Author Topic: Trojan Horse "Generic34.BRBV"


Offline mikej.canfield

Trojan Horse "Generic34.BRBV"
« on: November 06, 2013, 12:32:27 AM »
 It appears I have a Trojan. It seems to have gotten its slimy hands into my system32 and win32k files as well as showing signs in my browser (Chrome) and not allowing me to access my DOS prompt. I have attempted a system restore from safe mode with no luck. Your help is greatly appreciated. I will take no further action till instructed. Pasted below are the requested logs.

 DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Mike at 21:18:32 on 2013-11-05
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.894.102 [GMT -5:00]
.
AV: McAfee VirusScan *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW:  *Disabled*
.
============== Running Processes ================
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\1.3.21.165\GoogleCrashHandler.exe
C:\Program Files\Common Files\Motive\pcCMService.exe
C:\Program Files\Common Files\Motive\pcServiceHost.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\MSN Toolbar\Platform\4.0.0346.1\mswinext.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\ATT-SST\pcTrayApp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Wireless Adapter\UI.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT4024
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT4024
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} -
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Speed Test Analysis: {310D38FE-EB4C-467C-8781-B7C2AEB7847D} - c:\program files\speed test analysis\ScriptHost.dll
BHO: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: OfferMosquito: {82B16A3D-F03E-4565-A532-666B219C9A53} - c:\documents and settings\mike\local settings\application data\ext_offermosquito\OfferMosquitoIEPlaceholder.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - <orphaned>
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - LocalServer32 - <no file>
BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0346.1\npwinext.dll
BHO: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
BHO: ChromeFrame BHO: {ECB3C477-1A0A-44BD-BB57-78F9EFE34FA7} - c:\program files\google\chrome frame\application\30.0.1599.101\npchrome_frame.dll
BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} -
TB: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: EPSON Web-To-Page: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0346.1\npwinext.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
TB: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SSync] "c:\documents and settings\mike\application data\ssync\SSync.exe"
uRun: [DataMgr] "c:\documents and settings\mike\application data\datamgr\DataMgr.exe"
uRun: [Intermediate] "c:\documents and settings\mike\application data\intermediate\Intermediate.exe"
uRun: [OMESupervisor] c:\documents and settings\mike\local settings\application data\omesuperv.exe
mRun: [EPSON Stylus Photo R320 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [readericon] c:\program files\digital media reader\readericon45G.exe
mRun: [PrinTray] c:\windows\system32\spool\drivers\w32x86\3\printray.exe
mRun: [MSN Toolbar] "c:\program files\msn toolbar\platform\4.0.0346.1\mswinext.exe"
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [CHotkey] zHotkey.exe
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ATT-SST_McciTrayApp] "c:\program files\att-sst\pcTrayApp.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [KernelFaultCheck] c:\windows\system32\dumprep 0 -k
mRun: [AVG_UI] "c:\program files\avg\avg2014\avgui.exe" /TRAYONLY
dRun: [Power2GoExpress] NA
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\54mwir~1.lnk - c:\program files\wireless adapter\UI.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{0C54F9BD-5979-45BC-AC2B-20AF57F69160} : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{6C0A3849-0802-49F1-BFD1-159DE5896805} : DHCPNameServer = 192.168.1.1
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - c:\program files\google\chrome frame\application\30.0.1599.101\npchrome_frame.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = Error!
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\30.0.1599.101\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2013-9-2 145720]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2013-9-2 223032]
R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2013-8-20 102200]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2013-9-8 27448]
R1 Avgdiskx;AVG Disk Driver;c:\windows\system32\drivers\avgdiskx.sys [2013-9-25 120632]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2013-9-2 209208]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2013-9-10 22840]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2013-9-2 176952]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2013-8-1 193848]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2014\avgidsagent.exe [2013-10-3 3538480]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2014\avgwdsvc.exe [2013-9-25 301152]
R2 pcCMService;pcCMService;c:\program files\common files\motive\pcCMService.exe [2012-6-27 361472]
R2 pcServiceHost;pcServiceHost;c:\program files\common files\motive\pcServiceHost.exe [2012-6-27 342016]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2013-10-25 627072]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\drivers\usbscan.sys [2010-8-21 15104]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 WUSB54GSCSVC;WUSB54GSCSVC;"c:\program files\compact wireless-g usb network adapter with speedbooster\wlservice.exe" "wusb54gsc.exe" --> c:\program files\compact wireless-g usb network adapter with speedbooster\WLService.exe [?]
S3 Pantech UTM Service;Pantech UTM Service;c:\program files\pcd\pantech\eudl\utm\PantechService.exe [2010-11-23 65536]
S3 PTHSBUS;PANTECH Handset USB Composite Device Driver (UDP);c:\windows\system32\drivers\PTHSBUS.sys [2012-7-2 56976]
S3 PTHSMDM;PANTECH Handset Drivers (UDP);c:\windows\system32\drivers\PTHSMDM.sys [2012-7-2 167824]
S3 PTHSVSP;PANTECH Handset Diagnostic Serial Port (UDP);c:\windows\system32\drivers\PTHSVSP.sys [2012-7-2 167824]
.
=============== File Associations ===============
.
ShellExec: pi11.exe: Open="c:\program files\microsoft digital image 2006\pi.exe" "%1"
.
=============== Created Last 30 ================
.
2013-11-05 04:05:06   --------   d-----w-   c:\documents and settings\mike\application data\AVG2014
2013-11-05 04:04:06   --------   d-----w-   c:\documents and settings\mike\application data\TuneUp Software
2013-11-05 04:03:10   --------   d--h--w-   C:\$AVG
2013-11-05 04:03:10   --------   d-----w-   c:\documents and settings\all users\application data\AVG2014
2013-11-05 04:02:13   --------   d-----w-   c:\program files\AVG
2013-11-05 03:59:53   --------   d-----w-   c:\documents and settings\mike\local settings\application data\MFAData
2013-11-05 03:59:53   --------   d-----w-   c:\documents and settings\mike\local settings\application data\Avg2014
2013-11-05 03:59:53   --------   d-----w-   c:\documents and settings\all users\application data\MFAData
2013-11-01 08:18:51   --------   d-----w-   c:\documents and settings\all users\application data\IBUpdaterService
2013-11-01 08:18:40   --------   d-----w-   c:\program files\Speed Test Analysis
2013-11-01 08:18:37   --------   d-----w-   c:\documents and settings\mike\application data\SpeedTestAnalysis
2013-11-01 08:17:41   --------   d-----w-   c:\documents and settings\mike\local settings\application data\ext_offermosquito
2013-11-01 08:17:20   --------   d-----w-   c:\documents and settings\mike\application data\Intermediate
2013-11-01 08:17:19   --------   d-----w-   c:\documents and settings\mike\application data\DataMgr
2013-11-01 08:17:11   --------   d-----w-   c:\documents and settings\mike\application data\SSync
2013-11-01 08:09:18   --------   d-----w-   c:\documents and settings\mike\application data\OfferMosquito
2013-11-01 08:09:18   --------   d-----w-   c:\documents and settings\mike\application data\Common
2013-11-01 08:08:08   --------   d-----w-   c:\documents and settings\mike\application data\BitTorrent
2013-10-29 02:27:51   --------   d-----w-   c:\documents and settings\mike\local settings\application data\Adobe
2013-10-26 04:05:14   --------   d-----w-   c:\documents and settings\mike\local settings\application data\AskToolbar
2013-10-26 04:05:09   --------   d-----w-   c:\program files\Ask.com
2013-10-26 02:53:28   --------   d-----w-   c:\documents and settings\mike\local settings\application data\Deployment
2013-10-26 02:52:50   --------   d-sh--w-   c:\documents and settings\mike\IETldCache
2013-10-26 02:52:33   --------   d-sh--w-   c:\documents and settings\mike\PrivacIE
2013-10-26 02:29:50   627072   ----a-w-   c:\windows\system32\drivers\rt2870.sys
2013-10-26 02:29:50   221184   ----a-w-   c:\windows\system32\RaCoInst.dll
2013-10-26 02:29:43   --------   d-----w-   c:\program files\Wireless Adapter
2013-10-09 11:53:52   2219305   ----a-w-   c:\documents and settings\mike\local settings\application data\omesuperv.exe
.
==================== Find3M  ====================
.
2013-10-26 02:29:55   21419   -c--a-w-   c:\windows\system32\drivers\AegisP.sys
2013-09-26 01:57:14   120632   ----a-w-   c:\windows\system32\drivers\avgdiskx.sys
2013-09-11 03:11:44   22840   ----a-w-   c:\windows\system32\drivers\avgidsshimx.sys
2013-09-09 03:12:16   27448   ----a-w-   c:\windows\system32\drivers\avgrkx86.sys
2013-09-02 15:39:32   176952   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
2013-09-02 15:28:06   145720   ----a-w-   c:\windows\system32\drivers\avgidshx.sys
2013-09-02 15:28:04   209208   ----a-w-   c:\windows\system32\drivers\avgidsdriverx.sys
2013-09-02 15:28:00   223032   ----a-w-   c:\windows\system32\drivers\avglogx.sys
2003-03-19 01:20:00   1060864   ----a-w-   c:\program files\mfc71.dll
2003-03-19 01:12:12   1047552   ----a-w-   c:\program files\mfc71u.dll
2003-03-19 00:44:38   57344   ----a-w-   c:\program files\MFC71ENU.DLL
2003-03-19 00:44:38   49152   ----a-w-   c:\program files\MFC71KOR.DLL
2003-03-19 00:44:36   61440   ----a-w-   c:\program files\MFC71ITA.DLL
2003-03-19 00:44:36   61440   ----a-w-   c:\program files\MFC71ESP.DLL
2003-03-19 00:44:36   45056   ----a-w-   c:\program files\MFC71CHT.DLL
2003-03-19 00:44:36   40960   ----a-w-   c:\program files\MFC71CHS.DLL
2003-03-19 00:44:34   65536   ----a-w-   c:\program files\MFC71DEU.DLL
2003-03-19 00:44:34   61440   ----a-w-   c:\program files\MFC71FRA.DLL
2003-03-19 00:44:34   49152   ----a-w-   c:\program files\MFC71JPN.DLL
2001-06-20 21:19:18   40960   -c--a-w-   c:\program files\ACMonitor_X83.exe
.
============= FINISH: 21:19:38.07 ===============






 .
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 8/21/2010 12:11:14 PM
System Uptime: 11/5/2013 8:55:58 PM (1 hours ago)
.
Motherboard: Micro Star International |  | MS-7248R
Processor:              Intel(R) Pentium(R) D  CPU 2.66GHz | Socket 775 | 2666/133mhz
Processor:              Intel(R) Pentium(R) D  CPU 2.66GHz | Socket 775 | 2666/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 229 GiB total, 208.448 GiB free.
D: is Removable
E: is Removable
F: is Removable
G: is Removable
H: is FIXED (FAT32) - 4 GiB total, 0.569 GiB free.
I: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\D0240010DC00
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\D0240010DC00
Service: NIC1394
.
==== System Restore Points ===================
.
RP118: 8/20/2013 7:24:40 PM - System Checkpoint
RP119: 9/1/2013 6:25:50 PM - System Checkpoint
RP120: 9/7/2013 8:29:02 AM - System Checkpoint
RP121: 9/22/2013 6:45:19 PM - System Checkpoint
RP122: 10/9/2013 7:42:26 PM - System Checkpoint
RP123: 10/25/2013 10:29:43 PM - Installed 54M Wireless USB Adapter
RP124: 10/26/2013 12:04:12 AM - Removed Adobe Flash Player 9 ActiveX.
RP125: 10/26/2013 12:04:46 AM - Removed Ask Toolbar.
RP126: 10/26/2013 12:05:10 AM - Removed Ask Toolbar.
RP127: 10/26/2013 12:07:07 AM - Removed Microsoft Office Live Meeting 2007
RP128: 10/26/2013 12:08:29 AM - Removed The Print Shop 22
RP129: 10/27/2013 2:03:25 PM - System Checkpoint
RP130: 10/31/2013 9:05:24 AM - System Checkpoint
RP131: 11/1/2013 3:10:47 AM - Removed Microsoft Visual C++ 2005 Redistributable
RP132: 11/2/2013 11:22:05 AM - System Checkpoint
RP133: 11/3/2013 12:55:16 PM - System Checkpoint
RP134: 11/4/2013 4:22:43 PM - System Checkpoint
RP135: 11/4/2013 11:02:11 PM - Installed AVG 2014
RP136: 11/4/2013 11:02:48 PM - Installed AVG 2014
RP137: 11/5/2013 6:18:08 PM - Removed AVG 2014
RP138: 11/5/2013 8:22:59 PM - Restore Operation
RP139: 11/5/2013 8:34:39 PM - Restore Operation
RP140: 11/5/2013 8:57:03 PM - Restore Operation
RP141: 11/5/2013 9:17:29 PM - Removed Ask Toolbar.
.
==== Installed Programs ======================
.
54M Wireless USB Adapter
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Agere Systems PCI-SV92PP Soft Modem
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
Ask Toolbar Updater
AT&T Troubleshoot & Resolve Tool
ATI - Software Uninstall Utility
ATI Display Driver
ATI Parental Control & Encoder
att.net Internet Mail
AVG 2014
Bonjour
Citrix Presentation Server Client - Web Only
Compact Wireless-G USB Network Adapter with SpeedBooster
Digital Media Reader
DVD Solution
EPSON CardMonitor
EPSON Event Manager
EPSON PhotoStarter3.0
EPSON Print CD
EPSON Scan Assistant
EPSON Web-To-Page
Express Scribe Uninstall
GearDrvs
getPlus(R)_ocx
Google Chrome
Google Chrome Frame
Google Toolbar for Internet Explorer
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
HP Deskjet 3840
HP Software Update
iTunes
Java Auto Updater
Java(TM) 6 Update 20
LSI PCI-SV92PP Soft Modem
Microsoft .NET Framework 2.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Default Manager
Microsoft Digital Image Library 9 - Blocker
Microsoft Digital Image Starter Edition 2006
Microsoft Digital Image Starter Edition 2006 Editor
Microsoft Digital Image Starter Edition 2006 Library
Microsoft IntelliPoint 5.2
Microsoft IntelliType Pro 5.2
Microsoft Office 2003 Primary Interop Assemblies
Microsoft Office Standard Edition 2003
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft UI Engine
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411
Microsoft Visual Studio 2005 Tools for Office Runtime
MSN
MSN Toolbar
MSN Toolbar Platform
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6 Service Pack 2 (KB973686)
Multimedia Keyboard Driver
Napster Burn Engine
OpenOffice.org 3.4
PANTECH Handset Driver
PC Pitstop Disk MD 2.0
PC Pitstop Driver Alert 1.0.0.12
PC Pitstop Optimize2 2.0
Picasa 3
Power2Go 4.0
PowerDVD
RapidPlayer v5.0 ActiveX Control
REALTEK GbE & FE Ethernet PCI NIC Driver
Realtek High Definition Audio Driver
Recovery Software Suite Gateway
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981350)
Security Update for Windows XP (KB982381)
Sonic Encoders
Speed Test Analysis
SwiftView Viewer
Update for Windows Internet Explorer 8 (KB982632)
Update for Windows XP (KB925720)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
Verizon Tool Launcher for CDM8999
Verizon_PCD_D8999VW_UT
Verizon_PCD_Pantech_UTM32
Verizon_PCD_UT_Framework
Viewpoint Media Player
Visual Studio 2005 Tools for Office Second Edition Runtime
Visual Studio 2012 x86 Redistributables
WebFldrs XP
Windows Backup Utility
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Live ID Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format Runtime
Windows Media Player 11
.
==== Event Viewer Messages From Past Week ========
.
11/5/2013 9:18:36 PM, error: Service Control Manager [7016]  - The BrSplService service has reported an invalid current state 0.
11/5/2013 8:49:18 PM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AFD Avgdiskx AVGIDSDriver AVGIDSShim Avgldx86 Avgtdix Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
11/5/2013 8:49:18 PM, error: Service Control Manager [7001]  - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error:  A device attached to the system is not functioning.
11/5/2013 8:49:18 PM, error: Service Control Manager [7001]  - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
11/5/2013 8:49:18 PM, error: Service Control Manager [7001]  - The AVGIDSAgent service depends on the AVGIDSDriver service which failed to start because of the following error:  A device attached to the system is not functioning.
11/5/2013 8:49:18 PM, error: Service Control Manager [7001]  - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
11/5/2013 8:48:51 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
11/5/2013 8:48:45 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
11/1/2013 11:10:46 AM, error: Service Control Manager [7001]  - The Media Center Extender Service service depends on the SSDP Discovery Service service which failed to start because of the following error:  The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
11/1/2013 11:10:46 AM, error: Service Control Manager [7000]  - The WUSB54GSCSVC service failed to start due to the following error:  The system cannot find the path specified.
11/1/2013 11:10:46 AM, error: Service Control Manager [7000]  - The Upload Manager service failed to start due to the following error:  The account specified for this service is different from the account specified for other services running in the same process.
11/1/2013 11:10:46 AM, error: Service Control Manager [7000]  - The Genesys Logic USB Scanner Controller NT 5.0 service failed to start due to the following error:  The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
10/29/2013 9:12:44 PM, error: Dhcp [1002]  - The IP address lease 192.168.1.2 for the Network Card with network address 00B08C174F1C has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
10/29/2013 11:06:11 PM, error: DCOM [10005]  - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
.
==== End Of File ===========================
 






 Results of screen317's Security Check version 0.99.76 
 Windows XP Service Pack 2 x86   
 Out of date service pack!!
 Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````
 Windows Security Center service is not running! This report may not be accurate!
 Windows Firewall Enabled! 
 Please wait while WMIC compiles updated MOF files.
 displayName  McAfee  VirusScan
 Antivirus up to date! 
`````````Anti-malware/Other Utilities Check:`````````
 Java(TM) 6 Update 20 
 Java version out of Date!
 Adobe Flash Player 10 Flash Player out of Date!
 Adobe Flash Player    11.3.300.271 
 Adobe Reader 8 Adobe Reader out of Date!
 Adobe Reader XI (KB403742..)
 Google Chrome 30.0.1599.101 
````````Process Check: objlist.exe by Laurent````````
 AVG avgwdsvc.exe
 AVG avgrsx.exe
 AVG avgnsx.exe
 AVG avgemc.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 3%
````````````````````End of Log``````````````````````
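The DDS log above is long, and most of the triage a helper does on the "Pseudo HJT Report" section is pattern matching by eye. As an added example (not a tool from this thread, from DDS, or from Malwarebytes), the script below parses the Run, BHO and TB lines of that section and flags three patterns: autoruns launched from inside the user's profile (Application Data / Local Settings), BHO registrations with no file behind them (`<orphaned>` / `<no file>`), and bare filenames with no directory. The sample lines are copied from the log posted above; the heuristics, the scoring and the function names are my own assumptions.

```python
"""Triage the Run/BHO/TB lines of a DDS "Pseudo HJT Report".

Added example, not a tool from the thread. Path-based heuristics
give leads to look at, not verdicts.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the Pseudo HJT lines from the DDS log above.
SAMPLE_DDS = r"""
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Speed Test Analysis: {310D38FE-EB4C-467C-8781-B7C2AEB7847D} - c:\program files\speed test analysis\ScriptHost.dll
BHO: OfferMosquito: {82B16A3D-F03E-4565-A532-666B219C9A53} - c:\documents and settings\mike\local settings\application data\ext_offermosquito\OfferMosquitoIEPlaceholder.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - <orphaned>
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - LocalServer32 - <no file>
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SSync] "c:\documents and settings\mike\application data\ssync\SSync.exe"
uRun: [DataMgr] "c:\documents and settings\mike\application data\datamgr\DataMgr.exe"
uRun: [Intermediate] "c:\documents and settings\mike\application data\intermediate\Intermediate.exe"
uRun: [OMESupervisor] c:\documents and settings\mike\local settings\application data\omesuperv.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AVG_UI] "c:\program files\avg\avg2014\avgui.exe" /TRAYONLY
"""

ENTRY_RE = re.compile(r"^(?P<kind>[umd]Run|BHO|TB):\s*(?P<rest>.+)$")
RUN_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
BHO_RE = re.compile(
    r"^(?:(?P<name>.*?):\s*)?(?P<guid>\{[0-9A-Fa-f-]{36}\})\s*-\s*(?P<target>.*)$")
# First token that looks like an executable, so unquoted paths with spaces survive.
EXE_RE = re.compile(r"^(?P<exe>.+?\.(?:exe|scr|dll|com|bat|cmd|pif))(?:\s|$)", re.IGNORECASE)

# Assumed heuristics: user-writable locations an installer-bundled PUP tends to use.
PROFILE_DIRS = ("\\documents and settings\\", "\\application data\\",
                "\\local settings\\", "\\temp\\", "\\users\\")
DANGLING = ("<orphaned>", "<no file>")


@dataclass
class Finding:
    kind: str       # DDS entry type: uRun/mRun/dRun, BHO or TB
    name: str       # Run value name, BHO display name, or bare CLSID
    target: str     # command line or DLL path exactly as DDS printed it
    reasons: tuple  # heuristics that fired; empty means nothing stood out

    @property
    def score(self) -> int:
        return len(self.reasons)


def first_path(cmd: str) -> str:
    """Return the executable part of a Run command, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group("exe") if m else cmd


def assess(target: str) -> tuple:
    """Return the reasons a target deserves a look; an empty tuple means unremarkable."""
    t = target.strip().lower()
    if not t or t.endswith(DANGLING):
        return ("no file behind the registration (orphaned or missing CLSID target)",)
    reasons = []
    if any(d in t for d in PROFILE_DIRS):
        reasons.append("runs from a user-writable profile directory")
    if "\\" not in t:
        reasons.append("unqualified filename, resolved through the loader search order")
    return tuple(reasons)


def parse_entry(line: str):
    """Parse one Pseudo HJT line into a Finding, or None if it is not a Run/BHO/TB line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, rest = m.group("kind"), m.group("rest").strip()
    if kind.endswith("Run"):
        r = RUN_RE.match(rest)
        if not r:
            return None
        return Finding(kind, r.group("name"), r.group("cmd"), assess(first_path(r.group("cmd"))))
    b = BHO_RE.match(rest)
    if not b:
        return None
    name = b.group("name") or b.group("guid")
    return Finding(kind, name, b.group("target"), assess(b.group("target")))


def triage(text: str) -> list:
    """Parse every recognised line and return the findings, highest score first."""
    findings = [f for f in (parse_entry(l) for l in text.splitlines()) if f]
    return sorted(findings, key=lambda f: f.score, reverse=True)


def flagged_names(text: str) -> set:
    """Names of the entries that fired at least one heuristic."""
    return {f.name for f in triage(text) if f.reasons}


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        mark = "!!" if f.reasons else "  "
        print(f"{mark} {f.kind:<4} {f.name:<40} {f.target}")
        for why in f.reasons:
            print(f"        - {why}")
```

Run against the sample, the SSync, DataMgr and Intermediate autoruns created on 2013-11-01, the omesuperv.exe entry and the OfferMosquito BHO come out on top, which lines up with the PUP.Optional.OfferMosquito hits Malwarebytes reports later in the thread. The limits are visible in the same output: RTHDCPL (Realtek's audio tray applet) is flagged only because its path is unqualified, and Speed Test Analysis is not flagged at all because it installed under Program Files, even though the "Created Last 30" section shows it arriving in the same minute as the other bundle components.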

Offline Corrine

Re: Trojan Horse "Generic34.BRBV"
« Reply #1 on: November 06, 2013, 01:13:38 AM »
Hi, Mike.  Welcome to LandzDown Forum.

We will do our best to assist you.  However, in order to do so, please follow all instructions provided in the sequence given.  Do not install/re-install any programs or run any fixes or scanners that you have not been instructed to use.  This may cause conflicts with the tools being used in the cleanup process.   

If you have questions regarding any of the instructions or problems running any tools, please let us know.

You certainly have some updating ahead of you.  However, let's see if we can give you some breathing room first. 

1.  Please download Malwarebytes' Anti-Malware to your desktop from here.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    -- Update Malwarebytes' Anti-Malware and
    -- Launch Malwarebytes' Anti-Malware
  • Click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, check the following settings:
    -- On the Scanner tab, check Perform quick scan.
    -- On the Settings tab, Scanner Settings, leave the default boxes checked but change the drop-down boxes to Show in results list and check for removal.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, EXCEPT items in System Restore as shown in this sample:
  • Click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See the Note below)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Please post contents of that file in your next reply.

** Note **

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

2.  Please download AdwCleaner by Xplode and save to your Desktop.
  • Double-click AdwCleaner.exe to run the tool.
    Note:  Windows Vista, Windows 7/8 users right-click and select Run As Administrator.
  • Click the Scan button.
  • AdwCleaner will begin.  Be patient as the scan may take some time to complete.
  • After the scan has finished, click the Report button.  A logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, please let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • Copies of all logfiles are saved in the C:\AdwCleaner folder, which was created when running the tool.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline mikej.canfield

  • Jr. Member
  • Posts: 9
Re: Trojan Horse "Generic34.BRBV"
« Reply #2 on: November 06, 2013, 02:39:55 AM »


Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.11.06.01

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.18702
Mike :: FAMILY [administrator]

11/5/2013 10:40:06 PM
mbam-log-2013-11-05 (22-40-06).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 258409
Time elapsed: 9 minute(s), 53 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\Documents and Settings\Mike\Local Settings\Application Data\ext_offermosquito\npOfferMosquitoIEHelper.dll (PUP.Optional.OfferMosquito.A) -> Delete on reboot.

Registry Keys Detected: 5
HKCR\CLSID\{3bc93e76-92f8-5fda-b676-5afee3735bf1} (PUP.Optional.OfferMosquito.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3BC93E76-92F8-5FDA-B676-5AFEE3735BF1} (PUP.Optional.OfferMosquito.A) -> Quarantined and deleted successfully.
HKCR\TypeLib\{B83C16AE-3C3D-5362-85D6-D19F9FB51262} (PUP.Optional.OfferMosquito.A) -> Quarantined and deleted successfully.
HKCR\Interface\{2C0830EC-8559-5E15-9DC7-5BB830020064} (PUP.Optional.OfferMosquito.A) -> Quarantined and deleted successfully.
HKCR\AppID\{562B9316-C08A-444A-9482-62080DD851AE} (PUP.Optional.SpeedAnalysis3.A) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|OMESupervisor (PUP.Optional.OfferMosquito.A) -> Data: C:\Documents and Settings\Mike\Local Settings\Application Data\omesuperv.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 3
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 1
C:\Documents and Settings\All Users\Application Data\IBUpdaterService (Adware.InstallBrain) -> Quarantined and deleted successfully.

Files Detected: 10
C:\Documents and Settings\Mike\Local Settings\Application Data\ext_offermosquito\npOfferMosquitoIEHelper.dll (PUP.Optional.OfferMosquito.A) -> Delete on reboot.
C:\Documents and Settings\Mike\Local Settings\Application Data\omesuperv.exe (PUP.Optional.OfferMosquito.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bizkit\My Documents\Downloads\frostwire-5.3.8.windows.exe (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bizkit\My Documents\Downloads\rcpsetup_softonic_s_728_90_pd (1).exe (PUP.Optional.RegCleanerPro) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bizkit\My Documents\Downloads\rcpsetup_softonic_s_728_90_pd.exe (PUP.Optional.RegCleanerPro) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bizkit\My Documents\Downloads\SoftonicDownloader_for_frostwire.exe (PUP.Optional.Softonic.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\My Documents\Downloads\ZipExtractorSetup.exe (PUP.Optional.InstallCore) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Local Settings\Temp\SpeedTestSetup.exe (Adware.InstallBrain) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\IBUpdaterService\repository.xml (Adware.InstallBrain) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\roboot.exe (PUP.Optional.PCPerformer.A) -> Quarantined and deleted successfully.

(end)

# AdwCleaner v3.011 - Report created 05/11/2013 at 23:32:00
# Updated 03/11/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 2 (32 bits)
# Username : Mike - FAMILY
# Running from : C:\Documents and Settings\Mike\My Documents\Downloads\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****

Service Found : CltMngSvc

***** [ Files / Folders ] *****

File Found : C:\Documents and Settings\Mike\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\hxxp_app.mam.conduit.com_0.localstorage
File Found : C:\Documents and Settings\Mike\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\hxxp_app.mam.conduit.com_0.localstorage-journal
File Found : C:\Documents and Settings\Mike\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\hxxp_storage.conduit.com_0.localstorage
File Found : C:\Documents and Settings\Mike\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\hxxp_storage.conduit.com_0.localstorage-journal
File Found : C:\END
File Found : C:\WINDOWS\Tasks\AmiUpdXp.job
Folder Found : C:\Documents and Settings\Mike\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\gbmdkmlcnbapgegninelmjbfibaghdmk
Folder Found : C:\Documents and Settings\Mike\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\hgeaklkciolgbejekedbdphhbjbiaamp
Folder Found C:\Documents and Settings\All Users\Application Data\Conduit
Folder Found C:\Documents and Settings\All Users\Application Data\Viewpoint
Folder Found C:\Documents and Settings\Bizkit\Application Data\Systweak
Folder Found C:\Documents and Settings\Bizkit\Local Settings\Application Data\PackageAware
Folder Found C:\Documents and Settings\Mike\Application Data\Common\LuaRT
Folder Found C:\Documents and Settings\Mike\Application Data\DataMgr
Folder Found C:\Documents and Settings\Mike\Application Data\Intermediate
Folder Found C:\Documents and Settings\Mike\Application Data\Searchprotect
Folder Found C:\Documents and Settings\Mike\Application Data\SSync
Folder Found C:\Documents and Settings\Mike\Application Data\SwvUpdater
Folder Found C:\Documents and Settings\Mike\Local Settings\Application Data\AskToolbar
Folder Found C:\Documents and Settings\Mike\Local Settings\Application Data\Conduit
Folder Found C:\Documents and Settings\Mike\My Documents\optimizer pro
Folder Found C:\Program Files\Ask.com
Folder Found C:\Program Files\Conduit
Folder Found C:\Program Files\optimizer pro
Folder Found C:\Program Files\Searchprotect
Folder Found C:\Program Files\Viewpoint
Folder Found C:\WINDOWS\installer\{86d4b82a-abed-442a-be86-96357b70f4fe}

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\APN
Key Found : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Found : HKCU\Software\AskToolbar
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\ConduitSearchScopes
Key Found : HKCU\Software\Google\Chrome\Extensions\gbmdkmlcnbapgegninelmjbfibaghdmk
Key Found : HKCU\Software\Google\Chrome\Extensions\hgeaklkciolgbejekedbdphhbjbiaamp
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{79A765E1-C399-405B-85AF-466F52E918B0}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}
Key Found : HKCU\Software\OfferMosquito
Key Found : HKCU\Software\SearchProtect
Key Found : HKCU\Software\smartbar
Key Found : HKCU\Software\Softonic
Key Found : HKLM\Software\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Found : HKLM\Software\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Key Found : HKLM\Software\APN
Key Found : HKLM\Software\AskToolbar
Key Found : HKLM\SOFTWARE\Classes\AppID\{18B9B16E-716F-43DF-A6AD-512C7D2EB983}
Key Found : HKLM\SOFTWARE\Classes\AppID\{19975B78-1907-4DD6-A437-4C48120F46A4}
Key Found : HKLM\SOFTWARE\Classes\AppID\{562B9317-C08A-444A-9482-62080DD851AE}
Key Found : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Found : HKLM\SOFTWARE\Classes\AppID\AddonsFramework.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\ButtonSite.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\ScriptHost.DLL
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Found : HKLM\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{67BD9EEB-AA06-4329-A940-D250019300C9}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd
Key Found : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1
Key Found : HKLM\Software\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF
Key Found : HKLM\Software\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Found : HKLM\SOFTWARE\Classes\Interface\{045F91B3-695F-423A-98C7-8DE3C47AA020}
Key Found : HKLM\SOFTWARE\Classes\Interface\{1348BD1B-C32A-41A7-9BD4-5377AA1AB925}
Key Found : HKLM\SOFTWARE\Classes\Interface\{395AFE6E-8308-48DB-89BE-ED5F4AA3D3EC}
Key Found : HKLM\SOFTWARE\Classes\Interface\{43969E3F-3E7C-4911-A8F1-79C6CA6AC731}
Key Found : HKLM\SOFTWARE\Classes\Interface\{43B390F0-6BA2-45CA-ABF2-5DB0CEE9B49D}
Key Found : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Found : HKLM\SOFTWARE\Classes\Interface\{6E4C89CF-3061-4EE4-B22A-B7A8AAEA5CB3}
Key Found : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Found : HKLM\SOFTWARE\Classes\Interface\{94CADA2E-1D3F-419F-8A3D-06C58EDF53C8}
Key Found : HKLM\SOFTWARE\Classes\Interface\{9E52EB8B-8DD9-4605-AD36-D352BCD482F2}
Key Found : HKLM\SOFTWARE\Classes\Interface\{9EDC0C90-2B5B-4512-953E-35767BAD5C67}
Key Found : HKLM\SOFTWARE\Classes\Interface\{A1440EC3-F0FA-407A-B811-DE6668C06D29}
Key Found : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Found : HKLM\SOFTWARE\Classes\Interface\{B9A84AD0-5777-46FD-8B8F-1EBD06750FBC}
Key Found : HKLM\SOFTWARE\Classes\Interface\{C1995F88-1C7F-40D7-B0FA-6F107F6308B8}
Key Found : HKLM\SOFTWARE\Classes\Interface\{C815E3DA-0823-49B0-9270-D1771D58B317}
Key Found : HKLM\SOFTWARE\Classes\Interface\{E4A994B0-5550-4680-A4C6-B9470B888069}
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT3317127
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{A0EE0278-2986-4E5A-884E-A3BF0357E476}
Key Found : HKLM\SOFTWARE\Classes\Updater.AmiUpd
Key Found : HKLM\SOFTWARE\Classes\Updater.AmiUpd.1
Key Found : HKLM\Software\Conduit
Key Found : HKLM\Software\Freeze.com
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\hgeaklkciolgbejekedbdphhbjbiaamp
Key Found : HKLM\Software\MetaStream
Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Found : HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ApnUpdater
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{99C91FC5-DB5B-4AA0-BB70-5D89C5A4DF96}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SearchProtect
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\F928123A039649549966D4C29D35B1C9
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0CFE535C35F99574E8340BFA75BF92C2
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0E12F736682067FDE4D1158D5940A82E
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1A24B5BB8521B03E0C8D908F5ABC0AE6
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\261F213D1F55267499B1F87D0CC3BCF7
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2B0D56C4F4C46D844A57FFED6F0D2852
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\49D4375FE41653242AEA4C969E4E65E0
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6AA0923513360135B272E8289C5F13FA
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F7467AF8F29C134CBBAB394ECCFDE96
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\741B4ADF27276464790022C965AB6DA8
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7DE196B10195F5647A2B21B761F3DE01
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\922525DCC5199162F8935747CA3D8E59
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9D4F5849367142E4685ED8C25E44C5ED
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A5875B04372C19545BEB90D4D606C472
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A876D9E80B896EC44A8620248CC79296
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B66FFAB725B92594C986DE826A867888
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BCDA179D619B91648538E3394CAC94CC
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D677B1A9671D4D4004F6F2A4469E86EA
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DD1402A9DD4215A43ABDE169A41AFA0E
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E36E114A0EAD2AD46B381D23AD69CDDF
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EF8E618DB3AEDFBB384561B5C548F65E
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{99C91FC5-DB5B-4AA0-BB70-5D89C5A4DF96}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
Key Found : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Found : HKLM\Software\SearchProtect
Key Found : HKLM\Software\systweak
Key Found : HKLM\Software\Viewpoint
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Value Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [ConduitFloatingPlugin_hgeaklkciolgbejekedbdphhbjbiaamp]
Value Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [DataMgr]
Value Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Intermediate]
Value Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [SearchProtect]
Value Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [ssync]
Value Found : HKCU\Software\Mozilla\Firefox\Extensions [speedtestanalysis@SpeedAnalysis.com]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [SearchProtectAll]
Value Found : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [speedtestanalysis@SpeedAnalysis.com]

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

Setting Found : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page] - hxxp://search.conduit.com/?ctid=CT3317127&octid=CT3317127&SearchSource=61&CUI=UN28792855192424713&UM=2&UP=SP8FB3A37D-43BC-42D4-A6D4-72AEEB6D17AD

-\\ Google Chrome v30.0.1599.101

[ File : C:\Documents and Settings\Bizkit\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]


[ File : C:\Documents and Settings\Mike\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]

Found : urls_to_restore_on_startup
Found : urls_to_restore_on_startup
Found : urls_to_restore_on_startup

*************************

AdwCleaner[R0].txt - [14609 octets] - [05/11/2013 23:32:00]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [14670 octets] ##########



Offline mikej.canfield

  • Jr. Member
  • Posts: 9
Re: Trojan Horse "Generic34.BRBV"
« Reply #3 on: November 06, 2013, 02:46:50 AM »

# AdwCleaner v3.011 - Report created 05/11/2013 at 23:40:47
# Updated 03/11/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 2 (32 bits)
# Username : Mike - FAMILY
# Running from : C:\Documents and Settings\Mike\My Documents\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

  • Service Deleted : CltMngSvc


***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\Conduit
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Viewpoint
Folder Deleted : C:\Program Files\Ask.com
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\optimizer pro
Folder Deleted : C:\Program Files\Searchprotect
Folder Deleted : C:\Program Files\Viewpoint
Folder Deleted : C:\WINDOWS\installer\{86d4b82a-abed-442a-be86-96357b70f4fe}
Folder Deleted : C:\Documents and Settings\Bizkit\Local Settings\Application Data\PackageAware
Folder Deleted : C:\Documents and Settings\Bizkit\Application Data\Systweak
Folder Deleted : C:\Documents and Settings\Mike\Local Settings\Application Data\AskToolbar
Folder Deleted : C:\Documents and Settings\Mike\Local Settings\Application Data\Conduit
Folder Deleted : C:\Documents and Settings\Mike\Application Data\Common\LuaRT
Folder Deleted : C:\Documents and Settings\Mike\Application Data\DataMgr
Folder Deleted : C:\Documents and Settings\Mike\Application Data\Intermediate
Folder Deleted : C:\Documents and Settings\Mike\Application Data\Searchprotect
Folder Deleted : C:\Documents and Settings\Mike\Application Data\SSync
Folder Deleted : C:\Documents and Settings\Mike\Application Data\SwvUpdater
Folder Deleted : C:\Documents and Settings\Mike\My Documents\optimizer pro
[!] Folder Deleted : C:\Documents and Settings\Mike\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\gbmdkmlcnbapgegninelmjbfibaghdmk
[!] Folder Deleted : C:\Documents and Settings\Mike\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\hgeaklkciolgbejekedbdphhbjbiaamp
File Deleted : C:\END
File Deleted : C:\Documents and Settings\Mike\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\hxxp_app.mam.conduit.com_0.localstorage
File Deleted : C:\Documents and Settings\Mike\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\hxxp_app.mam.conduit.com_0.localstorage-journal
File Deleted : C:\Documents and Settings\Mike\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\hxxp_storage.conduit.com_0.localstorage
File Deleted : C:\Documents and Settings\Mike\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\hxxp_storage.conduit.com_0.localstorage-journal
File Deleted : C:\WINDOWS\Tasks\AmiUpdXp.job

***** [ Shortcuts ] *****


***** [ Registry ] *****

Value Deleted : HKCU\Software\Mozilla\Firefox\Extensions [speedtestanalysis@SpeedAnalysis.com]
Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [speedtestanalysis@SpeedAnalysis.com]
Key Deleted : HKCU\Software\Google\Chrome\Extensions\gbmdkmlcnbapgegninelmjbfibaghdmk
Key Deleted : HKCU\Software\Google\Chrome\Extensions\hgeaklkciolgbejekedbdphhbjbiaamp
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\hgeaklkciolgbejekedbdphhbjbiaamp
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [DataMgr]
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Intermediate]
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [SearchProtect]
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [ssync]
Key Deleted : HKLM\SOFTWARE\Classes\AppID\AddonsFramework.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ButtonSite.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHost.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd
Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Classes\Updater.AmiUpd
Key Deleted : HKLM\SOFTWARE\Classes\Updater.AmiUpd.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ApnUpdater
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [SearchProtectAll]
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3317127
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [ConduitFloatingPlugin_hgeaklkciolgbejekedbdphhbjbiaamp]
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{18B9B16E-716F-43DF-A6AD-512C7D2EB983}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{19975B78-1907-4DD6-A437-4C48120F46A4}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{562B9317-C08A-444A-9482-62080DD851AE}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{67BD9EEB-AA06-4329-A940-D250019300C9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{045F91B3-695F-423A-98C7-8DE3C47AA020}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1348BD1B-C32A-41A7-9BD4-5377AA1AB925}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{395AFE6E-8308-48DB-89BE-ED5F4AA3D3EC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{43969E3F-3E7C-4911-A8F1-79C6CA6AC731}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{43B390F0-6BA2-45CA-ABF2-5DB0CEE9B49D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6E4C89CF-3061-4EE4-B22A-B7A8AAEA5CB3}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{94CADA2E-1D3F-419F-8A3D-06C58EDF53C8}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E52EB8B-8DD9-4605-AD36-D352BCD482F2}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9EDC0C90-2B5B-4512-953E-35767BAD5C67}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A1440EC3-F0FA-407A-B811-DE6668C06D29}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B9A84AD0-5777-46FD-8B8F-1EBD06750FBC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C1995F88-1C7F-40D7-B0FA-6F107F6308B8}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C815E3DA-0823-49B0-9270-D1771D58B317}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E4A994B0-5550-4680-A4C6-B9470B888069}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{A0EE0278-2986-4E5A-884E-A3BF0357E476}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Key Deleted : HKCU\Software\APN
Key Deleted : HKCU\Software\AskToolbar
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\OfferMosquito
Key Deleted : HKCU\Software\SearchProtect
Key Deleted : HKCU\Software\smartbar
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\Software\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\Software\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Key Deleted : HKLM\Software\APN
Key Deleted : HKLM\Software\AskToolbar
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\Freeze.com
Key Deleted : HKLM\Software\MetaStream
Key Deleted : HKLM\Software\SearchProtect
Key Deleted : HKLM\Software\systweak
Key Deleted : HKLM\Software\Viewpoint
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{99C91FC5-DB5B-4AA0-BB70-5D89C5A4DF96}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{79A765E1-C399-405B-85AF-466F52E918B0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{99C91FC5-DB5B-4AA0-BB70-5D89C5A4DF96}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SearchProtect
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\Software\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\Software\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\F928123A039649549966D4C29D35B1C9

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page]

-\\ Google Chrome v30.0.1599.101

[ File : C:\Documents and Settings\Bizkit\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]


[ File : C:\Documents and Settings\Mike\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]

Deleted : urls_to_restore_on_startup

*************************

AdwCleaner[R0].txt - [14751 octets] - [05/11/2013 23:32:00]
AdwCleaner[S0].txt - [14815 octets] - [05/11/2013 23:40:47]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [14876 octets] ##########

Corrine (Administrator)
Re: Trojan Horse "Generic34.BRBV"
« Reply #4 on: November 06, 2013, 01:30:21 PM »
Hi, Mike.

I see you went ahead and ran the clean option for AdwCleaner.  Let's follow up with the Junkware Removal Tool and some updating of the outdated vulnerable software on your computer.

1.  Please download Junkware Removal Tool to your desktop.
  • Disable your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it.  If you are using Windows Vista or Seven, right-mouse click it and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

2.  Please uninstall Java(TM) 6 Update 20 and download the latest version, from here:  Java Version 7 Update 45.  UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.

3.  With Adobe Flash Player, you need to update both the ActiveX and Plugin.  The current version for both is 11.9.900.117, available from the direct download links below.

Non-IE (Opera, Firefox, Etc.):  http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_plugin.exe
 
Windows XP, Vista and 7:
Flash Player For Internet Explorer 7, 8, 9, 10:  http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_active_x.exe

4.  Please uninstall Adobe Reader version 8.  Adobe Reader XI (11.0.05) for Windows is available here: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows.  Again, please UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.

Another option is to replace Adobe Reader with a less vulnerable option.  My preference is Sumatra PDF.  See Replacing Adobe Reader with Sumatra PDF for additional information.

5.  Please rescan with DDS.  I won't need Attach.txt this time, just the DDS.txt log.

How is your computer now?


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

mikej.canfield
Re: Trojan Horse "Generic34.BRBV"
« Reply #5 on: November 06, 2013, 05:21:54 PM »
Computer is working better.  After I ran DDS the first time I got a few "your system has recovered from a serious error" messages.  I noticed I had a lot of updating to do.  I just pulled this machine out of storage :).  I have had an issue stopping the McAfee VirusScan in the past.  I can't seem to see that it is running on the Task Manager and I can't find it in any folder.  I have a folder named McAfee but there is nothing in it.  Any advice on how to stop it before running Junkware Removal Tool?

Corrine (Administrator)
Re: Trojan Horse "Generic34.BRBV"
« Reply #6 on: November 06, 2013, 09:30:00 PM »
Hi, Mike. 

All that is showing in your log for McAfee is the McAfee folder.  I don't see a Network Associates list either.  Seeing as how you will also need to update to SP3, let's go a different route.  After you run Junkware Removal Tool, please do the following -- allowing ComboFix to run even if there is a prompt for the McAfee tool.  Just be sure to disable AVG.  Then we'll see what shows for McAfee.

Please follow these instructions carefully.  Download ComboFix from the following location:  Link 1

!!! IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray. 

    Note:  If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum:  How to disable your security applications.

  • If infections are found, ComboFix will automatically reboot the machine to complete the removal process.  Please ensure all opened windows are closed before proceeding.
  • Double-click ComboFix.exe on your desktop and follow the prompts. 
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, a log will be produced. Please copy C:\ComboFix.txt in your next reply.


mikej.canfield
Re: Trojan Horse "Generic34.BRBV"
« Reply #7 on: November 07, 2013, 04:46:20 PM »
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Microsoft Windows XP x86
Ran by Mike on Thu 11/07/2013 at  8:18:20.03
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services



~~~ Registry Values

Successfully deleted: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\browsersafeguard
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\installer\upgradecodes\f928123a039649549966d4c29d35b1c9
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{59B451FD-0F91-4559-A4EF-7AFB660BDA4C}



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\Documents and Settings\Mike\Local Settings\Application Data\cre"
Successfully deleted: [Folder] "C:\Program Files\browsersafeguard"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 11/07/2013 at  8:25:30.96
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ComboFix 13-11-04.01 - Mike 11/07/2013   8:40.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.894.456 [GMT -5:00]
Running from: c:\documents and settings\Mike\My Documents\Downloads\ComboFix.exe
AV: AVG AntiVirus Free Edition 2014 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW:  *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Bizkit\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\Mike\WINDOWS
C:\install.exe
c:\program files\Wireless Adapter\UI.exe
c:\windows\system32\_005130_.tmp.dll
c:\windows\system32\_005131_.tmp.dll
c:\windows\system32\_005132_.tmp.dll
c:\windows\system32\_005133_.tmp.dll
c:\windows\system32\_005140_.tmp.dll
c:\windows\system32\_005141_.tmp.dll
c:\windows\system32\_005142_.tmp.dll
c:\windows\system32\_005143_.tmp.dll
c:\windows\system32\_005145_.tmp.dll
c:\windows\system32\_005146_.tmp.dll
c:\windows\system32\_005149_.tmp.dll
c:\windows\system32\_005150_.tmp.dll
c:\windows\system32\_005152_.tmp.dll
c:\windows\system32\_005153_.tmp.dll
c:\windows\system32\_005154_.tmp.dll
c:\windows\system32\_005156_.tmp.dll
c:\windows\system32\_005159_.tmp.dll
c:\windows\system32\_005160_.tmp.dll
c:\windows\system32\_005164_.tmp.dll
c:\windows\system32\_005165_.tmp.dll
c:\windows\system32\_005167_.tmp.dll
c:\windows\system32\_005170_.tmp.dll
c:\windows\system32\_005172_.tmp.dll
c:\windows\system32\_005173_.tmp.dll
c:\windows\system32\_005174_.tmp.dll
c:\windows\system32\_005175_.tmp.dll
c:\windows\system32\_005176_.tmp.dll
c:\windows\system32\_005179_.tmp.dll
c:\windows\system32\_005180_.tmp.dll
c:\windows\system32\_005181_.tmp.dll
c:\windows\system32\_005182_.tmp.dll
c:\windows\system32\_005183_.tmp.dll
c:\windows\system32\_005188_.tmp.dll
c:\windows\system32\_005190_.tmp.dll
c:\windows\system32\_005191_.tmp.dll
c:\windows\system32\config\systemprofile\WINDOWS
H:\Autorun.inf
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_PCCMSERVICE
-------\Service_pcCMService
.
.
(((((((((((((((((((((((((   Files Created from 2013-10-07 to 2013-11-07  )))))))))))))))))))))))))))))))
.
.
2013-11-07 13:18 . 2013-11-07 13:18   --------   d-----w-   c:\windows\ERUNT
2013-11-07 13:15 . 2013-11-07 13:15   --------   d-----w-   c:\program files\SumatraPDF
2013-11-06 04:31 . 2013-11-06 04:42   --------   d-----w-   C:\AdwCleaner
2013-11-06 04:00 . 2013-11-06 04:00   40776   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2013-11-06 03:37 . 2013-11-06 03:37   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2013-11-06 03:37 . 2013-11-06 03:37   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2013-11-06 03:37 . 2013-04-04 19:50   22856   ----a-w-   c:\windows\system32\drivers\mbam.sys
2013-11-05 04:04 . 2013-11-05 04:04   --------   d-----w-   c:\windows\system32\config\systemprofile\Application Data\AVG2014
2013-11-05 04:03 . 2013-11-05 04:04   --------   d-----w-   c:\documents and settings\All Users\Application Data\AVG2014
2013-11-05 04:03 . 2013-11-05 04:03   --------   d-----w-   C:\$AVG
2013-11-05 04:02 . 2013-11-05 04:02   --------   d-----w-   c:\program files\AVG
2013-11-05 03:59 . 2013-11-06 23:34   --------   d-----w-   c:\documents and settings\All Users\Application Data\MFAData
2013-11-01 08:18 . 2013-11-01 08:18   --------   d-----w-   c:\program files\Speed Test Analysis
2013-10-26 02:29 . 2008-08-28 20:52   627072   ----a-w-   c:\windows\system32\drivers\rt2870.sys
2013-10-26 02:29 . 2008-08-28 20:38   221184   ----a-w-   c:\windows\system32\RaCoInst.dll
2013-10-26 02:29 . 2013-11-07 13:48   --------   d-----w-   c:\program files\Wireless Adapter
2013-10-26 02:27 . 2013-11-07 13:49   --------   d-----w-   c:\documents and settings\Mike
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-11-07 13:13 . 2012-06-28 02:50   71048   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2013-11-07 13:13 . 2012-06-28 02:50   692616   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2013-10-26 02:29 . 2006-08-29 15:21   21419   -c--a-w-   c:\windows\system32\drivers\AegisP.sys
2013-09-26 01:57 . 2013-09-26 01:57   120632   ----a-w-   c:\windows\system32\drivers\avgdiskx.sys
2013-09-11 03:11 . 2013-09-11 03:11   22840   ----a-w-   c:\windows\system32\drivers\avgidsshimx.sys
2013-09-09 03:12 . 2013-09-09 03:12   27448   ----a-w-   c:\windows\system32\drivers\avgrkx86.sys
2013-09-02 15:39 . 2013-09-02 15:39   176952   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
2013-09-02 15:28 . 2013-09-02 15:28   145720   ----a-w-   c:\windows\system32\drivers\avgidshx.sys
2013-09-02 15:28 . 2013-09-02 15:28   209208   ----a-w-   c:\windows\system32\drivers\avgidsdriverx.sys
2013-09-02 15:28 . 2013-09-02 15:28   223032   ----a-w-   c:\windows\system32\drivers\avglogx.sys
2013-08-21 03:54 . 2013-08-21 03:54   102200   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
2003-03-19 01:20 . 2003-03-19 01:20   1060864   ----a-w-   c:\program files\mfc71.dll
2003-03-19 01:12 . 2003-03-19 01:12   1047552   ----a-w-   c:\program files\mfc71u.dll
2003-03-19 00:44 . 2003-03-19 00:44   57344   ----a-w-   c:\program files\MFC71ENU.DLL
2003-03-19 00:44 . 2003-03-19 00:44   49152   ----a-w-   c:\program files\MFC71KOR.DLL
2003-03-19 00:44 . 2003-03-19 00:44   61440   ----a-w-   c:\program files\MFC71ITA.DLL
2003-03-19 00:44 . 2003-03-19 00:44   61440   ----a-w-   c:\program files\MFC71ESP.DLL
2003-03-19 00:44 . 2003-03-19 00:44   45056   ----a-w-   c:\program files\MFC71CHT.DLL
2003-03-19 00:44 . 2003-03-19 00:44   40960   ----a-w-   c:\program files\MFC71CHS.DLL
2003-03-19 00:44 . 2003-03-19 00:44   65536   ----a-w-   c:\program files\MFC71DEU.DLL
2003-03-19 00:44 . 2003-03-19 00:44   61440   ----a-w-   c:\program files\MFC71FRA.DLL
2003-03-19 00:44 . 2003-03-19 00:44   49152   ----a-w-   c:\program files\MFC71JPN.DLL
2001-06-20 21:19 . 2001-06-19 21:34   40960   -c--a-w-   c:\program files\ACMonitor_X83.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{82B16A3D-F03E-4565-A532-666B219C9A53}]
2013-08-29 19:24   150528   ----a-w-   c:\documents and settings\Mike\Local Settings\Application Data\ext_offermosquito\OfferMosquitoIEPlaceholder.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-31 16806912]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
"PrinTray"="c:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-25 36864]
"MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0346.1\mswinext.exe" [2009-11-01 240992]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"CHotkey"="zHotkey.exe" [2004-12-09 550912]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\pcTrayApp.exe" [2012-06-07 1939968]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"AVG_UI"="c:\program files\AVG\AVG2014\avgui.exe" [2013-10-08 4908592]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ      autocheck autochk *\0c:\progra~1\AVG\AVG2014\avgrsx.exe /sync /restart
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GamersFirst LIVE!.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GamersFirst LIVE!.lnk
backup=c:\windows\pss\GamersFirst LIVE!.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
NA [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]
2006-10-12 20:57   102400   ----a-w-   c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-06 04:56   64512   ----a-w-   c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2004-02-18 17:55   49152   ----a-w-   c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-06-07 23:33   421776   ----a-w-   c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Motive\\pcServiceHost.exe"=
"c:\\Program Files\\FrostWire 5\\FrostWire.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG2014\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2014\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2014\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2014\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58098:TCP"= 58098:TCP:Pando Media Booster
"58098:UDP"= 58098:UDP:Pando Media Booster
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [9/2/2013 10:28 AM 145720]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [9/2/2013 10:28 AM 223032]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/8/2013 10:12 PM 27448]
R1 Avgdiskx;AVG Disk Driver;c:\windows\system32\drivers\avgdiskx.sys [9/25/2013 8:57 PM 120632]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [9/2/2013 10:28 AM 209208]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [9/10/2013 10:11 PM 22840]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [9/2/2013 10:39 AM 176952]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [8/1/2013 4:08 PM 193848]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2014\avgwdsvc.exe [9/25/2013 9:47 PM 301152]
R2 pcServiceHost;pcServiceHost;c:\program files\Common Files\Motive\pcServiceHost.exe [6/27/2012 7:36 PM 342016]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2014\avgidsagent.exe [10/3/2013 10:00 PM 3538480]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\drivers\usbscan.sys [8/21/2010 3:44 PM 15104]
S2 WUSB54GSCSVC;WUSB54GSCSVC;"c:\program files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe" "WUSB54GSC.exe" --> c:\program files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [11/5/2013 11:00 PM 40776]
S3 Pantech UTM Service;Pantech UTM Service;c:\program files\PCD\Pantech\EUDL\UTM\PantechService.exe [11/23/2010 4:22 PM 65536]
S3 PTHSBUS;PANTECH Handset USB Composite Device Driver (UDP);c:\windows\system32\drivers\PTHSBUS.sys [7/2/2012 8:38 AM 56976]
S3 PTHSMDM;PANTECH Handset Drivers (UDP);c:\windows\system32\drivers\PTHSMDM.sys [7/2/2012 8:38 AM 167824]
S3 PTHSVSP;PANTECH Handset Diagnostic Serial Port (UDP);c:\windows\system32\drivers\PTHSVSP.sys [7/2/2012 8:38 AM 167824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-10-26 02:54   1185744   ----a-w-   c:\program files\Google\Chrome\Application\30.0.1599.101\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-11-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-28 13:13]
.
2013-11-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-10-26 02:54]
.
2013-11-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-10-26 02:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <-loopback>
uInternet Settings,ProxyServer = http=127.0.0.1:1034;https=127.0.0.1:1034;
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
TCP: DhcpNameServer = 192.168.1.1
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-EPSON Stylus Photo R320 Series - c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
c:\documents and settings\All Users\Start Menu\Programs\Startup\54M Wireless USB Adapter.lnk - c:\program files\Wireless Adapter\UI.exe
AddRemove-Browsersafeguard - c:\program files\Browsersafeguard\uninstall.browsersafeguard.exe
AddRemove-LSI Soft Modem - c:\windows\agrsmdel
AddRemove-Yahoo! Toolbar - c:\progra~1\Yahoo!\Common\UNYT_W~1.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-11-07 08:53
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1088)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2232)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\brss01a.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Google\Update\1.3.21.165\GoogleCrashHandler.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\RTHDCPL.EXE
c:\windows\zHotkey.exe
.
**************************************************************************
.
Completion time: 2013-11-07  08:58:53 - machine was rebooted
ComboFix-quarantined-files.txt  2013-11-07 13:58
.
Pre-Run: 224,679,579,648 bytes free
Post-Run: 224,591,753,216 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 7C24D6E09548CD975EE2DC448692F88A
B20939CD98B7710036274839082AE757
ComboFix is pretty intense software.  I had a hard time watching it delete system32 files lol.  It actually saw my wireless network manager "UI.exe" as an orphan and deleted it so I had to reinstall it to access the internet.   Also, I had some trouble with the Java update, each time I tried to update it said a file was corrupted.  It appeared the file was one of the newly downloaded ones.   Here is the path for the corrupted file:   C:\Documents and Settings\Mike\Application Data\Sun\Java\jre1.7.0_45\jre1.7.0_45-c.msi     Any ideas?

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 14486
  • "Stronger than the past, united in our goal."
Re: Trojan Horse "Generic34.BRBV"
« Reply #8 on: November 07, 2013, 11:56:45 PM »
Hi, Mike.

After several interruptions today, hopefully, I can finally finish posting the next set of instructions for you!

Yes, ComboFix is a very powerful tool which is why the warning when running it and also why we tell people not to run it unless specifically advised to do so.  I reported the removal of the shortcut to your wireless network manager to the developer of ComboFix. 

Let's take care of the McAfee file you couldn't uninstall as well as a browser hijack leftover.  Please note that the disabled Firewall shown in the log is for the McAfee firewall.  I'll provide a recommendation later in this reply for a software firewall.

1.  Custom CFScript

Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


  • Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK).  Copy/Paste all of the text present inside the code box below:
Code:
SecCenter::
AV: McAfee VirusScan *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW:  *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

Reg::
[-HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{82B16A3D-F03E-4565-A532-666B219C9A53}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSKDetectorExe"=-

Folder::
c:\documents and settings\Mike\Local Settings\Application Data\ext_offermosquito
c:\program files\McAfee
  • Save this as CFScript.txt and place it on your desktop.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2.  A software firewall is needed.  There are a variety of firewalls listed here at LandzDown in the Firewall Updates forum.  Some are free, others licensed (paid) programs.  Among the free programs available, Private Firewall is considered a good program.

3.  Regarding Java, since you have OpenOffice installed, unfortunately that is one of the programs that uses Java.  In reading about others having a problem with the .msi, they solved the problem by uninstalling Java, restarting and then downloading from here:  http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html

Accept the license agreement and then select:  Windows x86   39.57 MB     jre-7u45-windows-i586.tar.gz (rather than the offline version)


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.
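The reply above decides what goes into the CFScript by reading a few specific lines of the ComboFix log: the ProxyServer entry pointing at 127.0.0.1, the Security Center "DisableMonitoring" keys, and the ORPHANS REMOVED list (which is where the legitimate UI.exe was lost). The script below is an added example, not part of this thread and not ComboFix's own code, that pulls exactly those review items out of a log so a helper can check them before writing a script. The sample log embedded in it is constructed, modelled on the lines posted in this thread; the function and class names are my own.

```python
"""Triage helper for ComboFix-style logs (added example; not ComboFix's own code).

It pulls out three things a helper reviews before writing a CFScript:
  * a ProxyServer pointing at loopback (all browser traffic is being routed
    through a local process; a hijacker leftover in this thread, although
    local filtering proxies from AV products look the same, so review it),
  * Security Center "DisableMonitoring" flags (often set by the AV suite
    itself, as with the McAfee/Symantec keys in the log, so a review item),
  * entries listed under ORPHANS REMOVED, which must be checked against
    software the user still needs (UI.exe in this thread was legitimate).
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample modelled on the log lines posted in this thread.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <-loopback>
uInternet Settings,ProxyServer = http=127.0.0.1:1034;https=127.0.0.1:1034;
TCP: DhcpNameServer = 192.168.1.1
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-MSKDetectorExe - c:\program files\McAfee\SpamKiller\MSKDetct.exe
c:\documents and settings\All Users\Start Menu\Programs\Startup\54M Wireless USB Adapter.lnk - c:\program files\Wireless Adapter\UI.exe
.
.
**************************************************************************
"""

PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<value>.+)$")
REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DISABLE_RE = re.compile(r'^"DisableMonitoring"=dword:(?P<val>[0-9a-fA-F]{8})$')
ORPHAN_HEADER = "- - - - ORPHANS REMOVED - - - -"


@dataclass(frozen=True)
class Finding:
    kind: str    # "proxy", "seccenter" or "orphan"
    detail: str


def parse_proxy_value(value):
    """'http=127.0.0.1:1034;https=127.0.0.1:1034;' -> {'http': ('127.0.0.1', 1034), ...}.

    A value with no scheme ('host:port') applies to every protocol; it is keyed '*'.
    """
    proxies = {}
    for part in (p.strip() for p in value.split(";")):
        if not part:
            continue
        scheme, hostport = part.split("=", 1) if "=" in part else ("*", part)
        host, _, port = hostport.rpartition(":")
        if not host:                      # no ':' at all: bare host, no port
            host, port = hostport, ""
        host = host.strip("[]")           # bracketed IPv6 literal
        proxies[scheme.lower()] = (host, int(port) if port.isdigit() else None)
    return proxies


def is_loopback(host):
    """True for 127/8, ::1 and the name localhost."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def triage(log_text):
    """Scan a ComboFix log and return the review items as Finding objects."""
    findings = []
    current_key = None
    in_orphans = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == ORPHAN_HEADER:
            in_orphans = True
            continue
        if in_orphans:
            if line.startswith("****"):   # ComboFix's separator ends the orphan list
                in_orphans = False
            elif line and line != ".":
                findings.append(Finding("orphan", line))
            continue
        m = PROXY_RE.match(line)
        if m:
            for scheme, (host, port) in parse_proxy_value(m.group("value")).items():
                if is_loopback(host):
                    findings.append(Finding("proxy", f"{scheme} traffic proxied to loopback {host}:{port}"))
            continue
        m = REG_KEY_RE.match(line)
        if m:
            current_key = m.group("key")  # remember the key the next values belong to
            continue
        m = DISABLE_RE.match(line)
        if m and current_key and r"security center\monitoring" in current_key.lower():
            if int(m.group("val"), 16) == 1:
                findings.append(Finding("seccenter", f"monitoring disabled under {current_key}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}")
```

Run against a saved ComboFix log with `triage(open("ComboFix.txt").read())`. Every finding is a review item rather than a verdict: a loopback proxy is what the thread's hijacker left behind, but a local filtering proxy installed by an AV product sets the same value, and the orphan list is printed precisely so that a still-needed program (the wireless manager here) is noticed before it is deleted.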

Offline mikej.canfield

  • Jr. Member
  • **
  • Posts: 9
Re: Trojan Horse "Generic34.BRBV"
« Reply #9 on: November 08, 2013, 01:17:01 AM »
ComboFix 13-11-07.01 - Mike 11/07/2013  21:50:51.2.2 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.894.448 [GMT -5:00]
Running from: c:\documents and settings\Mike\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Mike\Desktop\CFScript.text
AV: AVG AntiVirus Free Edition 2014 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Mike\Local Settings\Application Data\ext_offermosquito
c:\documents and settings\Mike\Local Settings\Application Data\ext_offermosquito\atl100.dll
c:\documents and settings\Mike\Local Settings\Application Data\ext_offermosquito\msvcr100d.dll
c:\documents and settings\Mike\Local Settings\Application Data\ext_offermosquito\OfFErmosquitoieplaceholder.dll
c:\program files\McAfee
c:\program files\McAfee\SpamKiller\borlndmm.dll
c:\program files\McAfee\SpamKiller\MSKColors.dat
c:\program files\McAfee\SpamKiller\MSKDetct.exe
c:\program files\McAfee\SpamKiller\MSKFilte.inf
c:\program files\McAfee\SpamKiller\MSKRescs.dll
c:\program files\Wireless Adapter\UI.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-10-08 to 2013-11-08  )))))))))))))))))))))))))))))))
.
.
2013-11-08 02:11 . 2013-11-08 02:11   63115   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
2013-11-08 02:11 . 2013-11-08 02:11   9310   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS
2013-11-08 02:11 . 2013-11-08 02:11   8646   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS
2013-11-08 02:11 . 2013-11-08 02:11   6429   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
2013-11-08 02:11 . 2013-11-08 02:11   5927   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS
2013-11-08 02:11 . 2013-11-08 02:11   4599   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
2013-11-08 02:11 . 2013-11-08 02:11   8613   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS
2013-11-08 02:11 . 2013-11-08 02:11   1651   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS
2013-11-08 02:11 . 2013-11-08 02:11   6910   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS
2013-11-08 02:10 . 2013-11-08 02:10   6208   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS
2013-11-08 02:10 . 2013-11-08 02:10   18541   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS
2013-11-08 02:10 . 2013-11-08 02:10   8288   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS
2013-11-08 02:10 . 2013-11-08 02:10   51852   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS
2013-11-08 02:10 . 2013-11-08 02:10   20719   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
2013-11-08 02:10 . 2013-11-08 02:10   7271   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
2013-11-08 02:10 . 2013-11-08 02:10   23327   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
2013-11-08 02:10 . 2013-11-08 02:10   8782   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2013-11-07 13:18 . 2013-11-07 13:18   --------   d-----w-   c:\windows\ERUNT
2013-11-07 13:15 . 2013-11-07 13:15   --------   d-----w-   c:\program files\SumatraPDF
2013-11-06 04:31 . 2013-11-06 04:42   --------   d-----w-   C:\AdwCleaner
2013-11-06 04:00 . 2013-11-06 04:00   40776   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2013-11-06 03:37 . 2013-11-06 03:37   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2013-11-06 03:37 . 2013-11-06 03:37   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2013-11-06 03:37 . 2013-04-04 19:50   22856   ----a-w-   c:\windows\system32\drivers\mbam.sys
2013-11-05 04:04 . 2013-11-05 04:04   --------   d-----w-   c:\windows\system32\config\systemprofile\Application Data\AVG2014
2013-11-05 04:03 . 2013-11-05 04:04   --------   d-----w-   c:\documents and settings\All Users\Application Data\AVG2014
2013-11-05 04:03 . 2013-11-05 04:03   --------   d-----w-   C:\$AVG
2013-11-05 04:02 . 2013-11-05 04:02   --------   d-----w-   c:\program files\AVG
2013-11-05 03:59 . 2013-11-08 02:13   --------   d-----w-   c:\documents and settings\All Users\Application Data\MFAData
2013-11-01 08:18 . 2013-11-01 08:18   --------   d-----w-   c:\program files\Speed Test Analysis
2013-10-26 02:29 . 2008-08-28 20:52   627072   ----a-w-   c:\windows\system32\drivers\rt2870.sys
2013-10-26 02:29 . 2008-08-28 20:38   221184   ----a-w-   c:\windows\system32\RaCoInst.dll
2013-10-26 02:29 . 2013-11-08 02:58   --------   d-----w-   c:\program files\Wireless Adapter
2013-10-26 02:27 . 2013-11-07 19:07   --------   d-----w-   c:\documents and settings\Mike
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-11-07 13:13 . 2012-06-28 02:50   71048   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2013-11-07 13:13 . 2012-06-28 02:50   692616   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2013-10-26 02:29 . 2006-08-29 15:21   21419   -c--a-w-   c:\windows\system32\drivers\AegisP.sys
2013-09-26 01:57 . 2013-09-26 01:57   120632   ----a-w-   c:\windows\system32\drivers\avgdiskx.sys
2013-09-11 03:11 . 2013-09-11 03:11   22840   ----a-w-   c:\windows\system32\drivers\avgidsshimx.sys
2013-09-09 03:12 . 2013-09-09 03:12   27448   ----a-w-   c:\windows\system32\drivers\avgrkx86.sys
2013-09-02 15:39 . 2013-09-02 15:39   176952   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
2013-09-02 15:28 . 2013-09-02 15:28   145720   ----a-w-   c:\windows\system32\drivers\avgidshx.sys
2013-09-02 15:28 . 2013-09-02 15:28   209208   ----a-w-   c:\windows\system32\drivers\avgidsdriverx.sys
2013-09-02 15:28 . 2013-09-02 15:28   223032   ----a-w-   c:\windows\system32\drivers\avglogx.sys
2013-08-21 03:54 . 2013-08-21 03:54   102200   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
2003-03-19 01:20 . 2003-03-19 01:20   1060864   ----a-w-   c:\program files\mfc71.dll
2003-03-19 01:12 . 2003-03-19 01:12   1047552   ----a-w-   c:\program files\mfc71u.dll
2003-03-19 00:44 . 2003-03-19 00:44   57344   ----a-w-   c:\program files\MFC71ENU.DLL
2003-03-19 00:44 . 2003-03-19 00:44   49152   ----a-w-   c:\program files\MFC71KOR.DLL
2003-03-19 00:44 . 2003-03-19 00:44   61440   ----a-w-   c:\program files\MFC71ITA.DLL
2003-03-19 00:44 . 2003-03-19 00:44   61440   ----a-w-   c:\program files\MFC71ESP.DLL
2003-03-19 00:44 . 2003-03-19 00:44   45056   ----a-w-   c:\program files\MFC71CHT.DLL
2003-03-19 00:44 . 2003-03-19 00:44   40960   ----a-w-   c:\program files\MFC71CHS.DLL
2003-03-19 00:44 . 2003-03-19 00:44   65536   ----a-w-   c:\program files\MFC71DEU.DLL
2003-03-19 00:44 . 2003-03-19 00:44   61440   ----a-w-   c:\program files\MFC71FRA.DLL
2003-03-19 00:44 . 2003-03-19 00:44   49152   ----a-w-   c:\program files\MFC71JPN.DLL
2001-06-20 21:19 . 2001-06-19 21:34   40960   -c--a-w-   c:\program files\ACMonitor_X83.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-31 16806912]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
"PrinTray"="c:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-25 36864]
"MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0346.1\mswinext.exe" [2009-11-01 240992]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"CHotkey"="zHotkey.exe" [2004-12-09 550912]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\pcTrayApp.exe" [2012-06-07 1939968]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"AVG_UI"="c:\program files\AVG\AVG2014\avgui.exe" [2013-10-08 4908592]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ      autocheck autochk *\0c:\progra~1\AVG\AVG2014\avgrsx.exe /sync /restart
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GamersFirst LIVE!.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GamersFirst LIVE!.lnk
backup=c:\windows\pss\GamersFirst LIVE!.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
NA [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]
2006-10-12 20:57   102400   ----a-w-   c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-06 04:56   64512   ----a-w-   c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2004-02-18 17:55   49152   ----a-w-   c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-06-07 23:33   421776   ----a-w-   c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Motive\\pcServiceHost.exe"=
"c:\\Program Files\\FrostWire 5\\FrostWire.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG2014\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2014\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2014\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2014\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58098:TCP"= 58098:TCP:Pando Media Booster
"58098:UDP"= 58098:UDP:Pando Media Booster
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [9/2/2013 10:28 AM 145720]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [9/2/2013 10:28 AM 223032]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/8/2013 10:12 PM 27448]
R1 Avgdiskx;AVG Disk Driver;c:\windows\system32\drivers\avgdiskx.sys [9/25/2013 8:57 PM 120632]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [9/2/2013 10:28 AM 209208]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [9/10/2013 10:11 PM 22840]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [9/2/2013 10:39 AM 176952]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [8/1/2013 4:08 PM 193848]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2014\avgwdsvc.exe [9/25/2013 9:47 PM 301152]
R2 pcServiceHost;pcServiceHost;c:\program files\Common Files\Motive\pcServiceHost.exe [6/27/2012 7:36 PM 342016]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2014\avgidsagent.exe [10/3/2013 10:00 PM 3538480]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\drivers\usbscan.sys [8/21/2010 3:44 PM 15104]
S2 WUSB54GSCSVC;WUSB54GSCSVC;"c:\program files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe" "WUSB54GSC.exe" --> c:\program files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [11/5/2013 11:00 PM 40776]
S3 Pantech UTM Service;Pantech UTM Service;c:\program files\PCD\Pantech\EUDL\UTM\PantechService.exe [11/23/2010 4:22 PM 65536]
S3 PTHSBUS;PANTECH Handset USB Composite Device Driver (UDP);c:\windows\system32\drivers\PTHSBUS.sys [7/2/2012 8:38 AM 56976]
S3 PTHSMDM;PANTECH Handset Drivers (UDP);c:\windows\system32\drivers\PTHSMDM.sys [7/2/2012 8:38 AM 167824]
S3 PTHSVSP;PANTECH Handset Diagnostic Serial Port (UDP);c:\windows\system32\drivers\PTHSVSP.sys [7/2/2012 8:38 AM 167824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-10-26 02:54   1185744   ----a-w-   c:\program files\Google\Chrome\Application\30.0.1599.101\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-11-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-28 13:13]
.
2013-11-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-10-26 02:54]
.
2013-11-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-10-26 02:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <-loopback>
uInternet Settings,ProxyServer = http=127.0.0.1:1034;https=127.0.0.1:1034;
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
TCP: DhcpNameServer = 192.168.1.1
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-MSKDetectorExe - c:\program files\McAfee\SpamKiller\MSKDetct.exe
c:\documents and settings\All Users\Start Menu\Programs\Startup\54M Wireless USB Adapter.lnk - c:\program files\Wireless Adapter\UI.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-11-07 21:58
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1084)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2013-11-07  22:01:32
ComboFix-quarantined-files.txt  2013-11-08 03:01
ComboFix2.txt  2013-11-07 13:58
.
Pre-Run: 224,524,615,680 bytes free
Post-Run: 224,505,225,216 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 110992ED7F376B04A0B26C63055461C0
B20939CD98B7710036274839082AE757

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 14486
  • "Stronger than the past, united in our goal."
Re: Trojan Horse "Generic34.BRBV"
« Reply #10 on: November 08, 2013, 01:24:04 AM »
Thanks for the log, Mike.  I'll take a closer look tomorrow (after sufficient coffee :) ).

Let me know how you make out with Java and a firewall.



Offline mikej.canfield

  • Jr. Member
  • **
  • Posts: 9
Re: Trojan Horse "Generic34.BRBV"
« Reply #11 on: November 08, 2013, 01:28:26 AM »
firewall installed,

Java is for tomorrow lol... I'm for some cat memes right now

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 14486
  • "Stronger than the past, united in our goal."
Re: Trojan Horse "Generic34.BRBV"
« Reply #12 on: November 08, 2013, 01:19:51 PM »
Hi, Mike.

Thanks for the update.

sUBs, the developer of ComboFix, asked for a copy of your wireless adapter file that was removed by ComboFix so he can examine the file and determine why it was removed.  Please run the following script so that a copy can be uploaded for his review.  The script below will automatically obtain a copy of the file for submission. 

1.  Open notepad and copy/paste the text in the quotebox below into it:

Quote
http://www.landzdown.com/analysis-and-malware-removal/trojan-horse-%27generic34-brbv%27/msg163635/#msg163635

Suspect::
c:\program files\Wireless Adapter\UI.exe

Save this as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
2.  Please go here to run an on-line scan from ESET.
  • Note: It is easiest if you use Internet Explorer for this scan.  (If you use an alternate browser, it will be necessary to download the ESET Smart Installer)
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic.



Offline mikej.canfield

  • Jr. Member
  • **
  • Posts: 9
Re: Trojan Horse "Generic34.BRBV"
« Reply #13 on: November 10, 2013, 01:27:57 PM »
Hey,  I have a couple of questions.  1st. How do I turn off the Privatefirewall 7.0 so that it doesn't ask for a zillion permissions to run every executable file that CF uses?  2nd. I copy/pasted everything in the text box except for the quote and I got an error that CFScript was misspelled?  Do I need to include the quotation marks?

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 14486
  • "Stronger than the past, united in our goal."
Re: Trojan Horse "Generic34.BRBV"
« Reply #14 on: November 10, 2013, 04:25:15 PM »
Hi, Mike.

1.  Private Firewall will need some training to understand "safe" programs on your computer.  What is happening is that ComboFix does not have a digital signature so PF is providing an alert.  If it were a program you didn't recognize, you would want to click deny.  The following is copy/pasted from the manual (PDF:  User Guide).

Quote
In Standard Control mode, Applications/Processes with validated digital signatures, regardless of PID, will be allowed, not generate alerts and be added to the Trusted Publisher/White List.

•Exception 1:  An alert (fw) will be generated for any App/Proc where inbound traffic is detected that was not recorded during training period. PF will automatically block the event if the user does not elect to Allow via the Tray or Full alert. 

All Applications/Processes that fail signature validation will generate an alert, and be blocked by default if not Allowed by the user prior to the alert time-out (30 seconds), or by selecting the Allow button in the Full alert.

In Standard Control mode, clicking the Allow button should prevent, where possible (see Exceptions), all other alerts related to the same application. This logic applies to both the Tray or Full alerts.

•Exception 2:  An alert will be generated if a program change (size, name, version number, etc.) is detected in a process or application file.

Note also that if PF blocks something that should be allowed to run, you can change the block to allow as follows:

Quote
Regardless of what Security Alert and Threat Management mode is enabled, blocked processes will continue to be listed under File -> Settings -> Advanced -> View/Edit Application List), and the user can change any blocked process to Allow, if appropriate.

2.  My fault on why ComboFix didn't like the script.  I forgot that the "quote" box only works for submissions from sUBs "home site".  This should work:

Open notepad and copy/paste the text in the quotebox below into it:

Code:
http://www.landzdown.com/analysis-and-malware-removal/trojan-horse-%27generic34-brbv%27/msg163635/#msg163635

Suspect::
c:\program files\Wireless Adapter\UI.exe

Save this as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
If that doesn't work, there is still another way!

3.  Please follow the instructions above to run an on-line scan from ESET.

