
Removal of rootkit


  • This topic is locked
29 replies to this topic

#1 optimist

optimist

    Member

  • Full Member
  • Pip
  • 88 posts

Posted 07 October 2013 - 01:00 PM

I am hoping to get assistance with the removal of a rootkit that has been found in a scan using MalwareBytes.  I tried to run the dds.scr tool and ended up with blue screen.  This could have been because I hadn't disabled script blockers but, unfortunately, I don't know how to do this.  Could someone please provide instructions - many thanks.

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.10.07.08

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
smiff :: LENOVO-908BF615 [administrator]

07/10/2013 16:23:52
mbam-log-2013-10-07 (16-23-52).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 226514
Time elapsed: 11 minute(s),

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_*202EETADPUG (Rootkit.0Access) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by smiff at 5:20:32 on 2013-10-08
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2038.1503 [GMT 1:00]
.
FW: ZoneAlarm Free Firewall Firewall *Disabled*
.
============== Running Processes ================
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Microsoft\BingBar\7.2.233.0\BBSvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\FpLogonServ.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Lenovo\PM Driver\PMSveH.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\CheckPoint\ZoneAlarm\ZAPrivacyService.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://www.google.co.uk/?gws_rd=cr&ei=KCVIUqT-IuqO5ATTrYDIAQ
uSearch Bar = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
uSearch Page = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
uProxyServer = hxxp=127.0.0.1:1062;https=127.0.0.1:1062;
uProxyOverride = <-loopback>
uSearchURL,(Default) = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Zonealarm Helper Object: {2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C} - c:\program files\check point software technologies ltd\zonealarm\1.8.22.0\bh\zonealarm.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\microsoft\bingbar\7.2.233.0\BingExt.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: CPwmIEBrowserHelper Object: {F040E541-A427-4CF7-85D8-75E3E0F476C5} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\microsoft\bingbar\7.2.233.0\BingExt.dll
TB: ZoneAlarm Security Toolbar: {438FAE3E-BDEF-44D3-AB8B-0C7C8350DF59} - c:\program files\check point software technologies ltd\zonealarm\1.8.22.0\zonealarmTlbr.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [MobileConnect] c:\program files\vodafone\vodafone mobile connect\bin\MobileConnect.exe /silent
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ZoneAlarm] "c:\program files\checkpoint\zonealarm\zatray.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil32_11_7_700_224_ActiveX.exe -update activex
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {0045D4BC-5189-4b67-969C-83BB1906C421} - {0FE81B52-73FA-425F-8F06-3F32451AC73F} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\puresp3.dll
Notify: ACNotify - ACNotify.dll
Notify: ATFUS - c:\windows\system32\FpWinLogonNp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages =  scecli ACGina
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\29.0.1547.76\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-2-16 226016]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-2-16 29712]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-2-16 243152]
R1 PMHler;PMHler;c:\windows\system32\drivers\PMHler.sys [2006-5-24 10240]
R1 Vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2013-8-12 528232]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-8-4 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-8-4 308136]
R2 BBSvc;BingBar Service;c:\program files\microsoft\bingbar\7.2.233.0\BBSvc.EXE [2013-4-2 193672]
R2 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe [2007-6-22 106496]
R2 FNF5SVC;Fn+F5 Service;c:\program files\lenovo\hotkey\FnF5svc.exe [2007-5-11 54832]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2007-2-8 569344]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\vodafone\vodafone mobile connect\bin\VMCService.exe [2008-10-9 14336]
R2 vsmon;TrueVector Internet Monitor;c:\program files\checkpoint\zonealarm\vsmon.exe -service --> c:\program files\checkpoint\zonealarm\vsmon.exe -service [?]
R2 ZAPrivacyService;ZoneAlarm Privacy Service;c:\program files\checkpoint\zonealarm\ZAPrivacyService.exe [2013-6-18 54160]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2007-5-23 30336]
S3 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\7.2.233.0\SeaPort.EXE [2013-4-2 240264]
S3 cpuz132;cpuz132;\??\c:\docume~1\smiff\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\smiff\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
.
=============== Created Last 30 ================
.
2013-09-28 18:52:15 -------- d-----w- c:\documents and settings\smiff\local settings\application data\DoNotTrackPlus
2013-09-28 18:52:14 -------- d-----w- c:\documents and settings\smiff\application data\Check Point Software Technologies LTD
2013-09-28 18:48:35 -------- d-----w- c:\program files\Check Point Software Technologies LTD
2013-09-28 18:48:27 -------- d-----w- c:\program files\CheckPoint
2013-09-28 18:46:37 -------- d-----w- c:\documents and settings\all users\application data\CheckPoint
2013-09-28 17:32:53 -------- d-----w- c:\windows\system32\MRT
2013-09-28 14:03:14 -------- d-----w- c:\program files\MyPC Backup
2013-09-28 12:09:43 17154952 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2013-09-28 11:53:21 -------- d-----w- c:\program files\TweakNow RegCleaner 2012
2013-09-28 11:53:21 -------- d-----w- c:\documents and settings\smiff\application data\TweakNow RegCleaner 2012
2013-09-28 05:56:33 -------- d-----w- c:\documents and settings\smiff\application data\Malwarebytes
2013-09-28 05:56:10 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2013-09-28 05:56:08 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-09-28 05:56:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-09-11 20:25:14 -------- d-----w- c:\documents and settings\smiff\is-748HO.tmp
2013-09-11 20:24:17 -------- d-----w- c:\documents and settings\smiff\is-LF6QV.tmp
2013-09-11 20:22:22 -------- d-----w- c:\documents and settings\smiff\is-0FFH1.tmp
2013-09-11 20:22:01 -------- d-----w- c:\documents and settings\smiff\is-M1S2I.tmp
2013-09-11 20:18:08 -------- d-----w- c:\documents and settings\smiff\is-IQ57I.tmp
2013-09-11 20:18:04 -------- d-----w- c:\documents and settings\smiff\is-5H5JG.tmp
2013-09-10 18:18:14 -------- d-----w- c:\windows\system32\wbem\repository\FS
2013-09-10 18:18:14 -------- d-----w- c:\windows\system32\wbem\Repository
.
==================== Find3M  ====================
.
2013-10-08 04:10:24 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2013-10-08 04:10:21 58288 ----a-w- c:\windows\system32\rpcnet.dll
2013-09-28 12:09:50 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-28 12:09:50 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-08-09 01:56:45 386560 ------w- c:\windows\system32\themeui.dll
2013-08-08 06:05:59 920064 ----a-w- c:\windows\system32\wininet.dll
2013-08-08 06:05:59 43520 ------w- c:\windows\system32\licmgr10.dll
2013-08-08 06:05:59 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-08-08 06:05:58 18944 ------w- c:\windows\system32\corpol.dll
2013-08-08 01:27:48 1877760 ------w- c:\windows\system32\win32k.sys
2013-08-08 00:02:34 385024 ------w- c:\windows\system32\html.iec
2013-08-05 13:30:32 1289728 ----a-w- c:\windows\system32\ole32.dll
2013-08-03 13:18:38 1543680 ------w- c:\windows\system32\wmvdecod.dll
2013-07-10 10:37:53 406016 ------w- c:\windows\system32\usp10.dll
.
============= FINISH:  5:21:31.28 ===============
 

 Results of screen317's Security Check version 0.99.74 
 Windows XP Service Pack 3 x86  
 Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````
 Windows Security Center service is not running! This report may not be accurate!
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300 
 TweakNow RegCleaner 2012  
 Java™ 6 Update 17 
 Java version out of Date!
 Adobe Flash Player 10 Flash Player out of Date!
 Adobe Reader 8 Adobe Reader out of Date!
 Google Chrome 29.0.1547.76 
````````Process Check: objlist.exe by Laurent```````` 
 AVG avgwdsvc.exe
 AVG avgtray.exe
 AVG avgrsx.exe
 AVG avgnsx.exe
 AVG avgemc.exe
 CheckPoint ZoneAlarm vsmon.exe 
 CheckPoint ZoneAlarm ZAPrivacyService.exe 
 CheckPoint ZoneAlarm zatray.exe 
 Check Point Software Technologies LTD zonealarm AbineSDK IE\DNTPService.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 4%
````````````````````End of Log``````````````````````
 


Edited by optimist, 07 October 2013 - 11:33 PM.


#2 Rocket Grannie

Rocket Grannie

    SWI Australian Rebel

  • Administrators
  • PipPipPipPipPip
  • 7,050 posts

Posted 08 October 2013 - 01:27 AM

Hello optimist. Welcome back.

I'm afraid I have bad news.

One or more of the identified infections is a rootkit. Rootkits are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypass security mechanisms and steal sensitive information, which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

I would suggest you disconnect this computer from the Internet immediately you finish reading this post.
If you do any banking or other financial transactions on the computer, or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, your computer is very likely compromised and there is no way to be sure your computer can ever again be trusted.
Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the Operating System.

Visit the following sites for more information on internet theft and when to reformat!

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

If you have any questions before making a final decision, please feel free to ask.

Instructions on how to format and reinstall Windows can be found here

If you want to continue with the cleanup, please proceed with the following steps.

  • Download and save to your Desktop RogueKiller
  • Quit all programs
  • Start RogueKiller.exe
  • Wait until Prescan has finished
  • Click on Scan. Click on Report and copy/paste the content of the notepad


Please download Malwarebytes Anti-Rootkit here.

Please note: This tool is still in BETA mode, so please ensure that you have set a new Restore Point and backed up any important files.

Now:

  • Unzip the contents to a folder on the Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe ( right-click and select Run as administrator for Vista and Windows 7).
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Please post the two logs produced.

Please post:
Rogue Killer report
MBAR logs



Rocket Grannie
 


 
My help is free, but if you wish to help keep these forums running please consider a donation, see here for details.

#3 optimist

optimist

    Member

  • Full Member
  • Pip
  • 88 posts

Posted 08 October 2013 - 02:06 AM

Thanks Rocket Grannie for such a quick response. As this laptop belongs to a friend, I will print your reply and see what they want to do. Thank you for all your help.



#4 optimist

optimist

    Member

  • Full Member
  • Pip
  • 88 posts

Posted 08 October 2013 - 02:23 PM

Hi Rocket Grannie - unfortunately this is not a new laptop and there wasn't a Windows disk supplied when it was bought. I think Windows was pre-installed.

 

I did try to read the instructions to format and reinstall windows but that link doesn't seem to work.

 

I will now follow your instructions to try and clean this machine of these infections.



#5 optimist

optimist

    Member

  • Full Member
  • Pip
  • 88 posts

Posted 08 October 2013 - 03:37 PM

I downloaded and used the RogueKiller programme.  When the scan had finished another page popped up - Zero Access removal with Rogue Killer.  I haven't downloaded anything from this site.

 

At the end of the scan I wasn't sure whether I had to delete the items that were found - I didn't do this and so I won't proceed with the download of Malwarebytes anti rootkit until I get your reply  - in case I have to do the scan again.

 

RogueKiller V8.7.1 [Oct  3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.co...es/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : smiff [Admin rights]
Mode : Scan -- Date : 10/08/2013 21:10:25
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[ZeroAccess][SERVICE] ???etadpug -- "C:\Program Files\Google\Desktop\Install\{41e3db09-29e4-d7f3-0de2-696451e16089}\   \   \???ﯹ๛\{41e3db09-29e4-d7f3-0de2-696451e16089}\GoogleUpdate.exe" < [x] -> STOPPED

¤¤¤ Registry Entries : 10 ¤¤¤
[RUN][ZeroAccess] HKCU\[...]\Run : Google Update ("C:\Documents and Settings\smiff\Local Settings\Application Data\Google\Desktop\Install\{41e3db09-29e4-d7f3-0de2-696451e16089}\???\???\???ﯹ๛\{41e3db09-29e4-d7f3-0de2-696451e16089}\GoogleUpdate.exe" >) -> FOUND
[RUN][ZeroAccess] HKUS\S-1-5-21-2204281632-2994070000-3789831662-1005\[...]\Run : Google Update ("C:\Documents and Settings\smiff\Local Settings\Application Data\Google\Desktop\Install\{41e3db09-29e4-d7f3-0de2-696451e16089}\???\???\???ﯹ๛\{41e3db09-29e4-d7f3-0de2-696451e16089}\GoogleUpdate.exe" >) -> FOUND
[SERVICE][ZeroAccess] HKLM\[...]\CCSet\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{41e3db09-29e4-d7f3-0de2-696451e16089}\   \   \???ﯹ๛\{41e3db09-29e4-d7f3-0de2-696451e16089}\GoogleUpdate.exe" < [x]) -> FOUND
[SERVICE][ZeroAccess] HKLM\[...]\CS001\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{41e3db09-29e4-d7f3-0de2-696451e16089}\   \   \???ﯹ๛\{41e3db09-29e4-d7f3-0de2-696451e16089}\GoogleUpdate.exe" < [x]) -> FOUND
[SERVICE][ZeroAccess] HKLM\[...]\CS002\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{41e3db09-29e4-d7f3-0de2-696451e16089}\   \   \???ﯹ๛\{41e3db09-29e4-d7f3-0de2-696451e16089}\GoogleUpdate.exe" < [x]) -> FOUND
[PROXY IE][PUM] HKCU\[...]\Internet Settings : ProxyServer (hxxp=127.0.0.1:1062;hxxps=127.0.0.1:1062;) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CCSet\[...]\Services : . e () -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CS001\[...]\Services : . e () -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CS002\[...]\Services : . e () -> FOUND

¤¤¤ Scheduled tasks : 2 ¤¤¤
[V1][SUSP PATH] At1.job : C:\DOCUME~1\smiff\APPLIC~1\DSite\UPDATE~1\UPDATE~1.EXE - /Check [-] -> FOUND
[V1][SUSP PATH] At2.job : C:\DOCUME~1\smiff\APPLIC~1\MYSEAR~1\UPDATE~1\UPDATE~1.EXE - /Check [x] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][Folder] Install : C:\Documents and Settings\smiff\Local Settings\Application Data\Google\Desktop\Install [-] --> FOUND
[ZeroAccess][Folder] Install : C:\Program Files\Google\Desktop\Install [-] --> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1       localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) (Standard disk drives) - ST9160821AS +++++
--- User ---
[MBR] 85fe3a2de275ac449f2055e4cc9d49d5
[BSP] 63378462349bcb7c26c59c5c2a1a49a9 : Lenovo MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 146498 Mo
1 - [XXXXXX] COMPAQ (0x12) [VISIBLE] Offset (sectors): 300029940 | Size: 6126 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_10082013_211025.txt >>
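The RogueKiller report above, and the Scan/Remove pair posted later in the thread, use one regular line shape per finding, so the outcome of a cleanup can be checked mechanically rather than by eye. The script below is an added example, not RogueKiller's code and not anything the posters ran: it parses that layout into findings, buckets each status (FOUND, DELETED, STOPPED, "[0x..]" error text), and lists every Scan entry that a Remove run either errored on or never reported at all. The `[HID SVC][Hidden from API]` lines are the report's record of what Rocket Grannie describes, a service hidden from the normal registry API. The sample reports inside are constructed with a placeholder GUID; the regexes, `Finding` class and function names are assumptions of this example.

```python
"""Triage RogueKiller Scan/Remove reports into structured findings.

Added example for this thread, not RogueKiller's code or the posters' own.
It assumes only the report layout visible in the thread: section headers
wrapped in "¤¤¤" and one finding per line shaped like
"[CATEGORY][TAG] <what> -> <status>". Sample reports are constructed.
"""
import re
from dataclasses import dataclass

# ---- constructed sample input (placeholder GUID, not the thread's) ----
GUID = "{00000000-0000-0000-0000-000000000000}"
EXE = '"' + "\\".join(["C:", "Program Files", "Google", "Desktop", "Install",
                       GUID, "???", GUID, "GoogleUpdate.exe"]) + '"'
SVC = "HKLM\\[...]\\CCSet\\[...]\\Services : ???etadpug (" + EXE + " < [x])"
RUN = "HKCU\\[...]\\Run : Google Update (" + EXE + " >)"
HID = "HKLM\\[...]\\CCSet\\[...]\\Services : . e ()"
PROXY = "HKCU\\[...]\\Internet Settings : ProxyServer (hxxp=127.0.0.1:1062;)"
DIR = "Install : C:\\Program Files\\Google\\Desktop\\Install [-]"

SCAN = "\n".join([
    "Mode : Scan -- Date : 10/08/2013 21:10:25",
    "¤¤¤ Bad processes : 1 ¤¤¤",
    f"[ZeroAccess][SERVICE] ???etadpug -- {EXE} < [x] -> STOPPED",
    "¤¤¤ Registry Entries : 4 ¤¤¤",
    f"[RUN][ZeroAccess] {RUN} -> FOUND",
    f"[SERVICE][ZeroAccess] {SVC} -> FOUND",
    f"[PROXY IE][PUM] {PROXY} -> FOUND",
    f"[HID SVC][Hidden from API] {HID} -> FOUND",
    "¤¤¤ Particular Files / Folders: ¤¤¤",
    f"[ZeroAccess][Folder] {DIR} --> FOUND",
])
REMOVE = "\n".join([
    "Mode : Remove -- Date : 10/09/2013 06:35:41",
    "¤¤¤ Bad processes : 1 ¤¤¤",
    f"[ZeroAccess][SERVICE] ???etadpug -- {EXE} < [x] -> STOPPED",
    "¤¤¤ Registry Entries : 3 ¤¤¤",
    f"[RUN][ZeroAccess] {RUN} -> DELETED",
    f"[SERVICE][ZeroAccess] {SVC} -> DELETED",
    f"[HID SVC][Hidden from API] {HID} -> [0x3] The system cannot find the path specified.",
    "¤¤¤ Particular Files / Folders: ¤¤¤",
    f"[ZeroAccess][Folder] {DIR} --> DELETED",
])

SECTION_RE = re.compile(r"^¤¤¤\s*(?P<name>[^:]+?)\s*(?::\s*(?P<extra>.*?))?\s*¤¤¤$")
FINDING_RE = re.compile(r"^\[(?P<category>[^\]]+)\](?:\[(?P<tag>[^\]]+)\])?\s*"
                        r"(?P<what>.*?)\s*-+>\s*(?P<status>.+?)\s*$")


@dataclass(frozen=True)
class Finding:
    section: str   # the ¤¤¤ header the line sits under
    category: str  # first bracket, e.g. ZeroAccess, SERVICE, HID SVC
    tag: str       # second bracket, e.g. PUM, Hidden from API ("" if absent)
    what: str      # the registry path / file / process text
    status: str    # FOUND, DELETED, STOPPED, "[0x3] ..." etc.


def classify(status):
    """Bucket a RogueKiller status string: remediated, pending, error or other."""
    s = status.upper()
    if s.startswith("[0X"):  # Windows error code, e.g. "[0x3] The system cannot ..."
        return "error"
    if s.startswith(("DELETED", "REPLACED", "STOPPED")):
        return "remediated"
    return "pending" if s.startswith(("FOUND", "HOOKED")) else "other"


def parse_report(text):
    """Walk the report line by line, tracking the current ¤¤¤ section."""
    findings, section = [], ""
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m["name"]
            continue
        m = FINDING_RE.match(line)
        if m:
            findings.append(Finding(section, m["category"], m["tag"] or "",
                                    m["what"], m["status"]))
    return findings


def unresolved(scan_text, remove_text):
    """Scan findings the Remove run did not report as remediated: items that
    errored, plus items that never appear in the Remove report at all."""
    after = {(f.category, f.what): f.status for f in parse_report(remove_text)}
    out = []
    for f in parse_report(scan_text):
        status = after.get((f.category, f.what))
        if status is None:
            out.append(f"{f.category}: {f.what} -> not attempted")
        elif classify(status) != "remediated":
            out.append(f"{f.category}: {f.what} -> {status}")
    return out


def reversed_service_name(name):
    """Drop the unprintable prefix RogueKiller renders as '?' and reverse the
    rest: the thread's service name '???etadpug' reads 'gupdate' backwards."""
    return re.sub(r"^[^A-Za-z0-9]+", "", name)[::-1]
```

Calling `unresolved(SCAN, REMOVE)` on the constructed sample returns two lines: the IE proxy entry as "not attempted" (it is absent from the Remove report) and the hidden service with its "[0x3]" error. Those two kinds of leftover are exactly what a second pass, or a different tool as the thread goes on to use, still has to deal with, and keying the comparison on the finding text rather than on line position keeps it robust when the counts in the section headers differ between the two runs.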

 

 



#6 Rocket Grannie

Rocket Grannie

    SWI Australian Rebel

  • Administrators
  • PipPipPipPipPip
  • 7,050 posts

Posted 08 October 2013 - 09:05 PM

Hello optimist.

Sorry about the link. I have updated it to here:
Instructions on how to format and reinstall Windows XP

Let's get rid of that rootkit.

  • Please run RogueKiller again and click on Scan
  • Wait until the Status box shows Scan Finished
  • Click on Delete
  • Wait until the Status box shows Deleting Finished
  • Click on Report and copy/paste the content of the Notepad
  • The log should be found in RKreport[1]txt on your Desktop
  • Close RogueKiller

Please download Malwarebytes Anti-Rootkit here.

Please note: This tool is still in BETA mode, so please ensure that you have set a new Restore Point and backed up any important files.

Now:

  • Unzip the contents to a folder on the Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe ( right-click and select Run as administrator for Vista and Windows 7).
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Please post the two logs produced.

How's the computer performing now?


Rocket Grannie



#7 optimist

optimist

    Member

  • Full Member
  • Pip
  • 88 posts

Posted 09 October 2013 - 02:38 AM

Thanks again Rocket Grannie, I have just completed the 2 scans and will post these reports. The computer is running well - it was slow, but I had already removed lots of stuff with Malwarebytes; each time I went on the internet, though, I found that this rootkit had returned. That was when I asked for help on this forum - thankfully.

 

RogueKiller V8.7.1 [Oct  3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.co...es/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : smiff [Admin rights]
Mode : Scan -- Date : 10/09/2013 06:35:16
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[ZeroAccess][SERVICE] ???etadpug -- "C:\Program Files\Google\Desktop\Install\{41e3db09-29e4-d7f3-0de2-696451e16089}\   \   \???ﯹ๛\{41e3db09-29e4-d7f3-0de2-696451e16089}\GoogleUpdate.exe" < [x] -> STOPPED

¤¤¤ Registry Entries : 10 ¤¤¤
[RUN][ZeroAccess] HKCU\[...]\Run : Google Update ("C:\Documents and Settings\smiff\Local Settings\Application Data\Google\Desktop\Install\{41e3db09-29e4-d7f3-0de2-696451e16089}\???\???\???ﯹ๛\{41e3db09-29e4-d7f3-0de2-696451e16089}\GoogleUpdate.exe" >) -> FOUND
[RUN][ZeroAccess] HKUS\S-1-5-21-2204281632-2994070000-3789831662-1005\[...]\Run : Google Update ("C:\Documents and Settings\smiff\Local Settings\Application Data\Google\Desktop\Install\{41e3db09-29e4-d7f3-0de2-696451e16089}\???\???\???ﯹ๛\{41e3db09-29e4-d7f3-0de2-696451e16089}\GoogleUpdate.exe" >) -> FOUND
[SERVICE][ZeroAccess] HKLM\[...]\CCSet\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{41e3db09-29e4-d7f3-0de2-696451e16089}\   \   \???ﯹ๛\{41e3db09-29e4-d7f3-0de2-696451e16089}\GoogleUpdate.exe" < [x]) -> FOUND
[SERVICE][ZeroAccess] HKLM\[...]\CS001\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{41e3db09-29e4-d7f3-0de2-696451e16089}\   \   \???ﯹ๛\{41e3db09-29e4-d7f3-0de2-696451e16089}\GoogleUpdate.exe" < [x]) -> FOUND
[SERVICE][ZeroAccess] HKLM\[...]\CS002\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{41e3db09-29e4-d7f3-0de2-696451e16089}\   \   \???ﯹ๛\{41e3db09-29e4-d7f3-0de2-696451e16089}\GoogleUpdate.exe" < [x]) -> FOUND
[PROXY IE][PUM] HKCU\[...]\Internet Settings : ProxyServer (hxxp=127.0.0.1:1062;hxxps=127.0.0.1:1062;) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CCSet\[...]\Services : . e () -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CS001\[...]\Services : . e () -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CS002\[...]\Services : . e () -> FOUND

¤¤¤ Scheduled tasks : 2 ¤¤¤
[V1][SUSP PATH] At1.job : C:\DOCUME~1\smiff\APPLIC~1\DSite\UPDATE~1\UPDATE~1.EXE - /Check [-] -> FOUND
[V1][SUSP PATH] At2.job : C:\DOCUME~1\smiff\APPLIC~1\MYSEAR~1\UPDATE~1\UPDATE~1.EXE - /Check [x] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][Folder] Install : C:\Documents and Settings\smiff\Local Settings\Application Data\Google\Desktop\Install [-] --> FOUND
[ZeroAccess][Folder] Install : C:\Program Files\Google\Desktop\Install [-] --> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤
[Inline] EAT @explorer.exe (?_Clocptr@_Locimp@locale@std@@0PAV123@A) : MSVCP80.dll -> HOOKED (Unknown @ 0x7F4AE18D)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1       localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) (Standard disk drives) - ST9160821AS +++++
--- User ---
[MBR] 85fe3a2de275ac449f2055e4cc9d49d5
[BSP] 63378462349bcb7c26c59c5c2a1a49a9 : Lenovo MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 146498 Mo
1 - [XXXXXX] COMPAQ (0x12) [VISIBLE] Offset (sectors): 300029940 | Size: 6126 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_10092013_063516.txt >>

 

 

RogueKiller V8.7.1 [Oct  3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.co...es/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : smiff [Admin rights]
Mode : Remove -- Date : 10/09/2013 06:35:41
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[ZeroAccess][SERVICE] ???etadpug -- "C:\Program Files\Google\Desktop\Install\{41e3db09-29e4-d7f3-0de2-696451e16089}\   \   \???ﯹ๛\{41e3db09-29e4-d7f3-0de2-696451e16089}\GoogleUpdate.exe" < [x] -> STOPPED

¤¤¤ Registry Entries : 9 ¤¤¤
[RUN][ZeroAccess] HKCU\[...]\Run : Google Update ("C:\Documents and Settings\smiff\Local Settings\Application Data\Google\Desktop\Install\{41e3db09-29e4-d7f3-0de2-696451e16089}\???\???\???ﯹ๛\{41e3db09-29e4-d7f3-0de2-696451e16089}\GoogleUpdate.exe" >) -> DELETED
[RUN][ZeroAccess] HKUS\S-1-5-21-2204281632-2994070000-3789831662-1005\[...]\Run : Google Update ("C:\Documents and Settings\smiff\Local Settings\Application Data\Google\Desktop\Install\{41e3db09-29e4-d7f3-0de2-696451e16089}\???\???\???ﯹ๛\{41e3db09-29e4-d7f3-0de2-696451e16089}\GoogleUpdate.exe" >) -> [0xc0000034] Unknown error
[SERVICE][ZeroAccess] HKLM\[...]\CCSet\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{41e3db09-29e4-d7f3-0de2-696451e16089}\   \   \???ﯹ๛\{41e3db09-29e4-d7f3-0de2-696451e16089}\GoogleUpdate.exe" < [x]) -> DELETED
[SERVICE][ZeroAccess] HKLM\[...]\CS001\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{41e3db09-29e4-d7f3-0de2-696451e16089}\   \   \???ﯹ๛\{41e3db09-29e4-d7f3-0de2-696451e16089}\GoogleUpdate.exe" < [x]) -> [0x57] The parameter is incorrect.
[SERVICE][ZeroAccess] HKLM\[...]\CS002\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{41e3db09-29e4-d7f3-0de2-696451e16089}\   \   \???ﯹ๛\{41e3db09-29e4-d7f3-0de2-696451e16089}\GoogleUpdate.exe" < [x]) -> DELETED
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HID SVC][Hidden from API] HKLM\[...]\CCSet\[...]\Services : . e () -> [0x3] The system cannot find the path specified.
[HID SVC][Hidden from API] HKLM\[...]\CS001\[...]\Services : . e () -> [0x3] The system cannot find the path specified.
[HID SVC][Hidden from API] HKLM\[...]\CS002\[...]\Services : . e () -> [0x3] The system cannot find the path specified.

¤¤¤ Scheduled tasks : 2 ¤¤¤
[V1][SUSP PATH] At1.job : C:\DOCUME~1\smiff\APPLIC~1\DSite\UPDATE~1\UPDATE~1.EXE - /Check [-] -> DELETED
[V1][SUSP PATH] At2.job : C:\DOCUME~1\smiff\APPLIC~1\MYSEAR~1\UPDATE~1\UPDATE~1.EXE - /Check [x] -> DELETED

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][Folder] Install : C:\Documents and Settings\smiff\Local Settings\Application Data\Google\Desktop\Install [-] --> DELETED
[ZeroAccess][Folder] Install : C:\Program Files\Google\Desktop\Install [-] --> DELETED
[ZeroAccess][File] @ : C:\Documents and Settings\smiff\Local Settings\Application Data\Google\Desktop\Install\{41e3db09-29e4-d7f3-0de2-696451e16089}\???\???\???ﯹ๛\{41e3db09-29e4-d7f3-0de2-696451e16089}\@ [-] --> DELETED
[ZeroAccess][Folder] L : C:\Documents and Settings\smiff\Local Settings\Application Data\Google\Desktop\Install\{41e3db09-29e4-d7f3-0de2-696451e16089}\???\???\???ﯹ๛\{41e3db09-29e4-d7f3-0de2-696451e16089}\L [-] --> DELETED
[ZeroAccess][Folder] U : C:\Documents and Settings\smiff\Local Settings\Application Data\Google\Desktop\Install\{41e3db09-29e4-d7f3-0de2-696451e16089}\???\???\???ﯹ๛\{41e3db09-29e4-d7f3-0de2-696451e16089}\U [-] --> DELETED
[ZeroAccess][Folder] {41e3db09-29e4-d7f3-0de2-696451e16089} : C:\Documents and Settings\smiff\Local Settings\Application Data\Google\Desktop\Install\{41e3db09-29e4-d7f3-0de2-696451e16089}\???\???\???ﯹ๛\{41e3db09-29e4-d7f3-0de2-696451e16089} [-] --> DELETED
[ZeroAccess][Folder] ???ﯹ๛ : C:\Documents and Settings\smiff\Local Settings\Application Data\Google\Desktop\Install\{41e3db09-29e4-d7f3-0de2-696451e16089}\???\???\???ﯹ๛ [-] --> DELETED
[ZeroAccess][Folder] ??? : C:\Documents and Settings\smiff\Local Settings\Application Data\Google\Desktop\Install\{41e3db09-29e4-d7f3-0de2-696451e16089}\???\??? [-] --> DELETED
[ZeroAccess][Folder] ??? : C:\Documents and Settings\smiff\Local Settings\Application Data\Google\Desktop\Install\{41e3db09-29e4-d7f3-0de2-696451e16089}\??? [-] --> DELETED
[ZeroAccess][Folder] {41e3db09-29e4-d7f3-0de2-696451e16089} : C:\Documents and Settings\smiff\Local Settings\Application Data\Google\Desktop\Install\{41e3db09-29e4-d7f3-0de2-696451e16089} [-] --> DELETED
[ZeroAccess][File] @ : C:\Program Files\Google\Desktop\Install\{41e3db09-29e4-d7f3-0de2-696451e16089}\   \   \???ﯹ๛\{41e3db09-29e4-d7f3-0de2-696451e16089}\@ [-] --> DELETED
[ZeroAccess][Folder] L : C:\Program Files\Google\Desktop\Install\{41e3db09-29e4-d7f3-0de2-696451e16089}\   \   \???ﯹ๛\{41e3db09-29e4-d7f3-0de2-696451e16089}\L [-] --> DELETED
[ZeroAccess][File] 00000001.@ : C:\Program Files\Google\Desktop\Install\{41e3db09-29e4-d7f3-0de2-696451e16089}\   \   \???ﯹ๛\{41e3db09-29e4-d7f3-0de2-696451e16089}\U\00000001.@ [-] --> DELETED
[ZeroAccess][File] 00000002.@ : C:\Program Files\Google\Desktop\Install\{41e3db09-29e4-d7f3-0de2-696451e16089}\   \   \???ﯹ๛\{41e3db09-29e4-d7f3-0de2-696451e16089}\U\00000002.@ [-] --> DELETED
[ZeroAccess][File] 80000000.@ : C:\Program Files\Google\Desktop\Install\{41e3db09-29e4-d7f3-0de2-696451e16089}\   \   \???ﯹ๛\{41e3db09-29e4-d7f3-0de2-696451e16089}\U\80000000.@ [-] --> DELETED
[ZeroAccess][File] 80000001.@ : C:\Program Files\Google\Desktop\Install\{41e3db09-29e4-d7f3-0de2-696451e16089}\   \   \???ﯹ๛\{41e3db09-29e4-d7f3-0de2-696451e16089}\U\80000001.@ [-] --> DELETED
[ZeroAccess][File] 800000cb.@ : C:\Program Files\Google\Desktop\Install\{41e3db09-29e4-d7f3-0de2-696451e16089}\   \   \???ﯹ๛\{41e3db09-29e4-d7f3-0de2-696451e16089}\U\800000cb.@ [-] --> DELETED
[ZeroAccess][Folder] U : C:\Program Files\Google\Desktop\Install\{41e3db09-29e4-d7f3-0de2-696451e16089}\   \   \???ﯹ๛\{41e3db09-29e4-d7f3-0de2-696451e16089}\U [-] --> DELETED
[ZeroAccess][Folder] {41e3db09-29e4-d7f3-0de2-696451e16089} : C:\Program Files\Google\Desktop\Install\{41e3db09-29e4-d7f3-0de2-696451e16089}\   \   \???ﯹ๛\{41e3db09-29e4-d7f3-0de2-696451e16089} [-] --> DELETED
[ZeroAccess][Folder] ???ﯹ๛ : C:\Program Files\Google\Desktop\Install\{41e3db09-29e4-d7f3-0de2-696451e16089}\   \   \???ﯹ๛ [-] --> DELETED
[ZeroAccess][Folder]     : C:\Program Files\Google\Desktop\Install\{41e3db09-29e4-d7f3-0de2-696451e16089}\   \    [-] --> DELETED
[ZeroAccess][Folder]     : C:\Program Files\Google\Desktop\Install\{41e3db09-29e4-d7f3-0de2-696451e16089}\    [-] --> DELETED
[ZeroAccess][Folder] {41e3db09-29e4-d7f3-0de2-696451e16089} : C:\Program Files\Google\Desktop\Install\{41e3db09-29e4-d7f3-0de2-696451e16089} [-] --> DELETED

¤¤¤ Driver : [LOADED] ¤¤¤
[Inline] EAT @explorer.exe (?_Clocptr@_Locimp@locale@std@@0PAV123@A) : MSVCP80.dll -> HOOKED (Unknown @ 0x7F4AE18D)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1       localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) (Standard disk drives) - ST9160821AS +++++
--- User ---
[MBR] 85fe3a2de275ac449f2055e4cc9d49d5
[BSP] 63378462349bcb7c26c59c5c2a1a49a9 : Lenovo MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 146498 Mo
1 - [XXXXXX] COMPAQ (0x12) [VISIBLE] Offset (sectors): 300029940 | Size: 6126 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_D_10092013_063541.txt >>
RKreport[0]_S_10092013_063516.txt


Edited by optimist, 09 October 2013 - 02:44 AM.


#8 optimist (Member · Full Member · 88 posts)

Posted 09 October 2013 - 11:01 AM

I thought I had posted the malwarebytes log but it looks as though I have done 2 copies of the one from rogue killer - sorry about that.

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1005

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

Java version: 1.6.0_17

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.829000 GHz
Memory total: 2137370624, free: 1439137792

Downloaded database version: v2013.10.09.01
Downloaded database version: v2013.10.08.02
Initializing...
=======================================
------------ Kernel report ------------
     10/09/2013 06:44:55
------------ Loaded modules -----------
\WINDOWS\system32\ntoskrnl.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
compbatt.sys
\WINDOWS\system32\DRIVERS\BATTC.SYS
pciide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
MountMgr.sys
ftdisk.sys
dmload.sys
dmio.sys
PartMgr.sys
ACPIEC.sys
\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
VolSnap.sys
atapi.sys
iaStor.sys
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
fltmgr.sys
sr.sys
PxHelp20.sys
KSecDD.sys
Ntfs.sys
NDIS.sys
ohci1394.sys
\WINDOWS\system32\DRIVERS\1394BUS.SYS
Mup.sys
\SystemRoot\system32\DRIVERS\nic1394.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\wmiacpi.sys
\SystemRoot\system32\DRIVERS\igxpmp32.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\NETw3x32.sys
\SystemRoot\system32\DRIVERS\b57xp32.sys
\SystemRoot\system32\DRIVERS\sdbus.sys
\SystemRoot\system32\DRIVERS\rimmptsk.sys
\SystemRoot\system32\DRIVERS\rimsptsk.sys
\SystemRoot\system32\DRIVERS\rixdptsk.sys
\SystemRoot\system32\DRIVERS\CmBatt.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\SynTP.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\imapi.sys
\SystemRoot\system32\drivers\iviaspi.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\redbook.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\tvtpktfilter.sys
\SystemRoot\system32\DRIVERS\audstub.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\rdpdr.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\psadd.sys
\SystemRoot\system32\DRIVERS\Tvti2c.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\system32\drivers\PMHler.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\drivers\RtkHDAud.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\DRIVERS\AGRSM.sys
\SystemRoot\System32\Drivers\Modem.SYS
\SystemRoot\System32\Drivers\i2omgmt.SYS
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\System32\Drivers\avgtdix.sys
\SystemRoot\system32\DRIVERS\ATSwpDrv.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\System32\vsdatant.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\System32\drivers\TSMAPIP.SYS
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\??\C:\WINDOWS\system32\Drivers\IBMBLDID.sys
\SystemRoot\System32\Drivers\Fips.SYS
\SystemRoot\System32\Drivers\avgmfx86.sys
\SystemRoot\System32\Drivers\avgldx86.sys
\SystemRoot\system32\DRIVERS\snp2uvc.sys
\SystemRoot\system32\DRIVERS\STREAM.SYS
\SystemRoot\system32\DRIVERS\sncduvc.SYS
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\arp1394.sys
\SystemRoot\System32\drivers\ANC.SYS
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\System32\Drivers\dump_iaStor.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\igxpgd32.dll
\SystemRoot\System32\igxprd32.dll
\SystemRoot\System32\igxpdv32.DLL
\SystemRoot\System32\igxpdx32.DLL
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\DRIVERS\tvtfilter.sys
\SystemRoot\system32\DRIVERS\AegisP.sys
\SystemRoot\system32\DRIVERS\s24trans.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\mrxdav.sys
\SystemRoot\system32\DRIVERS\PROCDD.SYS
\SystemRoot\System32\Drivers\HTTP.sys
\??\C:\WINDOWS\System32\drivers\pmemnt.sys
\SystemRoot\system32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\drivers\sysaudio.sys
\??\C:\WINDOWS\system32\TrueSight.sys
\SystemRoot\System32\Drivers\Fastfat.SYS
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8a26bab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IAAStorageDevice-0\
Lower Device Object: 0xffffffff8a795030
Lower Device Driver Name: \Driver\iaStor\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff8a26bab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8a79e908, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8a26bab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8a77c9e0, DeviceName: \Device\00000077\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff8a795030, DeviceName: \Device\Ide\IAAStorageDevice-0\, DriverName: \Driver\iaStor\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: ED1F86F7

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 63  Numsec = 300029877
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Other (0x12)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 300029940  Numsec = 12546765

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 160041885696 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-312561808-312581808)...
Done!
Infected: HKLM\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_*202EETADPUG --> [Rootkit.0Access]
Scan finished
Creating System Restore point...
Cleaning up...
Executing an action fixdamage.exe...
Success!
Queuing an action fixdamage.exe
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1005

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

Java version: 1.6.0_17

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.828000 GHz
Memory total: 2137370624, free: 1307156480

=======================================



#9 Rocket Grannie (SWI Australian Rebel · Administrators · 7,050 posts)

Posted 09 October 2013 - 06:00 PM

Hello optimist.

I thought I had posted the malwarebytes log but it looks as though I have done 2 copies of the one from rogue killer - sorry about that.

Heh! Heh! :rofl:

It looks as if those scans got it, but let's make sure there's nothing else lurking there.

Download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please go here or here to see a list of programs that should be disabled.

Note: **Do not mouseclick ComboFix's window while it's running. That may cause it to stall**

Note: **If you get a message saying "Illegal operation attempted on a Registry Key that has been marked for deletion", please restart your computer.**

Please scan your machine with ESET OnlineScan

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your Desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your Desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your Desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

Note: If nothing is found, it will not produce a log.

Please post:
ComboFix log
ESet log.

How's the computer performing now?

I noticed AVG appears to be only partially installed on the machine. Are you running AVG as an anti-virus program?

Rocket Grannie

My help is free, but if you wish to help keep these forums running please consider a donation, see here for details.

#10 optimist (Member · Full Member · 88 posts)

Posted 10 October 2013 - 02:08 AM

Thanks again Rocket Grannie. I have been running Combo Fix this morning but have had a few problems. ComboFix wanted to download the M'soft Recovery Console and so I had to enable internet access, firewall and anti-virus programmes while this was going on. When that was completed I then disabled these again and allowed it to continue. It has now got to the stage where it needed to restart the computer (telling me not to restart manually) but it seems to have frozen during this action and absolutely nothing is happening. All the desktop icons have disappeared.

You asked how the computer was running - well everything was fine apart from not starting first time - sometimes having to try 2 or 3 times before it started up. I am wondering whether that has got anything to do with what is now happening.

I will have to close it down manually but not sure whether to do this and run ComboFix again. I will close it down and wait until I hear from you as to what I should do next.

AVG is the anti-virus programme with Zone Alarm as the firewall.

Thank you for all your help and patience - having a few senior moments here.

An update on the above - I closed down the laptop and turned it back on and ComboFix just carried on and completed what it had been doing and I will have a scan to post. I will complete your instructions and post what you have asked for a bit later - I have got to go and have a flu jab this morning - really looking forward to that.


Edited by optimist, 10 October 2013 - 03:05 AM.


#11 optimist (Member · Full Member · 88 posts)

Posted 10 October 2013 - 11:27 AM

I have managed to complete the scans.


C:\Documents and Settings\smiff\Application Data\DSite\UpdateProc\UpdateTask.exe Win32/DownWare.E application cleaned by deleting - quarantined
C:\Documents and Settings\smiff\My Documents\Downloads\cbsidlm-cbsi5_4_0_101-JetAudio_Basic-BP-10013740 (1).exe probably a variant of Win32/CNETInstaller.A application cleaned by deleting - quarantined
C:\Documents and Settings\smiff\My Documents\Downloads\cbsidlm-cbsi5_4_0_101-JetAudio_Basic-BP-10013740.exe probably a variant of Win32/CNETInstaller.A application cleaned by deleting - quarantined
C:\Documents and Settings\smiff\My Documents\Downloads\VideoPlayerSetup.exe a variant of Win32/InstallCore.BQ application cleaned by deleting - quarantined
C:\Documents and Settings\smiff\My Documents\Downloads\RegCleaner\cbsidlm-cbsi134-TweakNow_RegCleaner_2012-ORG-10262639.exe probably a variant of Win32/CNETInstaller.A application cleaned by deleting - quarantined
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.22.0\zonealarmApp.dll a variant of Win32/Toolbar.Montiera.A application cleaned by deleting (after the next restart) - quarantined
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.22.0\zonealarmEng.dll probably a variant of Win32/Toolbar.Montiera.A application cleaned by deleting (after the next restart) - quarantined
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.22.0\zonealarmsrv.exe a variant of Win32/Toolbar.Montiera.A application cleaned by deleting - quarantined
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.22.0\zonealarmTlbr.dll a variant of Win32/Toolbar.Montiera.F application cleaned by deleting (after the next restart) - quarantined
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.22.0\bh\zonealarm.dll a variant of Win32/Toolbar.Escort.A application cleaned by deleting (after the next restart) - quarantined
C:\Program Files\CheckPoint\Install\zatb.exe multiple threats deleted - quarantined
C:\Program Files\FLVPlayer\FLVPlayer.exe a variant of Win32/InstallCore.A application cleaned by deleting - quarantined
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP3\A0000123.exe multiple threats cleaned by deleting - quarantined
Operating memory probably a variant of Win32/Toolbar.Montiera.A application contained infected files

#12 Rocket Grannie (SWI Australian Rebel · Administrators · 7,050 posts)

Posted 10 October 2013 - 06:00 PM

I have got to go and have a flu jab this morning - really looking forward to that.

:rofl: What! Scared of a little bitty needle!!!!!  :rofl:

Thank you for all your help and patience - having a few senior moments here.

Your senior moments are continuing. You have posted the old MBAR log----twice. :blink:

Please post the ComboFix log, and if you have not run ESet yet, then please don't run it until after I report back about the ComboFix log.

What problems do you have now?

Rocket Grannie.

My help is free, but if you wish to help keep these forums running please consider a donation, see here for details.

#13 optimist (Member · Full Member · 88 posts)

Posted 11 October 2013 - 12:37 AM

Hi Grannie Rocket and thanks again for your response. This time the flu jab wasn't so bad - the nurse only stood 2 yards away when she aimed the needle at me.

I have also completed the Eset scan so I will post that as well - by the way if you think these senior moments are bad you should see me in the evenings - this is my bright and early self??

ComboFix 13-10-09.01 - smiff 10/10/2013 7:28.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1411 [GMT 1:00]
Running from: c:\documents and settings\smiff\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Free Firewall Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\AegisI5Installer.exe
c:\windows\system32\Thumbs.db
.
.
((((((((((((((((((((((((( Files Created from 2013-09-10 to 2013-10-10 )))))))))))))))))))))))))))))))
.
.
2013-10-08 20:07 . 2013-07-03 02:12 25088 ------w- c:\windows\system32\dllcache\hidparse.sys
2013-10-08 20:06 . 2013-07-17 00:58 123008 ------w- c:\windows\system32\dllcache\usbvideo.sys
2013-10-08 20:06 . 2013-07-17 00:58 46848 ------w- c:\windows\system32\dllcache\irbus.sys
2013-10-08 20:06 . 2013-07-17 00:58 60160 ------w- c:\windows\system32\dllcache\usbaudio.sys
2013-10-08 20:05 . 2013-08-09 00:55 144128 ------w- c:\windows\system32\dllcache\usbport.sys
2013-10-08 20:05 . 2013-08-09 00:55 32384 ------w- c:\windows\system32\dllcache\usbccgp.sys
2013-10-08 20:05 . 2013-08-09 00:55 5376 ------w- c:\windows\system32\dllcache\usbd.sys
2013-10-08 20:05 . 2009-03-18 11:02 30336 ------w- c:\windows\system32\dllcache\usbehci.sys
2013-10-08 05:38 . 2013-10-08 05:38 -------- d-----w- c:\program files\ESET
2013-10-08 04:51 . 2013-10-08 04:52 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2013-10-08 04:51 . 2013-10-08 04:51 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
2013-10-08 04:45 . 2013-10-08 04:45 -------- d-----w- c:\documents and settings\smiff\Application Data\QuickScan
2013-10-08 04:43 . 2013-10-08 04:43 -------- d-----w- c:\program files\GUM87.tmp
2013-09-29 11:17 . 2013-09-29 11:17 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\DoNotTrackPlus
2013-09-29 11:16 . 2013-09-29 11:16 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Check Point Software Technologies LTD
2013-09-28 18:52 . 2013-10-09 20:55 -------- d-----w- c:\documents and settings\smiff\Local Settings\Application Data\DoNotTrackPlus
2013-09-28 18:52 . 2013-09-28 18:52 -------- d-----w- c:\documents and settings\smiff\Application Data\Check Point Software Technologies LTD
2013-09-28 18:48 . 2013-09-28 18:48 -------- d-----w- c:\program files\Check Point Software Technologies LTD
2013-09-28 18:48 . 2013-09-28 18:51 -------- d-----w- c:\program files\CheckPoint
2013-09-28 18:46 . 2013-09-28 18:46 -------- d-----w- c:\documents and settings\All Users\Application Data\CheckPoint
2013-09-28 17:32 . 2013-10-08 20:52 -------- d-----w- c:\windows\system32\MRT
2013-09-28 14:49 . 2013-09-28 14:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2013-09-28 14:39 . 2013-09-28 14:39 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2013-09-28 14:34 . 2013-09-28 14:34 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2013-09-28 14:03 . 2013-09-28 15:39 -------- d-----w- c:\program files\MyPC Backup
2013-09-28 11:53 . 2013-09-28 12:10 -------- d-----w- c:\program files\TweakNow RegCleaner 2012
2013-09-28 11:53 . 2013-09-28 11:53 -------- d-----w- c:\documents and settings\smiff\Application Data\TweakNow RegCleaner 2012
2013-09-28 05:56 . 2013-09-28 05:56 -------- d-----w- c:\documents and settings\smiff\Application Data\Malwarebytes
2013-09-28 05:56 . 2013-09-28 05:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2013-09-28 05:56 . 2013-04-04 13:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-09-28 05:56 . 2013-09-28 05:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-09-11 20:25 . 2013-09-29 08:25 -------- d-----w- c:\documents and settings\smiff\is-748HO.tmp
2013-09-11 20:24 . 2013-09-29 08:25 -------- d-----w- c:\documents and settings\smiff\is-LF6QV.tmp
2013-09-11 20:22 . 2013-09-29 08:25 -------- d-----w- c:\documents and settings\smiff\is-0FFH1.tmp
2013-09-11 20:22 . 2013-09-29 08:25 -------- d-----w- c:\documents and settings\smiff\is-M1S2I.tmp
2013-09-11 20:18 . 2013-09-29 08:25 -------- d-----w- c:\documents and settings\smiff\is-IQ57I.tmp
2013-09-11 20:18 . 2013-09-29 08:25 -------- d-----w- c:\documents and settings\smiff\is-5H5JG.tmp
2013-09-10 18:18 . 2013-09-10 18:18 -------- d-----w- c:\windows\system32\wbem\Repository
2013-09-10 17:40 . 2013-09-10 17:40 -------- d-----w- c:\windows\Sun
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-10-10 07:35 . 2010-08-31 12:55 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2013-10-10 07:35 . 2013-02-26 14:12 58288 ----a-w- c:\windows\system32\rpcnet.dll
2013-10-08 17:09 . 2013-02-27 14:28 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-10-08 17:09 . 2013-02-27 14:28 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-09-23 18:33 . 2006-04-30 06:56 920064 ----a-w- c:\windows\system32\wininet.dll
2013-09-23 18:33 . 2006-04-30 06:55 43520 ------w- c:\windows\system32\licmgr10.dll
2013-09-23 18:33 . 2006-04-30 06:55 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-09-23 18:33 . 2006-04-30 06:55 18944 ------w- c:\windows\system32\corpol.dll
2013-09-23 18:06 . 2006-04-30 06:55 385024 ------w- c:\windows\system32\html.iec
2013-08-29 01:31 . 2006-04-30 06:55 1878656 ------w- c:\windows\system32\win32k.sys
2013-08-09 01:56 . 2006-04-30 06:56 386560 ------w- c:\windows\system32\themeui.dll
2013-08-09 00:55 . 2004-08-03 23:08 144128 ------w- c:\windows\system32\drivers\usbport.sys
2013-08-09 00:55 . 2010-02-15 22:50 32384 ------w- c:\windows\system32\drivers\usbccgp.sys
2013-08-09 00:55 . 2001-08-17 14:03 5376 ------w- c:\windows\system32\drivers\usbd.sys
2013-08-05 13:30 . 2006-04-30 06:55 1289728 ----a-w- c:\windows\system32\ole32.dll
2013-08-03 13:18 . 2006-10-19 05:47 1543680 ------w- c:\windows\system32\wmvdecod.dll
2013-07-19 00:18 . 2013-07-19 00:18 102608 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2013-07-17 00:58 . 2010-02-15 22:50 123008 ------w- c:\windows\system32\drivers\usbvideo.sys
2013-07-17 00:58 . 2008-04-13 18:45 46848 ------w- c:\windows\system32\drivers\irbus.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2013-02-27 2077536]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"MobileConnect"="c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe" [2008-10-09 2086912]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2013-08-12 73832]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ATFUS]
2007-05-31 21:57 155648 ------w- c:\windows\system32\FpWinlogonNp.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-08-04 15:19 12536 ------w- c:\windows\system32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 02:06 28672 ------w- c:\program files\Lenovo\HOTKEY\tphklock.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FingerPrintSoftware]
c:\program files\Lenovo Fingerprint Software\fpapp.exe \s [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTray]
2007-07-05 22:58 413696 ------w- c:\program files\ThinkPad\ConnectUtilities\ACTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACWLIcon]
2007-07-05 22:51 126976 ------w- c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2006-08-30 07:40 89542 ------w- c:\windows\AGRSMMSG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 10:43 69632 ------w- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMSG]
2007-02-01 18:00 439856 ------w- c:\program files\ThinkVantage\AMSG\Amsg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AwaySch]
2006-11-07 10:51 91688 ------w- c:\program files\Lenovo\AwayTask\AwaySch.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]
2007-08-23 07:36 53248 ------w- c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cssauth]
2007-08-04 00:35 2630968 ------w- c:\program files\Lenovo\Client Security Solution\cssauth.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
2006-05-19 00:24 196696 ------w- c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-03-23 07:32 162584 ------w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-03-23 07:32 138008 ------w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-28 00:50 221184 ------w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-09-11 04:40 86960 ------w- c:\program files\Common Files\Installshield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPManager]
2007-04-26 17:10 120368 ------w- c:\progra~1\Lenovo\LENOVO~2\LPMGR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmapp]
2007-03-14 23:42 321088 ------w- c:\program files\Pure Networks\Network Magic\nmapp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-03-23 07:32 138008 ------w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMHandler]
2007-03-16 13:26 31840 ------w- c:\progra~1\Lenovo\PMDRIV~1\PMHandler.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-08-10 07:21 16384000 ------w- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2uvc]
2006-12-29 03:48 569344 ------w- c:\windows\vsnp2uvc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-11-10 21:03 36975 ------w- c:\program files\Java\jre1.5.0_06\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2006-05-19 05:51 774233 ------w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPFNF7]
2007-04-09 18:03 58416 ------w- c:\program files\Lenovo\NPDIRECT\tpfnf7sp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPWAUDAP]
2006-09-06 07:38 54824 ------w- c:\program files\Lenovo\HOTKEY\TpWAudAp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVT Scheduler Proxy]
2008-03-04 09:34 487424 ------w- c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [16/02/2010 03:15 226016]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [16/02/2010 03:15 243152]
R1 PMHler;PMHler;c:\windows\system32\drivers\PMHler.sys [24/05/2006 20:48 10240]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [04/08/2010 16:19 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [04/08/2010 16:19 308136]
R2 BBSvc;BingBar Service;c:\program files\Microsoft\BingBar\7.2.233.0\BBSvc.EXE [02/04/2013 03:01 193672]
R2 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe [22/06/2007 20:45 106496]
R2 FNF5SVC;Fn+F5 Service;c:\program files\Lenovo\HOTKEY\FnF5svc.exe [11/05/2007 03:22 54832]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [08/02/2007 22:11 569344]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [09/10/2008 16:32 14336]
R2 ZAPrivacyService;ZoneAlarm Privacy Service;c:\program files\CheckPoint\ZoneAlarm\ZAPrivacyService.exe [18/06/2013 03:34 54160]
R3 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\7.2.233.0\SeaPort.EXE [02/04/2013 03:01 240264]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [23/05/2007 00:59 30336]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - POLICYAGENT
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-10-08 04:50 1185744 ----a-w- c:\program files\Google\Chrome\Application\30.0.1599.69\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-10-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-02-27 17:09]
.
2013-10-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-09-29 12:38]
.
2013-10-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-09-29 12:38]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.c...-IuqO5ATTrYDIAQ
uInternet Settings,ProxyOverride = <-loopback>
uInternet Settings,ProxyServer = http=127.0.0.1:1062;https=127.0.0.1:1062;
uSearchURL,(Default) = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKU-Default-RunOnce-FlashPlayerUpdate - c:\windows\system32\Macromed\Flash\FlashUtil32_11_7_700_224_ActiveX.exe
Notify-ACNotify - ACNotify.dll
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-osCheck - c:\program files\Norton Internet Security\osCheck.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-10-10 08:36
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,99,3b,d1,9d,21,e3,00,42,be,ff,dd,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,99,3b,d1,9d,21,e3,00,42,be,ff,dd,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1104)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\FpWinLogonNp.dll
c:\program files\Lenovo Fingerprint Software\ATCSSINT.dll
c:\program files\Lenovo Fingerprint Software\SharedResources.dll
c:\program files\Lenovo Fingerprint Software\FPResource.dll
c:\program files\Lenovo\Client Security Solution\CSS_Enroll.dll
c:\program files\Lenovo\Client Security Solution\css_banner.dll
c:\windows\system32\cssuserdatadispatcher.dll
c:\windows\system32\tvttsp.dll
c:\windows\system32\tcsrpc.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
.
- - - - - - - > 'explorer.exe'(1348)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Lenovo\PM Driver\PMSveH.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\rpcnet.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Common Files\Lenovo\Logger\logmon.exe
c:\program files\Pure Networks\Network Magic\nmsrvc.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\lenovo\system update\suservice.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\wscntfy.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
.
**************************************************************************
.
Completion time: 2013-10-10 08:48:38 - machine was rebooted
ComboFix-quarantined-files.txt 2013-10-10 07:48
.
Pre-Run: 103,951,958,016 bytes free
Post-Run: 104,330,571,776 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - EAE565B71B15D0B98EE9AB59E493FB5C
28CC3059F4F2293184014E8C0E5F36C2


C:\Documents and Settings\smiff\Application Data\DSite\UpdateProc\UpdateTask.exe Win32/DownWare.E application cleaned by deleting - quarantined
C:\Documents and Settings\smiff\My Documents\Downloads\cbsidlm-cbsi5_4_0_101-JetAudio_Basic-BP-10013740 (1).exe probably a variant of Win32/CNETInstaller.A application cleaned by deleting - quarantined
C:\Documents and Settings\smiff\My Documents\Downloads\cbsidlm-cbsi5_4_0_101-JetAudio_Basic-BP-10013740.exe probably a variant of Win32/CNETInstaller.A application cleaned by deleting - quarantined
C:\Documents and Settings\smiff\My Documents\Downloads\VideoPlayerSetup.exe a variant of Win32/InstallCore.BQ application cleaned by deleting - quarantined
C:\Documents and Settings\smiff\My Documents\Downloads\RegCleaner\cbsidlm-cbsi134-TweakNow_RegCleaner_2012-ORG-10262639.exe probably a variant of Win32/CNETInstaller.A application cleaned by deleting - quarantined
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.22.0\zonealarmApp.dll a variant of Win32/Toolbar.Montiera.A application cleaned by deleting (after the next restart) - quarantined
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.22.0\zonealarmEng.dll probably a variant of Win32/Toolbar.Montiera.A application cleaned by deleting (after the next restart) - quarantined
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.22.0\zonealarmsrv.exe a variant of Win32/Toolbar.Montiera.A application cleaned by deleting - quarantined
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.22.0\zonealarmTlbr.dll a variant of Win32/Toolbar.Montiera.F application cleaned by deleting (after the next restart) - quarantined
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.22.0\bh\zonealarm.dll a variant of Win32/Toolbar.Escort.A application cleaned by deleting (after the next restart) - quarantined
C:\Program Files\CheckPoint\Install\zatb.exe multiple threats deleted - quarantined
C:\Program Files\FLVPlayer\FLVPlayer.exe a variant of Win32/InstallCore.A application cleaned by deleting - quarantined
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP3\A0000123.exe multiple threats cleaned by deleting - quarantined
Operating memory probably a variant of Win32/Toolbar.Montiera.A application contained infected files

#14 optimist

    Member

  • Full Member
  • 88 posts

Posted 11 October 2013 - 01:49 AM

Hi again Rocket Grannie - I meant to add that the laptop seems to be running well apart from the start-up problem.  Usually takes 2 or 3 attempts before it fires up.  Sorry for the mix up with the Malwarebytes reports - I'll try not to let it happen again.  :whistle:



#15 Rocket Grannie

    SWI Australian Rebel

  • Administrators
  • 7,050 posts

Posted 11 October 2013 - 05:09 AM

Hello optimist.

> Sorry for the mix up with the malware bytes reports - I'll try not to let it happen again.

My ribs are very painful from hysterical laughter.
Look at the "ESet log" in post #13, then compare it to the MBAR log in post #11.

Let's soldier on!

Your firewall is corrupted.
Please go here and follow the steps to remove it from the computer.

Please reboot the computer.

Now, go here and download a new version of it.

If you wish to change your firewall:

Some good free firewalls are:
Be sure to only install one.

A tutorial on understanding and using firewalls may be found here

For your start up problem, tell me exactly what happens when you turn the computer on.
When did this problem start?
What had you done just before it started?
How far do you get into the booting cycle?
Are there any error messages?
Do you get a BSOD? [A blue screen]
What have you tried to do to fix it?

Please run the following.

Please click Start, select Run and type chkdsk c: /r
Make sure that you include a space between k, C: and /r.
Then hit Enter and type Y in the command prompt.

Reboot the computer, and please wait while it performs error checking.

When it is finished please run the System File Checker (SFC) to scan all protected files to verify their versions.
If SFC discovers that a critical system file has been damaged, altered or missing, it restores the correct version of the file from the cache folder.
You must be logged on as an Administrator or as a member of the Administrators group to run sfc and it may ask you to insert your XP Installation CD so please have it available.

To use System File Checker:
Go to Start > Run and type: sfc /scannow

Make sure that you include a space between the c and /. This command will initiate the Windows File Protection service to scan all protected files, verify their integrity, and replace any problem files.

How's the computer performing now?


Rocket Grannie

My help is free, but if you wish to help keep these forums running please consider a donation, see here for details.

#16 optimist

    Member

  • Full Member
  • 88 posts

Posted 11 October 2013 - 06:13 PM

Well - what can I say apart from SORRY.  You probably won't believe me but I am not usually this stupid and hopefully it won't happen again - but at least you've had your share of laughter this week.

Now - I have got rid of ZoneAlarm and going to try the private firewall.

I followed the instructions for chkdsk and rebooted the computer but I didn't see the error checking being performed.

I haven't yet run the System File Checker as I haven't got the XP installation CD for this laptop - I have got the CD for my own computer which is also XP Pro and I wondered whether it would be OK to use that if necessary?

With ref. to the computer's performance - it has started up first time ever since I've been trying to get a screen shot of the message that had previously been shown.  I would press the start button and it would go off and I would repeat that a couple of times before it fired up - as I had been told this always happened I hadn't really taken that much notice.  If it happens again I will try and get the details.

Thanks again for your patience.



#17 Rocket Grannie

    SWI Australian Rebel

  • Administrators
  • 7,050 posts

Posted 11 October 2013 - 10:27 PM

Hello optimist.

> Well - what can I say apart from SORRY.  You probably won't believe me but I am not usually this stupid and hopefully it won't happen again - but at least you've had your share of laughter this week.

Heh! No problem. It's very easy to get them mixed up.

> - it has started up first time ever since I've been trying to get a screen shot of the message that had previously been shown.

Okay, I'm confused. Is there any problem with the computer's start up now or is it performing normally now?
There is no need to run the SFC repair if it is starting up normally.
Yes you can use your XP disc BUT only if it is the same operating system. Namely: XP PRO.

Rocket Grannie

#18 optimist

    Member

  • Full Member
  • 88 posts

Posted 12 October 2013 - 01:32 AM

Hi again Rocket Grannie and thanks for your reply.  This morning the laptop is back to its usual state of needing 3 attempts to start. Again I was unable to get a screen shot but it is a grey screen informing that a problem has occurred and if I didn't know what caused it to start normally.  I let it take its course and it eventually started on the 3rd attempt.  It seems very slow this morning but then so does my own computer - Microsoft had loads of updates this week (about 17 I think) and I often think things slow down after this for a while.

As this problem still seems to be there I will run the system file checker as my disc is XP Pro.

Hope you enjoy a good weekend.

Another update - I've just finished running the System File Checker.  I wasn't asked to use the XP disc and no report was generated but I didn't know whether to expect one.

I restarted the laptop and it started normally on the first go.  I will use it again during the day and let you know if it reverts back to the restart problem.

Did you want me to provide you with any of those logs that I managed not to send?


Edited by optimist, 12 October 2013 - 02:48 AM.


#19 optimist

    Member

  • Full Member
  • 88 posts

Posted 12 October 2013 - 06:47 AM

Hi - I've started the laptop several times this morning and it usually boots up on the 3rd attempt. The first one closes fairly quickly, second seems to get as far as 'windows opening' before it closes and then it opens properly on the 3rd go.

I tried to get a print screen of the message but then couldn't paste it in to Paint - as I normally manage to do.  Then I thought that probably won't work because Windows is not properly open at that stage.  Anyway it is saying that unless you have experienced a problem closing down you should start normally etc. - which I eventually get to do.  Once it starts it seems to be working fine - I haven't carried out any more scans or anything to see if anything is still there and I won't do anything else until I get your instructions.  :think:



#20 Rocket Grannie

    SWI Australian Rebel

  • Administrators
  • 7,050 posts

Posted 12 October 2013 - 06:06 PM

Hello optimist.

> Did you want me to provide you with any of those logs that I managed not to send?

No. You've sent the correct logs eventually.

Good job! Your logs appear to be clean!

Now some updating:

Your Java is out of date and older versions contain vulnerabilities. Please update to the newest version.

Updating Java:
  • Go here and download the latest version of Java:
  • Go to Start -> Control Panel -> Add or Remove Programs.
  • Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
    They should have this icon next to any that are there:  javaicon.gif
    Select any found and choose Uninstall.
  • Then install the version you downloaded earlier.

Adobe Reader is out of date and older versions contain vulnerabilities. Please download the newest version from here
Please uncheck any extras it offers unless you wish to download them.

Adobe Flash is out of date. Please go here and upgrade to the latest version.

Please open AVG and check for updates.

Please let me know if you run into any problems with the updates.

Now, do you want to pursue trying to fix the start up problem?
However, be aware that obviously it is not a Windows problem as the SFC check was clear.


Rocket Grannie

#21 optimist

    Member

  • Full Member
  • 88 posts

Posted 13 October 2013 - 02:48 AM

Good morning Rocket Grannie - the only programme I haven't been able to update is Java.  The page was unavailable from your link and the same thing happened when I tried to update from the programme.  All the other updates have been completed.

It would be good to get the start-up problem sorted - having said that it has started first time on the last 2 occasions.  This is a Lenovo laptop and their stuff seems to come up first on start-up.  Sometimes it goes from there to Windows start up but when it has to be started several times it goes first to that grey screen.

Thank you again for all your help - really appreciated.



#22 Rocket Grannie

    SWI Australian Rebel

  • Administrators
  • 7,050 posts

Posted 13 October 2013 - 03:20 PM

Hello optimist.

Your problem with Java could mean that there is still some malware on the system.
Let's run a couple of scans to make sure it is clean.

Please locate, then double-click Malwarebytes, click the Update tab >>> Check for Updates.

  • If an update is found, it will download and install the latest version.
  • Once the program has finished updating please select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a location you will remember.
  • Copy and Paste that log into your next reply.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK for either of the prompts and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.
Note: This scan will take a long time to complete.

Next: Do the same thing with AVG.
Open AVG and check for updates, then select "Perform a full scan".
When completed, close AVG and post the log back here to me.

Java

Please go here and follow the instructions to download the offline Java.
When finished,
Please download and install Revo Uninstaller (Freeware) from here.

Please run Revo Uninstaller and select all Java entries.

Then please click Uninstall icon

Please choose Advanced and follow the prompts.

Then click Select all (1.) and Delete (2.) to delete all registry items, folders and files listed by Revo and reboot your computer when the Revo Uninstaller is finished.

Then please install Java you downloaded earlier and let me know if you still have any problems with it.



Rocket Grannie

#23 optimist

optimist

    Member

  • Full Member
  • Pip
  • 88 posts

Posted 14 October 2013 - 03:33 AM

Hi again and thank you for your reply.  Everything went well with the scans - I saw another Java item (Java 6 Update 16) so went through it again and deleted additional Java items in the leftover registry.  I just hope I have managed to post the correct scans this time and many thanks for your continued patience.  I have installed Java and everything went well this time.

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.10.14.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
smiff :: LENOVO-908BF615 [administrator]

14/10/2013 05:51:39
mbam-log-2013-10-14 (05-51-39).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 293031
Time elapsed: 1 hour(s), 17 minute(s),

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCU\Software\Google\Chrome\Extensions\pflphaooapbgpeakohlggbpidpppgdff (PUP.Optional.MySearchDial.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Google\Chrome\Extensions\pflphaooapbgpeakohlggbpidpppgdff (PUP.Optional.MySearchDial.A) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Scan "Scan whole computer" completed.
No infection was found during this scan
Folders selected for scanning:;"Scan whole computer"
Scan started:;"14 October 2013, 07:21:28"
Scan finished:;"14 October 2013, 07:53:12 (31 minute(s) 44 second(s))"
Total object scanned:;"282784"
User who launched the scan:;"smiff"


#24 optimist

optimist

    Member

  • Full Member
  • Pip
  • 88 posts

Posted 14 October 2013 - 03:43 AM

Hi - I did include a message before I posted the scans but it seems to have disappeared.

I used the Revo prog and then found another Java update so did it again and deleted more leftover registry items.  I didn't have any problems installing the latest Java this time.

I'm sure (?) that I've posted the correct scans this time and thank you for being so patient.  :think:



#25 Rocket Grannie

Rocket Grannie

    SWI Australian Rebel

  • Administrators
  • PipPipPipPipPip
  • 7,050 posts

Posted 14 October 2013 - 07:13 PM

Hello optimist.

I'm sure (?) that I've posted the correct scans this time and thank you for being so patient.

Yes you have and you are welcome.

That looks better.

For the start up problem, run the computer for a few days and see how you get on.

Now some clean up.

Now, you need to uninstall ComboFix.

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run  and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Note: The space between x and / is needed.

Please delete the Security Check folder on the Desktop.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections.
Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems.
As happy as we at SWI are to help you, for your sake we would rather not have repeat customers.

Note: All of the programs I am suggesting are either free or have free versions.

Please make sure to run your antivirus software regularly, and to keep it up-to-date. Most programs have an automatic update feature.

Keep MalwareBytes Anti-Malware updated and run it regularly.
Please Note: Only the paid for version has real time capabilities.

The free FileHippo Update Checker makes it easy to keep all your programs up to date - run it every few weeks.
Note: If you are running Avast, it has an automatic updater built in.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here

Please make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware from being installed.
Please set your anti-virus and anti-spyware programs to check for updates automatically. If the programs are not able to update automatically, then I suggest you manually check for updates every few days.

Windows needs to be kept up-to-date.
 
Windows Updates are available from here

IMPORTANT: Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs.  If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately.  It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information.  Ask in a security forum that you trust if you are not sure.  If you are unsure and looking for anti-spyware programs, you may be able to find out if it is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative.  In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScripts, can make it even more secure. Chrome is another good option.

If you are interested, Firefox may be downloaded from here
Chrome is available here
 
PLEASE NOTE:

A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster can be run with any of them.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

Hopefully this should take care of your problems!

Safe Surfing:

Rocket Grannie.  

#26 optimist

optimist

    Member

  • Full Member
  • Pip
  • 88 posts

Posted 16 October 2013 - 02:43 AM

Thank you Rocket Grannie.  I have started to go through your list and have uninstalled ComboFix but I couldn't find the Security Check folder you asked me to delete.

I have replaced AVG anti-virus with Avast for the benefit of automatic updates.  I had problems with the internet connection yesterday and so I will be working my way through your other suggestions today.

The computer seems to be running well even with the start-up problem - thanks to your help.  Can't thank you enough for all your assistance.



#27 optimist

optimist

    Member

  • Full Member
  • Pip
  • 88 posts

Posted 16 October 2013 - 12:51 PM

Hi again - since my last post I have updated items found to be out of date - these were Java, Adobe Reader and Google Chrome - and enabled Windows automatic updates.

Avast is set to update automatically and the auto updater is also enabled.

Spyware Blaster has been downloaded and I used the browser check that I found in Tony Klein's article about infection.

I think I have covered everything and I am now going to update and run MalwareBytes - just to be sure.

Start up still takes several attempts but - apart from that - everything seems to be going well.  Thank you again for all your help.   :thumbup:



#28 Rocket Grannie

Rocket Grannie

    SWI Australian Rebel

  • Administrators
  • PipPipPipPipPip
  • 7,050 posts

Posted 16 October 2013 - 06:24 PM

Hello

Thank you again for all your help.

You are welcome. :wave:

Start up still takes several attempts

Go here and select your product.

The following link is to Lenovo support USA.

http://support.lenovo.com/en_US/

Good luck with it.

Rocket Grannie


#29 optimist

optimist

    Member

  • Full Member
  • Pip
  • 88 posts

Posted 17 October 2013 - 04:55 PM

Hello again Rocket Grannie and thanks for providing the link to the Lenovo site.  I have been searching for answers to this problem but mostly they seem to deal with lack of power.  I think I am going to leave well alone for the time being as the laptop is now working really well and this doesn't cause any major problem.

I did a complete scan with Malwarebytes and that was completely clear.  I really can't thank you enough for all your hard work and patience to help me get rid of all the nasties that were on this laptop.  Three cheers for Rocket Grannie.    :good:



#30 Rocket Grannie

Rocket Grannie

    SWI Australian Rebel

  • Administrators
  • PipPipPipPipPip
  • 7,050 posts

Posted 20 October 2013 - 04:21 PM

Since the issue appears to be resolved this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.