
XP, something is running slowing computer to a crawl


122 replies to this topic

#16 oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 05 August 2014 - 11:51 PM

Hi gcdi,


Something definitely has a grip on that computer. Disconnect from the internet and see if that helps stabilize the computer. If the computer is better, let me know and we can continue without the internet. Don't reconnect yet; use the other computer to post back.

If just disconnecting from the internet doesn't help, try booting to Safe Mode.

To boot to Safe Mode:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

Proud Graduate of the WTT Classroom
If you are happy with the help you received, please consider making a Donation
Curiosity didn't kill the cat. Ignorance did, curiosity was framed.
Learn how to protect Yourself

Microsoft MVP 2011-2015

Threads will be closed if no response after 5 days.



#17 gcdi

    Authentic Member

  • 119 posts

Posted 06 August 2014 - 12:13 AM

Still cannot get OTL to run, any suggestions?



#18 oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 06 August 2014 - 11:21 PM

Hi gcdi,


Will the computer eventually load?

Do you have your Windows XP CD?


#19 gcdi

    Authentic Member

  • 119 posts

Posted 06 August 2014 - 11:43 PM

Sorry, I think I got a reply in behind you.

So here's the latest: the computer will not boot in Safe Mode. It starts to, but then I can see a quick flash of the blue screen of death and the computer restarts.

I haven't tried Safe Mode with Command Prompt or Safe Mode with Networking.

I did get OTL to run, I think, but unfortunately I couldn't save the report. I got it to run by booting the computer with the router disconnected; when it started it said it needed to restart the computer, and after it restarted the report was there, a short report in which, if I remember correctly, all lines started with "Error".

So far I have not been able to get it to run again.

Yes, I do have the original CD.



#20 gcdi

    Authentic Member

  • 119 posts

Posted 06 August 2014 - 11:45 PM

Sorry, you also asked if it will load, and yes it will. I get the desktop with icons and some things will run; sometimes I can get on the internet, but OTL just starts to load and doesn't finish.



#21 oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 07 August 2014 - 11:12 PM

Hi gcdi,

Since you have the CD, it gives us a few options. We can create a boot disc to run the computer outside of Windows. From there we can either try to clean the machine or attempt to retrieve anything of importance.

Another option, if there isn't anything of value on the computer, is to wipe it clean and reinstall Windows.


#22 gcdi

    Authentic Member

  • 119 posts

Posted 08 August 2014 - 08:16 PM

I would think that there ate some things I would like to keep.

Not having much knowledge with this type of thing, would this virus affect all files or just the OS, and what about files on the other drives?



#23 gcdi

    Authentic Member

  • 119 posts

Posted 08 August 2014 - 08:17 PM

Not "ate some things" but "are some things".



#24 oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 10 August 2014 - 10:48 AM

Hi gcdi,

would this virus affect all files or just the OS and what about files on the other drives?

CryptoWall targets your data files. While the infection runs in the Windows environment, it doesn't really infect the OS. It adds its own files to be run while Windows is running. These files can be processes to download other files, communicate with the authors, etc.

Some info HERE.

what about files on the other drives?

CryptoWall will encrypt data files on network shares only if that network share is mapped as a drive letter on the infected computer. If it is not mapped as a drive letter, then CryptoWall will not encrypt any files on a network share.

It is strongly suggested that you secure all open shares by only allowing writable access to the necessary user groups or authenticated users. This is an important security principle that should be used at all times regardless of infections like CryptoWall.



#25 gcdi

    Authentic Member

  • 119 posts

Posted 10 August 2014 - 02:17 PM

Hi oldman960,

I looked at the info link and I don't recall ever receiving a message asking for $ or my files would be encrypted.

Also, I didn't understand about network shares; I was asking if it would affect all hard drives or maybe just the C drive.

So, what would you suggest I do next?




#26 oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 12 August 2014 - 03:07 AM

Hi gcdi,

Network shares are files that are on another computer which you can access from your computer. These remote computers are usually safe from this infection unless the remote computer is assigned a drive letter. The infection looks for data files, whether they are pictures, documents, etc., on any drive it finds connected to the infected computer.

We could try a more powerful tool and see if it can get the computer stabilized.

Let me know what you would like to try.


#27 gcdi

    Authentic Member

  • 119 posts

Posted 12 August 2014 - 01:36 PM

OK, I didn't have any network shares, just multiple drives on the computer in question.

Do you still think it's CryptoWall even though I don't recall getting that message?

Yes, I would be willing to try a more powerful tool, if you think that would be better than the other possibilities that you mentioned.



#28 gcdi

    Authentic Member

  • 119 posts

Posted 12 August 2014 - 01:56 PM

The computer seemed a bit better today, so I tried the last OTL fix you requested; here is the log.

 

All processes killed
Error: Unable to interpret <MOD - C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\rckonne.dll ()> in the current context!
Error: Unable to interpret <DRV - (gfmnidzs) -- C:\WINDOWS\system32\drivers\gfmnidzs.sys File not found> in the current context!
Error: Unable to interpret <IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}> in the current context!
Error: Unable to interpret <IE - HKCU\..\SearchScopes\{67D06BCF-9EF0-4D55-A736-5DBD0B58BABB}: "URL" = http://search.condui...8601233467&UM=2> in the current context!
Error: Unable to interpret <IE - HKLM\..\SearchScopes,DefaultScope = {1D0C0448-EB8B-4bc6-943B-AAC32A1C7BFC}> in the current context!
Error: Unable to interpret <IE - HKCU\..\SearchScopes,DefaultScope = {3906D159-82FC-450d-A57A-92D10437A2F5}> in the current context!
Error: Unable to interpret <[2013/06/26 12:40:28 | 000,228,503 | ---- | M] () (No name found) -- C:\Documents and Settings\MIKE\Application Data\Mozilla\Firefox\Profiles\sywhhfyw.default-1368204256093\extensions\ftd@ftd.com.xpi> in the current context!
Error: Unable to interpret <O20 - Winlogon\Notify\rckonne: DllName - (C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\rckonne.dll) - C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\rckonne.dll ()> in the current context!
Error: Unable to interpret <[2014/08/04 00:44:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\EderMevif> in the current context!
Error: Unable to interpret <[2014/08/04 00:08:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\EnaqVawci> in the current context!
Error: Unable to interpret <[2014/08/02 15:04:39 | 000,008,198 | ---- | M] () -- C:\Documents and Settings\MIKE\Local Settings\Application Data\DECRYPT_INSTRUCTION.HTML> in the current context!
Error: Unable to interpret <[2014/08/02 15:04:39 | 000,000,274 | ---- | M] () -- C:\Documents and Settings\MIKE\Local Settings\Application Data\DECRYPT_INSTRUCTION.URL> in the current context!
Error: Unable to interpret <[2014/08/02 23:54:43 | 000,000,004 | ---- | M] () -- C:\Documents and Settings\MIKE\Application Data\1233740586> in the current context!
Error: Unable to interpret <[2014/08/02 23:54:07 | 000,000,004 | ---- | M] () -- C:\Documents and Settings\MIKE\Application Data\2302247755> in the current context!
Error: Unable to interpret <[2014/07/31 09:49:07 | 000,008,198 | ---- | M] () -- C:\Documents and Settings\All Users\DECRYPT_INSTRUCTION.HTML> in the current context!
Error: Unable to interpret <[2014/07/31 09:49:07 | 000,000,274 | ---- | M] () -- C:\Documents and Settings\All Users\DECRYPT_INSTRUCTION.URL> in the current context!
Error: Unable to interpret <[2014/07/31 09:49:06 | 000,008,198 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\DECRYPT_INSTRUCTION.HTML> in the current context!
Error: Unable to interpret <[2014 /07/31 09:49:06 | 000,000,274 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\DECRYPT_INSTRUCTION.URL> in the current context!
Error: Unable to interpret <[2014/08/02 15:04:39 | 000,008,198 | ---- | C] () -- C:\Documents and Settings\MIKE\Local Settings\Application Data\DECRYPT_INSTRUCTION.HTML> in the current context!
Error: Unable to interpret <[2014/08/02 15:04:39 | 000,000,274 | ---- | C] () -- C:\Documents and Settings\MIKE\Local Settings\Application Data\DECRYPT_INSTRUCTION.URL> in the current context!
Error: Unable to interpret <[2014/08/02 14:50:27 | 000,008,198 | ---- | C] () -- C:\Documents and Settings\MIKE\Application Data\DECRYPT_INSTRUCTION.HTML> in the current context!
Error: Unable to interpret <[2014/08/02 14:50:27 | 000,000,274 | ---- | C] () -- C:\Documents and Settings\MIKE\Application Data\DECRYPT_INSTRUCTION.URL> in the current context!
Error: Unable to interpret <[2014/08/01 00:33:50 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\MIKE\Application Data\2302247755> in the current context!
Error: Unable to interpret <[2014/07/31 09:49:12 | 000,008,198 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\DECRYPT_INSTRUCTION.HTML> in the current context!
Error: Unable to interpret <[2014/07/31 09:49:12 | 000,008,198 | ---- | C] () -- C:\Documents and Settings\LocalService\Application Data\DECRYPT_INSTRUCTION.HTML> in the current context!
Error: Unable to interpret <[2014/07/31 09:49:12 | 000,000,274 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\DECRYPT_INSTRUCTION.URL> in the current context!
Error: Unable to interpret <[2014/07/31 09:49:12 | 000,000,274 | ---- | C] () -- C:\Documents and Settings\LocalService\Application Data\DECRYPT_INSTRUCTION.URL :Reg> in the current context!
Error: Unable to interpret <[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]> in the current context!
Error: Unable to interpret <"UhocMimp"=- :Files> in the current context!
Error: Unable to interpret <ipconfig /flushdns /c :Commands> in the current context!
Error: Unable to interpret <[emptytemp]> in the current context!
Error: Unable to interpret <[createrestorepoint]> in the current context!
 
OTL by OldTimer - Version 3.2.69.0 log created on 08122014_144004

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
 



#29 oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 12 August 2014 - 07:53 PM

Hi gcdi

Yes, the files that indicate CryptoWall are present. It's very possible that your security programs crippled the infection enough that it did not execute completely.

I see what happened to the OTL fix. The forum software scrambled it a bit.

Let's go about it this way then. First run the corrected OTL fix, then proceed to the next part, which will involve using ComboFix.

Next, Double click on OTL.exe

 
:Services 

:OTL
MOD - C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\rckonne.dll ()
DRV - (gfmnidzs) -- C:\WINDOWS\system32\drivers\gfmnidzs.sys File not found
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKCU\..\SearchScopes\{67D06BCF-9EF0-4D55-A736-5DBD0B58BABB}: "URL" = http://search.condui...8601233467&UM=2
IE - HKLM\..\SearchScopes,DefaultScope = {1D0C0448-EB8B-4bc6-943B-AAC32A1C7BFC}
IE - HKCU\..\SearchScopes,DefaultScope = {3906D159-82FC-450d-A57A-92D10437A2F5}
[2013/06/26 12:40:28 | 000,228,503 | ---- | M] () (No name found) -- C:\Documents and Settings\MIKE\Application Data\Mozilla\Firefox\Profiles\sywhhfyw.default-1368204256093\extensions\ftd@ftd.com.xpi
O20 - Winlogon\Notify\rckonne: DllName - (C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\rckonne.dll) - C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\rckonne.dll ()
[2014/08/04 00:44:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\EderMevif
[2014/08/04 00:08:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\EnaqVawci
[2014/08/02 15:04:39 | 000,008,198 | ---- | M] () -- C:\Documents and Settings\MIKE\Local Settings\Application Data\DECRYPT_INSTRUCTION.HTML
[2014/08/02 15:04:39 | 000,000,274 | ---- | M] () -- C:\Documents and Settings\MIKE\Local Settings\Application Data\DECRYPT_INSTRUCTION.URL
[2014/08/02 23:54:43 | 000,000,004 | ---- | M] () -- C:\Documents and Settings\MIKE\Application Data\1233740586
[2014/08/02 23:54:07 | 000,000,004 | ---- | M] () -- C:\Documents and Settings\MIKE\Application Data\2302247755
[2014/07/31 09:49:07 | 000,008,198 | ---- | M] () -- C:\Documents and Settings\All Users\DECRYPT_INSTRUCTION.HTML
[2014/07/31 09:49:07 | 000,000,274 | ---- | M] () -- C:\Documents and Settings\All Users\DECRYPT_INSTRUCTION.URL
[2014/07/31 09:49:06 | 000,008,198 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\DECRYPT_INSTRUCTION.HTML
[2014 /07/31 09:49:06 | 000,000,274 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\DECRYPT_INSTRUCTION.URL
[2014/08/02 15:04:39 | 000,008,198 | ---- | C] () -- C:\Documents and Settings\MIKE\Local Settings\Application Data\DECRYPT_INSTRUCTION.HTML
[2014/08/02 15:04:39 | 000,000,274 | ---- | C] () -- C:\Documents and Settings\MIKE\Local Settings\Application Data\DECRYPT_INSTRUCTION.URL
[2014/08/02 14:50:27 | 000,008,198 | ---- | C] () -- C:\Documents and Settings\MIKE\Application Data\DECRYPT_INSTRUCTION.HTML
[2014/08/02 14:50:27 | 000,000,274 | ---- | C] () -- C:\Documents and Settings\MIKE\Application Data\DECRYPT_INSTRUCTION.URL
[2014/08/01 00:33:50 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\MIKE\Application Data\2302247755
[2014/07/31 09:49:12 | 000,008,198 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\DECRYPT_INSTRUCTION.HTML
[2014/07/31 09:49:12 | 000,008,198 | ---- | C] () -- C:\Documents and Settings\LocalService\Application Data\DECRYPT_INSTRUCTION.HTML
[2014/07/31 09:49:12 | 000,000,274 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\DECRYPT_INSTRUCTION.URL
[2014/07/31 09:49:12 | 000,000,274 | ---- | C] () -- C:\Documents and Settings\LocalService\Application Data\DECRYPT_INSTRUCTION.URL 

:Reg
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UhocMimp"=- 

:Files
ipconfig /flushdns /c 

:Commands
[emptytemp]
[createrestorepoint]
  • Then click the Run Fix button at the top
    • Let the program run unhindered
    • Please save the resulting log to be posted in your next reply.
    • Reboot your computer
    Please post the OTL log.


    NEXT

    Please read through these instructions to familiarize yourself with what to expect when this tool runs

    Download ComboFix from one of these locations:

    Link 1

    * IMPORTANT !!! Save ComboFix.exe to your Desktop
    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    Notes:

    1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
    3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Please post back with
  • OTL fix log
  • ComboFix log
Any better?

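The files oldman960 points to above (DECRYPT_INSTRUCTION.HTML and .URL dropped into several profiles, with identical sizes and clustered timestamps) are the kind of artifact worth pulling out of an OTL listing systematically rather than by eye. The following Python is an added example, not part of the thread, of OTL, or of any tool used here: it parses OTL-style file rows (including the row whose year was split by a stray space when the forum scrambled the fix), picks out the ransom notes, and reports the earliest note per XP profile, which gives a lower bound on when encryption of that profile's data started. The sample rows are excerpted from the log posted above; the regex, helper names and the "system" label for non-profile paths are my own.

```python
"""Pull CryptoWall ransom-note artifacts out of OTL-style file listings and
order them into a per-profile timeline (added example, not from the forum)."""
import ntpath
import re
from collections import defaultdict
from datetime import datetime

# Sample input: a handful of rows excerpted from the OTL fix posted in the
# thread, including the one whose year is split by a stray space ("[2014 /07/31").
SAMPLE_LOG = r"""
[2014/08/02 15:04:39 | 000,008,198 | ---- | M] () -- C:\Documents and Settings\MIKE\Local Settings\Application Data\DECRYPT_INSTRUCTION.HTML
[2014/08/02 23:54:43 | 000,000,004 | ---- | M] () -- C:\Documents and Settings\MIKE\Application Data\1233740586
[2014/07/31 09:49:07 | 000,008,198 | ---- | M] () -- C:\Documents and Settings\All Users\DECRYPT_INSTRUCTION.HTML
[2014 /07/31 09:49:06 | 000,000,274 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\DECRYPT_INSTRUCTION.URL
[2014/08/02 14:50:27 | 000,008,198 | ---- | C] () -- C:\Documents and Settings\MIKE\Application Data\DECRYPT_INSTRUCTION.HTML
[2014/07/31 09:49:12 | 000,000,274 | ---- | C] () -- C:\Documents and Settings\LocalService\Application Data\DECRYPT_INSTRUCTION.URL
[2014/08/04 00:44:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\EderMevif
[2013/06/26 12:40:28 | 000,228,503 | ---- | M] () (No name found) -- C:\Documents and Settings\MIKE\Application Data\Mozilla\Firefox\Profiles\sywhhfyw.default-1368204256093\extensions\ftd@ftd.com.xpi
"""

# OTL file row: [YYYY/MM/DD hh:mm:ss | size | attrs | M|C] (company) -- path
# "M" rows carry the modified time, "C" rows the created time. Whitespace is
# tolerated around every separator because forum software reflows the text.
OTL_ENTRY = re.compile(
    r"^\[(\d{4})\s*/(\d{2})/(\d{2})\s+(\d{2}):(\d{2}):(\d{2})\s*\|\s*([\d,]+)"
    r"\s*\|\s*(\S{4})\s*\|\s*([MC])\]\s*(?:\([^)]*\)\s*)*--\s*(.+?)\s*$"
)
PROFILE_ROOT = re.compile(r"^[A-Za-z]:\\Documents and Settings\\([^\\]+)", re.I)
RANSOM_NOTE_STEM = "DECRYPT_INSTRUCTION"  # CryptoWall's note name (any extension)


def parse_otl_line(line):
    """Return a dict for one OTL file row, or None if the line is not one."""
    m = OTL_ENTRY.match(line.strip())
    if not m:
        return None
    y, mo, d, hh, mm, ss, size, attrs, kind, path = m.groups()
    return {
        "time": datetime(int(y), int(mo), int(d), int(hh), int(mm), int(ss)),
        "size": int(size.replace(",", "")),
        "is_dir": "D" in attrs,
        "kind": "created" if kind == "C" else "modified",
        "path": path,
    }


def is_ransom_note(path):
    """CryptoWall drops DECRYPT_INSTRUCTION.* beside the files it encrypts."""
    return ntpath.basename(path).upper().startswith(RANSOM_NOTE_STEM + ".")


def profile_of(path):
    """XP profile directory that owns the path, or None for system paths."""
    m = PROFILE_ROOT.match(path)
    return m.group(1) if m else None


def ransom_notes(log_text):
    """All parsed rows whose path is a ransom note."""
    rows = (parse_otl_line(l) for l in log_text.splitlines())
    return [r for r in rows if r and is_ransom_note(r["path"])]


def note_timeline(log_text):
    """Earliest ransom-note timestamp (created or modified) per profile,
    oldest first. The first note in a profile bounds when encryption of that
    profile's data began; paths outside a profile are grouped as "system"."""
    first = {}
    for r in ransom_notes(log_text):
        prof = profile_of(r["path"]) or "system"
        if prof not in first or r["time"] < first[prof]:
            first[prof] = r["time"]
    return sorted(first.items(), key=lambda kv: kv[1])


def note_sizes_by_extension(log_text):
    """Distinct sizes seen per note extension. A single size per extension
    means the same note body was dropped into every location."""
    sizes = defaultdict(set)
    for r in ransom_notes(log_text):
        sizes[ntpath.splitext(r["path"])[1].upper()].add(r["size"])
    return dict(sizes)


if __name__ == "__main__":
    for prof, when in note_timeline(SAMPLE_LOG):
        print(f"{when:%Y-%m-%d %H:%M:%S}  {prof}")
    print(note_sizes_by_extension(SAMPLE_LOG))
```

On the excerpt above the timeline puts All Users first (31 July, 09:49:06), LocalService six seconds later, and MIKE on 2 August, which matches the order of the rows in the posted fix; the HTML notes are all 8,198 bytes and the URL notes all 274 bytes.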

#30 gcdi

    Authentic Member

  • 119 posts

Posted 14 August 2014 - 03:57 AM

All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
Service gfmnidzs stopped successfully!
Service gfmnidzs deleted successfully!
File  C:\WINDOWS\system32\drivers\gfmnidzs.sys File not found not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{67D06BCF-9EF0-4D55-A736-5DBD0B58BABB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{67D06BCF-9EF0-4D55-A736-5DBD0B58BABB}\ not found.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
File C:\Documents and Settings\MIKE\Application Data\Mozilla\Firefox\Profiles\sywhhfyw.default-1368204256093\extensions\ftd@ftd.com.xpi not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rckonne\ not found.
File C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\rckonne.dll not found.
C:\Documents and Settings\All Users\Application Data\EderMevif folder moved successfully.
C:\Documents and Settings\All Users\Application Data\EnaqVawci folder moved successfully.
C:\Documents and Settings\MIKE\Local Settings\Application Data\DECRYPT_INSTRUCTION.HTML moved successfully.
C:\Documents and Settings\MIKE\Local Settings\Application Data\DECRYPT_INSTRUCTION.URL moved successfully.
C:\Documents and Settings\MIKE\Application Data\1233740586 moved successfully.
C:\Documents and Settings\MIKE\Application Data\2302247755 moved successfully.
C:\Documents and Settings\All Users\DECRYPT_INSTRUCTION.HTML moved successfully.
C:\Documents and Settings\All Users\DECRYPT_INSTRUCTION.URL moved successfully.
C:\Documents and Settings\All Users\Application Data\DECRYPT_INSTRUCTION.HTML moved successfully.
C:\Documents and Settings\All Users\Application Data\DECRYPT_INSTRUCTION.URL moved successfully.
File C:\Documents and Settings\MIKE\Local Settings\Application Data\DECRYPT_INSTRUCTION.HTML not found.
File C:\Documents and Settings\MIKE\Local Settings\Application Data\DECRYPT_INSTRUCTION.URL not found.
C:\Documents and Settings\MIKE\Application Data\DECRYPT_INSTRUCTION.HTML moved successfully.
C:\Documents and Settings\MIKE\Application Data\DECRYPT_INSTRUCTION.URL moved successfully.
File C:\Documents and Settings\MIKE\Application Data\2302247755 not found.
C:\Documents and Settings\LocalService\Local Settings\Application Data\DECRYPT_INSTRUCTION.HTML moved successfully.
C:\Documents and Settings\LocalService\Application Data\DECRYPT_INSTRUCTION.HTML moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Application Data\DECRYPT_INSTRUCTION.URL moved successfully.
C:\Documents and Settings\LocalService\Application Data\DECRYPT_INSTRUCTION.URL moved successfully.
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\UhocMimp not found.
========== FILES ==========
< ipconfig /flushdns /c  >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\MIKE\My Documents\Downloads\cmd.bat deleted successfully.
C:\Documents and Settings\MIKE\My Documents\Downloads\cmd.txt deleted successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: All Users
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: LocalService.NT AUTHORITY
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: MIKE
->Temp folder emptied: 859882122 bytes
->Temporary Internet Files folder emptied: 452524432 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 20492969 bytes
->Google Chrome cache emptied: 7679968 bytes
->Flash cache emptied: 34315 bytes
 
User: NetworkService
->Temp folder emptied: 205266 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: UpdatusUser
->Temp folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: UpdatusUser.GCDI-F7150E40D8
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: UpdatusUser.GCDI-F7150E40D8.000
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: UpdatusUser.GCDI-F7150E40D8.001
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 204941030 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 324942395 bytes
RecycleBin emptied: 602112 bytes
 
Total Files Cleaned = 1,785.00 mb
 
Restore point Set: OTL Restore Point
 
OTL by OldTimer - Version 3.2.69.0 log created on 08142014_014010

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\MIKE\Local Settings\Temp\etilqs_6yAQJg6w6COsJ8K not found!
File\Folder C:\Documents and Settings\MIKE\Local Settings\Temp\etilqs_ELhen5y20RWeIhu not found!
File\Folder C:\Documents and Settings\MIKE\Local Settings\Temp\etilqs_fp0J8dItkbqPaAA not found!
C:\Documents and Settings\MIKE\Local Settings\Temp\WCESLog.log moved successfully.
C:\WINDOWS\temp\fla9F.tmp moved successfully.
C:\WINDOWS\temp\flaB4.tmp moved successfully.
File\Folder C:\WINDOWS\temp\flaB7.tmp not found!
File\Folder C:\WINDOWS\temp\flaB8.tmp not found!
File\Folder C:\WINDOWS\temp\flaB9.tmp not found!
File\Folder C:\WINDOWS\temp\flaBB.tmp not found!
File\Folder C:\WINDOWS\temp\flaBC.tmp not found!
C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YVIKFRMA\blinkx_com[1].txt moved successfully.
C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YVIKFRMA\fontawesome-webfont[3].eot moved successfully.
C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YVIKFRMA\FreightSansBook[2].eot moved successfully.
C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\DN5MKT6J\HelveticaNeueLTStd[3].eot moved successfully.
C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\DN5MKT6J\vp_c[2].html moved successfully.
C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\5AMVADFT\085ccf33-946f-4fe3-8810-87f48b20edde[1].flv moved successfully.
C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\5AMVADFT\blinkx_com[1].txt moved successfully.
C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\5AMVADFT\blinkx_com[4].txt moved successfully.
C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\5AMVADFT\blinkx_com[5].txt moved successfully.
C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\5AMVADFT\FreightSansMediumSC[3].eot moved successfully.
C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\5AMVADFT\FreightSansMedium[3].eot moved successfully.
C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\19YZPE0Z\blinkx_com[3].txt moved successfully.
C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\19YZPE0Z\blinkx_com[4].txt moved successfully.
C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\19YZPE0Z\follow_button[2].html moved successfully.
C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\19YZPE0Z\FreightSansLight[2].eot moved successfully.
C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\19YZPE0Z\like[2].php moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

 

 

I think this is the correct ComboFix log but I'm not positive. After ComboFix finished and showed the log, what looked like a webpage from Health Nation opened.

There was no box to close it, right click would not work, and it would not allow the task bar to unhide, so I had to reboot.

 

ComboFix 14-08-14.02 - MIKE 08/14/2014   2:50:12.3.4 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3198.2305 [GMT -5:00]
Running from: C:\Documents and Settings\MIKE\My Documents\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\All Users\cuiquijuihib.exe
C:\Documents and Settings\All Users\fafofsukhoff.exe
C:\Documents and Settings\MIKE\Application Data\1131910924
C:\Documents and Settings\MIKE\Application Data\1233740586
C:\Documents and Settings\MIKE\Application Data\1396467839
C:\Documents and Settings\MIKE\Application Data\1396467839\disksvc.dll
C:\Documents and Settings\MIKE\Application Data\1396467839\mouseclient.dll
C:\Documents and Settings\MIKE\Application Data\1396467839\sysservice.dll
C:\Documents and Settings\MIKE\Application Data\1540959521
C:\Documents and Settings\MIKE\Application Data\1946099523
C:\Documents and Settings\MIKE\Application Data\2302247755
C:\Documents and Settings\MIKE\Application Data\4073586247
C:\Documents and Settings\MIKE\Application Data\4073586247\1272530492.js
C:\Documents and Settings\MIKE\Application Data\4073586247\210351943.js
C:\Documents and Settings\MIKE\Application Data\4073586247\manifest.json
C:\Documents and Settings\MIKE\Application Data\98132781
C:\Documents and Settings\MIKE\Application Data\98132781\1272530492.js
C:\Documents and Settings\MIKE\Application Data\98132781\210351943.js
C:\Documents and Settings\MIKE\Application Data\98132781\manifest.json
C:\END
C:\install.exe
C:\WINDOWS\system32\config\systemprofile\Application Data\c088cf6.exe
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\jakheba.dll
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\jakmiba.dll
C:\WINDOWS\wininit.ini


CLSID={73E709EA-5D93-4B2E-BBB0-99B7938DA9E4} - infected with Poweliks and removed.

(((((((((((((((((((((((((   Files Created from 2014-07-14 to 2014-08-14  )))))))))))))))))))))))))))))))


2014-08-14 08:18:10 . 2014-08-14 08:18:10    63115    ----a-w-    C:\Documents and Settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
2014-08-14 08:18:08 . 2014-08-14 08:18:10    4599    ----a-w-    C:\Documents and Settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
2014-08-14 08:18:07 . 2014-08-14 08:18:07    6429    ----a-w-    C:\Documents and Settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
2014-08-14 08:18:06 . 2014-08-14 08:18:06    8646    ----a-w-    C:\Documents and Settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS
2014-08-14 08:18:05 . 2014-08-14 08:18:05    9310    ----a-w-    C:\Documents and Settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS
2014-08-14 08:18:05 . 2014-08-14 08:18:05    5927    ----a-w-    C:\Documents and Settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS
2014-08-14 07:31:32 . 2014-08-14 07:31:32    --------    d-----w-    C:\Documents and Settings\All Users\Application Data\UpexEwudj
2014-08-09 17:26:47 . 2014-07-02 03:11:37    8217224    ----a-w-    C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{432C8C14-1084-497B-BE3D-077D2879B792}\mpengine.dll
2014-08-06 03:43:02 . 2014-08-06 03:43:02    --------    d-----w-    C:\Documents and Settings\All Users\Application Data\UppoVsip
2014-08-05 22:00:10 . 2014-08-06 02:59:47    --------    d-----w-    C:\Documents and Settings\MIKE\Application Data\Saepwoe
2014-08-05 21:56:35 . 2014-08-05 21:56:35    --------    d-----w-    C:\Documents and Settings\All Users\Application Data\EthiKuwn
2014-08-05 01:56:39 . 2014-08-05 21:22:39    --------    d-----w-    C:\Documents and Settings\MIKE\Application Data\Ebtyzau
2014-08-05 01:55:18 . 2014-08-05 01:55:18    --------    d-----w-    C:\Documents and Settings\All Users\Application Data\UrjiTopiy
2014-08-04 06:49:37 . 2014-08-04 06:56:49    --------    d-----w-    C:\Documents and Settings\MIKE\Local Settings\Application Data\browser_dir
2014-08-03 04:43:59 . 2014-08-03 04:43:59    --------    d-----w-    C:\_OTL
2014-08-02 20:09:44 . 2014-08-02 20:09:46    49088    ----a-w-    C:\WINDOWS\system32\drivers\mrckvjsi.sys
2014-08-02 19:49:56 . 2014-08-02 20:36:58    --------    d-----w-    C:\Documents and Settings\MIKE\Application Data\Nuhiveu
2014-08-02 19:38:26 . 2014-08-12 19:43:11    --------    d-----w-    C:\Documents and Settings\All Users\Application Data\UhocMimp
2014-08-01 05:35:02 . 2014-08-01 05:35:02    --------    d-----w-    C:\Documents and Settings\MIKE\Application Data\0c7610
2014-08-01 05:34:14 . 2014-08-14 08:07:25    --------    d-----w-    C:\Documents and Settings\MIKE\Local Settings\Application Data\0c7610
2014-08-01 05:22:42 . 2014-08-01 05:33:48    --------    d-----w-    C:\Documents and Settings\MIKE\Local Settings\Application Data\2085198906
2014-08-01 05:06:48 . 2014-07-02 03:11:37    8217224    ----a-w-    C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-07-31 14:48:12 . 2008-04-14 00:12:09    221184    ----a-w-    C:\WINDOWS\system32\wmpns.dll
2014-07-31 13:46:48 . 2014-07-31 13:46:48    --------    d-----w-    C:\c088cf6
2014-07-31 09:25:10 . 2014-07-31 09:25:11    --------    d-----w-    C:\Program Files\NetSurveillance
2014-07-27 19:01:33 . 2014-07-27 19:03:18    --------    d-----w-    C:\Program Files\CMS
2014-07-24 09:12:29 . 2014-07-24 09:12:35    --------    d--h--w-    C:\Documents and Settings\All Users\Application Data\{18BE06AC-473B-448E-9193-AFA952B8E90B}
.


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2014-08-14 08:15:57 . 2012-09-16 21:01:57    17488    ----a-w-    C:\WINDOWS\gdrv.sys
2014-08-14 07:27:36 . 2014-07-14 08:14:24    110296    ----a-w-    C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 18:39:52 1289000]
"EthiKuwn"="C:\Documents and Settings\All Users\Application Data\EthiKuwn\EthiKuwn.dat" [2014-08-05 21:56:35 269216]
"UpexEwudj"="C:\Documents and Settings\All Users\Application Data\UpexEwudj\UpexEwudj.dat" [2014-08-14 07:31:32 266240]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 00:12:16 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-10-16 05:59:08 18782720]
"NUSB3MON"="C:\Program Files\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2009-09-25 14:59:18 106496]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-07-23 06:25:30 28160]
"JMB36X IDE Setup"="C:\WINDOWS\RaidTool\xInsIDE.exe" [2007-03-20 06:36:18 36864]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe" [2005-03-08 04:42:09 176128]
"CTxfiHlp"="CTXFIHLP.EXE" [2010-05-06 00:56:42 25600]
"ContentTransferWMDetector.exe"="C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2009-11-19 23:15:46 583016]
"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 16:57:26 959904]
"36X Raid Configurer"="C:\WINDOWS\system32\xRaidSetup.exe" [2009-08-26 08:49:48 1970176]
"EasyTuneV"="C:\Program Files\Gigabyte\ET5\ETcall.exe" [2007-08-14 19:10:12 20480]
"tsnp2std"="C:\WINDOWS\tsnp2std.exe" [2007-08-31 15:48:28 262144]
"ADSK DLMSession"="C:\Program Files\Common Files\Autodesk Shared\Autodesk Download Manager\DLMSession.exe" [2012-05-16 00:56:08 1632216]
"NvMediaCenter"="NvMCTray.dll" [2013-06-21 09:54:09 223008]
"Nvtmru"="C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe" [2013-05-16 14:44:05 1012000]
"MSC"="c:\Program Files\Microsoft Security Client\msseces.exe" [2013-06-20 22:25:44 995176]
"APSDaemon"="C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 02:43:52 59720]
"SDTray"="C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe" [2013-07-25 16:19:26 5624784]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2013-06-21 09:54:10 15677728]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2013-05-01 08:59:04 421888]
"BCU"="C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe" [2009-08-04 22:29:52 346320]
"snp2std"="C:\WINDOWS\vsnp2std.exe" [2007-08-07 18:49:18 348160]
"FixCamera"="C:\WINDOWS\FixCamera.exe" [2007-07-11 21:09:48 20480]

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
ezoxid.exe [2014-8-4 303266]
ifvai.exe [2014-7-31 307232]
taid.exe [2014-8-2 305269]
wolea.exe [2014-8-5 302329]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
duusak.exe [2014-8-5 302329]
egciot.exe [2014-8-2 305269]
ezru.exe [2014-7-31 307232]
itizew.exe [2014-8-4 303266]

C:\Documents and Settings\UpdatusUser.GCDI-F7150E40D8.001\Start Menu\Programs\Startup\
ahekyl.exe [2014-8-5 302329]
avqo.exe [2014-8-4 303266]
evuwyq.exe [2014-7-31 307232]
olke.exe [2014-8-2 305269]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0\0sdnclean.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHELPER
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"E:\\Program Files\\TmUnitedForever\\TmForever.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Codemasters\\GRID\\GRID.exe"=
"C:\\Program Files\\Codemasters\\DiRT\\DiRT.exe"=
"E:\\Program Files\\Activision Value\\Baja 1000\\Baja.exe"=
"C:\\Program Files\\real\\realplayer\\realplay.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\Codemasters\\FUEL\\FUEL.exe"=
"C:\\Program Files\\Electronic Arts\\Need for Speed ProStreet\\nfs.exe"=
"C:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"C:\\Program Files\\Atari\\TDU2\\UpLauncher.exe"=
"C:\\Program Files\\Atari\\TDU2\\TestDrive2.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2011b\\RpcAgentSrv.exe"=
"C:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Gigabyte\\@BIOS\\gwflash.exe"=
"C:\\Program Files\\Gigabyte\\ET5\\update.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
"C:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"C:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
"C:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"C:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"C:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
"E:\\Program Files\\steam\\Steam.exe"=
"E:\\Program Files\\steam\\SteamApps\\common\\RIDGE RACER Driftopia\\RIDGE RACER Driftopia_46358301.exe"=
"E:\\Program Files\\steam\\SteamApps\\common\\GTI Racing\\GTIRacing.exe"=
"C:\\Program Files\\Activision\\Blur™\\Blur.exe"=
"C:\\Program Files\\Electronic Arts\\SHIFT 2 UNLEASHED\\shift2u.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2011b\\WNt500x86\\RpcSandraSrv.exe"=
"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"=
"\\??\\C:\\WINDOWS\\system32\\winlogon.exe"=
"C:\\Program Files\\CMS\\CMS.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3074:TCP"= 3074:TCP:fuel
"3074:UDP"= 3074:UDP:fuel
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 pe3ah4nc;DiRT Environment Driver (pe3ah4nc);C:\WINDOWS\system32\drivers\pe3ah4nc.sys [5/18/2007 2:53:01 PM 64880]
R0 ps6ah4nc;DiRT Synchronization Driver (ps6ah4nc);C:\WINDOWS\system32\drivers\ps6ah4nc.sys [5/18/2007 2:52:38 PM 55160]
R2 BCUService;Browser Configuration Utility Service;C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe [10/24/2011 3:50:07 AM 219360]
R2 ES lite Service;ES lite Service for program management.;C:\Program Files\Gigabyte\EasySaver\essvr.exe [3/26/2010 11:52:48 PM 68136]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;C:\WINDOWS\system32\drivers\RtNdPt5x.sys [10/24/2011 3:39:29 AM 22016]
R3 CT20XUT.SYS;CT20XUT.SYS;C:\WINDOWS\system32\drivers\CT20XUT.sys [6/4/2009 3:46:34 AM 171096]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;C:\WINDOWS\system32\drivers\CTEXFIFX.sys [6/4/2009 3:46:56 AM 1324120]
R3 CTHWIUT.SYS;CTHWIUT.SYS;C:\WINDOWS\system32\drivers\CTHWIUT.sys [6/4/2009 3:46:42 AM 72792]
R3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;C:\WINDOWS\system32\drivers\nusb3hub.sys [9/25/2009 9:57:36 AM 56576]
R3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;C:\WINDOWS\system32\drivers\nusb3xhc.sys [9/25/2009 9:57:40 AM 138240]
S1 kgcidxyp;kgcidxyp;\??\C:\WINDOWS\system32\drivers\kgcidxyp.sys --> C:\WINDOWS\system32\drivers\kgcidxyp.sys [?]
S2 pr2ah4nc;DiRT Drivers Auto Removal (pr2ah4nc);C:\WINDOWS\system32\pr2ah4nc.exe svc --> C:\WINDOWS\system32\pr2ah4nc.exe svc [?]
S2 SDScannerService;Spybot-S&D 2 Scanner Service;C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe [10/29/2013 11:46:28 PM 3921880]
S2 SDUpdateService;Spybot-S&D 2 Updating Service;C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe [10/29/2013 11:46:38 PM 1042272]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe [10/29/2013 11:46:40 PM 171416]
S3 Ambfilt;Ambfilt;C:\WINDOWS\system32\drivers\Ambfilt.sys [3/26/2010 11:53:27 PM 1684736]
S3 AODDriver;AODDriver;\??\C:\Program Files\GIGABYTE\ET6\i386\AODDriver.sys --> C:\Program Files\GIGABYTE\ET6\i386\AODDriver.sys [?]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [5/31/2011 3:08:51 AM 79360]
S3 CT20XUT;CT20XUT;C:\WINDOWS\system32\drivers\CT20XUT.sys [6/4/2009 3:46:34 AM 171096]
S3 CTEXFIFX;CTEXFIFX;C:\WINDOWS\system32\drivers\CTEXFIFX.sys [6/4/2009 3:46:56 AM 1324120]
S3 CTHWIUT;CTHWIUT;C:\WINDOWS\system32\drivers\CTHWIUT.sys [6/4/2009 3:46:42 AM 72792]
S3 etdrv;etdrv;C:\WINDOWS\etdrv.sys [3/27/2010 2:02:59 AM 17488]
S3 GVTDrv;GVTDrv;C:\WINDOWS\system32\drivers\GVTDrv.sys [3/27/2010 12:10:16 AM 24944]
S3 MarkFun_NT;MarkFun_NT;C:\Program Files\Gigabyte\ET5\MARKFUN.W32 [9/28/2012 4:31:52 PM 17912]
S3 mosuport;USB Serial/Parallel Ports;C:\WINDOWS\system32\DRIVERS\mosuport.sys --> C:\WINDOWS\system32\DRIVERS\mosuport.sys [?]
S3 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe [4/16/2013 3:07:08 AM 39056]
S3 RemoteControl-USBLAN;RemoteControl-USBLAN;C:\WINDOWS\system32\drivers\rcblan.sys [3/28/2010 1:46:16 PM 39704]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;C:\WINDOWS\system32\drivers\RTLTEAMING.SYS [10/24/2011 3:39:35 AM 29440]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;C:\WINDOWS\system32\drivers\RTLVLAN.SYS [9/16/2012 3:37:34 AM 17536]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2011b\RpcAgentSrv.exe [1/24/2011 2:47:43 AM 93848]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - WS2IFSL

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-07-18 18:31:35    1104200    ----a-w-    C:\Program Files\Google\Chrome\Application\36.0.1985.125\Installer\chrmstp.exe

Contents of the 'Scheduled Tasks' folder

2014-07-15 C:\WINDOWS\Tasks\Check for updates (Spybot - Search & Destroy).job
- C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe [2013-10-30 04:46:38 . 2013-09-20 15:57:22]

2014-07-15 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2010-05-25 06:34:02 . 2010-05-25 06:33:58]

2014-07-15 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2010-05-25 06:34:02 . 2010-05-25 06:33:58]

2014-07-15 C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1085031214-2000478354-839522115-1003Core1cc6f98ed6cb1dc.job
- C:\Documents and Settings\MIKE\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-27 22:31:45 . 2011-05-27 22:31:44]

2014-07-15 C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1085031214-2000478354-839522115-1003UA.job
- C:\Documents and Settings\MIKE\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-27 22:31:45 . 2011-05-27 22:31:44]

2014-07-15 C:\WINDOWS\Tasks\HP Photo Creations Communicator.job
- C:\Documents and Settings\All Users\Application Data\HP Photo Creations\Communicator.exe [2013-03-11 11:47:21 . 2013-03-11 11:47:21]

2014-08-14 C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\Program Files\Microsoft Security Client\MpCmdRun.exe [2013-06-20 23:05:14 . 2013-06-20 23:05:14]

2014-07-15 C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
- C:\WINDOWS\system32\xp_eos.exe [2014-03-27 06:55:42 . 2014-02-26 01:59:05]

2014-07-15 C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
- C:\WINDOWS\system32\xp_eos.exe [2014-03-27 06:55:42 . 2014-02-26 01:59:05]

2014-07-15 C:\WINDOWS\Tasks\RealDownloaderDownloaderScheduledTaskS-1-5-21-1085031214-2000478354-839522115-1003.job
- C:\Program Files\RealNetworks\RealDownloader\recordingmanager.exe [2013-04-16 08:09:06 . 2013-04-16 08:09:06]

2014-07-15 C:\WINDOWS\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-1085031214-2000478354-839522115-1003.job
- C:\Program Files\RealNetworks\RealDownloader\realupgrade.exe [2013-04-16 08:07:10 . 2013-04-16 08:07:10]

2014-07-15 C:\WINDOWS\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-1085031214-2000478354-839522115-1003.job
- C:\Program Files\RealNetworks\RealDownloader\realupgrade.exe [2013-04-16 08:07:10 . 2013-04-16 08:07:10]

2014-07-15 C:\WINDOWS\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-1085031214-2000478354-839522115-1003.job
- C:\Program Files\Real\RealUpgrade\realupgrade.exe [2013-04-16 17:45:42 . 2013-04-16 17:45:42]

2014-07-15 C:\WINDOWS\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-1085031214-2000478354-839522115-1003.job
- C:\Program Files\Real\RealUpgrade\realupgrade.exe [2013-04-16 17:45:42 . 2013-04-16 17:45:42]

2014-07-15 C:\WINDOWS\Tasks\RealUpgradeLogonTaskS-1-5-21-1085031214-2000478354-839522115-1003.job
- C:\Program Files\Real\RealUpgrade\realupgrade.exe [2013-04-16 17:45:42 . 2013-04-16 17:45:42]

2014-07-15 C:\WINDOWS\Tasks\RealUpgradeScheduledTaskS-1-5-21-1085031214-2000478354-839522115-1003.job
- C:\Program Files\Real\RealUpgrade\realupgrade.exe [2013-04-16 17:45:42 . 2013-04-16 17:45:42]

2014-07-15 C:\WINDOWS\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- C:\Program Files\Spybot - Search & Destroy 2\SDImmunize.exe [2013-10-30 04:46:32 . 2013-09-20 15:49:14]

2014-07-15 C:\WINDOWS\Tasks\Scan the system (Spybot - Search & Destroy).job
- C:\Program Files\Spybot - Search & Destroy 2\SDScan.exe [2013-10-30 04:46:32 . 2013-09-20 15:51:08]

2014-07-15 C:\WINDOWS\Tasks\User_Feed_Synchronization-{7256C714-F702-4676-8958-FD1AD3CD13D2}.job
- C:\WINDOWS\system32\msfeedssync.exe [2007-08-13 23:36:40 . 2009-03-08 09:31:54]


------- Supplementary Scan -------

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = <local>
Trusted Zone: $talisma_url$
Trusted Zone: gigabyte.us\www
TCP: DhcpNameServer = 192.168.1.254
DPF: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
DPF: {01025D1C-BB03-4369-8344-732CD0DCCCF0} - hxxp://www.geforce.com/services_toolkit/ShimGen/1.1.28.1/GPU_Reader.cab
DPF: {714E667D-360C-4BFB-8C1A-E4812B608CC1} - hxxp://service.samsungportal.com/EP/web/common/cabfiles/ACUBETrustChecker.cab
DPF: {E705A591-DA3C-4228-B0D5-A356DBA42FBF} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/20015/CTSUEng.cab
FF - ProfilePath - C:\Documents and Settings\MIKE\Application Data\Mozilla\Firefox\Profiles\rkflthgg.default-1407273293984\

- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
WebBrowser-{5043442D-472D-5637-00A7-7A786E7484D7} - (no file)
HKCU-Run-EA Core - C:\Program Files\Electronic Arts\EADM\Core.exe
HKCU-Run-Akamai NetSession Interface - C:\Documents and Settings\MIKE\Local Settings\Application Data\Akamai\netsession_win.exe
HKCU-Run-ISUSPM - C:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe
HKCU-Run-Myyfamukbe - C:\Documents and Settings\MIKE\Application Data\Ebtyzau\wuwuiv.exe
HKCU-Run-Uvolgiam - C:\Documents and Settings\MIKE\Application Data\Saepwoe\elewka.exe
Notify-SDWinLogon - SDWinLogon.dll
MSConfigStartUp-CTFMON - (no file)
AddRemove-{C9BED750-1211-4480-B1A5-718A3BE15525} - C:\Program Files\InstallShield Installation Information\{C9BED750-1211-4480-B1A5-718A3BE15525}\Setup.Exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-08-14 03:18:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MarkFun_NT]
"ImagePath"="\??\C:\Program Files\Gigabyte\ET5\markfun.w32"

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]
@DACL=(02 0000)
"DWQueuedReporting"="\"c:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""
"IsemhAwixp"="regsvr32.exe \"C:\\Documents and Settings\\All Users\\Application Data\\IsemhAwixp\\IsemhAwixp.dat\""

[HKEY_USERS\S-1-5-21-1085031214-2000478354-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@C:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_152_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="C:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_152_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\*]
@Allowed: (Read) (Administrators)

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3400)
C:\WINDOWS\system32\WININET.dll
C:\WINDOWS\IME\SPGRMR.DLL
C:\WINDOWS\system32\msi.dll
C:\Program Files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
C:\PROGRA~1\WINDOW~2\wmpband.dll
C:\WINDOWS\system32\ieframe.dll
C:\WINDOWS\system32\webcheck.dll
C:\WINDOWS\system32\WPDShServiceObj.dll
C:\WINDOWS\system32\PortableDeviceTypes.dll
C:\WINDOWS\system32\PortableDeviceApi.dll

------------------------ Other Running Processes ------------------------

c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Google\Update\1.3.24.15\GoogleCrashHandler.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Gigabyte\ET5\GUI.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

**************************************************************************

Completion time: 2014-08-14  04:03:31 - machine was rebooted
ComboFix-quarantined-files.txt  2014-08-14 09:03:26
ComboFix2.txt  2014-07-31 13:49:12
ComboFix3.txt  2011-05-25 07:16:33

Pre-Run: 866,408,722,432 bytes free
Post-Run: 866,701,197,312 bytes free

- - End Of File - - 652D48BD417C4C2279E199F4EDEBEBCC
8F558EB6672622401DA993E1E865C861