BleepingComputer.com: Google Redirect

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
  • 6 Pages +
  • « First
  • 4
  • 5
  • 6
  • You cannot start a new topic
  • This topic is locked

Google Redirect Help Needed Please

#76 User is offline   Pizza and Pepsi 

  • Forum Regular
  • PipPipPip
  • Find Topics
  • Group: Members
  • Posts: 203
  • Joined: 27-April 11

Posted 08 September 2011 - 07:33 PM

Defogger says it is unable to open file. This happend after clicking renable.
Use Malwarebytes, SuperAntispyware, ESET online scan, then repeat.

#77 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,518
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 08 September 2011 - 07:38 PM

not a problem means that it is already enabled or you don't have that software


gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#78 User is offline   Pizza and Pepsi 

  • Forum Regular
  • PipPipPip
  • Find Topics
  • Group: Members
  • Posts: 203
  • Joined: 27-April 11

Posted 08 September 2011 - 07:55 PM

Here is the log:



ComboFix 11-09-08.03 - Ken 09/08/2011 17:37:13.7.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1525 [GMT -7:00]
Running from: c:\documents and settings\Ken\Desktop\ComboFix.exe
AV: Spyware Doctor with AntiVirus *Disabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: Trend Micro OfficeScan Antivirus *Disabled/Outdated* {C516F58A-9C7C-4517-813C-608F6D4363CD}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\WindowsUpdate.log
.
.
((((((((((((((((((((((((( Files Created from 2011-08-09 to 2011-09-09 )))))))))))))))))))))))))))))))
.
.
2011-09-03 10:17 . 2011-09-03 10:17 599040 ------w- c:\windows\system32\dllcache\crypt32.dll
2011-09-03 00:27 . 2011-09-03 00:27 -------- d-----w- c:\documents and settings\Ken\Application Data\f-secure
2011-09-03 00:26 . 2011-09-03 00:26 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2011-08-30 23:00 . 2011-08-30 23:00 102400 ----a-w- c:\windows\RegBootClean.exe
2011-08-26 01:50 . 2011-08-26 01:50 -------- d-----w- C:\Parking
2011-08-21 18:58 . 2011-08-21 18:59 388096 ----a-r- c:\documents and settings\Ken\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-08-16 23:25 . 2011-08-16 23:25 -------- d-----w- c:\documents and settings\Ken\Application Data\QuickScan
2011-08-11 17:03 . 2011-09-07 22:25 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-08-11 17:03 . 2011-09-07 22:25 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-08-11 17:03 . 2011-09-07 22:25 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-08-11 17:03 . 2011-09-07 22:25 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-08-11 17:03 . 2011-09-07 22:25 785368 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-08-11 17:03 . 2011-09-07 22:25 1846232 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-08-11 17:03 . 2011-09-07 22:25 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-08-11 17:03 . 2011-09-07 22:25 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-08-10 17:07 . 2011-06-24 14:10 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 17:07 . 2011-07-08 14:02 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-07 22:27 . 2011-06-01 16:22 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-03 10:17 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-07 20:55 . 2011-08-07 20:55 1409 ----a-w- c:\windows\QTFont.for
2011-08-05 20:55 . 2003-03-19 03:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-08-05 20:55 . 2003-02-21 12:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-07-15 13:29 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2004-08-04 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2004-08-04 12:00 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-21 18:45 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2011-06-21 18:45 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-06-21 18:45 . 2004-08-04 12:00 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-21 18:45 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2011-06-21 11:47 . 2004-08-04 12:00 389120 ----a-w- c:\windows\system32\html.iec
2011-06-21 04:09 . 2008-08-03 17:12 200976 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-06-20 17:44 . 2004-08-04 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-09-07 22:25 . 2011-08-11 17:03 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-07-18 710000]
"LXCRCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2005-12-01 65536]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=
backup=c:\windows\pss\Google Updater.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PHM Reminders.lnk]
path=
backup=c:\windows\pss\PHM Reminders.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^STK017 PNP Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\STK017 PNP Monitor.lnk
backup=c:\windows\pss\STK017 PNP Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADMTray.exe]
2005-10-24 23:45 2462208 ----a-w- c:\acer\Empowering Technology\admtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 19:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CtrlVol]
2003-09-16 21:28 20480 ----a-w- c:\program files\Launch Manager\CtrlVol.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
2005-07-26 18:36 69632 ----a-w- c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eRecoveryService]
2006-01-02 17:31 397312 ----a-w- c:\acer\Empowering Technology\eRecovery\Monitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2006-02-07 05:10 98304 ----a-w- c:\program files\Lexmark 2400 Series\ezprint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
