Essexboy
Computer still infected with Rootkit ZeroAccess inserted in tcp/ip stack.
Computer faster after ComboFix but still slow.
More web sites are showing lack of images.
I'm communicating in Safe Mode with Networking to minimize infection spread by ZeroAccess. Lots of Black Screen after Combo completed; the actual scanning of stages 1 to 50 took about 23 min. Combo recommends a second scan if unable to connect to the web. But since I experienced a longer Black Screen, I'm getting paranoid about shutdown.
Is running ComboFix in Safe Mode with Networking better than Normal mode?
Possible infection of all Restore Points. Should I restore to an earlier Point? The earliest is Jun 14, before the two Black Screen crashes I recovered from in Safe Mode and the other serious errors on Jun 17 to 25 (see the list in my Jun 26 response). Or are all my Points infected?
Nothing has eliminated ZeroAccess, it's well hidden.
If I run a Restore Point with errors in it, "after doing sfc and chkdsk", does the restore change any corrections made by sfc and chkdsk?
Should I run another two ComboFix scans in Safe Mode with Networking, or is it a waste of time? Enough of my inexperienced yakking.
Today's ComboFix
ComboFix 13-06-08.02 - johnt 06/09/13 18:33:35.1.1 - x86
Running from: c:\documents and settings\johnt\Desktop\ComboFix.exe
FW: ZoneAlarm Extreme Security Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\RAIDTest
.
.
((((((((((((((((((((((((( Files Created from 2013-05-10 to 2013-06-10 )))))))))))))))))))))))))))))))
.
.
2013-06-08 21:29 . 2013-06-08 21:29 -------- d-----w- c:\program files\Safer Networking
2013-06-08 21:23 . 2013-06-08 21:23 4333832 ----a-w- c:\program files\filealyz-2.0.5.57.exe
2013-06-07 05:09 . 2013-06-07 05:09 -------- d-----w- c:\documents and settings\All Users\Application Data\StarApp
2013-06-07 05:08 . 2013-06-07 05:09 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
2013-05-31 19:00 . 2013-06-03 12:16 -------- d-----w- C:\State Farm 2013 Auto Accident
2013-05-29 06:22 . 2007-04-05 01:55 261480 ----a-w- c:\windows\system32\xactengine2_7.dll
2013-05-29 06:22 . 2007-03-15 23:57 443752 ----a-w- c:\windows\system32\d3dx10_33.dll
2013-05-29 06:22 . 2007-03-12 23:42 1123696 ----a-w- c:\windows\system32\D3DCompiler_33.dll
2013-05-29 06:22 . 2007-03-12 23:42 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
2013-05-29 06:22 . 2007-01-24 22:27 255848 ----a-w- c:\windows\system32\xactengine2_6.dll
2013-05-29 06:22 . 2006-12-08 19:02 251672 ----a-w- c:\windows\system32\xactengine2_5.dll
2013-05-29 06:17 . 2013-05-29 07:40 -------- d-----w- c:\windows\Logs
2013-05-26 23:43 . 2013-05-26 23:43 -------- d-----w- c:\windows\ERUNT
2013-05-21 11:34 . 2013-05-21 11:33 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-05-21 11:34 . 2013-05-21 11:33 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-05-19 20:59 . 2013-05-19 23:02 4334 ----a-w- c:\documents and settings\johnt\ie-guid.reg
2013-05-16 21:56 . 2013-05-16 21:56 -------- d-----w- c:\program files\MSXML 4.0
2013-05-14 03:02 . 2013-05-20 02:23 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2013-05-14 00:10 . 2013-05-14 00:10 1898001 ----a-w- C:\may 13.exe
2013-05-13 23:29 . 2013-05-13 23:29 -------- d-----w- c:\documents and settings\Administrator.JOHN-F8EF23E355.000\Application Data\CyberScrub
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-27 12:10 . 2012-11-13 09:46 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-27 12:10 . 2012-11-13 09:46 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-21 11:33 . 2012-06-17 22:20 866720 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-05-21 11:33 . 2010-04-18 19:07 788896 ----a-w- c:\windows\system32\deployJava1.dll
2013-04-16 22:17 . 2006-03-04 03:33 920064 ----a-w- c:\windows\system32\wininet.dll
2013-04-16 22:17 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-04-16 22:17 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-04-12 23:28 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2013-04-10 01:31 . 2004-08-04 10:00 1876352 ----a-w- c:\windows\system32\win32k.sys
