Driverwhiz.exe virus [Solved]


  • This topic is locked
50 replies to this topic

#31 OCD

OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 20 January 2014 - 11:53 AM

Hi mikej62,

Is the LSP error currently the only issue you're experiencing?
OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days








If you are satisfied with the help you have received, please consider making a donation.



#32 mikej62

mikej62

    Authentic Member

  • Authentic Member
  • PipPip
  • 84 posts

Posted 20 January 2014 - 11:54 AM

Hi mikej62,

Is the LSP error currently the only issue you're experiencing?

 

Right now the only issue is the LSP error, and the computer is still randomly shutting down a few times per day.



#33 OCD

OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 20 January 2014 - 12:08 PM

Hi mikej62,
 

the computer still randomly shutting down a few times per day.


Is the computer running hot at all?


#34 mikej62

mikej62

    Authentic Member

  • Authentic Member
  • PipPip
  • 84 posts

Posted 20 January 2014 - 12:13 PM

Hi mikej62,
 

the computer still randomly shutting down a few times per day.


Is the computer running hot at all?

 

When it turns off, it feels hot in the back next to the fan, the rest of the computer doesn't feel like anything



#35 OCD

OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 20 January 2014 - 12:20 PM

Hi mikej62,
 

When it turns off, it feels hot in the back next to the fan, the rest of the computer doesn't feel like anything

 

 

Sometimes excessive heat can cause a computer to reboot/shutdown unexpectedly. Please ensure you have ample room around the back to allow for proper ventilation. You might also consider getting a can of compressed air and periodically clean the dust from around the fan. It is also possible to open the case (not very difficult) and remove any dust in there as well with the compressed air. Although, you might want to do that outside if possible. There will probably be a considerable amount of dust if it hasn't been done before.

 

=========================

RogueKiller

Download to your desktop RogueKiller (by tigzy)

    • Windows XP : Double click on the icon to run it.
    • Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
  • Quit all programs
  • Wait until Prescan has finished ...
  • Click on Scan, Do Not Fix Anything at this point.
  • Click the Report button, save the report to your desktop

=========================

In your next post please provide the following:


  • RKreport.txt



#36 mikej62

mikej62

    Authentic Member

  • Authentic Member
  • PipPip
  • 84 posts

Posted 20 January 2014 - 12:43 PM

RK report:

 

RogueKiller V8.8.2 [Jan 17 2014] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.co...es/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Nashih [Admin rights]
Mode : Scan -- Date : 01/20/2014 13:42:32
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[17] : NtAllocateVirtualMemory @ 0x805A8AEE -> HOOKED (Unknown @ 0x8A653470)
[Address] SSDT[41] : NtCreateKey @ 0x8062426A -> HOOKED (Unknown @ 0x8A6BB208)
[Address] SSDT[47] : NtCreateProcess @ 0x805D1280 -> HOOKED (Unknown @ 0x8A6F67A0)
[Address] SSDT[48] : NtCreateProcessEx @ 0x805D11CA -> HOOKED (Unknown @ 0x8A68DD68)
[Address] SSDT[53] : NtCreateThread @ 0x805D1068 -> HOOKED (Unknown @ 0x8A6FEFA8)
[Address] SSDT[63] : NtDeleteKey @ 0x80624706 -> HOOKED (Unknown @ 0x8A6E0438)
[Address] SSDT[65] : NtDeleteValueKey @ 0x806248D6 -> HOOKED (Unknown @ 0x8A6E01E8)
[Address] SSDT[180] : NtQueueApcThread @ 0x805D2786 -> HOOKED (Unknown @ 0x8A6534E8)
[Address] SSDT[186] : NtReadVirtualMemory @ 0x805B42F6 -> HOOKED (Unknown @ 0x8A653380)
[Address] SSDT[192] : NtRenameKey @ 0x80623C8C -> HOOKED (Unknown @ 0x8A6B8150)
[Address] SSDT[213] : NtSetContextThread @ 0x805D2C4A -> HOOKED (Unknown @ 0x8A6535D8)
[Address] SSDT[226] : NtSetInformationKey @ 0x80622F84 -> HOOKED (Unknown @ 0x8A6BD340)
[Address] SSDT[228] : NtSetInformationProcess @ 0x805CDED0 -> HOOKED (Unknown @ 0x8A6DE1B0)
[Address] SSDT[229] : NtSetInformationThread @ 0x805CC154 -> HOOKED (Unknown @ 0x8A6BB2F8)
[Address] SSDT[247] : NtSetValueKey @ 0x806227DC -> HOOKED (Unknown @ 0x8A6DF148)
[Address] SSDT[253] : NtSuspendProcess @ 0x805D4B10 -> HOOKED (Unknown @ 0x8A680FA8)
[Address] SSDT[254] : NtSuspendThread @ 0x805D4982 -> HOOKED (Unknown @ 0x8A653560)
[Address] SSDT[257] : NtTerminateProcess @ 0x805D2308 -> HOOKED (Unknown @ 0x8A6F6690)
[Address] SSDT[258] : NtTerminateThread @ 0x805D2502 -> HOOKED (Unknown @ 0x8A6BEA30)
[Address] SSDT[277] : NtWriteVirtualMemory @ 0x805B4400 -> HOOKED (Unknown @ 0x8A6533F8)
[Address] Shadow SSDT[307] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x8A455408)
[Address] Shadow SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x8939D2B8)
[Address] Shadow SSDT[414] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x892EC468)
[Address] Shadow SSDT[416] : NtUserGetKeyState -> HOOKED (Unknown @ 0x892EC3F0)
[Address] Shadow SSDT[460] : NtUserMessageCall -> HOOKED (Unknown @ 0x8A6604F8)
[Address] Shadow SSDT[475] : NtUserPostMessage -> HOOKED (Unknown @ 0x8A5C33F8)
[Address] Shadow SSDT[476] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x8937F230)
[Address] Shadow SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x89383210)
[Address] Shadow SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x898786E8)
[Inline] EAT @explorer.exe (?MILLIS_PER_SECOND@GCDate@@2JB) : GrooveUtil.DLL -> HOOKED (Unknown @ 0xC8F7333C)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) WDC WD2500JS-00MHB0 +++++
--- User ---
[MBR] 60ee72a8c62d5aca3878aeec218a387a
[BSP] c7847ef6be8e54a0e7137c6b0922e082 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 238472 Mo
User = LL1 ... OK!
Error reading LL2 MBR! ([0x1] Incorrect function. )

Finished : << RKreport[0]_S_01202014_134232.txt >>



#37 OCD

OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 20 January 2014 - 01:14 PM

Hi mikej62,

Are you still getting the DriverWhiz error message?

=========================

Download Farbar Service Scanner and save it to your desktop.
  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center
  • Windows Update
  • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply
=========================
  • rKill

    Print out these instructions as we may need to close every window that is open later in the fix.

    It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

    Do not reboot your computer after running rkill as the malware programs will start again.

    Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
    There are 5 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click and choose Run as Admin
    You only need to get one of them to run, not all of them.
    =========================

    When we first started I asked you to run this tool and you were unsuccessful, please try again. There is no need to download it again if you still have it on your desktop.

    Download OTL to your desktop.
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
      Note: These logs can be located in the OTL. folder on your C:\ drive if they fail to open automatically.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.
    =========================

    In your next post please provide the following:
    • FSS.txt
    • OTL.txt
    • Extras.txt



#38 mikej62

mikej62

    Authentic Member

  • Authentic Member
  • PipPip
  • 84 posts

Posted 20 January 2014 - 01:36 PM

When I ran the rkill I did get a similar bad image popup to the driverwhiz one but I was able to x it out and the program ran. But in the middle of the OTL scan I got a similar popup and wasn't able to x it.

 

fss:

 

Farbar Service Scanner Version: 08-01-2014
Ran by Nashih (administrator) on 20-01-2014 at 14:23:46
Running from "C:\Documents and Settings\Nashih\My Documents\Downloads"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Attempt to access Local Host IP returned error: Localhost is blocked: Other errors
LAN connected.
Attempt to access Google IP returned error. Other errors
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo.com returned error: Other errors


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============
Srservice Service is not running. Checking service configuration:
The start type of Srservice service is OK.
The ImagePath of Srservice service is OK.
The ServiceDll of Srservice service is OK.

sr Service is not running. Checking service configuration:
The start type of sr service is OK.
The ImagePath of sr service is OK.


System Restore Disabled Policy:
========================


Security Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Other Services:
==============


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys
[2009-10-06 21:01] - [2008-04-13 13:36] - 0073472 ____C () 3C756678976E449CF6330781786AA48A

ATTENTION!=====> C:\WINDOWS\system32\Drivers\sr.sys IS INFECTED.

C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x0700000005000000010000000200000003000000040000000600000007000000
IpSec Tag value is correct.

**** End of log ****



#39 mikej62

mikej62

    Authentic Member

  • Authentic Member
  • PipPip
  • 84 posts

Posted 20 January 2014 - 01:39 PM

I know you don't want me to attach logs but I have to attach the rkill log because it's too long to post

 



Edited by mikej62, 20 January 2014 - 01:39 PM.


#40 OCD

OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 20 January 2014 - 05:38 PM

Hi mikej62,
 

When I ran the rkill I did get a similar bad image popup to the driverwhiz one but I was able to x it out and the program ran. But in the middle of the OTL scan I got a similar popup and wasn't able to x it.

Can you tell me what information is contained with the pop-up? What does the pop-up state? What information is contained in the header of the pop-up?

= = = = = = = = = = = = = = = = = = = =

Copy and paste these lines in Notepad.
 

@Echo on
pushd\windows\system32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
ipconfig /release
ipconfig /renew
ipconfig /flushdns
netsh winsock reset all
netsh int ip reset all
shutdown -r -t 1
del %0


Save as flush.bat to your desktop. Double click to run.
*** note: Win Vista and Win 7 need to right click and choose to "run as Administrator" .. the computer will reboot itself.

= = = = = = = = = = = = = = = = = = = =

SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    sr.sys
    
    :file
    C:\WINDOWS\system32\Drivers\sr.sys
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

=========================

In your next post please provide the following:

  • SystemLook.txt



#41 mikej62

mikej62

    Authentic Member

  • Authentic Member
  • PipPip
  • 84 posts

Posted 21 January 2014 - 10:59 AM

Here is the popup I get when running OTL. OTL freezes when I try to run it:

 

"OTL (1).exe- Bad Image

The application or DLL c:\WINDOWS\Microsoft.NET\framework\v.2.0.50727\shfusion.dll is  not a valid Windows image. Please check this against your installation diskette."
 

 

system look log:

 

SystemLook 30.07.11 by jpshortstuff
Log created at 11:57 on 21/01/2014 by Nashih
Administrator - Elevation successful

========== filefind ==========

Searching for "sr.sys"
C:\WINDOWS\$NtServicePackUninstall$\sr.sys    -----c- 73472 bytes    [00:14 08/10/2009]    [01:07 04/08/2004] E41B6D037D6CD08461470AF04500DC24
C:\WINDOWS\ServicePackFiles\i386\sr.sys    -----c- 73472 bytes    [18:36 13/04/2008]    [18:36 13/04/2008] 76BB022C2FB6902FD5BDD4F78FC13A5D
C:\WINDOWS\snack\sr.sys    --a---- 73472 bytes    [18:42 20/01/2014]    [18:36 13/04/2008] 3C756678976E449CF6330781786AA48A
C:\WINDOWS\system32\dllcache\sr.sys    -----c- 73472 bytes    [02:01 07/10/2009]    [18:36 13/04/2008] 76BB022C2FB6902FD5BDD4F78FC13A5D
C:\WINDOWS\system32\drivers\sr.sys    -----c- 73472 bytes    [02:01 07/10/2009]    [18:36 13/04/2008] 3C756678976E449CF6330781786AA48A

========== file ==========

C:\WINDOWS\system32\Drivers\sr.sys - File found and opened.
MD5: 3C756678976E449CF6330781786AA48A
Created at 02:01 on 07/10/2009
Modified at 18:36 on 13/04/2008
Size: 73472 bytes
Attributes: -----c-
No version information available.

-= EOF =-
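
The comparison this SystemLook log invites, as an added example that is not part of the original thread or of any tool used in it: it parses the filefind rows, treats the dllcache and ServicePackFiles copies of sr.sys as the reference, and reports whether the copy in system32\drivers matches them. The function names and the choice of reference directories are assumptions made for this example; the sample rows are copied from the log above.

```python
import re

# Filefind rows copied from the SystemLook log in the post above.
SYSTEMLOOK_FILEFIND = r"""
Searching for "sr.sys"
C:\WINDOWS\$NtServicePackUninstall$\sr.sys    -----c- 73472 bytes    [00:14 08/10/2009]    [01:07 04/08/2004] E41B6D037D6CD08461470AF04500DC24
C:\WINDOWS\ServicePackFiles\i386\sr.sys    -----c- 73472 bytes    [18:36 13/04/2008]    [18:36 13/04/2008] 76BB022C2FB6902FD5BDD4F78FC13A5D
C:\WINDOWS\snack\sr.sys    --a---- 73472 bytes    [18:42 20/01/2014]    [18:36 13/04/2008] 3C756678976E449CF6330781786AA48A
C:\WINDOWS\system32\dllcache\sr.sys    -----c- 73472 bytes    [02:01 07/10/2009]    [18:36 13/04/2008] 76BB022C2FB6902FD5BDD4F78FC13A5D
C:\WINDOWS\system32\drivers\sr.sys    -----c- 73472 bytes    [02:01 07/10/2009]    [18:36 13/04/2008] 3C756678976E449CF6330781786AA48A
"""

# One result row: path, 7-character attribute field, size, created, modified, MD5.
ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# Assumption for this example: copies under these directories (the Windows File
# Protection cache and the service pack source files) serve as the reference.
REFERENCE_DIRS = ("\\system32\\dllcache\\", "\\servicepackfiles\\i386\\")


def parse_filefind(text):
    """Return one dict per filefind result row; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if not match:
            continue  # header line, blank line, or anything that is not a row
        entry = match.groupdict()
        entry["size"] = int(entry["size"])
        entry["md5"] = entry["md5"].upper()
        entries.append(entry)
    return entries


def is_reference(path):
    """True when the path lies under one of the assumed reference directories."""
    lowered = path.lower()
    return any(directory in lowered for directory in REFERENCE_DIRS)


def check_active_copy(entries, active_path):
    """Compare the in-use file against the reference copies found in the log."""
    active = next(
        (e for e in entries if e["path"].lower() == active_path.lower()), None
    )
    if active is None:
        raise ValueError("active path not present in the log: " + active_path)
    references = [e for e in entries if is_reference(e["path"])]
    if not references:
        raise ValueError("no reference copy present in the log")
    reference_md5s = {e["md5"] for e in references}
    return {
        "active_md5": active["md5"],
        "reference_md5s": reference_md5s,
        "matches_reference": active["md5"] in reference_md5s,
        # Size and modified time can agree with the reference while the hash differs.
        "same_size_and_mtime_as_reference": any(
            (e["size"], e["modified"]) == (active["size"], active["modified"])
            for e in references
        ),
        # Other locations holding a byte-identical copy of the in-use file.
        "other_copies_with_active_hash": sorted(
            e["path"] for e in entries
            if e["md5"] == active["md5"] and e is not active
        ),
    }


if __name__ == "__main__":
    rows = parse_filefind(SYSTEMLOOK_FILEFIND)
    report = check_active_copy(rows, r"C:\WINDOWS\system32\drivers\sr.sys")
    for key, value in report.items():
        print(key, "=", value)
```

On these rows the in-use driver has the same size and modified time as the reference copies but a different MD5, so only the hash comparison separates them.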



#42 OCD

OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 21 January 2014 - 11:17 AM

Hi mikej62,

ComboFix Script
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the code-box below into it:
FCopy::
C:\WINDOWS\$NtServicePackUninstall$\sr.sys | C:\WINDOWS\system32\Drivers\sr.sys

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, please post the C:\ComboFix.txt for further review.

=========================

Download DDS by sUBs from one of the following links and save it to your desktop.
  • Disable any script blocking protection (How to Disable your Security Programs)
    Right click and select "Run as Administrator"
  • Right click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.
In your next post please provide the following:
  • Combofix.txt
  • DDS.txt



#43 mikej62

mikej62

    Authentic Member

  • Authentic Member
  • PipPip
  • 84 posts

Posted 21 January 2014 - 12:19 PM

combofix log:

 

ComboFix 14-01-21.03 - Nashih 01/21/2014  13:08:32.7.2 - x86
Running from: c:\documents and settings\Nashih\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Nashih\Desktop\cfscript.txt
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Nashih\My Documents\~WRL0003.tmp
.
.
--------------- FCopy ---------------
.
c:\windows\$NtServicePackUninstall$\sr.sys --> c:\windows\system32\Drivers\sr.sys
.
(((((((((((((((((((((((((   Files Created from 2013-12-21 to 2014-01-21  )))))))))))))))))))))))))))))))
.
.
2014-01-20 18:42 . 2014-01-20 18:42    --------    d-----w-    c:\windows\snack
2014-01-20 17:33 . 2014-01-20 17:33    --------    d-----w-    c:\documents and settings\Administrator
2014-01-16 16:32 . 2014-01-21 18:07    --------    d-----w-    c:\windows\system32\CatRoot2
2014-01-16 16:21 . 2014-01-16 16:34    181064    ----a-w-    c:\windows\PSEXESVC.EXE
2014-01-16 16:19 . 2014-01-16 16:19    --------    d-----w-    C:\RegBackup
2014-01-16 16:18 . 2014-01-16 16:18    --------    d-----w-    c:\program files\Tweaking.com
2014-01-13 21:42 . 2014-01-13 21:42    --------    d-----w-    c:\documents and settings\Nashih\Local Settings\Application Data\VS Revo Group
2014-01-13 21:42 . 2014-01-13 21:42    --------    d-----w-    c:\documents and settings\All Users\Application Data\VS Revo Group
2014-01-13 21:42 . 2009-12-30 15:20    27064    ----a-w-    c:\windows\system32\drivers\revoflt.sys
2014-01-13 21:42 . 2014-01-13 21:42    --------    d-----w-    c:\program files\VS Revo Group
2014-01-10 19:21 . 2014-01-18 02:56    --------    d-----w-    C:\FRST
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-11-27 20:21 . 2004-08-04 01:07    40960    ------w-    c:\windows\system32\drivers\ndproxy.sys
2013-11-13 02:59 . 2004-08-04 01:07    150528    ------w-    c:\windows\system32\imagehlp.dll
2013-11-07 05:38 . 2004-08-04 01:07    591360    ----a-w-    c:\windows\system32\rpcrt4.dll
2013-11-06 01:03 . 2009-10-08 00:06    7168    ----a-w-    c:\windows\system32\xpsp4res.dll
2013-10-30 02:26 . 2004-08-04 01:07    1879040    ------w-    c:\windows\system32\win32k.sys
2013-10-29 07:57 . 2004-08-04 01:07    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-10-29 07:57 . 2004-08-04 01:07    43520    ------w-    c:\windows\system32\licmgr10.dll
2013-10-29 07:57 . 2004-08-04 01:07    18944    ------w-    c:\windows\system32\corpol.dll
2013-10-29 07:57 . 2004-08-04 01:07    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-10-29 00:45 . 2004-08-04 01:07    385024    ------w-    c:\windows\system32\html.iec
2013-10-23 23:45 . 2004-08-04 01:07    172032    ------w-    c:\windows\system32\scrrun.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-02-26 16125440]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2008-08-14 536576]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 153136]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"ICF"="c:\program files\Internet Content Filter\mfp.exe" [2010-03-09 1280016]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2011-04-05 6156336]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"50000:UDP"= 50000:UDP:IHA_MessageCenter
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2013-04-04 701512]
R2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys [x]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [2009-12-30 27064]
R3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;c:\program files\Roxio Creator 2009 Special Edition\Digital Home 11\RoxioUPnPRenderer11.exe [x]
R3 XLoader;PLEXTOR EZ-USB FX2 FIRMWARE LOADER (XLoader.sys);c:\windows\system32\Drivers\XLoader.sys [2004-09-04 13184]
S0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [2011-03-22 29832]
S2 fpUpdateSvc;Family Protection Update Service;c:\program files\Internet Content Filter\UpdateService.exe [2010-03-09 235024]
S2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [2013-09-13 350792]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-04-04 418376]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-21 50704]
S2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [2011-07-04 1201656]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-04-04 22856]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper    REG_MULTI_SZ       getPlusHelper
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-01-14 23:24    1211672    ----a-w-    c:\program files\Google\Chrome\Application\32.0.1700.76\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-01-21 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-05 17:32]
.
2014-01-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-08-11 17:24]
.
2014-01-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-08-11 17:24]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 192.168.0.1
FF - ProfilePath - c:\documents and settings\Nashih\Application Data\Mozilla\Firefox\Profiles\unz3zo6e.default\
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-RunOnce-<NO NAME> - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-01-21 13:14
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2014-01-21  13:16:25
ComboFix-quarantined-files.txt  2014-01-21 18:16
ComboFix2.txt  2014-01-13 17:07
ComboFix3.txt  2014-01-13 16:57
ComboFix4.txt  2014-01-12 19:56
.
Pre-Run: 121,955,942,400 bytes free
Post-Run: 121,957,203,968 bytes free
.
- - End Of File - - 192F520F2C2E5F1424697A52EAAD968F
8F558EB6672622401DA993E1E865C861
 

 

 

DDS log:

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 1.6.0_30
Run by Nashih at 13:17:41 on 2014-01-21
.
============== Running Processes ================
.
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Internet Content Filter\mfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Internet Content Filter\UpdateService.exe
C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uInternet Connection Wizard,ShellNext = iexplore
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [RTHDCPL] "RTHDCPL.EXE"
mRun: [SkyTel] "SkyTel.EXE"
mRun: [Samsung PanelMgr] "c:\windows\samsung\panelmgr\SSMMgr.exe" /autorun
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [NeroFilterCheck] "c:\program files\common files\ahead\lib\NeroCheck.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ICF] "c:\program files\internet content filter\mfp.exe" -noact
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
mRunOnce: [GrpConv] grpconv -o
dRunOnce: [RunNarrator] Narrator.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 192.168.1.1 192.168.0.1
TCP: Interfaces\{1FC53C2F-BC7B-4ADE-9B0F-416256927116} : DHCPNameServer = 192.168.1.1 192.168.0.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\32.0.1700.76\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\nashih\application data\mozilla\firefox\profiles\unz3zo6e.default\
FF - plugin: c:\documents and settings\nashih\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.22.3\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20913.0\npctrlui.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1165635.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_6_602_171.dll
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2014-01-20 18:42:22    --------    d-----w-    c:\windows\snack
2014-01-16 16:32:28    --------    d-----w-    c:\windows\system32\CatRoot2
2014-01-16 16:19:35    --------    d-----w-    C:\RegBackup
2014-01-16 16:18:48    --------    d-----w-    c:\program files\Tweaking.com
2014-01-13 21:42:41    --------    d-----w-    c:\documents and settings\nashih\local settings\application data\VS Revo Group
2014-01-13 21:42:29    27064    ----a-w-    c:\windows\system32\drivers\revoflt.sys
2014-01-13 21:42:29    --------    d-----w-    c:\documents and settings\all users\application data\VS Revo Group
2014-01-13 21:42:27    --------    d-----w-    c:\program files\VS Revo Group
2014-01-12 19:42:37    98816    ----a-w-    c:\windows\sed.exe
2014-01-12 19:42:37    256000    ----a-w-    c:\windows\PEV.exe
2014-01-12 19:42:37    208896    ----a-w-    c:\windows\MBR.exe
2014-01-10 19:21:03    --------    d-----w-    C:\FRST
.
==================== Find3M  ====================
.
2013-11-27 20:21:06    40960    ------w-    c:\windows\system32\drivers\ndproxy.sys
2013-11-13 02:59:42    150528    ------w-    c:\windows\system32\imagehlp.dll
2013-11-07 05:38:51    591360    ----a-w-    c:\windows\system32\rpcrt4.dll
2013-11-06 01:03:31    7168    ----a-w-    c:\windows\system32\xpsp4res.dll
2013-10-30 02:26:17    1879040    ------w-    c:\windows\system32\win32k.sys
2013-10-29 07:57:34    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-10-29 07:57:33    43520    ------w-    c:\windows\system32\licmgr10.dll
2013-10-29 07:57:33    18944    ------w-    c:\windows\system32\corpol.dll
2013-10-29 07:57:33    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-10-29 00:45:02    385024    ------w-    c:\windows\system32\html.iec
2013-10-23 23:45:49    172032    ------w-    c:\windows\system32\scrrun.dll
.
============= FINISH: 13:17:50.78 ===============
 




#44 OCD

OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 22 January 2014 - 02:20 AM

Hi mikej62,

Your logs look good. :thumbup:

Uninstall via Add/Remove Programs

  • Please go to Start > Control Panel > Add Remove Programs.
    Locate the following programs: (if present)
    • Java™ 6 Update 30
  • Click Remove and allow Windows to completely remove each one in turn.
  • Then reboot your computer to complete this part of the process.

=========================

Update Java

  • Get the current version of Java (Version 7 Update 51) by going to http://java.com/en/d...d/installed.jsp
  • Select the Verify Java Version button and follow the onscreen instructions to update if necessary.

=========================

Re-run AdwCleaner

It should be on your desktop.

  • Windows XP : Double click on the icon to run it.
  • Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished...
  • This time, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a log file report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that log file in your next reply.
  • A copy of that log file will also be saved in the C:\AdwCleaner folder.

=========================

In your next post please provide the following:


  • AdwCleaner.txt
  • How is the computer running?

OCD



#45 mikej62

mikej62

    Authentic Member

  • Authentic Member
  • PipPip
  • 84 posts

Posted 22 January 2014 - 11:02 AM

I uninstalled Java, but when I tried to download the update from the website, it says "we are unable to verify if java is currently installed and enabled in your browser".

AdwCleaner log:

# AdwCleaner v3.017 - Report created 22/01/2014 at 11:58:49
# Updated 12/01/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Nashih - HOME-7992934537
# Running from : C:\Documents and Settings\Nashih\My Documents\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files\fbphotozoom
File Deleted : C:\Documents and Settings\Nashih\Application Data\Mozilla\Firefox\Profiles\unz3zo6e.default\searchplugins\web-search.xml

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\YontooIEClient.DLL
Key Deleted : HKLM\SOFTWARE\Classes\Applications\ilividsetupv1.exe
Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Api
Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Api.1
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{5B1881D1-D9C7-46DF-B041-1E593282C7D0}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v26.0 (en-US)

[ File : C:\Documents and Settings\Nashih\Application Data\Mozilla\Firefox\Profiles\unz3zo6e.default\prefs.js ]


-\\ Google Chrome v32.0.1700.76

[ File : C:\Documents and Settings\Nashih\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [2839 octets] - [22/01/2014 11:56:24]
AdwCleaner[S0].txt - [2806 octets] - [22/01/2014 11:58:49]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2866 octets] ##########
 

