BleepingComputer.com: Google redirect virus/malware

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • This topic is locked

Google redirect virus/malware

#1 User is offline   davidp23 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 11
  • Joined: 11-October 11

Posted 13 October 2011 - 03:08 PM

Hi Everyone,
I have the search engine redirect virus/malware. I have gone through the basic steps as noted in my previous post here. In quick summary, the computer (windows xp pro) will redirect when clicking on search engine results. When the computer boots up, there is a suspicious file copying that runs that I did not initiate, and whats new is that the desktop icons have disappeared and often times the start menu taskbar. Things are moving very slow and all antivirus and malware programs get shutdown shortly after starting.

I have gone through the preparation guide and have copied the dds and attached the attach file. I tried to get a GMER log file but the program disappeared after running for a minute or so.

I would appreciate any help you could give me, and thanks in advance.

Dave

Here is the DDS.text file

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Bduggan at 14:42:48 on 2011-10-13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1119 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\2263058039:2289638521.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Brother\BRAdmin Professional 3\bratimer.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uWinlogon: Shell=c:\documents and settings\bduggan\local settings\application data\7786e386\X
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [RemoteHelper] c:\program files\remote hd\remote helper\RemoteHelper.exe
uRun: [Push Client] c:\documents and settings\bduggan\local settings\application data\att connect\participant\pull.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\bduggan\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Tracker] c:\program files\mysoftware\myinvoices\tracker.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVXV1UtV0JEWEMtVllGTjMtUURKTUgtNDJBT0EtSzZIVTk"&"inst=NzctNzE2NzE2MzQ2LVNUMTJGT0krMS1ERFQrMC1FVUxBKzEtU1QxMkZBUFArMQ"&"prod=90"&"ver=2012.0.1796"&"mid=81907d74cea047d1b86cd1544f7a57ec-c867b1d26da29d6fde8aeb42503fe637d4fd75e4
dRunOnce: [LabelMaker2.0] regsvr32 c:\program files\common files\mysoftware\regdll.dll /s
StartupFolder: c:\docume~1\bduggan\startm~1\programs\startup\zvremote.lnk - c:\program files\zeevee\zvremote\ZvRemote.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\newsfl~1.lnk - c:\program files\common files\mysoftware\Newsflsh.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\squeez~1.lnk - c:\program files\squeezebox\SqueezeTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: mswsock.dll
Trusted Zone: brandmuscle.net
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {46D8BEE7-0B27-4466-ABA2-A5F1E157971C} - hxxp://173.18.253.61/RemoteWeb.cab
DPF: {5FFDFC21-AE40-4C7C-955C-415A1ACE01C8} - hxxp://67.233.224.23:100/VideoViewer.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {B80CD4E6-5B02-4B6C-99BE-68F1511E9549} - hxxp://plugin.slingbox.com/plugin/downloads/pc/1.4.0.79/WebSlingPlayer.cab
DPF: {B9940246-4344-4D1B-BD82-DBAF7E657FF9} - hxxp://192.168.254.253/SysCamInst.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: Interfaces\{CFDD3F3A-BF44-49A8-8D81-2FCB46D954B5} : NameServer = 192.168.254.1,192.168.254.10
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\pkmcdo.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-9-8 64512]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-8-11 232512]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 BRA_Scheduler;Brother BRAdminPro Scheduler;c:\program files\brother\bradmin professional 3\bratimer.exe [2011-2-23 73728]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-8-18 2151640]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\common files\supportsoft\bin\sprtlisten.exe [2008-1-8 1213728]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-8-18 15232]
S1 MpKsl19ead53b;MpKsl19ead53b;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e55c9d1e-606b-4cd8-923e-e1bcad03c607}\mpksl19ead53b.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e55c9d1e-606b-4cd8-923e-e1bcad03c607}\MpKsl19ead53b.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 NetFxUpdate_v1.1.4322;Microsoft .NET Framework v1.1.4322 Update;c:\windows\microsoft.net\framework\v1.1.4322\netfxupdate.exe [2007-1-15 73728]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-6-21 30192]
S3 PCD5SRVC{3F6A8B78-EC003E00-05040000};PCD5SRVC{3F6A8B78-EC003E00-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\dellsu~1\hwdiag\bin\PCD5SRVC.pkms [2007-12-5 20640]
S3 RTIUSB;RTI USB Driver;c:\windows\system32\drivers\RTIUSB.sys [2005-9-30 17920]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys --> c:\windows\system32\drivers\avgrkx86.sys [?]
.
=============== Created Last 30 ================
.
2011-10-13 14:28:29 -------- d-----w- c:\documents and settings\bduggan\application data\SUPERAntiSpyware.com
2011-10-13 14:27:30 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-10-13 14:27:30 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-10-11 22:18:38 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-10-11 22:15:23 -------- d-----w- c:\program files\Maware
2011-10-11 22:07:40 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-11 21:46:27 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-05 21:49:13 -------- d-sh--w- c:\documents and settings\bduggan\local settings\application data\7786e386
2011-10-05 14:10:19 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f696ceb8-cbea-4c6b-b654-9d5361d81fa1}\offreg.dll
2011-10-05 14:10:12 7269712 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f696ceb8-cbea-4c6b-b654-9d5361d81fa1}\mpengine.dll
2011-09-20 20:42:02 -------- d-----w- c:\program files\DVD Decrypter
.
==================== Find3M ====================
.
2011-10-11 22:18:35 441856 ----a-w- c:\windows\system32\SearchIndexer.exe
2011-10-11 20:21:10 48016 --sha-w- c:\windows\system32\c_15646.nl_
2011-10-11 20:20:45 165648 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2011-09-26 16:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-08 21:54:55 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-09-08 20:20:36 44544 ----a-w- c:\windows\system32\drivers\fips.sys
2011-09-06 14:24:36 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 17:05:57 4194304 ----a-w- c:\windows\system32\iahonoel.dll
2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56:39 385024 ----a-w- c:\windows\system32\html.iec
2011-08-18 20:25:12 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-11 18:49:00 232512 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
.
============= FINISH: 14:44:04.04 ===============