2010-07-08 10:43 . 2010-07-08 10:43 144 ----a-w- c:\program files\Filter On.reg
2009-08-30 23:59 . 2009-08-11 22:41 661864 ----a-w- c:\program files\autoruns.exe
2009-08-30 23:59 . 2009-08-11 22:41 553832 ----a-w- c:\program files\autorunsc.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2012-08-29 73392]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mirpywre.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [09/03/09 8:29 AM 28544]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [08/14/12 3:36 PM 11352]
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [08/30/12 4:03 AM 27056]
R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [08/30/12 4:03 AM 497320]
R2 ZABackupWebM;ZoneAlarmBackup WebManager;c:\program files\ZoneAlarmBackup\ZABackupWebM.exe [09/07/11 4:16 AM 124432]
R2 ZoneAlarmBackup Service;ZoneAlarmBackup Service;c:\program files\ZoneAlarmBackup\ZABackup Service.exe [09/07/11 4:16 AM 149008]
S3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [08/30/12 4:03 AM 36784]
S4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [08/11/11 4:38 PM 116608]
S4 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [08/04/04 3:00 AM 14336]
S4 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [11/06/09 7:27 PM 8960]
S4 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [07/22/11 9:27 AM 12880]
S4 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [02/17/10 11:15 AM 12872]
S4 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [07/12/11 2:55 PM 67664]
S4 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm --> c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - uphcleanhlp
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-13 00:48]
.
2012-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-13 00:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
mStart Page = hxxp://www.google.com
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Privacy Suite RiskMonitor - (no file)
HKLM-Run-ISW - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2013-06-09 18:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1614895754-1004336348-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2013-06-09 18:58:19
ComboFix-quarantined-files.txt 2013-06-10 01:58
.
Pre-Run: 23,599,026,176 bytes free
Post-Run: 23,670,849,536 bytes free
.
- - End Of File - - 183B9FCEB175422EA4CFD4307BCB4C3F
8F558EB6672622401DA993E1E865C861
ComboFix 13-06-08.02 - johnt 06/09/13 19:21:54.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1298 [GMT -7:00]
Running from: c:\documents and settings\johnt\Desktop\ComboFix.exe
FW: ZoneAlarm Extreme Security Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Resident AV is active
.
.
.
((((((((((((((((((((((((( Files Created from 2013-05-10 to 2013-06-10 )))))))))))))))))))))))))))))))
.
.
2013-06-08 21:29 . 2013-06-08 21:29 -------- d-----w- c:\program files\Safer Networking
2013-06-08 21:23 . 2013-06-08 21:23 4333832 ----a-w- c:\program files\filealyz-2.0.5.57.exe
2013-06-07 05:09 . 2013-06-07 05:09 -------- d-----w- c:\documents and settings\All Users\Application Data\StarApp
2013-06-07 05:08 . 2013-06-07 05:09 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
2013-05-31 19:00 . 2013-06-03 12:16 -------- d-----w- C:\State Farm 2013 Auto Accident
2013-05-29 06:22 . 2007-04-05 01:55 261480 ----a-w- c:\windows\system32\xactengine2_7.dll
2013-05-29 06:22 . 2007-03-15 23:57 443752 ----a-w- c:\windows\system32\d3dx10_33.dll
2013-05-29 06:22 . 2007-03-12 23:42 1123696 ----a-w- c:\windows\system32\D3DCompiler_33.dll
2013-05-29 06:22 . 2007-03-12 23:42 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
2013-05-29 06:22 . 2007-01-24 22:27 255848 ----a-w- c:\windows\system32\xactengine2_6.dll
2013-05-29 06:22 . 2006-12-08 19:02 251672 ----a-w- c:\windows\system32\xactengine2_5.dll
2013-05-29 06:17 . 2013-05-29 07:40 -------- d-----w- c:\windows\Logs
2013-05-26 23:43 . 2013-05-26 23:43 -------- d-----w- c:\windows\ERUNT
