GeekPolice Tech Tutorials

Pretty sure I have a virus

Re: Pretty sure I have a virus
Were you able to run ComboFix?

Re: Pretty sure I have a virus
I attempted to run it a few times this morning. It was taking a bit of time. I will run it this evening and post results tomorrow morning.

Thanks for all your help!
Lance

Re: Pretty sure I have a virus
Lance Forney wrote:
I attempted to run it a few times this morning. It was taking a bit of time. I will run it this evening and post results tomorrow morning.

Thanks for all your help!
Lance

Ok, please keep me informed.

Re: Pretty sure I have a virus
ComboFix 14-03-16.01 - Administrator 03/18/2014 17:06:46.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3046.2367 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AVG AntiVirus 2014 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP1632\A0210077.exe
.
.
((((((((((((((((((((((((( Files Created from 2014-02-19 to 2014-03-19 )))))))))))))))))))))))))))))))
.
.
2014-03-18 21:42 . 2014-03-18 21:53 -------- d-----w- C:\access
2014-03-18 16:57 . 2014-03-18 16:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG2014
2014-03-18 16:56 . 2014-03-18 16:56 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Avg2014
2014-03-18 16:56 . 2014-03-18 16:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\TuneUp Software
2014-03-18 16:55 . 2014-03-18 16:55 -------- d-----w- C:\$AVG
2014-03-18 16:55 . 2014-03-18 16:56 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2014
2014-03-18 16:53 . 2014-03-18 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2014-03-18 16:53 . 2014-03-18 16:56 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Avg2014
2014-03-18 16:53 . 2014-03-18 16:53 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\MFAData
2014-03-18 00:13 . 2014-03-18 00:13 -------- d-----w- c:\windows\ERUNT
2014-03-17 23:46 . 2014-03-17 23:45 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-03-17 23:36 . 2014-03-17 23:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2014-03-08 00:47 . 2014-03-08 00:55 -------- d-----w- C:\AdwCleaner
2014-03-08 00:20 . 2014-03-08 00:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2014-03-08 00:20 . 2014-03-08 00:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2014-03-08 00:20 . 2014-03-08 00:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2014-03-08 00:20 . 2013-04-04 22:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-03-17 23:45 . 2010-09-01 16:24 145408 ----a-w- c:\windows\system32\javacpl.cpl
2014-03-03 16:22 . 2012-08-29 15:21 42784 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2014-01-30 18:55 . 2014-01-30 18:25 73216 ----a-w- c:\windows\ST6UNST.EXE
2014-01-20 04:46 . 2014-01-20 04:46 22808 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Akamai NetSession Interface"="c:\documents and settings\Administrator\Local Settings\Application Data\Akamai\netsession_win.exe" [2013-06-05 4489472]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-25 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"Gateway Extended Warranty"="c:\program files\Gateway\GWCares\GWCares.exe" [2004-02-08 73728]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"CHotkey"="mHotkey.exe" [2004-09-21 550400]
"ShowWnd"="ShowWnd.exe" [2003-09-19 36864]
"ledpointer"="CNYHKey.exe" [2004-03-03 5576704]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-13 61952]
"Mixersel"="c:\program files\Realtek\InstallShield\mixersel.exe" [2003-11-11 369664]
"SoundMan"="SOUNDMAN.EXE" [2004-10-21 77824]
"AlcWzrd"="ALCWZRD.EXE" [2004-10-22 2744832]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-07-06 98304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"AVG_UI"="c:\program files\AVG\AVG2014\avgui.exe" [2014-01-22 4962320]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-3-5 10872]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2014\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=
"c:\\Program Files\\AVG\\AVG2014\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2014\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2014\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2014\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1069:TCP"= 1069:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [11/25/2013 9:56 PM 149272]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [10/31/2013 10:30 PM 222520]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/10/2013 12:43 AM 27448]
R1 Avgdiskx;AVG Disk Driver;c:\windows\system32\drivers\avgdiskx.sys [11/25/2013 9:49 PM 120600]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [11/25/2013 9:56 PM 210712]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [1/19/2014 9:46 PM 22808]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [10/31/2013 11:00 PM 176952]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [8/1/2013 4:08 PM 193848]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [8/29/2012 8:21 AM 42784]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [5/26/2004 12:30 PM 14336]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2014\avgidsagent.exe [1/22/2014 12:19 PM 3788816]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2014\avgwdsvc.exe [9/24/2013 1:33 AM 348008]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [3/7/2014 5:20 PM 418376]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/7/2014 5:20 PM 701512]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [10/8/2012 5:04 PM 166912]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/7/2014 5:20 PM 22856]
S2 Autodesk Content Service;Autodesk Content Service;c:\program files\Autodesk\Content Service\Connect.Service.ContentService.exe [2/2/2011 3:08 PM 18656]
S2 vToolbarUpdater18.0.0;vToolbarUpdater18.0.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\18.0.0\ToolbarUpdater.exe --> c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\18.0.0\ToolbarUpdater.exe [?]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [5/17/2013 8:50 AM 24576]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [10/8/2012 5:04 PM 21248]
S3 WPEServ;WPEServ;c:\program files\Common Files\WPE\wpeserv.exe [3/9/2007 12:39 PM 323584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-03-17 15:45 1150280 ----a-w- c:\program files\Google\Chrome\Application\33.0.1750.154\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-03-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-26 21:02]
.
2014-03-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-16 22:33]
.
2014-03-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-16 22:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
uInternet Settings,ProxyOverride =
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com
TCP: Interfaces\{83953282-6822-4422-9D17-5544F0E7543B}: NameServer = 4.2.2.1,4.2.2.2
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKCU-Run-Weather - c:\program files\AWS\WeatherBug\Weather.exe
AddRemove-BigFix - c:\program files\BigFix\Uninst.isu
AddRemove-Topcon Link v.8 - c:\documents and settings\All Users\Application Data\{A599C51D-52F6-44B7-868A-E282F23A19EF}\TopconLinkSetup.8.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-03-18 19:25
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_8fa3539.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3152786837-564042706-46695988-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,13,13,2e,01,1f,a4,04,41,b7,46,01,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,58,de,8c,ee,07,74,3b,46,8f,f1,9a,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,60,6f,e6,18,12,33,50,4a,8d,0e,bd,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,60,6f,e6,18,12,33,50,4a,8d,0e,bd,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,60,6f,e6,18,12,33,50,4a,8d,0e,bd,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1304)
c:\windows\system32\WININET.dll
c:\windows\system32\AcSignIcon.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
c:\program files\Common Files\Autodesk Shared\AcSignCore16.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\mHotkey.exe
c:\windows\CNYHKey.exe
c:\windows\SOUNDMAN.EXE
c:\windows\ALCWZRD.EXE
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
.
**************************************************************************
.
Completion time: 2014-03-18 19:33:09 - machine was rebooted
ComboFix-quarantined-files.txt 2014-03-19 02:33
.
Pre-Run: 50,098,872,320 bytes free
Post-Run: 60,338,827,264 bytes free
.
- - End Of File - - D92AFF3AD28851D8D52571E667312CF9
B20939CD98B7710036274839082AE757

Re: Pretty sure I have a virus
Here are the combo fix results. Thanks!
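The posted ComboFix log is long, and the entries worth a second look are easy to miss among the AVG drivers and OEM hotkey tools. The script below is an added example, not part of this thread and not a ComboFix feature: it parses the log's "Other Deletions", Run-key and service lines (the format shown in the post above) and flags what a responder checks first: a system file that ComboFix disinfected and replaced from a restore point (the replacement should be compared against a known-good copy by hash or signature, since a restore point can hold an infected copy too), Run values that are bare filenames resolved through the search path at logon, autoruns under user-writable profile paths, and services whose binary ComboFix marked "[?]". The SAMPLE_LOG text embedded in it is constructed from the format of the posted log, not copied from a real machine, and the flag wording and helper names are the example's own.

```python
"""Triage helper for ComboFix-style logs (added example, not a ComboFix feature)."""
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the format of the posted log; not a real machine's output.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP1632\A0210077.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Akamai NetSession Interface"="c:\documents and settings\Administrator\Local Settings\Application Data\Akamai\netsession_win.exe" [2013-06-05 4489472]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CHotkey"="mHotkey.exe" [2004-09-21 550400]
"AVG_UI"="c:\program files\AVG\AVG2014\avgui.exe" [2014-01-22 4962320]
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/7/2014 5:20 PM 701512]
S2 vToolbarUpdater18.0.0;vToolbarUpdater18.0.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\18.0.0\ToolbarUpdater.exe --> c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\18.0.0\ToolbarUpdater.exe [?]
"""

RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
SERVICE_RE = re.compile(r'^[RS]\d\s+(?P<svc>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s*\[(?P<meta>[^\]]*)\]$')
INFECTED_RE = re.compile(r'^Infected copy of (?P<path>.+?) was found and (?P<action>\w+)$')
RESTORED_RE = re.compile(r'^Restored copy from - (?P<path>.+)$')

# Directories an unprivileged XP user can write to; a persistent binary living
# there deserves a look even when its name sounds legitimate.
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\",
                 "\\local settings\\", "\\temp\\")


@dataclass
class Finding:
    kind: str       # "repair", "autorun" or "service"
    location: str   # log section, registry key or service name
    name: str
    path: str
    reasons: List[str] = field(default_factory=list)


def _path_reasons(path: str) -> List[str]:
    p = path.lower()
    reasons = []
    if "\\" not in p:
        # A bare name in a Run value is resolved through the loader's search
        # order at logon, so confirm which file on disk actually runs.
        reasons.append("bare filename, resolved through the search path at logon")
    if any(marker in p for marker in USER_WRITABLE):
        reasons.append("binary lives under a user-writable profile directory")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Walk the log once and return only the entries that carry a reason."""
    findings: List[Finding] = []
    run_key: Optional[str] = None
    in_deletions = False
    repair: Optional[Finding] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("((("):                       # section banner
            in_deletions = "Other Deletions" in line
            run_key = None
            continue
        if line.startswith("[") and line.endswith("]"):  # registry key header
            run_key = line[1:-1] if line.lower().endswith("\\run]") else None
            continue
        if in_deletions:
            m = INFECTED_RE.match(line)
            if m:
                repair = Finding("repair", "Other Deletions", "infected system file",
                                 m.group("path"), [f"ComboFix {m.group('action')} it; compare the "
                                                   "replacement's hash/signature with a known-good copy"])
                findings.append(repair)
            m = RESTORED_RE.match(line)
            if m and repair:
                repair.reasons.append("replacement taken from a restore point: " + m.group("path"))
            continue
        m = RUN_VALUE_RE.match(line)
        if m and run_key:
            reasons = _path_reasons(m.group("path"))
            if reasons:
                findings.append(Finding("autorun", run_key, m.group("name"), m.group("path"), reasons))
            continue
        m = SERVICE_RE.match(line)
        if m:
            reasons = ["service binary not found on disk ([?])"] if m.group("meta").strip() == "?" else []
            reasons += _path_reasons(m.group("path").split(" --> ")[0])
            if reasons:
                findings.append(Finding("service", m.group("svc"), m.group("display"), m.group("path"), reasons))
    return findings


if __name__ == "__main__":
    src = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in triage(src):
        print(f"[{f.kind}] {f.location} :: {f.name}\n    {f.path}\n    - " + "\n    - ".join(f.reasons))
```

Run it with a saved log as the first argument (or with no argument to use the embedded sample). On the sample it reports the disinfected userinit.exe with its restore-point source, the Akamai autorun under the Administrator profile, the bare "mHotkey.exe" Run value, and the AVG Secure Search updater service whose binary is missing; the clean entries (AVG_UI, MBAMService) are left out. Flagged does not mean malicious: the bare-filename hotkey entries in the posted log resolve to OEM tools in c:\windows, and the point of the flag is to make that resolution explicit rather than assumed.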

Re: Pretty sure I have a virus
Malwarebytes' Anti-Rootkit

Please download Malwarebytes' Anti-Rootkit and save it to your desktop.

  • Be sure to print out and follow the instructions provided on that same page for performing a scan.
  • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
  • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  • Copy and paste the contents of these two log files in your next reply.
