Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Malware - AV Security, ARO, Weatherbug, Yoohoo [Closed]


  • This topic is locked This topic is locked

#16
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hi!

Thanks for that information.

Please do the following:

Please download GetPartitions from the link bellow. You must right click on the link and choose Save as.... Save it as GetPartitions.bat on your desktop

getpartitions.bat

Double click it to run it (If running Vista or Windows 7, right click on it and select "Run as an Administrator").
It will produce C:\DiskReport.txt log please post results from that log here to me.
  • 0

Advertisements


#17
ztastorm

ztastorm

    Member

  • Topic Starter
  • Member
  • PipPip
  • 86 posts
Microsoft DiskPart version 6.0.6000
Copyright © 1999-2007 Microsoft Corporation.
On computer: THESINONS-PC

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
Volume 0 C ACER NTFS Partition 144 GB Healthy System
Volume 1 D DATA NTFS Partition 144 GB Healthy
Volume 2 H Removable 0 B No Media
Volume 3 I Removable 0 B No Media
Volume 4 E DVD-ROM 0 B No Media
Volume 5 F Removable 0 B No Media
Volume 6 G Removable 0 B No Media
  • 0

#18
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Okay, there is a possibility that you're infected with a relatively new infection.

I'd like to see what an online virus scan with ESET turns up.


ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • When the Computer scan settings display shows, click the Advanced option, the place a check next to the following (if it is not already checked):
    • Enable Anti-Stealth technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as
    ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

  • 0

#19
ztastorm

ztastorm

    Member

  • Topic Starter
  • Member
  • PipPip
  • 86 posts
C:\ProgramData\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
C:\Qoobox\Quarantine\C\ProgramData\AyBceCwcCVrA.exe.vir a variant of Win32/Kryptik.VTY trojan
C:\Qoobox\Quarantine\C\Windows\system32\Drivers\smb.sys.vir a variant of Win32/Rootkit.Kryptik.ET trojan
C:\Users\All Users\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
C:\Users\The Sinons\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55\8488737-1e21fdfc a variant of Win32/Kryptik.VOB trojan
C:\Users\The Sinons\AppData\Roaming\Microsoft\9673\5D84.tmp Win32/PSW.Agent.NTM trojan
C:\Windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6000.16386_none_5d33cf37fb0b3064\smb.sys a variant of Win32/Rootkit.Kryptik.ET trojan
C:\_OTL\MovedFiles\11212011_200151\C_Users\The Sinons\AppData\Roaming\EBC76\lvvm.exe a variant of Win32/Kryptik.VZB trojan
C:\_OTL\MovedFiles\11212011_200151\C_Users\The Sinons\AppData\Roaming\TYCwkUVrlBx0c1v\AV Security 2012v121.exe a variant of Win32/Kryptik.VZB trojan
  • 0

#20
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Okay.

Do you have access to a blank CD/DVD and have the ability to burn a file to it (roughly 120MB)? If not, do you have access to a flash drive that we could put a tool on?

Your logs are showing an infection, and I believe you're still infected with a TDSS infection, and possibly an infection known as ZeroAccess. It maybe easier if we try to go at this infection by booting up into an external environment and doing it that way.

Can you upload this file to VirusTotal and see what it turns up?

VirusTotal File Scan
Please go to: VirusTotal
  • Posted Image
  • Click the Choose File button and search for the following file: c:\users\The Sinons\AppData\Roaming\Microsoft\9673\5D84.tmp
  • Click Open
  • Then click Send File
If it says already scanned -- click "reanalyze now"

  • Please be patient while the file is scanned.
  • Once the scan results appear, please click on the Compact button.
  • A new window should appear with a bunch of tabs at the top. Please click on the BBCode tab.
  • Copy and Paste the contents of the text in the BBCode into your next reply for me to review.