2013-05-21 11:34 . 2013-05-21 11:33 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-05-21 11:34 . 2013-05-21 11:33 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-05-19 20:59 . 2013-05-19 23:02 4334 ----a-w- c:\documents and settings\johnt\ie-guid.reg
2013-05-16 21:56 . 2013-05-16 21:56 -------- d-----w- c:\program files\MSXML 4.0
2013-05-14 03:02 . 2013-05-20 02:23 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2013-05-14 00:10 . 2013-05-14 00:10 1898001 ----a-w- C:\may 13.exe
2013-05-13 23:29 . 2013-05-13 23:29 -------- d-----w- c:\documents and settings\Administrator.JOHN-F8EF23E355.000\Application Data\CyberScrub
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-27 12:10 . 2012-11-13 09:46 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-27 12:10 . 2012-11-13 09:46 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-21 11:33 . 2012-06-17 22:20 866720 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-05-21 11:33 . 2010-04-18 19:07 788896 ----a-w- c:\windows\system32\deployJava1.dll
2013-04-16 22:17 . 2006-03-04 03:33 920064 ----a-w- c:\windows\system32\wininet.dll
2013-04-16 22:17 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-04-16 22:17 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-04-12 23:28 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2013-04-10 01:31 . 2004-08-04 10:00 1876352 ----a-w- c:\windows\system32\win32k.sys
2010-07-08 10:43 . 2010-07-08 10:43 144 ----a-w- c:\program files\Filter On.reg
2009-08-30 23:59 . 2009-08-11 22:41 661864 ----a-w- c:\program files\autoruns.exe
2009-08-30 23:59 . 2009-08-11 22:41 553832 ----a-w- c:\program files\autorunsc.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2012-08-29 73392]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"ISW"="" [BU]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mirpywre.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [09/03/09 8:29 AM 28544]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [08/14/12 3:36 PM 11352]
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [08/30/12 4:03 AM 27056]
R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [08/30/12 4:03 AM 497320]
R2 ZABackupWebM;ZoneAlarmBackup WebManager;c:\program files\ZoneAlarmBackup\ZABackupWebM.exe [09/07/11 4:16 AM 124432]
R2 ZoneAlarmBackup Service;ZoneAlarmBackup Service;c:\program files\ZoneAlarmBackup\ZABackup Service.exe [09/07/11 4:16 AM 149008]
S3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [08/30/12 4:03 AM 36784]
S4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [08/11/11 4:38 PM 116608]
S4 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [08/04/04 3:00 AM 14336]
S4 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [11/06/09 7:27 PM 8960]
S4 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [07/22/11 9:27 AM 12880]
S4 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [02/17/10 11:15 AM 12872]
S4 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [07/12/11 2:55 PM 67664]
S4 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm --> c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - uphcleanhlp
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-13 00:48]
.
2012-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-13 00:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
mStart Page = hxxp://www.google.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2013-06-09 19:42
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1614895754-1004336348-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2013-06-09 19:48:06
ComboFix-quarantined-files.txt 2013-06-10 02:48
ComboFix2.txt 2013-06-10 01:58
.
Pre-Run: 23,646,531,584 bytes free
Post-Run: 23,687,942,144 bytes free
.
- - End Of File - - 73D4F5BD54E0A576DC398857118D843F
8F558EB6672622401DA993E1E865C861
ComboFix 13-06-08.02 - johnt 06/10/13 1:56.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1328 [GMT -7:00]
Running from: c:\documents and settings\johnt\Desktop\ComboFix.exe
FW: ZoneAlarm Extreme Security Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Resident AV is active
.
.
.
((((((((((((((((((((((((( Files Created from 2013-05-10 to 2013-06-10 )))))))))))))))))))))))))))))))
.
.
