Laptop shutting down automatically and restarting
Solved/Closed
orapps20 - Member, Posts: 11, Registration date: Wednesday June 12, 2013, Last seen: June 22, 2013 - Jun 12, 2013 at 11:25 AM
Hi,
My laptop is shutting down automatically after 5 to 10 minutes without any reason... and restarting.
Recently I downloaded a movie using uTorrent.
Please help me with this.
20 responses
Ambucias - Moderator, Posts: 47310, Registration date: Monday February 1, 2010, Last seen: February 15, 2023 - Jun 22, 2013 at 05:04 AM
Please, delete the previous ZHPDiag logs just like I previously explained, produce a new one and upload on speedyshare.
Ambucias (Moderator) - Jun 14, 2013 at 05:35 PM
Greetings,
Thank you for the log. I'm impressed as to how well you succeeded in infecting your computer.
You don't have any antivirus software or programme! You are lucky to have survived for this long without one.
Your computer is indeed very infected by
1. adware,
2. a rogue Trojan Horse,
3. a rootkit,
4. a USB infection,
5. a worm.
All of the above infections originate from the downloads you have made from peer-to-peer applications: uTorrent and Go for files.
All of the above infections can be removed, but to ensure that your system stays stable, we must proceed step by step. From what I gather, you are in Singapore; we are not in the same time zone, hence it may take two, perhaps three days before we solve the issue.
Are you willing to stick with me through the procedures? Let me know and we shall begin.
The certificate error you got from Gmail is due to the rootkit, which has changed the time and date of your computer. Try to adjust it, but it may get changed again.
When you answer me, I must know if your Windows XP is genuine or if it's a copy.
Waiting for your reply,
Best regards
orapps20 - Jun 20, 2013 at 02:16 AM
Hi, please find below the link for the log.
Please help me to clean my machine.
http://speedy.sh/tweJD/ZHPDiag.txt
Thanks,
Ambucias (Moderator) - Jun 21, 2013 at 05:10 PM
Hello,
Thank you for the log.
When you performed the scan:
1. Were any items found?
2. Did you click "continue" or "skip"?
3. Why do you have Oracle in your system?
Please, delete the previous ZHPDiag logs just like I previously explained, produce a new one and upload it on speedyshare.
Thank you again for your patience. As you must be aware now, your computer was badly infected by severe viruses and it takes time to clean without having to reformat and lose all of your data and applications.
Regards
orapps20 - Jun 22, 2013 at 02:14 AM
Hi,
Thank you for your reply.
I clicked on continue, did not change anything.
I am learning Oracle tools. It was installed a year before.
Please help to clean my laptop.
Thanks,
Ambucias (Moderator) - Jun 12, 2013 at 05:37 PM
To help you and prescribe a remedy, I must make a diagnostic, and to do so, I require a log.
1. Boot in safe mode with networking.
2. Open this link and download ZHPDiag2:
https://www.zebulon.fr/telechargements/securite/systeme/zhpdiag.html
(Don't be alarmed if the site is in French, it sometimes happens; the tool will take your system language and allow the download if you get a warning message.)
3. Save the file on your Desktop.
4. Double click on ZHPDiag.exe and follow the installation instructions.
The tool creates three icons: ZHPDiag, MRB, and ZHPFix (if necessary, we will use ZHPFix at the next step).
5. Double click on the shortcut ZHPDiag on your Desktop.
6. Click on the eyedropper icon and ensure all of the items.
7. Click on the magnifying glass with the + sign and run the analysis.
Wait for the tool to finish (maybe a long time).
8. Close ZHPDiag.
9. To transmit the report, click on this link:
https://authentification.site
10. (Usually on your desktop or C:\Program Files\ZHPDiag.)
