Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Infected with SweetPacks [Closed]

Started by LizT , May 17 2013 04:00 PM

  • This topic is locked This topic is locked

#1
LizT
Posted 17 May 2013 - 04:00 PM

LizT

    New Member

  • Member
  • Pip
  • 6 posts
Hi, I downloaded a "Repair Access Database Free" from cnet using the cnet Download now installer and got massively infected with about 5 things. I've "uninstalled" them from Add/Remove program but i'm still infected. SweetPacks is one and one of them started with a W and was something like Wijin or Wigin.

At the same time, downloaded xls files from an online system that I administer are 0 bytes and produce an error message "file extension [filename.extension] doesn't match the file type." Searches point to a known MS Excel 2007 issue and the fix is a reget to override exension hardening. I think the malware is hoping I'll do that so it can deliver the real bad stuff. The downloaded xls file naming convention has also been changed so I know the malware is messing with it. The sheet name used to be Sheet0 and now it's the temporary file name assigned by the browser's download extension.

OTL produced 2 text files. One is attached. Let me know if you want to see Extras.txt.


Thanks for any help you can provide.

Edited by LizT, 17 May 2013 - 04:01 PM.

  • 0

Advertisements

#2
gringo_pr
Posted 17 May 2013 - 06:23 PM

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello LizT

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely, I have spent my time to put together somethings for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!


  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.





I need to get some reports to get a base to start from so I need you to run these programs first.



-Download DDS-

  • Please download DDS from one of the links below and save it to your desktop:

    Posted Image
    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Gringo
  • 0

#3
LizT
Posted 17 May 2013 - 06:41 PM

LizT

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi Gringo. Thanks for the help.

