
Thread: Win32.downloader.gen- Help Please

  #1: Junior Member (Join Date: Sep 2013, Posts: 16)

    Win32.downloader.gen- Help Please

    I really hate to bother the forum with this, but I'm at my wit's end!

    I've been trying to remove this virus for several days now with no success. I'm running Windows XP and the virus shows up in SpyBot. It will disappear in safe mode, then reappear in the next regular scan. I've searched the forum and tried everything that I can find, with no luck...

    Any help is greatly appreciated. Thanks! Keith

    (Original link first posted in Forum-Software-Spybot) http://forums.spybot.info/showthread...761#post444761

    Here's the DDS.txt:

    DDS (Ver_2012-11-20.01) - NTFS_x86
    Internet Explorer: 8.0.6001.18702
    Run by Keith Simmons at 12:46:50 on 2013-09-04
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.462 [GMT -5:00]
    .
    AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: COMODO Firewall *Enabled*
    .
    ============== Running Processes ================
    .
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\WINDOWS\stsystra.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Logitech\SetPointP\SetPoint.exe
    C:\WINDOWS\etMon.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
    C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WksCal.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Microsoft Works\WkDStore.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://us.yahoo.com?fr=fp-comodo
    uSearch Page = hxxp://www.google.com
    uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070111
    uInternet Connection Wizard,ShellNext = hxxp://home.frontiernet.net/WelcomeCD.asp
    uSearchAssistant = hxxp://www.google.com
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    mSearchAssistant = hxxp://www.google.com
    BHO: {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - <orphaned>
    BHO: {53707962-6F74-2D53-2644-206D7942484F} - <orphaned>
    BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - <orphaned>
    BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
    BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - <orphaned>
    TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
    EB: Real.com: {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\shdocvw.dll
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [ConduitFloatingPlugin_jcnkjmghmdigcjcajaemenhlleobnhih] "c:\windows\system32\rundll32.exe" "c:\program files\conduit\ct3309657\plugins\TBVerifier.dll",RunConduitFloatingPlugin jcnkjmghmdigcjcajaemenhlleobnhih
    mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
    mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
    mRun: [etMonitor] c:\windows\etMon.exe
    mRun: [ehTray] c:\windows\ehome\ehtray.exe
    mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    StartupFolder: c:\docume~1\keiths~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\docume~1\keiths~1\startm~1\programs\startup\wkcalrem.lnk - c:\program files\common files\microsoft shared\works shared\WkCalRem.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD}
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    .
    INFO: HKCU has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    .
    INFO: HKLM has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
    DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    TCP: NameServer = 192.168.254.254
    TCP: Interfaces\{87A4AD3F-113A-4EA7-8351-9EB8BFD5832D} : DHCPNameServer = 192.168.254.254
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: igfxcui - igfxdev.dll
    Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
    Notify: WgaLogon - <no file>
    AppInit_DLLs= c:\windows\system32\guard32.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
    mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\29.0.1547.66\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [2013-3-19 49376]
    R0 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [2013-3-19 175176]
    R0 tffsport;M-Systems DiskOnChip 2000;c:\windows\system32\drivers\tffsport.sys [2008-11-25 149376]
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-5-31 770344]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-3-28 369584]
    R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-6-4 497952]
    R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-6-1 32640]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-3-28 29816]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-3-19 66336]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-17 46808]
    R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-6-1 1990464]
    R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2012-1-5 12184]
    R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-1-11 1251720]
    S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
    S3 DCamUSBET;ET USB 2710 Camera;c:\windows\system32\drivers\etDevice.sys [2007-6-27 88704]
    S3 FiltUSBET;ET USB Device Lower Filter;c:\windows\system32\drivers\etFilter.sys [2007-6-27 103680]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys --> c:\windows\system32\drivers\motccgp.sys [?]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys --> c:\windows\system32\drivers\motccgpfl.sys [?]
    S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys --> c:\windows\system32\drivers\motport.sys [?]
    S3 ScanUSBET;ET USB Still Image Capture Device;c:\windows\system32\drivers\etScan.sys [2007-6-27 5760]
    S3 SIUSBXP;SIUSBXP;c:\windows\system32\drivers\SiUSBXp.sys [2010-11-8 14592]
    .
    =============== File Associations ===============
    .
    ShellExec: pi11.exe: Open="c:\program files\microsoft digital image 2006\pi.exe" "%1"
    .
    =============== Created Last 30 ================
    .
    2013-09-04 16:37:18 -------- d-----w- c:\windows\QIUEKXANT6IGFLKJ
    2013-09-04 16:36:47 -------- d-----w- c:\windows\BM375WFYPGE5O1KX
    2013-09-04 16:31:30 -------- d-----w- C:\AdwCleaner
    2013-09-04 14:18:10 -------- d-----w- c:\windows\UJP2LYBHU7JWER3F
    2013-09-04 14:17:36 -------- d-----w- c:\windows\3VCP2EKXAGFLRJAG
    2013-09-04 05:19:41 -------- d-----w- c:\windows\NGT6IV8KP2FLRX1K
    2013-09-04 05:13:51 -------- d-----w- c:\documents and settings\keith simmons\application data\PC VITALWARE
    2013-09-04 05:13:51 -------- d-----w- c:\documents and settings\all users\application data\PC VITALWARE
    2013-09-04 04:05:30 -------- d-----w- c:\windows\IQA1J2ZBVM68YH8Y
    2013-09-04 03:00:39 -------- d-----w- c:\windows\LA1YI9ZI90J9XNEY
    2013-09-04 00:55:17 -------- d-----w- c:\windows\D69TXG7XH1YO1LYI
    2013-09-03 23:11:31 -------- d-----w- c:\windows\XLYB2LYBO1DX2MZJ
    2013-09-03 21:19:48 -------- d-----w- c:\windows\R14HMR4G05AMZ5HG
    2013-09-02 21:36:07 -------- d-----w- c:\windows\QFLYBOU7CPOUTLRX
    2013-09-02 21:35:05 -------- d-----w- c:\windows\GBS5HU0CHU4GTZCP
    2013-09-02 19:52:10 -------- d-----w- c:\windows\S9RA1RB9ZIE5OF6P
    2013-09-02 19:47:52 -------- d-----w- c:\windows\AEA8C2ZWUSQA1KB2
    2013-09-02 18:05:36 -------- d-----w- c:\windows\3SHU7CWG0H1EJW9L
    2013-09-02 17:28:00 -------- d-----w- c:\windows\I5HMZCWNJW9ZJW9E
    2013-09-02 17:21:30 -------- d-----w- c:\windows\96HTZCP27JONMEDC
    2013-09-02 14:52:26 -------- d-----w- c:\windows\MWLY4NS5HMZBV8K2
    2013-09-02 06:58:55 -------- d-----w- c:\windows\SZRUX0UWZ2IE03JW
    2013-09-02 06:53:33 -------- d-----w- c:\windows\63EXOFZQHZQH8RI9
    2013-09-02 06:50:53 -------- d-----w- c:\windows\930DAN7CP2EQ3GT6
    2013-09-02 06:50:19 -------- d-----w- c:\windows\0XQTWZ24DFXTPLHD
    2013-09-02 06:39:25 -------- d-----w- c:\windows\GCNT6IN05PNTSKJI
    2013-09-02 06:38:45 -------- d-----w- c:\windows\JEH8YP9ZP9TDXH1K
    2013-09-02 06:33:50 -------- d-----w- c:\windows\QS5O1DQV8KJB3RIV
    2013-09-02 06:32:05 -------- d-----w- c:\windows\Y4YEV5EHRT3CFPZS
    2013-09-02 06:22:01 -------- d-----w- c:\windows\Y6MORUX09IKUNQTW
    2013-09-02 06:16:32 -------- d-----w- c:\windows\841ZI96W8R8YI2ZJ
    2013-09-02 03:39:27 -------- d-----w- c:\windows\0AS5AN05IU05HMLK
    2013-09-02 03:33:22 338 ----a-w- c:\documents and settings\keith simmons\local settings\application data\poetsch.bat
    2013-09-01 22:17:29 -------- d-----w- c:\windows\SOS2SI2SBVL5H1DQ
    2013-09-01 21:03:14 -------- d-----w- c:\windows\7HPZGQ7NXE7N4KUB
    2013-08-31 22:43:11 -------- d-----w- c:\windows\QGY305386IDA7XUS
    2013-08-31 22:25:11 -------- d-----w- c:\windows\X63N6XG7Q9ZI9SCP
    2013-08-31 03:46:12 -------- d-----w- c:\windows\7I7JO16IN05A8DBA
    2013-08-30 16:20:57 28552 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\mdippr.dll
    2013-08-30 16:20:57 28040 ----a-w- c:\windows\system32\mdimon.dll
    2013-08-14 23:03:22 -------- d-----w- c:\windows\LAGT6IV8DPV7J3M6
    2013-08-14 23:02:20 -------- d-----w- c:\windows\WDQ3T6IV0C3M6XGT
    2013-08-08 14:18:17 -------- d-----w- c:\windows\RN7Q3FZC3FS5HCPG
    .
    ==================== Find3M ====================
    .
    2013-08-03 19:18:38 1543680 ------w- c:\windows\system32\wmvdecod.dll
    2013-07-29 22:07:42 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2013-07-29 22:07:41 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2013-07-26 02:47:17 920064 ----a-w- c:\windows\system32\wininet.dll
    2013-07-26 02:47:13 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2013-07-26 02:47:12 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2013-07-25 15:52:59 385024 ----a-w- c:\windows\system32\html.iec
    2013-07-10 10:37:53 406016 ----a-w- c:\windows\system32\usp10.dll
    2013-07-04 03:03:25 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
    2013-07-04 02:08:30 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2013-06-27 19:34:32 770344 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2013-06-27 19:34:32 175176 ----a-w- c:\windows\system32\drivers\aswVmm.sys
    2008-11-13 21:56:09 11281 ----a-w- c:\program files\common files\woko.bin
    .
    ============= FINISH: 12:49:30.12 ===============

    Attachment 10908



    Here is the aswMBR Log:

    aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
    Run date: 2013-09-04 13:33:04
    -----------------------------
    13:33:04.203 OS Version: Windows 5.1.2600 Service Pack 3
    13:33:04.203 Number of processors: 2 586 0xF06
    13:33:04.203 ComputerName: D1Q0QCC1 UserName:
    13:33:07.031 Initialize success
    13:33:11.156 AVAST engine defs: 13090400
    13:33:28.828 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
    13:33:28.828 Disk 0 Vendor: ST316081 3.AD Size: 152587MB BusType: 3
    13:33:29.015 Disk 0 MBR read successfully
    13:33:29.015 Disk 0 MBR scan
    13:33:29.015 Disk 0 unknown MBR code
    13:33:29.046 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
    13:33:29.062 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 147793 MB offset 80325
    13:33:29.093 Disk 0 Partition 3 00 DB CP/M / CTOS Dell 8.0 4753 MB offset 302760990
    13:33:29.093 Disk 0 scanning sectors +312496380
    13:33:29.281 Disk 0 scanning C:\WINDOWS\system32\drivers
    13:33:46.671 Service scanning
    13:34:02.484 Modules scanning
    13:34:16.140 Module: C:\WINDOWS\System32\DLA\DLADResN.SYS **SUSPICIOUS**
    13:34:18.046 Disk 0 trace - called modules:
    13:34:18.078 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
    13:34:18.078 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f87870]
    13:34:18.078 3 CLASSPNP.SYS[f75b0fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x86f75030]
    13:34:18.562 AVAST engine scan C:\WINDOWS
    13:34:39.765 AVAST engine scan C:\WINDOWS\system32
    13:38:40.796 AVAST engine scan C:\WINDOWS\system32\drivers
    13:39:14.234 AVAST engine scan C:\Documents and Settings\Keith Simmons
    14:45:05.640 AVAST engine scan C:\Documents and Settings\All Users
    14:47:22.359 Scan finished successfully
    14:55:25.500 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Keith Simmons\My Documents\MBR.dat"
    14:55:25.515 The log file has been saved successfully to "C:\Documents and Settings\Keith Simmons\My Documents\aswMBR.txt"
    14:56:01.359 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Keith Simmons\Desktop\MBR.dat"
    14:56:01.359 The log file has been saved successfully to "C:\Documents and Settings\Keith Simmons\Desktop\aswMBR.txt"

    In case the above attachment fails, here is the zipped attach.txt file. attachtxt.zip

    Best,

    Keith

    I haven't attempted any fixes since posting this thread, but just now ran SpyBot to check the system.

    Strangely, the virus isn't showing up. Can this virus go dormant for periods and then reactivate???

    Thanks,

    Keith

  #2: Malware Team: Emeritus (Join Date: Oct 2012, Posts: 246)

    Hi and Welcome!! snurd

    My name is Robybel.

    I would be more than happy to take a look at your log and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:
    • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
    • The fixes are specific to your problem and should only be used for the issues on this machine.
    • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
    • It's often worth reading through these instructions and printing them for ease of reference.
    • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
    • Please reply to this thread. Do not start a new topic.


    IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.
    DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your Operating System and losing all your programs and data.


    Vista and Windows 7 users:

    These tools MUST be run from the executable (.exe) every time you run them,
    with Admin Rights (right click, choose "Run as Administrator").


    Stay with this topic until I give you the all clean post.

    Having said that....Let's get going!!

    ================================

    Download Security Check by screen317 from here or here.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


    Next

    AdwCleaner

    Double click on AdwCleaner.exe to run the tool again.
    • Click on the Scan button.
    • AdwCleaner will begin to scan your computer like it did before.
    • After the scan has finished...
    • This time, click on the Clean button.
    • Press OK when asked to close all programs and follow the onscreen prompts.
    • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
    • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
    • Copy and paste the contents of that logfile in your next reply.
    • A copy of that logfile will also be saved in the C:\AdwCleaner folder.


    Next

    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.



    Next


    • Download RogueKiller and save it to your desktop.
    • Quit all other programs
    • Start RogueKiller.exe
    • Wait until the Prescan has finished ...
    • Click on Scan
    • Wait for the end of the scan
    • A report will be created on your desktop.
    • Click on the Delete button
    • Next click on the ShortcutsFix
    • another report will be created on your desktop.


    Please post: All RKreport.txt text files located on your desktop.

    On your next reply please post :
    • checkup.txt
    • AdwCleaner[S1].txt
    • JRT.txt
    • All RKreport.txt

    Let me know if you have any problems in performing the steps above or any questions you may have.

    Good Day!
    Last edited by Robybel; 2013-09-07 at 16:22.
    - Proud Graduate of WTT Classroom -

    - Member of UNITE -

  #3: Junior Member (Join Date: Sep 2013, Posts: 16)

    Hi Robybel,

    Thanks so much for your kind help!!!

    Here are the results requested...


    checkup.txt

    Results of screen317's Security Check version 0.99.73
    Windows XP Service Pack 3 x86
    Internet Explorer 8
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    avast! Antivirus
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Spybot - Search & Destroy
    Malwarebytes Anti-Malware version 1.75.0.1300
    CCleaner
    Adobe Flash Player 11.8.800.94
    Adobe Reader 7 Adobe Reader out of Date!
    Google Chrome 29.0.1547.62
    Google Chrome 29.0.1547.66
    ````````Process Check: objlist.exe by Laurent````````
    Comodo Firewall cmdagent.exe
    Comodo Firewall cfp.exe
    Alwil Software Avast5 AvastSvc.exe
    ALWILS~1 Avast5 avastUI.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C:: 15% Defragment your hard drive soon! (Do NOT defrag if SSD!)
    ````````````````````End of Log``````````````````````



    Adwcleaner.txt

    # AdwCleaner v3.003 - Report created 07/09/2013 at 11:23:20
    # Updated 07/09/2013 by Xplode
    # Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
    # Username : Keith Simmons - D1Q0QCC1
    # Running from : C:\Documents and Settings\Keith Simmons\My Documents\Downloads\AdwCleaner (1).exe
    # Option : Clean

    ***** [ Services ] *****


    ***** [ Files / Folders ] *****


    ***** [ Shortcuts ] *****


    ***** [ Registry ] *****

    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
    Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [ConduitFloatingPlugin_jcnkjmghmdigcjcajaemenhlleobnhih]
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
    Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]

    ***** [ Browsers ] *****

    -\\ Internet Explorer v8.0.6001.18702

    Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls [Tabs]

    -\\ Google Chrome v29.0.1547.66

    [ File : C:\Documents and Settings\Keith Simmons\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]


    [ File : C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]


    *************************

    AdwCleaner[R0].txt - [6263 octets] - [04/09/2013 11:31:37]
    AdwCleaner[R1].txt - [2112 octets] - [07/09/2013 09:57:38]
    AdwCleaner[R2].txt - [2172 octets] - [07/09/2013 10:15:35]
    AdwCleaner[S0].txt - [6291 octets] - [04/09/2013 11:33:19]
    AdwCleaner[S1].txt - [2009 octets] - [07/09/2013 11:23:20]

    ########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [2069 octets] ##########


    JRT.txt

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Junkware Removal Tool (JRT) by Thisisu
    Version: 5.5.8 (09.05.2013:1)
    OS: Microsoft Windows XP x86
    Ran by Keith Simmons on Sat 09/07/2013 at 11:30:34.28
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




    ~~~ Services



    ~~~ Registry Values

    Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
    Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL



    ~~~ Registry Keys

    Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{660552A4-E87B-45B7-98C6-DBCCDA9F2830}
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{390A908E-A8CB-4e7c-8102-724F4C50CF08}



    ~~~ Files



    ~~~ Folders





    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on Sat 09/07/2013 at 11:39:49.70
    End of JRT log
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


    All RKreport.txt

    RogueKiller V8.6.9 [Sep 3 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.adlice.com/forum/
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Normal mode
    User : Keith Simmons [Admin rights]
    Mode : Scan -- Date : 09/07/2013 11:51:34
    | ARK || FAK || MBR |

    Bad processes : 0

    Registry Entries : 4
    [RUN][SUSP PATH] HKLM\[...]\Run : etMonitor (C:\WINDOWS\etMon.exe [-]) -> FOUND
    [HJ POL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
    [HJ POL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    Scheduled tasks : 1
    [V1][SUSP PATH] At5.job : C:\DOCUME~1\KEITHS~1\APPLIC~1\DSite\UPDATE~1\UPDATE~1.EXE - /Check [x] -> FOUND

    Startup Entries : 0




    RogueKiller V8.6.9 [Sep 3 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.adlice.com/forum/
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Normal mode
    User : Keith Simmons [Admin rights]
    Mode : Remove -- Date : 09/07/2013 11:52:14
    | ARK || FAK || MBR |

    Bad processes : 0

    Registry Entries : 4
    [RUN][SUSP PATH] HKLM\[...]\Run : etMonitor (C:\WINDOWS\etMon.exe [-]) -> DELETED
    [HJ POL] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
    [HJ POL] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

    Scheduled tasks : 1
    [V1][SUSP PATH] At5.job : C:\DOCUME~1\KEITHS~1\APPLIC~1\DSite\UPDATE~1\UPDATE~1.EXE - /Check [x] -> DELETED

    Startup Entries : 0

    Web browsers : 0

    Particular Files / Folders:

    Driver : [LOADED]

    External Hives:

    Infection :

    HOSTS File:
    --> %SystemRoot%\System32\drivers\etc\hosts


    [...]


    MBR Check:

    +++++ PhysicalDrive0: ST3160812AS +++++
    --- User ---
    [MBR] ccd14587e2bd1506151bda17c281545b
    [BSP] 3efdd157322bc54deb4f0f8435ac64f6 : MBR Code unknown
    Partition table:
    0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 80325 | Size: 147793 Mo
    2 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 302760990 | Size: 4753 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[0]_D_09072013_115214.txt >>
    RKreport[0]_S_09072013_115134.txt



    Thanks again!

    Best Regards,

    Keith

  #4: Malware Team: Emeritus (Join Date: Oct 2012, Posts: 246)

    Hi snurd

    Please read through these instructions to familiarize yourself with what to expect when this tool runs.

    Refer to the ComboFix User's Guide

    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT- Save ComboFix.exe to your Desktop

    ====================================================

    Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications

    ====================================================


    Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

    On your next reply please post:
    • Combofix log

    Let me know if you have any problems performing the steps above or any questions you may have.

    Good Day!
    - Proud Graduate of WTT Classroom -

    - Member of UNITE -

  5. #5
    Junior Member
    Join Date
    Sep 2013
    Posts
    16

    Default Combofix Log

    Here is the requested log. Thanks!

    ComboFix.txt:

    ComboFix 13-09-08.02 - Keith Simmons 09/08/2013 12:42:07.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.649 [GMT -5:00]
    Running from: c:\documents and settings\Keith Simmons\My Documents\Downloads\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\imgdoc2.dll
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\All Users\Application Data\TEMP\DFC5A2B2.TMP
    c:\documents and settings\Keith Simmons\Cookies\arudonine.bat
    c:\documents and settings\Keith Simmons\Cookies\dyvycudi.pif
    c:\documents and settings\Keith Simmons\Cookies\ihepofyhuw.inf
    c:\documents and settings\Keith Simmons\Cookies\ofukisamac.pif
    c:\documents and settings\Keith Simmons\My Documents\~WRL0836.tmp
    c:\documents and settings\Keith Simmons\My Documents\~WRL3408.tmp
    c:\documents and settings\Keith Simmons\WINDOWS
    c:\program files\Common Files\daxipezeju.db
    c:\program files\Internet Explorer\SET862.tmp
    c:\program files\Internet Explorer\SET863.tmp
    c:\program files\Internet Explorer\SET865.tmp
    c:\program files\Internet Explorer\SET8C8.tmp
    c:\program files\Internet Explorer\SET8C9.tmp
    c:\program files\Internet Explorer\SET8CA.tmp
    c:\windows\badymivili._sy
    c:\windows\system32\_000008_.tmp.dll
    c:\windows\system32\_000009_.tmp.dll
    c:\windows\system32\_000010_.tmp.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2013-08-08 to 2013-09-08 )))))))))))))))))))))))))))))))
    .
    .
    2013-09-07 20:44 . 2013-09-07 20:44 -------- d-----w- c:\windows\Q8Y3FKXANT6BHNTZ
    2013-09-07 20:25 . 2013-09-07 20:25 -------- d-----w- c:\windows\GDO1DPV16BGTZCIV
    2013-09-07 20:19 . 2013-09-07 20:19 -------- d-----w- c:\windows\T1KP27JO164H87KI
    2013-09-07 17:29 . 2013-09-07 17:29 -------- d-----w- c:\windows\0W3GZCP2LYBV8KXE
    2013-09-07 16:30 . 2013-09-07 16:30 -------- d-----w- c:\windows\ERUNT
    2013-09-07 16:25 . 2013-09-07 16:25 -------- d-----w- c:\windows\MXFSYBO1DIV8KXA8
    2013-09-06 21:11 . 2013-09-06 21:11 -------- d-----w- c:\windows\9XG7QAUSC3KBVF6P
    2013-09-06 21:10 . 2013-09-06 21:10 -------- d-----w- c:\windows\GX0Q9SB2SJW9EKQV
    2013-09-06 16:26 . 2013-09-06 16:26 -------- d-----w- c:\windows\RN0CP2EJW864A10Z
    2013-09-04 17:45 . 2013-09-04 17:45 -------- d-----w- c:\program files\ERUNT
    2013-09-04 16:37 . 2013-09-04 16:37 -------- d-----w- c:\windows\QIUEKXANT6IGFLKJ
    2013-09-04 16:36 . 2013-09-04 16:36 -------- d-----w- c:\windows\BM375WFYPGE5O1KX
    2013-09-04 16:31 . 2013-09-07 16:23 -------- d-----w- C:\AdwCleaner
    2013-09-04 14:18 . 2013-09-04 14:18 -------- d-----w- c:\windows\UJP2LYBHU7JWER3F
    2013-09-04 14:17 . 2013-09-04 14:17 -------- d-----w- c:\windows\3VCP2EKXAGFLRJAG
    2013-09-04 05:19 . 2013-09-04 05:19 -------- d-----w- c:\windows\NGT6IV8KP2FLRX1K
    2013-09-04 05:13 . 2013-09-04 05:24 -------- d-----w- c:\documents and settings\All Users\Application Data\PC VITALWARE
    2013-09-04 05:13 . 2013-09-04 05:13 -------- d-----w- c:\documents and settings\Keith Simmons\Application Data\PC VITALWARE
    2013-09-04 04:05 . 2013-09-04 04:05 -------- d-----w- c:\windows\IQA1J2ZBVM68YH8Y
    2013-09-04 03:00 . 2013-09-04 03:00 -------- d-----w- c:\windows\LA1YI9ZI90J9XNEY
    2013-09-04 00:55 . 2013-09-04 00:55 -------- d-----w- c:\windows\D69TXG7XH1YO1LYI
    2013-09-03 23:11 . 2013-09-03 23:11 -------- d-----w- c:\windows\XLYB2LYBO1DX2MZJ
    2013-09-03 21:19 . 2013-09-03 21:19 -------- d-----w- c:\windows\R14HMR4G05AMZ5HG
    2013-09-02 21:36 . 2013-09-02 21:36 -------- d-----w- c:\windows\QFLYBOU7CPOUTLRX
    2013-09-02 21:35 . 2013-09-02 21:35 -------- d-----w- c:\windows\GBS5HU0CHU4GTZCP
    2013-09-02 20:56 . 2013-09-02 20:56 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2013-09-02 19:52 . 2013-09-02 19:52 -------- d-----w- c:\windows\S9RA1RB9ZIE5OF6P
    2013-09-02 19:47 . 2013-09-02 19:47 -------- d-----w- c:\windows\AEA8C2ZWUSQA1KB2
    2013-09-02 18:05 . 2013-09-02 18:05 -------- d-----w- c:\windows\3SHU7CWG0H1EJW9L
    2013-09-02 17:28 . 2013-09-02 17:28 -------- d-----w- c:\windows\I5HMZCWNJW9ZJW9E
    2013-09-02 17:21 . 2013-09-02 17:21 -------- d-----w- c:\windows\96HTZCP27JONMEDC
    2013-09-02 14:52 . 2013-09-02 14:52 -------- d-----w- c:\windows\MWLY4NS5HMZBV8K2
    2013-09-02 06:58 . 2013-09-02 06:58 -------- d-----w- c:\windows\SZRUX0UWZ2IE03JW
    2013-09-02 06:53 . 2013-09-02 06:53 -------- d-----w- c:\windows\63EXOFZQHZQH8RI9
    2013-09-02 06:50 . 2013-09-02 06:50 -------- d-----w- c:\windows\930DAN7CP2EQ3GT6
    2013-09-02 06:50 . 2013-09-02 06:50 -------- d-----w- c:\windows\0XQTWZ24DFXTPLHD
    2013-09-02 06:39 . 2013-09-02 06:39 -------- d-----w- c:\windows\GCNT6IN05PNTSKJI
    2013-09-02 06:38 . 2013-09-02 06:38 -------- d-----w- c:\windows\JEH8YP9ZP9TDXH1K
    2013-09-02 06:33 . 2013-09-02 06:33 -------- d-----w- c:\windows\QS5O1DQV8KJB3RIV
    2013-09-02 06:32 . 2013-09-02 06:32 -------- d-----w- c:\windows\Y4YEV5EHRT3CFPZS
    2013-09-02 06:22 . 2013-09-02 06:22 -------- d-----w- c:\windows\Y6MORUX09IKUNQTW
    2013-09-02 06:16 . 2013-09-02 06:16 -------- d-----w- c:\windows\841ZI96W8R8YI2ZJ
    2013-09-02 03:39 . 2013-09-02 03:39 -------- d-----w- c:\windows\0AS5AN05IU05HMLK
    2013-09-02 03:33 . 2013-09-02 03:33 338 ----a-w- c:\documents and settings\Keith Simmons\Local Settings\Application Data\poetsch.bat
    2013-09-01 22:17 . 2013-09-01 22:17 -------- d-----w- c:\windows\SOS2SI2SBVL5H1DQ
    2013-09-01 21:03 . 2013-09-01 21:03 -------- d-----w- c:\windows\7HPZGQ7NXE7N4KUB
    2013-08-31 22:43 . 2013-08-31 22:43 -------- d-----w- c:\windows\QGY305386IDA7XUS
    2013-08-31 22:25 . 2013-08-31 22:25 -------- d-----w- c:\windows\X63N6XG7Q9ZI9SCP
    2013-08-31 03:46 . 2013-08-31 03:46 -------- d-----w- c:\windows\7I7JO16IN05A8DBA
    2013-08-30 16:20 . 2007-04-09 18:23 28552 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\mdippr.dll
    2013-08-30 16:20 . 2007-04-09 18:23 28040 ----a-w- c:\windows\system32\mdimon.dll
    2013-08-30 16:19 . 2013-08-30 16:19 -------- d-----w- c:\program files\Microsoft.NET
    2013-08-14 23:03 . 2013-08-14 23:03 -------- d-----w- c:\windows\LAGT6IV8DPV7J3M6
    2013-08-14 23:02 . 2013-08-14 23:02 -------- d-----w- c:\windows\WDQ3T6IV0C3M6XGT
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-08-03 19:18 . 2006-10-19 02:47 1543680 ------w- c:\windows\system32\wmvdecod.dll
    2013-07-29 22:07 . 2013-07-06 22:33 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2013-07-29 22:07 . 2013-07-06 22:33 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2013-07-26 02:47 . 2005-08-16 10:18 920064 ----a-w- c:\windows\system32\wininet.dll
    2013-07-26 02:47 . 2005-08-16 10:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2013-07-26 02:47 . 2005-08-16 10:18 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2013-07-25 15:52 . 2005-08-16 10:18 385024 ----a-w- c:\windows\system32\html.iec
    2013-07-10 10:37 . 2005-08-16 10:18 406016 ----a-w- c:\windows\system32\usp10.dll
    2013-07-04 03:03 . 2005-08-16 10:18 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
    2013-07-04 02:08 . 2004-08-04 04:59 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2013-06-27 19:34 . 2013-03-19 15:20 175176 ----a-w- c:\windows\system32\drivers\aswVmm.sys
    2013-06-27 19:34 . 2011-06-01 02:29 770344 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2013-06-27 19:34 . 2009-03-28 14:33 369584 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2008-11-13 21:56 . 2008-11-13 21:56 11281 ----a-w- c:\program files\Common Files\woko.bin
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2013-05-09 08:58 121968 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2012-11-07 6756048]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 282624]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
    "EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1387288]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2013-05-01 421888]
    .
    c:\documents and settings\Keith Simmons\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE %SystemRoot%\ERDNT\AutoBackup\#Date# /noconfirmdelete /noprogresswindow [2005-10-20 38912]
    WKCALREM.LNK - c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2005-10-7 21504]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-1-11 24576]
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-10-2 815104]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
    2011-09-27 19:03 66328 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\system32\guard32.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    .
    R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [3/19/2013 10:20 AM 49376]
    R0 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [3/19/2013 10:20 AM 175176]
    R0 tffsport;M-Systems DiskOnChip 2000;c:\windows\system32\drivers\tffsport.sys [11/25/2008 5:52 PM 149376]
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [5/31/2011 9:29 PM 770344]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/28/2009 9:33 AM 369584]
    R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [6/4/2010 11:55 AM 497952]
    R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [6/1/2010 7:00 PM 32640]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/28/2009 9:33 AM 29816]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [3/19/2013 10:20 AM 66336]
    R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [1/5/2012 4:33 PM 12184]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
    S3 DCamUSBET;ET USB 2710 Camera;c:\windows\system32\drivers\etDevice.sys [6/27/2007 1:59 PM 88704]
    S3 FiltUSBET;ET USB Device Lower Filter;c:\windows\system32\drivers\etFilter.sys [6/27/2007 1:59 PM 103680]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys --> c:\windows\system32\DRIVERS\motccgp.sys [?]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys --> c:\windows\system32\DRIVERS\motccgpfl.sys [?]
    S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys --> c:\windows\system32\DRIVERS\motport.sys [?]
    S3 ScanUSBET;ET USB Still Image Capture Device;c:\windows\system32\drivers\etScan.sys [6/27/2007 1:59 PM 5760]
    S3 SIUSBXP;SIUSBXP;c:\windows\system32\drivers\SiUSBXp.sys [11/8/2010 2:45 PM 14592]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
    2013-09-04 10:29 1177552 ----a-w- c:\program files\Google\Chrome\Application\29.0.1547.66\Installer\chrmstp.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-09-08 c:\windows\Tasks\At1.job
    - c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-11-17 03:12]
    .
    2013-09-08 c:\windows\Tasks\At2.job
    - c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-11-17 03:12]
    .
    2013-09-07 c:\windows\Tasks\At3.job
    - c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-11-17 03:12]
    .
    2013-09-07 c:\windows\Tasks\At4.job
    - c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-11-17 03:12]
    .
    2013-09-08 c:\windows\Tasks\avast! Emergency Update.job
    - c:\program files\Alwil Software\Avast5\AvastEmUpdate.exe [2012-07-06 08:58]
    .
    2013-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-26 20:07]
    .
    2013-09-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-26 20:07]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://us.yahoo.com?fr=fp-comodo
    uInternet Connection Wizard,ShellNext = hxxp://home.frontiernet.net/WelcomeCD.asp
    uSearchAssistant = hxxp://www.google.com
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.254.254
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Notify-WgaLogon - (no file)
    AddRemove-EL-USB&10C4&0002 - c:\program files\Silabs\MCU\DriverUninstall\DriverUninstaller.exe USBXpress\EL-USB&10C4&0002
    AddRemove-QuickBooks - c:\program files\Intuit\QuickBooks\DeIsL1.isu
    AddRemove-SmileBox_EN Toolbar - c:\program files\SmileBox_EN\uninstall.exe
    AddRemove-DSite - c:\documents and settings\Keith Simmons\Application Data\DSite\UpdateProc\UpdateTask.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2013-09-08 13:03
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    detected NTDLL code modification:
    ZwClose
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(788)
    c:\windows\system32\guard32.dll
    c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
    .
    - - - - - - - > 'lsass.exe'(844)
    c:\windows\system32\guard32.dll
    .
    - - - - - - - > 'csrss.exe'(760)
    c:\windows\system32\cmdcsr.dll
    .
    Completion time: 2013-09-08 13:05:45
    ComboFix-quarantined-files.txt 2013-09-08 18:05
    .
    Pre-Run: 117,411,885,056 bytes free
    Post-Run: 117,538,107,392 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
    .
    - - End Of File - - 432BCEEFE0DD8BB1D0711BB57F8BC230
    5CB90281D1A59B251F6603134774EEC3

  6. #6
    Malware Team: Emeritus
    Join Date
    Oct 2012
    Posts
    246

    Default

    Hi snurd

    Please follow all previous instructions regarding security programs.

    Open a new Notepad session
    • Click the Start button, click run
    • in the run box type notepad
    • click ok
    • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
    • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE


    Code:
    Folder::
    c:\windows\Q8Y3FKXANT6BHNTZ
    c:\windows\GDO1DPV16BGTZCIV
    c:\windows\T1KP27JO164H87KI
    c:\windows\0W3GZCP2LYBV8KXE
    c:\windows\MXFSYBO1DIV8KXA8
    c:\windows\9XG7QAUSC3KBVF6P
    c:\windows\GX0Q9SB2SJW9EKQV
    c:\windows\RN0CP2EJW864A10Z
    c:\windows\QIUEKXANT6IGFLKJ
    c:\windows\BM375WFYPGE5O1KX
    c:\windows\UJP2LYBHU7JWER3F
    c:\windows\3VCP2EKXAGFLRJAG
    c:\windows\NGT6IV8KP2FLRX1K
    c:\windows\IQA1J2ZBVM68YH8Y
    c:\windows\LA1YI9ZI90J9XNEY
    c:\windows\D69TXG7XH1YO1LYI
    c:\windows\XLYB2LYBO1DX2MZJ
    c:\windows\R14HMR4G05AMZ5HG
    c:\windows\QFLYBOU7CPOUTLRX
    c:\windows\GBS5HU0CHU4GTZCP
    c:\windows\S9RA1RB9ZIE5OF6P
    c:\windows\AEA8C2ZWUSQA1KB2
    c:\windows\3SHU7CWG0H1EJW9L
    c:\windows\I5HMZCWNJW9ZJW9E
    c:\windows\96HTZCP27JONMEDC
    c:\windows\MWLY4NS5HMZBV8K2
    c:\windows\SZRUX0UWZ2IE03JW
    c:\windows\63EXOFZQHZQH8RI9
    c:\windows\930DAN7CP2EQ3GT6
    c:\windows\0XQTWZ24DFXTPLHD
    c:\windows\GCNT6IN05PNTSKJI
    c:\windows\JEH8YP9ZP9TDXH1K
    c:\windows\QS5O1DQV8KJB3RIV
    c:\windows\Y4YEV5EHRT3CFPZS
    c:\windows\Y6MORUX09IKUNQTW
    c:\windows\841ZI96W8R8YI2ZJ
    c:\windows\0AS5AN05IU05HMLK
    c:\windows\SOS2SI2SBVL5H1DQ
    c:\windows\7HPZGQ7NXE7N4KUB
    c:\windows\QGY305386IDA7XUS
    c:\windows\X63N6XG7Q9ZI9SCP
    c:\windows\7I7JO16IN05A8DBA
    c:\windows\LAGT6IV8DPV7J3M6
    c:\windows\WDQ3T6IV0C3M6XGT

    In the notepad
    • Click File, Save as..., and set the Save in to your Desktop
    • In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
    • Click save

    Using your left mouse button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

    This will start ComboFix again. Close all browsers/windows first.

    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


    Next

    You will have to unhide files/folders to see the "Local Settings" and "Application Data" folders. To do that, click on My Computer then go to Tools - Folder Options and click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders". Click "Apply" then "OK".

    Next

    Please go to: VirusTotal

    • Click the Browse button and search for the following file:

      c:\documents and settings\Keith Simmons\Local Settings\Application Data\poetsch.bat
    • Click Open
    • Then click Send File
    • Please be patient while the file is scanned.
    • Once the scan results appear, please provide them in your next reply.

    If it says already scanned -- click "reanalyze now"

    Please post the results in your next reply.
    - Proud Graduate of WTT Classroom -

    - Member of UNITE -
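
    The CFScript in the post above was assembled by hand from the "Files Created" section of the ComboFix log: every entry that is a directory sitting directly under c:\windows with a random 16-character name went into the Folder:: list, while ERUNT, AdwCleaner and the nested system32 paths were left out. The Python script below, added here as an illustration and not part of this thread or of ComboFix itself, automates that triage step. It parses log lines in the layout ComboFix prints, flags directories whose name matches that pattern, and renders the Folder:: block in the same layout as the post. The two regular expressions are my own reading of the log format, and the sample lines are copied from the log earlier in the thread rather than being a full log.

```python
import re

# A few lines copied from the "Files Created" section of the ComboFix log
# posted earlier in this thread; constructed as a sample, not a full log.
SAMPLE_LOG = r"""
2013-09-07 20:44 . 2013-09-07 20:44 -------- d-----w- c:\windows\Q8Y3FKXANT6BHNTZ
2013-09-07 16:30 . 2013-09-07 16:30 -------- d-----w- c:\windows\ERUNT
2013-09-04 16:31 . 2013-09-07 16:23 -------- d-----w- C:\AdwCleaner
2013-09-02 03:33 . 2013-09-02 03:33 338 ----a-w- c:\documents and settings\Keith Simmons\Local Settings\Application Data\poetsch.bat
2013-08-30 16:20 . 2007-04-09 18:23 28552 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\mdippr.dll
2013-08-14 23:02 . 2013-08-14 23:02 -------- d-----w- c:\windows\WDQ3T6IV0C3M6XGT
"""

# One "Files Created" line: created stamp, ".", modified stamp, size (dashes
# for a directory), attribute flags, path. Assumed from the log layout above.
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) "
    r"(?P<attrs>[d-][a-z-]{7}) "
    r"(?P<path>\S.*)$"
)

# Name pattern the helper selected: exactly 16 upper-case letters or digits.
RANDOM_NAME_RE = re.compile(r"^[A-Z0-9]{16}$")
WINDOWS_ROOT = "c:\\windows\\"


def parse_files_created(text):
    """Return one dict per parsable log line; anything else is ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        # The first attribute flag is 'd' for directories.
        entry["is_dir"] = entry["attrs"].startswith("d")
        entries.append(entry)
    return entries


def suspicious_dirs(entries):
    """Directories directly under c:\\windows whose name looks machine-generated."""
    hits = []
    for e in entries:
        if not e["is_dir"]:
            continue
        path = e["path"]
        if not path.lower().startswith(WINDOWS_ROOT):
            continue
        name = path[len(WINDOWS_ROOT):]
        # Anything nested deeper (a further backslash) is not considered.
        if "\\" in name or not RANDOM_NAME_RE.match(name):
            continue
        hits.append(path)
    return hits


def build_cfscript(paths):
    """Render the Folder:: block in the layout used in the post above."""
    return "Folder::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    found = suspicious_dirs(parse_files_created(SAMPLE_LOG))
    print(build_cfscript(found), end="")
```

    Run against the sample it emits a two-entry Folder:: block and leaves the ERUNT, AdwCleaner, poetsch.bat and mdippr.dll lines alone. The name heuristic is deliberately narrow; whatever it selects should still be read against the full log before it goes into a CFScript, since ComboFix deletes what the Folder:: directive lists.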

  7. #7
    Junior Member
    Join Date
    Sep 2013
    Posts
    16

    Default ComboFix.txt and Virus Total scan

    Latest results: Thanks!

    ComboFix.txt

    ComboFix 13-09-08.02 - Keith Simmons 09/09/2013 0:23.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.559 [GMT -5:00]
    Running from: c:\documents and settings\Keith Simmons\My Documents\Downloads\ComboFix.exe
    Command switches used :: c:\documents and settings\Keith Simmons\Desktop\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\0AS5AN05IU05HMLK
    c:\windows\0W3GZCP2LYBV8KXE
    c:\windows\0XQTWZ24DFXTPLHD
    c:\windows\3SHU7CWG0H1EJW9L
    c:\windows\3VCP2EKXAGFLRJAG
    c:\windows\63EXOFZQHZQH8RI9
    c:\windows\7HPZGQ7NXE7N4KUB
    c:\windows\7I7JO16IN05A8DBA
    c:\windows\841ZI96W8R8YI2ZJ
    c:\windows\930DAN7CP2EQ3GT6
    c:\windows\96HTZCP27JONMEDC
    c:\windows\9XG7QAUSC3KBVF6P
    c:\windows\AEA8C2ZWUSQA1KB2
    c:\windows\BM375WFYPGE5O1KX
    c:\windows\D69TXG7XH1YO1LYI
    c:\windows\GBS5HU0CHU4GTZCP
    c:\windows\GCNT6IN05PNTSKJI
    c:\windows\GDO1DPV16BGTZCIV
    c:\windows\GX0Q9SB2SJW9EKQV
    c:\windows\I5HMZCWNJW9ZJW9E
    c:\windows\IQA1J2ZBVM68YH8Y
    c:\windows\JEH8YP9ZP9TDXH1K
    c:\windows\LA1YI9ZI90J9XNEY
    c:\windows\LAGT6IV8DPV7J3M6
    c:\windows\MWLY4NS5HMZBV8K2
    c:\windows\MXFSYBO1DIV8KXA8
    c:\windows\NGT6IV8KP2FLRX1K
    c:\windows\Q8Y3FKXANT6BHNTZ
    c:\windows\QFLYBOU7CPOUTLRX
    c:\windows\QGY305386IDA7XUS
    c:\windows\QIUEKXANT6IGFLKJ
    c:\windows\QS5O1DQV8KJB3RIV
    c:\windows\R14HMR4G05AMZ5HG
    c:\windows\RN0CP2EJW864A10Z
    c:\windows\S9RA1RB9ZIE5OF6P
    c:\windows\SOS2SI2SBVL5H1DQ
    c:\windows\SZRUX0UWZ2IE03JW
    c:\windows\T1KP27JO164H87KI
    c:\windows\UJP2LYBHU7JWER3F
    c:\windows\WDQ3T6IV0C3M6XGT
    c:\windows\X63N6XG7Q9ZI9SCP
    c:\windows\XLYB2LYBO1DX2MZJ
    c:\windows\Y4YEV5EHRT3CFPZS
    c:\windows\Y6MORUX09IKUNQTW
    .
    .
    ((((((((((((((((((((((((( Files Created from 2013-08-09 to 2013-09-09 )))))))))))))))))))))))))))))))
    .
    .
    2013-09-08 18:41 . 2013-09-08 18:41 -------- d-----w- c:\windows\BQFZ5OTZCPONMEW2
    2013-09-07 16:30 . 2013-09-07 16:30 -------- d-----w- c:\windows\ERUNT
    2013-09-04 17:45 . 2013-09-04 17:45 -------- d-----w- c:\program files\ERUNT
    2013-09-04 16:31 . 2013-09-07 16:23 -------- d-----w- C:\AdwCleaner
    2013-09-04 05:13 . 2013-09-04 05:24 -------- d-----w- c:\documents and settings\All Users\Application Data\PC VITALWARE
    2013-09-04 05:13 . 2013-09-04 05:13 -------- d-----w- c:\documents and settings\Keith Simmons\Application Data\PC VITALWARE
    2013-09-02 20:56 . 2013-09-02 20:56 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2013-09-02 03:33 . 2013-09-02 03:33 338 ----a-w- c:\documents and settings\Keith Simmons\Local Settings\Application Data\poetsch.bat
    2013-08-30 16:20 . 2007-04-09 18:23 28552 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\mdippr.dll
    2013-08-30 16:20 . 2007-04-09 18:23 28040 ----a-w- c:\windows\system32\mdimon.dll
    2013-08-30 16:19 . 2013-08-30 16:19 -------- d-----w- c:\program files\Microsoft.NET
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-08-03 19:18 . 2006-10-19 02:47 1543680 ------w- c:\windows\system32\wmvdecod.dll
    2013-07-29 22:07 . 2013-07-06 22:33 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2013-07-29 22:07 . 2013-07-06 22:33 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2013-07-26 02:47 . 2005-08-16 10:18 920064 ----a-w- c:\windows\system32\wininet.dll
    2013-07-26 02:47 . 2005-08-16 10:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2013-07-26 02:47 . 2005-08-16 10:18 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2013-07-25 15:52 . 2005-08-16 10:18 385024 ----a-w- c:\windows\system32\html.iec
    2013-07-10 10:37 . 2005-08-16 10:18 406016 ----a-w- c:\windows\system32\usp10.dll
    2013-07-04 03:03 . 2005-08-16 10:18 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
    2013-07-04 02:08 . 2004-08-04 04:59 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2013-06-27 19:34 . 2013-03-19 15:20 175176 ----a-w- c:\windows\system32\drivers\aswVmm.sys
    2013-06-27 19:34 . 2011-06-01 02:29 770344 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2013-06-27 19:34 . 2009-03-28 14:33 369584 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2008-11-13 21:56 . 2008-11-13 21:56 11281 ----a-w- c:\program files\Common Files\woko.bin
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2013-05-09 08:58 121968 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2012-11-07 6756048]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 282624]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
    "EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1387288]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2013-05-01 421888]
    .
    c:\documents and settings\Keith Simmons\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE %SystemRoot%\ERDNT\AutoBackup\#Date# /noconfirmdelete /noprogresswindow [2005-10-20 38912]
    WKCALREM.LNK - c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2005-10-7 21504]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-1-11 24576]
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-10-2 815104]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
    2011-09-27 19:03 66328 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]
    [BU]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\system32\guard32.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    .
    R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [3/19/2013 10:20 AM 49376]
    R0 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [3/19/2013 10:20 AM 175176]
    R0 tffsport;M-Systems DiskOnChip 2000;c:\windows\system32\drivers\tffsport.sys [11/25/2008 5:52 PM 149376]
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [5/31/2011 9:29 PM 770344]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/28/2009 9:33 AM 369584]
    R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [6/4/2010 11:55 AM 497952]
    R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [6/1/2010 7:00 PM 32640]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/28/2009 9:33 AM 29816]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [3/19/2013 10:20 AM 66336]
    R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [1/5/2012 4:33 PM 12184]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
    S3 DCamUSBET;ET USB 2710 Camera;c:\windows\system32\drivers\etDevice.sys [6/27/2007 1:59 PM 88704]
    S3 FiltUSBET;ET USB Device Lower Filter;c:\windows\system32\drivers\etFilter.sys [6/27/2007 1:59 PM 103680]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys --> c:\windows\system32\DRIVERS\motccgp.sys [?]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys --> c:\windows\system32\DRIVERS\motccgpfl.sys [?]
    S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys --> c:\windows\system32\DRIVERS\motport.sys [?]
    S3 ScanUSBET;ET USB Still Image Capture Device;c:\windows\system32\drivers\etScan.sys [6/27/2007 1:59 PM 5760]
    S3 SIUSBXP;SIUSBXP;c:\windows\system32\drivers\SiUSBXp.sys [11/8/2010 2:45 PM 14592]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
    2013-09-04 10:29 1177552 ----a-w- c:\program files\Google\Chrome\Application\29.0.1547.66\Installer\chrmstp.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-09-08 c:\windows\Tasks\At1.job
    - c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-11-17 03:12]
    .
    2013-09-09 c:\windows\Tasks\At2.job
    - c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-11-17 03:12]
    .
    2013-09-08 c:\windows\Tasks\At3.job
    - c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-11-17 03:12]
    .
    2013-09-08 c:\windows\Tasks\At4.job
    - c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-11-17 03:12]
    .
    2013-09-09 c:\windows\Tasks\avast! Emergency Update.job
    - c:\program files\Alwil Software\Avast5\AvastEmUpdate.exe [2012-07-06 08:58]
    .
    2013-09-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-26 20:07]
    .
    2013-09-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-26 20:07]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://us.yahoo.com?fr=fp-comodo
    uInternet Connection Wizard,ShellNext = hxxp://home.frontiernet.net/WelcomeCD.asp
    uSearchAssistant = hxxp://www.google.com
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.254.254
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2013-09-09 00:31
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    detected NTDLL code modification:
    ZwClose
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(792)
    c:\windows\system32\guard32.dll
    c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
    .
    - - - - - - - > 'lsass.exe'(848)
    c:\windows\system32\guard32.dll
    .
    - - - - - - - > 'explorer.exe'(3344)
    c:\windows\system32\WININET.dll
    c:\windows\system32\guard32.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\mshtml.dll
    c:\windows\system32\msls31.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    - - - - - - - > 'csrss.exe'(764)
    c:\windows\system32\cmdcsr.dll
    .
    Completion time: 2013-09-09 00:33:56
    ComboFix-quarantined-files.txt 2013-09-09 05:33
    ComboFix2.txt 2013-09-08 18:05
    .
    Pre-Run: 117,445,287,936 bytes free
    Post-Run: 117,433,683,968 bytes free
    .
    - - End Of File - - 5AB083EABD964472F78945DCE34E4E61
    5CB90281D1A59B251F6603134774EEC3




    Virus Total Scan:

    SHA256: 064d7b44ca6a31b7905cbb69021271cca86b81cb090467b72871d3dc08fd1ecf
    SHA1: ababf26a021b40984011c933cba2734ae883308b
    MD5: 66bf6205ff477f3978c69cd2cbfb24b7
    File size: 338 bytes ( 338 bytes )
    File name: poetsch.bat
    File type: Text
    Detection ratio: 0 / 47
    Analysis date: 2013-09-09 05:43:32 UTC ( 0 minutes ago )


    Analysis:

    Antivirus Result: (Note-All have green checks beside the result)

    Agnitum  20130908
    AhnLab-V3  20130908
    AntiVir  20130909
    Antiy-AVL  20130908
    Avast  20130909
    AVG  20130908
    Baidu-International  20130908
    BitDefender  20130909
    ByteHero  20130903
    CAT-QuickHeal  20130908
    ClamAV  20130909
    Commtouch  20130909
    Comodo  20130909
    DrWeb  20130909
    Emsisoft  20130909
    ESET-NOD32  20130908
    F-Prot  20130909
    F-Secure  20130909
    Fortinet  20130909
    GData  20130909
    Ikarus  20130909
    Jiangmin  20130903
    K7AntiVirus  20130906
    K7GW  20130906
    Kaspersky  20130909
    Kingsoft  20130829
    Malwarebytes  20130909
    McAfee  20130909
    McAfee-GW-Edition  20130909
    Microsoft  20130909
    MicroWorld-eScan  20130909
    NANO-Antivirus  20130909
    Norman  20130908
    nProtect  20130909
    Panda  20130908
    PCTools  20130908
    Rising  20130906
    Sophos  20130909
    SUPERAntiSpyware  20130908
    Symantec  20130909
    TheHacker  20130908
    TotalDefense  20130906
    TrendMicro  20130909
    TrendMicro-HouseCall  20130909
    VBA32  20130906
    VIPRE  20130909
    ViRobot  20130909

    Additional Information:

    File identification
    MD5 66bf6205ff477f3978c69cd2cbfb24b7
    SHA1 ababf26a021b40984011c933cba2734ae883308b
    SHA256 064d7b44ca6a31b7905cbb69021271cca86b81cb090467b72871d3dc08fd1ecf
    ssdeep 6:mRpLqFsAmBYKdEARm5oJQ+pK/2AY5798rdEARm5oJQ+pK/2AY579V9J40DoCdEAj:mRlqFs7mjGi6HwmjGi6HV9J4dRjGi6/

    File size 338 bytes ( 338 bytes )
    File type Text
    Magic literal ASCII text, with CRLF line terminators

    TrID file seems to be plain text/ASCII (0.0%)


    VirusTotal metadata
    First submission 2013-09-09 05:43:32 UTC ( 7 minutes ago )
    Last submission 2013-09-09 05:43:32 UTC ( 7 minutes ago )
    File names poetsch.bat

  8. #8
    Malware Team: Emeritus
    Join Date
    Oct 2012
    Posts
    246

    Default Malwarebytes and ESET

    Hi snurd

    very good job

    • Please open your MalwareBytes AntiMalware Program
    • Click the Update Tab and search for updates
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected. <-- very important
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.


    Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


    Next


    ESET Online Scanner
    I'd like us to scan your machine with ESET OnlineScan

    Note: If you are using Windows Vista/7, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    *Note
    It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



    1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    2. Click the button.
    3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      1. Click on to download the ESET Smart Installer. Save it to your desktop.
      2. Double click on the icon on your desktop.
    4. Check
    5. Click the button.
    6. Accept any security warnings from your browser.
    7. Check
    8. Make sure that the option "Remove found threats" is Unchecked
    9. Push the Start button.
    10. ESET will then download updates for itself, install itself, and begin
      scanning your computer. Please be patient as this can take some time.
    11. When the scan completes, push
    12. Push , and save the file to your desktop using a unique name, such as MyEsetScan. Alternatively, look for report in C:\Program Files\ESET\ESET Online Scanner\log.txt. Include the contents of this report in your next reply.
    13. Push the Back button.
    14. Select Uninstall application on close check box and push

    On your next reply please post :
    • MBAM log
    • ESET Report

    Let me know if you have any problems in performing with the steps above or any questions you may have.

    Good Day!
    - Proud Graduate of WTT Classroom -

    - Member of UNITE -

  9. #9
    Junior Member
    Join Date
    Sep 2013
    Posts
    16

    Default MBAM Log & ESET Report

    Hi Robybel,

    Thanks for the very detailed instructions! Makes it very easy to follow and perform all the requested tasks.

    Here are the latest results requested.

    MBAM LOG

    Malwarebytes Anti-Malware 1.75.0.1300
    www.malwarebytes.org

    Database version: v2013.09.10.07

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Keith Simmons :: D1Q0QCC1 [administrator]

    9/10/2013 8:36:54 AM
    mbam-log-2013-09-10 (08-36-54).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 238890
    Time elapsed: 8 minute(s),

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\Documents and Settings\Keith Simmons\My Documents\Downloads\Express_Installer.exe (PUP.Optional.IBryte) -> Quarantined and deleted successfully.

    (end)


    ESET REPORT

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDownloadergen18.zip Win32/Bagle.gen.zip worm
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDownloadergen19.zip Win32/Bagle.gen.zip worm
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDownloadergen20.zip Win32/Bagle.gen.zip worm
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDownloadergen21.zip Win32/Bagle.gen.zip worm


    Best regards,

    Keith

  10. #10
    Malware Team: Emeritus
    Join Date
    Oct 2012
    Posts
    246

    Default

    Hi Snurd

    Good job
    Scan with OTL
    • Download OTL to your desktop.
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Under Custom Scan paste this in


      netsvcs
      %SYSTEMDRIVE%\*.exe
      /md5start
      explorer.exe
      winlogon.exe
      Userinit.exe
      svchost.exe
      services.exe
      /md5stop
      %systemroot%\*. /rp /s
      %systemdrive%\$Recycle.Bin|@;true;true;true /fp
      DRIVES
      CREATERESTOREPOINT

    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
    • You may need two posts to fit them both in.
    - Proud Graduate of WTT Classroom -

    - Member of UNITE -
