#61
John, go ahead and unleash all those services that are disabled there. Unless we have a clear shot at things, we may miss something.
Go to Start - Run, type msconfig (and Enter). Under the General tab, click Normal Startup, then Apply/OK to close msconfig. Allow the reboot at this time. You can expect to receive alerts/error messages at reboot after this, but we will be addressing all this during the repairs. Then run a new ComboFix scan please.
#62
Just as a by-the-way, do we need to scan the recovery partition E:?
#63
Latest Log:
ComboFix 12-06-23.05 - Carl Robinson 24/06/2012 12:37:41.7.2 - x86
#64
Code:
Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptsvc]
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"Description"="Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start."
"DisplayName"="Cryptographic Services"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptsvc\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  63,00,72,00,79,00,70,00,74,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,\
  00
"ServiceMain"="CryptServiceMain"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptsvc\Security]
"Security"=hex:00,00,0e,00,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptsvc\Enum]
"0"="Root\\LEGACY_CRYPTSVC\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon]
"Description"="Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start."
"DisplayName"="Secondary Logon"
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Objectname"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000120

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  73,00,65,00,63,00,6c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,6c,00,6c,00,00,\
  00
"ServiceMain"="SvcEntry_Seclogon"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon\Security]
"Security"=hex:01,00,14,80,78,00,00,00,84,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,48,00,03,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
  05,0b,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,01,\
  01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon\Enum]
"0"="Root\\LEGACY_SECLOGON\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spooler]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spooler]
"DependOnService"=hex(7):52,00,50,00,43,00,53,00,53,00,00,00,00,00
"Description"="Loads files to memory for later printing."
"DisplayName"="Print Spooler"
"ErrorControl"=dword:00000001
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,e8,47,0c,\
  00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00,00,00,00,00,00,00,00,00
"Group"="SpoolerGroup"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,70,00,6f,00,6f,00,6c,00,73,00,76,00,2e,00,65,00,78,00,65,00,00,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000110

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spooler\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spooler\Performance]
"Close"="PerfClose"
"Collect"="PerfCollect"
"Collect Timeout"=dword:000007d0
"Library"="winspool.drv"
"Object List"="1450"
"Open"="PerfOpen"
"Open Timeout"=dword:00000fa0
"WbemAdapFileSignature"=hex:12,6c,5c,67,9c,9d,52,12,37,ca,57,4b,78,a2,8d,55
"WbemAdapFileTime"=hex:00,88,ab,ca,c9,e7,a8,01
"WbemAdapFileSize"=dword:00020400
"WbemAdapStatus"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spooler\Security]
"Security"=hex:01,00,14,80,78,00,00,00,84,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,48,00,03,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
  05,0b,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,01,\
  01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spooler\Enum]
"0"="Root\\LEGACY_SPOOLER\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

Open Notepad (Start - Run, type notepad and press Enter). Copy/paste the above text (inside the Code box) into the open text box, then save this to your desktop as "crypto.reg". Be sure to include the "" quotes in the name. Then right click crypto.reg, select Merge, and allow it to merge the new information with the Registry.

----------

Please go ahead and uninstall these - that Defrag program is loading very early in the bootup sequence, and other than being pretty useless, may be causing issues there:
Smart Defrag 2
Mozilla Maintenance Service

As a mention, I tried to check on that MP3Suite install, to learn more about it. Every time I tried to click anything to do that at their website, I got: Sorry an error occured in click gate!!! Is that still a valid service?

-----------

Reboot, and run and post the log of a ComboFix scan please.
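Before merging a .reg file posted in a thread into a live system, it is worth decoding exactly which keys it deletes and which values it writes. The example below is added here and is not the helper's code or part of any tool in the thread: it parses the Cryptsvc part of the crypto.reg above (embedded as a constructed sample), decodes the hex(2)/hex(7) values to plain strings and maps the Start value to its start type.

```python
import re

# Service "Start" values as Windows reads them; the crypto.reg above sets 2.
START_TYPES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}

# Constructed sample: the Cryptsvc portion of the crypto.reg posted above, laid
# out with the backslash line continuations a real .reg file uses.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptsvc]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptsvc]
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"DisplayName"="Cryptographic Services"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptsvc\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  63,00,72,00,79,00,70,00,74,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,\
  00
"ServiceMain"="CryptServiceMain"
'''


def _logical_lines(text):
    """Join backslash-continued hex lines into one logical line each."""
    out, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
        else:
            pending = ""
            out.append(line)
    return out


def _unescape(s):
    return re.sub(r'\\(["\\])', r"\1", s)  # .reg escapes \ and " with a backslash


def _decode_value(raw):
    """Turn the right-hand side of a "name"=... line into (type, value)."""
    if raw.startswith('"') and raw.endswith('"'):
        return "REG_SZ", _unescape(raw[1:-1])
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if not m:
        raise ValueError(f"unsupported value syntax: {raw!r}")
    kind = int(m.group(1) or "3")
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    if kind == 2:  # REG_EXPAND_SZ: UTF-16LE text, NUL terminated
        return "REG_EXPAND_SZ", data.decode("utf-16-le").rstrip("\0")
    if kind == 7:  # REG_MULTI_SZ: UTF-16LE strings split by NUL, double NUL at end
        return "REG_MULTI_SZ", [s for s in data.decode("utf-16-le").split("\0") if s]
    return ("REG_BINARY" if kind == 3 else f"hex({kind})"), data


def parse_reg(text):
    """Return ({key: {value name: (type, value)}}, [keys the file deletes first])."""
    keys, deleted, current = {}, [], None
    for line in _logical_lines(text):
        if not line or line[0] == ";" or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if line[0] == "[" and line[-1] == "]":
            name = line[1:-1]
            if name.startswith("-"):  # [-KEY] wipes the key and all its subkeys
                deleted.append(name[1:])
                current = None
            else:
                current = keys.setdefault(name, {})
            continue
        m = re.match(r'^(?:(@)|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if not m or current is None:
            raise ValueError(f"malformed or orphaned value line: {line!r}")
        current["@" if m.group(1) else _unescape(m.group(2))] = _decode_value(m.group(3))
    return keys, deleted


def describe_service(keys, key):
    """Start type, host image, dependencies and DLL for one ...\\Services\\<name> key."""
    values = keys[key]
    info = {}
    if "Start" in values:
        info["start"] = START_TYPES.get(values["Start"][1], "unknown")
    for field, label in (("ImagePath", "image"), ("DependOnService", "depends_on")):
        if field in values:
            info[label] = values[field][1]
    dll = keys.get(key + "\\Parameters", {}).get("ServiceDll")
    if dll:
        info["dll"] = dll[1]
    return info
```

Running `describe_service` over every `...\Services\<name>` key of the full crypto.reg shows the three services being reset to Automatic start, hosted by svchost.exe (or spoolsv.exe) under the expected %SystemRoot% paths.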
#65
Forgot a step. Before you reboot, do this:
Go to Start - Run, type msconfig (and Enter). Under the Services tab, click Enable All, then Apply/OK to close msconfig. Allow the reboot at this time. You can expect to receive alerts/error messages at reboot after this, but we will be addressing all this during the repairs.
#66
The only thing I could find for MP3 Suite were some orphaned shortcuts, which I deleted. ComboFix is running now; log to follow.
#67
ComboFix 12-06-25.03 - Carl Robinson 26/06/2012 9:02.8.2 - x86
#68
Sorry JayTee, I was wrong with msconfig - missed all those services were being listed just as services running under the NetSvcs svchost group:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

I was just informed that this ComboFix Crypto error is just a function of ComboFix when a ZAccess bootkit exists, and has been corrected for in the latest version. Though bootkit malware has been there, not real sure it is gone, and also not real sure why ComboFix is displaying all those NetSvcs services. May be due to a McAfee service hanging out there. FYI - to date, the scans are no longer reflecting bootkit/rootkit activity.

-----------
Go here and follow the steps under:
Step 2 - Download and run MCPR.exe
Be sure to reboot after running that.

----------
Delete the existing copy of ComboFix, and download ComboFix.exe from here to your desktop, then click that to run that scan. Agree to any warnings you might receive. Be sure to install the Recovery Console if you are asked to do so. When the scan completes, a text window with your log will open. Please copy and paste that log back here.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

----------
Assuming we haven't done this yet, and let me know if we have, in Firefox, go to Help - Restart with Add-ons Disabled. In that "Firefox Safe Mode" display that opens, place checks next to the following, then click "Make changes and restart".
Reset toolbars and controls
Reset all user preferences to Firefox defaults
Restore default search engines
You can change those later to whatever you prefer, but for now, too many search hijackers have altered things there.

----------
Download HijackThis from Here. Then click on the downloaded file, install HijackThis, and select Do a system scan and save logfile.
Use copy/paste and post that log back here for review. Need it to clear out some malware remnants. |
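The post above points at the NetSvcs value under the Svchost key as the reason ComboFix listed so many services. The PowerShell below is an added example for readers of this thread, not code from the helper or from ComboFix: it reads that value, checks which names actually have a service key installed, and shows the ServiceDll each installed one loads. Names in the group with no service key are normal leftovers; an installed entry whose DLL is missing or sits outside %windir% is the kind of thing a human should look at. Note that on XP-era PowerShell, Windows' own DLLs are mostly catalog-signed and report NotSigned, so the signature column is only a hint, as ComboFix's own "Unsigned files aren't necessarily malware" line says.

```powershell
# Added example, not from the thread: list every service name in the NetSvcs
# svchost group, whether that service is actually installed, and which DLL it
# loads. Run from an elevated PowerShell prompt.
function Get-NetSvcsGroup {
    $svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    # REG_MULTI_SZ comes back as a string[]
    $names = (Get-ItemProperty -Path $svchostKey).netsvcs
    foreach ($name in $names) {
        $svcKey    = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        $installed = Test-Path -Path $svcKey
        $dll = $null
        if ($installed -and (Test-Path -Path "$svcKey\Parameters")) {
            $dll = (Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue).ServiceDll
        }
        # ServiceDll is usually REG_EXPAND_SZ with %SystemRoot% in it
        if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
        $dllExists = $false
        if ($dll) { $dllExists = Test-Path -LiteralPath $dll }
        $sig = $null
        if ($dllExists) { $sig = (Get-AuthenticodeSignature -FilePath $dll).Status }
        New-Object PSObject -Property @{
            Service    = $name
            Installed  = $installed
            ServiceDll = $dll
            DllExists  = $dllExists
            Signature  = $sig
        }
    }
}

# Usage: everything installed that loads from somewhere other than %windir%
Get-NetSvcsGroup |
    Where-Object { $_.Installed } |
    Sort-Object Service |
    Format-Table Service, ServiceDll, DllExists, Signature -AutoSize
```

The same list can be compared against the services ComboFix printed: a name that is installed here but absent from the ComboFix output, or the reverse, is what to post back in the thread.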
|
#69
|
||||
|
||||
|
[QUOTE]Go here and follow the steps under:
Step 2 - Download and run MCPR.exe Be sure to reboot after running that.[/QUOTE]
MCPR.exe returns error: Uninstall unsuccessful Could not gain necessary permissions see log: click view log returns: cannot view being used by another process |
|
#70
|
||||
|
||||
|
I am running as Carl owner administrator.
|
|
#71
|
||||
|
||||
|
Enough of this then.
Disable all security software. Download subinacl.msi from here to your desktop, then click the file to start the installer. Accept any agreements, and when it suggests it install SubInACL.exe to its "C:\Program Files\Windows Resource Kits\Tools\" folder, instead click Browse, and direct it to your C folder, so it will then be C:\SubInACL.exe.

--------
Once you have done that open Notepad (Start - Run, type notepad then press Enter) and copy the following text into a new file:
Code:
cd\
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=everyone=f /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=everyone=f /grant=system=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=everyone=f /grant=system=f
subinacl /subdirectories %SystemDrive% /grant=everyone=f /grant=system=f
subinacl /subdirectories %windir%\*.* /grant=everyone=f /grant=system=f

Make sure to use the quotes "" in the name. Then double-click on permdo.bat. A window should open and you will see some procedures run (actually, tons of command window activity) --- this is normal. Once they have completed the changes the window should close. Reboot after, and for the moment, try running that McAfee uninstaller again. |
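The permdo.bat above grants Everyone full control on all three registry hives, the whole system drive and %windir%. subinacl /grant adds ACEs rather than replacing them, so once it has run there is no built-in way back. The PowerShell below is an added example for readers, not part of the helper's instructions or of the SubInACL tool: it records the security descriptors of the top-level keys and folders the batch touches, reports which ones now carry an Everyone full-control ACE afterwards, and can put the original DACLs back once the McAfee uninstall and the rest of the repair are done. The snapshot file path C:\acl-snapshot.csv is a made-up choice.

```powershell
# Added example, not from the thread: snapshot, compare and restore the DACLs
# that permdo.bat widens. Run from an elevated PowerShell prompt.
$SnapshotFile = 'C:\acl-snapshot.csv'   # assumed location

# Top-level subkeys of the three hives plus top-level entries of the system
# drive and %windir%. The batch recurses; a top-level snapshot is enough to
# see the added ACEs and to undo them on the roots.
function Get-PermdoTargets {
    $roots = @('Registry::HKEY_LOCAL_MACHINE',
               'Registry::HKEY_CURRENT_USER',
               'Registry::HKEY_CLASSES_ROOT')
    $paths = @()
    foreach ($r in $roots) {
        $paths += @(Get-ChildItem -Path $r -ErrorAction SilentlyContinue | ForEach-Object { $_.PSPath })
    }
    $paths += @(Get-ChildItem -Path "$env:SystemDrive\" -Force -ErrorAction SilentlyContinue | ForEach-Object { $_.FullName })
    $paths += @(Get-ChildItem -Path $env:windir -Force -ErrorAction SilentlyContinue | ForEach-Object { $_.FullName })
    $paths
}

# Save each target's security descriptor as an SDDL string.
function Save-AclSnapshot {
    param([string]$File = $SnapshotFile)
    $rows = foreach ($p in Get-PermdoTargets) {
        $acl = Get-Acl -Path $p -ErrorAction SilentlyContinue
        if ($acl) { New-Object PSObject -Property @{ Path = $p; Sddl = $acl.Sddl } }
    }
    $rows | Export-Csv -Path $File -NoTypeInformation
}

# After permdo.bat: list targets whose descriptor changed, flagging an
# Everyone (WD) full-access ACE: FA for files/folders, KA for registry keys.
function Compare-AclSnapshot {
    param([string]$File = $SnapshotFile)
    foreach ($row in Import-Csv -Path $File) {
        $acl = Get-Acl -Path $row.Path -ErrorAction SilentlyContinue
        if ($acl -and $acl.Sddl -ne $row.Sddl) {
            New-Object PSObject -Property @{
                Path         = $row.Path
                EveryoneFull = [bool]($acl.Sddl -match '\(A;[^;]*;(FA|KA);;;WD\)')
                Before       = $row.Sddl
                After        = $acl.Sddl
            }
        }
    }
}

# Once the repair is finished: put the saved DACLs back. Only the DACL
# ('Access') section is restored so owner and group are left untouched.
function Restore-AclSnapshot {
    param([string]$File = $SnapshotFile)
    foreach ($row in Import-Csv -Path $File) {
        $acl = Get-Acl -Path $row.Path -ErrorAction SilentlyContinue
        if ($acl) {
            $acl.SetSecurityDescriptorSddlForm($row.Sddl, 'Access')
            Set-Acl -Path $row.Path -AclObject $acl
        }
    }
}

# Usage:
#   Save-AclSnapshot          # before double-clicking permdo.bat
#   Compare-AclSnapshot | Format-Table Path, EveryoneFull -AutoSize   # after
#   Restore-AclSnapshot       # when the McAfee uninstall and repair are done
```

Keep the snapshot file somewhere the batch does not touch if possible; on a single-partition machine the CSV itself will end up with the widened ACL, which is harmless because it only holds strings.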
|
#72
|
||||
|
||||
|
Ok. The download went well but when I tried to install I got an error msg:
"The Windows installer could not be accessed. This can occur if you are running in safe mode, or if Windows installer is not correctly installed. Contact your support person". |
|
#73
|
|||
|
|||
|
I tried to use the Crisis Aversion Tool and I get a message: Error: variable must be of type Object.
I tried to do all the things you wrote here (notepad and cmd) but for each line I got: Open service échec 1060 - specified service doesn't exist as installed service. What do I have to do please? Nothing works: Windows installer doesn't work anymore. I have to make an upgrade of Windows live and it doesn't work either because of Windows Installer. Thanks in advance. |
|
#74
|
||||
|
||||
|
Follow the steps here to uninstall Service Pack 3.
Reboot, go ahead and reinstall Service Pack 3. The easiest way I found to complete that is to download the independent installer from here (disregard the verbiage - that is the normal installer for SP3). That way you are not dependent on MS updates to complete the job. This can also be downloaded at a different location and transferred, if other download locations are faster there. Once that has downloaded temp disable all security software, to include disabling it from starting at reboot if you can, and click that downloaded file to start the upgrade process. It will take a good long time to complete. See if that makes corrections, though right now, I still sense a hard drive corruption issue. |
|
#75
|
||||
|
||||
|
I tried uninstalling SP3 but was unsuccessful.
The add remove programs window will not give a remove option and the command line fails with errors culminating in the system cannot find file....... |