Here's the Attach.txt
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 3/9/2010 10:27:58 AM
System Uptime: 5/17/2013 5:19:02 PM (0 hours ago)
.
Motherboard: Dell Inc. | | 0F428D
Processor: Intel Pentium III Xeon processor | CPU | 3158/1333mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 233 GiB total, 169.241 GiB free.
D: is CDROM ()
G: is NetworkDisk (NTFS) - 3277 GiB total, 449.485 GiB free.
N: is NetworkDisk (NTFS) - 3277 GiB total, 449.485 GiB free.
O: is NetworkDisk (NTFS) - 3277 GiB total, 449.484 GiB free.
X: is NetworkDisk (NTFS) - 48 GiB total, 39.481 GiB free.
Z: is NetworkDisk (NTFS) - 48 GiB total, 39.481 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA
.
==== System Restore Points ===================
.
RP1040: 3/5/2013 8:42:51 AM - System Checkpoint
RP1041: 3/6/2013 12:35:24 PM - System Checkpoint
RP1042: 3/7/2013 2:02:19 PM - System Checkpoint
RP1043: 3/8/2013 6:40:43 PM - System Checkpoint
RP1044: 3/9/2013 8:56:13 PM - System Checkpoint
RP1045: 3/10/2013 8:56:35 PM - System Checkpoint
RP1046: 3/11/2013 10:33:14 PM - System Checkpoint
RP1047: 3/12/2013 10:56:43 PM - System Checkpoint
RP1048: 3/13/2013 3:00:32 AM - Software Distribution Service 3.0
RP1049: 3/14/2013 3:56:48 AM - System Checkpoint
RP1050: 3/15/2013 4:56:43 AM - System Checkpoint
RP1051: 3/16/2013 5:20:42 AM - System Checkpoint
RP1052: 3/17/2013 6:20:48 AM - System Checkpoint
RP1053: 3/18/2013 7:06:38 AM - System Checkpoint
RP1054: 3/19/2013 8:32:22 AM - System Checkpoint
RP1055: 3/20/2013 8:56:53 AM - System Checkpoint
RP1056: 3/21/2013 8:57:55 AM - System Checkpoint
RP1057: 3/22/2013 3:00:17 AM - Software Distribution Service 3.0
RP1058: 3/23/2013 4:09:23 AM - System Checkpoint
RP1059: 3/24/2013 4:56:53 AM - System Checkpoint
RP1060: 3/25/2013 5:08:55 AM - System Checkpoint
RP1061: 3/26/2013 5:56:53 AM - System Checkpoint
RP1062: 3/27/2013 5:57:23 AM - System Checkpoint
RP1063: 3/28/2013 8:24:14 AM - System Checkpoint
RP1064: 3/29/2013 8:24:52 AM - System Checkpoint
RP1065: 3/30/2013 9:19:10 AM - System Checkpoint
RP1066: 3/31/2013 9:32:44 AM - System Checkpoint
RP1067: 4/1/2013 3:08:32 PM - System Checkpoint
RP1068: 4/2/2013 4:37:17 PM - System Checkpoint
RP1069: 4/3/2013 4:57:01 PM - System Checkpoint
RP1070: 4/4/2013 8:17:01 PM - System Checkpoint
RP1071: 4/5/2013 8:57:33 PM - System Checkpoint
RP1072: 4/6/2013 10:59:59 PM - System Checkpoint
RP1073: 4/8/2013 2:20:07 AM - System Checkpoint
RP1074: 4/9/2013 5:43:33 AM - System Checkpoint
RP1075: 4/10/2013 3:00:22 AM - Software Distribution Service 3.0
RP1076: 4/11/2013 3:57:12 AM - System Checkpoint
RP1077: 4/12/2013 4:57:17 AM - System Checkpoint
RP1078: 4/13/2013 6:40:31 AM - System Checkpoint
RP1079: 4/14/2013 6:57:16 AM - System Checkpoint
RP1080: 4/15/2013 7:58:21 AM - System Checkpoint
RP1081: 4/16/2013 8:58:25 AM - System Checkpoint
RP1082: 4/17/2013 9:20:21 AM - System Checkpoint
RP1083: 4/18/2013 10:15:07 PM - System Checkpoint
RP1084: 4/19/2013 10:40:18 PM - System Checkpoint
RP1085: 4/20/2013 11:52:06 PM - System Checkpoint
RP1086: 4/22/2013 3:03:54 AM - System Checkpoint
RP1087: 4/23/2013 3:45:26 AM - System Checkpoint
RP1088: 4/24/2013 3:57:55 AM - System Checkpoint
RP1089: 4/25/2013 4:10:20 AM - System Checkpoint
RP1090: 4/26/2013 4:57:30 AM - System Checkpoint
RP1091: 4/27/2013 5:57:29 AM - System Checkpoint
RP1092: 4/28/2013 6:09:31 AM - System Checkpoint
RP1093: 4/29/2013 6:21:33 AM - System Checkpoint
RP1094: 4/30/2013 6:57:39 AM - System Checkpoint
RP1095: 5/1/2013 7:57:40 AM - System Checkpoint
RP1096: 5/2/2013 8:57:38 AM - System Checkpoint
RP1097: 5/3/2013 11:45:11 AM - System Checkpoint
RP1098: 5/4/2013 11:57:40 AM - System Checkpoint
RP1099: 5/5/2013 12:35:47 PM - System Checkpoint
RP1100: 5/6/2013 6:07:13 PM - System Checkpoint
RP1101: 5/7/2013 6:57:56 PM - System Checkpoint
RP1102: 5/8/2013 8:06:44 PM - System Checkpoint
RP1103: 5/9/2013 8:57:47 PM - System Checkpoint
RP1104: 5/10/2013 9:57:46 PM - System Checkpoint
RP1105: 5/11/2013 10:57:47 PM - System Checkpoint
RP1106: 5/12/2013 11:58:02 PM - System Checkpoint
RP1107: 5/14/2013 10:03:41 AM - System Checkpoint
RP1108: 5/15/2013 10:59:19 AM - System Checkpoint
RP1109: 5/16/2013 3:00:38 AM - Software Distribution Service 3.0
RP1110: 5/17/2013 3:21:41 AM - System Checkpoint
RP1111: 5/17/2013 2:05:23 PM - Printer Driver Microsoft Office Document Image Writer Installed
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
7-zip v9.20
Acrobat.com
Adobe Acrobat 9 Pro - English, Français, Deutsch
Adobe Acrobat 9.4.5 - CPSID_83708
Adobe AIR
Adobe Connect Add-in
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 9.4.5
Adobe Shockwave Player 12.0
Apple Application Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
BMC Remedy User 7.1
Bomgar Jump Client helpme.ucsf.edu
Bonjour
Borland Delphi 5
Bug Shooting 2
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Localization Chinese Standard
Catalyst Control Center Localization Chinese Traditional
Catalyst Control Center Localization French
Catalyst Control Center Localization German
Catalyst Control Center Localization Italian
Catalyst Control Center Localization Japanese
Catalyst Control Center Localization Korean
Catalyst Control Center Localization Polish
Catalyst Control Center Localization Portuguese
Catalyst Control Center Localization Spanish
Catalyst Control Center Localization Thai
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help English
CCC Help French
CCC Help German
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Polish
CCC Help Portuguese
CCC Help Spanish
CCC Help Thai
Cisco Systems VPN Client 5.0.01.0600
Cisco WebEx Meetings
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
Crystal11_Redistributables
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Dell Resource CD
Do Not Track Plus Add-on 2.2.1.827
Dropbox
EHASMIS Client
Google Chrome
Google Desktop
Google Toolbar for Internet Explorer
Google Update Helper
GoToMeeting 5.3.0.977
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946040)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946308)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946344)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947540)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947789)
Hotfix for Windows Media Player 11 (KB944110)
Hotfix for Windows Media Player 11 (KB944882)
Hotfix for Windows Media Player 11 (KB945381)
Hotfix for Windows Media Player 11 (KB946665)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB2732052)
Hotfix for Windows XP (KB2756822)
Hotfix for Windows XP (KB2779562)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB953761)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB969084)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
InstallIQ Updater
Intel® PRO Network Connections Drivers
Java 7 Update 15
Java Auto Updater
Java™ 6 Update 7
JavaFX 2.1.1
join.me
Juniper Networks Network Connect 6.5.0
Juniper Networks Secure Meeting 6.5.0
Juniper Networks, Inc. Setup Client
Juniper Terminal Services Client
LiveUpdate 3.3 (Symantec Corporation)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2698023)
Microsoft .NET Framework 1.1 Security Update (KB2742597)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Meeting 2007
Microsoft Office Outlook 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Project MUI (English) 2010
Microsoft Office Project Professional 2010
Microsoft Office Proof (English) 2007
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2007
