
New incarnation of FBI?

Discussion in 'Virus & Other Malware Removal' started by Addreamy, Dec 26, 2012.

Thread Status:
Not open for further replies.
  1. Addreamy

    Addreamy Thread Starter

    Joined:
    Dec 8, 2003
    Messages:
    32
    Hi - I am at my parents' for Christmas. Their Toshiba laptop running Vista has been having some odd problems for the past week, but yesterday it clearly came down with a variant of the FBI virus. I was able to download copies of HijackThis, DDS, and GMER onto a flash drive, but when I launched safe mode, all I got was a screen saying "unable to connect to the internet" without any way to get rid of the screen. I tried Ctrl/Alt/Del, which allowed me to access options, but none of the options bypassed the screen so I could get to the desktop to open the stick.

    They're leaving for Florida in 2 days; I'd like to be able to help get this cleared up before they go, if I can - but I'm stuck!

    Any advice on how I can access the programs on the stick?

    (PS: they have an old Dell desktop which is how I downloaded the programs. I'm on my iPad...)
     
  2. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    OK see if you can do the following:

    Download Farbar Recovery Scan Tool on a clean PC (if possible) and save to a flash drive (memory stick). Use whichever of the following is applicable to your system (32 or 64 bit).

    Download http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/ <--- 64 bit version Save to USB flash drive

    Download http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/ <--- 32 bit version Save to USB Flash drive

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options. I give two methods; use whichever is convenient for you.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select Your Country as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select Your Country as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt


    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst64 or e:\frst depending on your version. Press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

    Kevin
     
  3. Addreamy

    Addreamy Thread Starter

    Joined:
    Dec 8, 2003
    Messages:
    32
    Thanks for the quick reply, Kevin!

    I'm using my MacBook Pro as the clean PC and will be back as soon as I've attempted what you've asked.
     
  4. Addreamy

    Addreamy Thread Starter

    Joined:
    Dec 8, 2003
    Messages:
    32
    OK - here's the FRST:

    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 23-12-2012 01
    Ran by SYSTEM at 26-12-2012 16:59:26
    Running from F:\
    Windows Vista (TM) Home Premium (X86) OS Language: English(US)
    The current controlset is ControlSet001

    ==================== Registry (Whitelisted) ===================

    HKLM\...\Run: [TPwrMain] "C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [411192 2007-03-29] (TOSHIBA Corporation)
    HKLM\...\Run: [SmoothView] "C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [448080 2007-06-15] (TOSHIBA Corporation)
    HKLM\...\Run: [00TCrdMain] "C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [538744 2007-05-22] (TOSHIBA Corporation)
    HKLM\...\Run: [lxddmon.exe] "C:\Program Files\Lexmark 2500 Series\lxddmon.exe" [291760 2007-06-11] ()
    HKLM\...\Run: [lxddamon] "C:\Program Files\Lexmark 2500 Series\lxddamon.exe" [20480 2007-04-30] ()
    HKLM\...\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s [312240 2007-06-11] ()
    HKLM\...\Run: [HostManager] C:\Program Files\Common Files\AOL\1199836769\ee\AOLSoftware.exe [41800 2010-02-10] (AOL Inc.)
    HKLM\...\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe [102400 2007-08-15] (Synaptics, Inc.)
    HKLM\...\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [49152 2006-12-10] (Hewlett-Packard Co.)
    HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
    HKLM\...\Run: [Skytel] Skytel.exe [x]
    HKLM\...\Run: [VERIZONDM] "C:\Program Files\VERIZONDM\bin\sprtcmd.exe" /P VERIZONDM [206120 2010-09-29] (SupportSoft, Inc.)
    HKLM\...\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon [2569616 2010-07-25] (CANON INC.)
    HKLM\...\Run: [CanonSolutionMenuEx] C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE /logon [1213848 2010-09-14] (CANON INC.)
    HKLM\...\Run: [IJNetworkScannerSelectorEX] C:\Program Files\Canon\IJ Network Scanner Selector EX\CNMNSST.exe /FORCE [452016 2010-09-09] (CANON INC.)
    HKU\Default\...\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [430080 2007-05-18] ()
    HKU\Default User\...\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [430080 2007-05-18] ()
    HKU\owner\...\Run: [TOSCDSPD] TOSCDSPD.EXE [x]
    HKU\owner\...\Run: [RunSpySweeperScheduleAtStartup] "C:\Windows\system32\msfeedssync.exe" /ScheduleSweep=User_Feed_Synchronization-{503DFD8B-67F2-4D91-A5F0-9E0F8A7CDE55} [13312 2012-02-28] (Microsoft Corporation)
    HKU\owner\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2009-12-29] (Google Inc.)
    HKU\owner\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-18] (Microsoft Corporation)
    HKU\owner\...\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet [5252408 2010-06-01] (Yahoo! Inc.)
    HKU\owner\...\Run: [ZZChw4ZycSefR9m] C:\Users\owner\AppData\Roaming\1.exe [394841 2012-12-25] ()
    HKU\owner\...\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil32_11_5_502_110_Plugin.exe -update plugin [697272 2012-11-24] (Adobe Systems Incorporated)
    HKU\owner\...\Winlogon: [Userinit] C:\Users\owner\AppData\Roaming\1.exe [394841 2012-12-25] ()
    HKU\owner\...\Winlogon: [Shell] C:\Users\owner\AppData\Roaming\1.exe [394841 2012-12-25] ()
    HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$e0ffb675b0f6443da7bb1c5851ce6f3c\n. ATTENTION! ====> ZeroAccess
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
    AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
    Startup: C:\Users\owner\Start Menu\Programs\Startup\ja.lnk
    ShortcutTarget: ja.lnk -> (No File)

    ==================== Services (Whitelisted) ===================

    2 AOL ACS; "C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe" [46640 2006-10-23] (AOL LLC)
    2 Automatic LiveUpdate Scheduler; "C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe" [243064 2007-08-23] (Symantec Corporation)
    3 GameConsoleService; "C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe" [181784 2007-09-24] (WildTangent, Inc.)
    3 GoogleDesktopManager; "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [1862144 2007-11-06] (Google)
    2 IHA_MessageCenter; "C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe" [335888 2012-06-11] (Verizon)
    3 LiveUpdate; "C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE" [3192184 2007-08-23] (Symantec Corporation)
    2 lxddCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxddserv.exe [99248 2007-05-25] (Lexmark International, Inc.)
    2 lxdd_device; C:\Windows\system32\lxddcoms.exe -service [537520 2007-05-25] ( )
    2 pinger; C:\TOSHIBA\IVP\ISM\pinger.exe [136816 2007-01-25] ()
    2 sprtsvc_verizondm; C:\Program Files\VERIZONDM\bin\sprtsvc.exe /service /p verizondm [206120 2010-09-29] (SupportSoft, Inc.)
    2 tgsrvc_verizondm; C:\Program Files\VERIZONDM\bin\tgsrvc.exe /p verizondm [185640 2010-09-29] (SupportSoft, Inc.)
    2 TosCoSrv; "C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe" [427576 2007-03-29] (TOSHIBA Corporation)
    2 UleadBurningHelper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [49152 2006-08-23] (Ulead Systems, Inc.)

    ==================== Drivers (Whitelisted) ====================

    3 RTL8187B; C:\Windows\System32\DRIVERS\RTL8187B.sys [252416 2007-06-01] (Realtek Semiconductor Corporation )
    3 SYMDNS; C:\Windows\System32\Drivers\SYMDNS.SYS [13616 2009-02-19] (Symantec Corporation)
    3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT.SYS [124464 2009-04-01] (Symantec Corporation)
    3 SYMFW; C:\Windows\System32\Drivers\SYMFW.SYS [96560 2009-02-19] (Symantec Corporation)
    1 SymIM; C:\Windows\System32\DRIVERS\SymIMv.sys [24112 2009-02-19] (Symantec Corporation)
    3 SYMNDISV; C:\Windows\System32\Drivers\SYMNDISV.SYS [41008 2009-02-19] (Symantec Corporation)
    3 SYMREDRV; C:\Windows\System32\Drivers\SYMREDRV.SYS [22320 2009-02-19] (Symantec Corporation)
    1 SYMTDI; C:\Windows\System32\Drivers\SYMTDI.SYS [184496 2009-02-19] (Symantec Corporation)
    3 wanatw; C:\Windows\System32\DRIVERS\wanatw4.sys [33588 2006-11-29] (America Online, Inc.)
    4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]
    2 CWMonitor; \??\C:\Program Files\Common Files\Symantec Shared\coShared\CW\1.5\CO_Mon.sys [x]
    3 IO_Memory; \??\C:\WINDOWS\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
    3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
    3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
    3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
    3 SVRPEDRV; \??\C:\Windows\System32\sysprep\UP_date\PEDrv.sys [x]
    3 SymIMMP; C:\Windows\System32\DRIVERS\SymIM.sys [x]
    3 Tosrfcom; [x]

    ==================== NetSvcs (Whitelisted) ===================


    ==================== One Month Created Files and Folders ========

    2012-12-26 16:59 - 2012-12-26 16:59 - 00000000 ____D C:\FRST
    2012-12-25 16:51 - 2012-12-25 16:51 - 00394841 ____A C:\Users\owner\AppData\Roaming\1.exe

    ==================== One Month Modified Files and Folders ========

    2012-12-26 16:59 - 2012-12-26 16:59 - 00000000 ____D C:\FRST
    2012-12-25 19:38 - 2006-11-02 02:33 - 00703214 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-12-25 18:53 - 2006-11-02 04:47 - 00003568 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2012-12-25 18:53 - 2006-11-02 04:47 - 00003568 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2012-12-25 18:32 - 2010-04-03 10:10 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-12-25 16:53 - 2012-05-08 12:43 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
    2012-12-25 16:53 - 2010-04-03 10:10 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-12-25 16:53 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-12-25 16:52 - 2006-11-02 05:01 - 00032628 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-12-25 16:51 - 2012-12-25 16:51 - 00394841 ____A C:\Users\owner\AppData\Roaming\1.exe
    2012-12-25 16:37 - 2008-05-10 17:42 - 00000000 ____D C:\Program Files\Mozilla Firefox
    2012-12-25 16:24 - 2008-04-09 11:49 - 00000418 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{503DFD8B-67F2-4D91-A5F0-9E0F8A7CDE55}.job
    2012-12-20 17:26 - 2010-11-14 21:32 - 00000000 ____D C:\Users\owner\AppData\Roaming\QuickScan
    2012-12-13 18:38 - 2011-12-27 11:21 - 00001982 ____A C:\Users\Public\Desktop\Google Chrome.lnk

    ZeroAccess:
    C:\$Recycle.Bin\S-1-5-21-1714088805-4286387499-517085011-1000\$e0ffb675b0f6443da7bb1c5851ce6f3c

    ZeroAccess:
    C:\$Recycle.Bin\S-1-5-18\$e0ffb675b0f6443da7bb1c5851ce6f3c

    ZeroAccess:
    C:\Windows\assembly\GAC\Desktop.ini

    ==================== Known DLLs (Whitelisted) =================


    ==================== Bamital & volsnap Check =================

    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points =========================

    Restore point made on: 2012-10-12 12:05:36
    Restore point made on: 2012-10-17 15:49:51
    Restore point made on: 2012-10-23 10:10:26
    Restore point made on: 2012-10-24 16:06:26
    Restore point made on: 2012-10-25 14:59:31
    Restore point made on: 2012-10-27 11:06:51
    Restore point made on: 2012-10-28 13:59:55
    Restore point made on: 2012-10-30 13:14:32
    Restore point made on: 2012-10-31 12:30:52
    Restore point made on: 2012-11-01 11:10:23
    Restore point made on: 2012-11-02 10:21:30
    Restore point made on: 2012-11-04 12:03:19
    Restore point made on: 2012-11-08 07:17:28
    Restore point made on: 2012-11-09 16:49:50
    Restore point made on: 2012-11-14 17:17:57
    Restore point made on: 2012-11-15 06:39:11
    Restore point made on: 2012-11-17 13:45:56
    Restore point made on: 2012-11-23 12:28:21
    Restore point made on: 2012-11-27 17:27:37

    ==================== Memory info ===========================

    Percentage of memory in use: 17%
    Total physical RAM: 2037.81 MB
    Available physical RAM: 1677.57 MB
    Total Pagefile: 1866.29 MB
    Available Pagefile: 1727.97 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1975.72 MB

    ==================== Partitions =============================

    1 Drive c: (SQ004585V03) (Fixed) (Total:147.58 GB) (Free:88.92 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    3 Drive e: (TOSHIBA SYSTEM VOLUME) (Fixed) (Total:1.46 GB) (Free:1.32 GB) NTFS
    4 Drive f: () (Removable) (Total:7.54 GB) (Free:7.39 GB) FAT32
    5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    Disk ###  Status      Size     Free     Dyn  Gpt
    --------  ----------  -------  -------  ---  ---
    Disk 0    Online       149 GB  3897 KB
    Disk 1    Online      7740 MB     0 B

    Partitions of Disk 0:
    ===============

    Partition ###  Type              Size     Offset
    -------------  ----------------  -------  -------
    Partition 1    OEM               1500 MB  1024 KB
    Partition 2    Primary            148 GB  1501 MB

    =========================================================

    Disk: 0
    Partition 1
    Type : 27
    Hidden: Yes
    Active: No

    Volume ###  Ltr  Label        Fs     Type        Size     Status   Info
    ----------  ---  -----------  -----  ----------  -------  -------  --------
    * Volume 3  E    TOSHIBA SYS  NTFS   Partition   1500 MB  Healthy  Hidden

    =========================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: Yes

    Volume ###  Ltr  Label        Fs     Type        Size     Status   Info
    ----------  ---  -----------  -----  ----------  -------  -------  --------
    * Volume 2  C    SQ004585V03  NTFS   Partition    148 GB  Healthy

    =========================================================

    Partitions of Disk 1:
    ===============

    Partition ###  Type              Size     Offset
    -------------  ----------------  -------  -------
    Partition 1    Primary           7740 MB  16 KB

    =========================================================

    Disk: 1
    Partition 1
    Type : 0C
    Hidden: No
    Active: Yes

    Volume ###  Ltr  Label        Fs     Type        Size     Status   Info
    ----------  ---  -----------  -----  ----------  -------  -------  --------
    * Volume 2  F                 FAT32  Removable   7740 MB  Healthy

    =========================================================

    Last Boot: 2012-12-25 16:59

    ==================== End Of Log ============================
     
  5. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

    Code:
    start
    HKU\owner\...\Run: [ZZChw4ZycSefR9m] C:\Users\owner\AppData\Roaming\1.exe [394841 2012-12-25] ()
    C:\Users\owner\AppData\Roaming\1.exe
    HKU\owner\...\Run: [RunSpySweeperScheduleAtStartup] "C:\Windows\system32\msfeedssync.exe" /ScheduleSweep=User_Feed_Synchronization-{503DFD8B-67F2-4D91-A5F0-9E0F8A7CDE55} [13312 2012-02-28] (Microsoft Corporation)
    HKU\owner\...\Winlogon: [Userinit] C:\Users\owner\AppData\Roaming\1.exe [394841 2012-12-25] ()
    HKU\owner\...\Winlogon: [Shell] C:\Users\owner\AppData\Roaming\1.exe [394841 2012-12-25] ()
    HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$e0ffb675b0f6443da7bb1c5851ce6f3c\n. ATTENTION! ====> ZeroAccess
    Startup: C:\Users\owner\Start Menu\Programs\Startup\ja.lnk
    ShortcutTarget: ja.lnk -> (No File)
    C:\$Recycle.Bin\S-1-5-21-1714088805-4286387499-517085011-1000\$e0ffb675b0f6443da7bb1c5851ce6f3c
    C:\$Recycle.Bin\S-1-5-18\$e0ffb675b0f6443da7bb1c5851ce6f3c
    C:\Windows\assembly\GAC\Desktop.ini
    end
    
    Now please enter System Recovery Options as you did to get the log.

    Run FRST64 or FRST and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

    Also boot the system and see if it will now run OK...
     
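The triage that the helper did by eye on the FRST log in post 4, and the fixlist he built from it in post 5, as an added example in Python. This is not code from the thread and not FRST's own code: it parses lines in the "Registry (Whitelisted)" format shown above, applies the judgements visible in the thread (autostart image dropped in a user-writable profile path, a per-user Winlogon Shell/Userinit override, a COM server redirected into $Recycle.Bin, FRST's own ATTENTION marker) and renders the flagged entries in the start/end fixlist shape used above. The sample lines are copied from the log posted here; the path list, the severity labels and the random-name heuristic are my assumptions.

```python
"""Triage helper for the "Registry (Whitelisted)" section of an FRST log (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input modelled on the log posted in this thread: two clean
# vendor entries, three persistence entries pointing at a file dropped in the
# user's roaming profile, and the COM hijack that FRST itself labels ZeroAccess.
SAMPLE_LOG = r"""
HKLM\...\Run: [TPwrMain] "C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [411192 2007-03-29] (TOSHIBA Corporation)
HKU\owner\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2009-12-29] (Google Inc.)
HKU\owner\...\Run: [ZZChw4ZycSefR9m] C:\Users\owner\AppData\Roaming\1.exe [394841 2012-12-25] ()
HKU\owner\...\Winlogon: [Userinit] C:\Users\owner\AppData\Roaming\1.exe [394841 2012-12-25] ()
HKU\owner\...\Winlogon: [Shell] C:\Users\owner\AppData\Roaming\1.exe [394841 2012-12-25] ()
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$e0ffb675b0f6443da7bb1c5851ce6f3c\n. ATTENTION! ====> ZeroAccess
"""

# "KEY: [valuename] image [size date] (company)" as FRST prints it
ENTRY_RE = re.compile(r'^(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<value>.*)$')
META_RE = re.compile(r'\s\[(?P<size>\d+) \d{4}-\d{2}-\d{2}\]\s*(?:\((?P<company>[^)]*)\))?')
IMAGE_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll|sys|cpl|scr|com))\b', re.IGNORECASE)
# Assumed list of locations a standard user can write to (plus the recycle bin)
USER_WRITABLE = re.compile(r'\\(AppData|Temp|\$Recycle\.Bin|ProgramData|Users\\Public)\\', re.IGNORECASE)
WINDOWS_DIR = re.compile(r'^[A-Za-z]:\\Windows\\', re.IGNORECASE)
RANDOM_NAME = re.compile(r'^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{12,}$')  # heuristic only


@dataclass
class Entry:
    key: str
    name: str
    image: str
    size: Optional[int]
    company: str
    marker: Optional[str]
    raw: str


@dataclass
class Finding:
    severity: str
    entry: Entry
    reason: str


def parse_entry(line: str) -> Optional[Entry]:
    """Split one registry line into its parts; None if the line is not one."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    key, name, value = m.group('key'), m.group('name'), m.group('value')
    meta = META_RE.search(value)
    size = int(meta.group('size')) if meta else None
    company = (meta.group('company') or '').strip() if meta else ''
    att = value.find('ATTENTION!')
    marker = value[att:].strip() if att != -1 else None
    im = IMAGE_RE.match(value)
    if im:
        image = im.group('path')
    else:                       # no recognised extension (ZeroAccess's "n" above):
        head = value            # keep the text before the marker / size bracket
        for stop in (' ATTENTION!', ' ['):
            cut = head.find(stop)
            if cut != -1:
                head = head[:cut]
        image = head.strip().strip('"').rstrip('.')
    return Entry(key, name, image, size, company, marker, line.strip())


def assess(e: Entry) -> List[Finding]:
    """Apply the judgements a malware helper makes by eye on such a log."""
    out: List[Finding] = []
    tail = e.key.rsplit('\\', 1)[-1]        # Run, RunOnce, Winlogon, InprocServer32 ...
    if e.marker:                            # FRST already recognised the pattern
        out.append(Finding('critical', e, 'FRST marker: ' + e.marker))
    if tail == 'Winlogon' and (e.key.startswith('HKU\\') or not WINDOWS_DIR.match(e.image)):
        # Real Shell/Userinit values live under HKLM and point into C:\Windows;
        # a per-user copy, or one pointing elsewhere, means the logon chain was hijacked
        out.append(Finding('critical', e, f'Winlogon {e.name} override -> {e.image}'))
    if tail == 'InprocServer32' and not WINDOWS_DIR.match(e.image):
        out.append(Finding('critical', e, 'COM server redirected outside the Windows directory'))
    if USER_WRITABLE.search(e.image):
        out.append(Finding('high', e, 'autostart image in a user-writable or recycle-bin path'))
    if e.size is not None and not e.company:
        out.append(Finding('low', e, 'image carries no publisher/version info'))
    if RANDOM_NAME.match(e.name):
        out.append(Finding('low', e, 'random-looking value name (heuristic)'))
    return out


def triage(log_text: str) -> List[Finding]:
    """Run assess() over every registry line in an FRST log."""
    out: List[Finding] = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e:
            out.extend(assess(e))
    return out


def proposed_fixlist(findings: List[Finding]) -> List[str]:
    """Render critical/high entries as an FRST fixlist: the registry line itself,
    then the image it points at, each listed once, between start/end markers."""
    body: List[str] = []
    for f in findings:
        if f.severity in ('critical', 'high'):
            for item in (f.entry.raw, f.entry.image):
                if item not in body:
                    body.append(item)
    return ['start'] + body + ['end']


if __name__ == '__main__':
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f'{f.severity:8} [{f.entry.name}] {f.reason}')
    print('\n'.join(proposed_fixlist(found)))
```

On the sample, the two vendor entries produce no findings, the three entries pointing at 1.exe and the InprocServer32 hijack are flagged, and the generated fixlist comes out with the same lines the helper listed by hand in post 5 (the file under $Recycle.Bin is included as an image path, which is why FRST in recovery mode could later only report "Could not move" for the directory itself). The output is a starting point for a reviewer, not a substitute for one.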
  6. Addreamy

    Addreamy Thread Starter

    Joined:
    Dec 8, 2003
    Messages:
    32
    Sorry about that - I had to make sure that I wasn't using the Mac's RTF default.

    Here's the printout:

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 23-12-2012 01
    Ran by SYSTEM at 2012-12-26 17:49:01 Run:1
    Running from F:\

    ==============================================

    HKEY_USERS\owner\Software\Microsoft\Windows\CurrentVersion\Run\\ZZChw4ZycSefR9m Value deleted successfully.
    C:\Users\owner\AppData\Roaming\1.exe moved successfully.
    HKEY_USERS\owner\Software\Microsoft\Windows\CurrentVersion\Run\\RunSpySweeperScheduleAtStartup Value deleted successfully.
    HKEY_USERS\owner\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit Value deleted successfully.
    HKEY_USERS\owner\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default value was restored successfully .
    [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}] should be deleted in normal mode (if present).
    C:\Users\owner\Start Menu\Programs\Startup\ja.lnk moved successfully.
    ShortcutTarget: ja.lnk -> (No File) not found.
    Could not move C:\$Recycle.Bin\S-1-5-21-1714088805-4286387499-517085011-1000\$e0ffb675b0f6443da7bb1c5851ce6f3c.
    Could not move C:\$Recycle.Bin\S-1-5-18\$e0ffb675b0f6443da7bb1c5851ce6f3c.
    C:\Windows\assembly\GAC\Desktop.ini moved successfully.

    ==== End of Fixlog ====
     
  7. Addreamy

    Addreamy Thread Starter

    Joined:
    Dec 8, 2003
    Messages:
    32
    AND - I just remembered to reboot, and it was successful!

    I assume we're not done, but I'm thrilled with the progress!
     
  8. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Does the system boot? Oops, we cross-posted. Give me 5 mins to look at FRST again.
     
  9. Addreamy

    Addreamy Thread Starter

    Joined:
    Dec 8, 2003
    Messages:
    32
    Headed to dinner - I'll be back later. Thanks again for all your help, Kevin!
     
  10. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    ZeroAccess infections are nasty; they will use backdoor access, especially to harvest information, including passwords that may have financial impact.
    If the system has been used for anything to do with credit cards or banking, then it may be a good idea to contact those services and make them aware in case of possible fraudulent actions.
    All passwords should be changed from a clean PC if possible, or from this one when we are sure it is clean.

    OK, as you are already aware, we are not finished; there may still be further malware or infected files/patches present. Run the following and we take it from there:

    Delete any versions of Combofix that you may have on your Desktop, then download a fresh copy from the following link:

    http://download.bleepingcomputer.com/sUBs/ComboFix.exe

    • Ensure that Combofix is saved directly to the Desktop <--- Very important
    • Disable all security programs as they will have a negative effect on Combofix; instructions are available here http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed; if you need more help please ask.
    • Close any open browsers and any other programs you might have running
    • Double click the ComboFix icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
    • Instructions for running Combofix available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.
    • If you are using Windows XP, it might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
    • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

    ****Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall or freeze ****

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read here http://thespykiller.co.uk/index.php?page=20 why disabling autoruns is recommended.

    *EXTRA NOTES*
    • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
    • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal
    • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted)

    Post the log in next reply please...

    Kevin
     
  11. Addreamy

    Addreamy Thread Starter

    Joined:
    Dec 8, 2003
    Messages:
    32
    OK - here's the ComboFix scan. Incidentally, during the scan, several times I got the following error message: Host Process for Windows Services Has Stopped Working (along with a generic error message saying that Windows would close the program and notify me if a solution was available). Mom claims this has been happening periodically for the past several months. Is it related?

    Anyway - here's the scan:

    ComboFix 12-12-25.02 - owner 12/26/2012 19:48:27.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.1028 [GMT -5:00]
    Running from: c:\users\owner\Desktop\ComboFix.exe
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\$recycle.bin\S-1-5-21-1714088805-4286387499-517085011-1000\$e0ffb675b0f6443da7bb1c5851ce6f3c\@
    c:\$recycle.bin\S-1-5-21-1714088805-4286387499-517085011-1000\$e0ffb675b0f6443da7bb1c5851ce6f3c\n
    c:\programdata\Microsoft\Windows\DRM\CD8B.tmp
    c:\programdata\SPL51E.tmp
    c:\programdata\SPL7FA2.tmp
    c:\users\owner\GoToAssistDownloadHelper.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-11-27 to 2012-12-27 )))))))))))))))))))))))))))))))
    .
    .
    2012-12-26 00:37 . 2012-12-26 00:37 73696 ----a-w- c:\program files\Mozilla Firefox\breakpadinjector.dll
    2012-12-26 00:37 . 2012-12-26 00:37 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
    2012-12-26 00:37 . 2012-12-26 00:37 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
    2012-12-26 00:37 . 2012-12-26 00:37 96224 ----a-w- c:\program files\Mozilla Firefox\webapprt-stub.exe
    2012-12-26 00:37 . 2012-12-26 00:37 157272 ----a-w- c:\program files\Mozilla Firefox\webapp-uninstaller.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-11-25 02:50 . 2012-03-30 15:48 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-11-25 02:50 . 2011-06-08 00:30 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-11-08 18:00 . 2012-11-23 20:29 6812136 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{60520B2B-EE5F-41CB-820C-566AC70E9DC3}\mpengine.dll
    2012-12-26 00:37 . 2012-04-28 02:31 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn3\yt.dll" [2012-06-11 1524056]
    .
    [HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
    [HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
    [HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
    [HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-29 39408]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-20 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-20 154136]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-20 129560]
    "TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 411192]
    "SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
    "00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-23 538744]
    "lxddmon.exe"="c:\program files\Lexmark 2500 Series\lxddmon.exe" [2007-06-11 291760]
    "lxddamon"="c:\program files\Lexmark 2500 Series\lxddamon.exe" [2007-04-30 20480]
    "FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-06-11 312240]
    "HostManager"="c:\program files\Common Files\AOL\1199836769\ee\AOLSoftware.exe" [2010-02-10 41800]
    "SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-04-25 4444160]
    "Skytel"="Skytel.exe" [2007-04-13 1822720]
    "VERIZONDM"="c:\program files\VERIZONDM\bin\sprtcmd.exe" [2010-09-29 206120]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-07-26 2569616]
    "CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-09-14 1213848]
    "IJNetworkScannerSelectorEX"="c:\program files\Canon\IJ Network Scanner Selector EX\CNMNSST.exe" [2010-09-09 452016]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1145860967]
    2007-03-19 20:59 65603 ----a-w- c:\program files\Toshiba Registration\Registration.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
    2007-11-06 22:47 1862144 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
    2007-04-25 19:14 4444160 ----a-w- c:\windows\RtHDVCpl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPStart]
    2007-08-15 23:31 102400 ----a-w- c:\program files\Synaptics\SynTP\SynTPStart.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
    2009-04-11 06:28 2153472 ----a-w- c:\windows\System32\oobefldr.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "AntiVirusOverride"=dword:00000001
    "AntiSpywareOverride"=dword:00000001
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-12-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-03 18:10]
    .
    2012-12-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-03 18:10]
    .
    2012-12-27 c:\windows\Tasks\User_Feed_Synchronization-{503DFD8B-67F2-4D91-A5F0-9E0F8A7CDE55}.job
    - c:\windows\system32\msfeedssync.exe [2012-05-03 08:09]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.toshibadirect.com/dpdstart
    uInternet Settings,ProxyOverride = *.local
    IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\zezyhb9n.default\
    FF - prefs.js: browser.startup.homepage - hxxp://my.aol.com/?favsSelect=bookmarks&icid=aolcomfav#
    FF - ExtSQL: !HIDDEN! 2009-12-27 18:59; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKCU-Run-TOSCDSPD - TOSCDSPD.EXE
    MSConfigStartUp-AcctMgr - c:\program files\Common Files\Symantec Shared\coShared\CIM\1.5\AcctMgr.exe
    MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
    MSConfigStartUp-mcagent_exe - c:\program files\McAfee.com\Agent\mcagent.exe
    MSConfigStartUp-NDSTray - NDSTray.exe
    MSConfigStartUp-nppCfgWiz - c:\program files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\CfgWiz.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-12-26 20:05
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    .
    c:\users\owner\AppData\Roaming\Microsoft\Windows\Cookies\153QQAH6.txt
    .
    scan completed successfully
    hidden files: 1
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    c:\windows\system32\agrsmsvc.exe
    c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
    c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe
    c:\windows\system32\spool\DRIVERS\W32X86\3\lxddserv.exe
    c:\windows\system32\lxddcoms.exe
    c:\toshiba\IVP\ISM\pinger.exe
    c:\program files\VERIZONDM\bin\sprtsvc.exe
    c:\program files\VERIZONDM\bin\tgsrvc.exe
    c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
    c:\windows\system32\TODDSrv.exe
    c:\program files\Toshiba\Power Saver\TosCoSrv.exe
    c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\windows\system32\conime.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\Toshiba\TOSCDSPD\TOSCDSPD.exe
    c:\windows\ehome\ehmsas.exe
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    c:\windows\servicing\TrustedInstaller.exe
    .
    **************************************************************************
    .
    Completion time: 2012-12-26 20:11:55 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-12-27 01:11
    .
    Pre-Run: 93,350,248,448 bytes free
    Post-Run: 96,001,720,320 bytes free
    .
    - - End Of File - - 1A019D166A66D8769E53B4F9D3122260
     
  12. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Yes, ZeroAccess patches into system services and can have a dramatic effect; Windows does attempt to repair itself but is not always able to.
    FRST did attempt to kill the Recycle Bin patched service files but was unable to; ComboFix did that for us, which may be why we see alerts happen.

    Continue as following:

    Step 1

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the Codebox below into it:

    Code:
    ClearJavaCache::
    File::
    c:\users\owner\AppData\Roaming\Microsoft\Windows\Cookies\153QQAH6.txt
    
    Save this as CFScript.txt, with Type: All Files (*.*), in the same location as ComboFix.exe.

    Drag CFScript.txt onto ComboFix.exe.

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

    Step 2

    Run Eset Online Scanner

    **Note** You will need to use Internet Explorer for this scan. Vista and Windows 7 users: right-click on the IE shortcut and run as admin.

    Go to the ESET web page http://www.eset.com/home/products/online-scanner/ to run an online scanner from ESET.

    • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
    • Click on the Run ESET Online Scanner button.
    • Tick the box next to YES, I accept the Terms of Use.
      Click Start.
    • When asked, allow the add-on to be installed.
      Click Start.
    • Make sure that the option Remove found threats is unticked.
    • Click on Advanced Settings and ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
      Click Scan.
    • Wait for the virus definitions to be downloaded.
    • Wait for the scan to finish.

    When the scan is complete:

    If no threats were found
    • Put a checkmark in "Uninstall application on close".
    • Close the program.
    • Report to me that nothing was found.

    If threats were found
    • Click on "list of threats found".
    • Click on "export to text file", save it as ESET SCAN and save it to the desktop.
    • Click on Back.
    • Put a checkmark in "Uninstall application on close".
    • Click on Finish.
    • Close the program.
    • Copy and paste the report here.

    Step 3

    Download Security Check by screen317 from either of the following:
    http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe
    Save it to your Desktop.
    Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
    A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    Post those three logs, let me know if there are any remaining issues or concerns,,,

    Kevin
     
  13. Addreamy

    Addreamy Thread Starter

    Joined:
    Dec 8, 2003
    Messages:
    32
    Ok, here are the 3 scans:

    Combofix:
    ComboFix 12-12-25.02 - owner 12/27/2012 9:06.2.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.1179 [GMT -5:00]
    Running from: c:\users\owner\Desktop\ComboFix.exe
    Command switches used :: c:\users\owner\Desktop\CFScript.txt
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    FILE ::
    "c:\users\owner\AppData\Roaming\Microsoft\Windows\Cookies\153QQAH6.txt"
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-11-27 to 2012-12-27 )))))))))))))))))))))))))))))))
    .
    .
    2012-12-27 14:14 . 2012-12-27 14:14 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
    2012-12-27 14:14 . 2012-12-27 14:14 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-12-27 00:59 . 2012-12-27 00:59 -------- d-----w- C:\FRST
    2012-12-26 00:37 . 2012-12-26 00:37 73696 ----a-w- c:\program files\Mozilla Firefox\breakpadinjector.dll
    2012-12-26 00:37 . 2012-12-26 00:37 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
    2012-12-26 00:37 . 2012-12-26 00:37 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
    2012-12-26 00:37 . 2012-12-26 00:37 96224 ----a-w- c:\program files\Mozilla Firefox\webapprt-stub.exe
    2012-12-26 00:37 . 2012-12-26 00:37 157272 ----a-w- c:\program files\Mozilla Firefox\webapp-uninstaller.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-11-25 02:50 . 2012-03-30 15:48 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-11-25 02:50 . 2011-06-08 00:30 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-11-08 18:00 . 2012-11-23 20:29 6812136 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{60520B2B-EE5F-41CB-820C-566AC70E9DC3}\mpengine.dll
    2012-12-26 00:37 . 2012-04-28 02:31 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn4\yt.dll" [2012-11-26 1525088]
    .
    [HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
    [HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
    [HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
    [HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-29 39408]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-20 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-20 154136]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-20 129560]
    "TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 411192]
    "SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
    "00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-23 538744]
    "lxddmon.exe"="c:\program files\Lexmark 2500 Series\lxddmon.exe" [2007-06-11 291760]
    "lxddamon"="c:\program files\Lexmark 2500 Series\lxddamon.exe" [2007-04-30 20480]
    "FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-06-11 312240]
    "HostManager"="c:\program files\Common Files\AOL\1199836769\ee\AOLSoftware.exe" [2010-02-10 41800]
    "SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-04-25 4444160]
    "Skytel"="Skytel.exe" [2007-04-13 1822720]
    "VERIZONDM"="c:\program files\VERIZONDM\bin\sprtcmd.exe" [2010-09-29 206120]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-07-26 2569616]
    "CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-09-14 1213848]
    "IJNetworkScannerSelectorEX"="c:\program files\Canon\IJ Network Scanner Selector EX\CNMNSST.exe" [2010-09-09 452016]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1145860967]
    2007-03-19 20:59 65603 ----a-w- c:\program files\Toshiba Registration\Registration.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
    2007-11-06 22:47 1862144 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
    2007-04-25 19:14 4444160 ----a-w- c:\windows\RtHDVCpl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPStart]
    2007-08-15 23:31 102400 ----a-w- c:\program files\Synaptics\SynTP\SynTPStart.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
    2009-04-11 06:28 2153472 ----a-w- c:\windows\System32\oobefldr.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "AntiVirusOverride"=dword:00000001
    "AntiSpywareOverride"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-12-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-03 18:10]
    .
    2012-12-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-03 18:10]
    .
    2012-12-27 c:\windows\Tasks\User_Feed_Synchronization-{503DFD8B-67F2-4D91-A5F0-9E0F8A7CDE55}.job
    - c:\windows\system32\msfeedssync.exe [2012-05-03 08:09]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.toshibadirect.com/dpdstart
    uInternet Settings,ProxyOverride = *.local
    IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\zezyhb9n.default\
    FF - prefs.js: browser.startup.homepage - hxxp://my.aol.com/?favsSelect=bookmarks&icid=aolcomfav#
    FF - ExtSQL: !HIDDEN! 2009-12-27 18:59; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-12-27 09:14
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    Completion time: 2012-12-27 09:17:35
    ComboFix-quarantined-files.txt 2012-12-27 14:17
    ComboFix2.txt 2012-12-27 01:11
    .
    Pre-Run: 95,915,446,272 bytes free
    Post-Run: 95,910,227,968 bytes free
    .
    - - End Of File - - C996CA59E7988243CA18F7FBCA101837

    ESET scan:

    C:\FRST\Quarantine\1.exe a variant of Win32/LockScreen.AML trojan
    C:\Qoobox\Quarantine\C\$RECYCLE.BIN\S-1-5-21-1714088805-4286387499-517085011-1000\$e0ffb675b0f6443da7bb1c5851ce6f3c\n.vir Win32/Sirefef.EV trojan
    C:\Users\owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\owner\awt43abr.exe Win32/Olmarik.AYR trojan
    C:\Users\owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\owner\wgsdgsdgdsgsd.exe a variant of Win32/LockScreen.AML trojan
    C:\Users\owner\Downloads\IWantThis.exe Win32/Toolbar.CrossRider application

    Security Check:
    Results of screen317's Security Check version 0.99.56
    Windows Vista Service Pack 2 x86 (UAC is enabled)
    Internet Explorer 8 Out of date!
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    WMI entry may not exist for antivirus; attempting automatic update.
    `````````Anti-malware/Other Utilities Check:`````````
    Java(TM) 6 Update 2
    Java version out of Date!
    Adobe Flash Player 11.5.502.110
    Adobe Reader 8 Adobe Reader out of Date!
    Mozilla Firefox (17.0.1)
    Google Chrome 21.0.1180.83
    Google Chrome 21.0.1180.89
    Google Chrome 22.0.1229.79
    Google Chrome 22.0.1229.92
    Google Chrome 22.0.1229.94
    Google Chrome 23.0.1271.64
    Google Chrome 23.0.1271.91
    Google Chrome 23.0.1271.95
    Google Chrome 23.0.1271.97
    ````````Process Check: objlist.exe by Laurent````````
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 5 % Defragment your hard drive soon! (Do NOT defrag if SSD!)
    ````````````````````End of Log``````````````````````
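    The ComboFix logs above record Security Center keys with "DisableMonitoring" and "AntiVirusOverride"/"AntiSpywareOverride" set to 1, and an AppInit_DLLs entry under the Windows NT key. As an added example (not code from this thread, from ComboFix, or from any tool named here), the following Python parses a ComboFix-style "Reg Loading Points" fragment and flags those settings as review items. The sample text is constructed from the values in the posted log; the finding wording and the choice of which keys to flag are my own assumptions.

```python
import re
from typing import List, Tuple, Union

# Constructed sample in the layout of the "Reg Loading Points" section of the
# ComboFix logs posted in this thread (values copied from those logs).
SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.*)$')

RegValue = Union[int, str]
Entry = Tuple[str, str, RegValue]
Finding = Tuple[str, str, RegValue, str]


def parse_reg_value(raw: str) -> RegValue:
    """Convert the textual value ComboFix prints into an int or str.
    Handles 'dword:00000001', the '0 (0x0)' form, quoted strings and bare paths."""
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw)
    if m:
        return int(m.group(1), 16)
    m = re.fullmatch(r"(\d+)\s*\(0x[0-9a-fA-F]+\)", raw)
    if m:
        return int(m.group(1))
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    return raw


def parse_reg_section(text: str) -> List[Entry]:
    """Walk the dump line by line, remembering the current [key] and collecting
    (key, value name, parsed value) triples. Separator lines ('.') are skipped."""
    entries: List[Entry] = []
    key = None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        vm = VALUE_RE.match(line)
        if vm and key is not None:
            entries.append((key, vm.group("name"), parse_reg_value(vm.group("raw"))))
    return entries


def audit_reg_entries(entries: List[Entry]) -> List[Finding]:
    """Flag settings that silence the Security Center or hook every process.
    These are review items, not verdicts: legitimate products set some of them
    (the AppInit DLL here belongs to Google Desktop, for instance)."""
    findings: List[Finding] = []
    for key, name, value in entries:
        k = key.lower()
        if "security center\\monitoring" in k and name == "DisableMonitoring" and value != 0:
            findings.append((key, name, value,
                             "Security Center monitoring disabled; confirm the product named in the key is still installed"))
        elif k.endswith("security center\\svc") and name in ("AntiVirusOverride", "AntiSpywareOverride") and value != 0:
            findings.append((key, name, value,
                             "Security Center told not to report missing AV/antispyware; check whether any protection is actually installed"))
        elif name.lower() == "appinit_dlls" and value:
            findings.append((key, name, value,
                             "AppInit_DLLs entry is loaded into every process that loads user32.dll; verify the file is legitimate"))
    return findings


if __name__ == "__main__":
    for key, name, value, reason in audit_reg_entries(parse_reg_section(SAMPLE_LOG)):
        print(f"{name}={value!r} under {key}\n    -> {reason}")
```

    Run against the constructed sample, it flags the two DisableMonitoring values, both Svc overrides and the AppInit_DLLs entry, and leaves EnableUIADesktopToggle alone. The overrides are worth a second look in this thread in particular, because the helper later notes that no antivirus appears to be installed; with AntiVirusOverride set, the Security Center would not have warned about that.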
     
  14. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    OK, do the following:

    Download OTM from either of the following links and save to your Desktop:
    http://oldtimer.geekstogo.com/OTM.exe.
    http://www.itxassociates.com/OT-Tools/OTM.com
    http://www.itxassociates.com/OT-Tools/OTM.exe
    Double click OTM.exe to start the tool. Vista or Windows 7 users, accept the UAC alert. Be aware all processes will be stopped during the run, and the Desktop will disappear; it will be put back on completion.
    • Copy the text from the code box below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Files
      ipconfig /flushdns /c
      C:\FRST
      C:\Users\owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\owner\awt43abr.exe
      C:\Users\owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\owner\wgsdgsdgdsgsd.exe
      C:\Users\owner\Downloads\IWantThis.exe
      :Commands
      [EmptyTemp]
      
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    • Click the red button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    If the machine reboots, the Results log can be found here:

    c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss is the date of the tool run.

    Next,

    I do not see any Anti-Virus program installed, is that correct? If so, continue:

    To keep safe when online you need a good Antivirus/Antispyware/Antimalware/Anti-Rootkit combination application. Microsoft Security Essentials covers all of those bases, and better still it is free. Go here http://www.microsoft.com/security_essentials/ select your Operating System, download, install and follow the prompts. Once installed it will want to update and carry out a quick scan; allow that to happen. Let me know if it finds anything from the scan...

    Tell me how the system responds after those actions, also tell me what issues/concerns remain...

    Kevin
     
  15. Addreamy

    Addreamy Thread Starter

    Joined:
    Dec 8, 2003
    Messages:
    32
    OTM printout

    All processes killed
    ========== FILES ==========
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    C:\Users\owner\Desktop\cmd.bat deleted successfully.
    C:\Users\owner\Desktop\cmd.txt deleted successfully.
    C:\FRST\Quarantine folder moved successfully.
    C:\FRST\Logs folder moved successfully.
    C:\FRST\Hives folder moved successfully.
    C:\FRST folder moved successfully.
    C:\Users\owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\owner\awt43abr.exe moved successfully.
    C:\Users\owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\owner\wgsdgsdgdsgsd.exe moved successfully.
    C:\Users\owner\Downloads\IWantThis.exe moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: owner
    ->Temp folder emptied: 75694 bytes
    ->Temporary Internet Files folder emptied: 73688134 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 78319550 bytes
    ->Google Chrome cache emptied: 19705106 bytes
    ->Flash cache emptied: 7664 bytes

    I hadn't realized that my parents were running without protection - I appreciate both the heads-up and the recommendation. I installed MSE and ran the scan with no problems noted. I also checked the problem that my mother had initially reported (that she couldn't access their AOL email account) and that, too, is now cleared up. They will be changing that password as soon as I can get her to the screen to do it.

    They now have their Firewall up and running along with WSE. Anything else you would recommend that I install for them or have them do?

    They do use Firefox for their primary browser, and I noticed that a couple of programs (Java, Adobe) need to be updated; I'll take care of that next.
     
Short URL to this thread: https://techguy.org/1082464