Attached File(s)


#2 User is online   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,509
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 16 October 2011 - 02:18 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool untill instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

    In your next post I need the following

  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?


Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#3 User is offline   davidp23 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 11
  • Joined: 11-October 11

Posted 18 October 2011 - 10:28 AM

Hi Gringo,

Thanks for helping me out. I ran combofix. The only problem I had was that it wanted me to close the Microsoft Security Essentials Scanner, which I thought I did from the task manager when requested, but Combofix then said it was going to run even though MSE was not closed and that it might cause problems. It said I had rootkit.zeroaccess and rebooted once or twice. The redirect problem seem to be working now, though I have not reinstalled any antivirus programs.

The log is too long to post, even broken in half to be posted in two sections. Please advise.

Thank you.
Dave

#4 User is online   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,509
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 18 October 2011 - 10:57 AM

See if you can attach it and if not remove the section called snapshot
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#5 User is offline   davidp23 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 11
  • Joined: 11-October 11

Posted 18 October 2011 - 03:33 PM

See Attached
Snapshot has been removed.

Attached File(s)


#6 User is online   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,509
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 18 October 2011 - 06:58 PM

Greetings

Good That cleaned up some bad guys but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

File::
c:\windows\system32\c_15646.nl_


Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

    In your next post I need the following

    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?


Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#7 User is offline   davidp23 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 11
  • Joined: 11-October 11

Posted 20 October 2011 - 10:52 AM

Hi Gringo,

Thanks for your help. I am only on this computer twice a week, so sorry for the delay. I ran combofix with the cfscript and it seemed to work. below is the log file and the computer seems to be running better and the redirect problem is gone. I currently have no AV protection though. Is it safe to put that back on, and what would you recommend? I would prefer a free on is possible. Are there more steps?