11. Select the file ZHPDiag.txt.
12. Click on "upload".
13. Copy the URL and post it here.
Best regards
Ambucias
Moderator, Security Contributor
orapps20 - Jun 14, 2013 at 01:06 PM
Hi,
I have run the steps as given by you and below is the link. Because of this issue the internet is not opening on my laptop. If I try to open Gmail it displays the message 'The server's security certificate is revoked!'
http://speedy.sh/9HmB7/ZHPDiag.txt
Thanks,
Rajesh
orapps20 - Jun 15, 2013 at 11:46 AM
Hi,
Thanks for the reply.
I am ready to coordinate with you. I don't know whether Windows XP is genuine or not. I bought the laptop 4 years ago.
Thanks,
Ambucias (Moderator) - Jun 15, 2013 at 05:40 PM
Hello,
Very well, but I must tell you now that your Windows is counterfeit, which may create problems in the future if you try to update it. Since it seems that it was not your doing, I will help you.
First, let's attack the rootkit, which is the cause of the main headache:
Gmer is a powerful rootkit detector and can remove many rootkits.
Download here:
http://www.gmer.net
Once the tool download is completed, right-click on the setup Gmer.exe and select Run. This will launch the program and an autoscan of your computer system.
Second, let's take care of the rogue.
Please follow the following procedure carefully and to the letter.
You have a rogue virus Trojan Horse which is self-protective, thus it will prevent any antivirus from functioning.
You must kill the evil processes which the virus is presently running and which are preventing you from running any antivirus. If you don't, it will keep reproducing the files for ever.
To kill the processes:
1. Download to your desktop and run Rogue Kill:
https://download.bleepingcomputer.com/grinler/rkill.com
2. You should now see a window that shows all of your desktop icons, including the rkill.com program.
3. Double-click on rkill.com in order to automatically attempt to stop any processes associated with the rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step.
If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by the Horse when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate the processes. So, please try running Rkill until malware is no longer running.
As a matter of fact, if you get messages, it is a sign that the virus is agonizing with excruciating pain, so you can just grin while it is suffering! :)))
Please, DO NOT REBOOT your computer or the processes will come back to haunt you!
Download Malwarebytes to your desktop.
https://ccm.net/downloads/security-and-maintenance/4621-malwarebytes-anti-malware/
Once on your desktop, we must still outwit the virus.
Right-click on the MBAM icon and click on Rename. Rename it kioskea.exe.
Install Malwarebytes and launch it. From the second tab, update it.
Please request a FULL system scan, which should take more than an hour. Once the scan is finished, delete all of the items that were found.
Third, some viruses will still be there.
Delete your previous ZHPDiag log, produce a new one and upload it on speedyshare for my analysis.
Good luck
orapps20 - Jun 16, 2013 at 10:25 AM
Hi,
Thanks for your update and help.
Please find below the link as requested.
http://speedy.sh/Jp86C/ZHPDiag.txt
Thanks,
orapps20 - Jun 16, 2013 at 10:26 AM
Still it is shutting down after 5 min.
Ambucias (Moderator) - Jun 16, 2013 at 05:44 PM
Hi,
It is still shutting down because the rootkit, the rogue and the worm are still present. If you followed my directions to the letter to kill the rootkit and the rogue, it is not supposed to shut down.
Here is what we will do, but after you are done, again, delete the previous ZHPDiag log and produce a new one to upload on Speedyshare.
To keep your system safe, you must follow the instructions hereunder to the letter:
1. Download ComboFix to your desktop.
https://www.bleepingcomputer.com/download/combofix/
(click on the "download @ bleeping computer" button)
2. Close all open windows, including this one.
Close or disable all running antivirus, antispyware, and firewall programs as they may interfere with the proper running of ComboFix.
3. Double click on the ComboFix icon.
Windows is issuing this prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue.
4. Accept the disclaimer and the recovery console.
5. You should now press the Yes button to continue. If at any time during the Recovery Console installation you receive a message stating that it failed to install, please allow ComboFix to continue with the scan of your computer.
ComboFix will disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.
While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings.
If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and tells you that the program's log file, or report, will be located at C:\ComboFix.txt.
During the process, please do not click the mouse nor tap on the keyboard. Let the tool run.
Good luck
orapps20 - Jun 18, 2013 at 03:02 AM
Thanks a lot for your help.
Now it is not restarting automatically.
Please find the ZHP log at the link below and let me know if there is anything I need to do.
http://speedy.sh/ZrmYc/ZHPDiag.txt
Thanks,
Ambucias (Moderator) - Jun 18, 2013 at 06:50 AM
Hi
Either you sent me the same log or your computer is still infected.
Please paste here the following file:
C:\ComboFix.txt
Regards
orapps20 - Jun 19, 2013 at 12:46 PM
Hi,
Please find ComboFix.txt below:
ComboFix 13-06-17.01 - Administrator 06/18/2013 10:14:30.1.2 - x86
Running from: e:\documents and settings\Administrator\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
D:\Autorun.inf
e:\windows\$NtUninstallKB45099$
e:\windows\$NtUninstallKB45099$\2554745541
e:\windows\$NtUninstallKB45099$\4100342861\@
e:\windows\$NtUninstallKB45099$\4100342861\Desktop.ini
e:\windows\$NtUninstallKB45099$\4100342861\L\00000004.@
e:\windows\$NtUninstallKB45099$\4100342861\L\201d3dde
e:\windows\$NtUninstallKB45099$\4100342861\L\76603ac3
e:\windows\$NtUninstallKB45099$\4100342861\L\aodripvi
e:\windows\$NtUninstallKB45099$\4100342861\U\00000004.@
e:\windows\$NtUninstallKB45099$\4100342861\U\00000008.@
e:\windows\$NtUninstallKB45099$\4100342861\U\000000cb.@
e:\windows\$NtUninstallKB45099$\4100342861\U\80000000.@
e:\windows\$NtUninstallKB45099$\4100342861\U\80000032.@
e:\windows\AutoRun.ini
e:\windows\system32\c__10082.nls
e:\windows\system32\cttype.nls
e:\windows\system32\regobj.dll
.
Infected copy of e:\windows\system32\drivers\netbt.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((( Files Created from 2013-05-18 to 2013-06-18 )))))))))))))))))))))))))))))))
.
.
2013-06-18 02:06 . 2004-08-03 17:44 162816 -c--a-w- e:\windows\system32\dllcache\netbt.sys
2013-06-18 02:06 . 2004-08-03 17:44 162816 ----a-w- e:\windows\system32\drivers\netbt.sys
2013-06-16 08:16 . 2013-06-16 08:16 -------- d-----w- e:\documents and settings\Administrator\Application Data\Malwarebytes
2013-06-16 08:16 . 2013-06-16 08:16 -------- d-----w- e:\documents and settings\All Users\Application Data\Malwarebytes
2013-06-16 08:16 . 2013-04-04 06:50 22856 ----a-w- e:\windows\system32\drivers\mbam.sys
2013-06-16 08:16 . 2013-06-16 09:21 -------- d-----w- e:\program files\Malwarebytes' Anti-Malware
2013-06-12 15:45 . 2013-06-16 14:10 -------- d-----w- E:\ZHP
2013-06-12 15:45 . 2013-06-16 14:10 -------- d-----w- e:\program files\ZHPDiag
2013-06-12 14:59 . 2013-06-12 14:59 175616 ----a-w- e:\documents and settings\All Users\Application Data\Microsoft\Media Tools\temp\tmpF.exe
2013-06-11 18:31 . 2013-06-11 18:31 -------- d-----w- e:\documents and settings\All Users\Application Data\Systweak
2013-06-11 18:31 . 2012-07-25 04:03 17136 ----a-w- e:\windows\system32\sasnative32.exe
2013-06-11 18:31 . 2013-06-11 18:31 -------- d-----w- e:\program files\Amazon
2013-06-11 18:31 . 2013-06-12 15:04 -------- d-----w- e:\program files\MyPC Backup
2013-06-11 18:30 . 2013-06-11 18:32 -------- d-----w- e:\documents and settings\Administrator\Application Data\Systweak
2013-06-11 18:03 . 2013-06-11 18:22 -------- d-----w- e:\documents and settings\All Users\Application Data\MFAData
2013-06-11 18:03 . 2013-06-11 18:03 -------- d-----w- e:\documents and settings\All Users\Application Data\Common Files
2013-06-11 18:03 . 2013-06-11 18:03 -------- d-----w- e:\documents and settings\Administrator\Local Settings\Application Data\MFAData
2013-06-11 18:03 . 2013-06-11 18:03 -------- d-----w- e:\documents and settings\Administrator\Local Settings\Application Data\Avg2013
2013-06-11 17:28 . 2013-06-11 17:49 -------- d-----w- e:\windows\system32\MpEngineStore
2013-06-11 01:20 . 2013-06-11 14:55 -------- d-----w- e:\program files\Mega Codec Pack
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-12 16:16 . 2013-03-02 10:31 692104 ----a-w- e:\windows\system32\FlashPlayerApp.exe
2013-06-12 16:16 . 2011-05-19 17:50 71048 ----a-w- e:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-09 08:58 . 2013-04-21 06:12 229648 ----a-w- e:\windows\system32\aswBoot.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-10-12 . 32272BF10467C8ACF1F83138C61D541E . 1580544 . . [5.1.2600.2180] . . e:\windows\system32\sfcfiles.dll
[-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . e:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\0MediaIconsOerlay]
@="{1EC23CFF-4C58-458f-924C-8519AEF61B32}"
[HKEY_CLASSES_ROOT\CLSID\{1EC23CFF-4C58-458f-924C-8519AEF61B32}]
2013-06-11 01:21 224256 ----a-w- e:\documents and settings\All Users\Application Data\Microsoft\Media Tools\MediaIconsOverlays.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="e:\program files\uTorrent\uTorrent.exe" [2011-05-01 399736]
"Messenger (Yahoo!)"="e:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2012-05-24 6595928]
"Skype"="e:\program files\Skype\Phone\Skype.exe" [2013-01-08 18705664]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="sm56hlpr.exe" [2004-12-29 544768]
"RTHDCPL"="RTHDCPL.EXE" [2009-12-25 18789408]
"IgfxTray"="e:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="e:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="e:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"GrooveMonitor"="e:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"SunJavaUpdateSched"="e:\program files\Java\jre6\bin\jusched.exe" [2010-09-03 136600]
"oc4j"="e:\oraclebi\oc4j_bi\bin\oc4j.cmd" [2010-09-03 4991]
.
e:\documents and settings\Administrator\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - e:\program files\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2006-10-27 98632]
.
e:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - e:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2012-12-27 113664]
AutoCAD Startup Accelerator.lnk - e:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-3-6 11000]
McAfee Security Scan Plus.lnk - e:\program files\McAfee Security Scan\3.0.318\SSScheduler.exe [2013-2-5 272248]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R?2 OracleCSService;OracleCSService;e:\oracle\product\10.1.0\db_1\bin\ocssd.exe service --> e:\oracle\product\10.1.0\db_1\bin\ocssd.exe service [?]
R2 BMFMySQL;BMFMySQL;e:\program files\Quest Software\Benchmark Factory for Databases\Repository\MySQL\bin\mysqld-max-nt.exe [10/23/2005 2:05 AM 4431872]
R2 HWDeviceService.exe;HWDeviceService.exe;e:\documents and settings\All Users\Application Data\DatacardService\HWDeviceService.exe [3/14/2011 11:27 PM 271712]
R2 OracleOraDb10g_home1TNSListener;OracleOraDb10g_home1TNSListener;e:\oracle\product\10.1.0\db_1\BIN\TNSLSNR --> e:\oracle\product\10.1.0\db_1\BIN\TNSLSNR [?]