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing (English) 2010
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Visio Professional 2003
Microsoft Office Word MUI (English) 2007
Microsoft Project 2010 Service Pack 1 (SP1)
Microsoft Project Professional 2010
Microsoft Report Viewer Redistributable 2008 (KB971119)
Microsoft Report Viewer Redistributable 2008 SP1
Microsoft Script Debugger
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft Software Update for Web Folders (English) 14
Microsoft SQL Server 2008 R2
Microsoft SQL Server 2008 R2 Books Online
Microsoft SQL Server 2008 R2 Native Client
Microsoft SQL Server 2008 R2 Policies
Microsoft SQL Server 2008 R2 Setup (English)
Microsoft SQL Server 2008 Setup Support Files
Microsoft SQL Server Compact 3.5 SP2 ENU
Microsoft SQL Server Compact 3.5 SP2 Query Tools ENU
Microsoft SQL Server System CLR Types
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual Studio Tools for Applications 2.0 - ENU
Microsoft XML Parser
MotoHelper MergeModules
Mozilla Firefox 21.0 (x86 en-US)
Mozilla Maintenance Service
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser
Pidgin
PowerDVD
QuickTest Professional 6.5
QuickTime
RideMax for Disneyland 5.1
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler
Safari
Seagate Crystal Reports 7
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687311) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687439) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687441) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687499) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760416) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553091)
Security Update for Microsoft Office 2010 (KB2553447) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2589337) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2597986) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687501) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687510) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2687307) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2597971) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2760421) 32-Bit Edition
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB2416400)
Security Update for Windows Internet Explorer 7 (KB2497640)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Internet Explorer 8 (KB2761465)
Security Update for Windows Internet Explorer 8 (KB2792100)
Security Update for Windows Internet Explorer 8 (KB2797052)
Security Update for Windows Internet Explorer 8 (KB2799329)
Security Update for Windows Internet Explorer 8 (KB2809289)
Security Update for Windows Internet Explorer 8 (KB2817183)
Security Update for Windows Internet Explorer 8 (KB2829530)
Security Update for Windows Internet Explorer 8 (KB2847204)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2483614)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2709162)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135)
Security Update for Windows XP (KB2724197)
Security Update for Windows XP (KB2727528)
Security Update for Windows XP (KB2731847)
Security Update for Windows XP (KB2753842-v2)
Security Update for Windows XP (KB2753842)
Security Update for Windows XP (KB2757638)
Security Update for Windows XP (KB2758857)
Security Update for Windows XP (KB2761226)
Security Update for Windows XP (KB2770660)
Security Update for Windows XP (KB2778344)
Security Update for Windows XP (KB2779030)
Security Update for Windows XP (KB2780091)
Security Update for Windows XP (KB2799494)
Security Update for Windows XP (KB2802968)
Security Update for Windows XP (KB2807986)
Security Update for Windows XP (KB2808735)
Security Update for Windows XP (KB2813170)
Security Update for Windows XP (KB2813347)
Security Update for Windows XP (KB2820197)
Security Update for Windows XP (KB2820917)
Security Update for Windows XP (KB2829361)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982316)
Security Update for Windows XP (KB982665)
Service Pack 1 for SQL Server 2008 R2 (KB2528583)
Sonic Activation Module
Spelling Dictionaries Support For Adobe Reader 9
SQL Server 2008 R2 SP1 Client Tools
SQL Server 2008 R2 SP1 Common Files
SQL Server 2008 R2 SP1 Management Studio
swMSM
Symantec Endpoint Protection
TeamViewer 6
Tivoli Endpoint Manager Client
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596802) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553378) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition
Update for Microsoft Office 2010 (KB2687509) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
Update for Microsoft Office 2010 (KB2767886) 32-Bit Edition
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2817359) 32-Bit Edition
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 (KB974631)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows Internet Explorer 8 (KB2598845)
Update for Windows Internet Explorer 8 (KB2632503)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2492386)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2661254)
Update for Windows XP (KB2718704)
Update for Windows XP (KB2736233)
Update for Windows XP (KB2749655)
Update for Windows XP (KB898461)
Update for Windows XP (KB943729)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
User Profile Hive Cleanup Service
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Management Framework Core
Windows Presentation Foundation
XML Paper Specification Shared Components Pack 1.0
Yahoo! Messenger
Yahoo! Software Update
.
==== Event Viewer Messages From Past Week ========
.
5/17/2013 7:32:17 AM, error: TermServDevices [1111] - Driver Send To Microsoft OneNote 2010 Driver required for printer Send To OneNote 2010 is unknown. Contact the administrator to install the driver before you log in again.
5/17/2013 7:32:17 AM, error: TermServDevices [1111] - Driver Amyuni Document Converter 400 required for printer QuickBooks PDF Converter 2.0 is unknown. Contact the administrator to install the driver before you log in again.
5/17/2013 7:32:17 AM, error: TermServDevices [1111] - Driver Amyuni Document Converter 300 required for printer QuickBooks PDF Converter is unknown. Contact the administrator to install the driver before you log in again.
5/17/2013 7:32:07 AM, error: TermServDevices [1111] - Driver Microsoft Shared Fax Driver required for printer Fax is unknown. Contact the administrator to install the driver before you log in again.
5/17/2013 7:32:06 AM, error: TermServDevices [1111] - Driver Amyuni Document Converter 400 required for printer Amyuni Document Converter is unknown. Contact the administrator to install the driver before you log in again.
5/17/2013 7:32:06 AM, error: TermServDevices [1111] - Driver Amyuni Document Converter 300 required for printer Amyuni Document Converter 300 is unknown. Contact the administrator to install the driver before you log in again.
5/17/2013 7:30:26 AM, error: TermServDevices [1111] - Driver HP Officejet 5600 series required for printer HP Officejet 5600 series is unknown. Contact the administrator to install the driver before you log in again.
5/16/2013 12:51:24 PM, error: DCOM [10009] - DCOM was unable to communicate with the computer SIROS using any of the configured protocols.
5/15/2013 1:17:52 PM, error: iaStor [9] - The device, \Device\Ide\iaStor0, did not respond within the timeout period.
5/14/2013 11:06:01 PM, error: NETLOGON [5719] - No Domain Controller is available for domain CAMPUS due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
.
==== End Of File ===========================