2013-06-08 21:29 . 2013-06-08 21:29 -------- d-----w- c:\program files\Safer Networking
2013-06-08 21:23 . 2013-06-08 21:23 4333832 ----a-w- c:\program files\filealyz-2.0.5.57.exe
2013-06-07 05:09 . 2013-06-07 05:09 -------- d-----w- c:\documents and settings\All Users\Application Data\StarApp
2013-06-07 05:08 . 2013-06-10 05:22 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
2013-05-31 19:00 . 2013-06-03 12:16 -------- d-----w- C:\State Farm 2013 Auto Accident
2013-05-29 06:22 . 2007-04-05 01:55 261480 ----a-w- c:\windows\system32\xactengine2_7.dll
2013-05-29 06:22 . 2007-03-15 23:57 443752 ----a-w- c:\windows\system32\d3dx10_33.dll
2013-05-29 06:22 . 2007-03-12 23:42 1123696 ----a-w- c:\windows\system32\D3DCompiler_33.dll
2013-05-29 06:22 . 2007-03-12 23:42 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
2013-05-29 06:22 . 2007-01-24 22:27 255848 ----a-w- c:\windows\system32\xactengine2_6.dll
2013-05-29 06:22 . 2006-12-08 19:02 251672 ----a-w- c:\windows\system32\xactengine2_5.dll
2013-05-29 06:17 . 2013-05-29 07:40 -------- d-----w- c:\windows\Logs
2013-05-26 23:43 . 2013-05-26 23:43 -------- d-----w- c:\windows\ERUNT
2013-05-21 11:34 . 2013-05-21 11:33 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-05-21 11:34 . 2013-05-21 11:33 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-05-19 20:59 . 2013-05-19 23:02 4334 ----a-w- c:\documents and settings\johnt\ie-guid.reg
2013-05-16 21:56 . 2013-05-16 21:56 -------- d-----w- c:\program files\MSXML 4.0
2013-05-14 03:02 . 2013-05-20 02:23 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2013-05-14 00:10 . 2013-05-14 00:10 1898001 ----a-w- C:\may 13.exe
2013-05-13 23:29 . 2013-05-13 23:29 -------- d-----w- c:\documents and settings\Administrator.JOHN-F8EF23E355.000\Application Data\CyberScrub
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-27 12:10 . 2012-11-13 09:46 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-27 12:10 . 2012-11-13 09:46 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-21 11:33 . 2012-06-17 22:20 866720 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-05-21 11:33 . 2010-04-18 19:07 788896 ----a-w- c:\windows\system32\deployJava1.dll
2013-04-16 22:17 . 2006-03-04 03:33 920064 ----a-w- c:\windows\system32\wininet.dll
2013-04-16 22:17 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-04-16 22:17 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-04-12 23:28 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2013-04-10 01:31 . 2004-08-04 10:00 1876352 ----a-w- c:\windows\system32\win32k.sys
2010-07-08 10:43 . 2010-07-08 10:43 144 ----a-w- c:\program files\Filter On.reg
2009-08-30 23:59 . 2009-08-11 22:41 661864 ----a-w- c:\program files\autoruns.exe
2009-08-30 23:59 . 2009-08-11 22:41 553832 ----a-w- c:\program files\autorunsc.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2012-08-29 73392]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"ISW"="" [BU]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 86016]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mirpywre.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [09/03/09 8:29 AM 28544]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [08/14/12 3:36 PM 11352]
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [08/30/12 4:03 AM 27056]
R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [08/30/12 4:03 AM 497320]
R2 ZABackupWebM;ZoneAlarmBackup WebManager;c:\program files\ZoneAlarmBackup\ZABackupWebM.exe [09/07/11 4:16 AM 124432]
R2 ZoneAlarmBackup Service;ZoneAlarmBackup Service;c:\program files\ZoneAlarmBackup\ZABackup Service.exe [09/07/11 4:16 AM 149008]
S3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [08/30/12 4:03 AM 36784]
S4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [08/11/11 4:38 PM 116608]
S4 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [08/04/04 3:00 AM 14336]
S4 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [11/06/09 7:27 PM 8960]
S4 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [07/22/11 9:27 AM 12880]
S4 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [02/17/10 11:15 AM 12872]
S4 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [07/12/11 2:55 PM 67664]
S4 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm --> c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - uphcleanhlp
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-13 00:48]
.
2012-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-13 00:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
mStart Page = hxxp://www.google.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2013-06-10 02:14
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1614895754-1004336348-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2013-06-10 02:21:25
ComboFix-quarantined-files.txt 2013-06-10 09:21
ComboFix2.txt 2013-06-10 02:48
ComboFix3.txt 2013-06-10 01:58
.
Pre-Run: 23,660,453,888 bytes free
Post-Run: 23,661,826,048 bytes free
.
- - End Of File - - 0FD37415ADD2D211D072348053B019CD
8F558EB6672622401DA993E1E865C861
ComboFix 13-06-08.02 - johnt 06/10/13 11:41:53.4.1 - x86
Running from: c:\documents and settings\johnt\Desktop\ComboFix.exe
FW: ZoneAlarm Extreme Security Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Resident AV is active
.
