Computer Hope
Software => Computer viruses and spyware => Topic started by: summerred on May 02, 2013, 09:20:53 AM
-
I recently downloaded Adobe Reader, and guess what snuck in? Sweetpacks, which was anything but sweet. I attempted to follow the instuctions of previous posts from those who received help from this website. The last thing I was going to do was Combofix, which is now finished. Will someone take a look at my log for me?
-
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.
1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.
If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************
Please download AdwCleaner (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner)by Xplode onto your Desktop.
- Double click on AdwCleaner.exe to run the tool.
- Click on Search.
- A logfile will automatically open after the scan has finished.
- Please post the content of that logfile in your reply.
- You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.
*********************************************
(http://i424.photobucket.com/albums/pp322/digistar/mbamicontw5.gif) Please download Malwarebytes Anti-Malware from here. (http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe)
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Full Scan", then click Scan.
- The scan may take some time to finish,so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- Please save the log to a location you will remember.
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
*************************************************
Please download Junkware Removal Tool (http://thisisudax.org/downloads/JRT.exe) to your desktop.
•Warning! Once the scan is complete JRT will shut down your browser with NO warning.
•Shut down your protection software now to avoid potential conflicts.
•Temporarily disable your Antivirus and any Antispyware real time protection before performing a scan. Click this (http://www.bleepingcomputer.com/forums/topic114351.html) link to see a list of security programs that should be disabled and how to disable them.
•Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator
•The tool will open and start scanning your system.
•Please be patient as this can take a while to complete depending on your system's specifications.
•On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
•Copy and Paste the JRT.txt log into your next message.
-
Hi Dave,
I appreciate you taking the time to help. I went through previous posts, and followed the instructions. I have no more problems whatsoever. It was a long process, but previous instructions here, worked like a charm. I don't need to do Combofix, but I wanted to double my work. I turned off my antivirus, and ran Combofix following the instructions. If policy states that the entire process must include both a moderator and myself, I understand if your unable to read my Combofix log. You guys have to protect yourselves, which makes perfect sense. If you are able to review my Combofix log, I would appreciate it.
-
Hi Dave,
I appreciate you taking the time to help. I went through previous posts, and followed the instructions. I have no more problems whatsoever. It was a long process, but previous instructions here, worked like a charm. I don't need to do Combofix, but I wanted to double my work. I turned off my antivirus, and ran Combofix following the instructions. If policy states that the entire process must include both a moderator and myself, I understand if your unable to read my Combofix log. You guys have to protect yourselves, which makes perfect sense. If you are able to review my Combofix log, I would appreciate it.
You will need to copy and paste the ComboFix log.
-
Here is the log. It fixed a few things, and I have no more problems, but there may be something
that the combofix contains, but couldn't fix.
ComboFix 13-05-01.03 - Tiffany 05/02/2013 11:14:50.1.2 - x86
Microsoft Windows XP Professional [GMT -4:00]
Running from: c:\documents and settings\Tiffany\Desktop\ComboFix.exe
AV: AVG AntiVirus Free Edition 2013 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\Cache
c:\windows\system32\SET5A.tmp
c:\windows\system32\SET5E.tmp
c:\windows\system32\SET66.tmp
c:\windows\system32\SET6F.tmp
c:\windows\system32\SET71.tmp
c:\windows\system32\SET74.tmp
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
.
.
((((((((((((((((((((((((( Files Created from 2013-04-02 to 2013-05-02 )))))))))))))))))))))))))))))))
.
.
2013-05-01 03:13 . 2013-05-01 03:13 -------- d-----w- C:\JRT
2013-04-28 20:51 . 2013-05-01 13:19 -------- d-----w- C:\Jts
2013-04-28 19:46 . 2013-04-28 19:46 -------- d-----w- C:\Genesis
2013-04-27 21:36 . 2013-04-27 21:37 -------- d-----w- C:\71a4ed12c6783bd016e5
2013-04-27 14:23 . 2013-04-27 14:23 -------- d-----w- C:\$AVG
2013-04-27 13:46 . 2013-04-27 13:46 -------- d-----w- C:\NVIDIA
2013-04-27 07:11 . 2013-04-27 07:12 -------- d-----w- C:\Inetpub
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-08 08:36 . 2006-02-28 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2013-03-07 01:32 . 2006-02-28 12:00 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50 . 2004-08-03 22:59 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-02 02:06 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2013-03-02 02:06 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-03-02 02:06 . 2006-02-28 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-03-02 01:25 . 2006-02-28 12:00 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-03-02 01:08 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
2013-03-01 17:32 . 2013-03-01 17:32 22328 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys
2013-02-27 06:40 . 2013-02-27 06:40 208184 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
2013-02-14 10:52 . 2013-02-14 10:52 182072 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2013-02-12 00:32 . 2006-02-28 12:00 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-02-08 11:37 . 2013-02-08 11:37 96568 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2013-02-08 11:37 . 2013-02-08 11:37 245048 ----a-w- c:\windows\system32\drivers\avglogx.sys
