|
|
|
Deadly 66.230.188.67 virus
|
|
|
slub77
Newbie
|
14. September 2010 @ 15:49 |
Link to this message
|
I keep getting redirected to various pages when ever i click links, checking what it normally redirects to me to: 66.230.188.67 : and then to a diffrent site.
This is getting veryyyyyyyyyyyy annoying and i i am sure it's doing more then redirecting me.
Now i have scanned using all most everything here is my Hijackthis file log:
Quote:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:48:42, on 14/09/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\libusbd-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\RunOnce: [*msgauthparse.exe] "C:\WINDOWS\system32\config\systemprofile\msgauthparse.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 3149 bytes
|
|
Advertisement
|
|
|
|
AfterDawn Addict
|
14. September 2010 @ 22:18 |
Link to this message
|
slub77,
Use HijackThis to Fix (remove) the following lines:
O4 - HKLM\..\RunOnce: [*msgauthparse.exe] "C:\WINDOWS\system32\config\systemprofile\msgauthparse.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
Go to Safe Mode by tapping F8 while rebooting.
In Safe Mode use Windows Explorer to follow the path to and delete the file in Red.
C:\WINDOWS\system32\config\systemprofile\msgauthparse.exe
Reboot:
Download and run SuperAntiSpyware and post the Log here.
I don?t see an AntiVirus running on this computer. You need one!
Free AntiVirus, choose one here:
http://www.techsupportalert.com/best-free-anti-virus-software.htm
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...This message has been edited since posting. Last time this message was edited on 14. September 2010 @ 22:20
|
|
slub77
Newbie
|
15. September 2010 @ 06:52 |
Link to this message
|
Ok i have done as you said here is the log from SuperAntiSpyware :)
Quote:
Adware. Tracking cookie
That's the only thing it fount.
This message has been edited since posting. Last time this message was edited on 15. September 2010 @ 07:07
|
AfterDawn Addict
|
15. September 2010 @ 09:02 |
Link to this message
|
|
ok, what's the outcome? how's the 'puter acting?
p.s. that's not the "Log"
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...This message has been edited since posting. Last time this message was edited on 15. September 2010 @ 09:03
|
|
slub77
Newbie
|
15. September 2010 @ 13:34 |
Link to this message
|
|
Well now when i scan it it still says it's clean, so i will see how it is today, then report back tomorrow :)
|
|
slub77
Newbie
|
16. September 2010 @ 15:48 |
Link to this message
|
|
Still bad news it seems to still be happening.
|
AfterDawn Addict
|
16. September 2010 @ 17:38 |
Link to this message
|
|
Scratching my head..... gee I haven't a clue, yet.
Try running MalwareBytes and post the whole log. maybe can see something there..
|
|
slub77
Newbie
|
17. September 2010 @ 11:35 |
Link to this message
|
Quote:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4639
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
17/09/2010 16:33:53
mbam-log-2010-09-17 (16-33-53).txt
Scan type: Full scan (C:\|)
Objects scanned: 187694
Time elapsed: 51 minute(s), 30 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*audioprovcenter.exe (Malware.Packer.Gen) -> No action taken.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\LocalService\Application Data\audioprovcenter.exe (Malware.Packer.Gen) -> No action taken.
C:\RECYCLER\S-1-5-21-1645522239-2111687655-1417001333-1004\Dc2.exe (Malware.Packer.Gen) -> No action taken.
C:\System Volume Information\_restore{418553CA-17D2-4812-9B2D-EEE8BB2B0415}\RP96\A0023694.exe (Malware.Packer.Gen) -> No action taken.
C:\System Volume Information\_restore{418553CA-17D2-4812-9B2D-EEE8BB2B0415}\RP99\A0024673.exe (Malware.Packer.Gen) -> No action taken.
C:\WINDOWS\pss\basefileaction.exeStartup (Malware.Packer.Gen) -> No action taken.
|
AfterDawn Addict
|
17. September 2010 @ 11:58 |
Link to this message
|
|
Doesn't look like you removed anything i.e. -> No action taken.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected. <-- Don't forget this.
also give an update on how it's acting.....
|
|
funkk
Newbie
|
22. September 2010 @ 18:49 |
Link to this message
|
Hello,
I am having the same issue. All my search links (both from Google and Yahoo) are getting redirected to some random ad sites when clicked. I ran a full McCafee scan, full MalwareBytes scan and also ran the Spybot S&D. Nothing is helping. Here is my HJT log file. Please help! Thanks.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:30:30 PM, on 9/22/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18928)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\IBM\Lotus Quickr connectors\DIMon.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\system32\SearchFilterHost.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://train.ps.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://train.ps.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = internet.cci.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: EmailBHO - {647FD14A-C4F1-46F4-8FC3-0B40F54226F7} - C:\Program Files\jZip\WebmailPlugin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Lotus Quickr Monitor.lnk = C:\Program Files\IBM\Lotus Quickr connectors\DIMon.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Make a Screenshot - res://C:\PROGRA~1\BROWSE~1\IESCRE~1\IESCRE~1.DLL/202
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: IE Screenshot - {84A11D82-2732-40ed-BF71-80F1FAF3807F} - C:\PROGRA~1\BROWSE~1\IESCRE~1\IESCRE~1.DLL
O9 - Extra 'Tools' menuitem: Make a Screenshot - {84A11D82-2732-40ed-BF71-80F1FAF3807F} - C:\PROGRA~1\BROWSE~1\IESCRE~1\IESCRE~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: IE Screenshot - {84A11D82-2732-40ed-BF71-80F1FAF3807F} - C:\PROGRA~1\BROWSE~1\IESCRE~1\IESCRE~1.DLL (HKCU)
O9 - Extra 'Tools' menuitem: Make a Screenshot - {84A11D82-2732-40ed-BF71-80F1FAF3807F} - C:\PROGRA~1\BROWSE~1\IESCRE~1\IESCRE~1.DLL (HKCU)
O15 - Trusted Zone: *.perotsystems.com
O15 - Trusted Zone: *.perotsystems.net
O15 - Trusted Zone: *.ps.net
O15 - Trusted Zone: *.scglobal.com
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resourc...s/wlscctrl2.cab
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://psconnectvpn.perotsystems.com/vdesk/terminal/InstallerControl.cab
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://psconnectvpn.perotsystems.com/vdesk/terminal/f5InspectionHost.cab#version=6030,2009,0828,1604
O16 - DPF: {7C896371-4B7F-4B34-95B1-24851F5DED24} (Microsoft Virtual Server VMRC Control) - http://gmgdvs01.gmsg.net:1024/VirtualSer...tiveXClient.cab
O16 - DPF: {8BF7B588-F4AC-4A6E-AF63-F664449EED2E} (IBM Browser plug-in for documents) - http://portalprodqkr.venturafoods.com:10...in/DMPlugin.cab
O16 - DPF: {B1D21FC5-A742-4261-86F2-C7B7F1A31C5D} (JDEWebRTFEditU Control) - http://jdesbx1.scglobal.com:7777/jde/axctls/jdewebctlsU.cab
O16 - DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} (OrgPublisher PluginX) - https://train.ps.net/orgchart/OrgPubX.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} (F5 Networks OS Policy Agent) - https://psconnectvpn.perotsystems.com/policy/download_binary.php/win32/f5syschk.cab#Version=6030,2009,0622,1850
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01/pho...NPUplden-us.cab
O16 - DPF: {F9E542CE-C16A-47FA-B7A8-D88E5F1C5719} (JDEExcelAutoU Control) - http://localhost:8888/jde/axctls/jdeexpimpU.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = perotsystems.net
O17 - HKLM\Software\..\Telephony: DomainName = perotsystems.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = perotsystems.net
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_38163857\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: OracleE1LocalTNSListener - Unknown owner - C:\Oracle\E1Local\BIN\TNSLSNR.exe
O23 - Service: OracleServiceE1LOCAL - Oracle Corporation - c:\oracle\e1local\bin\ORACLE.EXE
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_38163857\STacSV.exe
O23 - Service: TeamViewer 5 (TeamViewer5) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
--
End of file - 12225 bytes
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Thanks and Regards.
|
AfterDawn Addict
|
22. September 2010 @ 21:05 |
Link to this message
|
Hi funkk,
Use HijackThis to "Fix" the following lines:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = internet.cci.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
After removing those lines run a complete scan with SUPERAntiSpyware and remove anything it finds.
Then let us know how it's going...
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves... |
|
funkk
Newbie
|
23. September 2010 @ 08:42 |
Link to this message
|
Thank you. I removed those 2 entries. Its still doing the same... I am now downloading SUPERAntiSpyware. Will install and do the clean up using that. Also, I ran the Hitman Pro, a malware removal software suggested in several websites for this google redirect virus, it keeps complaining about wininit.exe as RootKit virus infected. But I have Vista and thought wininit.exe is needed for Vista and no issue there.
I will let you know after I run the SUPERAntiSpyware. Please let me know if anything else I should do on the wininit.exe part. Thanks again.
Thanks and Regards.
|
|
funkk
Newbie
|
23. September 2010 @ 09:46 |
Link to this message
|
Here is the update. I ran the SuperAntiSpyware and it found about 75 adware infections. Fixed all of them. It didnt report anything else. But I still have the same issue. Google search links are redirecting to random ad websites.
One other thing I noticed, which may give you some insight: WHen I double click IE to open, it flickers the first 2 or 3 times and doesnt open the browser. I can see the browser trying to open, like a flicker and it closes right away, you dont see the whole browser but just an attempt to open. It happens the first 2 or 3 times and only opens on 3rd or 4th attempt. I ran complete virus scan with McCafe...ran the Malwarebytes full scan...ran the spybot S&D...ran the Hitman Pro...now ran the SUPERantispyware full scan too... nothing seemed to have any difference... Any clues? Here is the latest HJT log files. Please help. Thanks again for your time and help.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:40:34 AM, on 9/23/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18928)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\IBM\Lotus Quickr connectors\DIMon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://train.ps.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://train.ps.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: EmailBHO - {647FD14A-C4F1-46F4-8FC3-0B40F54226F7} - C:\Program Files\jZip\WebmailPlugin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Lotus Quickr Monitor.lnk = C:\Program Files\IBM\Lotus Quickr connectors\DIMon.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Make a Screenshot - res://C:\PROGRA~1\BROWSE~1\IESCRE~1\IESCRE~1.DLL/202
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: IE Screenshot - {84A11D82-2732-40ed-BF71-80F1FAF3807F} - C:\PROGRA~1\BROWSE~1\IESCRE~1\IESCRE~1.DLL
O9 - Extra 'Tools' menuitem: Make a Screenshot - {84A11D82-2732-40ed-BF71-80F1FAF3807F} - C:\PROGRA~1\BROWSE~1\IESCRE~1\IESCRE~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: IE Screenshot - {84A11D82-2732-40ed-BF71-80F1FAF3807F} - C:\PROGRA~1\BROWSE~1\IESCRE~1\IESCRE~1.DLL (HKCU)
O9 - Extra 'Tools' menuitem: Make a Screenshot - {84A11D82-2732-40ed-BF71-80F1FAF3807F} - C:\PROGRA~1\BROWSE~1\IESCRE~1\IESCRE~1.DLL (HKCU)
O15 - Trusted Zone: *.perotsystems.com
O15 - Trusted Zone: *.perotsystems.net
O15 - Trusted Zone: *.ps.net
O15 - Trusted Zone: *.scglobal.com
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resourc...s/wlscctrl2.cab
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://psconnectvpn.perotsystems.com/vdesk/terminal/InstallerControl.cab
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://psconnectvpn.perotsystems.com/vdesk/terminal/f5InspectionHost.cab#version=6030,2009,0828,1604
O16 - DPF: {7C896371-4B7F-4B34-95B1-24851F5DED24} (Microsoft Virtual Server VMRC Control) - http://gmgdvs01.gmsg.net:1024/VirtualSer...tiveXClient.cab
O16 - DPF: {8BF7B588-F4AC-4A6E-AF63-F664449EED2E} (IBM Browser plug-in for documents) - http://portalprodqkr.venturafoods.com:10...in/DMPlugin.cab
O16 - DPF: {B1D21FC5-A742-4261-86F2-C7B7F1A31C5D} (JDEWebRTFEditU Control) - http://jdesbx1.scglobal.com:7777/jde/axctls/jdewebctlsU.cab
O16 - DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} (OrgPublisher PluginX) - https://train.ps.net/orgchart/OrgPubX.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} (F5 Networks OS Policy Agent) - https://psconnectvpn.perotsystems.com/policy/download_binary.php/win32/f5syschk.cab#Version=6030,2009,0622,1850
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01/pho...NPUplden-us.cab
O16 - DPF: {F9E542CE-C16A-47FA-B7A8-D88E5F1C5719} (JDEExcelAutoU Control) - http://localhost:8888/jde/axctls/jdeexpimpU.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = perotsystems.net
O17 - HKLM\Software\..\Telephony: DomainName = perotsystems.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = perotsystems.net
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_38163857\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: OracleE1LocalTNSListener - Unknown owner - C:\Oracle\E1Local\BIN\TNSLSNR.exe
O23 - Service: OracleServiceE1LOCAL - Oracle Corporation - c:\oracle\e1local\bin\ORACLE.EXE
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_38163857\STacSV.exe
O23 - Service: TeamViewer 5 (TeamViewer5) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
--
End of file - 12019 bytes
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Thanks and Regards.
|
|
funkk
Newbie
|
24. September 2010 @ 13:29 |
Link to this message
|
Hello 2OldGeek,
Please help! Anything else I can try to get rid of this virus. None of the antivirus anti-malware software I have seem to help with this. I can't do any search on google or yahoo either. Links from both of them are getting redirected to some random ad sites. Please help. Thanks,
Thanks and Regards.
|
AfterDawn Addict
|
24. September 2010 @ 18:44 |
Link to this message
|
funkk,
Well it looks like you've picked up a tough one.
I see you're using Vista and it looks like the 32bit version.. If it's 64bit the following won't work so, don't even try it..... let me know and maybe we can figure something else out...
When done with this please post the log and I will go through it. I will be tied up this weekend but will try to get back to you as soon as possible.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Go to Here for your reference.
1. Download Combo fix from one of these locations.
* IMPORTANT !!! Place combofix.exe on your Desktop but DO NOT RUN IT!
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Click start > run and Copy and Paste this in exactly, using the picture below for reference, then click OK.
Quote:
"%userprofile%\desktop\combofix.exe" /killall
3. Combo will begin to run DO NOTHING while this is happening.
? It will kill a few processes and disconnect you from the internet.
? If by chance it stops prematurely you can re-establish your internet connection by restarting your computer.
? This needs to be done so the program can work most efficiently for you.
Do not attempt to use the internet or anything else while it's doing its job for you.
**Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
If when it's completed you can not get on the internet just reboot the computer
Post the log from comboFix for me located in
c:\comboFix.txt
2oG
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves... |
|
funkk
Newbie
|
29. September 2010 @ 20:54 |
Link to this message
|
|
Sorry for the late respone. Had an emergency work that kept me out for few days. Thanks for all your help. ComboFix seems to have taken care of the issue. I tried few different searches and links and everything is working fine. Thanks again for all your help and time.
Thanks and Regards.
|
AfterDawn Addict
|
29. September 2010 @ 21:03 |
Link to this message
|
|
That's great, funkk.
If you will post the Log from comboFix for me located in
c:\comboFix.txt we'll see if you have any underlying problems, like rootkits, that may come back to haunt you..... you may not be clean, yet...
2oG
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves... |
|
funkk
Newbie
|
29. September 2010 @ 23:24 |
Link to this message
|
Hello 2oldGeek,
Here is the log file combofix.txt found in the computer. Please let me know if I should be worried. Thanks.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ComboFix 10-09-24.05 - MuthupK 09/25/2010 8:54.1.2 - x86
Microsoft® Windows Vista? Enterprise 6.0.6002.2.1252.1.1033.18.3571.2543 [GMT -5:00]
Running from: c:\users\MUTHUPK\Desktop\combofix.exe
Command switches used :: /killall
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\users\MUTHUPK\AppData\Local\{66C39361-6E4A-4FBE-A537-C64578D1FB4E}
c:\users\MUTHUPK\AppData\Local\{66C39361-6E4A-4FBE-A537-C64578D1FB4E}\chrome.manifest
c:\users\MUTHUPK\AppData\Local\{66C39361-6E4A-4FBE-A537-C64578D1FB4E}\chrome\content\_cfg.js
c:\users\MUTHUPK\AppData\Local\{66C39361-6E4A-4FBE-A537-C64578D1FB4E}\chrome\content\overlay.xul
c:\users\MUTHUPK\AppData\Local\{66C39361-6E4A-4FBE-A537-C64578D1FB4E}\install.rdf
----- BITS: Possible infected sites -----
hxxp://psc.perotsystems.net:80
Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe
Infected copy of c:\windows\System32\wininit.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe
Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe
.
((((((((((((((((((((((((( Files Created from 2010-08-25 to 2010-09-25 )))))))))))))))))))))))))))))))
.
2010-09-25 14:01 . 2010-09-25 20:10 -------- d-----w- c:\users\MUTHUPK\AppData\Local\temp
2010-09-25 14:01 . 2010-09-25 14:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-25 14:01 . 2010-09-25 14:01 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-09-24 17:50 . 2006-06-19 18:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-09-24 17:50 . 2006-05-25 20:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-09-24 17:50 . 2005-08-26 06:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-09-24 17:50 . 2003-02-03 01:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-09-24 17:50 . 2002-03-06 06:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-09-24 17:50 . 2010-09-24 17:50 -------- d-----w- c:\program files\Trojan Remover
2010-09-24 17:50 . 2010-09-24 17:50 -------- d-----w- c:\users\MUTHUPK\AppData\Roaming\Simply Super Software
2010-09-24 17:50 . 2010-09-24 17:50 -------- d-----w- c:\programdata\Simply Super Software
2010-09-24 16:52 . 2010-09-24 16:53 -------- d-----w- c:\program files\QuickTime
2010-09-23 12:45 . 2010-09-23 12:45 63488 ----a-w- c:\users\MUTHUPK\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-09-23 12:45 . 2010-09-23 12:45 52224 ----a-w- c:\users\MUTHUPK\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-09-23 12:45 . 2010-09-23 12:45 117760 ----a-w- c:\users\MUTHUPK\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-23 12:45 . 2010-09-23 12:45 -------- d-----w- c:\users\MUTHUPK\AppData\Roaming\SUPERAntiSpyware.com
2010-09-23 12:45 . 2010-09-23 12:45 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-09-23 12:45 . 2010-09-23 12:45 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-09-22 22:27 . 2010-09-22 22:27 388096 ----a-r- c:\users\MUTHUPK\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-09-22 22:27 . 2010-09-22 22:27 -------- d-----w- c:\program files\Trend Micro
2010-09-22 19:42 . 2010-09-24 17:23 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-09-22 19:42 . 2010-09-22 19:46 -------- d-----w- c:\programdata\Hitman Pro
2010-09-22 19:42 . 2010-09-22 19:42 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-09-22 02:34 . 2010-09-22 02:56 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-09-22 02:34 . 2010-09-22 02:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-09-21 16:17 . 2010-09-21 16:17 120 ----a-w- c:\users\MUTHUPK\AppData\Local\Gveqahi.dat
2010-09-21 16:17 . 2010-09-21 16:17 0 ----a-w- c:\users\MUTHUPK\AppData\Local\Xbalexizuxawo.bin
2010-09-06 16:35 . 2007-03-23 10:05 29272 ----a-r- c:\windows\system32\AdobePDF.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-25 20:11 . 2009-11-02 21:35 158395 ----a-w- c:\programdata\nvModes.dat
2010-09-21 16:47 . 2010-06-12 21:40 -------- d-----w- c:\users\MUTHUPK\AppData\Roaming\Ripen
2010-09-21 16:47 . 2010-08-11 22:46 -------- d-----w- c:\users\MUTHUPK\AppData\Roaming\Koemyx
2010-09-11 19:07 . 2009-12-09 22:20 -------- d-----w- c:\programdata\FLEXnet
2010-09-04 20:02 . 2009-03-18 20:01 -------- d-----w- c:\program files\Common Files\Adobe
2010-08-26 13:39 . 2010-08-26 13:39 -------- d-----w- c:\programdata\Brother
2010-08-18 18:11 . 2010-08-18 18:10 -------- d-----w- c:\program files\SpeedFan
2010-08-04 04:36 . 2010-08-04 04:32 -------- d-----w- c:\program files\Windows Live Safety Center
2010-08-03 03:47 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-08-03 03:45 . 2009-03-18 19:48 -------- d-----w- c:\programdata\Microsoft Help
2010-07-16 15:55 . 2010-07-16 15:55 45056 ----a-r- c:\users\MUTHUPK\AppData\Roaming\Microsoft\Installer\{E14B8A08-42B3-4676-9E91-1D39F8158DA1}\NewShortcut2_E14B8A0842B346769E911D39F8158DA1.exe
2010-07-16 15:55 . 2010-07-16 15:55 45056 ----a-r- c:\users\MUTHUPK\AppData\Roaming\Microsoft\Installer\{E14B8A08-42B3-4676-9E91-1D39F8158DA1}\NewShortcut1_E14B8A0842B346769E911D39F8158DA1.exe
2010-07-03 23:09 . 2010-07-03 23:09 439816 ----a-w- c:\users\MUTHUPK\AppData\Roaming\Real\Update\setup3.11\setup.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-10 2424560]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-01-28 111952]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-10-28 200704]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-02-23 483420]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-11 13605408]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-11 92704]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2009-03-11 96800]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-09-22 136512]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2010-06-16 624056]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-12 202256]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2010-07-05 1167296]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Lotus Quickr Monitor.lnk - c:\program files\IBM\Lotus Quickr connectors\DIMon.exe [2009-11-2 591496]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2373621041-469255773-220526481-63169\Scripts\Logon\0\0]
"Script"=PerotLogon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2373621041-469255773-220526481-63169\Scripts\Logon\1\0]
"Script"=PerotLogon.bat
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnk.CommonStartup
backupExtension=.CommonStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-16 00:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MeetingLauncher]
2009-11-03 16:50 480560 ----a-w- c:\program files\Web Meeting\Modules\Launcher\mcLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2008-02-26 17:57 128296 ----a-w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 16:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-10-09 19:11 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-03-12 13:12 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
R3 dc21x4vm;dc21x4VM Based Network Adapter Driver;c:\windows\system32\DRIVERS\dc21x4vm.sys [2006-11-02 52224]
R3 PTUMWBus;PANTECH USB Modem V2 Composite Device Driver;c:\windows\system32\DRIVERS\PTUMWBus.sys [2009-10-27 54544]
R3 PTUMWCDF;PANTECH USB Modem V2 Installation CD;c:\windows\system32\DRIVERS\PTUMWCDF.sys [2009-10-27 22032]
R3 PTUMWCSP;PANTECH USB Modem V2 Connection Port;c:\windows\system32\DRIVERS\PTUMWCSP.sys [2009-10-27 160400]
R3 PTUMWFLT;PTUMWNET Filter Driver;c:\windows\system32\DRIVERS\PTUMWFLT.sys [2009-10-27 12048]
R3 PTUMWMdm;PANTECH USB Modem V2 Modem Driver;c:\windows\system32\DRIVERS\PTUMWMdm.sys [2009-10-27 160400]
R3 PTUMWNET;PANTECH USB Modem V2 WWAN Driver;c:\windows\system32\DRIVERS\PTUMWNET.sys [2009-10-27 115216]
R3 PTUMWNSP;PANTECH USB Modem V2 NMEA Port;c:\windows\system32\DRIVERS\PTUMWNSP.sys [2009-10-27 160400]
R3 PTUMWVsp;PANTECH USB Modem V2 Diagnostic Port;c:\windows\system32\DRIVERS\PTUMWVsp.sys [2009-10-27 160400]
R3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [2009-05-25 32408]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-21 16896]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2008-07-11 47128]
R4 OracleJobSchedulerE1LOCAL;OracleJobSchedulerE1LOCAL;c:\oracle\e1local\Bin\extjob.exe E1LOCAL [x]
R4 RsFx0102;RsFx0102 Driver;c:\windows\system32\DRIVERS\RsFx0102.sys [2008-07-10 242712]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-07-11 369688]
R4 WQ_USBCBAF;WiQuest Cable Association driver;c:\windows\system32\drivers\wq_cba.sys [2008-08-27 34104]
R4 WQ_USBDWA;WiQuest Device Wire Adapter driver;c:\windows\system32\drivers\wq_dwa.sys [2008-08-27 112184]
R4 WQ_USBHWA;WiQuest Host Wire Adapter driver;c:\windows\system32\drivers\wq_hwa.sys [2008-08-27 176696]
R4 WQ_USBLOAD;WiQuest WUSB Loader driver;c:\windows\system32\drivers\wq_ldr.sys [2008-08-27 33720]
R4 WQ_USBRCI;WiQuest UltraWideBand driver;c:\windows\system32\drivers\wq_rci.sys [2008-08-27 79416]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_38163857\aestsrv.exe [2009-02-12 81920]
S2 CdpPacket;Cisco Discovery Protocol Packet Driver;c:\windows\system32\DRIVERS\CdpPacket.sys [2007-09-07 35692]
S2 OracleE1LocalTNSListener;OracleE1LocalTNSListener;c:\oracle\E1Local\BIN\TNSLSNR [x]
S2 OracleServiceE1LOCAL;OracleServiceE1LOCAL;c:\oracle\e1local\bin\ORACLE.EXE E1LOCAL [x]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [2010-02-11 172328]
S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6032.sys [2008-04-04 224384]
S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-06-26 3662848]
S3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\DRIVERS\OA001Ufd.sys [2008-11-26 133472]
S3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\DRIVERS\OA001Vid.sys [2009-02-19 279520]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Make a Screenshot - c:\progra~1\BROWSE~1\IESCRE~1\IESCRE~1.DLL/202
IE: {{84A11D82-2732-40ed-BF71-80F1FAF3807F} - {6BFA42E6-23F8-4ca7-A4E2-680EFB1F6DAE} - c:\progra~1\BROWSE~1\IESCRE~1\IESCRE~1.DLL
Trusted Zone: perotsystems.com
Trusted Zone: perotsystems.net
Trusted Zone: ps.net
Trusted Zone: scglobal.com
DPF: {7C896371-4B7F-4B34-95B1-24851F5DED24} - hxxp://gmgdvs01.gmsg.net:1024/VirtualServer/activex/VMRCActiveXClient.cab
DPF: {8BF7B588-F4AC-4A6E-AF63-F664449EED2E} - hxxp://portalprodqkr.venturafoods.com:10038/lotus/PA_1_3F2DNS521GKI602HUIA3VB00K5/plugins/com.ibm.wps.dm/jsp/common/plugin/DMPlugin.cab
DPF: {B1D21FC5-A742-4261-86F2-C7B7F1A31C5D} - hxxp://jdesbx1.scglobal.com:7777/jde/axctls/jdewebctlsU.cab
DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} - hxxps://train.ps.net/orgchart/OrgPubX.cab
DPF: {F9E542CE-C16A-47FA-B7A8-D88E5F1C5719} - hxxp://localhost:8888/jde/axctls/jdeexpimpU.cab
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
ActiveSetup-{095DE041-4EC2-4FAE-A23C-401B47593EF4} - del
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-25 15:11
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\TEMP\TMP0000004050F795056ABE235E 524288 bytes
scan completed successfully
hidden files: 1
**************************************************************************
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\OracleE1LocalTNSListener]
"ImagePath"="c:\oracle\E1Local\BIN\TNSLSNR "
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(3120)
c:\program files\IBM\Lotus Quickr connectors\DINSE.dll
c:\program files\IBM\Lotus Quickr connectors\DICore.dll
c:\program files\IBM\Lotus Quickr connectors\xerces240.dll
c:\program files\IBM\Lotus Quickr connectors\DILibDocs.dll
c:\program files\IBM\Lotus Quickr connectors\DIRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_38163857\STacSV.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\oracle\E1Local\BIN\TNSLSNR.exe
c:\oracle\e1local\bin\ORACLE.EXE
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\CCM\CcmExec.exe
c:\windows\system32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\program files\Hitman Pro 3.5\HitmanPro35.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2010-09-25 15:15:23 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-25 20:15
Pre-Run: 22,274,486,272 bytes free
Post-Run: 21,657,870,336 bytes free
- - End Of File - - 3BFCD19BC6D65FBBC8FB49A718003D6D
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Thanks and Regards.
|
AfterDawn Addict
|
30. September 2010 @ 11:19 |
Link to this message
|
ComboFix fix
You have a Rootkit that may or may not cause problems because it has been disconnected but it?s best to remove it. Assuming you still have ComboFix, if not, please download it.
1. Close any open browsers
2. Please Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Go to Here for your reference.
3. open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:
Rootkit::
c:\windows\TEMP\TMP0000004050F795056ABE235E 524288 bytes
Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
That will clear you and the next thing you should do is Uninstall ComboFix (just deleting it does not remove it)
Click START then RUN
Now copy/paste Combofix /u in runbox and click OK.
Note the space between the X and the U, it needs to be there.
This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.
2oG
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...This message has been edited since posting. Last time this message was edited on 30. September 2010 @ 11:22
|
|
funkk
Newbie
|
30. September 2010 @ 13:24 |
Link to this message
|
Thanks for the detailed instructions. I did run the combofix again as you suggested. Here is the log file from this run: Please let me know what i should do next, if any. Thanks again.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ComboFix 10-09-29.04 - MuthupK 09/30/2010 12:06:46.2.2 - x86
Microsoft® Windows Vista? Enterprise 6.0.6002.2.1252.1.1033.18.3571.2241 [GMT -5:00]
Running from: c:\users\MUTHUPK\Desktop\ComboFix.exe
Command switches used :: c:\users\MUTHUPK\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((( Files Created from 2010-08-28 to 2010-09-30 )))))))))))))))))))))))))))))))
.
2010-09-30 17:11 . 2010-09-30 17:15 -------- d-----w- c:\users\MUTHUPK\AppData\Local\temp
2010-09-30 17:11 . 2010-09-30 17:11 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-09-30 17:11 . 2010-09-30 17:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-30 17:11 . 2010-09-30 17:11 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-09-24 16:52 . 2010-09-24 16:53 -------- d-----w- c:\program files\QuickTime
2010-09-23 12:45 . 2010-09-23 12:45 63488 ----a-w- c:\users\MUTHUPK\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-09-23 12:45 . 2010-09-23 12:45 52224 ----a-w- c:\users\MUTHUPK\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-09-23 12:45 . 2010-09-23 12:45 117760 ----a-w- c:\users\MUTHUPK\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-23 12:45 . 2010-09-23 12:45 -------- d-----w- c:\users\MUTHUPK\AppData\Roaming\SUPERAntiSpyware.com
2010-09-23 12:45 . 2010-09-23 12:45 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-09-23 12:45 . 2010-09-23 12:45 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-09-22 22:27 . 2010-09-22 22:27 388096 ----a-r- c:\users\MUTHUPK\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-09-22 22:27 . 2010-09-22 22:27 -------- d-----w- c:\program files\Trend Micro
2010-09-22 19:42 . 2010-09-25 20:15 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-09-22 19:42 . 2010-09-22 19:46 -------- d-----w- c:\programdata\Hitman Pro
2010-09-22 19:42 . 2010-09-22 19:42 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-09-22 02:34 . 2010-09-22 02:56 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-09-22 02:34 . 2010-09-22 02:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-09-21 16:17 . 2010-09-21 16:17 120 ----a-w- c:\users\MUTHUPK\AppData\Local\Gveqahi.dat
2010-09-21 16:17 . 2010-09-21 16:17 0 ----a-w- c:\users\MUTHUPK\AppData\Local\Xbalexizuxawo.bin
2010-09-06 16:35 . 2007-03-23 10:05 29272 ----a-r- c:\windows\system32\AdobePDF.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-30 17:15 . 2009-11-02 21:35 158395 ----a-w- c:\programdata\nvModes.dat
2010-09-21 16:47 . 2010-06-12 21:40 -------- d-----w- c:\users\MUTHUPK\AppData\Roaming\Ripen
2010-09-21 16:47 . 2010-08-11 22:46 -------- d-----w- c:\users\MUTHUPK\AppData\Roaming\Koemyx
2010-09-11 19:07 . 2009-12-09 22:20 -------- d-----w- c:\programdata\FLEXnet
2010-09-04 20:02 . 2009-03-18 20:01 -------- d-----w- c:\program files\Common Files\Adobe
2010-08-26 13:39 . 2010-08-26 13:39 -------- d-----w- c:\programdata\Brother
2010-08-18 18:11 . 2010-08-18 18:10 -------- d-----w- c:\program files\SpeedFan
2010-08-04 04:36 . 2010-08-04 04:32 -------- d-----w- c:\program files\Windows Live Safety Center
2010-08-03 03:47 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-08-03 03:45 . 2009-03-18 19:48 -------- d-----w- c:\programdata\Microsoft Help
2010-07-16 15:55 . 2010-07-16 15:55 45056 ----a-r- c:\users\MUTHUPK\AppData\Roaming\Microsoft\Installer\{E14B8A08-42B3-4676-9E91-1D39F8158DA1}\NewShortcut2_E14B8A0842B346769E911D39F8158DA1.exe
2010-07-16 15:55 . 2010-07-16 15:55 45056 ----a-r- c:\users\MUTHUPK\AppData\Roaming\Microsoft\Installer\{E14B8A08-42B3-4676-9E91-1D39F8158DA1}\NewShortcut1_E14B8A0842B346769E911D39F8158DA1.exe
2010-07-03 23:09 . 2010-07-03 23:09 439816 ----a-w- c:\users\MUTHUPK\AppData\Roaming\Real\Update\setup3.11\setup.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-10 2424560]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-01-28 111952]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-10-28 200704]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-02-23 483420]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-11 13605408]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-11 92704]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2009-03-11 96800]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-09-22 136512]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2010-06-16 624056]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-12 202256]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Lotus Quickr Monitor.lnk - c:\program files\IBM\Lotus Quickr connectors\DIMon.exe [2009-11-2 591496]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2373621041-469255773-220526481-63169\Scripts\Logon\0\0]
"Script"=PerotLogon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2373621041-469255773-220526481-63169\Scripts\Logon\1\0]
"Script"=PerotLogon.bat
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnk.CommonStartup
backupExtension=.CommonStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-16 00:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MeetingLauncher]
2009-11-03 16:50 480560 ----a-w- c:\program files\Web Meeting\Modules\Launcher\mcLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2008-02-26 17:57 128296 ----a-w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 16:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-10-09 19:11 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-03-12 13:12 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
R3 dc21x4vm;dc21x4VM Based Network Adapter Driver;c:\windows\system32\DRIVERS\dc21x4vm.sys [2006-11-02 52224]
R3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2010-09-25 16968]
R3 PTUMWBus;PANTECH USB Modem V2 Composite Device Driver;c:\windows\system32\DRIVERS\PTUMWBus.sys [2009-10-27 54544]
R3 PTUMWCDF;PANTECH USB Modem V2 Installation CD;c:\windows\system32\DRIVERS\PTUMWCDF.sys [2009-10-27 22032]
R3 PTUMWCSP;PANTECH USB Modem V2 Connection Port;c:\windows\system32\DRIVERS\PTUMWCSP.sys [2009-10-27 160400]
R3 PTUMWFLT;PTUMWNET Filter Driver;c:\windows\system32\DRIVERS\PTUMWFLT.sys [2009-10-27 12048]
R3 PTUMWMdm;PANTECH USB Modem V2 Modem Driver;c:\windows\system32\DRIVERS\PTUMWMdm.sys [2009-10-27 160400]
R3 PTUMWNET;PANTECH USB Modem V2 WWAN Driver;c:\windows\system32\DRIVERS\PTUMWNET.sys [2009-10-27 115216]
R3 PTUMWNSP;PANTECH USB Modem V2 NMEA Port;c:\windows\system32\DRIVERS\PTUMWNSP.sys [2009-10-27 160400]
R3 PTUMWVsp;PANTECH USB Modem V2 Diagnostic Port;c:\windows\system32\DRIVERS\PTUMWVsp.sys [2009-10-27 160400]
R3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [2009-05-25 32408]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-21 16896]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2008-07-11 47128]
R4 OracleJobSchedulerE1LOCAL;OracleJobSchedulerE1LOCAL;c:\oracle\e1local\Bin\extjob.exe E1LOCAL [x]
R4 RsFx0102;RsFx0102 Driver;c:\windows\system32\DRIVERS\RsFx0102.sys [2008-07-10 242712]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-07-11 369688]
R4 WQ_USBCBAF;WiQuest Cable Association driver;c:\windows\system32\drivers\wq_cba.sys [2008-08-27 34104]
R4 WQ_USBDWA;WiQuest Device Wire Adapter driver;c:\windows\system32\drivers\wq_dwa.sys [2008-08-27 112184]
R4 WQ_USBHWA;WiQuest Host Wire Adapter driver;c:\windows\system32\drivers\wq_hwa.sys [2008-08-27 176696]
R4 WQ_USBLOAD;WiQuest WUSB Loader driver;c:\windows\system32\drivers\wq_ldr.sys [2008-08-27 33720]
R4 WQ_USBRCI;WiQuest UltraWideBand driver;c:\windows\system32\drivers\wq_rci.sys [2008-08-27 79416]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_38163857\aestsrv.exe [2009-02-12 81920]
S2 CdpPacket;Cisco Discovery Protocol Packet Driver;c:\windows\system32\DRIVERS\CdpPacket.sys [2007-09-07 35692]
S2 OracleE1LocalTNSListener;OracleE1LocalTNSListener;c:\oracle\E1Local\BIN\TNSLSNR [x]
S2 OracleServiceE1LOCAL;OracleServiceE1LOCAL;c:\oracle\e1local\bin\ORACLE.EXE E1LOCAL [x]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [2010-02-11 172328]
S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6032.sys [2008-04-04 224384]
S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-06-26 3662848]
S3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\DRIVERS\OA001Ufd.sys [2008-11-26 133472]
S3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\DRIVERS\OA001Vid.sys [2009-02-19 279520]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Make a Screenshot - c:\progra~1\BROWSE~1\IESCRE~1\IESCRE~1.DLL/202
IE: {{84A11D82-2732-40ed-BF71-80F1FAF3807F} - {6BFA42E6-23F8-4ca7-A4E2-680EFB1F6DAE} - c:\progra~1\BROWSE~1\IESCRE~1\IESCRE~1.DLL
Trusted Zone: perotsystems.com
Trusted Zone: perotsystems.net
Trusted Zone: ps.net
Trusted Zone: scglobal.com
DPF: {7C896371-4B7F-4B34-95B1-24851F5DED24} - hxxp://gmgdvs01.gmsg.net:1024/VirtualServer/activex/VMRCActiveXClient.cab
DPF: {8BF7B588-F4AC-4A6E-AF63-F664449EED2E} - hxxp://portalprodqkr.venturafoods.com:10038/lotus/PA_1_3F2DNS521GKI602HUIA3VB00K5/plugins/com.ibm.wps.dm/jsp/common/plugin/DMPlugin.cab
DPF: {B1D21FC5-A742-4261-86F2-C7B7F1A31C5D} - hxxp://jdesbx1.scglobal.com:7777/jde/axctls/jdewebctlsU.cab
DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} - hxxps://train.ps.net/orgchart/OrgPubX.cab
DPF: {F9E542CE-C16A-47FA-B7A8-D88E5F1C5719} - hxxp://localhost:8888/jde/axctls/jdeexpimpU.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-30 12:15
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\OracleE1LocalTNSListener]
"ImagePath"="c:\oracle\E1Local\BIN\TNSLSNR "
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(2860)
c:\program files\IBM\Lotus Quickr connectors\DINSE.dll
c:\program files\IBM\Lotus Quickr connectors\DICore.dll
c:\program files\IBM\Lotus Quickr connectors\xerces240.dll
c:\program files\IBM\Lotus Quickr connectors\DILibDocs.dll
c:\program files\IBM\Lotus Quickr connectors\DIRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_38163857\STacSV.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\oracle\E1Local\BIN\TNSLSNR.exe
c:\oracle\e1local\bin\ORACLE.EXE
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\CCM\CcmExec.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\msiexec.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\windows\system32\wbem\WmiApSrv.exe
.
**************************************************************************
.
Completion time: 2010-09-30 12:21:05 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-30 17:21
ComboFix2.txt 2010-09-25 20:15
Pre-Run: 22,401,675,264 bytes free
Post-Run: 22,005,366,784 bytes free
- - End Of File - - A25173DC166A092C6F9FC1961762646E
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Thanks and Regards.
|
AfterDawn Addict
|
30. September 2010 @ 13:38 |
Link to this message
|
|
That got rid of the Rootkit and I see No Other Ghosts that might haunt you. :)
You're Clean!
Have a Happy!
2oG
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves... |
|
funkk
Newbie
|
30. September 2010 @ 13:52 |
Link to this message
|
|
Thats great...Thank you very much...Now I can browse/use computer happily knowing there is no scare. Thanks again for all your time and help.
Thanks and Regards.
|
|
sirk
Newbie
|
18. October 2010 @ 09:44 |
Link to this message
|
Hi 2oldGeek,
I have been having similar problem to funkk and slub77 and was hoping you could have a look at my scan logs.
Sometimes I do get redirected to other sites and sometimes Ad-Aware live watch stops the IP66.230.188.67 to redirect me.
I have tried to follow the instructions you have posted for funk but then when I scan with Superantispyware it keeps finding this one ad-ware which I regularly remove and that keeps reappearing.
When click on links from google searches I get redirected about once every 3 times.
Would you be so kind to help me ,if and when, you have a moment please?It's driving me insane.
Please see below my scan logs for HiJackthis,Combofix (for some reason I am not able to see the scan log for SuperAntispyware but the item found was C:User\Kristiano\AppData\Roaming\Microsoft\Windows\Cookies\kristiano@atdmt[2].txt.
Thank you in advance for your help and time.
Regards
This is the log before running Combofix
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:59:07, on 18/10/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Safe mode with network support
Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Users\Kristiano\Things\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3...d=smb&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3...d=smb&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\Windows\system32\Adobe\Shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/5.0_(Windows;_U;_Windows_NT_6.0;_en-GB;_rv:1.9.2.3)_Gecko/20100401_Firefox/3.6.3_(.NET_CLR_3.5.30729)" -"http://www.bbc.co.uk/gardening/htbg2/virtual_garden/shockwave/garden3.shtml"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resourc...b/wlscctrl2.cab
O20 - AppInit_DLLs:
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Unknown owner - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 8403 bytes
ComboFix 10-10-17.03 - Kristiano 18/10/2010 11:35:45.1.2 - x86
Microsoft® Windows Vista? Home Basic 6.0.6002.2.1252.44.1033.18.1015.333 [GMT 1:00]
Running from: c:\users\Kristiano\Desktop\combofix.exe
Command switches used :: /killall
FW: COMODO Firewall Pro *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
SP: Lavasoft Ad-Watch Live! *enabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\Kristiano\AppData\Local\{8DF802E4-094B-4079-A1A5-676272485B8B}
c:\users\Kristiano\AppData\Local\{8DF802E4-094B-4079-A1A5-676272485B8B}\chrome.manifest
c:\users\Kristiano\AppData\Local\{8DF802E4-094B-4079-A1A5-676272485B8B}\chrome\content\_cfg.js
c:\users\Kristiano\AppData\Local\{8DF802E4-094B-4079-A1A5-676272485B8B}\chrome\content\overlay.xul
c:\users\Kristiano\AppData\Local\{8DF802E4-094B-4079-A1A5-676272485B8B}\install.rdf
.
((((((((((((((((((((((((( Files Created from 2010-09-18 to 2010-10-18 )))))))))))))))))))))))))))))))
.
2010-10-18 10:44 . 2010-10-18 10:59 -------- d-----w- c:\users\Kristiano\AppData\Local\temp
2010-10-18 10:44 . 2010-10-18 10:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-10-16 12:06 . 2010-10-16 12:06 -------- d-----w- c:\users\Kristiano\AppData\Roaming\SUPERAntiSpyware.com
2010-10-16 12:06 . 2010-10-16 12:06 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-10-16 12:06 . 2010-10-16 12:06 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-10-15 06:00 . 2010-09-09 22:52 6084944 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{EC6BD40B-5D29-4A23-88C6-D998BA24C575}\mpengine.dll
2010-10-14 11:21 . 2010-09-13 13:56 168960 ----a-w- c:\program files\Windows Media Player\wmplayer.exe
2010-10-14 11:21 . 2010-09-13 13:56 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-10-14 11:20 . 2010-09-06 16:20 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-10-14 11:19 . 2010-09-06 13:45 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2010-10-14 11:19 . 2010-09-06 13:45 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-10-14 11:19 . 2010-09-06 13:45 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-10-14 11:19 . 2010-09-06 16:19 17920 ----a-w- c:\windows\system32\netevent.dll
2010-10-14 11:19 . 2010-08-10 15:53 274944 ----a-w- c:\windows\system32\schannel.dll
2010-10-14 11:17 . 2010-09-08 17:23 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-29 07:04 . 2010-06-22 13:30 2048 ----a-w- c:\windows\system32\tzres.dll
2010-09-28 09:40 . 2010-08-12 12:15 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-09-28 08:40 . 2010-08-12 12:15 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-09-28 08:40 . 2010-09-28 08:40 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-09-28 08:33 . 2010-09-28 08:33 -------- d-----w- c:\users\Kristiano\AppData\Local\Sunbelt Software
2010-09-28 08:32 . 2010-09-28 08:32 -------- dc-h--w- c:\programdata\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-09-23 11:41 . 2010-09-23 11:41 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-09-22 17:10 . 2010-09-22 17:10 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2010-09-22 17:10 . 2010-09-22 17:10 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-24 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-28 2424560]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150596.exe" [2009-04-29 468408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-12 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-12 129560]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-05-07 159744]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 480560]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-26 202256]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 135664]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2006-11-02 167936]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [2010-08-12 15008]
R3 pxldqpoc;pxldqpoc;c:\users\KRISTI~1\AppData\Local\Temp\pxldqpoc.sys [x]
R3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\DRIVERS\s1018bus.sys [2008-06-04 90408]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-08-12 64288]
S1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-02-26 390528]
S1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [2010-06-07 59240]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2010-06-07 166632]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-10-06 1357464]
S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
2010-10-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-03-02 18:47]
2010-10-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 06:08]
2010-10-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 06:08]
2010-10-18 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2068407642-2866006614-1426285444-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=74&bd=smb&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
FF - ProfilePath - c:\users\Kristiano\AppData\Roaming\Mozilla\Firefox\Profiles\ybjau5gz.default\
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - component: c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\programdata\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\users\Kristiano\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
AddRemove-Lame MP3 Codec (for the ACM) - c:\windows\IFinst26.exe
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\program files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2010-10-18 12:07:46 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-18 11:07
Pre-Run: 33,524,584,448 bytes free
Post-Run: 34,412,359,680 bytes free
- - End Of File - - 7641E9673405EDFBF02329A3EEE41AEC
This is the one after Combofix scan
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:17:05, on 18/10/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\Explorer.exe
C:\Users\Kristiano\Things\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3...d=smb&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\Windows\system32\Adobe\Shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/5.0_(Windows;_U;_Windows_NT_6.0;_en-GB;_rv:1.9.2.3)_Gecko/20100401_Firefox/3.6.3_(.NET_CLR_3.5.30729)" -"http://www.bbc.co.uk/gardening/htbg2/virtual_garden/shockwave/garden3.shtml"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resourc...b/wlscctrl2.cab
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Unknown owner - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 9139 bytes
|
AfterDawn Addict
|
18. October 2010 @ 18:43 |
Link to this message
|
Hi sirk,
Both of your HJT Logs are clean and I find nothing in the Combo Log to suggest what you are experiencing, no rootkits, etc.
Let?s give this a whirl:
Download Malwarebytes' Anti-Malware to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
? At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
? If an update is found, it will download and install the latest version.
? Once the program has loaded, select Perform full scan, then click Scan.
? When the scan is complete, click OK, then Show Results to view the results.
? Make sure that everything is checked, and click Remove Selected. <-- Don't forget this.
? When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
? Please post the MBAM Log and a fresh HJT log in your next reply.
2oG
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves... |
|
Advertisement
|
|
|
|
sirk
Newbie
|
19. October 2010 @ 12:34 |
Link to this message
|
Hi 2oG,
Thanks for your reply
I have run scan with mbam and didnt find anything,
my pc seems to be working ok at moment and not getting redirected to other sites,
had a bit of problem uninstalling Combo,later found out that the command is Combofix /uninstall,however, I use to have ad-aware which stopped working so had to uninstall it but now cannot re-install it anymore (it installs fine but gets stuck when applying updated)was wondering if it might clash with Superantispyware(free)as is the only new software I have downloaded lately or if Combofix has deleted some file that was needed for that(not a clue) .
Would you have any idea on regard of that?
Apart form that,maybe I was a bit overzealous and your instructions on the thread were spot on thanks for posting.
I will let you know if problem comes back.
In the mean time cheers and thanks for you time.
|
|