.
.
((((((((((((((((((((((((( Files Created from 2013-05-10 to 2013-06-10 )))))))))))))))))))))))))))))))
.
.
2013-06-08 21:29 . 2013-06-08 21:29 -------- d-----w- c:\program files\Safer Networking
2013-06-08 21:23 . 2013-06-08 21:23 4333832 ----a-w- c:\program files\filealyz-2.0.5.57.exe
2013-06-07 05:09 . 2013-06-07 05:09 -------- d-----w- c:\documents and settings\All Users\Application Data\StarApp
2013-06-07 05:08 . 2013-06-10 05:22 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
2013-05-31 19:00 . 2013-06-03 12:16 -------- d-----w- C:\State Farm 2013 Auto Accident
2013-05-29 06:22 . 2007-04-05 01:55 261480 ----a-w- c:\windows\system32\xactengine2_7.dll
2013-05-29 06:22 . 2007-03-15 23:57 443752 ----a-w- c:\windows\system32\d3dx10_33.dll
2013-05-29 06:22 . 2007-03-12 23:42 1123696 ----a-w- c:\windows\system32\D3DCompiler_33.dll
2013-05-29 06:22 . 2007-03-12 23:42 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
2013-05-29 06:22 . 2007-01-24 22:27 255848 ----a-w- c:\windows\system32\xactengine2_6.dll
2013-05-29 06:22 . 2006-12-08 19:02 251672 ----a-w- c:\windows\system32\xactengine2_5.dll
2013-05-29 06:17 . 2013-05-29 07:40 -------- d-----w- c:\windows\Logs
2013-05-26 23:43 . 2013-05-26 23:43 -------- d-----w- c:\windows\ERUNT
2013-05-21 11:34 . 2013-05-21 11:33 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-05-21 11:34 . 2013-05-21 11:33 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-05-19 20:59 . 2013-05-19 23:02 4334 ----a-w- c:\documents and settings\johnt\ie-guid.reg
2013-05-16 21:56 . 2013-05-16 21:56 -------- d-----w- c:\program files\MSXML 4.0
2013-05-14 03:02 . 2013-05-20 02:23 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2013-05-14 00:10 . 2013-05-14 00:10 1898001 ----a-w- C:\may 13.exe
2013-05-13 23:29 . 2013-05-13 23:29 -------- d-----w- c:\documents and settings\Administrator.JOHN-F8EF23E355.000\Application Data\CyberScrub
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-27 12:10 . 2012-11-13 09:46 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-27 12:10 . 2012-11-13 09:46 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-21 11:33 . 2012-06-17 22:20 866720 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-05-21 11:33 . 2010-04-18 19:07 788896 ----a-w- c:\windows\system32\deployJava1.dll
2013-04-16 22:17 . 2006-03-04 03:33 920064 ----a-w- c:\windows\system32\wininet.dll
2013-04-16 22:17 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-04-16 22:17 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-04-12 23:28 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2013-04-10 01:31 . 2004-08-04 10:00 1876352 ----a-w- c:\windows\system32\win32k.sys
2010-07-08 10:43 . 2010-07-08 10:43 144 ----a-w- c:\program files\Filter On.reg
2009-08-30 23:59 . 2009-08-11 22:41 661864 ----a-w- c:\program files\autoruns.exe
2009-08-30 23:59 . 2009-08-11 22:41 553832 ----a-w- c:\program files\autorunsc.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2012-08-29 73392]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"ISW"="" [BU]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 86016]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mirpywre.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [09/03/09 8:29 AM 28544]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [08/14/12 3:36 PM 11352]
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [08/30/12 4:03 AM 27056]
R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [08/30/12 4:03 AM 497320]
R2 ZABackupWebM;ZoneAlarmBackup WebManager;c:\program files\ZoneAlarmBackup\ZABackupWebM.exe [09/07/11 4:16 AM 124432]
R2 ZoneAlarmBackup Service;ZoneAlarmBackup Service;c:\program files\ZoneAlarmBackup\ZABackup Service.exe [09/07/11 4:16 AM 149008]
S3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [08/30/12 4:03 AM 36784]
S4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [08/11/11 4:38 PM 116608]
S4 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [08/04/04 3:00 AM 14336]
S4 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [11/06/09 7:27 PM 8960]
S4 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [07/22/11 9:27 AM 12880]
S4 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [02/17/10 11:15 AM 12872]
S4 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [07/12/11 2:55 PM 67664]
S4 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm --> c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - uphcleanhlp
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-13 00:48]
.