Please post the results in your next reply
  • 0

#21
ztastorm

ztastorm

    Member

  • Topic Starter
  • Member
  • PipPip
  • 86 posts
I'm not sure how to burn stuff to a disc but I do have some available if you can tell me how to do it! Here's the results from VirusTotal:
Antivirus results
AhnLab-V3 - 2011.11.27.00 - 2011.11.27 - Trojan/Win32.Jorik
AntiVir - 7.11.18.84 - 2011.11.28 - BDS/Cycbot.G.5
Antiy-AVL - 2.0.3.7 - 2011.11.28 - Trojan/win32.agent.gen
Avast - 6.0.1289.0 - 2011.11.28 - Win32:Cycbot-OP [Trj]
AVG - 10.0.0.1190 - 2011.11.28 - PSW.Agent.AREZ
BitDefender - 7.2 - 2011.11.28 - Gen:Variant.Graftor.4612
ByteHero - 1.0.0.1 - 2011.11.14 - -
CAT-QuickHeal - 12.00 - 2011.11.28 - Backdoor.Cycbot.B
ClamAV - 0.97.3.0 - 2011.11.28 - -
Commtouch - 5.3.2.6 - 2011.11.28 - -
Comodo - 10791 - 2011.11.27 - UnclassifiedMalware
DrWeb - 5.0.2.03300 - 2011.11.28 - Trojan.PWS.Multi.358
Emsisoft - 5.1.0.11 - 2011.11.28 - Trojan-PWS.Agent!IK
eSafe - 7.0.17.0 - 2011.11.27 - -
eTrust-Vet - 37.0.9590 - 2011.11.28 - Win32/Gbot.E!generic
F-Prot - 4.6.5.141 - 2011.11.27 - -
F-Secure - 9.0.16440.0 - 2011.11.28 - Gen:Variant.Graftor.4612
Fortinet - 4.3.370.0 - 2011.11.27 - W32/KAZY.SMO!tr
GData - 22 - 2011.11.28 - Gen:Variant.Graftor.4612
Ikarus - T3.1.1.109.0 - 2011.11.28 - Trojan-PWS.Agent
Jiangmin - 13.0.900 - 2011.11.27 - -
K7AntiVirus - 9.119.5542 - 2011.11.25 - Trojan
Kaspersky - 9.0.0.837 - 2011.11.28 - HEUR:Trojan.Win32.Generic
McAfee - 5.400.0.1158 - 2011.11.28 - BackDoor-EXI.gen.aa
McAfee-GW-Edition - 2010.1D - 2011.11.28 - BackDoor-EXI.gen.aa
Microsoft - 1.7801 - 2011.11.28 - PWS:Win32/Fareit
NOD32 - 6665 - 2011.11.28 - Win32/PSW.Agent.NTM
Norman - 6.07.13 - 2011.11.28 - W32/Cycbot.EP
nProtect - 2011-11-28.02 - 2011.11.28 - Gen:Variant.Graftor.4612
Panda - 10.0.3.5 - 2011.11.27 - Generic Malware
PCTools - 8.0.0.5 - 2011.11.28 - Backdoor.Cycbot
Prevx - 3.0 - 2011.11.28 - -
Rising - 23.86.00.01 - 2011.11.28 - -
Sophos - 4.71.0 - 2011.11.28 - Mal/FakeAV-IS
SUPERAntiSpyware - 4.40.0.1006 - 2011.11.26 - Trojan.Agent/Gen-NumTemp
Symantec - 20111.2.0.82 - 2011.11.28 - Backdoor.Cycbot!gen9
TheHacker - 6.7.0.1.350 - 2011.11.27 - Trojan/Agent.ntm
TrendMicro - 9.500.0.1008 - 2011.11.28 - BKDR_CYCBOT.SMJO
TrendMicro-HouseCall - 9.500.0.1008 - 2011.11.28 - BKDR_CYCBOT.SMJO
VBA32 - 3.12.16.4 - 2011.11.25 - -
VIPRE - 11169 - 2011.11.28 - Trojan.Win32.FakeAV.IS (v)
ViRobot - 2011.11.28.4797 - 2011.11.28 - Trojan.Win32.Jorik.101888.B
VirusBuster - 14.1.87.0 - 2011.11.27 - Trojan.Cycbot.Gen!Pac.5
File info:
MD5: 09fc60480d260601d7287a6fa0b2585e
SHA1: 9bfbd669b666fda097fcd630d6a920f7f9b7d32c
SHA256: ac81a274ba5a25f9d61e0fb236e266bf4841b7081e06f39bf4ce4820b4f16bb2
File size: 101888 bytes
Scan date: 2011-11-28 11:37:35 (UTC)
  • 0