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.5.1
Run by ltioupine at 17:35:13 on 2013-05-17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2089 [GMT -7:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Enabled*
.
============== Running Processes ================
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\TeamViewer\Version6\TeamViewer.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\Program Files\TeamViewer\Version6\tv_w32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\W3i\InstallIQUpdater\InstallIQUpdater.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Bug Shooting 2\BugShooting2.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\ltioupine\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClientUI.exe
C:\Documents and Settings\ltioupine\Desktop\OTL.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SymCorpUI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: BHOManager Class: {474264BC-9571-47C1-85B9-780F756DC9CE} - c:\windows\system32\BHOManager.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft outlook 2007\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} -
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [InstallIQUpdater] "c:\program files\w3i\installiqupdater\InstallIQUpdater.exe" /silent /autorun
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [KernelFaultCheck] c:\windows\system32\dumprep 0 -k
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\ltioup~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\ltioupine\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bugsho~1.lnk - c:\program files\bug shooting 2\BugShooting2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pidgin.lnk - c:\program files\pidgin\pidgin.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{14fcfe7c-ab86-428a-9d2e-bfb6f5a7aa6e}\Icon3E5562ED7.ico
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: consentpromptbehavioradmin = dword:0
mPolicies-System: MaxGPOScriptWait = dword:0
mPolicies-Windows\System: UserPolicyMode = dword:1
mPolicies-Windows\System: AllowX-ForestPolicy-and-RUP = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\mibe46~1\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {00460182-9E5E-11D5-B7C8-B8269041DD68} - hxxps://myaccess.ucsf.edu/imedris/wordwrap.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {41861299-EAB2-4DCC-986C-802AE12AC499} - hxxps://rio.ucsf.edu/ReportServer/Reserved.ReportViewerWebControl.axd?ExecutionID=kv15ot555ry0i0fxghhbuzrw&ControlID=a282698d3c4f4f9897ee2c6a3ca14d50&Culture=127&UICulture=9&ReportStack=1&OpType=PrintCab
DPF: {43A4658A-8BA8-43A9-94BA-E3A22500FB17} - hxxps://chr-hrpp.ucsf.edu/commwrap.cab
DPF: {5A336865-2009-11D4-87C0-0050DACCFBC5} - hxxps://myaccess.ucsf.edu/imedris/IGInterAct40.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1348533498686
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1348533523030
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BF17C411-9ADA-4C73-B12C-BD814BDE187F} - hxxps://uc.sumtotalsystems.com/sumtotal/client/ScheduleServices/ScheduleServices.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://akamaicdn.webex.com/client/WBXclient-T27L10NSP32EP4-14323/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://vpn.ucsf.edu/dana-cached/sc/JuniperSetupClient.cab
TCP: NameServer = 128.218.254.10 128.218.254.40
TCP: Interfaces\{D42D6627-7DD3-4794-B635-A65B95043B29} : NameServer = 64.54.128.37,64.54.128.53
TCP: Interfaces\{D42D6627-7DD3-4794-B635-A65B95043B29} : DHCPNameServer = 128.218.254.10 128.218.254.40
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs= c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\ltioupine\application data\mozilla\firefox\profiles\bo3afth4.default-1368836151203\
FF - plugin: c:\progra~1\mibe46~1\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\mibe46~1\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\acrobat 9.0\acrobat\air\nppdf32.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1202122.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_7_700_169.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2009-3-9 24064]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-2-3 108456]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-2-3 108456]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2011-3-10 1839888]
R2 TeamViewer6;TeamViewer 6;c:\program files\teamviewer\version6\TeamViewer_Service.exe [2010-12-14 2228008]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2009-3-9 144480]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-9-14 106656]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20130517.002\NAVENG.SYS [2013-5-17 93296]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20130517.002\NAVEX15.SYS [2013-5-17 1603824]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2010-7-12 23888]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2010-3-24 30192]
S3 magaService;Lan Discover Agent;c:\program files\sygate\ssa\maga\maga.exe --> c:\program files\sygate\ssa\maga\maga.exe [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
.
=============== Created Last 30 ================
.
2013-05-17 21:20:57 74136 ----a-w- c:\program files\mozilla firefox\breakpadinjector.dll
2013-05-17 21:20:57 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2013-05-17 21:20:57 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2013-05-17 21:20:57 116120 ----a-w- c:\program files\mozilla firefox\crashreporter.exe
2013-05-17 21:20:56 19352 ----a-w- c:\program files\mozilla firefox\AccessibleMarshal.dll
2013-05-17 19:34:39 -------- d-----w- c:\documents and settings\all users\application data\PC Optimizer Pro
2013-05-17 19:26:24 -------- d-----w- c:\program files\Repair Access Database Free
2013-05-17 19:25:16 0 ----a-w- c:\windows\system32\TempWmicBatchFile.bat
.
==================== Find3M ====================
.
2013-05-08 09:21:31 174056 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2013-05-07 04:27:31 6015488 ----a-w- c:\windows\system32\SET549.tmp
2013-04-18 01:05:57 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-04-18 01:05:57 691592 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-04-16 22:17:15 920064 ----a-w- c:\windows\system32\SET62C.tmp
2013-04-16 22:17:15 55296 ----a-w- c:\windows\system32\SET632.tmp
2013-04-16 22:17:15 1215488 ----a-w- c:\windows\system32\SET62D.tmp
2013-04-16 22:17:15 105984 ----a-w- c:\windows\system32\SET62E.tmp
2013-04-16 22:17:14 630272 ----a-w- c:\windows\system32\SET633.tmp
2013-04-16 22:17:14 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-04-16 22:17:14 25600 ----a-w- c:\windows\system32\SET636.tmp
2013-04-16 22:17:14 2005504 ----a-w- c:\windows\system32\SET638.tmp
2013-04-16 22:17:14 184320 ----a-w- c:\windows\system32\SET639.tmp
2013-04-16 22:17:14 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-04-16 22:17:14 11112960 ----a-w- c:\windows\system32\SET63B.tmp
2013-04-12 23:28:55 385024 ----a-w- c:\windows\system32\html.iec
2013-04-10 01:31:19 1876352 ----a-w- c:\windows\system32\win32k.sys
2013-03-08 08:36:22 293376 ----a-w- c:\windows\system32\winsrv.dll
2013-03-07 01:32:25 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50:30 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-06 20:47:55 342528 ----a-w- c:\windows\system32\RunAsCurrentUser.exe
2013-03-05 02:08:28 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-03-05 02:08:22 143872 ----a-w- c:\windows\system32\javacpl.cpl
2013-03-05 02:08:19 861088 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-03-05 02:08:19 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-03-02 02:06:31 916480 ------w- c:\windows\system32\wininet.dll
2013-03-02 01:25:02 1867264 ------w- c:\windows\system32\_000005_.tmp.dll
2013-02-27 05:31:23 36864 ----a-w- c:\windows\system32\tsgqec.dll
2013-02-27 05:31:23 2691072 ----a-w- c:\windows\system32\mstscax.dll
2013-02-27 05:31:23 131072 ----a-w- c:\windows\system32\aaclient.dll
.
============= FINISH: 17:35:30.44 ===============
  • 0

