Infected logs posted

Started by zep516, August 10, 2012, 10:24:43 PM


zep516

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 9.0.8112.16421  BrowserJavaVersion: 1.6.0_32
Run by JOE at 18:08:56 on 2012-08-10
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.1918.1360 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\alg.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Start Menu 7\StartMenu7.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\DllHost.exe
C:\Users\JOE\Desktop\programs\dds.scr
C:\Windows\system32\WSCRIPT.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.help2go.com/
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [StartMenu7] "c:\program files\start menu 7\StartMenu7.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\users\joe\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\joe\appdata\roaming\mozilla\firefox\profiles\v6lkgcwz.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - true
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_270.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 171064]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2011-10-19 21992]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-3-2 139776]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-11-13 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-3-29 250056]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-11-13 136176]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-24 113120]
S3 netr73;Netopia RT73 Wireless Driver for Vista;c:\windows\system32\drivers\netr73.sys [2009-6-10 545792]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 74112]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]
S3 SrvHsfPCI;SrvHsfPCI;c:\windows\system32\drivers\VSTBS23.SYS [2009-7-13 266752]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-4-13 52224]
S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2009-7-13 266752]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-8 1343400]
.
=============== Created Last 30 ================
.
2012-08-10 21:53:57   --------   d-----w-   C:\$RECYCLE.BIN
2012-08-10 21:52:38   --------   d-----w-   c:\users\joe\appdata\local\temp
2012-08-10 19:32:06   --------   d-sh--w-   c:\windows\system32\%APPDATA%
2012-08-09 12:12:15   6891424   ----a-w-   c:\programdata\microsoft\microsoft antimalware\definition updates\{0ccb15a6-0fb4-488f-9efe-fdea1e1a70e2}\mpengine.dll
2012-08-08 02:01:41   6891424   ----a-w-   c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
.
==================== Find3M  ====================
.
2012-08-10 21:22:04   70344   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-10 21:22:04   426184   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2012-07-03 17:46:44   22344   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-06-12 02:40:48   2345984   ----a-w-   c:\windows\system32\win32k.sys
2012-06-06 05:05:52   1390080   ----a-w-   c:\windows\system32\msxml6.dll
2012-06-06 05:05:52   1236992   ----a-w-   c:\windows\system32\msxml3.dll
2012-06-06 05:03:06   805376   ----a-w-   c:\windows\system32\cdosys.dll
2012-06-02 22:12:32   2422272   ----a-w-   c:\windows\system32\wucltux.dll
2012-06-02 22:12:13   88576   ----a-w-   c:\windows\system32\wudriver.dll
2012-06-02 19:19:42   171904   ----a-w-   c:\windows\system32\wuwebv.dll
2012-06-02 19:12:20   33792   ----a-w-   c:\windows\system32\wuapp.exe
2012-06-02 08:33:25   1800192   ----a-w-   c:\windows\system32\jscript9.dll
2012-06-02 08:25:08   1129472   ----a-w-   c:\windows\system32\wininet.dll
2012-06-02 08:25:03   1427968   ----a-w-   c:\windows\system32\inetcpl.cpl
2012-06-02 08:20:33   142848   ----a-w-   c:\windows\system32\ieUnatt.exe
2012-06-02 08:16:52   2382848   ----a-w-   c:\windows\system32\mshtml.tlb
2012-06-02 04:45:04   67440   ----a-w-   c:\windows\system32\drivers\ksecdd.sys
2012-06-02 04:45:03   134000   ----a-w-   c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 04:40:59   369336   ----a-w-   c:\windows\system32\drivers\cng.sys
2012-06-02 04:40:39   225280   ----a-w-   c:\windows\system32\schannel.dll
2012-06-02 04:39:10   219136   ----a-w-   c:\windows\system32\ncrypt.dll
2010-01-05 00:03:52   163840   ----a-w-   c:\program files\NetworkIndicator.exe
2005-02-16 16:06:16   218112   ----a-w-   c:\program files\HijackThis.exe
.
============= FINISH: 18:09:24.82 ===============