Thanks.

david



ComboFix 11-10-20.05 - Bduggan 10/20/2011 10:13:32.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1282 [GMT -5:00]
Running from: c:\documents and settings\Bduggan\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Bduggan\Desktop\cfscript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
FILE ::
"c:\windows\system32\c_15646.nl_"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-1344\20252d6e001ae3774b425e81ba09b666\Fcntl.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-1344\2076671ee5d0a5323570c92c74abac6f\Process.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-1344\23ae7fb85999872530b5a5d4d67a4f44\Registry.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-1344\23fe5d76b9491fa255db2281ac7687d5\Service.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-1344\2d2847f7dd2a1fddd0fdb79d9d64ba93\List.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-1344\6a834a555edd63cb8706466e7c1666f2\Hostname.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-1344\7020d50af327e3fc94b98242c307fc81\Cwd.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-1344\7dd16cc839f33995d1a58e2773aa29b8\WinError.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-1344\855297e7b4b860331fdbdd53426f5e15\Dumper.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-1344\86351894c58e4804ca004825fea78bbb\Encode.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-1344\a7c0cce4e1ac2c1f6d3e71bbe3c9bdd3\Socket.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-1344\b7b4505cb0a127c242f14d779e410e03\POSIX.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-1344\c3da4aa4c02db51c7f94d5eaf2438023\OLE.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-1344\f48694173221cfa9bad4275e2389b498\Win32.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-1344\perl510.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\14d02158d1dc4c498d1acd9638684120\Name.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\194ac47433b8bc54b2df1d99c554a72e\EV.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\20252d6e001ae3774b425e81ba09b666\Fcntl.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\2076671ee5d0a5323570c92c74abac6f\Process.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\23ae7fb85999872530b5a5d4d67a4f44\Registry.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\2d2847f7dd2a1fddd0fdb79d9d64ba93\List.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\2f0807b0946b0fe6a4923ffadf1218fc\vxs.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\461090bfc26706cc26ffa02662c1592c\Syck.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\48a4e6ef370984d8d9ce53660d66a7a5\Unicode.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\4e3813a1edb6903dcc223941e51f7e18\Parser.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\52831fecbfbbfee1a05b91977e499808\File.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\542ba247eebc159476ad07ad6bd76209\XS.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\5f6960e0234e0b14396e4c82a1f56c8f\HiRes.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\62aa3b09ac39e34fd76505142c94e975\Storable.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\64aa79000ff318c6735dfd0191e3b022\Scale.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\6a834a555edd63cb8706466e7c1666f2\Hostname.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\6c1da131f436ce35edb0690f338bdad8\File.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\6c25de79371a4db1d7e8eff0d11d5337\Base64.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\6eca2cf2961ac400050de852a1cbef9b\Byte.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\7020d50af327e3fc94b98242c307fc81\Cwd.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\76c0175b78e6f49c7544e19221d4457d\IO.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\7dd16cc839f33995d1a58e2773aa29b8\WinError.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\8245460bbc088712019f4f3ab3a844ff\icudt46.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\8245460bbc088712019f4f3ab3a844ff\icuin46.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\8245460bbc088712019f4f3ab3a844ff\icuuc46.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\8245460bbc088712019f4f3ab3a844ff\SQLite.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\855297e7b4b860331fdbdd53426f5e15\Dumper.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\86351894c58e4804ca004825fea78bbb\Encode.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\8f8bffaa9136789fd266c59519e6a452\encoding.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\90198bd2c008178752393a8740fa6369\XS.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\9076f6dacaea506ecfb169822b132706\MD5.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\92d2aa3f2974636beefdb4636326e9c4\Scan.