2006-02-02 08:11 290816 ----a-w- c:\program files\Lexmark Fax Solutions\fm3032.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-08-24 19:47 77824 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-08-24 19:51 114688 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-08-24 19:50 94208 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 12:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchAp]
2005-07-25 20:36 32768 ----a-w- c:\program files\Launch Manager\LaunchAp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2005-11-08 17:45 69632 ----a-w- c:\program files\Launch Manager\HotkeyApp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LMgrOSD]
2005-07-25 17:45 241664 ----a-w- c:\program files\Launch Manager\OSDCtrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcrmon.exe]
2006-01-22 17:45 286720 ----a-w- c:\program files\Lexmark 2400 Series\lxcrmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2004-08-04 12:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NACAgentUI]
2009-11-22 03:35 454400 ----a-w- c:\program files\Cisco\Cisco NAC Agent\NACAgentUI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2005-09-01 02:59 147456 ------w- c:\program files\Acer\Acer Arcade\PCMService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-04 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-04 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerKey]
2002-08-30 22:02 94208 ----a-w- c:\program files\Launch Manager\Powerkey.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\preload]
2005-05-20 00:09 32768 ----a-w- c:\windows\RUNXMLPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-09-01 22:57 282624 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]
2009-02-03 13:15 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2005-04-15 18:01 77824 ----a-w- c:\windows\SOUNDMAN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 19:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2005-02-04 18:11 708698 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2005-02-04 18:12 102490 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2011-08-05 20:55 273544 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]
2010-01-26 16:46 2633976 ----a-w- c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wbutton]
2005-11-08 17:19 81920 ----a-w- c:\program files\Launch Manager\WButton.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
2005-04-23 02:49 397312 ----a-w- c:\progra~1\Yahoo!\YOP\yop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
2009-02-03 13:15 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate"=3 (0x3)
"gusvc"=2 (0x2)
"NACAgent"=2 (0x2)
"WebrootSpySweeperService"=2 (0x2)
"Symantec Core LC"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Acer\\Acer Arcade\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19532:TCP"= 19532:TCP:Trend Micro OfficeScan Listener
"67:UDP"= 67:UDP:DHCP Discovery Service
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXpflt.sys [7/18/2007 9:58 AM 249424]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\TmPreflt.sys [7/18/2007 9:58 AM 36432]
S1 mailKmd;mailKmd; [x]
S1 SDManager;SDManager;\??\c:\program files\SpywareDetector\SDManager.sys --> c:\program files\SpywareDetector\SDManager.sys [?]
S3 GGSAFERDriver;GGSAFER Driver;\??\g:\garena\safedrv.sys --> g:\garena\safedrv.sys [?]
S3 POWERKEY;POWERKEY;c:\program files\Launch Manager\POWERKEY.SYS [7/29/2006 6:12 PM 2343]
S4 ImapiService32;IMAPI CD-Burning COM Service ; [x]
S4 NACAgent;Cisco NAC Agent;c:\program files\Cisco\Cisco NAC Agent\NACAgent.exe [2/5/2010 5:28 PM 742144]
S4 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [7/18/2007 9:58 AM 575064]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 21:21]
.
2011-08-09 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1049095898-568075592-3202847216-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 17:47]
.
2011-09-09 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1049095898-568075592-3202847216-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 17:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com/?.home=ytie
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: eset.com\go
TCP: DhcpNameServer = 192.168.1.254
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Ken\Application Data\Mozilla\Firefox\Profiles\j5v9y374.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-upgrd&p=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-08 17:46
Windows 5.1.2600 Service Pack 3 FAT NTAPI
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCRCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ImapiService32]
"ImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(704)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\acer\Empowering Technology\admServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Trend Micro\OfficeScan Client\ntrtscan.exe
c:\program files\Trend Micro\OfficeScan Client\tmlisten.exe
c:\windows\TEMP\YM21E3.EXE
c:\windows\system32\lxcrcoms.exe
c:\program files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
.
**************************************************************************
.
Completion time: 2011-09-08 17:48:48 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-09 00:48
.
Pre-Run: 3,151,691,776 bytes free
Post-Run: 3,120,676,864 bytes free
.
- - End Of File - - A3AA01CDB83D8587E7D43D90D891589A








The popup appeared after the combofix reboot.
Use Malwarebytes, SuperAntispyware, ESET online scan, then repeat.

#79 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,518
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 08 September 2011 - 08:02 PM

Hello


about the popup you are going to have to check in the windows forum as I have no idea whaty is causing it

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window: 

SecCenter::
AV: Spyware Doctor with AntiVirus *Disabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}


Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

    In your next post I need the following

    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?


Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#80 User is offline   Pizza and Pepsi 

  • Forum Regular
  • PipPipPip
  • Find Topics
  • Group: Members
  • Posts: 203
  • Joined: 27-April 11

Posted 10 September 2011 - 04:52 PM

Here is the log:


ComboFix 11-09-08.03 - Ken 09/10/2011 14:41:07.8.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1675 [GMT -7:00]
Running from: c:\documents and settings\Ken\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ken\Desktop\CFScript.txt
AV: Trend Micro OfficeScan Antivirus *Disabled/Outdated* {C516F58A-9C7C-4517-813C-608F6D4363CD}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-08-10 to 2011-09-10 )))))))))))))))))))))))))))))))
.
.
2011-09-03 10:17 . 2011-09-03 10:17 599040 ------w- c:\windows\system32\dllcache\crypt32.dll
2011-09-03 00:27 . 2011-09-03 00:27 -------- d-----w- c:\documents and settings\Ken\Application Data\f-secure
2011-09-03 00:26 . 2011-09-03 00:26 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2011-08-30 23:00 . 2011-08-30 23:00 102400 ----a-w- c:\windows\RegBootClean.exe
2011-08-26 01:50 . 2011-08-26 01:50 -------- d-----w- C:\Parking
2011-08-21 18:58 . 2011-08-21 18:59 388096 ----a-r- c:\documents and settings\Ken\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-08-16 23:25 . 2011-08-16 23:25 -------- d-----w- c:\documents and settings\Ken\Application Data\QuickScan
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-07 22:27 . 2011-06-01 16:22 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-03 10:17 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-07 20:55 . 2011-08-07 20:55 1409 ----a-w- c:\windows\QTFont.for
2011-08-05 20:55 . 2003-03-19 03:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-08-05 20:55 . 2003-02-21 12:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-07-15 13:29 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2004-08-04 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2004-08-04 12:00 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-21 18:45 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2011-06-21 18:45 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-06-21 18:45 . 2004-08-04 12:00 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-21 18:45 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2011-06-21 11:47 . 2004-08-04 12:00 389120 ----a-w- c:\windows\system32\html.iec
2011-06-21 04:09 . 2008-08-03 17:12 200976 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-06-20 17:44 . 2004-08-04 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-09-07 22:25 . 2011-08-11 17:03 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-09-09_00.44.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-09-10 21:32 . 2011-09-10 21:32 16384 c:\windows\temp\Perflib_Perfdata_76c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-07-18 710000]
"LXCRCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2005-12-01 65536]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=
backup=c:\windows\pss\Google Updater.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PHM Reminders.lnk]
path=
backup=c:\windows\pss\PHM Reminders.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^STK017 PNP Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\STK017 PNP Monitor.lnk
backup=c:\windows\pss\STK017 PNP Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADMTray.exe]
2005-10-24 23:45 2462208 ----a-w- c:\acer\Empowering Technology\admtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 19:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CtrlVol]
2003-09-16 21:28 20480 ----a-w- c:\program files\Launch Manager\CtrlVol.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
2005-07-26 18:36 69632 ----a-w- c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eRecoveryService]
2006-01-02 17:31 397312 ----a-w- c:\acer\Empowering Technology\eRecovery\Monitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2006-02-07 05:10 98304 ----a-w- c:\program files\Lexmark 2400 Series\ezprint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
2006-02-02 08:11 290816 ----a-w- c:\program files\Lexmark Fax Solutions\fm3032.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-08-24 19:47 77824 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-08-24 19:51 114688 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-08-24 19:50 94208 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 12:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchAp]
2005-07-25 20:36 32768 ----a-w- c:\program files\Launch Manager\LaunchAp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2005-11-08 17:45 69632 ----a-w- c:\program files\Launch Manager\HotkeyApp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LMgrOSD]
2005-07-25 17:45 241664 ----a-w- c:\program files\Launch Manager\OSDCtrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcrmon.exe]
2006-01-22 17:45 286720 ----a-w- c:\program files\Lexmark 2400 Series\lxcrmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2004-08-04 12:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NACAgentUI]
2009-11-22 03:35 454400 ----a-w- c:\program files\Cisco\Cisco NAC Agent\NACAgentUI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2005-09-01 02:59 147456 ------w- c:\program files\Acer\Acer Arcade\PCMService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-04 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-04 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerKey]
2002-08-30 22:02 94208 ----a-w- c:\program files\Launch Manager\Powerkey.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\preload]
2005-05-20 00:09 32768 ----a-w- c:\windows\RUNXMLPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-09-01 22:57 282624 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]
2009-02-03 13:15 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2005-04-15 18:01 77824 ----a-w- c:\windows\SOUNDMAN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 19:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2005-02-04 18:11 708698 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2005-02-04 18:12 102490 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2011-08-05 20:55 273544 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]
2010-01-26 16:46 2633976 ----a-w- c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wbutton]
2005-11-08 17:19 81920 ----a-w- c:\program files\Launch Manager\WButton.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
2005-04-23 02:49 397312 ----a-w- c:\progra~1\Yahoo!\YOP\yop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
2009-02-03 13:15 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate"=3 (0x3)
"gusvc"=2 (0x2)
"NACAgent"=2 (0x2)
"WebrootSpySweeperService"=2 (0x2)
"Symantec Core LC"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Acer\\Acer Arcade\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19532:TCP"= 19532:TCP:Trend Micro OfficeScan Listener
"67:UDP"= 67:UDP:DHCP Discovery Service
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\TmPreflt.sys [7/18/2007 9:58 AM 36432]
S1 mailKmd;mailKmd; [x]
S1 SDManager;SDManager;\??\c:\program files\SpywareDetector\SDManager.sys --> c:\program files\SpywareDetector\SDManager.sys [?]
S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXpflt.sys [7/18/2007 9:58 AM 249424]
S3 GGSAFERDriver;GGSAFER Driver;\??\g:\garena\safedrv.sys --> g:\garena\safedrv.sys [?]
S3 POWERKEY;POWERKEY;c:\program files\Launch Manager\POWERKEY.SYS [7/29/2006 6:12 PM 2343]
S4 ImapiService32;IMAPI CD-Burning COM Service ; [x]
S4 NACAgent;Cisco NAC Agent;c:\program files\Cisco\Cisco NAC Agent\NACAgent.exe [2/5/2010 5:28 PM 742144]
S4 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [7/18/2007 9:58 AM 575064]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 21:21]
.
2011-08-09 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1049095898-568075592-3202847216-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 17:47]
.
2011-09-10 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1049095898-568075592-3202847216-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 17:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com/?.home=ytie
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: eset.com\go
TCP: DhcpNameServer = 192.168.1.254
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Ken\Application Data\Mozilla\Firefox\Profiles\j5v9y374.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-upgrd&p=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-10 14:47
Windows 5.1.2600 Service Pack 3 FAT NTAPI
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCRCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ImapiService32]
"ImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2660)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-09-10 14:48:44
ComboFix-quarantined-files.txt 2011-09-10 21:48
ComboFix2.txt 2011-09-09 00:48
.
Pre-Run: 4,457,005,056 bytes free
Post-Run: 4,433,166,336 bytes free
.
- - End Of File - - 595B9D605DD908546681A0567FD1ED98



Do I need the Windows Recovery Console that Combofix installed? I think it might be taking up a lot of hardrive space.
Use Malwarebytes, SuperAntispyware, ESET online scan, then repeat.

#81 User is offline   Pizza and Pepsi 

  • Forum Regular
  • PipPipPip
  • Find Topics
  • Group: Members
  • Posts: 203
  • Joined: 27-April 11

Posted 11 September 2011 - 03:18 PM

If I had a question about increasing speed, would I post in the windows forum.
Use Malwarebytes, SuperAntispyware, ESET online scan, then repeat.

#82 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,518
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 11 September 2011 - 04:28 PM

Hello


Do I need the Windows Recovery Console that Combofix installed? I think it might be taking up a lot of hardrive space.

Yes It is a safty net in case it is needed in the future and it only takes up between 5 and 10 Megabytes so it is small


gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#83 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,518
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 14 September 2011 - 09:24 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

Share this topic:


  • 6 Pages +
  • « First
  • 4
  • 5
  • 6
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users