#22
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hi!

Lets try running this script with ComboFix, and see if we still need to boot into an external environment after running iy.

ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::
File::
C:\Users\All Users\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\_Setupx.dll
C:\Users\The Sinons\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55\8488737-1e21fdfc
C:\Users\The Sinons\AppData\Roaming\Microsoft\9673\5D84.tmp
C:\ProgramData\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\_Setupx.dll
C:\Windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6000.16386_none_5d33cf37fb0b3064\smb.sys
Folder::
Registry::
Driver::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. If ComboFix prompts you to update to the newest version, please allow it to do so. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  • 0

#23
ztastorm

ztastorm

    Member

  • Topic Starter
  • Member
  • PipPip
  • 86 posts
ComboFix 11-11-29.04 - The Sinons 11/29/2011 7:11:11.5.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1791.1182 [GMT -5:00]
Running from: C:\Users\The Sinons\Desktop\ComboFix.exe
Command switches used :: C:\Users\The Sinons\Desktop\CFSCRIPT.txt

FILE ::
"C:\ProgramData\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\_Setupx.dll"
"C:\Users\All Users\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\_Setupx.dll"
"C:\Users\The Sinons\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55\8488737-1e21fdfc"
"C:\Users\The Sinons\AppData\Roaming\Microsoft\9673\5D84.tmp"
"C:\Windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6000.16386_none_5d33cf37fb0b3064\smb.sys"
  • 0

#24
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Was that the complete ComboFix log file? It looks like some information is missing from it.
  • 0

#25
ztastorm

ztastorm

    Member

  • Topic Starter
  • Member
  • PipPip
  • 86 posts
It won't work..I've tried it several times and the logfile never opens. I am able to run Combofix in regular mode but then when I try to open IE to post the log it tells me that it's not allowed bc it's been marked for deletion or removed. So then I try in safemode and the log doesn't pop up.
  • 0

Advertisements


#26
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Okay, please try running ComboFix in Normal mode again, and if you get that message about a registry entry marked for deletion, reboot your computer and the error message should go away.
  • 0