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\a33551806ec091669b28f0334ef049cc\DBI.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\a7c0cce4e1ac2c1f6d3e71bbe3c9bdd3\Socket.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\b7b4505cb0a127c242f14d779e410e03\POSIX.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\c06adade199b7f380d57181669fb22c1\Util.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\c3da4aa4c02db51c7f94d5eaf2438023\OLE.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\c8b0e39733c3e73e232a64a5c305ca76\API.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\e1ea0dbaf8a3ac5d1f0be83f219f8571\FastCalc.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\e775fca35641b4340ecf5cdba1fc6f62\Expat.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\ea4a4f99088551dd603ccfbabfaf3932\XSAccessor.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\f48694173221cfa9bad4275e2389b498\Win32.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\fc665959964b1312aee9d476290accdc\SHA1.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\fc8b9fd242032de837413f14e26ce21c\Zlib.dll
c:\docume~1\Bduggan\LOCALS~1\Temp\pdk-Bduggan-3948\perl510.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-1344\20252d6e001ae3774b425e81ba09b666\Fcntl.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-1344\2076671ee5d0a5323570c92c74abac6f\Process.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-1344\23ae7fb85999872530b5a5d4d67a4f44\Registry.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-1344\23fe5d76b9491fa255db2281ac7687d5\Service.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-1344\2d2847f7dd2a1fddd0fdb79d9d64ba93\List.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-1344\6a834a555edd63cb8706466e7c1666f2\Hostname.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-1344\7020d50af327e3fc94b98242c307fc81\Cwd.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-1344\7dd16cc839f33995d1a58e2773aa29b8\WinError.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-1344\855297e7b4b860331fdbdd53426f5e15\Dumper.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-1344\86351894c58e4804ca004825fea78bbb\Encode.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-1344\a7c0cce4e1ac2c1f6d3e71bbe3c9bdd3\Socket.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-1344\b7b4505cb0a127c242f14d779e410e03\POSIX.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-1344\c3da4aa4c02db51c7f94d5eaf2438023\OLE.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-1344\f48694173221cfa9bad4275e2389b498\Win32.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-1344\perl510.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\14d02158d1dc4c498d1acd9638684120\Name.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\194ac47433b8bc54b2df1d99c554a72e\EV.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\20252d6e001ae3774b425e81ba09b666\Fcntl.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\2076671ee5d0a5323570c92c74abac6f\Process.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\23ae7fb85999872530b5a5d4d67a4f44\Registry.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\2d2847f7dd2a1fddd0fdb79d9d64ba93\List.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\2f0807b0946b0fe6a4923ffadf1218fc\vxs.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\461090bfc26706cc26ffa02662c1592c\Syck.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\48a4e6ef370984d8d9ce53660d66a7a5\Unicode.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\4e3813a1edb6903dcc223941e51f7e18\Parser.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\52831fecbfbbfee1a05b91977e499808\File.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\542ba247eebc159476ad07ad6bd76209\XS.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\5f6960e0234e0b14396e4c82a1f56c8f\HiRes.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\62aa3b09ac39e34fd76505142c94e975\Storable.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\64aa79000ff318c6735dfd0191e3b022\Scale.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\6a834a555edd63cb8706466e7c1666f2\Hostname.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\6c1da131f436ce35edb0690f338bdad8\File.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\6c25de79371a4db1d7e8eff0d11d5337\Base64.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\6eca2cf2961ac400050de852a1cbef9b\Byte.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\7020d50af327e3fc94b98242c307fc81\Cwd.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\76c0175b78e6f49c7544e19221d4457d\IO.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\7dd16cc839f33995d1a58e2773aa29b8\WinError.