JS/TrojanDownloader.HackLoad.AG trojan

This is a discussion on JS/TrojanDownloader.HackLoad.AG trojan within the Resolved HJT Threads forums, part of the Tech Support Forum category.


 
 
Old 02-10-2016, 10:02 PM   #1
Registered Member
 
Join Date: Jul 2009
Posts: 54
OS: XP



Hi,
While searching pictures on Google Images I clicked "Visit Page", which I had done numerous times before without any problems. Eset NOD32 popped up and terminated the connection with these messages:

2/5/2016 5:26:55 PM Real-time file system protection file C:\Documents and Settings\Falko\Local Settings\Application Data\Mozilla\Firefox\Profiles\ex9wq5lh.default\cache2\entries\49B1EE37AB881213A038E82B6345B2F8BDADEA0F JS/TrojanDownloader.HackLoad.AG trojan cleaned by deleting FALKOPC\Falko Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe (9023C4288359CAA15A234CA22EFD0EAFB5474FB7). 5531A504B11E97CE848D5C7F2A3C0F35E6E72874

2/5/2016 5:26:34 PM HTTP filter file hxxp://oldwww.nyugatijelen.com/2001/2001. aprilis/april. 18 szerda/jelen.htm JS/TrojanDownloader.HackLoad.AG trojan connection terminated FALKOPC\Falko Threat was detected upon access to web by the application: C:\Program Files\Mozilla Firefox\firefox.exe (9023C4288359CAA15A234CA22EFD0EAFB5474FB7). 75E33E05B8437996C1657B70DFD1BA3921E3AB23

I have the Firefox NoScript add-on installed and it was active at the time.

I have not experienced any major issues so far, but there have been a few instances that seem suspicious, like when temporarily allowing Javascript through NoScript and a Windows window popping up with a "Resend" message or a background application (acrotray.exe) shutting down.
My concern is I'll be in trouble when I restart Firefox or the computer.
Thank you.
Here is the dds:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 11.66.2
Run by Falko at 23:49:22 on 2016-02-10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1198 [GMT -6:00]
.
AV: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
============== Running Processes ================
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroTray.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.8.0_66\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre1.8.0_66\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil32_20_0_0_267_Plugin.exe -update plugin
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 192.168.254.254
TCP: Interfaces\{D3284116-E7EA-4273-B08F-23EA62503736} : DHCPNameServer = 192.168.254.254
Notify: AtiExtEvent - Ati2evxx.dll
LSA: Authentication Packages = msv1_0 relog_ap
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\falko\application data\mozilla\firefox\profiles\ex9wq5lh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.siasl.org/
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre1.8.0_66\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre1.8.0_66\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\winamp detect\npwachk.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_20_0_0_267.dll
FF - ExtSQL: !HIDDEN! 2011-01-03 18:49; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-7-29 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2010-8-3 95896]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2010-11-4 810144]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2010-1-21 110592]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
R3 busbcrw;USB Card Reader Writer driver;c:\windows\system32\drivers\busbcrw.sys [2008-12-17 16896]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2010-10-13 11520]
S2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes anti-malware\mbamscheduler.exe [2014-6-29 1871160]
S2 MBAMService;MBAMService;c:\program files\malwarebytes anti-malware\mbamservice.exe [2014-6-29 969016]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-16 23256]
.
=============== Created Last 30 ================
.
2016-01-15 19:12:59 392136 ----a-w- c:\program files\mozilla firefox\firefox.exe
2016-01-15 19:12:59 329672 ----a-w- c:\program files\mozilla firefox\freebl3.dll
2016-01-15 19:12:59 189896 ----a-w- c:\program files\mozilla firefox\gmp-clearkey\0.1\clearkey.dll
2016-01-15 19:12:58 3466856 ----a-w- c:\program files\mozilla firefox\d3dcompiler_47.dll
2016-01-15 19:12:58 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2016-01-15 19:12:55 282568 ----a-w- c:\program files\mozilla firefox\crashreporter.exe
2016-01-15 19:12:53 57288 ----a-w- c:\program files\mozilla firefox\browser\components\browsercomps.dll
2016-01-15 19:12:49 109000 ----a-w- c:\program files\mozilla firefox\breakpadinjector.dll
2016-01-15 19:12:42 19912 ----a-w- c:\program files\mozilla firefox\AccessibleMarshal.dll
.
==================== Find3M ====================
.
2016-01-05 01:48:18 95840 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2016-01-05 01:48:05 146432 ----a-w- c:\windows\system32\javacpl.cpl
2016-01-05 01:39:13 796864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2016-01-05 01:39:13 142528 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 23:49:57.47 ===============
Attached Files
File Type: txt attach.txt (19.8 KB, 33 views)
No-Know is offline  
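The two NOD32 lines quoted above carry everything needed to triage the event: the scanner module that fired, the object (a Firefox cache entry and the URL it came from), the action ESET took, and the SHA-1 of the process that triggered it. The following is an added example, not code from the thread or from ESET, that parses those two lines, orders them chronologically and gives each a verdict. The log lines embedded in it are copied from the first post; the verdict labels and the assumption that a `cache2\entries` object is a browser cache entry rather than a file on disk are the example's own.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# The two ESET NOD32 log lines quoted in the first post (copied from the thread).
ESET_LOG = r"""
2/5/2016 5:26:55 PM Real-time file system protection file C:\Documents and Settings\Falko\Local Settings\Application Data\Mozilla\Firefox\Profiles\ex9wq5lh.default\cache2\entries\49B1EE37AB881213A038E82B6345B2F8BDADEA0F JS/TrojanDownloader.HackLoad.AG trojan cleaned by deleting FALKOPC\Falko Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe (9023C4288359CAA15A234CA22EFD0EAFB5474FB7). 5531A504B11E97CE848D5C7F2A3C0F35E6E72874
2/5/2016 5:26:34 PM HTTP filter file hxxp://oldwww.nyugatijelen.com/2001/2001. aprilis/april. 18 szerda/jelen.htm JS/TrojanDownloader.HackLoad.AG trojan connection terminated FALKOPC\Falko Threat was detected upon access to web by the application: C:\Program Files\Mozilla Firefox\firefox.exe (9023C4288359CAA15A234CA22EFD0EAFB5474FB7). 75E33E05B8437996C1657B70DFD1BA3921E3AB23
""".strip().splitlines()

# One ESET event line: timestamp, scanner module, "file", object (path or URL),
# threat name, action taken, user, free-text detail. The object may contain
# spaces, so it is matched non-greedily and must start like a path or a URL.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<module>.+?) file "
    r"(?P<obj>(?:[A-Za-z]:\\|hxxps?://|https?://).+?) "
    r"(?P<threat>\S+ (?:trojan|virus|worm|application)) "
    r"(?P<action>cleaned by deleting|connection terminated|deleted|quarantined) "
    r"(?P<user>\S+) (?P<detail>.*)$"
)
# "...by the application: <path> (<SHA-1>)" inside the detail text.
APP_RE = re.compile(r"application: (?P<path>.+?) \((?P<sha1>[0-9A-F]{40})\)")


@dataclass
class Detection:
    when: datetime
    module: str
    obj: str
    threat: str
    action: str
    user: str
    app_path: Optional[str]
    app_sha1: Optional[str]


def parse_line(line: str) -> Optional[Detection]:
    """Parse one ESET log line; return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    app = APP_RE.search(m.group("detail"))
    return Detection(
        when=datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S %p"),
        module=m.group("module"),
        obj=m.group("obj"),
        threat=m.group("threat"),
        action=m.group("action"),
        user=m.group("user"),
        app_path=app.group("path") if app else None,
        app_sha1=app.group("sha1") if app else None,
    )


def parse_eset_log(lines: List[str]) -> List[Detection]:
    """Parse all recognisable lines and return them in chronological order."""
    events = [d for d in (parse_line(l) for l in lines) if d is not None]
    return sorted(events, key=lambda d: d.when)


def triage(d: Detection) -> str:
    """Verdict labels are this example's own, not ESET terminology."""
    if d.module == "HTTP filter" and d.action == "connection terminated":
        return "blocked-in-transit"          # the download never completed
    if "\\cache2\\entries\\" in d.obj and d.action == "cleaned by deleting":
        return "cleaned-from-browser-cache"  # cached copy removed, not a file the user ran
    if d.action in ("cleaned by deleting", "deleted", "quarantined"):
        return "removed"
    return "needs-review"


def summarize(lines: List[str]) -> List[str]:
    """One line per event: time, verdict, threat and the process that triggered it."""
    return [
        f"{d.when:%Y-%m-%d %H:%M:%S} {triage(d):<27} {d.threat} via {d.app_path} ({d.app_sha1})"
        for d in parse_eset_log(lines)
    ]


if __name__ == "__main__":
    for row in summarize(ESET_LOG):
        print(row)
```

Sorting by timestamp puts the HTTP filter event (5:26:34 PM) before the file-system event (5:26:55 PM): the connection to the page was cut first, and the cache entry Firefox had already written was then deleted. Both actions are blocks, and the only process involved is firefox.exe itself, which is what the helper's "NOD32 was just doing its job" reply rests on.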
 
Old 02-14-2016, 03:12 PM   #2
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello and Welcome to TSF.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Not sure what your concern is here. Not all images on Google are safe. NOD32 was just doing its job.

------------------------------------------------------

Please download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Scan
  • Once the Scan is done, select Cleaning
  • Once done it will ask to reboot, please allow the reboot.
  • On reboot, a log will be produced. It can also be found at C:\AdwCleaner\AdwCleaner[C#].txt
  • Please copy/paste the contents of the log in your next reply.
------------------------------------------------------

Check for additional security risks:
  • Please download CKScanner by askey127 and save it to your desktop.
  • Double-click on CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File. You will be prompted, just click OK.
  • Post the contents of ckfiles.txt in your next reply. It is located on your desktop.
------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 02-14-2016, 10:39 PM   #3
Registered Member
 
Join Date: Jul 2009
Posts: 54
OS: XP



Hi chemist,
Thanks for your help.
My concern is, based on some atypical PC behavior, that something may have snuck by NOD32 and do serious damage after a restart.
Thanks again for your help.

Here is the AdwCleaner log:

# AdwCleaner v5.033 - Logfile created 15/02/2016 at 00:10:31
# Updated 07/02/2016 by Xplode
# Database : 2016-02-07.2 [Server]
# Operating system : Microsoft Windows XP Service Pack 3 (x86)
# Username : Falko - FALKOPC
# Running from : C:\Documents and Settings\Falko\Desktop\AdwCleaner.exe
# Option : Cleaning
# Support : ToolsLib - Forum: Ask for help or share your experience.

***** [ Services ] *****


***** [ Folders ] *****

[-] Folder Deleted : C:\Documents and Settings\Falko\Application Data\OpenCandy

***** [ Files ] *****


***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKCU\Software\distromatic
[-] Key Deleted : HKCU\Software\YahooPartnerToolbar

***** [ Web browsers ] *****


*************************

:: "Tracing" keys removed
:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [867 bytes] ##########

Here is the ckfile:

CKScanner 2.5 - Additional Security Risks - These are not necessarily bad
c:\documents and settings\falko\my documents\docs\new folder\fuckall\welcome to vietcrack homepage.url
c:\documents and settings\falko\my documents\docs\new folder\fuckall\computer - web\google search faq groupalt.test.two.url
c:\downloads\kmspico9.3.3links.txt
----- EOF -----
No-Know is offline  
 
Old 02-15-2016, 12:58 PM   #4
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello No-Know. AdwCleaner didn't find much, so I don't think you have anything to worry about.

NOD32 is also very reliable. We'll look though.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Please download ComboFix and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

Disable all antivirus and antispyware programs. Get help here

Double-click ComboFix.exe and follow the prompts to run it.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  • With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
  • It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Recovery Console is installed, this blue window will appear:


  • Please click Yes to continue scanning for malware.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done.
  • ComboFix may reboot your machine. This is normal.
  • When the tool is finished, it will produce a log for you.

Please post that log, C:\ComboFix.txt, in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------
chemist is offline  
Old 02-15-2016, 08:00 PM   #5
Registered Member
 
Join Date: Jul 2009
Posts: 54
OS: XP



Hi chemist,
Thanks for your quick reply. I ran ComboFix, but if there is nothing suspicious I'd be happy to mark the thread as solved.
Thanks a lot, No-Know

This is the ComboFix log:

ComboFix 16-02-15.01 - Falko 02/15/2016 21:39:37.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1087 [GMT -6:00]
Running from: c:\documents and settings\Falko\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Falko\My Documents\~WRL0003.tmp
c:\documents and settings\Falko\My Documents\~WRL1515.tmp
c:\documents and settings\Falko\My Documents\~WRL2510.tmp
c:\documents and settings\Falko\My Documents\~WRL3763.tmp
.
.
((((((((((((((((((((((((( Files Created from 2016-01-16 to 2016-02-16 )))))))))))))))))))))))))))))))
.
.
2016-02-15 06:06 . 2016-02-15 06:10 -------- d-----w- C:\AdwCleaner
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2016-02-15 06:12 . 2014-06-30 03:57 114904 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2016-01-05 01:48 . 2014-04-21 15:16 95840 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2016-01-05 01:48 . 2015-03-23 03:08 146432 ----a-w- c:\windows\system32\javacpl.cpl
2016-01-05 01:39 . 2012-03-31 01:44 796864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2016-01-05 01:39 . 2011-05-23 22:04 142528 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-31 2595616]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-31 909208]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-31 140568]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-11-04 2219184]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-12-21 959904]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2015-11-09 596528]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2010-1-21 2057536]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe View=show_in_tray
.

View=show_in_tray [2010-1-21 9136960]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\Program Files\\NewsBin\\newsbinpro.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/21/2008 3:05 PM 436792]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [7/29/2010 12:31 PM 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [8/3/2010 12:28 PM 95896]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [11/4/2010 5:15 PM 810144]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [1/21/2010 3:24 PM 110592]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 7:58 AM 20480]
R3 busbcrw;USB Card Reader Writer driver;c:\windows\system32\drivers\busbcrw.sys [12/17/2008 10:19 AM 16896]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [10/13/2010 11:53 AM 11520]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes Anti-Malware\mbamscheduler.exe [6/29/2014 9:51 PM 1871160]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes Anti-Malware\mbamservice.exe [6/29/2014 9:51 PM 969016]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/16/2011 3:52 PM 23256]
.
Contents of the 'Scheduled Tasks' folder
.
2016-02-15 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Logon.job
- c:\windows\system32\xp_eos.exe [2014-04-08 01:59]
.
2016-02-08 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
- c:\windows\system32\xp_eos.exe [2014-04-08 01:59]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.254.254
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - ProfilePath - c:\documents and settings\Falko\Application Data\Mozilla\Firefox\Profiles\ex9wq5lh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.siasl.org/
FF - ExtSQL: !HIDDEN! 2011-01-03 18:49; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2016-02-15 21:46
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_17_0_0_190_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_17_0_0_190_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\|"|w*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(864)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(920)
c:\windows\system32\relog_ap.dll
.
Completion time: 2016-02-15 21:48:47
ComboFix-quarantined-files.txt 2016-02-16 03:48
.
Pre-Run: 64,853,458,944 bytes free
Post-Run: 64,934,105,088 bytes free
.
- - End Of File - - 4AF3EAE58A8F1B1CF7B7B18A0F6CB95B
8F558EB6672622401DA993E1E865C861
No-Know is offline  
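The detail the helper picks up on in the next reply sits in the "Reg Loading Points" part of this ComboFix log: `"EnableFirewall"= 0 (0x0)` under the standard firewall profile, followed by the list of applications that were granted exceptions. The following is an added example, not code from the thread or from ComboFix, that reads that block out of the log text and reports the firewall state and the exception list. The log excerpt inside it is copied from the post above; the second, firewall-enabled excerpt is constructed for comparison, and the reading of `HKLM\~\services` as `HKLM\SYSTEM\CurrentControlSet\Services` follows the key path used in the helper's fix.reg.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Firewall policy section copied from the ComboFix log posted above. ComboFix
# abbreviates HKLM\SYSTEM\CurrentControlSet\Services as HKLM\~\services
# (the full path appears in the helper's fix.reg).
COMBOFIX_EXCERPT = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\Program Files\\NewsBin\\newsbinpro.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
"""

# Constructed variant of the same section with the firewall switched on.
ENABLED_EXCERPT = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 1 (0x1)
.
"""

# The .reg fix given later in the thread; REGEDIT4 is the header Windows XP expects.
FIX_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001
"""

PROFILE_KEY = r"hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"
SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.*)$')


def parse_reg_dump(text: str) -> Dict[str, Dict[str, str]]:
    """Group '"name"= value' lines under the [key] that precedes them (keys lower-cased)."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":        # ComboFix prints "." as a blank separator
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key").lower()
            sections.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group("name")] = m.group("value").strip()
    return sections


def dword(value: str) -> Optional[int]:
    """'0 (0x0)' -> 0; None when the value is absent or not numeric."""
    parts = value.split()
    head = parts[0] if parts else ""
    if re.fullmatch(r"0x[0-9a-fA-F]+", head):
        return int(head, 16)
    if re.fullmatch(r"\d+", head):
        return int(head)
    return None


@dataclass
class FirewallAudit:
    enabled: Optional[bool]                         # None: value not in the log
    authorized_apps: List[str] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)


def audit_firewall(log_text: str) -> FirewallAudit:
    sections = parse_reg_dump(log_text)
    profile = sections.get(PROFILE_KEY, {})
    flag = dword(profile.get("EnableFirewall", ""))
    audit = FirewallAudit(enabled=None if flag is None else flag != 0)
    if audit.enabled is None:
        audit.findings.append("EnableFirewall not present in log; state unknown")
    elif not audit.enabled:
        audit.findings.append("Windows Firewall (standard profile) is disabled; apply fix.reg")
    exceptions = sections.get(PROFILE_KEY + r"\authorizedapplications\list", {})
    # ComboFix doubles the backslashes in value names; undo that for readability.
    audit.authorized_apps = [name.replace("\\\\", "\\") for name in exceptions]
    if audit.authorized_apps:
        audit.findings.append(f"{len(audit.authorized_apps)} firewall exception(s) to review")
    return audit


if __name__ == "__main__":
    result = audit_firewall(COMBOFIX_EXCERPT)
    print("firewall enabled:", result.enabled)
    for finding in result.findings:
        print("-", finding)
    for app in result.authorized_apps:
        print("  exception:", app)
```

The exception list is worth reading even once the firewall is back on: each entry is a program allowed to accept inbound connections, and a router in front of the machine (as the original poster mentions later) covers traffic from the Internet but not from other devices on the same LAN.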
Old 02-16-2016, 11:19 AM   #6
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, No-Know. You're very welcome! Are you aware your firewall is disabled? It is a must have.

------------------------------------------------------

Open Notepad and copy/paste the entire contents of the codebox below into Notepad (don't forget to copy and paste REGEDIT4):

Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001

Save the file as fix.reg and choose to Save as type: - All Files then close the Notepad file.
It should look like this:

Double-click on fix.reg and choose Yes to merge/add it to the registry. Please delete the file afterwards.

------------------------------------------------------

Your Java is out of date.

Java(TM) 8 Update 66 can be updated from the Java Control Panel. Go Start > Control Panel(Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts.

Make sure you untick the box next to whatever free program they prompt you to install, unless you want it. Also, let Java remove older versions if prompted.
  • After the install is complete, go back to your Control Panel(using Classic View) and click the Java icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options checked in the window to clear the cache - Leave BOTH Checked
      • Cached Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window.
      Note: This deletes ALL the Downloaded Cached Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window.
    • Click OK to leave the Java Control Panel.
------------------------------------------------------

Congratulations. Well done! Your logs appear clean. You should be good to go.

Please disable NOD32 before uninstalling ComboFix and then re-enable it after doing so.

Go to Start >> Run and Copy/Paste the following single-line command into the Run box and click OK:

combofix /uninstall

This will uninstall ComboFix and delete ComboFix's quarantine folder. It will also implement some cleanup procedures, remove old System Restore Points which contain previous infections, and create a fresh, clean System Restore Point.

Please re-enable your antivirus program and any other antispyware programs disabled earlier if you haven't already.
  • Run AdwCleaner and select Uninstall
  • Confirm by clicking Yes
------------------------------------------------------

You can safely delete any tools downloaded or any logs, files, and any shortcuts on your desktop that were created during this fix.

Keep MBAM, update and run a Scan('Threat Scan' by default, or 'Scan Now' under the Dashboard tab) weekly.

Empty your Recycle Bin if it does not do so automatically.

----------------------------------------------------

SPYWARE PREVENTION
In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read this well-written article: To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an add-on available for IE, Firefox, and Chrome.
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting the attempted connections to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows Vista here
    • Download Host.zip and Save it to your Desktop.
    • Right-click hosts.zip and select 'Extract all files' or 'Extract files...'.
    • Follow the prompts and click 'Finish'.
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.
chemist is offline  
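The MVPS HOSTS step above works because the resolver consults the HOSTS file before DNS, so a name mapped to 127.0.0.1 never leaves the machine. The following is an added example, not code from the thread or from the MVPS project, that parses a blocking HOSTS file the way the resolver reads it (comments stripped, several names per line, first entry for a name wins) and reports which names are sinkholed. It goes one step beyond the post in also treating 0.0.0.0, the other address block lists commonly use, as a sinkhole. The hosts fragment is constructed with made-up names under the reserved .test domain.

```python
from typing import Dict, List, Optional, Tuple

# Addresses conventionally used to sinkhole a name: loopback (what the post
# describes) and the unspecified address 0.0.0.0 that many block lists use.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}
LOOPBACK_NAMES = {"localhost"}   # legitimately points at 127.0.0.1, not a block

# Constructed fragment in the layout of a blocking HOSTS file (made-up names).
HOSTS_SAMPLE = """
# constructed sample: comment lines and trailing comments are ignored
127.0.0.1 localhost
127.0.0.1 ads.example-adserver.test        # one name per line
127.0.0.1 tracker.example-metrics.test stats.example-metrics.test
0.0.0.0   malware-drop.example.test
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname (lower-cased) to its address; the first entry for a name wins."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:                    # an address with no names is ignored
            continue
        address, names = parts[0], parts[1:]
        for name in names:
            table.setdefault(name.lower(), address)
    return table


def resolve(name: str, hosts: Dict[str, str]) -> Optional[Tuple[str, bool]]:
    """(address, blocked) when the HOSTS file answers the lookup, None when DNS would be asked."""
    address = hosts.get(name.lower())
    if address is None:
        return None
    blocked = address in SINKHOLE_ADDRESSES and name.lower() not in LOOPBACK_NAMES
    return address, blocked


def blocked_names(hosts: Dict[str, str]) -> List[str]:
    """Every name the file sinkholes, i.e. the sites the machine can no longer reach."""
    return sorted(name for name in hosts if resolve(name, hosts)[1])


if __name__ == "__main__":
    table = parse_hosts(HOSTS_SAMPLE)
    for name in ("ads.example-adserver.test", "www.siasl.org"):
        print(name, "->", resolve(name, table) or "DNS lookup")
    print("sinkholed:", blocked_names(table))
```

A name that is not in the file falls through to DNS, which is why the HOSTS approach only ever blocks sites someone has already listed; it is a complement to, not a replacement for, the antivirus and browser add-on layers discussed in the thread.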
Old 02-16-2016, 09:10 PM   #7
Registered Member
 
Join Date: Jul 2009
Posts: 54
OS: XP



Hi chemist,
Thanks for all your help.
I uninstalled ComboFix although NOD32 was still running. I must have pressed no instead of yes to "Are you sure...".
I'm behind a router (wired, wireless turned off), which I understand works as a hardware firewall.
Again, thanks for your help, No-Know.
Problem resolved.
No-Know is offline  
Old 02-17-2016, 07:36 AM   #8
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



You're very welcome, No-Know! Glad to have helped.
chemist is offline  
 