#4
gringo_pr
Posted 17 May 2013 - 08:27 PM

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello LizT

These are the programs I would like you to run next, if you have any problems with one of these just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.





-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

When they are complete let me have the two reports and let me know how things are running.

Gringo
  • 0

#5
LizT
Posted 20 May 2013 - 09:58 PM

LizT

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi Gringo,

Here they are:

Adware Cleaner:

# AdwCleaner v2.301 - Logfile created 05/17/2013 at 17:17:46
# Updated 16/05/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : ltioupine - HRPP-LTIOUPINE
# Boot Mode : Normal
# Running from : C:\Documents and Settings\ltioupine\Local Settings\Temporary Internet Files\Content.IE5\6ECJZR19\adwcleaner[1].exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\END
Folder Deleted : C:\Documents and Settings\All Users\Application Data\SweetIM
Folder Deleted : C:\Program Files\SweetIM

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35B-6118-11DC-9C72-001320C79847}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35C-6118-11DC-9C72-001320C79847}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35B-6118-11DC-9C72-001320C79847}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35C-6118-11DC-9C72-001320C79847}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35D-6118-11DC-9C72-001320C79847}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\pc optimizer pro
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{19D2F415-D58B-46BC-9390-C03DCBC21EB2}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9F0F16DD-4E76-4049-A9B1-7A91E48F0323}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EEE6C35B-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EEE6C35C-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EEE6C35D-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F4288797-CB12-49CE-9DF8-7CDFA1143BEA}
Key Deleted : HKLM\Software\Classes\Installer\Features\FB6D58DD787439A4995AF3C00FEA8843
Key Deleted : HKLM\Software\Classes\Installer\Products\FB6D58DD787439A4995AF3C00FEA8843
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EEE6C358-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EEE6C359-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EEE6C35A-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHost.Tool
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHost.Tool.1
Key Deleted : HKLM\SOFTWARE\Classes\SWEETIE.IEToolbar
Key Deleted : HKLM\SOFTWARE\Classes\SWEETIE.IEToolbar.1
Key Deleted : HKLM\SOFTWARE\Classes\sweetim_urlsearchhook.toolbarurlsearchhook
Key Deleted : HKLM\SOFTWARE\Classes\sweetim_urlsearchhook.toolbarurlsearchhook.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.sweetie
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.sweetie.1
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{212C2C4F-C845-4FBC-9561-C833A13D8DCE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{3C5D1D57-16C8-473C-A552-37B8D88596FE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4A115D8A-6A7B-4C72-92B1-2E2D01F36979}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{99DF8440-814E-497F-BDDD-FB93E9E9DF96}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{83CAD530-387D-40FD-82EA-B9E863D92A9B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EEE6C367-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{DD85D6BF-4787-4A93-99A5-3F0CF0AE8834}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\A97CEC23332751B47BA4B95BAA50C9D0
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\02F47BF73B948514FAACADD8CBBDF37D
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\080D9F5E1E95FEE4794CE438E635239E
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1E264E0A5959A1C46BA9175A878B12EA
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2E6768B6932D112438F047C54D180635
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\351716A953E21214898904032EAE2E81
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\397C771A7BCAC904697C3EC629ED33ED
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\69D6A6B2ED56AF24EA6335EAD6E91CA4
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7FFA128C2B0FF414D805FC5627883401
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\86EDC790504E1834DBC20C9A04328FD2
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\97C3D0F82E712E241A2F969F45E3351C
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\98CC8BF5A4A6E6C4ABF7051DDAB8B058
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9E7F556BF224D804D96A96F0F6344789
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A189D17A469616C4688D23E192996267
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BF4F885EDEE45644EB1E0C99E0162399
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\CE21F3FD57B244142880EF15A165A156
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D15DAF33C220F91468A1D7D57C31ACD7
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D3BA76A44C779424889063D5098ED2D6
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D6D0EB9FDBD90C04D92A7E729058F10D
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E4748F9A4181FCE46A23C13B517B9420
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\FB6D58DD787439A4995AF3C00FEA8843
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DD85D6BF-4787-4A93-99A5-3F0CF0AE8834}
Key Deleted : HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\WajamUpdater
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{EEE6C35B-6118-11DC-9C72-001320C79847}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{EEE6C35D-6118-11DC-9C72-001320C79847}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EEE6C35B-6118-11DC-9C72-001320C79847}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs [C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelperApp.exe]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs [C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarProxy.dll]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10045&barid={807A2032-BF27-11E2-B0FC-00059A3C7800} --> hxxp://www.google.com

-\\ Mozilla Firefox v21.0 (en-US)

File : C:\Documents and Settings\ltioupine\Application Data\Mozilla\Firefox\Profiles\bo3afth4.default-1368836151203\prefs.js

[OK] File is clean.

-\\ Google Chrome v18.0.1025.168

File : C:\Documents and Settings\ltioupine\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

Deleted [l.2148] : urls_to_restore_on_startup = [ "hxxp://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10045[...]

*************************

AdwCleaner[S1].txt - [9994 octets] - [17/05/2013 17:17:46]

########## EOF - C:\AdwCleaner[S1].txt - [10054 octets] ##########


JRT logfile


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.4 (05.06.2013:1)
OS: Microsoft Windows XP x86
Ran by ltioupine on Mon 05/20/2013 at 20:48:41.57
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully deleted: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\installiqupdater
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\sweetim
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\sweetim



~~~ Files