2012-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-13 00:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
mStart Page = hxxp://www.google.com
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2013-06-10 12:00
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1614895754-1004336348-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2013-06-10 12:07:05
ComboFix-quarantined-files.txt 2013-06-10 19:06
ComboFix2.txt 2013-06-10 09:21
ComboFix3.txt 2013-06-10 02:48
ComboFix4.txt 2013-06-10 01:58
.
Pre-Run: 23,641,251,840 bytes free
Post-Run: 23,642,259,456 bytes free
.
- - End Of File - - B97C7BE428FFF87B2BE067122F439B8E
8F558EB6672622401DA993E1E865C861
ComboFix 13-06-08.02 - johnt 06/10/13 12:49:05.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1294 [GMT -7:00]
Running from: c:\documents and settings\johnt\desktop\combofix.exe
Command switches used :: /killall
FW: ZoneAlarm Extreme Security Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Resident AV is active
.
.
.
((((((((((((((((((((((((( Files Created from 2013-05-10 to 2013-06-10 )))))))))))))))))))))))))))))))
.
.
2013-06-08 21:29 . 2013-06-08 21:29 -------- d-----w- c:\program files\Safer Networking
2013-06-08 21:23 . 2013-06-08 21:23 4333832 ----a-w- c:\program files\filealyz-2.0.5.57.exe
2013-06-07 05:09 . 2013-06-07 05:09 -------- d-----w- c:\documents and settings\All Users\Application Data\StarApp
2013-06-07 05:08 . 2013-06-10 05:22 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
2013-05-31 19:00 . 2013-06-03 12:16 -------- d-----w- C:\State Farm 2013 Auto Accident
2013-05-29 06:22 . 2007-03-15 23:57 443752 ----a-w- c:\windows\system32\d3dx10_33.dll
2013-05-29 06:22 . 2007-03-12 23:42 1123696 ----a-w- c:\windows\system32\D3DCompiler_33.dll
2013-05-29 06:22 . 2007-03-12 23:42 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
2013-05-29 06:21 . 2006-11-29 20:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2013-05-29 06:21 . 2006-09-28 23:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2013-05-29 06:21 . 2005-05-26 22:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2013-05-29 06:17 . 2013-05-29 07:40 -------- d-----w- c:\windows\Logs
2013-05-26 23:43 . 2013-05-26 23:43 -------- d-----w- c:\windows\ERUNT
2013-05-21 11:34 . 2013-05-21 11:33 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-05-19 20:59 . 2013-05-19 23:02 4334 ----a-w- c:\documents and settings\johnt\ie-guid.reg
2013-05-16 21:56 . 2013-05-16 21:56 -------- d-----w- c:\program files\MSXML 4.0
2013-05-14 03:02 . 2013-05-20 02:23 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2013-05-14 00:10 . 2013-05-14 00:10 1898001 ----a-w- C:\may 13.exe
2013-05-13 23:29 . 2013-05-13 23:29 -------- d-----w- c:\documents and settings\Administrator.JOHN-F8EF23E355.000\Application Data\CyberScrub
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-27 12:10 . 2012-11-13 09:46 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-27 12:10 . 2012-11-13 09:46 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-21 11:33 . 2013-05-21 11:34 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-05-21 11:33 . 2012-06-17 22:20 866720 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-05-21 11:33 . 2010-04-18 19:07 788896 ----a-w- c:\windows\system32\deployJava1.dll
2013-04-16 22:17 . 2006-03-04 03:33 920064 ----a-w- c:\windows\system32\wininet.dll
2013-04-16 22:17 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-04-16 22:17 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-04-12 23:28 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2013-04-10 01:31 . 2004-08-04 10:00 1876352 ----a-w- c:\windows\system32\win32k.sys
2010-07-08 10:43 . 2010-07-08 10:43 144 ----a-w- c:\program files\Filter On.reg
2009-08-30 23:59 . 2009-08-11 22:41 661864 ----a-w- c:\program files\autoruns.exe
2009-08-30 23:59 . 2009-08-11 22:41 553832 ----a-w- c:\program files\autorunsc.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2012-08-29 73392]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2012-08-30 738984]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 86016]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mirpywre.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [09/03/09 8:29 AM 28544]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [08/14/12 3:36 PM 11352]
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [08/30/12 4:03 AM 27056]
R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [08/30/12 4:03 AM 497320]
R2 ZABackupWebM;ZoneAlarmBackup WebManager;c:\program files\ZoneAlarmBackup\ZABackupWebM.exe [09/07/11 4:16 AM 124432]
R2 ZoneAlarmBackup Service;ZoneAlarmBackup Service;c:\program files\ZoneAlarmBackup\ZABackup Service.exe [09/07/11 4:16 AM 149008]
R3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [08/30/12 4:03 AM 36784]
S4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [08/11/11 4:38 PM 116608]
S4 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [08/04/04 3:00 AM 14336]
S4 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [11/06/09 7:27 PM 8960]
S4 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [07/22/11 9:27 AM 12880]
S4 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [02/17/10 11:15 AM 12872]
S4 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [07/12/11 2:55 PM 67664]
S4 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm --> c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - uphcleanhlp
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-13 00:48]
.
