TechSpot

XP Internet Security 2012

Solved
By Twoflower
Jan 11, 2012
  1. I have the dreaded XP Internet Security 2012 issue. I thought I had removed all traces of the files yesterday; however, I've been re-infected today.

    Below are my log files. I did run RKill in order to access the internet.

    Looks like I need to re-run Malwarebytes. I will do that and post the log.

    GMER

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-01-11 00:52:50
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 HTS541040G9SA00 rev.MB2IC60R
    Running: dcp5t91h.exe; Driver: C:\DOCUME~1\Admin\LOCALS~1\Temp\pwqdraoc.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    .text mrxsmb.sys A88BE000 6 Bytes [00, C0, E9, 08, 0C, 00]
    .text mrxsmb.sys A88BE007 46 Bytes [90, 90, 90, 90, 90, FF, 25, ...]
    .text mrxsmb.sys A88BE036 24 Bytes [90, 90, 90, 90, 8B, FF, 55, ...]
    .text mrxsmb.sys A88BE04F 31 Bytes [68, F0, 9B, 8D, A8, 56, E8, ...]
    .text mrxsmb.sys A88BE070 246 Bytes [53, 68, 9A, E0, 8B, A8, 57, ...]
    .text ...
    ? C:\WINDOWS\system32\DRIVERS\mrxsmb.sys suspicious PE modification

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\System32\svchost.exe[1668] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 019C000A
    .text C:\WINDOWS\System32\svchost.exe[1668] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 019D000A
    .text C:\WINDOWS\System32\svchost.exe[1668] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 019B000C
    .text C:\WINDOWS\system32\SearchIndexer.exe[3668] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Fastfat \Fat A6BA2D20

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Modules - GMER 1.0.15 ----

    Module (noname) (*** hidden *** ) A8955000-A8971000 (114688 bytes)

    ---- Files - GMER 1.0.15 ----

    File C:\RRbackups\common 0 bytes
    File C:\RRbackups\common\hints.dat 8192 bytes
    File C:\RRbackups\common\mnd.dat 8192 bytes
    File C:\RRbackups\common\regcerts.dat 8192 bytes
    File C:\RRbackups\common\rr.log 757 bytes
    File C:\RRbackups\common\SAM 28672 bytes
    File C:\RRbackups\common\secpolicy.dat 53248 bytes
    File C:\RRbackups\common\settings.dat 28672 bytes
    File C:\RRbackups\common\system.dat 12288 bytes
    File C:\RRbackups\common\tvtns.bin 23 bytes
    File C:\RRbackups\common\usersids.dat 15600 bytes
    File C:\RRbackups\Documents and Settings 0 bytes
    File C:\RRbackups\Documents and Settings\Admin 0 bytes
    File C:\RRbackups\Documents and Settings\Admin\Application Data 0 bytes
    File C:\RRbackups\Documents and Settings\Admin\Application Data\Lenovo 0 bytes
    File C:\RRbackups\Documents and Settings\Admin\Application Data\Lenovo\Client Security Solution 0 bytes
    File C:\RRbackups\Documents and Settings\Admin\Application Data\Lenovo\Client Security Solution\hibernation.dat 4 bytes
    File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft 0 bytes
    File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\Crypto 0 bytes
    File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\Crypto\RSA 0 bytes
    File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\Crypto\RSA\S-1-5-21-2892286239-3679062826-358022272-1005 0 bytes
    File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\Crypto\RSA\S-1-5-21-2892286239-3679062826-358022272-1005\43e3a4a9826996aba5d7727553958fbf_f98f56a2-efd3-4206-9e4e-8df438541ae1 1279 bytes
    File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\Crypto\RSA\S-1-5-21-2892286239-3679062826-358022272-1005\6b29ae44e85efac3c72ff4d1865d73f1_f98f56a2-efd3-4206-9e4e-8df438541ae1 53 bytes
    File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\Crypto\RSA\S-1-5-21-2892286239-3679062826-358022272-1005\83aa4cc77f591dfc2374580bbd95f6ba_f98f56a2-efd3-4206-9e4e-8df438541ae1 45 bytes
    File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\Crypto\RSA\S-1-5-21-2892286239-3679062826-358022272-1005\8f71098770f72c7a67cd8f1151619865_f98f56a2-efd3-4206-9e4e-8df438541ae1 54 bytes
    File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\Protect 0 bytes
    File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\Protect\CREDHIST 24 bytes
    File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\Protect\S-1-5-21-1756038592-513179481-3750871285-500 0 bytes
    File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\Protect\S-1-5-21-1756038592-513179481-3750871285-500\8d9e96a6-6040-41fe-9013-b5f97e847600 388 bytes
    File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\Protect\S-1-5-21-1756038592-513179481-3750871285-500\Preferred 24 bytes
    File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\Protect\S-1-5-21-2892286239-3679062826-358022272-1005 0 bytes
    File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\Protect\S-1-5-21-2892286239-3679062826-358022272-1005\3dbd08ca-ba50-4043-bf2a-bfa8816fccec 388 bytes
    File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\Protect\S-1-5-21-2892286239-3679062826-358022272-1005\8230652c-d1ce-4bb7-9db5-3284a4a0f023 388 bytes
    File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\Protect\S-1-5-21-2892286239-3679062826-358022272-1005\Preferred 24 bytes
    File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\Protect\S-1-5-21-786017641-2925068380-3473360674-500 0 bytes
    File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\Protect\S-1-5-21-786017641-2925068380-3473360674-500\d798298d-45cc-4c54-aec1-daa1a9828fe8 388 bytes
    File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\Protect\S-1-5-21-786017641-2925068380-3473360674-500\Preferred 24 bytes
    File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\SystemCertificates 0 bytes
    File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\SystemCertificates\My 0 bytes
    File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
    File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\SystemCertificates\My\Certificates\60EA223EDC33A88A5A48C90EA53CEFB1555815D1 824 bytes
    File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
    File C:\RRbackups\Documents and Settings\Admin\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
    File C:\RRbackups\Documents and Settings\Administrator 0 bytes
    File C:\RRbackups\Documents and Settings\Administrator\Application Data 0 bytes
    File C:\RRbackups\Documents and Settings\Administrator\Application Data\Lenovo 0 bytes
    File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft 0 bytes
    File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Crypto 0 bytes
    File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA 0 bytes
    File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect 0 bytes
    File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\CREDHIST 24 bytes
    File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-1756038592-513179481-3750871285-500 0 bytes
    File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-1756038592-513179481-3750871285-500\8d9e96a6-6040-41fe-9013-b5f97e847600 388 bytes
    File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-1756038592-513179481-3750871285-500\Preferred 24 bytes
    File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-786017641-2925068380-3473360674-500 0 bytes
    File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-786017641-2925068380-3473360674-500\d798298d-45cc-4c54-aec1-daa1a9828fe8 388 bytes
    File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-786017641-2925068380-3473360674-500\Preferred 24 bytes
    File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates 0 bytes
    File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My 0 bytes
    File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
    File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
    File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
    File C:\RRbackups\Documents and Settings\All Users 0 bytes
    File C:\RRbackups\Documents and Settings\All Users\Application Data 0 bytes
    File C:\RRbackups\Documents and Settings\All Users\Application Data\Lenovo 0 bytes
    File C:\RRbackups\Documents and Settings\All Users\Application Data\Lenovo\Client Security Solution 0 bytes
    File C:\RRbackups\Documents and Settings\All Users\Application Data\Lenovo\Client Security Solution\PreloadInstall.ini 26 bytes
    File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft 0 bytes
    File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto 0 bytes
    File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA 0 bytes
    File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys 0 bytes
    File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a5bac492b8a12a9b6bf4a5681cc06a21_f98f56a2-efd3-4206-9e4e-8df438541ae1 888 bytes
    File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18 0 bytes
    File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\42e7e898003fbdeb9585806ee1664b51_f98f56a2-efd3-4206-9e4e-8df438541ae1 57 bytes
    File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\6b29ae44e85efac3c72ff4d1865d73f1_f98f56a2-efd3-4206-9e4e-8df438541ae1 53 bytes
    File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\83aa4cc77f591dfc2374580bbd95f6ba_f98f56a2-efd3-4206-9e4e-8df438541ae1 45 bytes
    File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\8f71098770f72c7a67cd8f1151619865_f98f56a2-efd3-4206-9e4e-8df438541ae1 54 bytes
    File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\d42cc0c3858a58db2db37658219e6400_f98f56a2-efd3-4206-9e4e-8df438541ae1 893 bytes
    File C:\RRbackups\Documents and Settings\Default User 0 bytes
    File C:\RRbackups\Documents and Settings\Default User\Application Data 0 bytes
    File C:\RRbackups\Documents and Settings\Default User\Application Data\Lenovo 0 bytes
    File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft 0 bytes
    File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Crypto 0 bytes
    File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Crypto\RSA 0 bytes
    File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect 0 bytes
    File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\CREDHIST 24 bytes
    File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-1756038592-513179481-3750871285-500 0 bytes
    File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-1756038592-513179481-3750871285-500\8d9e96a6-6040-41fe-9013-b5f97e847600 388 bytes
    File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-1756038592-513179481-3750871285-500\Preferred 24 bytes
    File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-786017641-2925068380-3473360674-500 0 bytes
    File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-786017641-2925068380-3473360674-500\d798298d-45cc-4c54-aec1-daa1a9828fe8 388 bytes
    File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-786017641-2925068380-3473360674-500\Preferred 24 bytes
    File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates 0 bytes
    File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My 0 bytes
    File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
    File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
    File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
    File C:\RRbackups\Documents and Settings\LocalService 0 bytes
    File C:\RRbackups\Documents and Settings\LocalService\Application Data 0 bytes
    File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft 0 bytes
    File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates 0 bytes
    File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My 0 bytes
    File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
    File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
    File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
    File C:\RRbackups\Documents and Settings\NetworkService 0 bytes
    File C:\RRbackups\Documents and Settings\NetworkService\Application Data 0 bytes
    File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft 0 bytes
    File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates 0 bytes
    File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My 0 bytes
    File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
    File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
    File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
    File C:\WINDOWS\$NtUninstallKB61679$\1929418354 0 bytes
    File C:\WINDOWS\$NtUninstallKB61679$\3403627056 0 bytes
    File C:\WINDOWS\$NtUninstallKB61679$\3403627056\@ 2048 bytes
    File C:\WINDOWS\$NtUninstallKB61679$\3403627056\bckfg.tmp 862 bytes
    File C:\WINDOWS\$NtUninstallKB61679$\3403627056\cfg.ini 198 bytes
    File C:\WINDOWS\$NtUninstallKB61679$\3403627056\Desktop.ini 4608 bytes
    File C:\WINDOWS\$NtUninstallKB61679$\3403627056\kwrd.dll 223744 bytes
    File C:\WINDOWS\$NtUninstallKB61679$\3403627056\L 0 bytes
    File C:\WINDOWS\$NtUninstallKB61679$\3403627056\L\hvmonmrs 456320 bytes
    File C:\WINDOWS\$NtUninstallKB61679$\3403627056\lsflt7.ver 5176 bytes
    File C:\WINDOWS\$NtUninstallKB61679$\3403627056\U 0 bytes
    File C:\WINDOWS\$NtUninstallKB61679$\3403627056\U\00000001.@ 2048 bytes
    File C:\WINDOWS\$NtUninstallKB61679$\3403627056\U\00000002.@ 224768 bytes
    File C:\WINDOWS\$NtUninstallKB61679$\3403627056\U\00000004.@ 1024 bytes
    File C:\WINDOWS\$NtUninstallKB61679$\3403627056\U\80000000.@ 11264 bytes
    File C:\WINDOWS\$NtUninstallKB61679$\3403627056\U\80000004.@ 12800 bytes
    File C:\WINDOWS\$NtUninstallKB61679$\3403627056\U\80000032.@ 77312 bytes

    ---- EOF - GMER 1.0.15 ----
     
  2. Twoflower

    dds

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.0.0
    Run by Admin at 0:58:21 on 2012-01-11
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1320 [GMT -8:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch
    svchost.exe
    C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\ThinkVantage\AMSG\Amsg.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Documents and Settings\Admin\Application Data\Dropbox\bin\Dropbox.exe
    C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
    C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\WINDOWS\system32\ctfmon.exe
    svchost.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\IPSSVC.EXE
    C:\Program Files\Lenovo\TrackPoint\tp4serv.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Java\jre7\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    c:\program files\lenovo\system update\suservice.exe
    C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\acs.exe
    C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.lenovo.com/us/en/
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
    TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [TrackPointSrv] c:\program files\lenovo\trackpoint\tp4serv.exe
    mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
    mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
    mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
    mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
    mRun: [TPHOTKEY] c:\progra~1\lenovo\pkgmgr\hotkey\TPHKMGR.exe
    mRun: [TP4EX] tp4ex.exe
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
    mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [AMSG] c:\program files\thinkvantage\amsg\Amsg.exe
    mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
    mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
    mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
    mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
    mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent
    mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\docume~1\admin\locals~1\temp\hbcd\malwarebytes\mbam.exe" /runcleanupscript
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    StartupFolder: c:\docume~1\admin\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\admin\application data\dropbox\bin\Dropbox.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
    IE: {DA320635-F48C-4613-8325-D75A933C549E} - c:\program files\lenovo\system update\sulauncher.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    LSP: mswsock.dll
    DPF: {2DAD3559-2923-4935-AD49-B673D2539944} - hxxp://support.lenovo.com/Resources/Lenovo/AutoDetect/Lenovo_AutoDetect.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1316042540428
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.5.3.0.cab
    Notify: AwayNotify - c:\program files\lenovo\awaytask\AwayNotify.dll
    Notify: igfxcui - igfxdev.dll
    Notify: tpfnf2 - notifyf2.dll
    Notify: tphotkey - tphklock.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\admin\application data\mozilla\firefox\profiles\2hfy5ktp.default\
    FF - plugin: c:\documents and settings\admin\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
    R1 MpKsl1db3a864;MpKsl1db3a864;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{209edd50-bd0e-4d44-a6df-072fb1d3a45e}\MpKsl1db3a864.sys [2012-1-10 29904]
    R2 smi2;smi2;c:\program files\smi2\smi2.sys [2006-7-14 3968]
    R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [2011-9-14 22568]
    S1 MpKsl06ccec8b;MpKsl06ccec8b;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{25ba6c26-4edb-4ead-a1bd-220c8f1746a6}\mpksl06ccec8b.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{25ba6c26-4edb-4ead-a1bd-220c8f1746a6}\MpKsl06ccec8b.sys [?]
    S1 MpKsl0770ef97;MpKsl0770ef97;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ed6b75bc-d4ad-4a50-8683-689aadd91d10}\mpksl0770ef97.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ed6b75bc-d4ad-4a50-8683-689aadd91d10}\MpKsl0770ef97.sys [?]
    S1 MpKsl11058a3f;MpKsl11058a3f;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{72490e94-9b08-49ef-9d37-6555f00c03f0}\mpksl11058a3f.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{72490e94-9b08-49ef-9d37-6555f00c03f0}\MpKsl11058a3f.sys [?]
    S1 MpKsl2d36424c;MpKsl2d36424c;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33ca217f-84b8-4c6a-a016-ba4545eedf77}\mpksl2d36424c.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33ca217f-84b8-4c6a-a016-ba4545eedf77}\MpKsl2d36424c.sys [?]
    S1 MpKsl301d87ec;MpKsl301d87ec;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33ca217f-84b8-4c6a-a016-ba4545eedf77}\mpksl301d87ec.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33ca217f-84b8-4c6a-a016-ba4545eedf77}\MpKsl301d87ec.sys [?]
    S1 MpKsl434c6522;MpKsl434c6522;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f14657cd-591b-4405-82f4-d26bbc8cd8c1}\mpksl434c6522.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f14657cd-591b-4405-82f4-d26bbc8cd8c1}\MpKsl434c6522.sys [?]
    S1 MpKslba92c545;MpKslba92c545;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ed6b75bc-d4ad-4a50-8683-689aadd91d10}\mpkslba92c545.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ed6b75bc-d4ad-4a50-8683-689aadd91d10}\MpKslba92c545.sys [?]
    S1 MpKslc11f3675;MpKslc11f3675;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ed6b75bc-d4ad-4a50-8683-689aadd91d10}\mpkslc11f3675.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ed6b75bc-d4ad-4a50-8683-689aadd91d10}\MpKslc11f3675.sys [?]
    S1 MpKslf526b596;MpKslf526b596;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{25ba6c26-4edb-4ead-a1bd-220c8f1746a6}\mpkslf526b596.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{25ba6c26-4edb-4ead-a1bd-220c8f1746a6}\MpKslf526b596.sys [?]
    S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\admin\locals~1\temp\hbcd\superantispyware\sasdifsv.sys --> c:\docume~1\admin\locals~1\temp\hbcd\superantispyware\SASDIFSV.SYS [?]
    S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\admin\locals~1\temp\hbcd\superantispyware\saskutil.sys --> c:\docume~1\admin\locals~1\temp\hbcd\superantispyware\SASKUTIL.SYS [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2011-6-2 11336]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-1-10 41272]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2006-4-29 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== File Associations ===============
    .
    .exe=765
    .
    =============== Created Last 30 ================
    .
    2012-01-11 06:58:07 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{209edd50-bd0e-4d44-a6df-072fb1d3a45e}\MpKsl1db3a864.sys
    2012-01-11 06:58:01 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{209edd50-bd0e-4d44-a6df-072fb1d3a45e}\offreg.dll
    2012-01-11 06:15:19 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2012-01-11 06:09:30 374784 ----a-w- c:\documents and settings\admin\local settings\application data\xeq.exe
    2012-01-10 08:40:27 -------- d-----w- c:\program files\ESET
    2012-01-10 08:15:35 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{209edd50-bd0e-4d44-a6df-072fb1d3a45e}\mpengine.dll
    2012-01-10 07:18:58 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
    2012-01-10 07:15:23 -------- d-sha-r- C:\cmdcons
    2012-01-10 07:13:28 98816 ----a-w- c:\windows\sed.exe
    2012-01-10 07:13:28 518144 ----a-w- c:\windows\SWREG.exe
    2012-01-10 07:13:28 256000 ----a-w- c:\windows\PEV.exe
    2012-01-10 07:13:28 208896 ----a-w- c:\windows\MBR.exe
    2012-01-10 07:13:11 -------- d-----w- C:\ComboFix
    2012-01-10 07:05:49 388096 ----a-r- c:\documents and settings\admin\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2012-01-10 07:05:47 -------- d-----w- c:\program files\Trend Micro
    2012-01-10 06:14:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2012-01-10 06:05:40 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
    2012-01-10 05:01:18 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-10 03:01:55 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
    2012-01-10 03:01:54 -------- d-----w- c:\documents and settings\admin\application data\SUPERAntiSpyware.com
    2011-12-19 03:28:17 -------- d-----w- c:\program files\SystemRequirementsLab
    2011-12-19 03:17:29 -------- d-----w- C:\Intel
    2011-12-19 02:46:19 -------- d-----w- c:\documents and settings\admin\application data\.minecraft
    2011-12-19 02:45:49 -------- d-----w- c:\documents and settings\all users\application data\Ask
    2011-12-14 02:01:40 -------- d-----w- C:\Ruby193
    .
    ==================== Find3M ====================
    .
    2012-01-08 14:49:21 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
    2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
    2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
    2011-11-04 19:20:51 43520 ------w- c:\windows\system32\licmgr10.dll
    2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-11-04 11:23:59 385024 ------w- c:\windows\system32\html.iec
    2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
    2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
    .
    ============= FINISH: 0:58:49.29 ===============
     
  3. Twoflower

    Twoflower TS Rookie Topic Starter

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 9/14/2011 12:55:46 PM
    System Uptime: 1/10/2012 10:57:17 PM (2 hours ago)
    .
    Motherboard: LENOVO | | 0657AJU
    Processor: Intel(R) Core(TM)2 CPU T5500 @ 1.66GHz | None | 1662/167mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 33 GiB total, 1.786 GiB free.
    D: is CDROM (CDFS)
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP22: 12/5/2011 9:33:15 PM - Installed iTunes
    RP23: 12/6/2011 7:32:21 AM - Software Distribution Service 3.0
    RP24: 12/8/2011 6:10:23 PM - Software Distribution Service 3.0
    RP25: 12/10/2011 7:33:26 AM - Software Distribution Service 3.0
    RP26: 12/13/2011 4:14:13 PM - Software Distribution Service 3.0
    RP27: 12/14/2011 4:21:15 PM - Software Distribution Service 3.0
    RP28: 12/14/2011 4:31:30 PM - Software Distribution Service 3.0
    RP29: 12/16/2011 4:56:29 PM - Software Distribution Service 3.0
    RP30: 12/17/2011 4:58:49 PM - Software Distribution Service 3.0
    RP31: 12/18/2011 6:41:06 PM - Software Distribution Service 3.0
    RP32: 12/18/2011 6:44:49 PM - Installed Java(TM) 6 Update 30
    RP33: 12/18/2011 6:45:42 PM - Installed Java Runtime Environment
    RP34: 12/21/2011 11:09:39 PM - Software Distribution Service 3.0
    RP35: 12/26/2011 6:07:20 PM - Software Distribution Service 3.0
    RP36: 12/27/2011 6:39:58 PM - Software Distribution Service 3.0
    RP37: 12/29/2011 8:43:17 AM - Software Distribution Service 3.0
    RP38: 12/30/2011 5:01:00 PM - Software Distribution Service 3.0
    RP39: 1/2/2012 6:25:17 PM - Software Distribution Service 3.0
    RP40: 1/4/2012 7:15:14 AM - Software Distribution Service 3.0
    RP41: 1/5/2012 7:04:07 AM - Software Distribution Service 3.0
    RP42: 1/5/2012 4:34:23 PM - Software Distribution Service 3.0
    RP43: 1/6/2012 5:37:09 PM - Software Distribution Service 3.0
    RP44: 1/7/2012 6:12:48 PM - System Checkpoint
    RP45: 1/7/2012 7:24:04 PM - Software Distribution Service 3.0
    RP46: 1/9/2012 6:43:06 PM - Removed 8x8 Virtual Office for Salesforce
    RP47: 1/9/2012 6:44:39 PM - Removed Ask Toolbar.
    RP48: 1/9/2012 11:05:46 PM - Installed HiJackThis
    RP49: 1/10/2012 12:15:23 AM - Software Distribution Service 3.0
    .
    ==== Installed Programs ======================
    .
    Access Help
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader X (10.1.1)
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Bonjour
    CCleaner
    CutePDF Writer 2.8
    Diskeeper Lite
    Dropbox
    ESET Online Scanner v3
    Google Chrome
    Google Talk (remove only)
    Help Center
    High Definition Audio Driver Package - KB888111
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB2633952)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB981793)
    Intel(R) Graphics Media Accelerator Driver
    iTunes
    J2SE Runtime Environment 5.0 Update 6
    Java Auto Updater
    Java(TM) 6 Update 30
    Java(TM) 7
    LibreOffice 3.3
    Malwarebytes' Anti-Malware version 1.51.2.1300
    Message Center
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2656353)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Antimalware
    Microsoft Application Error Reporting
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Mozilla Firefox 8.0.1 (x86 en-US)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6.0 Parser
    PC-Doctor 5 for Windows
    Productivity Center Supplement for ThinkPad
    psqlODBC
    Rescue and Recovery
    Ruby 1.9.3-p0
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Search 4 - KB963093
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2510581)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2544521)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2559049)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB2618451)
    Security Update for Windows XP (KB2619339)
    Security Update for Windows XP (KB2620712)
    Security Update for Windows XP (KB2624667)
    Security Update for Windows XP (KB2633171)
    Security Update for Windows XP (KB2639417)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982381)
    Security Update for Windows XP (KB982665)
    SoundMAX
    Spybot - Search & Destroy
    System Migration Assistant
    System Requirements Lab for Intel
    System Update
    ThinkPad Configuration
    ThinkPad EasyEject Utility
    ThinkPad FullScreen Magnifier
    ThinkPad Hotkey Features Setup
    ThinkPad Keyboard Customizer Utility
    ThinkPad Modem
    ThinkPad PC Card Power Policy
    ThinkPad Power Management Driver
    ThinkPad Power Manager
    ThinkPad Presentation Director
    ThinkPad TrackPoint Driver
    ThinkPad Wireless LAN Adapters Software (11a/b, 11b/g, 11a/b/g)
    ThinkVantage Access Connections
    ThinkVantage Away Manager
    ThinkVantage Productivity Center
    ThinkVantage System Update Toolbar Button for IE
    ThinkVantage Technologies Welcome Message
    TrackPoint Accessibility Features
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft Windows (KB971513)
    Update for Windows Internet Explorer 8 (KB2447568)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2492386)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2616676)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Wallpapers
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Management Framework Core
    Windows Media Connect
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Search 4.0
    Windows XP Service Pack 3
    XP Themes
    .
    ==== Event Viewer Messages From Past Week ========
    .
    1/9/2012 9:35:34 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.117.2451.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7903.0 Error code: 0x80070424 Error description: The specified service does not exist as an installed service.
    1/9/2012 9:34:38 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.117.2451.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7903.0 Error code: 0x80070424 Error description: The specified service does not exist as an installed service.
    1/9/2012 9:30:03 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.117.2451.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7903.0 Error code: 0x80070424 Error description: The specified service does not exist as an installed service.
    1/9/2012 8:57:43 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.117.2451.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7903.0 Error code: 0x80070424 Error description: The specified service does not exist as an installed service.
    1/9/2012 7:43:20 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.117.2451.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7903.0 Error code: 0x80070424 Error description: The specified service does not exist as an installed service.
    1/9/2012 7:33:37 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    1/9/2012 7:25:57 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.117.2451.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7903.0 Error code: 0x80070424 Error description: The specified service does not exist as an installed service.
    1/9/2012 7:01:56 PM, error: Service Control Manager [7000] - The SASKUTIL service failed to start due to the following error: The system cannot find the file specified.
    1/9/2012 6:18:02 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.117.2451.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7903.0 Error code: 0x80070424 Error description: The specified service does not exist as an installed service.
    1/9/2012 6:05:02 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
    1/9/2012 6:04:58 PM, error: Service Control Manager [7023] - The Diskeeper service terminated with the following error: The service has not been started.
    1/9/2012 6:01:26 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.117.2451.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7903.0 Error code: 0x80070424 Error description: The specified service does not exist as an installed service.
    1/9/2012 11:57:24 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.117.2451.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7903.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
    1/9/2012 11:47:28 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SASDIFSV
    1/9/2012 11:18:33 PM, error: Service Control Manager [7034] - The tvtnetwk service terminated unexpectedly. It has done this 1 time(s).
    1/9/2012 11:18:32 PM, error: Service Control Manager [7034] - The IBM KCU Service service terminated unexpectedly. It has done this 1 time(s).
    1/9/2012 11:18:32 PM, error: Service Control Manager [7031] - The Ac Profile Manager Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    1/9/2012 11:14:23 PM, error: Service Control Manager [7031] - The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
    1/9/2012 10:02:57 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.117.2451.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7903.0 Error code: 0x80070424 Error description: The specified service does not exist as an installed service.
    1/10/2012 10:38:53 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
    .
    ==== End Of File ===========================
     
  4. Twoflower

    Twoflower TS Rookie Topic Starter

    Malwarebytes' Anti-Malware
    www.malwarebytes.org

    Database version:

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    1/11/2012 7:52:16 AM
    mbam-log-2012-01-11 (07-52-16).txt

    Scan type: Quick scan
    Objects scanned: 189947
    Time elapsed: 40 minute(s), 44 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 3
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Admin\Local Settings\Application Data\xeq.exe" -a "firefox.exe) Good: (firefox.exe) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Admin\Local Settings\Application Data\xeq.exe" -a "firefox.exe -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Admin\Local Settings\Application Data\xeq.exe" -a "iexplore.exe) Good: (iexplore.exe) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

Welcome to TechSpot! I'll help you find the entries for this malware.

    I note you have run several cleaning scans. I'd like you to uninstall those programs and download another program from my links. These will include:

    1. Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    2. MBR.exe
    3. If HJT has been set up in its own directory and is the most current version v2.0.4, you can keep it as I will have you run it later.
    4. If your Malwarebytes is the latest, Malwarebytes' Anti-Malware from HERE, you can keep it.

      And although you may have run some of the programs below, you need to follow the order and instructions below. You may not have all of the symptoms below, but if you have any other symptoms, please advise me.
      ========================================
      Please read through all of the instructions before you begin. It would be helpful to you if they were printed out.
      Rogue Internet Security 2012 Description:
      1. Pretends to be a security update for Windows installed via Automatic Updates. It will then install itself as a single executable that has a random name consisting of three characters
      2. Clicking on any executable loads the malware
      3. Display fake security alerts on the infected computer.
      4. May not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer
      5. Changes settings on your computer so that when you launch an executable, a file ending with .exe, it will instead launch the infection rather than the desired program.
      To fix #5, you start here: Download a Registry file that will fix these changes.
      Please download FixNCR.reg and save it to a removable media such as a CD/DVD, external Drive, or USB flash drive.
      • Insert the removable device into the infected computer and open the folder for the drive letter associated with it. (Usually C)
      • Double click the FixNCR.reg file
      • You should now be able to run the .exe files.
      -------------------------------------
      To end the processes that belong to the rogue program:
      Please click on RKill
      • At the download page, click on Download now button for iExplore.exe download link and save to the desktop
      • Double click on the iExplore.exe icon
      • Please be patient- it may take a bit.
      • The black Window will close when through and you can continue.
      Note: If you get a message that RKill is malware, ignore it; it's from the malware.
      =======================================
      Do not reboot your computer after running RKill as the malware programs will start again.
      ================================
      Update and rescan with Malwarebytes:
      • Select Perform Full Scan on the Scanner tab
      • Click on the Scan button.
      • When scan has finished, you will see this image:
        [image]
      • Click on OK to close box and continue.
      • Click on the Show Results button.
      • Click on the Remove Selected button to remove all the listed malware.
      • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
      ==============================
      This should remove the major offender. Reboot the Computer into Normal Mode and run the following:
      To run the Eset Online Virus Scan:
      If you use Internet Explorer:
      1. Open the ESETOnlineScan
      2. Skip to #4 to "Continue with the directions"

        If you are using a browser other than Internet Explorer
      3. Open Eset Smart Installer
        [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
        [o] Double click on the desktop icon to run.
        [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
      4. Continue with the directions.
      5. Check 'Yes I accept terms of use.'
      6. Click Start button
      7. Accept any security warnings from your browser.
        [image]
      8. Uncheck 'Remove found threats'
      9. Check 'Scan archives'
      10. Leave remaining settings as is.
      11. Press the Start button.
      12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
      13. When the scan completes, press List of found threats
      14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
      15. Push the Back button, then Finish
      NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
      ===============================
      Please leave all logs in next reply: TDSSKiller, rKill, Malwarebytes Full Scan, Eset Online Scan
      ================================
      My Guidelines: please read and follow:
      • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
      • Read my instructions carefully. If you don't understand or have a problem, ask me.
      • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
      • Follow the order of the tasks I give you. Order is crucial in cleaning process.
      • File sharing programs should be uninstalled or disabled during the cleaning process.
      • Observe these:
        [o] Don't use any other cleaning programs or scans while I'm helping you.
        [o] Don't use a Registry cleaner or make any changes in the Registry.
        [o] Don't download and install new programs- except those I give you.
      • Please let me know if there is any change in the system.
      If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
      =====================================
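The two registry hijacks this thread turns on are visible in the logs above: the `.exe=765` file association in the DDS log (item 5 in the description, which FixNCR.reg repairs) and the three `Hijack.StartMenuInternet` values Malwarebytes found, where `xeq.exe -a "firefox.exe"` had been wrapped around the real browser launcher. The Python script below is an added example, not part of the original thread and not the FixNCR.reg file Bobbye links to. It parses a `.reg` export, flags both kinds of hijack, and writes a repair file that restores the Windows XP defaults (`exefile` for `HKCR\.exe`, `"%1" %*` for `HKCR\exefile\shell\open\command`, and the bare browser name that Malwarebytes reported as the "Good:" value). The `SAMPLE_REG` text is constructed for the example, modelled on the Bad:/Good: strings in the Malwarebytes log; on a real XP box you would feed it the output of `reg export` for those keys instead.

```python
r"""Audit a .reg export for the .exe association hijack and the
StartMenuInternet browser-launcher hijack, and build the repair .reg.
Added example for this thread; SAMPLE_REG is constructed, not captured."""
import re

# Clean Windows XP defaults (what a FixNCR-style .reg file restores).
# Keys are lowercased because registry key names are case-insensitive.
EXPECTED = {
    r"hkey_classes_root\.exe": "exefile",
    r"hkey_classes_root\exefile\shell\open\command": '"%1" %*',
}

# Constructed sample export, modelled on the Bad:/Good: values in the
# Malwarebytes log above. In .reg syntax backslashes and quotes are escaped.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\Admin\\Local Settings\\Application Data\\xeq.exe\" -a \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="\"C:\\Documents and Settings\\Admin\\Local Settings\\Application Data\\xeq.exe\" -a \"firefox.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command]
@="firefox.exe -safe-mode"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="iexplore.exe"
'''

STARTMENU_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Clients\\StartMenuInternet\\"
    r"(?P<browser>[^\\]+)\\shell\\(?P<verb>open|safemode)\\command$", re.I)


def parse_reg_defaults(text):
    """Return {key: default value} for every key whose '@' value is a string."""
    defaults, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('@="') and line.endswith('"'):
            # Undo .reg escaping: \\ -> \ and \" -> "
            defaults[key] = re.sub(r"\\(.)", r"\1", line[3:-1])
    return defaults


def launched_exe(command):
    """Basename of the program a shell command line really starts."""
    command = command.strip()
    exe = command[1:command.index('"', 1)] if command.startswith('"') else command.split()[0]
    return exe.rsplit("\\", 1)[-1].lower()


def looks_like_rogue_name(exe):
    """The rogue installs under a random three-letter name (e.g. xeq.exe)."""
    stem = exe.lower().rsplit(".", 1)[0]
    return len(stem) == 3 and stem.isalpha()


def audit(defaults):
    """Return [(key, current value, clean value)] for every hijacked default."""
    findings = []
    for key, value in defaults.items():
        clean = EXPECTED.get(key.lower())
        if clean is not None:
            if value.lower() != clean.lower():
                findings.append((key, value, clean))
            continue
        m = STARTMENU_RE.match(key)
        if m and launched_exe(value) != m.group("browser").lower():
            browser = m.group("browser").lower()
            clean = browser if m.group("verb").lower() == "open" else browser + " -safe-mode"
            findings.append((key, value, clean))
    return findings


def reg_escape(value):
    return value.replace("\\", "\\\\").replace('"', '\\"')


def repair_reg(findings):
    """Build a .reg file that puts the clean defaults back (merge with regedit)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, _current, clean in findings:
        lines += ["[%s]" % key, '@="%s"' % reg_escape(clean), ""]
    return "\n".join(lines)


if __name__ == "__main__":
    found = audit(parse_reg_defaults(SAMPLE_REG))
    for key, current, clean in found:
        exe = launched_exe(current)
        hint = "  <- three-letter random name" if looks_like_rogue_name(exe) else ""
        print("HIJACKED %s\n  launches: %s%s\n  restore:  %s" % (key, exe, hint, clean))
    print("\n" + repair_reg(found))
```

Running it on the constructed sample reports the `exefile` command and the Firefox `open` command as hijacked (both really launch `xeq.exe`), leaves the clean safe-mode and Internet Explorer entries alone, and emits a repair file whose `exefile` line is the familiar `@="\"%1\" %*"`. Merging that repair is the same action as double-clicking FixNCR.reg; it restores launching but does not remove the rogue binary, which is why the thread goes on to RKill and Malwarebytes afterwards.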
     
  6. Twoflower

    Twoflower TS Rookie Topic Starter

    Thanks Bobbye, below are the results of the scan. Please note that I wasn't able to uninstall ComboFix. I received an error message stating that it was not able to find Combofix. Also, I did not see in the instructions to run TDSSKiller so I do not have a log file for it.

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 01/11/2012 at 8:38:36.
    Operating System: Microsoft Windows XP


    Processes terminated by Rkill or while it was running:

    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\Documents and Settings\Admin\Application Data\Dropbox\bin\Dropbox.exe
    C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe


    Rkill completed on 01/11/2012 at 8:38:41.


    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.11.05

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Admin :: LENOVO-D227DC02 [administrator]

    1/11/2012 8:42:06 AM
    mbam-log-2012-01-11 (08-42-06).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 278132
    Time elapsed: 1 hour(s), 5 minute(s), 11 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 3
    C:\Documents and Settings\Admin\Local Settings\Application Data\xeq.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\tue0.4765355347349418.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\oiu0.9013803349107921.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.

    (end)
    =======================================================

    Eset Online Scan

    C:\WINDOWS\system32\drivers\mrxsmb.sys a variant of Win32/Rootkit.Kryptik.HD trojan
    Operating memory multiple threats
     
  7. Twoflower

    Twoflower TS Rookie Topic Starter

    Bump for feedback on info

    Looking for feedback based on the scans that I ran. I still have a problem and not sure where I should go next.

    Thanks,
    Twoflower
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Rogue Antispyware, Antivirus, Security, Home Security, Internet Security 2012
    1. Pretends to be a security update for Windows installed via Automatic Updates. It will then install itself as a single executable that has a random name consisting of three characters.
    2. Clicking on any executable loads the malware.
    3. Displays fake security alerts on the infected computer.
    4. May not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer.
    5. Changes settings on your computer so that when you launch an executable, a file ending with .exe, it will instead launch the infection rather than the desired program.

    To fix #5, you start here: Download a Registry file that will fix these changes.
    Please download FixNCR.reg and save it to a removable media such as a CD/DVD, external Drive, or USB flash drive.
    • Insert the removable device into the infected computer and open the folder for the drive letter associated with it (usually C).
    • Double click the FixNCR.reg file
    • You should now be able to run the .exe files.
    -------------------------------------
    To end the processes that belong to the rogue program:
    Please click on RKill
    • At the download page, click on Download now button for iExplore.exe download link and save to the desktop
    • Double click on the iExplore.exe icon
    • Please be patient- it may take a bit.
    • The black Window will close when through and you can continue.
    Note: If you get a message that RKill is malware, ignore it> it's from the malware.
    =======================================
    Do not reboot your computer after running RKill as the malware programs will start again.
    ================================
    Update and rescan with Malwarebytes:
    • Select Perform Full Scan on the Scanner tab
    • Click on the Scan button.
    • When scan has finished, you will see this image:
    • Click on OK to close box and continue.
    • Click on the Show Results button.
    • Click on the Remove Selected button to remove all the listed malware.
    • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
    ==============================
    This should remove the major offender. Reboot the Computer into Normal Mode and run the following:
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ================================
    Don't bump again.
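    A read-only check for item 5 above (the rewritten .exe launch command that FixNCR.reg repairs), added here as an example; it is not from the thread, from FixNCR.reg or from any tool Bobbye lists. It assumes the stock (Default) value of HKEY_CLASSES_ROOT\exefile\shell\open\command is `"%1" %*` and that a hijacked command is exported as a plain REG_SZ string; the two sample exports it runs against are constructed, with the xeq.exe path taken from the Malwarebytes log earlier in the thread.

```python
r"""Read-only audit of the .exe file-association command for hijacks.

Added example, not from the thread or from any tool it uses. The rogue
described above rewrites the (Default) value of
HKEY_CLASSES_ROOT\exefile\shell\open\command so every .exe launch runs the
malware first; FixNCR.reg puts the stock value back. This script inspects
the text of `reg export HKCR\exefile exefile.reg` for that condition and
changes nothing. Both sample exports below are constructed.
"""
import re
from typing import Dict, List

# Stock (Default) value of ...\exefile\shell\open\command on Windows XP.
STOCK_EXE_COMMAND = '"%1" %*'

# Keys whose (Default) value must equal STOCK_EXE_COMMAND (case-insensitive key match).
WATCHED_KEYS = (
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command",
)

_KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# @="..." with .reg escaping: backslash-quote and backslash-backslash.
_DEFAULT_SZ_LINE = re.compile(r'^@="(?P<val>(?:[^"\\]|\\.)*)"$')


def unescape_reg_string(raw: str) -> str:
    r"""Undo .reg escaping: \" becomes a quote and \\ becomes a backslash."""
    return re.sub(r'\\(["\\])', r"\1", raw)


def parse_default_values(reg_text: str) -> Dict[str, str]:
    """Map each key (lower-cased) in a .reg export to its (Default) REG_SZ value.

    Assumption: a rewritten launch command is exported as a plain @="..."
    string; hex(...) encoded defaults are not decoded here.
    """
    defaults: Dict[str, str] = {}
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        key_match = _KEY_LINE.match(line)
        if key_match:
            current = key_match.group("key").lower()
            continue
        val_match = _DEFAULT_SZ_LINE.match(line)
        if val_match and current is not None:
            defaults[current] = unescape_reg_string(val_match.group("val"))
    return defaults


def find_exe_hijacks(reg_text: str) -> List[Dict[str, str]]:
    """Return one finding per watched key whose command is not the stock one."""
    defaults = parse_default_values(reg_text)
    findings = []
    for key in WATCHED_KEYS:
        value = defaults.get(key.lower())
        if value is not None and value != STOCK_EXE_COMMAND:
            findings.append({"key": key, "found": value, "expected": STOCK_EXE_COMMAND})
    return findings


# Constructed sample: open\command points at a random-named executable in the
# user's Application Data folder, the pattern the Malwarebytes log in this
# thread shows (xeq.exe, Trojan.FakeMS). The runas\command key is untouched.
HIJACKED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile]
@="Application"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\Admin\\Local Settings\\Application Data\\xeq.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"
'''

# Constructed sample of a healthy key, i.e. what FixNCR.reg restores.
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''


if __name__ == "__main__":
    for name, text in (("hijacked", HIJACKED_EXPORT), ("clean", CLEAN_EXPORT)):
        hits = find_exe_hijacks(text)
        print(f"{name}: {len(hits)} finding(s)")
        for hit in hits:
            print(f"  {hit['key']}\n    found:    {hit['found']}\n    expected: {hit['expected']}")
```

    To run it against a real machine, export the key on the suspect box (`reg export HKCR\exefile exefile.reg`), copy the file off, and open it with `encoding="utf-16"` before passing its text to `find_exe_hijacks`, since `reg export` writes UTF-16LE. A finding means exactly the condition FixNCR.reg is meant to reverse; an empty result on the hijacked key does not rule out the other persistence the post lists, so the scans still need to run.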
     
  9. Twoflower

    Twoflower TS Rookie Topic Starter

    Log Files

    Sorry for the bump. Below are the 3 log files.

    Thanks
    Twoflower

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 01/13/2012 at 19:21:42.
    Operating System: Microsoft Windows XP


    Processes terminated by Rkill or while it was running:



    Rkill completed on 01/13/2012 at 19:21:47.
    =================================================
    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.11.05

    Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
    Internet Explorer 8.0.6001.18702
    Administrator :: LENOVO-D227DC02 [administrator]

    1/13/2012 7:24:15 PM
    mbam-log-2012-01-13 (19-24-15).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 277329
    Time elapsed: 46 minute(s), 48 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
    ======================================================

    ESETScan

    C:\WINDOWS\system32\drivers\mrxsmb.sys a variant of Win32/Rootkit.Kryptik.HD trojan
    C:\WINDOWS\Temp\1.4682851395858731E7.tmp a variant of Win32/Kryptik.YVK trojan
    Operating memory multiple threats
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Still getting active malware:

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files 
      C:\WINDOWS\system32\drivers\mrxsmb.sys 
      C:\WINDOWS\Temp\1.4682851395858731E7.tmp 
      Operating memory multiple threats 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    =====================================
    Do you have any of the original XP Internet Security problems remaining?
     
  11. Twoflower

    Twoflower TS Rookie Topic Starter

    OTMoveIt by Old Timer

    I wasn't seeing the XP Internet Security 2012 alerts anymore. I was still seeing pop-ups for ads when using Firefox.

    Thank you for all the help. After re-boot, the system is running much faster. Hopefully this was the end of it. :)

    All processes killed
    ========== FILES ==========
    C:\WINDOWS\system32\drivers\mrxsmb.sys moved successfully.
    C:\WINDOWS\Temp\1.4682851395858731E7.tmp moved successfully.
    File/Folder Operating memory multiple threats not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Admin
    ->Temp folder emptied: 12989185 bytes
    ->Temporary Internet Files folder emptied: 442460 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 46042509 bytes
    ->Google Chrome cache emptied: 162318387 bytes
    ->Flash cache emptied: 1842 bytes

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 16384 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: NetworkService
    ->Temp folder emptied: 99050 bytes
    ->Temporary Internet Files folder emptied: 371370630 bytes
    ->Flash cache emptied: 38469 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 19569 bytes
    %systemroot%\System32 .tmp files removed: 2577 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 21788698 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 1737 bytes

    Total Files Cleaned = 587.00 mb
     
     
  12. Twoflower

    Twoflower TS Rookie Topic Starter

    More logs

    After running OTMoveIt by Old Timer, everything seemed to be running without problems, then the process went to 100%. Because of this, I ran Rkill, Malwarebytes, and ESETScan again. Below are the logs. I'm afraid I re-infected myself when I launched Firefox and it re-loaded the tabs that were previously open. I had not closed all the ads. (smacking myself upside the head)

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 01/15/2012 at 10:24:18.
    Operating System: Microsoft Windows XP


    Processes terminated by Rkill or while it was running:



    Rkill completed on 01/15/2012 at 10:24:21.
    ==================================================
    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.11.05

    Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
    Internet Explorer 8.0.6001.18702
    Administrator :: LENOVO-D227DC02 [administrator]

    1/15/2012 10:25:14 AM
    mbam-log-2012-01-15 (10-25-14).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 266576
    Time elapsed: 36 minute(s), 7 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
    =================================================
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\27\227948db-7bcc88b7 a variant of Win32/Kryptik.YXO trojan
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You're welcome! This may help with the pop ups in Firefox:
    • Tracking Cookies
      Reset Cookie:
      [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus

      Easy List
      [o]For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
    • Do regular Maintenance
      Clean the temporary internet files often:
      [o] Temporary File Cleaner
      or
      [o] ATF Cleaner by Atribune
    ================================
    Per OTM> Total Files Cleaned = 587.00 mb, you were still having a lot of files removed, so I encourage you to go ahead with item #2. Add to that: Disc Cleanup, Error Check and Defrag on a regular schedule.
    ===============================
    If we have resolved the problem, you can remove all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    -----
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    ------------------------------------------
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
      [*]Choose Disc Cleanup
      [*]Click "OK" to select the partition or drive you want.
      [*]Click the "More Options" Tab.
      [*]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin
    ================================
    Here are some additional tips to help keep the system clean:
    Tips for added security and safer browsing: (Links are in Bold Blue)
    1. Browser Security
      [o] Safe Settings (Please ignore the suggestion to use the Registry Editor in this section "Creating a Custom Security Zone")
      [o] ZonedOut. This manages the Zones in Internet Explorer. (For IE7 and IE8, Windows 2000 thru Vista. No Windows 7)
      [o] Replace the Host Files
      [o] Google Toolbar Pop Up Blocker
      [o]Web of Trust (WOT) Site Advisor. Traffic-light rating symbols rate the site for Trustworthiness, Vendor Reliability, Privacy, Child Safety.
    2. Have layered Security:
      [o]Antivirus :(only one):Both of the following programs are free and known to be good:
      [o]Avira-AntiVir-Personal-Free-Antivirus
      [o]Avast-Free Antivirus
      [o]Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
      [o]Comodo
      [o]Zone Alarm
    3. Antimalware: I recommend all of the following:
      [o]Spywareblaster: SpywareBlaster protects against bad ActiveX.
      [o]Spybot Search & Destroy
    4. Updates: Stay current:
      [o] Visit the Microsoft Download Site frequently. Install all updates marked Critical and the current SP updates.
      [o]Adobe Reader Install current, uninstall old.
      [o]Java Updates Install current, uninstall old.
    5. Restore Points:
      [o]See System Restore Guide
    6. Safe Email Handling
      [o] Don't open email from anyone you don't know.
      [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click.
      [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
    Please let me know if you find any bad link.
     
Topic Status:
Not open for further replies.