~~~ Folders

Failed to delete: [Folder] "C:\Documents and Settings\All Users\application data\bigfix"
Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\pc optimizer pro"
Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\w3i"
Successfully deleted: [Folder] "C:\Documents and Settings\ltioupine\Local Settings\Application Data\bigfix"
Successfully deleted: [Folder] "C:\Program Files\w3i"
Successfully deleted: [Folder] "C:\WINDOWS\system32\ai_recyclebin"



~~~ FireFox

Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{C4CFC0DE-134F-4466-B2A2-FF7C59A8BFAD}





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 05/20/2013 at 20:51:26.51
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  • 0

#6
gringo_pr
Posted 20 May 2013 - 11:13 PM

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello LizT

I Would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
  • 0

#7
LizT
Posted 21 May 2013 - 10:11 AM

LizT

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi Gringo,

I ran ComboFix. It gave me a message that Symantec was still running even though I'd disabled the protections and warned me I was running at my own risk.

during the first run, it gave me the blue screen of death mid way through. I restarted and tried again, this time successfully.
Here's the Combofix log:

ComboFix 13-05-20.01 - ltioupine 05/21/2013 8:55.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2319 [GMT -7:00]
Running from: c:\documents and settings\ltioupine\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\ltioupine\g2mdlhlpx.exe
c:\documents and settings\ltioupine\Local Settings\Temporary Internet Files\~$nsent_4005.doc
c:\documents and settings\ltioupine\Local Settings\Temporary Internet Files\Consent_4005.doc
c:\documents and settings\ltioupine\Local Settings\Temporary Internet Files\UM_43FD2BF2-6CEF-4138-BA75-249913DF513D.mp3
c:\documents and settings\ltioupine\My Documents\~WRL0001.tmp
c:\documents and settings\ltioupine\My Documents\~WRL0004.tmp
c:\documents and settings\ltioupine\My Documents\~WRL0005.tmp
c:\documents and settings\ltioupine\My Documents\~WRL0841.tmp
c:\documents and settings\ltioupine\My Documents\~WRL2057.tmp
c:\documents and settings\ltioupine\My Documents\~WRL3222.tmp
c:\documents and settings\ltioupine\WINDOWS
c:\program files\Internet Explorer\SET640.tmp
c:\program files\Internet Explorer\SET642.tmp
c:\windows\dasetup.log
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\drivers\tcpip.copy
c:\windows\system32\SET549.tmp
c:\windows\system32\SET62C.tmp
c:\windows\system32\SET62D.tmp
c:\windows\system32\SET62E.tmp
c:\windows\system32\SET632.tmp
c:\windows\system32\SET633.tmp
c:\windows\system32\SET636.tmp
c:\windows\system32\SET638.tmp
c:\windows\system32\SET639.tmp
c:\windows\system32\SET63B.tmp
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
c:\windows\wininit.ini
.
.
((((((((((((((((((((((((( Files Created from 2013-04-21 to 2013-05-21 )))))))))))))))))))))))))))))))
.
.
2013-05-21 03:48 . 2013-05-21 03:48 -------- d-----w- c:\windows\ERUNT
2013-05-21 03:48 . 2013-05-21 03:48 -------- d-----w- C:\JRT
2013-05-17 19:26 . 2013-05-17 21:02 -------- d-----w- c:\program files\Repair Access Database Free
2013-05-17 19:25 . 2013-05-17 19:25 0 ----a-w- c:\windows\system32\TempWmicBatchFile.bat
2013-05-15 21:56 . 2013-04-16 22:17 759296 ----a-w- c:\program files\Common Files\Microsoft Shared\VGX\SET63F.tmp
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-08 09:21 . 2010-09-16 05:21 174056 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2013-04-18 01:05 . 2012-04-16 17:27 691592 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-04-18 01:05 . 2011-05-27 17:16 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-04-16 22:17 . 2008-04-14 12:42 920064 ----a-w- c:\windows\system32\wininet.dll
2013-04-16 22:17 . 2008-04-14 12:42 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-04-16 22:17 . 2008-04-14 12:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-04-12 23:28 . 2008-04-14 07:07 385024 ----a-w- c:\windows\system32\html.iec
2013-04-10 01:31 . 2008-04-14 08:00 1876352 ----a-w- c:\windows\system32\win32k.sys
2013-03-08 08:36 . 2008-04-14 12:42 293376 ----a-w- c:\windows\system32\winsrv.dll
2013-03-07 01:32 . 2008-04-14 07:54 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50 . 2008-04-14 00:01 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-06 20:47 . 2013-03-06 20:48 342528 ----a-w- c:\windows\system32\RunAsCurrentUser.exe
2013-03-05 02:08 . 2013-03-05 02:08 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-03-05 02:08 . 2008-09-26 21:37 143872 ----a-w- c:\windows\system32\javacpl.cpl
2013-03-05 02:08 . 2012-07-17 20:03 861088 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-03-05 02:08 . 2010-10-05 20:58 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-02-27 05:31 . 2008-09-26 16:21 36864 ----a-w- c:\windows\system32\tsgqec.dll
2013-02-27 05:31 . 2008-09-26 16:21 131072 ----a-w- c:\windows\system32\aaclient.dll
2013-02-27 05:31 . 2008-09-26 16:21 2691072 ----a-w- c:\windows\system32\mstscax.dll
2010-07-13 16:18 . 2013-05-17 21:20 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-09-12 . CBEEBEB899E31EF52B962CB31FC8CA5C . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB2509553\SP3QFE\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
.
[-] 2008-09-25 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\documents and settings\ltioupine\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\documents and settings\ltioupine\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\documents and settings\ltioupine\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\documents and settings\ltioupine\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-03-20 5248312]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-09-20 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-07-24 1044480]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-13 30192]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2011-02-04 115624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2011-06-08 40376]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-23 640440]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-10-25 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\documents and settings\ltioupine\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\ltioupine\Application Data\Dropbox\bin\Dropbox.exe [2013-3-12 29106336]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bug Shooting 2.lnk - c:\program files\Bug Shooting 2\BugShooting2.exe [2011-1-31 1895936]
Pidgin.lnk - c:\program files\Pidgin\pidgin.exe [2013-2-12 60216]
VPN Client.lnk - c:\windows\Installer\{14FCFE7C-AB86-428A-9D2E-BFB6F5A7AA6E}\Icon3E5562ED7.ico [2012-9-17 6144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"consentpromptbehavioradmin"= 0 (0x0)
"MaxGPOScriptWait"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2695169584-3817918341-3537416689-20159\Scripts\Logon\0\0]