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\8245460bbc088712019f4f3ab3a844ff\icudt46.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\8245460bbc088712019f4f3ab3a844ff\icuin46.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\8245460bbc088712019f4f3ab3a844ff\icuuc46.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\8245460bbc088712019f4f3ab3a844ff\SQLite.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\855297e7b4b860331fdbdd53426f5e15\Dumper.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\86351894c58e4804ca004825fea78bbb\Encode.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\8f8bffaa9136789fd266c59519e6a452\encoding.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\90198bd2c008178752393a8740fa6369\XS.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\9076f6dacaea506ecfb169822b132706\MD5.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\92d2aa3f2974636beefdb4636326e9c4\Scan.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\a33551806ec091669b28f0334ef049cc\DBI.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\a7c0cce4e1ac2c1f6d3e71bbe3c9bdd3\Socket.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\b7b4505cb0a127c242f14d779e410e03\POSIX.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\c06adade199b7f380d57181669fb22c1\Util.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\c3da4aa4c02db51c7f94d5eaf2438023\OLE.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\c8b0e39733c3e73e232a64a5c305ca76\API.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\e1ea0dbaf8a3ac5d1f0be83f219f8571\FastCalc.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\e775fca35641b4340ecf5cdba1fc6f62\Expat.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\ea4a4f99088551dd603ccfbabfaf3932\XSAccessor.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\f48694173221cfa9bad4275e2389b498\Win32.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\fc665959964b1312aee9d476290accdc\SHA1.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\fc8b9fd242032de837413f14e26ce21c\Zlib.dll
c:\documents and settings\Bduggan\Local Settings\temp\pdk-Bduggan-3948\perl510.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-09-20 to 2011-10-20 )))))))))))))))))))))))))))))))
.
.
2011-10-18 20:05 . 2011-10-18 20:07 -------- d-----w- c:\program files\iTunes
2011-10-18 00:44 . 2011-10-18 00:44 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-10-17 14:48 . 2011-10-17 14:48 -------- d-----w- c:\program files\Bonjour
2011-10-16 19:25 . 2011-10-16 19:25 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2011-10-13 14:28 . 2011-10-13 14:28 -------- d-----w- c:\documents and settings\Bduggan\Application Data\SUPERAntiSpyware.com
2011-10-13 14:27 . 2011-10-18 14:43 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-10-13 14:27 . 2011-10-13 14:27 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-10-11 22:15 . 2011-10-11 22:16 -------- d-----w- c:\program files\Maware
2011-10-11 22:07 . 2011-10-11 22:17 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-11 21:46 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-05 14:10 . 2011-10-05 14:10 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F696CEB8-CBEA-4C6B-B654-9D5361D81FA1}\offreg.dll
2011-10-05 14:10 . 2011-09-12 23:14 7269712 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F696CEB8-CBEA-4C6B-B654-9D5361D81FA1}\mpengine.dll
2011-09-20 20:42 . 2011-09-20 20:42 -------- d-----w- c:\program files\DVD Decrypter
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-11 22:18 . 2008-05-27 03:18 441856 ----a-w- c:\windows\system32\SearchIndexer.exe
2011-10-11 20:20 . 2011-04-18 18:18 165648 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2011-09-26 16:41 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41 . 2004-08-11 22:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41 . 2004-08-11 22:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-12 23:14 . 2011-09-10 08:25 7269712 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-09-09 09:12 . 2004-08-11 22:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-08 21:54 . 2011-09-08 21:54 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-09-08 20:20 . 2004-08-11 22:00 44544 ----a-w- c:\windows\system32\drivers\fips.sys
2011-09-06 14:24 . 2011-06-28 11:48 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-06 13:20 . 2004-08-11 22:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 04:05 . 2011-08-31 04:05 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-31 04:05 . 2011-08-31 04:05 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-08-22 23:48 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2004-08-11 22:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2004-08-11 22:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2004-08-11 22:00 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2004-08-11 22:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-11 18:49 . 2011-08-11 18:36 232512 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