R2 OracleServiceORCL;OracleServiceORCL;e:\oracle\product\10.1.0\db_1\bin\ORACLE.EXE ORCL --> e:\oracle\product\10.1.0\db_1\bin\ORACLE.EXE ORCL [?]
R2 sawjavahostsvc;Oracle BI Java Host;e:\oraclebi\web\bin\sawjavahostsvc.exe [9/3/2010 3:47 PM 94208]
R2 sawsvc;Oracle BI Presentation Server;e:\oraclebi\web\bin\sawserver.exe [9/3/2010 3:47 PM 86016]
R2 Skype C2C Service;Skype C2C Service;e:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [5/14/2013 3:56 PM 3289208]
R2 SkypeUpdate;Skype Updater;e:\program files\Skype\Updater\Updater.exe [1/8/2013 3:25 PM 161536]
R2 vpnagent;Cisco AnyConnect VPN Agent;e:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [12/18/2009 6:32 AM 497856]
R3 huawei_enumerator;huawei_enumerator;e:\windows\system32\drivers\ew_jubusenum.sys [9/6/2012 2:42 AM 73216]
S2 Oracle BI Server;Oracle BI Server;e:\oraclebi\server\Bin\NQSServer.exe [9/3/2010 3:40 PM 49152]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;e:\windows\system32\drivers\ew_hwusbdev.sys [9/6/2012 2:42 AM 102784]
S3 hwusbdev;Huawei DataCard USB PNP Device;e:\windows\system32\DRIVERS\ewusbdev.sys --> e:\windows\system32\DRIVERS\ewusbdev.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;e:\program files\McAfee Security Scan\3.0.318\McCHSvc.exe [2/5/2013 11:48 PM 235216]
S3 Oracle BI Cluster Controller;Oracle BI Cluster Controller;e:\oraclebi\server\Bin\NQSClusterController.exe [9/3/2010 4:24 PM 33792]
S3 Oracle BI Scheduler;Oracle BI Scheduler;e:\oraclebi\server\Bin\NQScheduler.exe [9/3/2010 4:26 PM 122880]
S3 OracleOraDb10g_home1SNMPPeerEncapsulator;OracleOraDb10g_home1SNMPPeerEncapsulator;e:\oracle\product\10.1.0\db_1\BIN\encsvc.exe [9/3/2010 4:43 PM 187392]
S3 OracleOraDb10g_home1SNMPPeerMasterAgent;OracleOraDb10g_home1SNMPPeerMasterAgent;e:\oracle\product\10.1.0\db_1\BIN\agntsvc.exe [9/3/2010 4:43 PM 254464]
S3 ztemtusbser;ZTEMT Legacy Serial Communication;e:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys [9/1/2012 11:57 AM 105472]
S4 OracleJobSchedulerORCL;OracleJobSchedulerORCL;e:\oracle\product\10.1.0\db_1\Bin\extjob.exe ORCL --> e:\oracle\product\10.1.0\db_1\Bin\extjob.exe ORCL [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-06-06 15:37 1165776 ----a-w- e:\program files\Google\Chrome\Application\27.0.1453.110\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-16 e:\windows\Tasks\Adobe Flash Player Updater.job
- e:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-03-02 16:16]
.
2013-06-18 e:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- e:\program files\Google\Update\GoogleUpdate.exe [2013-01-21 17:14]
.
2013-06-16 e:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- e:\program files\Google\Update\GoogleUpdate.exe [2013-01-21 17:14]
.
2013-06-10 e:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1547161642-839522115-500Core.job
- e:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-26 20:08]
.
