FBI mailware- logs pasted [Closed]


This topic is locked

#31 gringo_pr (Trusted Helper, Malware Removal, 7,268 posts)
Hello surfeit67

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
[Image not available]
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

#32 gringo_pr (Trusted Helper, Malware Removal, 7,268 posts)
Greetings


I have not heard from you in a couple of days, so I am coming by to check on you to see if you are having problems or just need some more time.

Also, to remind you, it is very important that we finish the process completely so as not to get reinfected. I will let you know when we are complete, and I will ask you to remove our tools.




Gringo

#33 gringo_pr (Trusted Helper, Malware Removal, 7,268 posts)
Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48 hrs you have not replied to this thread, then it will have to be closed!

Gringo

#34 surfeit67 (Topic Starter, Member, 17 posts)
I'm working on getting the next log for you, but it will be later today before I can post it... Thanks so much for your patience.

#35 gringo_pr (Trusted Helper, Malware Removal, 7,268 posts)
No problem, and see you then.

#36 surfeit67 (Topic Starter, Member, 17 posts)
No problems running this.
But the computer is still freezing up with IE, and I get an occasional small Windows-looking "security alert": "You're about to leave a secure site..... do you wish to continue?" with the box to check "please do not display this message again", etc., even as IE is first opening on the MSN web page...

ComboFix 13-03-20.02 - Administrator 03/20/2013 20:57:30.8.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.274 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2013-02-21 to 2013-03-21 )))))))))))))))))))))))))))))))
.
.
2013-03-10 19:27 . 2013-03-10 19:27 -------- d-----w- c:\program files\iPod
2013-03-10 19:26 . 2013-03-10 19:28 -------- d-----w- c:\program files\iTunes
2013-03-10 19:26 . 2013-03-10 19:28 -------- d-----w- c:\documents and settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-03-10 17:31 . 2013-03-10 17:31 -------- d-----w- C:\mbar-1.01.0.1021
2013-03-10 17:13 . 2013-03-11 00:47 -------- d-----w- C:\TDSSKiller_Quarantine
2013-03-08 03:27 . 2013-03-08 03:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\uTorrentControl_v6
2013-03-08 01:16 . 2013-03-08 01:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\StatusWinks
2013-03-08 01:09 . 2013-03-08 01:09 -------- d-----w- c:\windows\system32\searchplugins
2013-03-08 01:09 . 2013-03-08 01:09 -------- d-----w- c:\windows\system32\Extensions
2013-03-08 01:08 . 2013-03-09 02:33 -------- d-----w- c:\program files\ffdshow
2013-03-08 01:08 . 2013-03-09 02:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\PerformerSoft
2013-03-08 01:08 . 2013-03-08 01:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\SpeedanAlysis
2013-03-08 01:07 . 2013-03-09 02:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Tarma Installer
2013-03-08 00:59 . 2013-03-06 10:38 770384 ----a-w- c:\windows\system32\msvcr100.dll
2013-03-08 00:59 . 2013-03-06 10:38 421200 ----a-w- c:\windows\system32\msvcp100.dll
2013-03-08 00:58 . 2013-03-09 02:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Nico Mak Computing
2013-03-08 00:56 . 2013-03-09 02:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2013-02-25 02:16 . 2011-07-13 02:55 2237440 ----a-r- C:\OTLPE.exe
2013-02-25 02:06 . 2013-02-25 02:06 -------- d-----w- C:\_OTL
2013-02-19 23:13 . 2013-02-19 23:14 -------- d-----w- C:\FRST
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-12 23:49 . 2012-08-14 00:47 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-12 23:49 . 2012-08-14 00:47 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-10 17:28 . 2013-03-10 17:28 13786977 ----a-w- C:\mbar-1.01.0.1021.zip
2013-02-05 20:05 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2013-02-05 20:05 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-02-05 20:05 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-02-05 05:53 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2013-01-26 03:55 . 2004-08-04 12:00 552448 ----a-w- c:\windows\system32\oleaut32.dll
2013-01-07 01:16 . 2004-08-04 12:00 2193024 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-01-07 00:36 . 2004-08-03 22:59 2069760 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-01-04 01:20 . 2004-08-04 12:00 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-01-02 06:49 . 2004-08-04 12:00 148992 ----a-w- c:\windows\system32\mpg2splt.ax
2013-01-02 06:49 . 2004-08-04 12:00 1292288 ----a-w- c:\windows\system32\quartz.dll
2010-03-20 17:02 . 2010-03-20 17:02 13575800 ----a-w- c:\program files\iMeshV9.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-11 180269]
"Motive SmartBridge"="c:\progra~1\ALLTEL~1\SMARTB~1\MotiveSB.exe" [2004-11-09 393216]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2005-07-19 53248]
"Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2012-07-03 973488]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-05-25 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-05-25 126976]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"Windstream Service Agent.exe"="c:\program files\Windstream\Service Agent\Windstream Service Agent.exe" [2011-10-14 10204472]
"DiagnosticTools.exe"="c:\program files\Windstream\Diagnostic Tools\DiagnosticTools.exe" [2011-04-25 2037048]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-02-20 152392]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HsdService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ServicepointService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre7\\bin\\javaw.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windstream\\Service Agent\\ServicepointService.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7321:TCP"= 7321:TCP:Services
"7322:TCP"= 7322:TCP:Services
"9147:TCP"= 9147:TCP:Services
"9148:TCP"= 9148:TCP:Services
"3389:TCP"= 3389:TCP:*:Disabled:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"4352:TCP"= 4352:TCP:Services
"7204:TCP"= 7204:TCP:Services
.
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [5/8/2002 10:51 AM 212992]
R2 HsdService;HsdService;c:\program files\Windstream\Diagnostic Tools\HsdService.exe [1/23/2013 11:15 PM 1393976]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/15/2010 7:54 PM 655944]
R2 NetAlrt;NetAlrt;c:\windows\system32\drivers\Netalrt.sys [5/7/2002 5:05 PM 39680]
R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [2/13/2005 12:46 AM 28672]
R2 PlatAlrt;PlatAlrt;c:\windows\system32\drivers\platalrt.sys [5/7/2002 5:06 PM 23744]
R2 ServicepointService;ServicepointService;c:\program files\Windstream\Service Agent\ServicepointService.exe [1/23/2013 11:14 PM 10315064]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/15/2010 7:54 PM 22344]
R3 Msikbd2k;DellTouch;c:\windows\system32\drivers\Msikbd2k.sys [2/13/2005 12:46 AM 6942]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-14 23:49]
.
2013-03-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
Trusted Zone: alltel.com\care
Trusted Zone: download.com
Trusted Zone: georgiaoas.org\regionj
Trusted Zone: rhapsody.com
Trusted Zone: state.ga.us\lms.dhr
Trusted Zone: state.ga.us\stars.dhr
Trusted Zone: youtube.com\www
TCP: DhcpNameServer = 192.168.254.254
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {68A12883-7584-11D1-A259-00C04FD97350} - hxxps://stars.dhr.state.ga.us/CABS/pcache.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-03-20 21:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5e,81,2d,dd,25,a5,7f,43,be,20,39,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5e,81,2d,dd,25,a5,7f,43,be,20,39,\
.
[HKEY_USERS\S-1-5-21-1004336348-343818398-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,8e,4c,ca,3a,34,cf,b6,47,b8,ca,3a,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,8e,4c,ca,3a,34,cf,b6,47,b8,ca,3a,\
.
[HKEY_USERS\S-1-5-21-1004336348-343818398-725345543-500\Software\Microsoft\Windows\CurrentVersion\Ext\Settings]
@Denied: (2) (Administrator)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(408)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2013-03-20 21:17:39
ComboFix-quarantined-files.txt 2013-03-21 01:17
ComboFix2.txt 2013-03-19 22:50
ComboFix3.txt 2013-03-09 23:20
ComboFix4.txt 2013-03-09 07:19
ComboFix5.txt 2013-03-21 00:15
.
Pre-Run: 2,660,896,768 bytes free
Post-Run: 2,692,902,912 bytes free
.
- - End Of File - - BA7730374632FC2272D6520FFE895A55
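As an added example (not from this thread, and not ComboFix's own logic), the script below reads the report sections a malware-removal helper looks at in a log like the one posted above: the Security Center override flag, the firewall's AuthorizedApplications and GloballyOpenPorts lists, and the Trusted Zone lines from the supplementary scan. The sample input is a trimmed excerpt of the posted report. The watch list of command-line tools and the "generic label" rule for open ports are assumptions of this demo; every hit is something to verify on the machine (for example by matching the port to a process with netstat -ano), not a confirmed infection.

```python
import re

# Trimmed excerpt of the ComboFix report posted above (constructed sample
# input for this demo; paths keep ComboFix's doubled-backslash escaping).
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7321:TCP"= 7321:TCP:Services
"3389:TCP"= 3389:TCP:*:Disabled:Remote Desktop
"65533:TCP"= 65533:TCP:Services
.
Trusted Zone: download.com
Trusted Zone: youtube.com\www
'''

PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
APP_RE = re.compile(r'^"(.+?)"=\s*$')
DWORD_RE = re.compile(r'^"(\w+)"=dword:([0-9a-fA-F]{8})$')

# Labels that do not say which program opened the port (assumption of this demo).
GENERIC_LABELS = {"services", "service", ""}
# Command-line tools a helper would want explained as firewall exceptions
# (hypothetical watch list, not a ComboFix or Windows list).
CLI_TOOLS = {"ftp.exe", "tftp.exe", "cmd.exe"}


def _lines_under(text, key_fragment):
    """Yield the lines printed under a registry key whose name contains
    key_fragment. ComboFix separates blocks with a lone ".", which ends a key."""
    current = None
    for line in text.splitlines():
        if line.startswith("["):
            current = line.lower()
        elif line.strip() == ".":
            current = None
        elif current and key_fragment.lower() in current:
            yield line


def parse_open_ports(text):
    """GloballyOpenPorts entries as dicts. The report shows either
    'port:proto:name' or 'port:proto:scope:status:name' per entry."""
    ports = []
    for line in _lines_under(text, "globallyopenports"):
        m = PORT_RE.match(line)
        if not m:
            continue
        fields = m.group(3).split(":")
        if len(fields) >= 3:
            scope, status, name = fields[0], fields[1], ":".join(fields[2:])
        else:
            scope, status, name = "", "", m.group(3)
        ports.append({"port": int(m.group(1)), "proto": m.group(2),
                      "scope": scope, "status": status, "name": name})
    return ports


def suspicious_ports(text):
    """Entries that are not disabled and whose label does not identify the
    program behind them. Heuristic only: confirm the listener with netstat."""
    return [p for p in parse_open_ports(text)
            if p["status"].lower() != "disabled"
            and p["name"].strip().lower() in GENERIC_LABELS]


def parse_authorized_apps(text):
    """Program paths in the firewall exception list, with escaping undone."""
    apps = []
    for line in _lines_under(text, "authorizedapplications"):
        m = APP_RE.match(line)
        if m:
            apps.append(m.group(1).replace("\\\\", "\\"))
    return apps


def unusual_authorized_apps(text):
    """Firewall exceptions whose file name is on the CLI_TOOLS watch list."""
    return [a for a in parse_authorized_apps(text)
            if a.rsplit("\\", 1)[-1].lower() in CLI_TOOLS]


def security_center_overrides(text):
    """Security Center override flags; a value of 1 silences that warning."""
    out = {}
    for line in _lines_under(text, "security center"):
        m = DWORD_RE.match(line)
        if m:
            out[m.group(1)] = int(m.group(2), 16)
    return out


def parse_trusted_zones(text):
    """Sites the supplementary scan lists in IE's Trusted Zone."""
    return [line.split(":", 1)[1].strip()
            for line in text.splitlines() if line.startswith("Trusted Zone:")]


def review(text):
    """Collect the items a helper would want to look at, one string each."""
    findings = []
    for p in suspicious_ports(text):
        findings.append(f"open port {p['port']}/{p['proto']} labelled "
                        f"'{p['name']}': identify the listening process")
    for app in unusual_authorized_apps(text):
        findings.append(f"firewall exception for command-line tool {app}")
    for name, value in security_center_overrides(text).items():
        if value == 1:
            findings.append(f"Security Center {name}=1 (warning suppressed)")
    for site in parse_trusted_zones(text):
        findings.append(f"Trusted Zone entry: {site}")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Run it against a full ComboFix report by reading the file into `review()` instead of `SAMPLE_LOG`. The point of splitting the parsing from the heuristics is that the parsed lists are facts from the report, while the flags are judgement calls you can tune per case.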

#37 gringo_pr (Trusted Helper, Malware Removal, 7,268 posts)
Hello surfeit67

First, I would like you to go here and click on the Fix it button - http://support.microsoft.com/kb/923737


Then I want you to do the following:

  • Start Internet Explorer.
  • click on "Safety"
  • click on "Delete Browsing History"
  • make sure all boxes are checked
  • click on "Delete"
  • click on "Tools"
  • click "Internet Options"
  • On the "Advanced" tab, click "Reset"
  • put a check mark next to "Delete Personal Settings"
  • click "Reset" to confirm
  • when complete, click the "Close" button
  • restart IE


Gringo

#38 gringo_pr (Trusted Helper, Malware Removal, 7,268 posts)
Greetings


I have not heard from you in a couple of days, so I am coming by to check on you to see if you are having problems or just need some more time.

Also, to remind you, it is very important that we finish the process completely so as not to get reinfected. I will let you know when we are complete, and I will ask you to remove our tools.




Gringo

#39 gringo_pr (Trusted Helper, Malware Removal, 7,268 posts)
Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48 hrs you have not replied to this thread, then it will have to be closed!

Gringo

#40 gringo_pr (Trusted Helper, Malware Removal, 7,268 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.