.
.
((((((((((((((((((((((((((((( SnapShot_2011-10-18_14.54.16 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-18 16:01 . 2011-10-18 14:48 81920 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-18 16:01 . 2011-10-20 15:26 81920 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-07-18 16:01 . 2011-10-18 14:48 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-07-18 16:01 . 2011-10-20 15:26 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-07-18 16:01 . 2011-10-20 15:26 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-07-18 16:01 . 2011-10-18 14:48 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2011-10-18 20:07 . 2011-10-18 20:07 380928 c:\windows\Installer\{29ED20C9-5E15-4969-9279-25BF3727A3DA}\iTunesIco.exe
- 2011-10-17 14:57 . 2011-10-17 14:57 380928 c:\windows\Installer\{29ED20C9-5E15-4969-9279-25BF3727A3DA}\iTunesIco.exe
+ 2011-10-18 20:07 . 2011-10-18 20:07 5235200 c:\windows\Installer\89cbb1.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"RemoteHelper"="c:\program files\Remote HD\Remote Helper\RemoteHelper.exe" [2011-02-14 586752]
"Push Client"="c:\documents and settings\Bduggan\Local Settings\Application Data\ATT Connect\Participant\pull.exe" [2008-12-29 918768]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-10-12 4615552]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-17 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-17 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-17 138008]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-17 16132608]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-28 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Tracker"="c:\program files\MySoftware\MyInvoices\tracker.exe" [2006-12-22 114688]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-05-27 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVXV1UtV0JEWEMtVllGTjMtUURKTUgtNDJBT0EtSzZIVTk&inst=NzctNzE2NzE2MzQ2LVNUMTJGT0krMS1ERFQrMC1FVUxBKzEtU1QxMkZBUFArMQ&prod=90&ver=2012.0.1796&mid=81907d74cea047d1b86cd1544f7a57ec-c867b1d26da29d6fde8aeb42503fe637d4fd75e4" [?]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"LabelMaker2.0"="c:\program files\Common Files\MySoftware\regdll.dll" [2006-08-03 94208]
.
c:\documents and settings\Bduggan\Start Menu\Programs\Startup\
ZvRemote.lnk - c:\program files\ZeeVee\ZvRemote\ZvRemote.exe [2009-9-21 1565944]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-6-21 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
Newsflash.lnk - c:\program files\Common Files\MySoftware\Newsflsh.exe [2008-7-24 233472]
Squeezebox Server Tray Tool.lnk - c:\program files\Squeezebox\SqueezeTray.exe [2011-8-2 2162775]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-06-22 02:54 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2011-08-02 07:33 4910912 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-07-27 16:17 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\RTI\\Integration Designer\\idesign.exe"=
"c:\\Program Files\\Qwest\\QuickConnect\\QuickConnect.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Brother\\BRAdmin Professional 3\\discover.exe"=
"c:\\Program Files\\Brother\\BRAdmin Professional 3\\AuditorServer.exe"=
"c:\\Program Files\\Brother\\BRAdmin Professional 3\\bradminv3.exe"=
"c:\\Program Files\\Remote HD\\Remote Helper\\RemoteHelper.exe"=
"c:\\Program Files\\RTI\\Integration Designer\\PCEmu.exe"=
"c:\\Program Files\\Squeezebox\\server\\SqueezeSvr.exe"=
"c:\\WINDOWS\\system32\\mstsc.exe"=
"c:\\Program Files\\Handbrake\\Handbrake.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\EXCEL.EXE"=
"c:\\WINDOWS\\system32\\msfeedssync.exe"=
"c:\\Program Files\\DivX\\DivX Update\\DivXUpdate.exe"=
"c:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe"=
"c:\\Program Files\\DAEMON Tools Lite\\DTLite.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE"=
"c:\\WINDOWS\\system32\\HPZinw12.exe"=
"c:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"=
"c:\\Program Files\\Trend Micro\\HiJackThis\\HiJackThis.exe"=
"c:\\Documents and Settings\\Bduggan\\Local Settings\\Application Data\\ATT Connect\\Participant\\pull.exe"=
"c:\\Program Files\\Common Files\\MySoftware\\Newsflsh.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\SDUpdate.exe"=
"c:\\Program Files\\Dell Support Center\\bin\\sprtcmd.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 7.0\\PhotoshopElementsEditor.exe"=
"c:\\Documents and Settings\\Bduggan\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Documents and Settings\\Bduggan\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10w_ActiveX.exe"=