2013-06-16 e:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1547161642-839522115-500UA.job
- e:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-26 20:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://https://in.yahoo.com/?fr=mkg029.yahoo.com
mStart Page = hxxp://https://in.yahoo.com/?fr=mkg029.yahoo.com
uSearchURL,(Default) = hxxp://in.rd.yahoo.com/customize/ycomp/defaults/su/*https://in.yahoo.com/
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - e:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - e:\windows\web\related.htm
TCP: DhcpNameServer = 192.168.0.1
DPF: {2AB1C516-6654-4D3A-B3D6-2185BBCEB409} - hxxps://webvpn.in.capgemini.com/+CSCOL+/csvrloader32.cab
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-Advanced System Protector_startup - e:\program files\Advanced System Protector\AdvancedSystemProtector.exe
e:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk - (no file)
AddRemove-00212D92-C5D8-4ff4-AE50-B20F0F85C40A_Systweak_Ad~B9F029BF_is1 - e:\program files\Advanced System Protector\unins000.exe
AddRemove-{488b57a8-0004-4dc7-a7fb-711868ce44eb} - e:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-06-18 10:29
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\OracleOraDb10g_home1TNSListener]
"ImagePath"="e:\oracle\product\10.1.0\db_1\BIN\TNSLSNR "
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@e:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="e:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2408)
e:\documents and settings\All Users\Application Data\Microsoft\Media Tools\MediaIconsOverlays.dll
e:\windows\system32\hnetcfg.dll
.
------------------------ Other Running Processes ------------------------
.
e:\program files\Cisco Systems\VPN Client\cvpnd.exe
e:\program files\Java\jre6\bin\jqs.exe
e:\windows\sm56hlpr.exe
e:\windows\RTHDCPL.EXE
e:\windows\system32\igfxsrvc.exe
e:\program files\Microsoft Office\Office12\ONENOTEM.EXE
e:\oracle\product\10.1.0\db_1\bin\ocssd.exe
e:\oracle\product\10.1.0\db_1\bin\isqlplussvc.exe
e:\oracle\product\10.1.0\db_1\BIN\TNSLSNR.exe
e:\oracle\product\10.1.0\db_1\jdk\bin\java.exe
e:\oracle\product\10.1.0\db_1\bin\ORACLE.EXE
.
**************************************************************************
.
Completion time: 2013-06-18 10:30:13 - machine was rebooted
ComboFix-quarantined-files.txt 2013-06-18 02:29
.
Pre-Run: 6,727,073,792 bytes free
Post-Run: 7,179,554,816 bytes free
.
- - End Of File - - EDA011D2694594245A7911350F6434C4
8F558EB6672622401DA993E1E865C861
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 - Jun 19, 2013 at 04:55 PM
Hello,
Okay, the rootkit has been removed but it seems that your system is still vulnerable.
Delete the ZHPDiag.txt log on your desktop as well as the folder C:/ZHP
Produce a new ZHP Diag log, upload it on Speedyshare and post the link here.
Best regards
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 - Jun 20, 2013 at 06:07 AM
Hello
ZHP Diag created an icon on your desktop called ZHP Fix (it looks like a syringe).
1. Open ZHP Fix.
2. Copy the lines below
3. In ZHP Fix click on the button clipboard which will paste the lines in the window.
4. Click on the GO button below which will delete the lines.
Here are the lines to copy
[HKCU\Software\SweetIM] =>PUP.SweetIM
[HKLM\Software\SweetIM] =>PUP.SweetIM
O81 - IFC: Internet Feature Controls [HKUS\.DEFAULT] [FEATURE_BROWSER_EMULATION] -- svchost.exe => Infection Rootkit (Rootkit.TDSS)
O81 - IFC: Internet Feature Controls [HKUS\S-1-5-18] [FEATURE_BROWSER_EMULATION] -- svchost.exe => Infection Rootkit (Rootkit.TDSS)
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\Smart Fortress 2012] =>Rogue.Multiple
[HKCU\Software\HackFacebookProfiles] =>Hacker.FaceBook
[HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\00E944CB89111313EAF35A0553F547F9] =>PUP.Dealio
[HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\53F55AF3F4049ED3FA6EA6F88E414E24] =>PUP.Dealio
[HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\68E4BF4B11615E03C97732FD581AB607] =>PUP.Dealio
[HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8CE3DDAB2D152683FBCEB4866BCD2B0F] =>PUP.Dealio
[HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AF6CE16AFEA5C9A39B766468A8B35C21] =>PUP.Dealio
[HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FB1E44269B58F433A8C8E671E37CFDCF] =>PUP.Dealio
E:\Program Files\Mozilla Firefox\Extensions\wtxpcom@mybrowserbar.com =>PUP.Dealio
E:\Documents and Settings\Administrator\Application Data\Software =>Adware.Boxore
O90 - PUC: "8AF9A797EFE4EF14DA807A1569655976" . (.pdfforge Toolbar v7.1.) -- E:\WINDOWS\Installer\{797A9FA8-4EFE-41FE-AD08-A75196569567}\ARPPRODUCTICON.exe
5. Paste the ZHP Fix log here (It will be on your desktop)
6. Again, delete all ZHP Diag logs
7. Produce a new one and upload on Speedyshare and post the URL here
Regards
orapps20 Posts 11 Registration date Wednesday June 12, 2013 Status Member Last seen June 22, 2013 - Jun 21, 2013 at 12:22 AM
Really, thanks for your help.
Please find the fix log below.
Rapport de ZHPFix 2013.6.12.3 par Nicolas Coolman, Update du 12/06/2013
Fichier d'export Registre :
Run by Administrator at 6/21/2013 12:09:52 PM
High Elevated Privileges : OK
Windows XP Professional Service Pack 2 (Build 2600)
Recycle Files Deleted
========== Registry Key ==========
DELETED Key: HKCU\Software\SweetIM
DELETED Key: HKLM\Software\SweetIM
DELETED Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\Smart Fortress 2012
DELETED Key: HKCU\Software\HackFacebookProfiles
DELETED Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\00E944CB89111313EAF35A0553F547F9
DELETED Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\53F55AF3F4049ED3FA6EA6F88E414E24
DELETED Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\68E4BF4B11615E03C97732FD581AB607
DELETED Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8CE3DDAB2D152683FBCEB4866BCD2B0F
DELETED Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AF6CE16AFEA5C9A39B766468A8B35C21
DELETED Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FB1E44269B58F433A8C8E671E37CFDCF
DELETED Key: \Software\Classes\Installer\Products\\8AF9A797EFE4EF14DA807A1569655976
DELETED Key: \Software\Classes\Installer\Features\8AF9A797EFE4EF14DA807A1569655976
========== Registry Value ==========
NOT FOUND IFC: [FEATURE_BROWSER_EMULATION] svchost.exe
========== Repertory ==========
DELETED Folder: e:\program files\mozilla firefox\extensions\wtxpcom@mybrowserbar.com
DELETED Folder: e:\documents and settings\administrator\application data\software
========== Summary ==========
12 : Registry Key
1 : Registry Value
2 : Repertory
End of clean in 01mn AMs
========== Report File ==========
E:\ZHP\ZHPFix[R1].txt - 6/21/2013 12:09:52 PM [1961]
And here is the link for the diag log.
http://speedy.sh/TqVqR/ZHPDiag.txt
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 - Jun 21, 2013 at 06:12 AM
Hello
Thanks for the logs.
Rootkits are difficult to kill and it is still there.
1. Please download Kaspersky's TDSS Killer here:
https://support.kaspersky.com/downloads/utils/tdsskiller.zip
2. Open TDSS and click on start scan
3. If items are found click on continue and then on reboot.
4. A log will appear when the computer restarts; copy it and paste it here.
Have a nice day and thank you for your patience.
orapps20 Posts 11 Registration date Wednesday June 12, 2013 Status Member Last seen June 22, 2013 - Jun 21, 2013 at 11:46 AM
Hi,
You are helping me a lot.
Please find the log at the link below.
http://speedy.sh/bsw9M/tdss.txt
Thanks,