"Script"=rndlocpa.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2695169584-3817918341-3537416689-20159\Scripts\Logon\1\0]
"Script"=rndlocpa.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2695169584-3817918341-3537416689-61952\Scripts\Logon\0\0]
"Script"=rndlocpa.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2695169584-3817918341-3537416689-61952\Scripts\Logon\1\0]
"Script"=rndlocpa.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [3/9/2009 11:04 AM 24064]
R2 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [12/14/2010 12:31 PM 2228008]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [3/9/2009 11:04 AM 144480]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/14/2012 9:50 AM 106656]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/12/2010 6:04 PM 23888]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [3/24/2010 12:33 PM 30192]
S3 magaService;Lan Discover Agent;c:\program files\Sygate\SSA\maga\maga.exe --> c:\program files\Sygate\SSA\maga\maga.exe [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
*Deregistered* - uphcleanhlp
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-21 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-16 01:05]
.
2013-05-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
2013-05-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-05-10 06:30]
.
2013-05-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-05-10 06:30]
.
2013-05-21 c:\windows\Tasks\User_Feed_Synchronization-{3B29D418-85CB-4174-AED6-4BE6085B3DD8}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
2013-05-21 c:\windows\Tasks\User_Feed_Synchronization-{616BF532-8A2E-4B44-8384-DD2108B764D8}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MIBE46~1\Office12\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Trusted Zone: perfect.com\secure-stage
Trusted Zone: perfect.com\wbm-stage
Trusted Zone: ucop.edu\prod
Trusted Zone: ucsf.edu\d13n1
Trusted Zone: ucsf.edu\peoplesoft
Trusted Zone: ucsf.edu\s2n1
Trusted Zone: ucsf.edu\s3n1
Trusted Zone: ucsf.edu\s5n1
Trusted Zone: perfect.com\secure-stage
Trusted Zone: perfect.com\wbm-stage
Trusted Zone: ucop.edu\prod
Trusted Zone: ucsf.edu\peoplesoft
Trusted Zone: ucsf.edu\s2n1
Trusted Zone: ucsf.edu\s3n1
Trusted Zone: ucsf.edu\s5n1
TCP: DhcpNameServer = 128.218.254.10 128.218.254.40
TCP: Interfaces\{D42D6627-7DD3-4794-B635-A65B95043B29}: NameServer = 64.54.128.37,64.54.128.53
DPF: {00460182-9E5E-11D5-B7C8-B8269041DD68} - hxxps://myaccess.ucsf.edu/imedris/wordwrap.cab
DPF: {41861299-EAB2-4DCC-986C-802AE12AC499} - hxxps://rio.ucsf.edu/ReportServer/Reserved.ReportViewerWebControl.axd?ExecutionID=kv15ot555ry0i0fxghhbuzrw&ControlID=a282698d3c4f4f9897ee2c6a3ca14d50&Culture=127&UICulture=9&ReportStack=1&OpType=PrintCab
DPF: {43A4658A-8BA8-43A9-94BA-E3A22500FB17} - hxxps://chr-hrpp.ucsf.edu/commwrap.cab
DPF: {5A336865-2009-11D4-87C0-0050DACCFBC5} - hxxps://myaccess.ucsf.edu/imedris/IGInterAct40.cab
FF - ProfilePath - c:\documents and settings\ltioupine\Application Data\Mozilla\Firefox\Profiles\bo3afth4.default-1368836151203\
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-Symantec Antvirus
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-05-21 09:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1788)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\msv1_0.dll
.
- - - - - - - > 'lsass.exe'(1852)
c:\windows\SYSTEM32\SYSFER.DLL
.
Completion time: 2013-05-21 09:07:41
ComboFix-quarantined-files.txt 2013-05-21 16:07
.
Pre-Run: 180,086,853,632 bytes free
Post-Run: 185,796,243,456 bytes free
.
- - End Of File - - F398E58C55378624D62F2D9DAC5F0AE7
  • 0

#8
LizT
Posted 21 May 2013 - 11:56 AM

LizT

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi Gringo,

The computer seems to be functioning normally now but I am still afraid to go to any financial sites. How can I tell if it's cleaned out and safe.

The issue with the xls export turned out to be because the results set exceeded the Excel limit. Doh!

Thank you VERY much for your help.

-Liz
  • 0

#9
gringo_pr
Posted 21 May 2013 - 12:06 PM

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello LizT

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo
  • 0

#10
LizT
Posted 22 May 2013 - 09:48 AM

LizT

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi Gringo,

Here is the log file:

ComboFix 13-05-20.01 - ltioupine 05/21/2013 17:15:50.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2304 [GMT -7:00]
Running from: c:\documents and settings\ltioupine\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\ltioupine\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
.
((((((((((((((((((((((((( Files Created from 2013-04-22 to 2013-05-22 )))))))))))))))))))))))))))))))
.
.
2013-05-21 03:48 . 2013-05-21 03:48 -------- d-----w- c:\windows\ERUNT
2013-05-21 03:48 . 2013-05-21 03:48 -------- d-----w- C:\JRT
2013-05-17 19:26 . 2013-05-17 21:02 -------- d-----w- c:\program files\Repair Access Database Free
2013-05-17 19:25 . 2013-05-17 19:25 0 ----a-w- c:\windows\system32\TempWmicBatchFile.bat
2013-05-15 21:56 . 2013-04-16 22:17 759296 ----a-w- c:\program files\Common Files\Microsoft Shared\VGX\SET63F.tmp
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-08 09:21 . 2010-09-16 05:21 174056 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2013-04-18 01:05 . 2012-04-16 17:27 691592 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-04-18 01:05 . 2011-05-27 17:16 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-04-16 22:17 . 2008-04-14 12:42 920064 ----a-w- c:\windows\system32\wininet.dll
2013-04-16 22:17 . 2008-04-14 12:42 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-04-16 22:17 . 2008-04-14 12:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-04-12 23:28 . 2008-04-14 07:07 385024 ----a-w- c:\windows\system32\html.iec
2013-04-10 01:31 . 2008-04-14 08:00 1876352 ----a-w- c:\windows\system32\win32k.sys
2013-03-08 08:36 . 2008-04-14 12:42 293376 ----a-w- c:\windows\system32\winsrv.dll
2013-03-07 01:32 . 2008-04-14 07:54 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50 . 2008-04-14 00:01 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-06 20:47 . 2013-03-06 20:48 342528 ----a-w- c:\windows\system32\RunAsCurrentUser.exe
2013-03-05 02:08 . 2013-03-05 02:08 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-03-05 02:08 . 2008-09-26 21:37 143872 ----a-w- c:\windows\system32\javacpl.cpl
2013-03-05 02:08 . 2012-07-17 20:03 861088 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-03-05 02:08 . 2010-10-05 20:58 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-02-27 05:31 . 2008-09-26 16:21 36864 ----a-w- c:\windows\system32\tsgqec.dll
2013-02-27 05:31 . 2008-09-26 16:21 131072 ----a-w- c:\windows\system32\aaclient.dll
2013-02-27 05:31 . 2008-09-26 16:21 2691072 ----a-w- c:\windows\system32\mstscax.dll
2010-07-13 16:18 . 2013-05-17 21:20 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-09-12 . CBEEBEB899E31EF52B962CB31FC8CA5C . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB2509553\SP3QFE\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
.
[-] 2008-09-25 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\documents and settings\ltioupine\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\documents and settings\ltioupine\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\documents and settings\ltioupine\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\documents and settings\ltioupine\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-03-20 5248312]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-09-20 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-07-24 1044480]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-13 30192]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2011-02-04 115624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2011-06-08 40376]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-23 640440]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-10-25 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\documents and settings\ltioupine\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\ltioupine\Application Data\Dropbox\bin\Dropbox.exe [2013-3-12 29106336]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bug Shooting 2.lnk - c:\program files\Bug Shooting 2\BugShooting2.exe [2011-1-31 1895936]
Pidgin.lnk - c:\program files\Pidgin\pidgin.exe [2013-2-12 60216]
VPN Client.lnk - c:\windows\Installer\{14FCFE7C-AB86-428A-9D2E-BFB6F5A7AA6E}\Icon3E5562ED7.ico [2012-9-17 6144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"consentpromptbehavioradmin"= 0 (0x0)
"MaxGPOScriptWait"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2695169584-3817918341-3537416689-20159\Scripts\Logon\0\0]
"Script"=rndlocpa.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2695169584-3817918341-3537416689-20159\Scripts\Logon\1\0]
"Script"=rndlocpa.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2695169584-3817918341-3537416689-61952\Scripts\Logon\0\0]
"Script"=rndlocpa.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2695169584-3817918341-3537416689-61952\Scripts\Logon\1\0]
"Script"=rndlocpa.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [3/9/2009 11:04 AM 24064]
R2 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [12/14/2010 12:31 PM 2228008]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [3/9/2009 11:04 AM 144480]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/14/2012 9:50 AM 106656]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/12/2010 6:04 PM 23888]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [3/24/2010 12:33 PM 30192]
S3 magaService;Lan Discover Agent;c:\program files\Sygate\SSA\maga\maga.exe --> c:\program files\Sygate\SSA\maga\maga.exe [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
*Deregistered* - uphcleanhlp
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-21 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-16 01:05]
.
2013-05-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
2013-05-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-05-10 06:30]
.
2013-05-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-05-10 06:30]
.
2013-05-22 c:\windows\Tasks\User_Feed_Synchronization-{3B29D418-85CB-4174-AED6-4BE6085B3DD8}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
2013-05-22 c:\windows\Tasks\User_Feed_Synchronization-{616BF532-8A2E-4B44-8384-DD2108B764D8}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MIBE46~1\Office12\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Trusted Zone: perfect.com\secure-stage
Trusted Zone: perfect.com\wbm-stage
Trusted Zone: ucop.edu\prod
Trusted Zone: ucsf.edu\d13n1
Trusted Zone: ucsf.edu\peoplesoft
Trusted Zone: ucsf.edu\s2n1
Trusted Zone: ucsf.edu\s3n1
Trusted Zone: ucsf.edu\s5n1
Trusted Zone: perfect.com\secure-stage
Trusted Zone: perfect.com\wbm-stage
Trusted Zone: ucop.edu\prod
Trusted Zone: ucsf.edu\peoplesoft
Trusted Zone: ucsf.edu\s2n1
Trusted Zone: ucsf.edu\s3n1
Trusted Zone: ucsf.edu\s5n1
TCP: DhcpNameServer = 128.218.254.10 128.218.254.40
TCP: Interfaces\{D42D6627-7DD3-4794-B635-A65B95043B29}: NameServer = 64.54.128.37,64.54.128.53
DPF: {00460182-9E5E-11D5-B7C8-B8269041DD68} - hxxps://myaccess.ucsf.edu/imedris/wordwrap.cab
DPF: {41861299-EAB2-4DCC-986C-802AE12AC499} - hxxps://rio.ucsf.edu/ReportServer/Reserved.ReportViewerWebControl.axd?ExecutionID=kv15ot555ry0i0fxghhbuzrw&ControlID=a282698d3c4f4f9897ee2c6a3ca14d50&Culture=127&UICulture=9&ReportStack=1&OpType=PrintCab
DPF: {43A4658A-8BA8-43A9-94BA-E3A22500FB17} - hxxps://chr-hrpp.ucsf.edu/commwrap.cab
DPF: {5A336865-2009-11D4-87C0-0050DACCFBC5} - hxxps://myaccess.ucsf.edu/imedris/IGInterAct40.cab
FF - ProfilePath - c:\documents and settings\ltioupine\Application Data\Mozilla\Firefox\Profiles\bo3afth4.default-1368836151203\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-05-21 17:21
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1788)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\msv1_0.dll
.
- - - - - - - > 'lsass.exe'(1852)
c:\windows\SYSTEM32\SYSFER.DLL
.
- - - - - - - > 'explorer.exe'(2192)
c:\windows\SYSTEM32\SYSFER.DLL
c:\windows\system32\WININET.dll
c:\documents and settings\ltioupine\Application Data\Dropbox\bin\DropboxExt.17.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2013-05-21 17:23:03
ComboFix-quarantined-files.txt 2013-05-22 00:23
ComboFix2.txt 2013-05-21 16:07
.
Pre-Run: 185,711,153,152 bytes free
Post-Run: 185,799,651,328 bytes free
.
- - End Of File - - 425903173211D11ED8A8BF718A86A3F1


Thank you!!
  • 0

#11
gringo_pr
Posted 22 May 2013 - 11:48 AM

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello

These logs are looking allot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore this is fine just move to the next item on the list.

You can remove these programs using add/remove or you can use the free uninstaller from Revo (Revo does allot better of a job)

Programs to remove


Adobe Reader 9.4.5
Java 7 Update 15
Java™ 6 Update 7
JavaFX 2.1.1

 [/list]

Please download and install Revo Uninstaller Free

  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.
.

Update Adobe reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com.../readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.
[/list]
Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. default settings are fine
  • Click Run Cleaner.
  • Close CCleaner.

Run Malwarebytes

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis program
  • Save HijackThis to your desktop.
  • Right Click on Hijackthis and select "Run as Admin" (XP users just need to double click to run)
  • Click on "Do A system scan and save a logfile" (if you do not see "Do A system scan and save a logfile" then click on main menu)
  • copy and paste hijackthis report into the topic


"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
  • 0

#12
gringo_pr
Posted 24 May 2013 - 11:13 PM

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo
  • 0

#13
gringo_pr
Posted 28 May 2013 - 07:51 PM

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP