TechSpot

Malware infection Hijack control panel style

By rubbersoul
May 13, 2012
  1. Hi folks,

    Lately I've been having problems with my laptop freezing and running very slowly. I've done scans with MBAM and others, and the one main infection was a Hijack.ControlPanelStyle, which I have deleted, though it keeps coming back.

    I've had rootkit infections before and it seems similar to that, though I'm not sure. Here are the logs from MBAM (quick and full), GMER and DDS as requested.

    Thanks for the help.

    -----------------------------------------------------------------------------------------------------------------
    Malwarebytes Anti-Malware (Trial) 1.61.0.1400
    www.malwarebytes.org

    Database version: v2012.05.13.01

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Josh :: JOHN-53EAF8E1E1 [administrator]

    Protection: Disabled

    13/05/2012 4:35:38 PM
    mbam-log-2012-05-13 (16-35-38).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 201987
    Time elapsed: 6 minute(s), 16 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 1
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Data: 1 -> Quarantined and deleted successfully.

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)


    ----------------------------------------------------------------------------------
    Malwarebytes Anti-Malware (Trial) 1.61.0.1400
    www.malwarebytes.org

    Database version: v2012.05.13.01

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Josh :: JOHN-53EAF8E1E1 [administrator]

    Protection: Disabled

    13/05/2012 4:44:18 PM
    mbam-log-2012-05-13 (16-44-18).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 281158
    Time elapsed: 1 hour(s), 47 minute(s), 2 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

    ------------------------------------------------------------------------------------------
    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-05-13 18:36:23
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.LV01
    Running: gmer.exe; Driver: C:\DOCUME~1\Josh\LOCALS~1\Temp\uwncrpod.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0x9D993D5A]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0x9D993BC5]

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

    Device \Driver\Tcpip \Device\Ip OAmon.sys (TDI Helper Driver/Emsisoft)
    Device \Driver\Tcpip \Device\Tcp OAmon.sys (TDI Helper Driver/Emsisoft)
    Device \Driver\Tcpip \Device\Udp OAmon.sys (TDI Helper Driver/Emsisoft)
    Device \Driver\Tcpip \Device\RawIp OAmon.sys (TDI Helper Driver/Emsisoft)

    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

    ---- EOF - GMER 1.0.15 ----
    ----------------------------------------------------------------------------------------------------------------

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.4.1
    Run by Josh at 18:43:22 on 2012-05-13
    Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.2940.2062 [GMT 10:00]
    .
    AV: Panda Cloud Antivirus *Enabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: Online Armor Firewall *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Online Armor\OAcat.exe
    C:\Program Files\Online Armor\oasrv.exe
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
    C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\AVAST Software\Avast\avastUI.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Online Armor\OAui.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Online Armor\OAhlp.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com.au/
    BHO: {000123B4-9B42-4900-B3F7-F4B073EFC214} - No File
    BHO: IDM integration (IDMIEHlprObj Class): {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
    BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
    BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - No File
    TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
    uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
    uRun: [SageTV] "c:\program files\sagetv\sagetv\SageTV.exe" -startup
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [ActiveMultiwallpaper] c:\program files\activemultiwallpaper\Changer.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [@OnlineArmor GUI] "c:\program files\online armor\OAui.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
    dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
    IE: &Download by Orbit
    IE: &Grab video by Orbit
    IE: Do&wnload selected by Orbit
    IE: Down&load all by Orbit
    IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
    IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    TCP: Interfaces\{6A219B28-2B81-4C7E-8765-52D2B0D554CC} : NameServer = 8.26.56.26,156.154.70.22
    TCP: Interfaces\{AC7DDD6A-347A-4ACA-8A2B-5020D95DA085} : NameServer = 8.26.56.26,156.154.70.22
    TCP: Interfaces\{C1DEBEAC-51BF-4066-8DF9-52DF20265F80} : NameServer = 8.26.56.26,156.154.70.22
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\online~2\oaevent.dll
    SecurityProviders: schannel.dll, digest.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\josh\application data\mozilla\firefox\profiles\rs3txhg9.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
    FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
    FF - plugin: c:\program files\microsoft silverlight\3.0.40818.0\npctrlui.dll
    FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
    FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_235.dll
    FF - plugin: c:\windows\system32\npDeployJava1.dll
    FF - plugin: c:\windows\system32\npptools.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 iastor86;iastor86;c:\windows\system32\drivers\iastor86.sys [2010-4-4 327192]
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-11-12 442200]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-11-12 320856]
    R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [2011-12-30 103944]
    R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2012-1-21 205864]
    R1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [2012-1-21 40296]
    R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2012-1-21 25192]
    R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2012-1-21 29464]
    R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2011-11-23 130312]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-11-12 20568]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-11-12 44768]
    R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2012-1-20 21992]
    R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2011-4-28 140608]
    R2 OAcat;Online Armor Helper Service;c:\program files\online armor\oacat.exe [2012-1-21 207936]
    R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2012-1-5 144008]
    R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2011-4-28 97096]
    R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2011-4-28 111688]
    R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [2011-11-30 112648]
    R2 SvcOnlineArmor;Online Armor;c:\program files\online armor\oasrv.exe [2012-1-21 4363040]
    R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2011-12-8 5888]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-4-29 22344]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2011-12-8 197224]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-2-6 136176]
    S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-4-29 654408]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-5-8 257696]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2011-11-4 1691480]
    S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2011-12-4 117504]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-2-6 136176]
    S3 SageTV;SageTV;"c:\program files\sagetv\sagetv\sagetvservice.exe" --> c:\program files\sagetv\sagetv\SageTVService.exe [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S4 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\intel\intel(r) rapid storage technology\IAStorDataMgrSvc.exe [2011-12-8 13592]
    .
    =============== Created Last 30 ================
    .
    2012-05-09 15:19:27 -------- d-----w- c:\program files\CDisplay
    2012-05-08 07:37:16 -------- d-----w- c:\documents and settings\josh\local settings\application data\Sun
    2012-05-08 07:23:57 -------- d-----w- c:\windows\Performance
    2012-05-08 07:23:37 -------- d-----w- c:\documents and settings\josh\local settings\application data\Microsoft Corporation
    2012-05-08 07:22:08 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
    2012-05-08 07:09:58 -------- d-----w- c:\program files\Oracle
    2012-05-08 07:07:51 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
    2012-05-08 07:05:07 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-05-08 06:46:37 -------- d-----w- c:\documents and settings\all users\application data\boost_interprocess
    2012-05-08 05:52:25 -------- d-----w- c:\documents and settings\josh\application data\Ad-Aware Antivirus
    2012-05-06 13:27:17 -------- d-----w- c:\documents and settings\josh\application data\Panda Security
    2012-05-06 13:25:31 -------- d-----w- c:\program files\Panda Security
    2012-05-06 13:25:31 -------- d-----w- c:\documents and settings\all users\application data\Panda Security
    2012-05-06 13:23:09 -------- d-----w- C:\temp
    2012-05-06 09:26:45 -------- d-----w- c:\documents and settings\all users\application data\Sophos
    2012-05-06 08:59:17 73728 ----a-r- c:\documents and settings\josh\application data\microsoft\installer\{b829e117-d072-41ea-9606-9826a38d34c1}\SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
    2012-05-06 08:59:17 73728 ----a-r- c:\documents and settings\josh\application data\microsoft\installer\{b829e117-d072-41ea-9606-9826a38d34c1}\SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
    2012-05-06 08:59:17 73728 ----a-r- c:\documents and settings\josh\application data\microsoft\installer\{b829e117-d072-41ea-9606-9826a38d34c1}\ARPPRODUCTICON.exe
    2012-05-06 08:59:03 -------- d-----w- c:\program files\Sophos
    2012-05-06 03:20:13 -------- d-----w- c:\program files\MP4 to AVI
    2012-05-06 03:17:50 -------- d-----w- c:\program files\hpmonitor
    2012-05-06 03:17:35 17280 ----a-w- c:\windows\system32\roboot.exe
    2012-05-06 03:17:26 -------- d-----w- c:\documents and settings\josh\application data\systweak
    2012-05-06 03:11:53 -------- d-----w- c:\windows\RegisteredPackages
    2012-04-28 16:40:33 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-04-16 14:44:39 54784 ----a-w- c:\windows\system32\brinsstr.dll
    2012-04-16 14:44:24 34816 ------w- c:\windows\system32\BrWiaNCp.dll
    2012-04-16 14:44:23 61952 ------w- c:\windows\system32\BrNetSti.dll
    2012-04-16 14:44:23 37376 ------w- c:\windows\system32\Brnsplg.dll
    2012-04-16 14:44:23 18944 ------w- c:\windows\system32\BrnStiCp.cpl
    2012-04-16 14:44:22 9728 ------w- c:\windows\system32\BrSti07a.dll
    2012-04-16 14:44:13 163840 ------w- c:\windows\system32\NSSearch.dll
    2012-04-16 14:44:13 106496 ------w- c:\windows\system32\BrMuSNMP.dll
    2012-04-16 14:44:12 73728 ------w- c:\windows\system32\BRCrypt.dll
    2012-04-16 14:44:12 61440 ------w- c:\windows\system32\BrMfNt.dll
    2012-04-16 14:44:12 -------- d-----w- c:\program files\Brother
    2012-04-16 14:44:11 131072 ------w- c:\windows\brunin03.dll
    2012-04-16 14:43:32 -------- d-----w- c:\documents and settings\all users\application data\Brother
    2012-04-16 10:27:36 -------- d-sh--w- c:\documents and settings\josh\IECompatCache
    .
    ==================== Find3M ====================
    .
    2012-05-08 07:05:06 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-04-11 13:14:41 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-04-11 13:12:06 1862272 ----a-w- c:\windows\system32\win32k.sys
    2012-04-11 12:35:51 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2012-04-04 08:47:36 143872 ----a-w- c:\windows\system32\javacpl.cpl
    2012-04-04 08:47:02 687504 ----a-w- c:\windows\system32\deployJava1.dll
    2012-03-28 13:43:21 231760 ----a-w- c:\windows\system32\drivers\truecrypt.sys
    2012-03-01 11:01:32 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-03-01 11:01:32 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2012-03-01 11:01:32 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-02-29 14:10:16 177664 ----a-w- c:\windows\system32\wintrust.dll
    2012-02-29 14:10:16 148480 ----a-w- c:\windows\system32\imagehlp.dll
    2012-02-29 12:17:40 385024 ------w- c:\windows\system32\html.iec
    .
    ============= FINISH: 18:45:38.70 ===============
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! I'll help with the malware.

    Hijack.ControlPanelStyle is not the infection. It's a policy change most likely set by the malware.

    Is this the same system I helped you with last year? You had Microsoft Security Essentials then, right? You have an interesting 'bunch' of security now!

    Log header now shows:
    AV: Panda Cloud Antivirus *Enabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: Online Armor Firewall *Enabled*>> 2012-1-21

    And you also have installed:
    2012-05-06 >> Downloaded c:\program files\Sophos>> and ran the Sophos Virus Removal Tool
    2012-05-06 >> Downloaded c:\program files\Panda Security
    2012-05-08 >> Ran? c:\documents and settings\josh\application data\Ad-Aware Antivirus
    2012-05-06 >> Ran Systweak Advanced System Optimizer> which is a registry cleaner

    [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    2012-05-06 13:23:09 -------- d-----w- C:\temp <<<< Mystery file
    =============================================

    There may be more. But you should have one antivirus program, one firewall, NO registry cleaner; 2 or more antimalware programs are okay, but only one resident real-time one running, like TeaTimer.

    Please clean up the system to get down to that. Reboot the system when finished.
    ===============================================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan. Uninstall directions, if needed:
    • Click START> then RUN
    • Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the U; it needs to be there.
    --------------------------------------

    • Download Combofix from HERE or HERE and save to the desktop
      • Double click combofix.exe & follow the prompts.
      • If prompted for Recovery Console, please allow.
      • Once installed, you should see a blue screen prompt that says:
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install; just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close any open browsers.
    • Before you run the Combofix scan, please disable any security software you have running.
      (If you need help with this, please see HERE)
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.

    Re-enable your Antivirus software.
    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ============================================

    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ================================================

    Please update the following:
    Note: Check each download screen for any pre-checked Toolbars or BHOs. Uncheck them before the download.
    Adobe Reader > Adobe Reader Update
    Java(TM) > Java Updates.
    Uninstall any earlier versions of both as they are vulnerabilities for the system.

    Please leave Combofix and Eset scan logs in next reply.

    Edit: Scan instructions have been redone due to parsing.
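As an added example (not code from this thread, MBAM, DDS or ComboFix), a small Python parser that pulls Explorer policy values such as ForceClassicControlPanel out of the three log formats posted above and reports, per registry hive, where the value is still set and where a tool already removed it. The log excerpts inside it are constructed in the shape of the logs in this thread; the DDS hive-letter mapping (u = HKCU, m = HKLM, d = HKU\.DEFAULT) is an assumption taken from how the dRun/dPolicies lines line up with ComboFix's HKEY_USERS\.DEFAULT entries.

```python
"""Find Explorer policy values (e.g. ForceClassicControlPanel) in MBAM, DDS and
ComboFix logs and report, per registry hive, where they are still set."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Assumed DDS prefix mapping (see lead-in): u = HKCU, m = HKLM, d = HKU\.DEFAULT.
DDS_HIVES = {"u": "HKCU", "m": "HKLM", "d": "HKU\\.DEFAULT"}

# MBAM: HKCU\...\Policies\Explorer|Name (Signature) -> Data: 1 -> Quarantined and deleted successfully.
MBAM_RE = re.compile(
    r"^(?P<hive>[A-Z_]+)\\.+?\\Policies\\Explorer\|(?P<name>\w+) "
    r"\((?P<sig>[^)]+)\) -> Data: (?P<data>\d+) -> (?P<status>.+)$",
    re.IGNORECASE,
)
# DDS: dPolicies-explorer: Name = 1 (0x1)
DDS_RE = re.compile(r"^(?P<h>[umd])Policies-explorer: (?P<name>\w+) = (?P<data>\d+)")
# ComboFix: a [key] header followed by "Name"= 1 (0x1) lines
CF_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
CF_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>\d+)')


@dataclass(frozen=True)
class PolicyFinding:
    source: str    # which tool's log the line came from
    hive: str      # normalised hive name
    name: str      # policy value name
    data: int      # numeric data
    removed: bool  # True if the tool reports it quarantined/deleted


def normalise_hive(raw: str) -> str:
    """Map the hive spellings used across the three logs to one form."""
    r = raw.strip().upper()
    if r in ("HKCU", "HKEY_CURRENT_USER"):
        return "HKCU"
    if r in ("HKLM", "HKEY_LOCAL_MACHINE"):
        return "HKLM"
    if r.startswith("HKEY_USERS\\") or r.startswith("HKU\\"):
        return "HKU\\" + r.split("\\", 1)[1]
    return r


def hive_of_key(key: str) -> str:
    """Hive for a full ComboFix key path; HKEY_USERS keeps its SID component."""
    parts = key.split("\\")
    root = parts[0]
    if root.upper() == "HKEY_USERS" and len(parts) > 1:
        root = root + "\\" + parts[1]
    return normalise_hive(root)


def parse_mbam(text: str) -> List[PolicyFinding]:
    out = []
    for line in text.splitlines():
        m = MBAM_RE.match(line.strip())
        if m:
            out.append(PolicyFinding("MBAM", normalise_hive(m["hive"]), m["name"],
                                     int(m["data"]), "deleted" in m["status"].lower()))
    return out


def parse_dds(text: str) -> List[PolicyFinding]:
    out = []
    for line in text.splitlines():
        m = DDS_RE.match(line.strip())
        if m:
            out.append(PolicyFinding("DDS", DDS_HIVES[m["h"]], m["name"], int(m["data"]), False))
    return out


def parse_combofix(text: str) -> List[PolicyFinding]:
    out, key = [], ""
    for line in text.splitlines():
        line = line.strip()
        k = CF_KEY_RE.match(line)
        if k:
            key = k["key"]  # remember the key the following value lines belong to
            continue
        v = CF_VALUE_RE.match(line)
        if v and key.lower().endswith("\\policies\\explorer"):
            out.append(PolicyFinding("ComboFix", hive_of_key(key), v["name"], int(v["data"]), False))
    return out


def findings_from_logs(logs: Dict[str, str]) -> List[PolicyFinding]:
    parsers = {"MBAM": parse_mbam, "DDS": parse_dds, "ComboFix": parse_combofix}
    out: List[PolicyFinding] = []
    for source, text in logs.items():
        out.extend(parsers[source](text))
    return out


def hives_still_set(findings: List[PolicyFinding], name: str = "ForceClassicControlPanel") -> Dict[str, List[str]]:
    """Hives where the named policy is still present (non-zero, not removed), with the logs that saw it."""
    present: Dict[str, List[str]] = {}
    for f in findings:
        if f.name.lower() == name.lower() and not f.removed and f.data != 0:
            present.setdefault(f.hive, []).append(f.source)
    return present


# Constructed excerpts in the shape of the logs posted in this thread.
SAMPLE_LOGS = {
    "MBAM": r"""Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Data: 1 -> Quarantined and deleted successfully.
""",
    "DDS": r"""dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: &Download by Orbit
""",
    "ComboFix": r"""[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2010-04-03 128512]
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
.
""",
}

if __name__ == "__main__":
    found = findings_from_logs(SAMPLE_LOGS)
    for f in found:
        print(f"{f.source:9} {f.hive:13} {f.name} = {f.data}" + (" (removed)" if f.removed else ""))
    for hive, sources in hives_still_set(found).items():
        print(f"still set in {hive} according to {', '.join(sources)}")
```

On the constructed input this shows the value removed from HKCU by MBAM while DDS and ComboFix still list it under HKU\.DEFAULT, which is the pattern visible in the logs above.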
     
  3. rubbersoul

    rubbersoul TS Rookie Topic Starter Posts: 17

    Hey thanks for the help. I think this is a new install but with the same OS. Every 6 months or so I usually back everything up and do a fresh install.

    I've followed your directions and deleted all the extra AV programs and stuff. Just Avast, OA and Mbam now. I couldn't find that registry editor though?

    Here are the logs.

    ComboFix 12-05-13.04 - Josh 14/05/2012 14:11:22.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.2940.2486 [GMT 10:00]
    Running from: c:\documents and settings\Josh\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: Online Armor Firewall *Disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\TEMP
    C:\install.exe
    c:\windows\system32\SET253.tmp
    c:\windows\system32\SET26C.tmp
    c:\windows\system32\SET26E.tmp
    c:\windows\system32\SET27C.tmp
    c:\windows\system32\SET299.tmp
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-04-14 to 2012-05-14 )))))))))))))))))))))))))))))))
    .
    .
    2012-05-09 15:19 . 2012-05-09 15:19 -------- d-----w- c:\program files\CDisplay
    2012-05-08 07:37 . 2012-05-08 07:37 -------- d-----w- c:\documents and settings\Josh\Local Settings\Application Data\Sun
    2012-05-08 07:23 . 2012-05-08 07:23 -------- d-----w- c:\windows\Performance
    2012-05-08 07:23 . 2012-05-08 07:23 -------- d-----w- c:\documents and settings\Josh\Local Settings\Application Data\Microsoft Corporation
    2012-05-08 07:22 . 2012-05-08 07:22 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
    2012-05-08 07:11 . 2012-05-08 07:11 -------- d-----w- c:\program files\Common Files\Java
    2012-05-08 07:09 . 2012-05-08 07:09 -------- d-----w- c:\program files\Oracle
    2012-05-08 07:07 . 2012-05-08 07:07 -------- d-----w- c:\documents and settings\Josh\Application Data\Oracle
    2012-05-08 07:07 . 2012-04-04 08:47 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
    2012-05-08 07:05 . 2012-05-08 07:05 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-05-08 06:46 . 2012-05-08 06:46 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
    2012-05-08 05:52 . 2012-05-08 05:52 -------- d-----w- c:\documents and settings\Josh\Application Data\Ad-Aware Antivirus
    2012-05-06 13:27 . 2012-05-06 13:27 -------- d-----w- c:\documents and settings\Josh\Application Data\Panda Security
    2012-05-06 13:25 . 2012-05-14 03:47 -------- d-----w- c:\program files\Panda Security
    2012-05-06 13:25 . 2012-05-06 13:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security
    2012-05-06 13:23 . 2012-05-06 13:25 -------- d-----w- C:\temp
    2012-05-06 09:26 . 2012-05-06 09:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Sophos
    2012-05-06 03:20 . 2012-05-06 03:20 -------- d-----w- c:\program files\MP4 to AVI
    2012-05-06 03:17 . 2012-05-10 18:18 -------- d-----w- c:\program files\hpmonitor
    2012-05-06 03:17 . 2012-01-20 04:14 17280 ----a-w- c:\windows\system32\roboot.exe
    2012-05-06 03:17 . 2012-05-06 05:23 -------- d-----w- c:\documents and settings\Josh\Application Data\systweak
    2012-04-28 16:40 . 2012-04-04 05:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-04-16 14:44 . 2007-01-26 06:13 54784 ----a-w- c:\windows\system32\brinsstr.dll
    2012-04-16 14:44 . 2007-01-26 05:06 34816 ------w- c:\windows\system32\BrWiaNCp.dll
    2012-04-16 14:44 . 2007-02-06 09:50 61952 ------w- c:\windows\system32\BrNetSti.dll
    2012-04-16 14:44 . 2007-01-26 05:05 18944 ------w- c:\windows\system32\BrnStiCp.cpl
    2012-04-16 14:44 . 2006-12-26 09:39 37376 ------w- c:\windows\system32\Brnsplg.dll
    2012-04-16 14:44 . 2006-11-20 10:48 9728 ------w- c:\windows\system32\BrSti07a.dll
    2012-04-16 14:44 . 2007-01-18 03:51 163840 ------w- c:\windows\system32\NSSearch.dll
    2012-04-16 14:44 . 2002-11-26 03:43 106496 ------w- c:\windows\system32\BrMuSNMP.dll
    2012-04-16 14:44 . 2012-04-16 15:03 -------- d-----w- c:\program files\Brother
    2012-04-16 14:44 . 2007-04-27 07:13 61440 ------w- c:\windows\system32\BrMfNt.dll
    2012-04-16 14:44 . 2006-07-07 02:40 73728 ------w- c:\windows\system32\BRCrypt.dll
    2012-04-16 14:44 . 2007-02-15 03:54 131072 ------w- c:\windows\brunin03.dll
    2012-04-16 14:43 . 2012-04-16 14:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Brother
    2012-04-16 10:27 . 2012-04-16 10:27 -------- d-sh--w- c:\documents and settings\Josh\IECompatCache
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-05-08 07:05 . 2011-11-25 08:30 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-04-11 13:14 . 2010-04-03 15:46 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-04-11 13:12 . 2010-04-03 15:47 1862272 ----a-w- c:\windows\system32\win32k.sys
    2012-04-11 12:35 . 2009-12-08 18:43 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2012-04-04 08:47 . 2011-12-08 03:49 143872 ----a-w- c:\windows\system32\javacpl.cpl
    2012-04-04 08:47 . 2011-12-08 03:49 687504 ----a-w- c:\windows\system32\deployJava1.dll
    2012-03-28 13:43 . 2012-03-28 13:43 231760 ----a-w- c:\windows\system32\drivers\truecrypt.sys
    2012-03-01 11:01 . 2010-04-03 15:50 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-03-01 11:01 . 2010-04-03 15:50 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2012-03-01 11:01 . 2010-04-03 15:50 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-02-29 14:10 . 2008-04-14 03:42 177664 ----a-w- c:\windows\system32\wintrust.dll
    2012-02-29 14:10 . 2008-04-14 03:41 148480 ----a-w- c:\windows\system32\imagehlp.dll
    2012-02-29 12:17 . 2010-04-03 15:50 385024 ------w- c:\windows\system32\html.iec
    2012-02-19 01:18 . 2012-02-19 01:18 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2010-04-03 . 5A8E28037289FCCBF7AD3FC57DF7048F . 502272 . . [1.0626.6002.18005] . . c:\windows\system32\usp10.dll
    .
    [-] 2010-04-03 . F2DF0FDBD41B34112EE05ED04258F052 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-09-06 19:45 122512 ------w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
    @="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
    [HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
    2011-12-19 20:46 21864 ----a-w- c:\program files\Internet Download Manager\IDMShellExt.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2011-12-29 3462552]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-28 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-28 170520]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-28 141848]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]
    "RTHDCPL"="RTHDCPL.EXE" [2011-10-14 20064872]
    "@OnlineArmor GUI"="c:\program files\Online Armor\OAui.exe" [2011-11-01 2531104]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "_nltide_3"="advpack.dll" [2010-04-03 128512]
    .
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel"= 1 (0x1)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\ONLINE~2\oaevent.dll" [2011-11-01 358840]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders schannel.dll, digest.dll
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    backup=c:\windows\pss\Windows Search.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2011-03-30 04:59 937920 ------r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2011-09-07 22:58 37296 ------w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
    2011-07-28 23:08 1259376 ------w- c:\program files\DivX\DivX Update\DivXUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAStorIcon]
    2011-10-17 04:12 284440 ------w- c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2012-01-17 01:07 252296 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    2008-08-13 23:20 1343488 ------w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THotkey]
    2009-06-10 00:05 368640 ------w- c:\program files\TOSHIBA\TOSHIBA Applet\THotkey.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "CiSvc"=3 (0x3)
    "IAStorDataMgrSvc"=2 (0x2)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    .
    R0 iastor86;iastor86;c:\windows\system32\drivers\iastor86.sys [4/04/2010 3:03 AM 327192]
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [12/11/2011 11:10 PM 442200]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/11/2011 11:10 PM 320856]
    R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [30/12/2011 12:35 AM 103944]
    R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [21/01/2012 1:00 PM 205864]
    R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [21/01/2012 1:00 PM 25192]
    R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [21/01/2012 1:00 PM 29464]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/11/2011 11:10 PM 20568]
    R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [20/01/2012 12:56 AM 21992]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [29/04/2012 2:42 AM 654408]
    R2 OAcat;Online Armor Helper Service;c:\program files\Online Armor\oacat.exe [21/01/2012 1:00 PM 207936]
    R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [4/12/2011 4:16 PM 117504]
    R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [8/12/2011 5:01 PM 5888]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [29/04/2012 2:40 AM 22344]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [8/12/2011 5:11 PM 197224]
    S1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [21/01/2012 1:00 PM 40296]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 12:16 PM 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/02/2012 5:07 PM 136176]
    S2 SvcOnlineArmor;Online Armor;c:\program files\Online Armor\oasrv.exe [21/01/2012 1:00 PM 4363040]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [8/05/2012 5:05 PM 257696]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [4/11/2011 7:51 PM 1691480]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/02/2012 5:07 PM 136176]
    S3 SageTV;SageTV;"c:\program files\SageTV\SageTV\SageTVService.exe" --> c:\program files\SageTV\SageTV\SageTVService.exe [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 12:16 PM 753504]
    S4 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [8/12/2011 5:06 PM 13592]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-05-14 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-08 07:05]
    .
    2012-05-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-02-06 07:07]
    .
    2012-05-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-02-06 07:07]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com.au/
    IE: &Download by Orbit
    IE: &Grab video by Orbit
    IE: Do&wnload selected by Orbit
    IE: Down&load all by Orbit
    IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
    IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
    TCP: DhcpNameServer = 192.231.203.132 192.231.203.3
    TCP: Interfaces\{6A219B28-2B81-4C7E-8765-52D2B0D554CC}: NameServer = 8.26.56.26,156.154.70.22
    TCP: Interfaces\{AC7DDD6A-347A-4ACA-8A2B-5020D95DA085}: NameServer = 8.26.56.26,156.154.70.22
    TCP: Interfaces\{C1DEBEAC-51BF-4066-8DF9-52DF20265F80}: NameServer = 8.26.56.26,156.154.70.22
    FF - ProfilePath - c:\documents and settings\Josh\Application Data\Mozilla\Firefox\Profiles\rs3txhg9.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    HKCU-Run-SageTV - c:\program files\SageTV\SageTV\SageTV.exe
    HKCU-Run-ActiveMultiwallpaper - c:\program files\ActiveMultiwallpaper\Changer.exe
    MSConfigStartUp-LClock - c:\program files\LClock\LClock.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-05-14 14:23
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
    @Denied: (Full) (Everyone)
    "scansk"=hex(0):dd,e0,08,ad,41,17,d5,b6,6f,94,59,8c,d7,7c,eb,35,84,4d,35,a8,58,
    d8,ed,e9,14,00,d2,91,aa,69,47,8f,f3,dc,b9,14,43,c1,2e,08,00,00,00,00,00,00,\
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{db97409d-dda6-40f8-ae74-1137eff9b27c}]
    @Denied: (Full) (Everyone)
    "Model"=dword:00000083
    "Therad"=dword:00000010
    .
    Completion time: 2012-05-14 14:26:45
    ComboFix-quarantined-files.txt 2012-05-14 04:26
    .
    Pre-Run: 47,314,944,000 bytes free
    Post-Run: 47,599,636,480 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(3)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - 2A3FD83E846FAB393556388ACC779B60

    ----------------------------------------------------------------------------------------

    ESET

    C:\Documents and Settings\All Users\Start Menu\Programs\eBay.url Win32/Adware.ADON application
    C:\Documents and Settings\Josh\My Documents\Downloads\cnet2_Pazera_Free_MP4_to_AVI_Converter_exe.exe a variant of Win32/InstallCore.D application
    C:\Documents and Settings\Josh\My Documents\Downloads\Programs\cnet2_alarm1_exe.exe a variant of Win32/InstallCore.D application
    C:\Documents and Settings\Josh\My Documents\Downloads\Programs\cnet2_K-Lite_Codec_Pack_800_Mega_exe.exe a variant of Win32/InstallCore.D application
    C:\Documents and Settings\Josh\My Documents\Downloads\Programs\cnet2_Pazera_Free_MP4_to_AVI_Converter_exe.exe a variant of Win32/InstallCore.D application
    C:\Documents and Settings\Josh\My Documents\Downloads\Programs\cnet2_vsw300_exe.exe a variant of Win32/InstallCore.D application
     
  4. rubbersoul

    rubbersoul TS Rookie Topic Starter Posts: 17

    bump
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Why do you do that?
     
  6. rubbersoul

    rubbersoul TS Rookie Topic Starter Posts: 17

    It's not really a structured thing, just a method of keeping things fresh, I suppose.

    What do you think about the above logs? Any reason why the text is scrambled?
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Wow- something caused the Combofix and Eset directions to parse! Hope you got through the reading.

    For the Eset entries:
    Please download OTMoveIt by OldTimer and save it to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      
      :Files
      C:\Documents and Settings\All Users\Start Menu\Programs\eBay.url 
      C:\Documents and Settings\Josh\My Documents\Downloads\cnet2_Pazera_Free_MP4_to_AVI_Converter_exe.exe 
      C:\Documents and Settings\Josh\My Documents\Downloads\Programs\cnet2_alarm1_exe.exe 
      C:\Documents and Settings\Josh\My Documents\Downloads\Programs\cnet2_K-Lite_Codec_Pack_800_Mega_exe.exe 
      C:\Documents and Settings\Josh\My Documents\Downloads\Programs\cnet2_Pazera_Free_MP4_to_AVI_Converter_exe.exe 
      C:\Documents and Settings\Josh\My Documents\Downloads\Programs\cnet2_vsw300_exe.exe 
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    --------------------------------------------------------

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    FileLook::
    c:\windows\system32\usp10.dll
    c:\windows\system32\sfcfiles.dll
    DDS::
    BHO: {000123B4-9B42-4900-B3F7-F4B073EFC214} - No File
    BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - No File
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
     
    Folder::
    C:\temp
    c:\documents and settings\Josh\Application Data\Ad-Aware Antivirus
    c:\documents and settings\Josh\Application Data\Panda Security
    c:\program files\Panda Security
    c:\documents and settings\All Users\Application Data\Panda Security
    c:\documents and settings\All Users\Application Data\Sophos
    c:\documents and settings\Josh\Application Data\systweak
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=-
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel"=-
    RegLock::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{db97409d-dda6-40f8-ae74-1137eff9b27c}]
     
    Clearjavacache::
     
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
    ====================
    Note: Check each download screen for any pre-checked Toolbars or BHOs. Uncheck them before the download.

    Please update the following:
    Adobe Reader > to the current version> Adobe Reader Update
    Java(TM) > to the current version> Java Updates .
    Uninstall any earlier versions of both, as they are vulnerabilities for the system.


    Edit: scrambled text was on this end, not from your system. Sometimes running the Google Spell check will do it.
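    A small triage script, added here as an example and not part of this thread or of ComboFix, MBAM or OTM: it parses the REGEDIT4-style "Reg Loading Points" lines from the ComboFix log posted above, flags the Explorer policy value MBAM reports as Hijack.ControlPanelStyle and any Windows Firewall AuthorizedApplications entry for review, and renders the `Registry::` block with `"Name"=-` deletion lines in the form the CFScript above uses. The sample log excerpt is constructed from the posted log.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread; it is not part of ComboFix, MBAM or OTM.
It parses the REGEDIT4-style key/value lines ComboFix prints, flags the two
kinds of entry the helper's CFScript removes (an Explorer policy value and a
firewall AuthorizedApplications entry) and renders the matching Registry::
block, whose "Name"=- lines are the REGEDIT4 syntax for deleting a value.
"""
import re
from dataclasses import dataclass

# Excerpt constructed from the ComboFix log posted earlier in this thread.
SAMPLE_LOG = r"""
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2011-12-29 3462552]
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"CiSvc"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
.
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# "Name"=data ; REGEDIT4 escapes a backslash inside the quoted name as \\
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"\s*=\s*(?P<data>.*)$')

EXPLORER_POLICY_SUFFIX = r'\policies\explorer'
FIREWALL_LIST_SUFFIX = r'\firewallpolicy\standardprofile\authorizedapplications\list'


@dataclass(frozen=True)
class RegEntry:
    key: str
    name: str   # value name with REGEDIT4 escaping removed
    data: str   # everything after '=' as ComboFix printed it


def parse_loading_points(text):
    """Return the (key, value name, data) triples in a Reg Loading Points dump."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ('.', 'REGEDIT4'):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:   # '@=' defaults and file-stamp lines are skipped
            name = m.group('name').replace('\\\\', '\\')
            entries.append(RegEntry(key, name, m.group('data').strip()))
    return entries


def flag_entries(entries):
    """Pair each entry worth a second look with the reason it was flagged."""
    findings = []
    for e in entries:
        k = e.key.lower()
        if k.endswith(EXPLORER_POLICY_SUFFIX):
            why = 'Explorer policy value set'
            if e.name.lower() == 'forceclassiccontrolpanel':
                why += ' (MBAM reports this one as Hijack.ControlPanelStyle)'
            findings.append((e, why))
        elif k.endswith(FIREWALL_LIST_SUFFIX):
            findings.append((e, 'program allowed through the Windows Firewall; confirm it is wanted'))
    return findings


def registry_delete_block(findings):
    """Render a CFScript Registry:: block that deletes each flagged value."""
    lines = ['Registry::']
    for entry, _ in findings:
        lines.append(f'[{entry.key}]')
        lines.append('"%s"=-' % entry.name.replace('\\', '\\\\'))
    return '\n'.join(lines)


if __name__ == '__main__':
    found = flag_entries(parse_loading_points(SAMPLE_LOG))
    for entry, why in found:
        print(f'{entry.key}\n    "{entry.name}" = {entry.data or "(empty)"}  <- {why}')
    print()
    print(registry_delete_block(found))
```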
     
  8. rubbersoul

    rubbersoul TS Rookie Topic Starter Posts: 17

    Ah cool, I wasn't aware of that feature!

    Following logs as requested:


    All processes killed
    ========== FILES ==========
    C:\Documents and Settings\All Users\Start Menu\Programs\eBay.url moved successfully.
    C:\Documents and Settings\Josh\My Documents\Downloads\cnet2_Pazera_Free_MP4_to_AVI_Converter_exe.exe moved successfully.
    C:\Documents and Settings\Josh\My Documents\Downloads\Programs\cnet2_alarm1_exe.exe moved successfully.
    C:\Documents and Settings\Josh\My Documents\Downloads\Programs\cnet2_K-Lite_Codec_Pack_800_Mega_exe.exe moved successfully.
    C:\Documents and Settings\Josh\My Documents\Downloads\Programs\cnet2_Pazera_Free_MP4_to_AVI_Converter_exe.exe moved successfully.
    C:\Documents and Settings\Josh\My Documents\Downloads\Programs\cnet2_vsw300_exe.exe moved successfully.
    File/Folder [purity] not found.
    File/Folder [emptytemp] not found.
    File/Folder [start explorer] not found.
    File/Folder [Reboot] not found.

    OTM by OldTimer - Version 3.1.19.0 log created on 05172012_013701

    ComboFix 12-05-13.04 - Josh 17/05/2012 1:55.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.2940.2469 [GMT 10:00]
    Running from: c:\documents and settings\Josh\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Josh\Desktop\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: Online Armor Firewall *Disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\Panda Security
    c:\documents and settings\All Users\Application Data\Sophos
    c:\documents and settings\All Users\Application Data\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log
    c:\documents and settings\Josh\Application Data\Ad-Aware Antivirus
    c:\documents and settings\Josh\Application Data\Ad-Aware Antivirus\Installer.xml
    c:\documents and settings\Josh\Application Data\Ad-Aware Antivirus\update-parameters.xml
    c:\documents and settings\Josh\Application Data\Panda Security
    c:\documents and settings\Josh\Application Data\systweak
    c:\program files\Panda Security
    C:\temp
    c:\temp\CloudAvBootstrap.xml
    c:\temp\CloudAvBootstrap.xml.Result
    c:\windows\system32\roboot.exe
    c:\windows\system32\Thumbs.db
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-04-16 to 2012-05-16 )))))))))))))))))))))))))))))))
    .
    .
    2012-05-16 15:37 . 2012-05-16 15:37 -------- d-----w- C:\_OTM
    2012-05-14 04:32 . 2012-05-14 04:32 -------- d-----w- c:\program files\ESET
    2012-05-09 15:19 . 2012-05-09 15:19 -------- d-----w- c:\program files\CDisplay
    2012-05-08 07:37 . 2012-05-08 07:37 -------- d-----w- c:\documents and settings\Josh\Local Settings\Application Data\Sun
    2012-05-08 07:23 . 2012-05-08 07:23 -------- d-----w- c:\windows\Performance
    2012-05-08 07:23 . 2012-05-08 07:23 -------- d-----w- c:\documents and settings\Josh\Local Settings\Application Data\Microsoft Corporation
    2012-05-08 07:22 . 2012-05-08 07:22 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
    2012-05-08 07:11 . 2012-05-08 07:11 -------- d-----w- c:\program files\Common Files\Java
    2012-05-08 07:09 . 2012-05-08 07:09 -------- d-----w- c:\program files\Oracle
    2012-05-08 07:07 . 2012-05-08 07:07 -------- d-----w- c:\documents and settings\Josh\Application Data\Oracle
    2012-05-08 07:07 . 2012-04-04 08:47 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
    2012-05-08 07:05 . 2012-05-08 07:05 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-05-08 06:46 . 2012-05-08 06:46 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
    2012-05-06 03:20 . 2012-05-06 03:20 -------- d-----w- c:\program files\MP4 to AVI
    2012-05-06 03:17 . 2012-05-10 18:18 -------- d-----w- c:\program files\hpmonitor
    2012-04-28 16:40 . 2012-04-04 05:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-05-08 07:05 . 2011-11-25 08:30 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-04-11 13:14 . 2010-04-03 15:46 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-04-11 13:12 . 2010-04-03 15:47 1862272 ----a-w- c:\windows\system32\win32k.sys
    2012-04-11 12:35 . 2009-12-08 18:43 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2012-04-04 08:47 . 2011-12-08 03:49 143872 ----a-w- c:\windows\system32\javacpl.cpl
    2012-04-04 08:47 . 2011-12-08 03:49 687504 ----a-w- c:\windows\system32\deployJava1.dll
    2012-03-28 13:43 . 2012-03-28 13:43 231760 ----a-w- c:\windows\system32\drivers\truecrypt.sys
    2012-03-01 11:01 . 2010-04-03 15:50 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-03-01 11:01 . 2010-04-03 15:50 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2012-03-01 11:01 . 2010-04-03 15:50 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-02-29 14:10 . 2008-04-14 03:42 177664 ----a-w- c:\windows\system32\wintrust.dll
    2012-02-29 14:10 . 2008-04-14 03:41 148480 ----a-w- c:\windows\system32\imagehlp.dll
    2012-02-29 12:17 . 2010-04-03 15:50 385024 ------w- c:\windows\system32\html.iec
    2012-02-19 01:18 . 2012-02-19 01:18 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    --- c:\windows\system32\sfcfiles.dll ---
    Company: Microsoft Corporation
    File Description: Windows 2000 System File Checker
    File Version: 5.1.2600.5512 (xpsp.080413-2111)
    Product Name: Microsoft® Windows® Operating System
    Copyright: © Microsoft Corporation. All rights reserved.
    Original Filename:
    File size: 1614848
    Created time: 2010-04-03 16:08
    Modified time: 2010-04-03 16:08
    MD5: F2DF0FDBD41B34112EE05ED04258F052
    SHA1: 2CB9068D136F7D997C23D65B375F4CEFF176A1DF
    .
    .
    --- c:\windows\system32\usp10.dll ---
    Company: Microsoft Corporation
    File Description: Uniscribe Unicode script processor
    File Version: 1.0626.6002.18005 (lh_sp2rtm.090410-1830)
    Product Name: Microsoft(R) Uniscribe Unicode script processor
    Copyright: © Microsoft Corporation. All rights reserved.
    Original Filename: Uniscribe
    File size: 502272
    Created time: 2010-04-03 15:52
    Modified time: 2010-04-03 15:52
    MD5: 5A8E28037289FCCBF7AD3FC57DF7048F
    SHA1: 72023966662046D78A7F38C78548BEE1E42ACA75
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2010-04-03 . 5A8E28037289FCCBF7AD3FC57DF7048F . 502272 . . [1.0626.6002.18005] . . c:\windows\system32\usp10.dll
    .
    [-] 2010-04-03 . F2DF0FDBD41B34112EE05ED04258F052 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-09-06 19:45 122512 ------w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
    @="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
    [HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
    2012-02-08 00:49 22376 ----a-w- c:\program files\Internet Download Manager\IDMShellExt.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2012-05-14 3478936]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-28 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-28 170520]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-28 141848]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]
    "RTHDCPL"="RTHDCPL.EXE" [2011-10-14 20064872]
    "@OnlineArmor GUI"="c:\program files\Online Armor\OAui.exe" [2011-11-01 2531104]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "_nltide_3"="advpack.dll" [2010-04-03 128512]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\ONLINE~2\oaevent.dll" [2011-11-01 358840]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders schannel.dll, digest.dll
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    backup=c:\windows\pss\Windows Search.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2012-01-02 00:07 843712 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2012-03-27 12:41 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
    2011-07-28 23:08 1259376 ------w- c:\program files\DivX\DivX Update\DivXUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAStorIcon]
    2011-10-17 04:12 284440 ------w- c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2012-01-17 01:07 252296 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    2008-08-13 23:20 1343488 ------w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THotkey]
    2009-06-10 00:05 368640 ------w- c:\program files\TOSHIBA\TOSHIBA Applet\THotkey.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "CiSvc"=3 (0x3)
    "IAStorDataMgrSvc"=2 (0x2)
    .
    R0 iastor86;iastor86;c:\windows\system32\drivers\iastor86.sys [4/04/2010 3:03 AM 327192]
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [12/11/2011 11:10 PM 442200]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/11/2011 11:10 PM 320856]
    R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [16/03/2012 9:08 PM 104456]
    R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [21/01/2012 1:00 PM 205864]
    R1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [21/01/2012 1:00 PM 40296]
    R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [21/01/2012 1:00 PM 25192]
    R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [21/01/2012 1:00 PM 29464]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/11/2011 11:10 PM 20568]
    R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [20/01/2012 12:56 AM 21992]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [29/04/2012 2:42 AM 654408]
    R2 OAcat;Online Armor Helper Service;c:\program files\Online Armor\oacat.exe [21/01/2012 1:00 PM 207936]
    R2 SvcOnlineArmor;Online Armor;c:\program files\Online Armor\oasrv.exe [21/01/2012 1:00 PM 4363040]
    R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [4/12/2011 4:16 PM 117504]
    R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [8/12/2011 5:01 PM 5888]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [29/04/2012 2:40 AM 22344]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [8/12/2011 5:11 PM 197224]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 12:16 PM 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/02/2012 5:07 PM 136176]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [8/05/2012 5:05 PM 257696]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [4/11/2011 7:51 PM 1691480]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/02/2012 5:07 PM 136176]
    S3 SageTV;SageTV;"c:\program files\SageTV\SageTV\SageTVService.exe" --> c:\program files\SageTV\SageTV\SageTVService.exe [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 12:16 PM 753504]
    S4 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [8/12/2011 5:06 PM 13592]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-05-16 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-08 07:05]
    .
    2012-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-02-06 07:07]
    .
    2012-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-02-06 07:07]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com.au/
    IE: &Download by Orbit
    IE: &Grab video by Orbit
    IE: Do&wnload selected by Orbit
    IE: Down&load all by Orbit
    IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
    IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
    TCP: Interfaces\{6A219B28-2B81-4C7E-8765-52D2B0D554CC}: NameServer = 8.26.56.26,156.154.70.22
    TCP: Interfaces\{AC7DDD6A-347A-4ACA-8A2B-5020D95DA085}: NameServer = 8.26.56.26,156.154.70.22
    TCP: Interfaces\{C1DEBEAC-51BF-4066-8DF9-52DF20265F80}: NameServer = 8.26.56.26,156.154.70.22
    FF - ProfilePath - c:\documents and settings\Josh\Application Data\Mozilla\Firefox\Profiles\rs3txhg9.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-05-17 02:16
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Completion time: 2012-05-17 02:23:08
    ComboFix-quarantined-files.txt 2012-05-16 16:22
    ComboFix2.txt 2012-05-14 04:26
    .
    Pre-Run: 42,778,320,896 bytes free
    Post-Run: 42,772,160,512 bytes free
    .
    - - End Of File - - 5414CBB48831CA851EA825B91D7D8F83
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please run OTM again:

    Please download OTMoveIt by Old Timer and save it to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files
      C:\Documents and Settings\All Users\Start Menu\Programs\eBay.url 
      C:\Documents and Settings\Josh\My Documents\Downloads\cnet2_Pazera_Free_MP4_to_AVI_Converter_exe.exe 
      C:\Documents and Settings\Josh\My Documents\Downloads\Programs\cnet2_alarm1_exe.exe 
      C:\Documents and Settings\Josh\My Documents\Downloads\Programs\cnet2_K-Lite_Codec_Pack_800_Mega_exe.exe 
      C:\Documents and Settings\Josh\My Documents\Downloads\Programs\cnet2_Pazera_Free_MP4_to_AVI_Converter_exe.exe 
      C:\Documents and Settings\Josh\My Documents\Downloads\Programs\cnet2_vsw300_exe.exe
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ---------------------------------------------------------------
    It may not show any entries for processes but the Commands shouldn't come out like that.

    I'll be back in a bit to check Combofix.
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Combofix looks okay. Give me an update on the system.
     
  11. rubbersoul

    rubbersoul TS Rookie Topic Starter Posts: 17

    All processes killed
    ========== FILES ==========
    File/Folder C:\Documents and Settings\All Users\Start Menu\Programs\eBay.url not found.
    File/Folder C:\Documents and Settings\Josh\My Documents\Downloads\cnet2_Pazera_Free_MP4_to_AVI_Converter_exe.exe not found.
    File/Folder C:\Documents and Settings\Josh\My Documents\Downloads\Programs\cnet2_alarm1_exe.exe not found.
    File/Folder C:\Documents and Settings\Josh\My Documents\Downloads\Programs\cnet2_K-Lite_Codec_Pack_800_Mega_exe.exe not found.
    File/Folder C:\Documents and Settings\Josh\My Documents\Downloads\Programs\cnet2_Pazera_Free_MP4_to_AVI_Converter_exe.exe not found.
    File/Folder C:\Documents and Settings\Josh\My Documents\Downloads\Programs\cnet2_vsw300_exe.exe not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->FireFox cache emptied: 2238556 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->FireFox cache emptied: 2238556 bytes

    User: Josh
    ->Temp folder emptied: 273774 bytes
    ->Temporary Internet Files folder emptied: 327974 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 855837065 bytes
    ->Flash cache emptied: 7033 bytes

    User: LocalService
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 2402797 bytes
    %systemroot%\System32 .tmp files removed: 2577 bytes
    %systemroot%\System32\dllcache .tmp files removed: 8231936 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 439 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 82654 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 831.00 mb


    OTM by OldTimer - Version 3.1.19.0 log created on 05172012_141236
     
  12. rubbersoul

    rubbersoul TS Rookie Topic Starter Posts: 17

    You mean virus/ freezing wise? I haven't noticed any freezing/ much slowing down in the last day
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Do you see the difference in the OTM logs? I note OTM Total Files Cleaned = 831.00 mb. That's a lot of excess files to be carrying around! Set up some regular maintenance and stick to it.

    The problems you gave were laptop freezing and going very slow and Hijack.ControlPanelStyle. You said the former was resolved and the latter is a policy setting. Is there anything else?

    The Attach.txt log from DDS is missing. Check and see if it's on the system and paste it in please.
     
  14. rubbersoul

    rubbersoul TS Rookie Topic Starter Posts: 17

    I have just reduced the Firefox cache down to 50mb. Is there anything else in particular I should be looking at to clean up?

    It has frozen a couple times since my last post. I'm running a new scan on MBAM and I will do a defrag tonight and see how it goes.

    I can't find the Attach.txt, it must have been deleted. Would you like me to do another scan?

    Thanks
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Unless you turn up something new, the malware has been handled. You have an entire operating system with many potentials for freezing besides malware. If the freezing continues, please start a new thread in the BSOD forum.

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    -----
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    ------------------------------------------
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

    Empty the Recycle Bin
    ======================================

    Be sure you do the updates I left for you. Run the following after the cleanup:

    Run this once in a while so the files don't pile up: TFC (Temp File Cleaner)

    Download TFC to your desktop
    • Open the file and close any other windows.
    • It will close all programs itself when run, make sure to let it run uninterrupted.
    • Click the Start button to begin the process. The program should not take long to finish its job.
    • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

    TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

    TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
     
  16. rubbersoul

    rubbersoul TS Rookie Topic Starter Posts: 17

    Done and done. Thanks for all your help! Much obliged :)
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're very welcome. Stay safe!
     
Topic Status:
Not open for further replies.
