2]_S_01082013_02d1937.txt

 

 

DDS.txt

 

 

DDS (Ver_2012-11-20.01) - NTFS_x86

Internet Explorer: 8.0.6001.18702

Run by Bear at 8:57:18 on 2013-01-09

.

============== Running Processes ================

.

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\WINDOWS\CTHELPER.EXE

C:\WINDOWS\system32\CTXFIHLP.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe

C:\WINDOWS\SYSTEM32\CTXFISPI.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Symantec AntiVirus\DoScan.exe

C:\Program Files\DivX\DivX Update\DivXUpdate.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

C:\WINDOWS\system32\svchost.exe -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\System32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\System32\svchost.exe -k LocalService

C:\WINDOWS\System32\svchost.exe -k imgsvc

.

============== Pseudo HJT Report ===============

.

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll

BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.7529.1424\swg.dll

BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

mRun: [Logitech Utility] Logi_MwX.Exe

mRun: [statusClient] c:\program files\hewlett-packard\toolbox2.0\apache tomcat 4.0\webapps\toolbox\statusclient\StatusClient.exe /auto

mRun: [TomcatStartup] c:\program files\hewlett-packard\toolbox2.0\hpbpsttp.exe

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [vptray] c:\progra~1\symant~1\VPTray.exe

mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe

mRun: [CTHelper] CTHELPER.EXE

mRun: [CTxfiHlp] CTXFIHLP.EXE

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet

mRun: [DivXMediaServer] c:\program files\divx\divx media server\DivXMediaServer.exe

mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW

dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

StartupFolder: c:\docume~1\bear\startm~1\programs\startup\restar~1.lnk - f:\Viewsonic.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

uPolicies-Explorer: NoDriveTypeAutoRun = dword:323

uPolicies-Explorer: NoDriveAutoRun = dword:67108863

uPolicies-Explorer: NoDrives = dword:0

mPolicies-Explorer: NoDriveAutoRun = dword:67108863

mPolicies-Explorer: NoDriveTypeAutoRun = dword:323

mPolicies-Explorer: NoDrives = dword:0

mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1

mPolicies-Explorer: NoDriveTypeAutoRun = dword:323

mPolicies-Explorer: NoDriveAutoRun = dword:67108863

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1208005737100

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1343110122984

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

TCP: NameServer = 68.105.28.11 68.105.29.11 68.105.28.12

TCP: Interfaces\{8DA20054-D070-43F6-8030-E1EC8F25A103} : DHCPNameServer = 68.105.28.11 68.105.29.11 68.105.28.12

Notify: NavLogon - c:\windows\system32\NavLogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

============= SERVICES / DRIVERS ===============

.

.

=============== Created Last 30 ================

.

2013-01-08 17:57:11 98816 ----a-w- c:\windows\sed.exe

2013-01-08 17:57:11 256000 ----a-w- c:\windows\PEV.exe

2013-01-08 17:57:11 208896 ----a-w- c:\windows\MBR.exe

.

==================== Find3M ====================

.

2012-12-20 19:11:07 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-12-20 19:11:06 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-12-16 12:23:59 290560 ----a-w- c:\windows\system32\atmfd.dll

2012-11-13 20:29:04 354216 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl

2012-11-13 01:25:12 1866368 ----a-w- c:\windows\system32\win32k.sys

2012-11-02 02:02:42 375296 ----a-w- c:\windows\system32\dpnet.dll

2012-11-01 12:17:54 916992 ----a-w- c:\windows\system32\wininet.dll

2012-11-01 12:17:54 43520 ------w- c:\windows\system32\licmgr10.dll

2012-11-01 12:17:54 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-11-01 00:35:34 385024 ------w- c:\windows\system32\html.iec

.

============= FINISH: 8:59:46.21 ===============


How is the computer behaving now?

 

What antivirus program etc. do you plan to have?

At the moment you don't have a reliable solution.

 

Please, uninstall:

Java™ 6 Update 24

Java™ 6 Update 26

Those are old versions with known vulnerabilities that can be exploited by a web page to easily infect the computer.

Use Secunia's Software Inspector to check if you have other old versions with vulnerabilities.

http://www.bleepingcomputer.com/tutorials/detect-vulnerable-programs-with-secunia-psi/ describes how to install and use the program.

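The ComboFix log posted earlier and the advice to remove the two old Java installs both come down to reading the "Pseudo HJT Report" section: uRun/mRun lines are Run-key autostarts, and DPF lines are the ActiveX download entries whose jinstall cab names show which Java installers Internet Explorer still points at. The following is an added example, not part of this thread and not ComboFix's, Lavasoft's or Secunia's code, that parses a constructed sample in that layout (a handful of lines copied from the log above) and applies two of the checks a helper makes by eye: Run entries whose executable carries no path at all (such a value is located by the system's search order rather than at a fixed location, so it deserves a second look) and Java installer versions older than a caller-supplied baseline. The baseline version passed in is an assumption chosen for the example, and the version check assumes the cab name encodes the version as `jinstall-1_6_0_NN`.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in ComboFix's "Pseudo HJT Report" layout; the entries are
# taken from the log posted above and trimmed to the lines the checks need.
SAMPLE_LOG = """\
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\\program files\\google\\google toolbar\\GoogleToolbar_32.dll
uRun: [swg] "c:\\program files\\google\\googletoolbarnotifier\\GoogleToolbarNotifier.exe"
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [ccApp] "c:\\program files\\common files\\symantec shared\\ccApp.exe"
mRun: [CTHelper] CTHELPER.EXE
mRun: [QuickTime Task] "c:\\program files\\quicktime\\qttask.exe" -atboottime
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
"""

# uRun / mRun / dRun: [value name] command line
RUN_RE = re.compile(r"^([umd]Run): \[([^\]]*)\] (.*)$")
# DPF: {CLSID} - URL  (ComboFix writes hxxp:// so the link is not clickable)
DPF_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\}) - (\S+)$")
# Version embedded in the Java installer cab name, e.g. jinstall-1_6_0_26-windows-i586.cab
JAVA_VER_RE = re.compile(r"jinstall-(\d+(?:_\d+)+)-")

Version = Tuple[int, ...]


def parse_run_entries(log: str) -> List[Tuple[str, str, str]]:
    """Return (key kind, value name, command line) for every Run-key line."""
    entries = []
    for line in log.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2), m.group(3)))
    return entries


def executable_of(command: str) -> str:
    """Extract the program part of a Run command line (quoted or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def is_qualified(path: str) -> bool:
    """True when the executable is given with a drive, UNC prefix or directory."""
    return bool(re.match(r"^[A-Za-z]:\\", path)) or path.startswith("\\\\") or "\\" in path


def unqualified_run_entries(log: str) -> List[str]:
    """Names of Run entries whose executable has no path and is found by search order."""
    return [name for _, name, cmd in parse_run_entries(log)
            if not is_qualified(executable_of(cmd))]


def java_installer_versions(log: str) -> List[Version]:
    """Distinct Java versions referenced by DPF jinstall entries, sorted ascending."""
    versions = set()
    for line in log.splitlines():
        m = DPF_RE.match(line.strip())
        if not m:
            continue
        v = JAVA_VER_RE.search(m.group(2))
        if v:
            versions.add(tuple(int(part) for part in v.group(1).split("_")))
    return sorted(versions)


def java_versions_older_than(log: str, baseline: Version) -> List[Version]:
    """Java installer versions in the log that are older than the given baseline."""
    return [v for v in java_installer_versions(log) if v < baseline]


def review(log: str, java_baseline: Version) -> Dict[str, list]:
    """Summary a helper would post back: what to look at and what to uninstall."""
    return {
        "run_entries_without_path": unqualified_run_entries(log),
        "outdated_java_installers": java_versions_older_than(log, java_baseline),
    }


if __name__ == "__main__":
    # The baseline is an assumed value for the example, not a statement of
    # which Java release was current when this thread was written.
    for key, items in review(SAMPLE_LOG, (1, 6, 0, 30)).items():
        print(key, items)
```

Run against the sample this reports `Logitech Utility` and `CTHelper` as path-less autostarts (both are legitimate vendor tools in the log above, which is exactly why the check only flags them for a look rather than calling them malicious) and lists both Java 6 Update 24 and Update 26 as older than the assumed baseline, matching the two uninstall requests in the reply above.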

So I guess the Norton is no good. What antivirus program would you suggest? I will check with Secunia's Software Inspector for older versions of programs. The two Java updates were removed.

 

Bear

 

EDIT: a friend recommended these, are they any good?

 

SuperAntiSpyware

 

AVG 2013


Time for final clean-up.

 

1. Removal of ComboFix and all system restore points since they might be infected.

Press Windows-key + R

Copy and paste this line:

ComboFix /Uninstall

 

Note the space before /

Click on OK.

 

2. Removal of tools

Download OTC http://oldtimer.geekstogo.com/OTC.exe

Close all programs.

Start OTC program.

Click the CleanUp! button.

Select Yes when asked "Begin cleanup process".

If you are asked to reboot, select Yes.

If any logs remain on the computer you can remove them.

Any tools left?

 

3. Improve the security in the computer

It is very important to keep Windows and all programs updated. An old version of, for example, Flash contains vulnerabilities that make it easy to infect the computer from a web page. To help you with keeping everything updated you can use the program Secunia Personal Software Inspector (PSI). http://www.bleepingcomputer.com/tutorials/detect-vulnerable-programs-with-secunia-psi/ describes how to install and use the program.

 

Norton is good, but you need to have the latest version, Norton Antivirus 2013.

 

In my humble opinion SuperAntiSpyware doesn't find much more than cookies these days and cookies are never dangerous for the computer. This is the forum for Ad-Aware ;) Lavasoft certainly recommends that you have Ad-Aware 10 Antivirus+, Personal or Pro Security.


Using Secunia's Software Inspector, it says I need to update the security update below.

 

Security Update for Microsoft .NET Framework 1.1 SP1 on Windows XP, Windows Vista, and Windows Server 2008 x86 (KB2742597)

 

I have tried several times to update this and it fails every time. I have restarted the PC and re-downloaded the file and still no go. Any thoughts?

 

Bear


The PC seems to be running smoothly, but I followed the steps above to try and update the .NET Framework. It still failed. I followed the other steps to remove ComboFix and the other tools.

 

Bear


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

 

If you're the topic starter, and need this topic reopened, please contact the staff member who was helping you with your issue.

 

Everyone else please begin a New Topic.

 

Thank you !