#27
ztastorm

ztastorm

    Member

  • Topic Starter
  • Member
  • PipPip
  • 86 posts
ComboFix 11-12-02.02 - The Sinons 12/02/2011 20:34:50.8.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1791.1405 [GMT -5:00]
Running from: c:\users\The Sinons\Desktop\ComboFix.exe
Command switches used :: c:\users\The Sinons\Desktop\CFScript.txt
.
FILE ::
"c:\programdata\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\_Setupx.dll"
"c:\users\All Users\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\_Setupx.dll"
"c:\users\The Sinons\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55\8488737-1e21fdfc"
"c:\users\The Sinons\AppData\Roaming\Microsoft\9673\5D84.tmp"
"c:\windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6000.16386_none_5d33cf37fb0b3064\smb.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\ntuser.dat
c:\programdata\SPL3C66.tmp
c:\programdata\SPL4D0A.tmp
c:\programdata\SPL6769.tmp
c:\programdata\SPLCD3A.tmp
c:\programdata\SPLF5B3.tmp
c:\programdata\SPLFB19.tmp
c:\programdata\Tarma Installer
c:\programdata\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\_Setup.dll
c:\programdata\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\Setup.dat
c:\programdata\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\Setup.exe
c:\programdata\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\Setup.ico
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-11-03 to 2011-12-03 )))))))))))))))))))))))))))))))
.
.
2011-12-03 01:41 . 2011-12-03 01:41 -------- d-----w- c:\users\eeglzfan69\AppData\Local\temp
2011-12-03 01:41 . 2011-12-03 01:41 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-27 22:27 . 2011-11-27 22:27 -------- d-----w- c:\program files\ESET
2011-11-22 01:01 . 2011-11-22 01:01 -------- d-----w- C:\_OTL
2011-11-18 07:24 . 2011-11-18 07:24 -------- d-----w- c:\users\The Sinons\AppData\Roaming\Sammsoft
2011-11-18 07:24 . 2011-11-18 07:24 -------- d-----w- c:\program files\ARO 2011
2011-11-18 00:58 . 2010-11-09 18:56 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-11-18 00:58 . 2010-11-09 18:56 27984 ----a-w- c:\windows\system32\sbbd.exe
2011-11-18 00:57 . 2011-11-18 03:38 -------- d-----w- C:\VIPRERESCUE
2011-11-17 02:51 . 2011-10-18 06:28 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{12DDAD3D-0D5E-4AC7-B1EF-6B0042A10A25}\mpengine.dll
2011-11-11 19:07 . 2011-11-11 19:07 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-11 19:05 . 2011-11-11 19:05 18944 ----a-r- c:\users\The Sinons\AppData\Roaming\Microsoft\Installer\{8F018A9E-56DE-4A79-A5EF-25F413F1D538}\IconBB6A16301.exe
2011-11-11 19:04 . 2011-11-11 19:04 -------- d-----w- c:\program files\Surf Canyon
2011-11-11 18:54 . 2011-11-12 02:45 -------- d-----w- c:\users\The Sinons\AppData\Roaming\Fighters
2011-11-11 18:54 . 2011-11-12 02:45 -------- d-----w- c:\programdata\Fighters
2011-11-11 18:54 . 2011-11-11 19:04 -------- d-----w- c:\program files\Free Offers from Freeze.com
2011-11-11 18:53 . 2011-11-17 02:30 -------- d-----w- c:\programdata\WeCareReminder
2011-11-11 18:53 . 2011-11-11 19:08 -------- d-----w- c:\programdata\Yahoo! Companion
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn0\yt.dll" [2011-10-06 2015544]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69CE821F-3668-475A-B66F-94719B322DE3}]
2010-10-29 14:18 1530368 ----a-w- c:\program files\Dallas Cowboys\Toolbar.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f722f063-925c-43d2-8308-584cfc1297fe}]
2010-03-08 13:28 2349080 ----a-w- c:\program files\Philadelphia_Phillies\tbPhi0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{f722f063-925c-43d2-8308-584cfc1297fe}"= "c:\program files\Philadelphia_Phillies\tbPhi0.dll" [2010-03-08 2349080]
"{27E7F580-724E-46EB-846F-96C2396D23ED}"= "c:\program files\Dallas Cowboys\Toolbar.dll" [2010-10-29 1530368]
.
[HKEY_CLASSES_ROOT\clsid\{f722f063-925c-43d2-8308-584cfc1297fe}]
.
[HKEY_CLASSES_ROOT\clsid\{27e7f580-724e-46eb-846f-96c2396d23ed}]
[HKEY_CLASSES_ROOT\FCTB000056891.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{48278695-E203-419E-99F3-EAB173862A53}]
[HKEY_CLASSES_ROOT\FCTB000056891.IEToolbar]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{F722F063-925C-43D2-8308-584CFC1297FE}"= "c:\program files\Philadelphia_Phillies\tbPhi0.dll" [2010-03-08 2349080]
"{27E7F580-724E-46EB-846F-96C2396D23ED}"= "c:\program files\Dallas Cowboys\Toolbar.dll" [2010-10-29 1530368]
.
[HKEY_CLASSES_ROOT\clsid\{f722f063-925c-43d2-8308-584cfc1297fe}]
.
[HKEY_CLASSES_ROOT\clsid\{27e7f580-724e-46eb-846f-96c2396d23ed}]
[HKEY_CLASSES_ROOT\FCTB000056891.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{48278695-E203-419E-99F3-EAB173862A53}]
[HKEY_CLASSES_ROOT\FCTB000056891.IEToolbar]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winupd"="\\?\globalroot\Device\HarddiskVolume2\Users\THESIN~1\AppData\Local\Temp:winupd.exe" [?]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-04-19 39408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"AROReminder"="c:\program files\ARO 2011\ARO.exe" [2011-10-07 2314608]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 1047208]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-02-16 151552]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^PCM Media Sharing.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\PCM Media Sharing.lnk
backup=c:\windows\pss\PCM Media Sharing.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^ymetray.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ymetray.lnk