2013-02-08 11:37 . 2013-02-08 11:37 60216 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2013-02-08 11:37 . 2013-02-08 11:37 170808 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2013-02-08 11:37 . 2013-02-08 11:37 39224 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2013-04-10 06:58 . 2013-04-27 08:03 263064 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="NvMCTray.dll" [2013-01-31 108832]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2013-01-31 15517472]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]
"AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2013-03-14 4394032]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
AdFender.lnk - c:\program files\AdFender\AdFender.exe [2012-6-20 2772112]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2013\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf010 00.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CodecPackUpdateChecker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\CodecPackUpdateChecker.lnk
backup=c:\windows\pss\CodecPackUpdateChecker.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VTAgentReboot.exe]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VTAgentReboot.exe
backup=c:\windows\pss\VTAgentReboot.exeCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelAudioStudio]
2006-08-03 00:17 9134080 ----a-w- c:\program files\Intel Audio Studio\IntelAudioStudio.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]
2008-04-14 12:41 177152 ----a-w- c:\windows\system32\mqrt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2013-01-31 09:02 15517472 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2013-01-31 11:22 1982312 ----a-w- c:\program files\NVIDIA Corporation\nview\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2013-03-12 11:32 253816 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2013-04-28 00:37 295512 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avast! Antivirus"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Marvell\\61xx\\Apache2\\bin\\Apache.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgmfapx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Joshua\\Application Data\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AdFender\\AdFender.exe"=
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2/8/2013 7:37 AM 60216]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2/8/2013 7:37 AM 245048]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2/8/2013 7:37 AM 39224]
R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [8/30/2006 3:43 AM 70784]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2/27/2013 2:40 AM 208184]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [3/1/2013 1:32 PM 22328]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2/8/2013 7:37 AM 170808]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2/14/2013 6:52 AM 182072]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2013\avgwdsvc.exe [2/19/2013 7:02 AM 282624]
R2 Marvell RAID;Marvell RAID Event Agent;c:\program files\Marvell\61xx\svc\mvraidsvc.exe [8/9/2006 11:46 PM 114688]
R2 MRUWebService;MRU Web Service;c:\program files\Marvell\61xx\Apache2\bin\Apache.exe [4/29/2006 5:47 AM 20541]
R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe [3/6/2013 5:21 AM 39056]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\drivers\dc3d.sys [4/29/2013 10:41 AM 45288]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2013\avgidsagent.exe [2/28/2013 2:42 AM 4937264]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [6/2/2011 1:08 PM 11336]
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-28 c:\windows\Tasks\RealDownloaderDownloaderScheduledTaskS-1-5-21-854245398-343818398-839522115-1003.job
- c:\program files\RealNetworks\RealDownloader\recordingmanager.exe [2013-03-06 09:23]
.
2013-05-02 c:\windows\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-854245398-343818398-839522115-1003.job
- c:\program files\RealNetworks\RealDownloader\realupgrade.exe [2013-03-06 09:21]
.
2013-05-02 c:\windows\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-854245398-343818398-839522115-1003.job
- c:\program files\RealNetworks\RealDownloader\realupgrade.exe [2013-03-06 09:21]
.
2013-05-02 c:\windows\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-854245398-343818398-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-03-06 18:36]
.
2013-05-01 c:\windows\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-854245398-343818398-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-03-06 18:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
mStart Page = hxxp://www.google.com
TCP: DhcpNameServer = 65.32.5.111 65.32.5.112
FF - ProfilePath - c:\documents and settings\Joshua\Application Data\Mozilla\Firefox\Profiles\xav9wvmc.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - google.com
FF - ExtSQL: 2013-04-27 17:55; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-SigmatelSysTrayApp - sttray.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-05-02 11:18
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_ 7_700_169_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX .exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2013-05-02 11:20:51
ComboFix-quarantined-files.txt 2013-05-02 15:20
.
Pre-Run: 433,530,941,440 bytes free
Post-Run: 435,804,614,656 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
-
Can you please post the other logs?
Re-running ComboFix to remove infections:
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Open notepad and copy/paste the text in the quotebox below into it:
KillAll::
DirLook::
C:\71a4ed12c6783bd016e5
- Save this as CFScript.txt, in the same location as ComboFix.exe
(http://i424.photobucket.com/albums/pp322/digistar/cfscriptb4.gif)
- Referring to the picture above, drag CFScript into ComboFix.exe
- When finished, it shall produce a log for you at C:\ComboFix.txt
- Please post the contents of the log in your next reply.
**********************************************
- Download RogueKiller (http://tigzy.geekstogo.com/Tools/RogueKiller.exe) on the desktop
- Close all the running programs
- Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
- Otherwise just double-click on RogueKiller.exe
- Pre-scan will start. Let it finish.
- Click on SCAN button.
- A report (RKreport.txt) should open. Post its content in your next reply. (RKreport could also be found on your desktop)
- If RogueKiller has been blocked, do not hesitate to try a few times more. If really won't run, rename it to winlogon.exe (or winlogon.com) and try again