2012-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-13 00:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
mStart Page = hxxp://www.google.com
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2013-06-10 13:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1614895754-1004336348-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(556)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll
.
- - - - - - - > 'lsass.exe'(612)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll
.
- - - - - - - > 'explorer.exe'(2620)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll
c:\progra~1\CheckPoint\ZONEAL~1\MAILFR~1\mlfhook.dll
c:\windows\system32\nview.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
- - - - - - - > 'csrss.exe'(512)
c:\program files\CheckPoint\ZAForceField\AK\akconsole.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\SCardSvr.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\system32\devldr32.exe
c:\windows\system32\rundll32.exe
c:\progra~1\CheckPoint\ZONEAL~1\MAILFR~1\mantispm.exe
.
**************************************************************************
.
Completion time: 2013-06-10 13:28:25 - machine was rebooted
ComboFix-quarantined-files.txt 2013-06-10 20:28
ComboFix2.txt 2013-06-10 19:07
ComboFix3.txt 2013-06-10 09:21
ComboFix4.txt 2013-06-10 02:48
ComboFix5.txt 2013-06-10 19:33
.
Pre-Run: 23,661,428,736 bytes free
Post-Run: 23,660,019,712 bytes free
.
- - End Of File - - BA0086FBE87170E498D79F9F3D05E899
8F558EB6672622401DA993E1E865C861
ComboFix 13-06-08.02 - johnt 06/10/13 14:10:45.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1296 [GMT -7:00]
Running from: c:\documents and settings\johnt\desktop\combofix.exe
Command switches used :: /killall
FW: ZoneAlarm Extreme Security Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Resident AV is active
.
.
.
((((((((((((((((((((((((( Files Created from 2013-05-10 to 2013-06-10 )))))))))))))))))))))))))))))))
.
.
2013-06-08 21:29 . 2013-06-08 21:29 -------- d-----w- c:\program files\Safer Networking
2013-06-08 21:23 . 2013-06-08 21:23 4333832 ----a-w- c:\program files\filealyz-2.0.5.57.exe
2013-06-07 05:09 . 2013-06-07 05:09 -------- d-----w- c:\documents and settings\All Users\Application Data\StarApp
2013-06-07 05:08 . 2013-06-10 05:22 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
2013-05-31 19:00 . 2013-06-03 12:16 -------- d-----w- C:\State Farm 2013 Auto Accident
2013-05-29 06:22 . 2007-04-05 01:55 261480 ----a-w- c:\windows\system32\xactengine2_7.dll
2013-05-29 06:22 . 2007-03-15 23:57 443752 ----a-w- c:\windows\system32\d3dx10_33.dll
2013-05-29 06:22 . 2007-03-12 23:42 1123696 ----a-w- c:\windows\system32\D3DCompiler_33.dll
2013-05-29 06:22 . 2007-03-12 23:42 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
2013-05-29 06:22 . 2007-01-24 22:27 255848 ----a-w- c:\windows\system32\xactengine2_6.dll
2013-05-29 06:22 . 2006-12-08 19:02 251672 ----a-w- c:\windows\system32\xactengine2_5.dll
2013-05-29 06:17 . 2013-05-29 07:40 -------- d-----w- c:\windows\Logs
2013-05-26 23:43 . 2013-05-26 23:43 -------- d-----w- c:\windows\ERUNT
2013-05-21 11:34 . 2013-05-21 11:33 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-05-21 11:34 . 2013-05-21 11:33 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-05-19 20:59 . 2013-05-19 23:02 4334 ----a-w- c:\documents and settings\johnt\ie-guid.reg
2013-05-16 21:56 . 2013-05-16 21:56 -------- d-----w- c:\program files\MSXML 4.0
2013-05-14 03:02 . 2013-05-20 02:23 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2013-05-14 00:10 . 2013-05-14 00:10 1898001 ----a-w- C:\may 13.exe
2013-05-13 23:29 . 2013-05-13 23:29 -------- d-----w- c:\documents and settings\Administrator.JOHN-F8EF23E355.000\Application Data\CyberScrub
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-27 12:10 . 2012-11-13 09:46 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-27 12:10 . 2012-11-13 09:46 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-21 11:33 . 2012-06-17 22:20 866720 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-05-21 11:33 . 2010-04-18 19:07 788896 ----a-w- c:\windows\system32\deployJava1.dll
2013-04-16 22:17 . 2006-03-04 03:33 920064 ----a-w- c:\windows\system32\wininet.dll
2013-04-16 22:17 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-04-16 22:17 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-04-12 23:28 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2013-04-10 01:31 . 2004-08-04 10:00 1876352 ----a-w- c:\windows\system32\win32k.sys
2010-07-08 10:43 . 2010-07-08 10:43 144 ----a-w- c:\program files\Filter On.reg
2009-08-30 23:59 . 2009-08-11 22:41 661864 ----a-w- c:\program files\autoruns.exe
2009-08-30 23:59 . 2009-08-11 22:41 553832 ----a-w- c:\program files\autorunsc.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2012-08-29 73392]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"ISW"="" [BU]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 86016]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mirpywre.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [09/03/09 8:29 AM 28544]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [08/14/12 3:36 PM 11352]
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [08/30/12 4:03 AM 27056]
R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [08/30/12 4:03 AM 497320]
R2 ZABackupWebM;ZoneAlarmBackup WebManager;c:\program files\ZoneAlarmBackup\ZABackupWebM.exe [09/07/11 4:16 AM 124432]
R2 ZoneAlarmBackup Service;ZoneAlarmBackup Service;c:\program files\ZoneAlarmBackup\ZABackup Service.exe [09/07/11 4:16 AM 149008]
R3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [08/30/12 4:03 AM 36784]
S4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [08/11/11 4:38 PM 116608]
S4 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [08/04/04 3:00 AM 14336]
S4 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [11/06/09 7:27 PM 8960]
S4 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [07/22/11 9:27 AM 12880]
S4 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [02/17/10 11:15 AM 12872]
S4 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [07/12/11 2:55 PM 67664]
S4 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm --> c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - uphcleanhlp
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-13 00:48]
.
2012-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-13 00:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
mStart Page = hxxp://www.google.com
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2013-06-10 14:33
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1614895754-1004336348-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(516)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll
.
- - - - - - - > 'lsass.exe'(572)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll
.
- - - - - - - > 'explorer.exe'(2712)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll
c:\windows\system32\nview.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
- - - - - - - > 'csrss.exe'(492)
c:\program files\CheckPoint\ZAForceField\AK\akconsole.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\SCardSvr.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\system32\devldr32.exe
c:\windows\system32\rundll32.exe
c:\progra~1\CheckPoint\ZONEAL~1\MAILFR~1\mantispm.exe
.
**************************************************************************
.
Completion time: 2013-06-10 14:44:42 - machine was rebooted
ComboFix-quarantined-files.txt 2013-06-10 21:44
ComboFix2.txt 2013-06-10 20:28
ComboFix3.txt 2013-06-10 19:07
ComboFix4.txt 2013-06-10 09:21
ComboFix5.txt 2013-06-10 20:54
.
Pre-Run: 23,645,429,760 bytes free
Post-Run: 23,640,039,424 bytes free
.
- - End Of File - - 0AF72E476C3F334FCBE689584DD1425C
8F558EB6672622401DA993E1E865C861
Edited by johneangel, 27 June 2013 - 10:42 AM.