backup=c:\windows\pss\ymetray.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^The Sinons^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]
path=c:\users\The Sinons\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
backup=c:\windows\pss\ERUNT AutoBackup.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Assist Launcher]
2007-02-02 18:05 1261568 ----a-w- c:\program files\Acer Assist\launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Empowering Technology Monitor]
2007-01-24 17:27 319488 ----a-w- c:\acer\Empowering Technology\SysMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Product Registration]
2007-10-15 20:43 3387392 ----a-w- c:\program files\Acer Registration\ACE1.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Tour Reminder]
2007-02-16 01:39 151552 ----a-w- c:\acer\AcerTour\Reminder.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 07:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2010-10-28 00:17 207424 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2007-04-04 01:50 1603152 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2007-05-15 01:01 644696 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
2008-04-24 17:25 202560 ----a-w- c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Desktop Software]
2009-04-24 06:57 1025320 ----a-w- c:\program files\Common Files\SupportSoft\bin\bcont.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
2007-02-07 07:04 464168 ----a-w- c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2006-11-02 12:35 125440 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-09-15 21:17 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2010-03-12 18:08 49208 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intuit SyncManager]
2008-09-09 06:21 623880 ----a-w- c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-12-13 22:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iXL_MiddleWare]
2010-04-28 08:36 52280 ----a-w- c:\program files\Fisher-Price\iXL\iXL.Middleware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 5300 Series Fax Server]
2007-06-22 03:18 307888 ----a-w- c:\program files\Lexmark 5300 Series\fm3032.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdkamon]
2007-06-01 08:06 20480 ----a-w- c:\program files\Lexmark 5300 Series\lxdkamon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdkmon.exe]
2007-06-22 03:17 455344 ----a-w- c:\program files\Lexmark 5300 Series\lxdkmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2011-08-31 22:00 1047208 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2007-02-04 16:02 79400 ----a-w- c:\program files\ScanSoft\OmniPageSE4\OpWareSE4.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2007-03-23 11:04 4423680 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2008-02-19 08:07 1232896 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2007-02-02 08:37 630784 ----a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 13:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2011-04-19 18:30 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VRQ Uploader]
2011-06-16 11:50 2305464 ----a-r- c:\program files\NortonVRQ\Engine\5.0.6.3\VRQUploadFiles.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-02-19 08:15 1006264 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
2006-11-02 12:34 2159104 ----a-w- c:\windows\System32\oobefldr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4013189884-1841922214-460819658-1000]
"EnableNotificationsRef"=dword:00000001
.
R1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\IPSDefs\20111109.030\IDSvix86.sys [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-11 135664]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-09-15 30192]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-11 135664]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [2010-11-09 98392]
S2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe [2007-04-05 266343]
S2 lxdk_device;lxdk_device;c:\windows\system32\lxdkcoms.exe [2007-06-14 598960]
S2 lxdkCATSCustConnectService;lxdkCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxdkserv.exe [2007-06-14 99248]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-11 11:14]
.
2011-12-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-11 11:14]
.
2011-12-02 c:\windows\Tasks\User_Feed_Synchronization-{5E74FB6E-B0A5-4C81-AA2F-BECAC1E7FC9D}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.yahoo.com/?ilc=1
uInternet Settings,ProxyOverride = localhost;*.local
TCP: DhcpNameServer = 68.87.64.150 68.87.75.198
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Smb]
"ImagePath"="s\00y\00s\00t\00e\00m\003\002\00\\00D\00R\00I\00V\00E\00R\00S\00\\00s\00m\00b\00.\00s\00y\00s"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-4013189884-1841922214-460819658-1000\@* 8*]
@Allowed: (Read) (RestrictedCode)
"MachineID"=hex:76,bc,22,15,54,e9,67,00
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\acer\Empowering Technology\ePerformance\MemCheck.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\acer\Empowering Technology\eDataSecurity\eDSService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\spool\DRIVERS\W32X86\3\lxdkserv.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\ehome\ehmsas.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2011-12-02 20:48:04 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-03 01:47
ComboFix2.txt 2011-12-01 02:13
ComboFix3.txt 2011-11-25 18:07
ComboFix4.txt 2011-11-24 02:28
.
Pre-Run: 49,797,668,864 bytes free
Post-Run: 47,802,216,448 bytes free
.
- - End Of File - - FF1CDECD848C40C1516421A6744C15D0
  • 0