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-05-19.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 2/7/2010 2:07:27 PM
System Uptime: 8/10/2012 6:02:04 PM (0 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. |  | GA-MA74GM-S2H
Processor: AMD Phenom(tm) 9750 Quad-Core Processor | Socket M2 | 2400/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 77 GiB total, 51.618 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e96d-e325-11ce-bfc1-08002be10318}
Description: Brother MFC-7420 Fax Only
Device ID: USB\VID_04F9&PID_0180&MI_02\6&152347B3&0&0002
Manufacturer: Brother
Name: Brother MFC-7420 Fax Only
PNP Device ID: USB\VID_04F9&PID_0180&MI_02\6&152347B3&0&0002
Service: Modem
.
==== System Restore Points ===================
.
RP598: 8/4/2012 11:52:53 AM - Windows Update
RP599: 8/7/2012 10:01:23 PM - Windows Update
RP600: 8/10/2012 5:45:39 PM - ComboFix created restore point
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Shockwave Player 11.6
CCleaner
Compatibility Pack for the 2007 Office system
CPUID CPU-Z 1.58
CPUID HWMonitor 1.18
Defraggler
ERUNT 1.1j
Foxit Reader
Google Chrome
Google Update Helper
HiJackThis
HijackThis 1.99.1
ISO Recorder
Java Auto Updater
Java(TM) 6 Update 32
Malwarebytes Anti-Malware version 1.62.0.1300
Microsoft Office File Validation Add-In
Microsoft Office Standard Edition 2003
Microsoft Security Client
Microsoft Security Essentials
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Mozilla Firefox 14.0.1 (x86 en-US)
Mozilla Maintenance Service
PaperPort
Recuva
SIW version 2010.07.14
Sophos Windows Shortcut Exploit Protection Tool
Start Menu 7 3.62
SUPERAntiSpyware
swMSM
TreeSize Free V2.6
WinDirStat 1.1.2
.
==== Event Viewer Messages From Past Week ========
.
8/9/2012 5:17:46 PM, Error: Service Control Manager [7031]  - The Microsoft Antimalware Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 15000 milliseconds: Restart the service.
8/10/2012 5:49:59 PM, Error: Service Control Manager [7030]  - The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
8/10/2012 5:44:06 PM, Error: Service Control Manager [7023]  - The Computer Browser service terminated with the following error:  The specified service does not exist as an installed service.
8/10/2012 5:44:02 PM, Error: Service Control Manager [7023]  - The Function Discovery Resource Publication service terminated with the following error:  %%-2147024891
8/10/2012 4:08:51 PM, Error: Service Control Manager [7031]  - The SAS Core Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 1000 milliseconds: Restart the service.
8/10/2012 3:26:45 PM, Error: Microsoft-Windows-SharedAccess_NAT [34001]  - The ICS_IPV6 failed to configure IPv6 stack.
.
==== End Of File ===========================

Results of screen317's Security Check version 0.99.24 
Windows 7 Service Pack 1 x86 (UAC is disabled!) 
Internet Explorer 9 
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled! 
Microsoft Security Essentials   
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Out of date HijackThis installed!
SUPERAntiSpyware     
HijackThis 1.99.1   
CCleaner     
Java(TM) 6 Update 32 
Adobe Flash Player    11.3.300.270 
Mozilla Firefox (x86 en-US..)
````````````````````````````````
Process Check: 
objlist.exe by Laurent

Microsoft Security Essentials msseces.exe
``````````End of Log````````````

ComboFix 12-08-09.01 - JOE 08/10/2012  17:46:56.7.2 - x86
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.1918.1150 [GMT -4:00]
Running from: c:\users\JOE\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\JOE\AppData\Local\{e26334e7-9f57-4a31-704e-635bd0e538fd}\@
c:\users\JOE\AppData\Local\{e26334e7-9f57-4a31-704e-635bd0e538fd}\n
c:\windows\assembly\GAC\Desktop.ini
c:\windows\Installer\{e26334e7-9f57-4a31-704e-635bd0e538fd}\@
c:\windows\Installer\{e26334e7-9f57-4a31-704e-635bd0e538fd}\L\00000004.@
c:\windows\Installer\{e26334e7-9f57-4a31-704e-635bd0e538fd}\L\201d3dde
c:\windows\Installer\{e26334e7-9f57-4a31-704e-635bd0e538fd}\U\00000004.@
c:\windows\Installer\{e26334e7-9f57-4a31-704e-635bd0e538fd}\U\00000008.@
c:\windows\Installer\{e26334e7-9f57-4a31-704e-635bd0e538fd}\U\000000cb.@
c:\windows\Installer\{e26334e7-9f57-4a31-704e-635bd0e538fd}\U\80000000.@
c:\windows\Installer\{e26334e7-9f57-4a31-704e-635bd0e538fd}\U\80000032.@
.
Infected copy of c:\windows\system32\services.exe was found and disinfected
Restored copy from - c:\32788r22fwjfw\HarddiskVolumeShadowCopy2_!Windows!System32!services.exe
.
.
(((((((((((((((((((((((((   Files Created from 2012-07-10 to 2012-08-10  )))))))))))))))))))))))))))))))
.
.
2012-08-10 21:52 . 2012-08-10 21:54   --------   d-----w-   c:\users\JOE\AppData\Local\temp
2012-08-10 21:52 . 2012-08-10 21:52   --------   d-----w-   c:\users\Public\AppData\Local\temp
2012-08-10 21:52 . 2012-08-10 21:52   --------   d-----w-   c:\users\Guest\AppData\Local\temp
2012-08-10 21:52 . 2012-08-10 21:52   --------   d-----w-   c:\users\Default\AppData\Local\temp
2012-08-10 21:52 . 2012-08-10 21:52   --------   d-----w-   c:\users\Administrator\AppData\Local\temp
2012-08-10 19:32 . 2012-08-10 19:32   --------   d-sh--w-   c:\windows\system32\%APPDATA%
2012-08-09 12:12 . 2012-06-29 08:44   6891424   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0CCB15A6-0FB4-488F-9EFE-FDEA1E1A70E2}\mpengine.dll
2012-08-08 02:01 . 2012-06-29 08:44   6891424   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-10 21:22 . 2012-03-29 11:55   426184   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2012-08-10 21:22 . 2011-05-20 22:45   70344   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-03 17:46 . 2010-02-20 17:40   22344   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-06-12 02:40 . 2012-07-11 07:02   2345984   ----a-w-   c:\windows\system32\win32k.sys
2012-06-06 05:05 . 2012-07-10 20:09   1390080   ----a-w-   c:\windows\system32\msxml6.dll
2012-06-06 05:05 . 2012-07-10 20:09   1236992   ----a-w-   c:\windows\system32\msxml3.dll
2012-06-06 05:03 . 2012-07-10 20:09   805376   ----a-w-   c:\windows\system32\cdosys.dll
2012-06-02 22:19 . 2012-06-21 12:08   53784   ----a-w-   c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-21 12:08   45080   ----a-w-   c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-21 12:08   35864   ----a-w-   c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-21 12:08   577048   ----a-w-   c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-21 12:08   1933848   ----a-w-   c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-21 12:08   2422272   ----a-w-   c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-21 12:08   88576   ----a-w-   c:\windows\system32\wudriver.dll
2012-06-02 19:19 . 2012-06-21 12:08   171904   ----a-w-   c:\windows\system32\wuwebv.dll
2012-06-02 19:12 . 2012-06-21 12:08   33792   ----a-w-   c:\windows\system32\wuapp.exe
2012-06-02 08:33 . 2012-07-11 07:05   1800192   ----a-w-   c:\windows\system32\jscript9.dll
2012-06-02 08:25 . 2012-07-11 07:05   1129472   ----a-w-   c:\windows\system32\wininet.dll
2012-06-02 08:25 . 2012-07-11 07:05   1427968   ----a-w-   c:\windows\system32\inetcpl.cpl
2012-06-02 08:20 . 2012-07-11 07:05   142848   ----a-w-   c:\windows\system32\ieUnatt.exe
2012-06-02 08:16 . 2012-07-11 07:05   2382848   ----a-w-   c:\windows\system32\mshtml.tlb
2012-06-02 04:45 . 2012-07-10 20:09   67440   ----a-w-   c:\windows\system32\drivers\ksecdd.sys
2012-06-02 04:45 . 2012-07-10 20:09   134000   ----a-w-   c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 04:40 . 2012-07-10 20:09   369336   ----a-w-   c:\windows\system32\drivers\cng.sys
2012-06-02 04:40 . 2012-07-10 20:09   225280   ----a-w-   c:\windows\system32\schannel.dll
2012-06-02 04:39 . 2012-07-10 20:09   219136   ----a-w-   c:\windows\system32\ncrypt.dll
2010-01-05 00:03 . 2010-01-05 00:03   163840   ----a-w-   c:\program files\NetworkIndicator.exe
2005-02-16 16:06 . 2005-02-16 16:06   218112   ----a-w-   c:\program files\HijackThis.exe
2012-07-18 19:11 . 2011-08-27 20:04   136672   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartMenu7"="c:\program files\Start Menu 7\StartMenu7.exe" [2010-04-19 2919288]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-07-28 4777856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
.
c:\users\JOE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54   551296   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 19:02   254696   ----a-w-   c:\program files\Common Files\Java\Java Update\jusched.exe
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe
R3 netr73;Netopia RT73 Wireless Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe
R3 SrvHsfPCI;SrvHsfPCI;c:\windows\system32\DRIVERS\VSTBS23.SYS
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys
R3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-29 21:22]
.
2012-08-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-14 02:56]
.
2012-08-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-14 02:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.help2go.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\JOE\AppData\Roaming\Mozilla\Firefox\Profiles\v6lkgcwz.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - true
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-MsMpSvc
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,14,cd,27,00,ce,bd,5c,4e,9e,cf,12,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,14,cd,27,00,ce,bd,5c,4e,9e,cf,12,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2352)
c:\program files\Start Menu 7\VistaStartMenu.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\windows\system32\sppsvc.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2012-08-10  17:58:23 - machine was rebooted
ComboFix-quarantined-files.txt  2012-08-10 21:58
ComboFix2.txt  2012-03-22 03:48
ComboFix3.txt  2012-03-22 03:28
ComboFix4.txt  2012-03-21 01:39
.
Pre-Run: 55,515,103,232 bytes free
Post-Run: 55,291,785,216 bytes free
.
- - End Of File - - 0C0AE67D99F340AA84B2D1AE29DC7406


Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.10.08

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
JOE :: JOE-PC [administrator]

8/10/2012 4:27:01 PM
mbam-log-2012-08-10 (16-52-20).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 216512
Time elapsed: 2 minute(s), 57 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 3
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{65bcd620-07dd-012f-819f-073cf1b8f7c6} (Adware.GamePlayLab) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011221158} (Adware.GamePlayLab) -> No action taken.
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> No action taken.

Registry Values Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Users\JOE\AppData\Local\{e26334e7-9f57-4a31-704e-635bd0e538fd}\n. -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 7
C:\Windows\assembly\GAC\Desktop.ini (Trojan.0access) -> No action taken.
C:\Windows\Installer\{e26334e7-9f57-4a31-704e-635bd0e538fd}\n (Trojan.Agent.BVGen) -> No action taken.
C:\Windows\Installer\{e26334e7-9f57-4a31-704e-635bd0e538fd}\U\00000004.@ (Rootkit.Zaccess) -> No action taken.
C:\Windows\Installer\{e26334e7-9f57-4a31-704e-635bd0e538fd}\U\00000008.@ (Trojan.Dropper.BCMiner) -> No action taken.
C:\Windows\Installer\{e26334e7-9f57-4a31-704e-635bd0e538fd}\U\000000cb.@ (Rootkit.0Access) -> No action taken.
C:\Windows\Installer\{e26334e7-9f57-4a31-704e-635bd0e538fd}\U\80000000.@ (Rootkit.0Access) -> No action taken.
C:\Windows\Installer\{e26334e7-9f57-4a31-704e-635bd0e538fd}\U\80000032.@ (Rootkit.0Access) -> No action taken.

(end)

I did take action using Malwarebytes, although this log does not show it.

Symptoms were Google redirects, sort of. After running combofix everything seems normal. I did notice a rogue pop up, and a flashplayer download that I ignored on a particular site called Utube. Everything seemed normal until I used Google in an attempt to help someone; the tech support forum link was blocked and so was the bleeping computer combofix download. I flushed out the DNS and was able to get to the combofix Bleeping computer link and ran it; log is posted. Could someone look at the logs for me?

You're only as safe as your last update.

zep516

Eset scan, I see that's combofix Quarantine


C:\Qoobox\Quarantine\C\Users\JOE\AppData\Local\{e26334e7-9f57-4a31-704e-635bd0e538fd}\n.vir   Win32/Sirefef.EV trojan   cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\Installer\{e26334e7-9f57-4a31-704e-635bd0e538fd}\U\00000004.@.vir   Win32/Conedex.D trojan   cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\Installer\{e26334e7-9f57-4a31-704e-635bd0e538fd}\U\000000cb.@.vir   Win32/Conedex.E trojan   cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\Installer\{e26334e7-9f57-4a31-704e-635bd0e538fd}\U\80000000.@.vir   a variant of Win32/Sirefef.FA trojan   cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\Installer\{e26334e7-9f57-4a31-704e-635bd0e538fd}\U\80000032.@.vir   a variant of Win32/Sirefef.FD trojan   cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\System32\services.exe.vir   Win32/Sirefef.FC trojan   deleted - quarantined
C:\Users\JOE\Desktop\programs\asc-setup.exe   a variant of Win32/Toolbar.Widgi application   cleaned by deleting - quarantined
C:\_OTL\MovedFiles\04102012_234432\C_Users\JOE\Desktop\FreeFileViewer2011Setup.exe   a variant of Win32/InstallIQ application   cleaned by deleting - quarantined

winchester73

Did you update ComboFix from the last time you ran it in March?
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member

zep516

That's a darn good question, I had so much trouble getting to bleeping computer to get the download, it's possible an older version ran and I never got the current version, or something like that...

Corrine

"ComboFix 12-08-09.01"  It wouldn't run from March.  It would have been expired. 

Joe, sorry, I hadn't refreshed LzD until a few minutes ago.  I'll take a closer look at your logs tomorrow.  You could go ahead and update Java in the meantime. 



Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

zep516

Updated Java. In 8 years using the computer I have never had an infection. I did have 2 kids using the computer last night, and never noticed anything until the odd behavior with Google today; even WOT (Web of Trust) was popping up warnings that legit sites like Bleeping and Tech Support forum were bad when linking to them from Google. I also had to re-install Microsoft Security Essentials; when trying to run it an error came up "Service is not running," and there was no Service for (MSE) listed in services. So I re-installed MSE.

Everything seems fine now, including Google... Just wanted a second look at the logs.

Thanks,

Joe :) 

Corrine

Hi, Joe.

I didn't see anything in the logs and I'm sure you and Donna gave them close scrutiny as well.  :) 

I suggest that you create a standard user account for the youngsters to use.  See Configuring Windows 7 for a Limited User Account.

Although I realize you know what to do, as a reminder:  Please do the following to implement cleanup procedures and also to reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Note: In the event you wish to contribute to the ongoing development of ComboFix, the developer is accepting donations via PayPal.



zep516

Donna does not know I got infected, it's a secret :)

Thanks I'll follow through with the clean up!

Joe

Corrine

Rest assured, Joe, I won't tell her but I can't guarantee she won't find this thread on her own.  :D



DonnaB

Quote: Donna does not know I got infected, it's a secret :)

Quote: Rest assured, Joe, I won't tell her but I can't guarantee she won't find this thread on her own.  :D

:hysterical:

Oh sure! Blame it on the children!  :hysterical: You can't hide from me mister!

"To achieve the impossible, it is precisely the unthinkable that must be thought."
Tom Robbins

Corrine

It wasn't me, Joe.  Honest.  I didn't say a word. 