"c:\\Program Files\\Maware\\goddamit.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SSUpdate.exe"=
"c:\\Program Files\\Squeezebox\\server\\squeezeboxcp.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Product Assistant\\bin\\hprbUpdate.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\com.google.ContactSync.client.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\MDCrashReportTool.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"9000:TCP"= 9000:TCP:Squeezebox Server 9000 tcp (UI)
"9001:TCP"= 9001:TCP:Squeezebox Server 9001 tcp (UI)
"9002:TCP"= 9002:TCP:Squeezebox Server 9002 tcp (UI)
"9003:TCP"= 9003:TCP:Squeezebox Server 9003 tcp (UI)
"9004:TCP"= 9004:TCP:Squeezebox Server 9004 tcp (UI)
"9005:TCP"= 9005:TCP:Squeezebox Server 9005 tcp (UI)
"9006:TCP"= 9006:TCP:Squeezebox Server 9006 tcp (UI)
"9007:TCP"= 9007:TCP:Squeezebox Server 9007 tcp (UI)
"9008:TCP"= 9008:TCP:Squeezebox Server 9008 tcp (UI)
"9009:TCP"= 9009:TCP:Squeezebox Server 9009 tcp (UI)
"9010:TCP"= 9010:TCP:Squeezebox Server 9010 tcp (UI)
"9100:TCP"= 9100:TCP:Squeezebox Server 9100 tcp (UI)
"8000:TCP"= 8000:TCP:Squeezebox Server 8000 tcp (UI)
"10000:TCP"= 10000:TCP:Squeezebox Server 10000 tcp (UI)
"9090:TCP"= 9090:TCP:Squeezebox Server 9090 tcp (UI)
"3483:UDP"= 3483:UDP:Squeezebox Server 3483 udp
"3483:TCP"= 3483:TCP:Squeezebox Server 3483 tcp
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [8/11/2011 1:36 PM 232512]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 1:03 PM 169312]
R2 BRA_Scheduler;Brother BRAdminPro Scheduler;c:\program files\Brother\BRAdmin Professional 3\bratimer.exe [2/23/2011 1:17 PM 73728]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [1/8/2008 12:02 PM 1213728]
S1 MpKsl19ead53b;MpKsl19ead53b;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E55C9D1E-606B-4CD8-923E-E1BCAD03C607}\MpKsl19ead53b.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E55C9D1E-606B-4CD8-923E-E1BCAD03C607}\MpKsl19ead53b.sys [?]
S2 !SASCORE;SAS Core Service;"c:\program files\SUPERAntiSpyware\SASCORE.EXE" --> c:\program files\SUPERAntiSpyware\SASCORE.EXE [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 NetFxUpdate_v1.1.4322;Microsoft .NET Framework v1.1.4322 Update;c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe [1/15/2007 4:11 PM 73728]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [6/21/2008 9:48 PM 30192]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 PCD5SRVC{3F6A8B78-EC003E00-05040000};PCD5SRVC{3F6A8B78-EC003E00-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms [12/5/2007 4:47 PM 20640]
S3 RTIUSB;RTI USB Driver;c:\windows\system32\drivers\RTIUSB.sys [9/30/2005 4:04 PM 17920]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys --> c:\windows\system32\DRIVERS\avgrkx86.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2011-10-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2815802652-1674557370-2013247479-1005Core.job
- c:\documents and settings\Bduggan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-08 11:33]
.
2011-10-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2815802652-1674557370-2013247479-1005UA.job
- c:\documents and settings\Bduggan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-08 11:33]
.
2011-10-16 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]
.
2011-10-20 c:\windows\Tasks\User_Feed_Synchronization-{57D9975E-3717-4641-8C83-A76E830040AC}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
Trusted Zone: brandmuscle.net
TCP: Interfaces\{CFDD3F3A-BF44-49A8-8D81-2FCB46D954B5}: NameServer = 192.168.254.1,192.168.254.10
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {46D8BEE7-0B27-4466-ABA2-A5F1E157971C} - hxxp://173.18.253.61/RemoteWeb.cab
DPF: {5FFDFC21-AE40-4C7C-955C-415A1ACE01C8} - hxxp://67.233.224.23:100/VideoViewer.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-20 10:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCD5SRVC{3F6A8B78-EC003E00-05040000}]
"ImagePath"="\??\c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(760)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
- - - - - - - > 'explorer.exe'(2512)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\RTHDCPL.EXE
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\progra~1\SQUEEZ~1\server\SQUEEZ~3.EXE
c:\windows\system32\msiexec.exe
c:\program files\Microsoft Office\Office12\WINWORD.EXE
.
**************************************************************************
.
Completion time: 2011-10-20 10:34:32 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-20 15:34
ComboFix2.txt 2011-10-20 15:08
ComboFix3.txt 2011-10-18 15:02
ComboFix4.txt 2011-09-08 20:58
.
Pre-Run: 4,585,517,056 bytes free
Post-Run: 4,556,492,800 bytes free
.
- - End Of File - - 69EF194F7CC67A8AC164C8DB4A7CC807

#8 User is online   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,509
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 20 October 2011 - 02:59 PM

Hello

:P2P Warning!:

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.




These logs are looking alot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

    1. click on start
    2. then go to settings
    3. after that you need control panel
    4. look for the icon add/remove programs
    click on the following programs

    Adobe Reader 8.3.0
    Java™ 6 Update 5


    and click on remove


Update Adobe Reader

    Recently there have been vunerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

      If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

      Note: When installing FoxitReader, be carefull not to install anything to do with AskBar.


Your Java is out of date.

It can be updated by the Java control panel
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts


Clear your Java Cache

  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files

    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.




: Malwarebytes' Anti-Malware :

    I would like you to rerun MBAM

  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


If you have problems running Hijackthis.

sometimes we have to run it like this To run HijackThis as an administrator,
rightclick HijackThis.exe (located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select to run as administrator

"information and logs"

    In your next post I need the following

    • Log From MBAM
    • report from Hijackthis
    • let me know of any problems you may have had
    • How is the computer doing now?


Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#9 User is offline   davidp23 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 11
  • Joined: 11-October 11

Posted 20 October 2011 - 04:05 PM

Hi,
I reinstalled java and reader, and ran mbam (see log below). I could not get HJT to run. I tried to run as admin, but apparently do not know the password. my user is an admin though. Computer seems to be running fine.

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7989

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/20/2011 4:01:36 PM
mbam-log-2011-10-20 (16-01-36).txt

Scan type: Quick scan
Objects scanned: 192943
Time elapsed: 4 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#10 User is online   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,509
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 20 October 2011 - 04:11 PM

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scannner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the activex control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
      Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard and paste the results here in this topic
  • you may also find here C:\Program Files\Eset\Eset Online Scanner\log.txt

Copy and paste that log as a reply to this topic

Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#11 User is online   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,509
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 23 October 2011 - 02:03 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!


Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#12 User is offline   davidp23 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 11
  • Joined: 11-October 11

Posted 23 October 2011 - 08:08 PM

Hi Gringo,
I do still need help, but wont be back on that computer till Tuesday. The eset scan took many hours and I had to leave before it finished and I could post the results.

If you want, you could just leave me the things to do next, and I can take it from here. Thank you for all your help.

dave

#13 User is online   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,509
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 23 October 2011 - 08:26 PM

I will wait for the scan



gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#14 User is offline   davidp23 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 11
  • Joined: 11-October 11

Posted 25 October 2011 - 09:19 AM

Thanks for your patience.

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=a5842ae10007ad47b7f816a2e9835d8b
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-10-21 01:03:00
# local_time=2011-10-20 08:03:00 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 2901322 2901322 0 0
# compatibility_mode=1024 16777191 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=267813
# found=19
# cleaned=0
# scan_time=11817
C:\Program Files\Brother\BRAdmin Professional 3\agntsend.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Brother\BRAdmin Professional 3\ntfman.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Brother\BRAdmin Professional 3\stacheck.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Citrix\GoToAssist\514\g2aprocessfactory.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Dell Support Center\HWDiag\bin\pcd.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Bduggan\Local Settings\Application Data\7786e386\X.vir a variant of Win32/Kryptik.TPK trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe.vir Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Program Files\iPod\bin\iPodService.exe.vir Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Program Files\SUPERAntiSpyware\SASCORE.EXE.vir Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\c_15646.nl_.vir a variant of Win32/Sirefef.CR trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1147\A0081432.rbf Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1151\A0083150.sys a variant of Win32/Rootkit.Kryptik.DM trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1151\A0083151.ini a variant of Win32/Sirefef.CH trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1152\A0083793.ini a variant of Win32/Sirefef.CH trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1152\A0083795.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1152\A0083796.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1152\A0083797.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\ngen.exe Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\system32\drivers\dtsoftbus01.sys a variant of Win32/Rootkit.Kryptik.DM trojan (unable to clean) 00000000000000000000000000000000 I

#15 User is online   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,509
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 25 October 2011 - 12:32 PM

Greetings

There are somethings in the online scan I want to remove so run this scrript for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

File::
C:\Program Files\Brother\BRAdmin Professional 3\agntsend.exe
C:\Program Files\Brother\BRAdmin Professional 3\ntfman.exe
C:\Program Files\Brother\BRAdmin Professional 3\stacheck.exe
C:\Program Files\Citrix\GoToAssist\514\g2aprocessfactory.exe
C:\Program Files\Dell Support Center\HWDiag\bin\pcd.exe
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\ngen.exe
C:\WINDOWS\system32\drivers\dtsoftbus01.sys


Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

    In your next post I need the following

    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?


Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

Share this topic:


  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users