#28
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
How are things running?

Please go ahead and run a new scan with ESET Online Scanner and post the log back with what it finds.
  • 0

#29
ztastorm

ztastorm

    Member

  • Topic Starter
  • Member
  • PipPip
  • 86 posts
Hey there! It seems to be running okay..some weird things in IE, like if I type in a web address & hit "enter" it does nothing..I have to hit this yellow "search" button on my browser.

C:\Qoobox\Quarantine\C\ProgramData\AyBceCwcCVrA.exe.vir a variant of Win32/Kryptik.VTY trojan
C:\Qoobox\Quarantine\C\ProgramData\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\_Setupx.dll.vir a variant of Win32/Adware.Yontoo.B application
C:\Qoobox\Quarantine\C\Users\The Sinons\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55\8488737-1e21fdfc.vir a variant of Win32/Kryptik.VOB trojan
C:\Qoobox\Quarantine\C\Users\The Sinons\AppData\Roaming\Microsoft\9673\5D84.tmp.vir Win32/PSW.Agent.NTM trojan
C:\Qoobox\Quarantine\C\Windows\system32\Drivers\smb.sys.vir a variant of Win32/Rootkit.Kryptik.ET trojan
C:\Qoobox\Quarantine\C\Windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6000.16386_none_5d33cf37fb0b3064\smb.sys.vir a variant of Win32/Rootkit.Kryptik.ET trojan
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\fe48b4f-1ab50012 a variant of Java/Exploit.CVE-2010-4452.B trojan
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\fe48b4f-3d23f261 a variant of Java/Exploit.CVE-2010-4452.B trojan
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\fe48b4f-4236d6d0 a variant of Java/Exploit.CVE-2010-4452.B trojan
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\fe48b4f-69497071 a variant of Java/Exploit.CVE-2010-4452.B trojan
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\fe48b4f-6e969720 a variant of Java/Exploit.CVE-2010-4452.B trojan
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\fe48b4f-71fcb72a a variant of Java/Exploit.CVE-2010-4452.B trojan
C:\_OTL\MovedFiles\11212011_200151\C_Users\The Sinons\AppData\Roaming\EBC76\lvvm.exe a variant of Win32/Kryptik.VZB trojan
C:\_OTL\MovedFiles\11212011_200151\C_Users\The Sinons\AppData\Roaming\TYCwkUVrlBx0c1v\AV Security 2012v121.exe a variant of Win32/Kryptik.VZB trojan
  • 0

#30
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hi!

That's interesting.

Please run this scan for me:

Security Check
Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP