Can't Remove RCMP Ukash and Windows Security Center [Solved]


This topic is locked

#91 lillie_nemo (Member, Topic Starter, 66 posts)
Sorry for the late reply! I stepped out for the day.
And yes, I did paste everything from the text file.

#92 Buddierdl (Trusted Helper, Malware Removal, 2,524 posts)
Let's see if we can find the one file throwing an error:


Open OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:
    /md5start
    RDPCDD.*
    /md5stop
  • Select the None button on the top of the window
  • Click the Run Scan button. Post the log it produces in your next reply.


#93 lillie_nemo (Member, Topic Starter, 66 posts)
Here is the log!

OTL logfile created on: 2013/07/05 18:48:20 - Run 5
OTL by OldTimer - Version 3.2.69.0 Folder = E:\
Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.16945)
Locale: 00000411 | Country: Japan | Language: JPN | Date Format: yyyy/MM/dd

1021.88 Mb Total Physical Memory | 231.94 Mb Available Physical Memory | 22.70% Memory free
2.22 Gb Paging File | 1.07 Gb Available in Paging File | 48.22% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 363.68 Gb Total Space | 51.85 Gb Free Space | 14.26% Space Free | Partition Type: NTFS
Drive D: | 8.92 Gb Total Space | 0.98 Gb Free Space | 10.95% Space Free | Partition Type: NTFS
Drive E: | 3.73 Gb Total Space | 1.73 Gb Free Space | 46.41% Space Free | Partition Type: FAT32

Computer Name: ENFLEUR | User Name: saicoink | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

========== Custom Scans ==========

< MD5 for: [email protected] >
[2006/11/02 05:02:01 | 000,006,144 | ---- | M] (Microsoft Corporation) MD5=794585276B5D7FCA9F3FC15543F9F0B9 -- C:\Windows\System32\drivers\[email protected]

< MD5 for: RDPCDD.SYS >
[2010/11/19 16:32:22 | 000,006,144 | ---- | M] () MD5=259531ACCC493DA5602C7D89D7E41E32 -- C:\Windows\System32\drivers\RDPCDD.sys
[2010/11/19 16:32:22 | 000,006,144 | ---- | M] () MD5=259531ACCC493DA5602C7D89D7E41E32 -- C:\Windows\winsxs\x86_microsoft-windows-t..niportdisplaydriver_31bf3856ad364e35_6.0.6000.16386_none_d2a4621f4153e710\RDPCDD.sys
[2008/01/18 22:01:10 | 000,006,144 | ---- | M] (Microsoft Corporation) MD5=89E59BE9A564262A3FB6C4F4F1CD9899 -- C:\Users\saicoink\AppData\Local\Temp\SPI9AD1.tmp\x86_microsoft-windows-t..niportdisplaydriver_31bf3856ad364e35_6.0.6001.18000_none_d4db241b3e3ef7e4\rdpcdd.sys
[2008/01/19 02:01:08 | 000,006,144 | ---- | M] (Microsoft Corporation) MD5=89E59BE9A564262A3FB6C4F4F1CD9899 -- C:\Windows\SoftwareDistribution\Download.bak\b2ee164db645e6bc8d77bb51f082e3b3\x86_microsoft-windows-t..niportdisplaydriver_31bf3856ad364e35_6.0.6001.18000_none_d4db241b3e3ef7e4\RDPCDD.sys

< End of report >

#94 Buddierdl (Trusted Helper, Malware Removal, 2,524 posts)
I think we need to try our bigger hammer and see if it helps.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

#95 lillie_nemo (Member, Topic Starter, 66 posts)
Combofix ran without any problems. It noted that there was a Rootkit.ZeroAccess twice and restarted the machine and kept running to completion after the reboot.

Here is the log:

ComboFix 13-07-06.03 - saicoink 2013/07/06 16:04:32.1.4 - x86
Running from: c:\users\saicoink\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\WinPCap
c:\programdata\D81EDBF9-D167-4011-B77D-211DF920EB80
c:\programdata\tmp2628.tmp
c:\programdata\tmp300.tmp
c:\programdata\tmp4C30.tmp
c:\programdata\tmp6766.tmp
c:\programdata\tmp6E6B.tmp
c:\programdata\tmp936B.tmp
c:\programdata\tmp9669.tmp
c:\programdata\tmp9686.tmp
c:\programdata\tmpA6BD.tmp
c:\programdata\tmpAE44.tmp
c:\programdata\tmpAFC0.tmp
c:\programdata\tmpD368.tmp
c:\programdata\tmpD4B3.tmp
c:\programdata\tmpEE87.tmp
c:\windows\$NtUninstallKB53243$
c:\windows\$NtUninstallKB53243$\1575818995
c:\windows\$NtUninstallKB53243$\1721084270\@
c:\windows\$NtUninstallKB53243$\1721084270\cfg.ini
c:\windows\$NtUninstallKB53243$\1721084270\Desktop.ini
c:\windows\$NtUninstallKB53243$\1721084270\L\qnbwvoto
c:\windows\$NtUninstallKB53243$\1721084270\U\[email protected]
c:\windows\$NtUninstallKB53243$\1721084270\U\[email protected]
c:\windows\$NtUninstallKB53243$\1721084270\U\[email protected]
c:\windows\$NtUninstallKB53243$\1721084270\U\[email protected]
c:\windows\$NtUninstallKB53243$\1721084270\U\[email protected]
c:\windows\$NtUninstallKB53243$\1721084270\U\[email protected]
c:\windows\$NtUninstallKB53243$\1721084270\version
c:\windows\system32\dds_trash_log.cmd
K:\autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2013-06-06 to 2013-07-06 )))))))))))))))))))))))))))))))
.
.
2013-07-06 20:33 . 2013-07-06 20:35 -------- d-----w- c:\users\saicoink\AppData\Local\temp
2013-07-06 20:33 . 2013-07-06 20:33 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp
2013-07-06 20:33 . 2013-07-06 20:33 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-07-05 14:29 . 2006-11-02 08:51 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys
2013-07-04 17:50 . 2013-07-04 17:50 -------- d-----w- c:\program files\Common Files\Skype
2013-07-04 17:50 . 2013-07-04 17:50 -------- d-----r- c:\program files\Skype
2013-07-04 15:26 . 2013-07-04 15:26 -------- d-----w- C:\e58eb3509435b08a3c86038f2627
2013-07-03 16:23 . 2013-07-03 16:23 -------- d-----w- c:\windows\system32\EventProviders
2013-07-03 03:01 . 2013-06-17 06:10 7068072 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1B18E421-E27F-49FF-AB9C-CA8933EEE555}\mpengine.dll
2013-07-02 21:36 . 2013-07-02 21:36 -------- d-----w- c:\windows\CheckSur
2013-07-01 20:09 . 2013-07-01 20:14 -------- d-----w- C:\a96d2516f9ed8aef795f
2013-07-01 20:02 . 2013-07-01 20:02 -------- d-----w- C:\bed74e8316d85149c782e6dbdab458
2013-07-01 18:47 . 2010-02-20 23:54 24064 ----a-w- c:\windows\system32\nshhttp.dll
2013-07-01 18:47 . 2010-02-20 21:30 396800 ----a-w- c:\windows\system32\drivers\http.sys
2013-07-01 18:47 . 2010-02-20 23:51 31232 ----a-w- c:\windows\system32\httpapi.dll
2013-07-01 18:39 . 2010-03-04 19:24 434176 ----a-w- c:\windows\system32\vbscript.dll
2013-07-01 18:39 . 2009-10-14 15:02 10922496 ----a-w- c:\program files\Movie Maker\MOVIEMK.dll
2013-07-01 18:39 . 2009-10-14 15:06 195072 ----a-w- c:\program files\Movie Maker\WMM2AE.dll
2013-07-01 18:39 . 2009-10-14 15:06 23040 ----a-w- c:\program files\Movie Maker\WMM2EXT.dll
2013-07-01 18:39 . 2009-10-14 12:54 150016 ----a-w- c:\program files\Movie Maker\MOVIEMK.exe
2013-07-01 18:39 . 2010-02-18 14:54 3468168 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-07-01 18:39 . 2010-02-18 14:54 3502480 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-06-26 14:45 . 2013-06-28 01:22 -------- d-----w- C:\FRST
2013-06-26 02:38 . 2013-06-26 02:38 -------- d-----w- C:\TDSSKiller_Quarantine
2013-06-25 11:55 . 2013-06-25 11:55 -------- d-----w- C:\Stinger_Quarantine
2013-06-25 11:55 . 2013-06-25 11:59 -------- d-----w- c:\program files\stinger
2013-06-23 19:43 . 2013-06-23 19:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-06-23 19:43 . 2013-04-04 18:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-06-23 17:14 . 2013-06-23 17:14 -------- d-----w- c:\programdata\Citrix
2013-06-23 17:11 . 2013-06-23 17:11 -------- d-----w- c:\program files\Citrix
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-02 06:06 . 2009-10-03 04:39 238872 ------w- c:\windows\system32\MpSigStub.exe
2007-11-15 03:53 . 2007-11-15 03:53 411248 ----a-w- c:\program files\FLV PlayerRCSetup.exe
2009-09-14 02:10 . 2013-05-22 03:32 47104 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
2007-03-09 08:12 27648 --sh--w- c:\windows\System32\AVSredirect.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\saicoink\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\saicoink\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\saicoink\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\saicoink\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-01 4390912]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-03-12 90191]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-03-12 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-03-12 7770112]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-11-15 151552]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
.
c:\users\saicoink\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-6 113664]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-6 113664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
w800bus
P17xfi
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-28 c:\windows\Tasks\GBM - Saicoink-Full.job
- c:\program files\Genie-Soft\GBALite8LaCie\GBM8.exe [2009-07-10 15:14]
.
2013-07-06 c:\windows\Tasks\User_Feed_Synchronization-{D3B927D7-35BB-44E3-85A4-77E8C7A308A2}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=73&bd=Pavilion&pf=desktop
uSearchURL,(Default) = hxxp://ca.search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 206.248.154.22 206.248.154.170
FF - ProfilePath - c:\users\saicoink\AppData\Roaming\Mozilla\Firefox\Profiles\vlxpr8g8.default-1366383230636\
FF - ExtSQL: 2013-05-21 10:17; [email protected]; c:\users\saicoink\AppData\Roaming\Mozilla\Firefox\Profiles\vlxpr8g8.default-1366383230636\extensions\[email protected]
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
HKLM-Run-mcui_exe - c:\program files\McAfee.com\Agent\mcagent.exe
HKU-Default-Run-ctfmon32.exe - c:\progra~2\rundll32.exe
SafeBoot-49224448.sys
AddRemove-BitTorrent DNA - c:\program files\DNA\btdna.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-07-06 16:34
Windows 6.0.6000 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\RDPCDD]
"ImagePath"="System32\DRIVERS\[email protected]"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2013-07-06 16:45:24
ComboFix-quarantined-files.txt 2013-07-06 20:45
.
Pre-Run: 51,213,574,144 bytes free
Post-Run: 53,121,503,232 bytes free
.
- - End Of File - - 683D469D84B968E5FB829332CA28AED2
8913823FF508CCF109DB74B636C301DA

#96 Buddierdl (Trusted Helper, Malware Removal, 2,524 posts)
Oops, I missed a piece of that infection.

Can you try Windows Updates now?

#97 lillie_nemo (Member, Topic Starter, 66 posts)
No worries :thumbsup:

And I ran the SP1.exe both in normal mode and in a clean boot but still getting the same error. :wacko:
Tried the Windows Update from Control Panel and the only thing that would update was the Windows Defender update - the others still encounter the same error as before.

#98 Buddierdl (Trusted Helper, Malware Removal, 2,524 posts)
Kind of running out of ideas here...could you borrow a Vista 32-bit CD with no service packs?


  • Download the attached CFScript.txt to your desktop. (Make sure Combofix.exe is on your desktop as well.)
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    [image: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

#99 lillie_nemo (Member, Topic Starter, 66 posts)
I don't think any of my friends might have something like a bootdisc, but I suppose it won't hurt to ask around. Does it matter if my version of Vista is Vista Home Edition?

Here is the log! Should I try running the updates to see if it works?

ComboFix 13-07-06.03 - saicoink 2013/07/08 22:16:55.2.4 - x86
Running from: c:\users\saicoink\Desktop\ComboFix.exe
Command switches used :: c:\users\saicoink\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\combofix\HarddiskVolumeShadowCopy9_!Windows!explorer.exe
.
.
((((((((((((((((((((((((( Files Created from 2013-06-09 to 2013-07-09 )))))))))))))))))))))))))))))))
.
.
2013-07-09 02:33 . 2013-07-09 02:38 -------- d-----w- c:\users\saicoink\AppData\Local\temp
2013-07-09 02:33 . 2013-07-09 02:33 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp
2013-07-09 02:33 . 2013-07-09 02:33 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-07-07 02:25 . 2013-06-17 06:10 7068072 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0B9B724E-5510-4595-B8AF-E32CD8888BF8}\mpengine.dll
2013-07-05 14:29 . 2006-11-02 08:51 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys
2013-07-04 17:50 . 2013-07-04 17:50 -------- d-----w- c:\program files\Common Files\Skype
2013-07-04 17:50 . 2013-07-04 17:50 -------- d-----r- c:\program files\Skype
2013-07-04 15:26 . 2013-07-04 15:26 -------- d-----w- C:\e58eb3509435b08a3c86038f2627
2013-07-03 16:23 . 2013-07-03 16:23 -------- d-----w- c:\windows\system32\EventProviders
2013-07-02 21:36 . 2013-07-02 21:36 -------- d-----w- c:\windows\CheckSur
2013-07-01 20:09 . 2013-07-01 20:14 -------- d-----w- C:\a96d2516f9ed8aef795f
2013-07-01 20:02 . 2013-07-01 20:02 -------- d-----w- C:\bed74e8316d85149c782e6dbdab458
2013-07-01 18:47 . 2010-02-20 23:54 24064 ----a-w- c:\windows\system32\nshhttp.dll
2013-07-01 18:47 . 2010-02-20 21:30 396800 ----a-w- c:\windows\system32\drivers\http.sys
2013-07-01 18:47 . 2010-02-20 23:51 31232 ----a-w- c:\windows\system32\httpapi.dll
2013-07-01 18:39 . 2010-03-04 19:24 434176 ----a-w- c:\windows\system32\vbscript.dll
2013-07-01 18:39 . 2009-10-14 15:02 10922496 ----a-w- c:\program files\Movie Maker\MOVIEMK.dll
2013-07-01 18:39 . 2009-10-14 15:06 195072 ----a-w- c:\program files\Movie Maker\WMM2AE.dll
2013-07-01 18:39 . 2009-10-14 15:06 23040 ----a-w- c:\program files\Movie Maker\WMM2EXT.dll
2013-07-01 18:39 . 2009-10-14 12:54 150016 ----a-w- c:\program files\Movie Maker\MOVIEMK.exe
2013-07-01 18:39 . 2010-02-18 14:54 3468168 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-07-01 18:39 . 2010-02-18 14:54 3502480 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-06-26 14:45 . 2013-06-28 01:22 -------- d-----w- C:\FRST
2013-06-26 02:38 . 2013-06-26 02:38 -------- d-----w- C:\TDSSKiller_Quarantine
2013-06-25 11:55 . 2013-06-25 11:55 -------- d-----w- C:\Stinger_Quarantine
2013-06-25 11:55 . 2013-06-25 11:59 -------- d-----w- c:\program files\stinger
2013-06-23 19:43 . 2013-06-23 19:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-06-23 19:43 . 2013-04-04 18:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-06-23 17:14 . 2013-06-23 17:14 -------- d-----w- c:\programdata\Citrix
2013-06-23 17:11 . 2013-06-23 17:11 -------- d-----w- c:\program files\Citrix
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-02 06:06 . 2009-10-03 04:39 238872 ------w- c:\windows\system32\MpSigStub.exe
2007-11-15 03:53 . 2007-11-15 03:53 411248 ----a-w- c:\program files\FLV PlayerRCSetup.exe
2009-09-14 02:10 . 2013-05-22 03:32 47104 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\saicoink\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\saicoink\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\saicoink\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\saicoink\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-01 4390912]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-03-12 90191]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-03-12 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-03-12 7770112]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-11-15 151552]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
.
c:\users\saicoink\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-6 113664]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-6 113664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
w800bus
P17xfi
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-28 c:\windows\Tasks\GBM - Saicoink-Full.job
- c:\program files\Genie-Soft\GBALite8LaCie\GBM8.exe [2009-07-10 15:14]
.
2013-07-09 c:\windows\Tasks\User_Feed_Synchronization-{D3B927D7-35BB-44E3-85A4-77E8C7A308A2}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=73&bd=Pavilion&pf=desktop
uSearchURL,(Default) = hxxp://ca.search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 206.248.154.22 206.248.154.170
FF - ProfilePath - c:\users\saicoink\AppData\Roaming\Mozilla\Firefox\Profiles\vlxpr8g8.default-1366383230636\
FF - ExtSQL: 2013-05-21 10:17; [email protected]; c:\users\saicoink\AppData\Roaming\Mozilla\Firefox\Profiles\vlxpr8g8.default-1366383230636\extensions\[email protected]
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-07-08 22:38
Windows 6.0.6000 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\RDPCDD]
"ImagePath"="System32\DRIVERS\[email protected]"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2620)
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\atiesrxx.exe
c:\windows\system32\atieclxx.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\windows\SYSTEM32\WISPTIS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\RtHDVCpl.exe
c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
c:\windows\System32\rundll32.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe
c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe
c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
c:\program files\Nitro PDF\Professional 7\NitroPDFDriverService2.exe
c:\windows\system32\NLSSRV32.EXE
c:\windows\system32\PSIService.exe
c:\windows\system32\Wacom_Tablet.exe
c:\windows\system32\TsService.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Spybot - Search & Destroy\SDWinSec.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\windows\system32\conime.exe
.
**************************************************************************
.
Completion time: 2013-07-08 22:49:31 - machine was rebooted
ComboFix-quarantined-files.txt 2013-07-09 02:49
ComboFix2.txt 2013-07-06 20:45
.
Pre-Run: 40,109,375,488 bytes free
Post-Run: 39,947,489,280 bytes free
.
- - End Of File - - 0C190303B8CB9FC7F55A6F5E6F13780C
8913823FF508CCF109DB74B636C301DA

#100 lillie_nemo (Member, Topic Starter, 66 posts)
BTW, I have a lot of programs and files on my Desktop from the clean-up. Can I get rid of some of them?

#101 Buddierdl (Trusted Helper, Malware Removal, 2,524 posts)
We'll clean up the desktop when we finish; don't worry about it for now. If you need to clear some space, you can delete old logs.

Try updating before and after these next instructions.

First, please download this file, right-click on it and select "Merge."



  • Download the attached CFScript.txt to your desktop. (Make sure Combofix.exe is on your desktop as well.)
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    [image: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

#102 lillie_nemo (Member, Topic Starter, 66 posts)
Still getting errors with the updates so I tried to merge the reg file but it said that "Not all data was successfully written to the registry. Some keys are open by the system or other processes."

Should I proceed with Combofix or no?

#103 Buddierdl (Trusted Helper, Malware Removal, 2,524 posts)
Okay, try this first:

Click Start, type cmd in the Start Search box, right-click cmd in the Programs list, and then click Run as administrator.


Then type sc stop rdpcdd followed by Enter and see if it indicates success.


Then continue with the registry merge and Combofix.

#104 lillie_nemo (Member, Topic Starter, 66 posts)
Just tried the sc stop line and it said 'stop pending.'

#105 Buddierdl (Trusted Helper, Malware Removal, 2,524 posts)
Okay, try it one more time, and if it doesn't start, use this command. Make sure you type it exactly the same.

sc config rdpcdd start= disabled


Then restart your computer and continue with the other steps.
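
Added example, not posted by anyone in this thread and not part of OTL, ComboFix or any other tool used here: the three checks the helper spread over posts #92 (the OTL MD5 scan of RDPCDD.*), #95 (the RDPCDD ImagePath line at the end of the ComboFix log) and #103/#105 (sc stop and sc config), collected into one script for an elevated PowerShell prompt. Everything except the service name, the sc.exe commands and the registry key quoted from the log is an assumption; in particular the expected ImagePath of System32\DRIVERS\RDPCDD.sys is the stock Vista value as I know it, not something taken from the logs above, and the script needs PowerShell 4 or later for Get-FileHash.

```powershell
# Added example, not posted in the thread: the checks the helper spread over
# posts #92 (OTL MD5 scan of RDPCDD.*), #95 (ComboFix's RDPCDD ImagePath line)
# and #103/#105 (sc stop / sc config), done from one elevated PowerShell prompt.
# Assumptions: PowerShell 4 or later for Get-FileHash (on Vista's PowerShell 2.0
# use "certutil -hashfile <file> MD5" instead); $expectedImage is the stock
# Vista value for this service and is not quoted from the logs above.

$svc           = 'RDPCDD'
$expectedImage = 'System32\DRIVERS\RDPCDD.sys'
$key           = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"

# 1. Service configuration from the live control set (ComboFix printed the
#    same value from ControlSet003). A redirected ImagePath is the finding.
$cfg = Get-ItemProperty -Path $key -ErrorAction Stop
"ImagePath : $($cfg.ImagePath)"
"Start     : $($cfg.Start)  (0=boot 1=system 2=auto 3=demand 4=disabled)"
$redirected = ($cfg.ImagePath -ne $expectedImage)
if ($redirected) {
    Write-Warning "ImagePath points at '$($cfg.ImagePath)', not '$expectedImage'"
}

# 2. Every RDPCDD.* under System32\drivers and WinSxS with size, MD5 and
#    Authenticode status: the OTL custom scan plus the signature column OTL
#    cannot show. Catalog-signed OS drivers can report NotSigned on older
#    PowerShell builds; Sysinternals sigcheck.exe settles those cases.
$roots = @("$env:SystemRoot\System32\drivers", "$env:SystemRoot\winsxs")
$files = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -File -Filter 'RDPCDD.*' -ErrorAction SilentlyContinue
}
$report = foreach ($f in $files) {
    [pscustomobject]@{
        Path      = $f.FullName
        Size      = $f.Length
        Modified  = $f.LastWriteTime
        MD5       = (Get-FileHash -Path $f.FullName -Algorithm MD5).Hash
        Signature = (Get-AuthenticodeSignature -FilePath $f.FullName).Status
    }
}
$report | Sort-Object Path | Format-Table -AutoSize

$distinct = @($report | Select-Object -ExpandProperty MD5 -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "$($distinct.Count) different RDPCDD hashes on disk; check which one System32\drivers holds"
}
$unsigned = @($report | Where-Object { $_.Signature -ne 'Valid' })
if ($unsigned.Count -gt 0) {
    Write-Warning "$($unsigned.Count) copies are not validly signed (see Signature column)"
}

# 3. Only when the service really is redirected: stop it and keep it from
#    loading at the next boot. sc.exe is spelled out because the bare word
#    "sc" is PowerShell's alias for Set-Content, and "start= disabled" needs
#    the space after the equals sign exactly as typed in post #105.
if ($redirected) {
    sc.exe stop   $svc
    sc.exe config $svc start= disabled
    sc.exe qc     $svc     # START_TYPE should now read DISABLED
}
```

Two things worth knowing before running it. The STOP_PENDING reported in post #104 means the service accepted the stop request but the driver is still loaded, so after the start type is set to disabled it is the reboot that actually gets it out of memory; rerun step 2 afterwards and confirm only validly signed copies remain before re-enabling anything. And in the OTL log above the System32 copy and the WinSxS copy of RDPCDD.sys carry the same hash and no company name, so a hash comparison between them would not have flagged anything on its own; the signature status and the redirected ImagePath are the checks that carry the weight.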