Issue with Redirecting Links

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

2 Pages
1
2
→

You cannot start a new topic
This topic is locked

Issue with Redirecting Links Hijacking problem I think

#1 damadhatterb

New Member

Group: Members
Posts: 9
Joined: 01-November 11

Posted 01 November 2011 - 02:09 PM

Within the last month or so, I have had multiple viruses that were very hard to remove (would blue screen in safe-mode, would not allow exe files to be run, etc). At the moment, my issue is whenever I click a link from a search engine (usually Google), it redirects me to some other link. I have to click back twice to get to the search screen and click the link again to actually go to the link. I have followed the step-by-step page on preparing to post here. I realized thanks to you guys, that my Firewall wasn't even on. Hopefully it being on will help eliminate the viruses that seem to be flowing in as of late. My guess is one of the previous viruses I had must have turned it off. I only have the DDS logs because when I run GMER, I get a blue screen error during the scan and am forced to restart computer. I'm not sure if you guys allow outside links and if you don't let me know and I will edit my post. Here is a picture I took of the blue-screen error I receive every time I scan with GMER (http://i1222.photobucket.com/albums/dd485/damadhatterb/IMG056.jpg). Thanks ahead of time for any help provided from you guys.

Now for the logs:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Run by brand0 at 14:41:06 on 2011-11-01
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.354 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
D:\Program Files\Steam\Steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uLocal Page =
uStart Page =
uInternet Settings,ProxyOverride = *.local
BHO: {3f12904e-39b7-49e6-9016-6a18774ca2f7} - c:\documents and settings\brand0\local settings\application data\NetworkUser.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
uPolicies-explorer: NoSMBalloonTip = 1 (0x1)
uPolicies-explorer: MemCheckBoxInRunDlg = 0 (0x0)
uPolicies-explorer: NoResolveTrack = 0 (0x0)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: NoStrCmpLogical = 1 (0x1)
mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)
mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\progra~1\aim\aim.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
TCP: Interfaces\{4B36EEE5-ECBA-4115-B578-7D5B74A45AD9} : NameServer = 209.18.47.61,209.18.47.62
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\brand0\application data\mozilla\firefox\profiles\1esc2iio.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R0 nvcchflt;NVIDIA Disk Cache Filter Driver;c:\windows\system32\drivers\nvcchflt.sys [2005-2-11 16640]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2011-10-19 18816]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-10-19 366152]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-10-19 22216]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2010-7-4 119016]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\7.tmp --> c:\windows\system32\7.tmp [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
.
=============== Created Last 30 ================
.
2011-11-01 18:28:59 388096 ----a-r- c:\documents and settings\brand0\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-11-01 18:28:59 -------- d-----w- c:\program files\Trend Micro
2011-10-31 21:40:26 -------- d-----w- c:\program files\IObit
2011-10-31 21:40:26 -------- d-----w- c:\documents and settings\all users.windows\application data\IObit
2011-10-30 01:02:16 0 ---ha-w- c:\documents and settings\brand0\aeemtcbqwh.tmp
2011-10-30 00:33:23 358912 ----a-w- c:\documents and settings\brand0\local settings\application data\NetworkUser.dll
2011-10-27 18:18:59 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2011-10-27 18:18:59 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-10-20 01:15:07 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-20 01:03:06 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2011-10-20 00:36:01 -------- d-----w- c:\program files\Sophos
2011-10-19 18:52:23 -------- d-sh--w- c:\documents and settings\brand0\local settings\application data\4bfcd315
2011-10-12 21:00:51 -------- d-----w- c:\windows\.jagex_cache_32
.
==================== Find3M ====================
.
2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56:39 385024 ----a-w- c:\windows\system32\html.iec
2011-08-18 19:03:10 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-01-27 16:58:43 2959376 ----a-w- c:\program files\dotnetfx35setup.exe
2010-11-27 17:20:24 1478773 ----a-w- c:\program files\CNTsetup.exe
2002-06-28 15:19:38 723456 ----a-w- c:\program files\HLSS 3.00.exe
.
============= FINISH: 14:41:46.42 ===============

Attached File(s)

attach.txt (11.03K)
Number of downloads: 2

This post has been edited by damadhatterb: 01 November 2011 - 02:10 PM

#2 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,524
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 02 November 2011 - 02:48 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

Do not run any other tool untill instructed to do so!
please Do not Attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
Do not run any other tool untill instructed to do so!

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.

Link 1

Link 2

Link 3

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

Log from Combofix
let me know of any problems you may have had
How is the computer doing now?

Gringo

I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->

<-- Don't worry every little bit helps.

#3 damadhatterb

New Member

Group: Members
Posts: 9
Joined: 01-November 11

Posted 02 November 2011 - 12:36 PM

ComboFix 11-11-02.03 - brand0 11/02/2011 13:07:32.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.534 [GMT -4:00]
Running from: c:\documents and settings\brand0\Desktop\ComboFix1.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\brand0\aeemtcbqwh.tmp
c:\documents and settings\brand0\Application Data\Mozilla\Firefox\Profiles\1esc2iio.default\extensions\{44d22856-fc7a-4312-841c-a09660b41d71}
c:\documents and settings\brand0\Application Data\Mozilla\Firefox\Profiles\1esc2iio.default\extensions\{44d22856-fc7a-4312-841c-a09660b41d71}\chrome.manifest
c:\documents and settings\brand0\Application Data\Mozilla\Firefox\Profiles\1esc2iio.default\extensions\{44d22856-fc7a-4312-841c-a09660b41d71}\chrome\xulcache.jar
c:\documents and settings\brand0\Application Data\Mozilla\Firefox\Profiles\1esc2iio.default\extensions\{44d22856-fc7a-4312-841c-a09660b41d71}\defaults\preferences\xulcache.js
c:\documents and settings\brand0\Application Data\Mozilla\Firefox\Profiles\1esc2iio.default\extensions\{44d22856-fc7a-4312-841c-a09660b41d71}\install.rdf
c:\documents and settings\brand0\Application Data\Mozilla\Firefox\Profiles\1esc2iio.default\extensions\{e46d740e-2905-41d2-9c2e-0cad0c06da75}
c:\documents and settings\brand0\Application Data\Mozilla\Firefox\Profiles\1esc2iio.default\extensions\{e46d740e-2905-41d2-9c2e-0cad0c06da75}\chrome.manifest
c:\documents and settings\brand0\Application Data\Mozilla\Firefox\Profiles\1esc2iio.default\extensions\{e46d740e-2905-41d2-9c2e-0cad0c06da75}\chrome\xulcache.jar
c:\documents and settings\brand0\Application Data\Mozilla\Firefox\Profiles\1esc2iio.default\extensions\{e46d740e-2905-41d2-9c2e-0cad0c06da75}\defaults\preferences\xulcache.js
c:\documents and settings\brand0\Application Data\Mozilla\Firefox\Profiles\1esc2iio.default\extensions\{e46d740e-2905-41d2-9c2e-0cad0c06da75}\install.rdf
c:\documents and settings\brand0\Local Settings\Application Data\NetworkUser.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-10-02 to 2011-11-02 )))))))))))))))))))))))))))))))
.
.
2011-11-01 18:28 . 2011-11-01 18:28 388096 ----a-r- c:\documents and settings\brand0\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-11-01 18:28 . 2011-11-01 18:28 -------- d-----w- c:\program files\Trend Micro
2011-10-31 21:40 . 2011-10-31 21:40 -------- d-----w- c:\program files\IObit
2011-10-31 21:40 . 2011-10-31 21:40 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\IObit
2011-10-27 18:18 . 2008-04-13 18:40 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2011-10-27 18:18 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-10-20 01:15 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-20 01:03 . 2011-05-12 18:05 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2011-10-20 00:36 . 2011-10-20 00:36 -------- d-----w- c:\program files\Sophos
2011-10-19 18:59 . 2011-10-19 18:59 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY\IETldCache
2011-10-19 18:52 . 2011-10-19 23:17 -------- d-sh--w- c:\documents and settings\brand0\Local Settings\Application Data\4bfcd315
2011-10-12 21:00 . 2011-10-12 21:00 -------- d-----w- c:\windows\.jagex_cache_32
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-26 15:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2004-08-04 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2004-08-04 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-20 17:37 . 2011-09-20 17:37 14744 ----a-w- c:\documents and settings\brand0\Application Data\Microsoft\IdentityCRL\ppcrlconfig.dll
2011-09-09 09:12 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:48 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-08-18 19:03 . 2011-08-18 19:03 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-17 13:49 . 2004-08-04 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-01-27 16:58 . 2011-04-21 20:05 2959376 ----a-w- c:\program files\dotnetfx35setup.exe
2010-11-27 17:20 . 2010-11-27 17:20 1478773 ----a-w- c:\program files\CNTsetup.exe
2002-06-28 15:19 . 2010-07-23 08:28 723456 ----a-w- c:\program files\HLSS 3.00.exe
2011-09-30 20:06 . 2011-05-12 14:58 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2011-10-27_18.23.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-07-28 23:22 . 2011-10-30 01:53 735984 c:\windows\Installer\SandboxieInstall32.exe
- 2011-07-28 23:22 . 2011-09-08 00:27 735984 c:\windows\Installer\SandboxieInstall32.exe
+ 2011-05-20 20:23 . 2011-10-29 17:09 152748 c:\windows\DIIUnin.dat
+ 2011-11-01 18:28 . 2011-11-01 18:28 1094656 c:\windows\Installer\dedf9df.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2010-07-04 398568]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 1 (0x1)
"MemCheckBoxInRunDlg"= 0 (0x0)
"NoResolveTrack"= 0 (0x0)
"NoWelcomeScreen"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 04:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 09:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
2002-06-10 07:15 309760 ----a-w- c:\program files\AIM+\AIM+.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HanPurple Update]
2011-10-30 00:33 223744 ----a-w- c:\documents and settings\brand0\Local Settings\Application Data\Adobe\AdobeUpdate\Adobeup.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intel AppUp(SM) center]
2011-04-21 20:11 943 ----a-w- c:\program files\Intel\IntelAppStore\bin\serviceManager.lnk
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-06-07 21:51 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2011-08-31 21:00 449608 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2011-07-06 23:52 1047656 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamjojo.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2010-04-17 02:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-06-07 21:34 13902440 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-06-07 21:34 110696 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVMixerTray]
2004-12-20 21:12 131072 ----a-w- c:\program files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2010-06-03 04:48 1753192 ----a-w- c:\program files\NVIDIA Corporation\nView\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 21:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SandboxieControl]
2010-07-04 09:49 398568 ----a-w- c:\program files\Sandboxie\SbieCtrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2007-04-16 19:28 577536 ----a-w- c:\windows\soundman.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2011-09-08 02:04 1242448 ----a-w- d:\program files\Steam\Steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Steam\\Steam.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Kaiba Corp VDS\\KCVDS.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\Program Files\\Steam\\steamapps\\brand0nist00nice\\counter-strike source\\hl2.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\borderlands\\Binaries\\Borderlands.exe"=
.
R0 nvcchflt;NVIDIA Disk Cache Filter Driver;c:\windows\system32\drivers\nvcchflt.sys [2/11/2005 6:11 PM 16640]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [10/19/2011 9:03 PM 18816]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/19/2011 9:15 PM 366152]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/19/2011 9:15 PM 22216]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\7.tmp --> c:\windows\system32\7.tmp [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 21:57]
.
.
------- Supplementary Scan -------
.
uLocal Page =
uStart Page =
uInternet Settings,ProxyOverride = *.local
TCP: Interfaces\{4B36EEE5-ECBA-4115-B578-7D5B74A45AD9}: NameServer = 209.18.47.61,209.18.47.62
FF - ProfilePath - c:\documents and settings\brand0\Application Data\Mozilla\Firefox\Profiles\1esc2iio.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-MicrosoftTrayOnline - c:\documents and settings\All Users.WINDOWS\Application Data\MicrosoftTrayOnline.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-02 13:13
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\7.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
Completion time: 2011-11-02 13:14:58
ComboFix-quarantined-files.txt 2011-11-02 17:14
ComboFix2.txt 2011-10-27 18:27
ComboFix3.txt 2011-09-07 00:39
ComboFix4.txt 2010-09-27 22:58
.
Pre-Run: 10,157,367,296 bytes free
Post-Run: 10,338,672,640 bytes free
.
- - End Of File - - 675BF741067805D1B3A77515F36090CD

Thank you for replying to me Gringo,

The issues I am still having at the moment are:

When I click links in search engines, they get redirected and I have to go back then try again to make it work.
My security access must have been altered or something because I cannot delete or open any .exe files that I already had on my computer. If I download a new .exe then it works fine. I checked my access and it says Administrator and I am the only user of this pc.

So because I cannot delete .exe files I already had, and I already had ComboFix.exe on my Desktop, I had to rename the install to ComboFix1.exe. I hope the name change won't matter. And the computer right now other than those issues seems to be alright. I can still do other things without too many issues/lag.

#4 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,524
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 02 November 2011 - 12:58 PM

Hello

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.

Download TDSSKiller and save it to your Desktop.
doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo

<-- Don't worry every little bit helps.

#5 damadhatterb

New Member

Group: Members
Posts: 9
Joined: 01-November 11

Posted 03 November 2011 - 12:20 AM

TDSSKiller Found 0. Here is the text file.

01:18:01.0460 3320 TDSS rootkit removing tool 2.6.14.0 Oct 28 2011 11:11:01
01:18:01.0726 3320 ============================================================
01:18:01.0726 3320 Current date / time: 2011/11/03 01:18:01.0726
01:18:01.0726 3320 SystemInfo:
01:18:01.0726 3320
01:18:01.0726 3320 OS Version: 5.1.2600 ServicePack: 3.0
01:18:01.0726 3320 Product type: Workstation
01:18:01.0726 3320 ComputerName: BRAND0S
01:18:01.0726 3320 UserName: brand0
01:18:01.0726 3320 Windows directory: C:\WINDOWS
01:18:01.0726 3320 System windows directory: C:\WINDOWS
01:18:01.0726 3320 Processor architecture: Intel x86
01:18:01.0726 3320 Number of processors: 1
01:18:01.0726 3320 Page size: 0x1000
01:18:01.0726 3320 Boot type: Normal boot
01:18:01.0726 3320 ============================================================
01:18:02.0413 3320 Initialize success
01:18:07.0491 2588 ============================================================
01:18:07.0491 2588 Scan started
01:18:07.0491 2588 Mode: Manual;
01:18:07.0491 2588 ============================================================
01:18:08.0054 2588 Abiosdsk - ok
01:18:08.0101 2588 abp480n5 - ok
01:18:08.0226 2588 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
01:18:08.0226 2588 ACPI - ok
01:18:08.0382 2588 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
01:18:08.0382 2588 ACPIEC - ok
01:18:08.0476 2588 adpu160m - ok
01:18:08.0569 2588 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
01:18:08.0569 2588 aec - ok
01:18:08.0679 2588 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
01:18:08.0694 2588 AFD - ok
01:18:08.0773 2588 Aha154x - ok
01:18:08.0804 2588 aic78u2 - ok
01:18:08.0851 2588 aic78xx - ok
01:18:09.0101 2588 ALCXWDM (dd8520280304b6145a6be31008748c7c) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
01:18:09.0319 2588 ALCXWDM - ok
01:18:09.0413 2588 AliIde - ok
01:18:09.0476 2588 amsint - ok
01:18:09.0569 2588 asc - ok
01:18:09.0601 2588 asc3350p - ok
01:18:09.0632 2588 asc3550 - ok
01:18:09.0694 2588 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
01:18:09.0710 2588 AsyncMac - ok
01:18:09.0773 2588 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
01:18:09.0773 2588 atapi - ok
01:18:09.0819 2588 Atdisk - ok
01:18:09.0898 2588 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
01:18:09.0898 2588 Atmarpc - ok
01:18:09.0976 2588 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
01:18:09.0976 2588 audstub - ok
01:18:10.0054 2588 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
01:18:10.0054 2588 Beep - ok
01:18:10.0194 2588 catchme - ok
01:18:10.0319 2588 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
01:18:10.0319 2588 cbidf2k - ok
01:18:10.0366 2588 cd20xrnt - ok
01:18:10.0460 2588 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
01:18:10.0460 2588 Cdaudio - ok
01:18:10.0585 2588 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
01:18:10.0585 2588 Cdfs - ok
01:18:10.0663 2588 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
01:18:10.0663 2588 Cdrom - ok
01:18:10.0694 2588 Changer - ok
01:18:10.0757 2588 CmdIde - ok
01:18:10.0788 2588 Cpqarray - ok
01:18:10.0819 2588 dac2w2k - ok
01:18:10.0866 2588 dac960nt - ok
01:18:10.0976 2588 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
01:18:10.0991 2588 Disk - ok
01:18:11.0101 2588 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
01:18:11.0132 2588 dmboot - ok
01:18:11.0226 2588 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
01:18:11.0241 2588 dmio - ok
01:18:11.0319 2588 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
01:18:11.0319 2588 dmload - ok
01:18:11.0382 2588 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
01:18:11.0398 2588 DMusic - ok
01:18:11.0476 2588 dpti2o - ok
01:18:11.0538 2588 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
01:18:11.0538 2588 drmkaud - ok
01:18:11.0663 2588 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
01:18:11.0663 2588 Fastfat - ok
01:18:11.0726 2588 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
01:18:11.0726 2588 Fdc - ok
01:18:11.0804 2588 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
01:18:11.0804 2588 Fips - ok
01:18:11.0866 2588 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
01:18:11.0866 2588 Flpydisk - ok
01:18:11.0976 2588 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
01:18:11.0976 2588 FltMgr - ok
01:18:12.0038 2588 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
01:18:12.0038 2588 Fs_Rec - ok
01:18:12.0132 2588 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
01:18:12.0148 2588 Ftdisk - ok
01:18:12.0210 2588 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
01:18:12.0210 2588 GEARAspiWDM - ok
01:18:12.0304 2588 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
01:18:12.0304 2588 Gpc - ok
01:18:12.0382 2588 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
01:18:12.0382 2588 HidUsb - ok
01:18:12.0444 2588 hpn - ok
01:18:12.0507 2588 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
01:18:12.0523 2588 HTTP - ok
01:18:12.0601 2588 i2omgmt - ok
01:18:12.0632 2588 i2omp - ok
01:18:12.0663 2588 i8042prt - ok
01:18:12.0726 2588 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
01:18:12.0726 2588 Imapi - ok
01:18:12.0819 2588 ini910u - ok
01:18:12.0851 2588 IntelIde - ok
01:18:12.0944 2588 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
01:18:12.0944 2588 Ip6Fw - ok
01:18:13.0023 2588 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
01:18:13.0023 2588 IpFilterDriver - ok
01:18:13.0101 2588 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
01:18:13.0101 2588 IpInIp - ok
01:18:13.0148 2588 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
01:18:13.0163 2588 IpNat - ok
01:18:13.0257 2588 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
01:18:13.0273 2588 IPSec - ok
01:18:13.0335 2588 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
01:18:13.0335 2588 IRENUM - ok
01:18:13.0382 2588 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
01:18:13.0382 2588 isapnp - ok
01:18:13.0460 2588 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
01:18:13.0460 2588 Kbdclass - ok
01:18:13.0523 2588 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
01:18:13.0523 2588 kbdhid - ok
01:18:13.0616 2588 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
01:18:13.0616 2588 kmixer - ok
01:18:13.0710 2588 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
01:18:13.0710 2588 KSecDD - ok
01:18:13.0757 2588 lbrtfdc - ok
01:18:13.0835 2588 MBAMProtector (69a6268d7f81e53d568ab4e7e991caf3) C:\WINDOWS\system32\drivers\mbam.sys
01:18:13.0835 2588 MBAMProtector - ok
01:18:13.0929 2588 MBAMSwissArmy - ok
01:18:13.0960 2588 MEMSWEEP2 - ok
01:18:14.0054 2588 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
01:18:14.0054 2588 mnmdd - ok
01:18:14.0132 2588 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
01:18:14.0132 2588 Modem - ok
01:18:14.0241 2588 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
01:18:14.0241 2588 Mouclass - ok
01:18:14.0335 2588 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
01:18:14.0335 2588 mouhid - ok
01:18:14.0429 2588 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
01:18:14.0429 2588 MountMgr - ok
01:18:14.0460 2588 mraid35x - ok
01:18:14.0538 2588 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
01:18:14.0538 2588 MRxDAV - ok
01:18:14.0663 2588 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
01:18:14.0694 2588 MRxSmb - ok
01:18:14.0804 2588 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
01:18:14.0804 2588 Msfs - ok
01:18:14.0851 2588 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
01:18:14.0866 2588 MSKSSRV - ok
01:18:14.0976 2588 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
01:18:14.0976 2588 MSPCLOCK - ok
01:18:15.0038 2588 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
01:18:15.0038 2588 MSPQM - ok
01:18:15.0101 2588 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
01:18:15.0101 2588 mssmbios - ok
01:18:15.0194 2588 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
01:18:15.0194 2588 Mup - ok
01:18:15.0304 2588 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
01:18:15.0304 2588 NDIS - ok
01:18:15.0382 2588 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
01:18:15.0382 2588 NdisTapi - ok
01:18:15.0460 2588 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
01:18:15.0460 2588 Ndisuio - ok
01:18:15.0554 2588 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
01:18:15.0569 2588 NdisWan - ok
01:18:15.0648 2588 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
01:18:15.0648 2588 NDProxy - ok
01:18:15.0726 2588 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
01:18:15.0726 2588 NetBIOS - ok
01:18:15.0804 2588 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
01:18:15.0819 2588 NetBT - ok
01:18:15.0944 2588 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
01:18:15.0944 2588 Npfs - ok
01:18:16.0023 2588 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
01:18:16.0054 2588 Ntfs - ok
01:18:16.0194 2588 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
01:18:16.0194 2588 Null - ok
01:18:16.0710 2588 nv (18281a647f8d2a0afd00f4a9f52c59f4) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
01:18:17.0085 2588 nv - ok
01:18:17.0210 2588 nvatabus (83f0275a21d9772b51cef57e35afae61) C:\WINDOWS\system32\DRIVERS\nvatabus.sys
01:18:17.0210 2588 nvatabus - ok
01:18:17.0288 2588 nvax (2cfb1d1a2851d97bd78060dc447b1762) C:\WINDOWS\system32\drivers\nvax.sys
01:18:17.0304 2588 nvax - ok
01:18:17.0382 2588 nvcchflt (fb7213bc5279c1af5e4e9ca05d944f2c) C:\WINDOWS\system32\DRIVERS\nvcchflt.sys
01:18:17.0382 2588 nvcchflt - ok
01:18:17.0444 2588 NVENETFD (468e839f0f7aff5c9baa4717b82cdd11) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
01:18:17.0444 2588 NVENETFD - ok
01:18:17.0507 2588 nvnetbus (7a6444c5f0d53c7e6e7f500bc4c930f7) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
01:18:17.0507 2588 nvnetbus - ok
01:18:17.0601 2588 nvnforce (24a515429c91a905b97781752110d7fe) C:\WINDOWS\system32\drivers\nvapu.sys
01:18:17.0616 2588 nvnforce - ok
01:18:17.0710 2588 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
01:18:17.0710 2588 NwlnkFlt - ok
01:18:17.0804 2588 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
01:18:17.0804 2588 NwlnkFwd - ok
01:18:17.0898 2588 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
01:18:17.0898 2588 Parport - ok
01:18:17.0991 2588 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
01:18:17.0991 2588 PartMgr - ok
01:18:18.0069 2588 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
01:18:18.0069 2588 ParVdm - ok
01:18:18.0132 2588 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
01:18:18.0132 2588 PCI - ok
01:18:18.0194 2588 PCIDump - ok
01:18:18.0273 2588 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
01:18:18.0273 2588 PCIIde - ok
01:18:18.0351 2588 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
01:18:18.0351 2588 Pcmcia - ok
01:18:18.0413 2588 PDCOMP - ok
01:18:18.0444 2588 PDFRAME - ok
01:18:18.0491 2588 PDRELI - ok
01:18:18.0523 2588 PDRFRAME - ok
01:18:18.0554 2588 perc2 - ok
01:18:18.0585 2588 perc2hib - ok
01:18:18.0679 2588 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
01:18:18.0679 2588 PptpMiniport - ok
01:18:18.0741 2588 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
01:18:18.0741 2588 Processor - ok
01:18:18.0804 2588 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
01:18:18.0804 2588 PSched - ok
01:18:18.0882 2588 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
01:18:18.0882 2588 Ptilink - ok
01:18:18.0960 2588 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
01:18:18.0960 2588 PxHelp20 - ok
01:18:19.0007 2588 ql1080 - ok
01:18:19.0038 2588 Ql10wnt - ok
01:18:19.0069 2588 ql12160 - ok
01:18:19.0101 2588 ql1240 - ok
01:18:19.0132 2588 ql1280 - ok
01:18:19.0194 2588 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
01:18:19.0194 2588 RasAcd - ok
01:18:19.0288 2588 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
01:18:19.0288 2588 Rasl2tp - ok
01:18:19.0366 2588 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
01:18:19.0366 2588 RasPppoe - ok
01:18:19.0444 2588 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
01:18:19.0444 2588 Raspti - ok
01:18:19.0523 2588 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
01:18:19.0523 2588 Rdbss - ok
01:18:19.0616 2588 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
01:18:19.0616 2588 RDPCDD - ok
01:18:19.0726 2588 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
01:18:19.0726 2588 RDPWD - ok
01:18:19.0835 2588 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
01:18:19.0835 2588 redbook - ok
01:18:19.0929 2588 SAVRKBootTasks (e5c587c0668f83e799d1c43bc53e5e37) C:\WINDOWS\system32\SAVRKBootTasks.sys
01:18:19.0944 2588 SAVRKBootTasks - ok
01:18:20.0069 2588 SbieDrv (2cdab8553e703c7754be9ce1c4454eb5) C:\Program Files\Sandboxie\SbieDrv.sys
01:18:20.0069 2588 SbieDrv - ok
01:18:20.0210 2588 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
01:18:20.0210 2588 Secdrv - ok
01:18:20.0304 2588 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
01:18:20.0304 2588 serenum - ok
01:18:20.0366 2588 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
01:18:20.0366 2588 Serial - ok
01:18:20.0507 2588 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
01:18:20.0507 2588 Sfloppy - ok
01:18:20.0569 2588 Simbad - ok
01:18:20.0601 2588 Sparrow - ok
01:18:20.0663 2588 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
01:18:20.0663 2588 splitter - ok
01:18:20.0726 2588 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
01:18:20.0726 2588 sr - ok
01:18:20.0804 2588 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
01:18:20.0835 2588 Srv - ok
01:18:20.0960 2588 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
01:18:20.0960 2588 swenum - ok
01:18:21.0069 2588 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
01:18:21.0069 2588 swmidi - ok
01:18:21.0132 2588 symc810 - ok
01:18:21.0163 2588 symc8xx - ok
01:18:21.0194 2588 sym_hi - ok
01:18:21.0226 2588 sym_u3 - ok
01:18:21.0319 2588 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
01:18:21.0335 2588 sysaudio - ok
01:18:21.0444 2588 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
01:18:21.0460 2588 Tcpip - ok
01:18:21.0585 2588 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
01:18:21.0585 2588 TDPIPE - ok
01:18:21.0648 2588 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
01:18:21.0648 2588 TDTCP - ok
01:18:21.0726 2588 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
01:18:21.0726 2588 TermDD - ok
01:18:21.0788 2588 TosIde - ok
01:18:21.0882 2588 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
01:18:21.0882 2588 Udfs - ok
01:18:21.0913 2588 ultra - ok
01:18:22.0007 2588 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
01:18:22.0023 2588 Update - ok
01:18:22.0148 2588 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys
01:18:22.0148 2588 USBAAPL - ok
01:18:22.0226 2588 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
01:18:22.0241 2588 usbccgp - ok
01:18:22.0319 2588 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
01:18:22.0319 2588 usbehci - ok
01:18:22.0413 2588 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
01:18:22.0429 2588 usbhub - ok
01:18:22.0476 2588 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
01:18:22.0476 2588 usbohci - ok
01:18:22.0554 2588 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
01:18:22.0554 2588 USBSTOR - ok
01:18:22.0648 2588 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
01:18:22.0648 2588 VgaSave - ok
01:18:22.0679 2588 ViaIde - ok
01:18:22.0710 2588 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
01:18:22.0726 2588 VolSnap - ok
01:18:22.0788 2588 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
01:18:22.0788 2588 Wanarp - ok
01:18:22.0819 2588 WDICA - ok
01:18:22.0898 2588 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
01:18:22.0898 2588 wdmaud - ok
01:18:23.0007 2588 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
01:18:23.0101 2588 \Device\Harddisk0\DR0 - ok
01:18:23.0132 2588 MBR (0x1B8) (35c6b2fcde68facbefe0a4a7200bae58) \Device\Harddisk1\DR1
01:18:23.0976 2588 \Device\Harddisk1\DR1 - ok
01:18:23.0976 2588 Boot (0x1200) (6320ff08d057d709808b8c15d61b1bbb) \Device\Harddisk0\DR0\Partition0
01:18:23.0976 2588 \Device\Harddisk0\DR0\Partition0 - ok
01:18:23.0991 2588 Boot (0x1200) (913a904a1eeb61baab93399797fd1a4a) \Device\Harddisk1\DR1\Partition0
01:18:23.0991 2588 \Device\Harddisk1\DR1\Partition0 - ok
01:18:23.0991 2588 ============================================================
01:18:23.0991 2588 Scan finished
01:18:23.0991 2588 ============================================================
01:18:24.0007 3940 Detected object count: 0
01:18:24.0007 3940 Actual detected object count: 0
01:19:06.0179 3528 Deinitialize success

#6 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,524
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 03 November 2011 - 12:30 AM

Hello

Please do the following:

Step One
Please download Junction.zip and save it to your desktop.
Unzip it and extract junction.exe to your C:\ drive.

Step Two
Now copy (Ctrl +C) and paste (Ctrl +V) the text inside the code box below into Notepad.

@ECHO OFF
cd c:\
junction -s c:\>log.txt
start log.txt
del %0

Save it to your desktop as File name: junc.bat
Save as type: All Files

Step Three
Double click junc.bat to run it. A log will be presented. Copy and paste or attach the content of the log in your next reply.

Gringo

<-- Don't worry every little bit helps.

#7 damadhatterb

New Member

Group: Members
Posts: 9
Joined: 01-November 11

Posted 03 November 2011 - 11:29 AM

Okay, for now it seems the links are okay from Google. However, I am still having issues opening .exe files. Whenever I try to open a .exe file that hasn't recently been downloaded, I get this error: Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

Also, I'm not sure if this is supposed to happen, but junc.bat from my Desktop deleted itself after it ran. Here is the log.

Junction v1.06 - Windows junction creator and reparse point viewer
Copyright © 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.

...

..
Failed to open \\?\c:\\Documents and Settings\brand0\Desktop\ComboFix.exe: Access is denied.

Failed to open \\?\c:\\Documents and Settings\brand0\Desktop\HijackThis.exe: Access is denied.

.

...

...

...

...

...
Failed to open \\?\c:\\Program Files\HiJackThis\Trend Micro\HiJackThis\HiJackThis.exe: Access is denied.

...

...

...

...

...

...

...

Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\mbamjojo.exe: Access is denied.

...

...

...

...

...

...

...
Failed to open \\?\c:\\Qoobox\BackEnv: Access is denied.

...

...

...

...

...

..\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

.\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

...

...

...

...

...

...

...

#8 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,524
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 03 November 2011 - 02:31 PM

Hello

We need to reset some permisions that the virus changed

Download GrantPerms.zip and save it to your desktop.

Unzip the file and depending on the system run GrantPerms.exe or GrantPerms64.exe
Copy and paste the following in the edit box:

c:\Documents and Settings\brand0\Desktop\ComboFix.exe
c:\Documents and Settings\brand0\Desktop\HijackThis.exe
c:\Program Files\HiJackThis\Trend Micro\HiJackThis\HiJackThis.exe
c:\Program Files\Malwarebytes' Anti-Malware\mbamjojo.exe

Click Unlock. When it is done click "OK".
Click List Permissions and post the result (Perms.txt) that pops up. A copy of Perms.txt will be saved in the same directory the tool is run.

Scan with exeHelper:

Please download exeHelper to your desktop.

Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Gringo

<-- Don't worry every little bit helps.

#9 damadhatterb

New Member

Group: Members
Posts: 9
Joined: 01-November 11

Posted 03 November 2011 - 03:37 PM

GrantPerms by Farbar
Ran by brand0 at 2011-11-03 16:36:08

===============================================
\\?\c:\Documents and Settings\brand0\Desktop\ComboFix.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)

\\?\c:\Documents and Settings\brand0\Desktop\HijackThis.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)

\\?\c:\Program Files\HiJackThis\Trend Micro\HiJackThis\HiJackThis.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)

\\?\c:\Program Files\Malwarebytes' Anti-Malware\mbamjojo.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)

exeHelperlog

exeHelper by Raktor
Build 20100414
Run at 16:36:47 on 11/03/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

#10 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,524
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 03 November 2011 - 09:06 PM

has it helped any?

gringo

<-- Don't worry every little bit helps.

#11 damadhatterb

New Member

Group: Members
Posts: 9
Joined: 01-November 11

Posted 04 November 2011 - 02:27 AM

Yea. The system seems to be running much nicer, thank you Gringo. Would you suggest any other programs or utilities or anything that would help keep my system clean? Thanks again for your help.

#12 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,524
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 04 November 2011 - 02:54 AM

Hello

:P2P Warning!:

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter

File sharing infects 500,000 computers

USAToday

infoworld

These logs are looking alot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

start

settings

control panel

add/remove programs

Adobe Reader 9.4.0

remove

Update Adobe Reader

http://www.adobe.com/products/acrobat/readstep2.html

Adobe Reader

here

Note:

AskBar

Your Java is out of date.

It can be updated by the Java control panel

click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
An update should begin;
follow the prompts

TFC(Temp File Cleaner):

Please download TFC to your desktop,
Save any unsaved work. TFC will close all open application windows.
Double-click TFC.exe to run the program.
If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

Double-click mbam icon
go to the update tab at the top
click on check for updates
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
When completed, a log will open in Notepad. please copy and paste the log into your next reply
- If you accidently close it, the log file is saved here and will be named like this:
- C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download HijackThis

Go Here to download HijackThis Installer
Save HijackThis Installer to your desktop.
Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

If you have problems running Hijackthis.

sometimes we have to run it like this To run HijackThis as an administrator,
rightclick HijackThis.exe (located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select to run as administrator

"information and logs"

In your next post I need the following

Log From MBAM
report from Hijackthis
let me know of any problems you may have had
How is the computer doing now?

Gringo

<-- Don't worry every little bit helps.

#13 damadhatterb

New Member

Group: Members
Posts: 9
Joined: 01-November 11

Posted 04 November 2011 - 12:01 PM

MBAM LOG:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8083

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/4/2011 12:54:36 PM
mbam-log-2011-11-04 (12-54-36).txt

Scan type: Quick scan
Objects scanned: 233750
Time elapsed: 3 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

HIJACKTHIS LOG:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:00:02 PM, on 11/4/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\brand0\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B36EEE5-ECBA-4115-B578-7D5B74A45AD9}: NameServer = 209.18.47.61,209.18.47.62
O23 - Service: Apple Mobile Device - Unknown owner - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (file missing)
O23 - Service: Bonjour Service - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe

--
End of file - 3570 bytes

Had no problems doing any of the steps you suggested. TFC cleaned up about 160 MBs of stuff. The system seems to be much better thank you. Like I asked before, are there any programs/utilities you would suggest having once this is all said and done to keep my computer clean/safe?

#14 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,524
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 04 November 2011 - 04:58 PM

Hello

Like I asked before, are there any programs/utilities you would suggest having once this is all said and done to keep my computer clean/safe?

When we are complete I will give you a list of tools to use to help be safer also some links to read

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded startup entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):
Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.

NOTE**You can research each of those lines >here< and see if you want to keep them or not
just copy the name between the brakets and paste into the search space
O4 - HKLM\..\Run: [IntelliPoint]

If you have any problems running Hijackthis.

sometimes we have to run it like this To run HijackThis as an administrator,
rightclick HijackThis.exe (located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select to run as administrator

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scannner from ESET.

Turn off the real time scanner of any existing antivirus program while performing the online scan
click on the ESET Online Scanner button
Tick the box next to YES, I accept the Terms of Use.
- Click Start
When asked, allow the activex control to install
- Click Start
Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
Click on Advanced Settings, ensure the options
Click Scan
Wait for the scan to finish
Click on copy to clipboard and paste the results here in this topic
you may also find here C:\Program Files\Eset\Eset Online Scanner\log.txt

Copy and paste that log as a reply to this topic

Gringo

<-- Don't worry every little bit helps.

#15 damadhatterb

New Member

Group: Members
Posts: 9
Joined: 01-November 11

Posted 04 November 2011 - 08:20 PM

Wow! Considering how smoothly my computer has been running since you have helped me, and considering Malware Byte's found 0 threats, I was very shocked at the scanner results. Here they are:

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinProlacop.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\brand0\Desktop\AntiMalware Programs\After_2009\keyfinder_changer.v1.51.zip a variant of Win32/PSWTool.RAS.A application
C:\Documents and Settings\brand0\Local Settings\Application Data\Adobe\AdobeUpdate\Adobeup.dll a variant of Win32/Kryptik.UQZ trojan
C:\Documents and Settings\Brandon\Desktop\EXE's\EvID4226Patch223d-en.zip Win32/Tool.EvID4226 application
C:\Documents and Settings\Brandon\Desktop\stuff for upstairs\Driver Detective 6.4.0.7 + Crack\DriverDetective.exe probably a variant of Win32/Autorun.LMWPDJQ worm
C:\Documents and Settings\Brandon\Desktop\stuff for upstairs\Nero 7.8.5.0\Nero 7.8.5.0.exe Win32/Toolbar.AskSBar application
C:\Documents and Settings\Brandon\Desktop\stuff for upstairs\Slingo Quest + Keygen\!REFLEXIVE NEW KEYGEN\KeyGen.exe a variant of Win32/Keygen.BG application
C:\Qoobox\Quarantine\C\Documents and Settings\brand0\Application Data\Mozilla\Firefox\Profiles\1esc2iio.default\extensions\{44d22856-fc7a-4312-841c-a09660b41d71}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\brand0\Application Data\Mozilla\Firefox\Profiles\1esc2iio.default\extensions\{e46d740e-2905-41d2-9c2e-0cad0c06da75}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\brand0\Local Settings\Application Data\NetworkUser.dll.vir a variant of Win32/Kryptik.UQZ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\brand0\Local Settings\Application Data\Microsoft\MicrosoftUpdate\Microsoftup.dll.vir a variant of Win32/Kryptik.UQZ trojan
C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul.vir Win32/Dursg.A trojan
C:\System Volume Information\_restore{3E3CFCB3-4955-480D-A9CE-B8CC9460690C}\RP405\A0105610.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{5506A22A-0222-4283-A302-260C6A7CF954}\RP10\A0016440.sys Win32/Rootkit.Agent.NUT trojan
C:\System Volume Information\_restore{5506A22A-0222-4283-A302-260C6A7CF954}\RP10\A0016460.sys Win32/Rootkit.Agent.NUT trojan
C:\System Volume Information\_restore{5506A22A-0222-4283-A302-260C6A7CF954}\RP10\A0016478.sys Win32/Rootkit.Agent.NUT trojan
C:\System Volume Information\_restore{5506A22A-0222-4283-A302-260C6A7CF954}\RP10\A0016479.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{5506A22A-0222-4283-A302-260C6A7CF954}\RP10\A0016492.sys Win32/Rootkit.Agent.NUT trojan
C:\System Volume Information\_restore{5506A22A-0222-4283-A302-260C6A7CF954}\RP10\A0016493.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{5506A22A-0222-4283-A302-260C6A7CF954}\RP10\A0016502.sys Win32/Rootkit.Agent.NUT trojan
C:\System Volume Information\_restore{5506A22A-0222-4283-A302-260C6A7CF954}\RP10\A0016503.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{5506A22A-0222-4283-A302-260C6A7CF954}\RP10\A0016524.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{5506A22A-0222-4283-A302-260C6A7CF954}\RP11\A0018742.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{5506A22A-0222-4283-A302-260C6A7CF954}\RP11\A0018743.dll a variant of Win32/Kryptik.UQZ trojan
C:\System Volume Information\_restore{5506A22A-0222-4283-A302-260C6A7CF954}\RP15\A0019043.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{5506A22A-0222-4283-A302-260C6A7CF954}\RP15\A0020982.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{5506A22A-0222-4283-A302-260C6A7CF954}\RP15\A0021012.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{5506A22A-0222-4283-A302-260C6A7CF954}\RP15\A0021013.dll a variant of Win32/Kryptik.UQZ trojan
C:\System Volume Information\_restore{5506A22A-0222-4283-A302-260C6A7CF954}\RP3\A0006461.exe a variant of Win32/InstallCore.D application

By the way, I never clicked the Finish button on the scanner yet, I was hoping you would reply soon and would tell me if you want me to scan again and remove them. If so I would just remove them now considering that the scan took nearly 2 hours, and I have done nothing on my computer in between then and now besides being on these forums. Thanks.

This post has been edited by damadhatterb: 04 November 2011 - 08:42 PM