
browser redirects and hxxp://67.201.36.16/nolink popups


This topic is locked
111 replies to this topic

#1 micknjd


Posted 03 November 2009 - 04:06 AM

Hi guys, I'm having a problem with search redirects and pop-up/under ads from hxxp://67.201.36.16/nolink.html.
My regular AV (Avira) hasn't picked anything up, nor did Sophos free, and I have scanned my machine with Ad-Aware, Spybot S&D and SUPERAntiSpyware, but none of them showed anything up,
so I was wondering if you could help me.

Here is my HJT log file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:56:05, on 03/11/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
D:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
D:\New Folder\AutoUpdate\ALMon.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Windows\Explorer.exe
D:\Program Files\Comodo\Firewall\cfp.exe
D:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\mickandjd\Downloads\RootRepeal.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min/nosplash
O4 - HKLM\..\Run: [COMODO Internet Security] "D:\Program Files\Comodo\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "D:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - Global Startup: AutoUpdate Monitor.lnk.disabled
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - (no file)
O20 - AppInit_DLLs: C:\Windows\System32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - D:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe (file missing)
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Roxio UPnP Renderer 11 - Unknown owner - C:\Program Files\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe (file missing)
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - D:\New Folder\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - D:\New Folder\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - D:\New Folder\AutoUpdate\ALsvc.exe
O23 - Service: XJLG - Unknown owner - C:\Users\MICKAN~1\AppData\Local\Temp\XJLG.exe (file missing)
O23 - Service: XT - Unknown owner - C:\Users\MICKAN~1\AppData\Local\Temp\XT.exe (file missing)

--
End of file - 5741 bytes
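As an added example (not part of the thread, and not a tool the helpers here use), the script below encodes the checks a malware-removal helper applies by eye when reading a HijackThis log like the one above: O23 services registered from a user's Temp folder or left behind with a missing binary, orphaned O2 BHO entries with no name and no file, and O4 autostarts that launch from Temp. The sample lines are copied from the log in this post; the rule set and severity labels are the example's own.

```python
"""Triage helper for HijackThis log lines (added example, not from the thread).

Rules implemented:
  * O23 services whose binary lives under a Temp folder (high), or whose
    binary is missing and whose vendor is unknown (low, orphaned entry)
  * O2 BHOs with no name and no file on disk (medium, orphaned CLSID)
  * O4 autostart entries that launch from a Temp folder (high)
"""
import re
from dataclasses import dataclass

# Sample input: lines copied from the HijackThis log in post #1, with a few
# benign entries kept so the rules have something to ignore.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min/nosplash
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe (file missing)
O23 - Service: XJLG - Unknown owner - C:\Users\MICKAN~1\AppData\Local\Temp\XJLG.exe (file missing)
O23 - Service: XT - Unknown owner - C:\Users\MICKAN~1\AppData\Local\Temp\XT.exe (file missing)
"""

# Any path component named "Temp" (covers %LOCALAPPDATA%\Temp and C:\Windows\Temp).
TEMP_DIR_RE = re.compile(r"\\Temp\\", re.IGNORECASE)

# HijackThis line shapes for the three sections this example looks at.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O23"
    severity: str  # "high" | "medium" | "low"
    subject: str   # service name, run-key value name or BHO CLSID
    reason: str


def triage_hjt(log_text: str) -> list[Finding]:
    """Return the suspicious entries found in a HijackThis log."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O23_RE.match(line):
            path, owner = m["path"], m["owner"]
            missing = path.endswith("(file missing)")
            if TEMP_DIR_RE.search(path):
                # Legitimate services are not installed out of a Temp folder.
                reason = "service binary registered under a Temp folder"
                if missing:
                    reason += "; binary already gone"
                findings.append(Finding("O23", "high", m["name"], reason))
            elif missing and owner == "Unknown owner":
                findings.append(Finding("O23", "low", m["name"],
                                        "orphaned service: binary missing and no vendor recorded"))
        elif m := O2_RE.match(line):
            if m["name"] == "(no name)" and m["path"] == "(no file)":
                findings.append(Finding("O2", "medium", m["clsid"],
                                        "BHO registration with no name and no DLL on disk"))
        elif m := O4_RE.match(line):
            if TEMP_DIR_RE.search(m["cmd"]):
                findings.append(Finding("O4", "high", m["name"],
                                        f"autostart ({m['hive']}) launches from a Temp folder"))
    return findings


def summarize(findings: list[Finding]) -> str:
    """One line per finding, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    return "\n".join(f"[{f.severity:<6}] {f.section} {f.subject}: {f.reason}"
                     for f in sorted(findings, key=lambda f: order[f.severity]))


if __name__ == "__main__":
    print(summarize(triage_hjt(SAMPLE_LOG)))
```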


#2 Farbar


Posted 03 November 2009 - 07:56 AM

Hi micknjd,

Welcome to the BC HijackThis forum. I am Farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning with other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.
  • Please download Malwarebytes' Anti-Malware from one of these locations:
    malwarebytes.org
    majorgeeks.com
    • Double click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#3 micknjd


Posted 03 November 2009 - 11:26 AM

Ok, back from work, so here are the log files you requested.
One thing though, I followed the instructions about turning off AV/firewall for ComboFix to run, but it still said they were active; dunno if this will affect anything.


Malwarebytes' Anti-Malware 1.41
Database version: 3092
Windows 6.0.6002 Service Pack 2

03/11/2009 15:39:29
mbam-log-2009-11-03 (15-39-29).txt

Scan type: Quick Scan
Objects scanned: 98602
Time elapsed: 3 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


and



ComboFix 09-11-02.04 - mickandjd 03/11/2009 15:59.3.4 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3071.1969 [GMT 0:00]
Running from: d:\downloads\ComboFix.exe
AV: AVG 7.5.518 *On-access scanning enabled* (Outdated) {41564737-3200-1071-989B-0000E87B4FB1}
AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
SP: Avira AntiVir PersonalEdition *enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: COMODO Defense+ *enabled* (Updated) {043803A4-4F86-4ef7-AFC5-F6E02A79969B}
SP: Sophos Anti-Virus *disabled* (Updated) {A8CA403D-C4B1-4BBA-9FA7-B73C144CBC5C}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-10-03 to 2009-11-03 )))))))))))))))))))))))))))))))
.

2009-11-03 16:10 . 2009-11-03 16:10 -------- d-----w- c:\users\mickandjd\AppData\Local\temp
2009-11-03 16:10 . 2009-11-03 16:10 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-11-03 16:10 . 2009-11-03 16:10 -------- d-----w- c:\users\Guest\AppData\Local\temp
2009-11-03 16:10 . 2009-11-03 16:10 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-02 14:41 . 2009-11-02 14:41 -------- d-----w- c:\users\mickandjd\AppData\Roaming\Malwarebytes
2009-11-02 14:41 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-02 14:41 . 2009-11-02 14:41 -------- d-----w- c:\programdata\Malwarebytes
2009-11-02 14:41 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-02 13:08 . 2009-11-02 13:08 -------- d-----w- c:\users\mickandjd\AppData\Local\Sophos
2009-11-02 13:03 . 2008-12-10 08:21 130088 ----a-w- c:\windows\system32\sdccoinstaller.dll
2009-11-02 13:03 . 2009-11-02 13:03 -------- d-----w- c:\program files\Common Files\Cisco Systems
2009-11-02 13:03 . 2008-12-09 16:10 23552 ----a-w- c:\windows\system32\SophosBootTasks.exe
2009-11-02 13:02 . 2009-11-02 13:03 -------- d-----w- c:\programdata\Sophos
2009-11-02 13:01 . 2008-05-23 08:39 20288 ----a-w- c:\windows\system32\drivers\SophosBootDriver.sys
2009-11-02 13:01 . 2008-07-18 11:50 85312 ----a-w- c:\windows\system32\drivers\savonaccess.sys
2009-11-02 01:01 . 2009-11-02 01:00 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-02 00:52 . 2009-06-30 10:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-11-01 23:22 . 2009-11-01 23:22 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-30 01:08 . 2009-10-30 00:57 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-30 00:57 . 2009-10-30 00:56 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-30 00:53 . 2009-10-30 00:53 -------- dc-h--w- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-30 00:53 . 2009-10-30 00:58 -------- d-----w- c:\programdata\Lavasoft
2009-10-29 00:43 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-10-29 00:43 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-10-29 00:43 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-10-29 00:43 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-29 00:43 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-10-29 00:43 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-10-29 00:43 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-29 00:43 . 2009-08-06 19:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-29 00:43 . 2009-08-06 18:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-28 04:54 . 2009-09-10 14:58 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 04:54 . 2009-09-10 14:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-17 19:35 . 2009-10-17 19:35 -------- d-----w- c:\users\mickandjd\AppData\Roaming\Motive
2009-10-17 19:34 . 2009-10-17 19:34 -------- d-----w- c:\programdata\Motive
2009-10-17 19:34 . 2009-10-17 19:34 -------- d-----w- c:\program files\Common Files\Motive
2009-10-17 19:33 . 2009-10-17 19:33 -------- d-----w- c:\program files\BT Broadband Desktop Help
2009-10-16 19:22 . 2009-09-10 16:48 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-16 19:22 . 2009-08-04 12:34 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-10-16 19:22 . 2009-08-04 12:34 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-14 20:21 . 2009-10-14 20:21 -------- d-----w- c:\users\mickandjd\AppData\Local\Blizzard Entertainment
2009-10-09 23:52 . 2009-10-09 23:52 -------- d-----w- c:\program files\Common Files\Sony Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-02 23:38 . 2008-09-18 21:05 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-11-02 22:16 . 2008-02-05 18:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-02 22:06 . 2008-11-25 23:02 -------- d-----w- c:\program files\AGEIA Technologies
2009-11-02 13:09 . 2008-02-05 21:04 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-02 12:58 . 2008-02-20 22:27 -------- d-----w- c:\users\mickandjd\AppData\Roaming\GetRightToGo
2009-11-02 10:36 . 2009-11-02 10:36 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-02 01:15 . 2008-09-20 08:44 -------- d-----w- c:\program files\Sony Setup
2009-11-02 00:25 . 2008-02-06 23:24 -------- d-----w- c:\users\mickandjd\AppData\Roaming\uTorrent
2009-11-01 23:18 . 2009-11-01 23:18 0 ----a-w- c:\windows\system32\RENB61F.tmp
2009-11-01 23:18 . 2009-11-01 23:18 0 ----a-w- c:\windows\system32\RENB61E.tmp
2009-11-01 23:18 . 2009-11-01 23:18 0 ----a-w- c:\windows\system32\RENB61D.tmp
2009-10-17 06:52 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-10-01 09:29 . 2009-10-02 20:00 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-22 19:42 . 2009-09-22 19:42 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-09-18 19:36 . 2008-03-12 00:19 74328 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-09-18 19:36 . 2008-03-12 00:19 179792 ----a-w- c:\windows\system32\guard32.dll
2009-09-18 19:36 . 2008-03-12 00:19 29520 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-09-18 19:36 . 2008-03-12 00:19 128888 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-09-16 20:52 . 2008-02-05 18:39 680 ----a-w- c:\users\mickandjd\AppData\Local\d3d9caps.dat
2009-09-14 09:29 . 2009-10-16 19:21 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-09-09 06:32 . 2008-03-03 21:23 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-04 11:41 . 2009-10-16 19:21 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 00:27 . 2009-09-02 23:08 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14 . 2009-09-02 23:08 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-27 05:22 . 2009-10-16 19:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17 . 2009-10-16 19:21 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:17 . 2009-10-16 19:21 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 03:42 . 2009-10-16 19:21 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-14 16:27 . 2009-09-09 06:15 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 15:53 . 2009-09-09 06:15 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49 . 2009-09-09 06:15 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49 . 2009-09-09 06:15 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49 . 2009-09-09 06:15 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49 . 2009-09-09 06:15 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49 . 2009-09-09 06:15 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49 . 2009-09-09 06:15 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49 . 2009-09-09 06:15 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48 . 2009-09-09 06:15 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-08-14 13:48 . 2009-09-09 06:15 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-07 18:51 . 2009-08-07 18:51 15308424 ----a-w- c:\windows\system32\xlive.dll
2009-08-07 18:51 . 2009-08-07 18:51 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2009-08-06 20:24 . 2009-07-16 20:20 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2008-02-11 21:09 . 2008-02-11 20:55 48 --sh--w- c:\windows\S74FA9AC7.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-10 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-18 125952]
"NVIDIA nTune"="d:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 813912]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13687328]
"COMODO Internet Security"="d:\program files\Comodo\Firewall\cfp.exe" [2009-09-18 1799952]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-05-10 4468736]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk.disabled [2009-11-2 602]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
2008-02-16 19:46 9216 ------w- c:\windows\System32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^DualCoreCenter.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\DualCoreCenter.lnk
backup=c:\windows\pss\DualCoreCenter.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^mickandjd^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Broadband Download Monitor.lnk]
path=c:\users\mickandjd\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Broadband Download Monitor.lnk
backup=c:\windows\pss\Broadband Download Monitor.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^mickandjd^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^SpeedTester.lnk]
path=c:\users\mickandjd\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SpeedTester.lnk
backup=c:\windows\pss\SpeedTester.lnk.Startup
backupExtension=.Startup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Uniblue SpyEraser"="g:\program files\Uniblue\SpyEraser\SpyEraser.exe" -m

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(:(:9b,52,86,9b,90,08,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3087080181-2358576822-2620536135-1000]
"EnableNotificationsRef"=dword:00000001

R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [02/11/2009 00:52 28552]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\System32\drivers\cmdguard.sys [12/03/2008 00:19 128888]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\System32\drivers\cmdhlp.sys [12/03/2008 00:19 29520]
R1 ElRawDisk;ElRawDisk;c:\windows\System32\drivers\elrawdsk.sys [16/08/2008 22:00 12800]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23/06/2009 10:01 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [23/06/2009 10:01 72944]
R1 SAVOnAccess;SAVOnAccess;c:\windows\System32\drivers\savonaccess.sys [02/11/2009 13:01 85312]
S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S2 SAVService;Sophos Anti-Virus;d:\new folder\Sophos Anti-Virus\SavService.exe [09/12/2008 16:44 98304]
S3 AvgWFP;AVG7 Firewall Driver x86;c:\windows\System32\drivers\avgwfp.sys [08/03/2008 08:13 53768]
S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;"c:\program files\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe" --> c:\program files\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [23/06/2009 10:01 7408]
S3 XJLG;XJLG;c:\users\MICKAN~1\AppData\Local\Temp\XJLG.exe --> c:\users\MICKAN~1\AppData\Local\Temp\XJLG.exe [?]
S3 XT;XT;c:\users\MICKAN~1\AppData\Local\Temp\XT.exe --> c:\users\MICKAN~1\AppData\Local\Temp\XT.exe [?]
S4 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [16/07/2009 20:20 108289]
S4 gupdate1ca2ff229354829;Google Update Service (gupdate1ca2ff229354829);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;d:\program files\Lavasoft\Ad-Aware\AAWService.exe [24/09/2009 11:17 1179232]
S4 SAVAdminService;Sophos Anti-Virus status reporter;d:\new folder\Sophos Anti-Virus\SAVAdminService.exe [09/12/2008 16:46 69632]
S4 SophosBootDriver;SophosBootDriver;c:\windows\System32\drivers\SophosBootDriver.sys [02/11/2009 13:01 20288]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.orange.co.uk/
uSearchURL,(Default) = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
DPF: Microsoft XML Parser for Java - file:///C:/Windows/Java/classes/xmldso.cab
FF - ProfilePath - c:\users\mickandjd\AppData\Roaming\Mozilla\Firefox\Profiles\zon4woeh.default\
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxp://www.orange.co.uk
FF - plugin: c:\program files\Common Files\Motive\npMotive.dll
FF - plugin: d:\program files\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
FF - plugin: d:\program files\DivX\DivX Content Uploader\npUpload.dll
FF - plugin: d:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: d:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: d:\program files\Real Player\Netscape6\nppl3260.dll
FF - plugin: d:\program files\Real Player\Netscape6\nprjplug.dll
FF - plugin: d:\program files\Real Player\Netscape6\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-03 16:10
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x86E0E1F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x86e0e1f8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\2B54.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3087080181-2358576822-2620536135-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:c0,ba,ae,1c,45,4e,4f,67,ee,f2,76,7e,5e,09,b5,d4,89,4b,ea,67,76,41,88,
f9,d8,8d,c6,a6,aa,54,fc,d5,d9,22,2a,f1,65,b7,86,25,74,4e,43,05,b3,2a,97,46,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-3087080181-2358576822-2620536135-1000\Software\Sony Creative Software\M*e*d*i*a* *M*a*n*a*g*e*r* *f*o*r* *P*S*P*"!\3.0]
"Percents"="0 0.0835 0.2046 0.3814 0.8655 0.9171 0.923 "
"Increment"=".003802"
"FRT"="utXbkytR4+TAGtplApEtLUH537Od2djkPLm3wIphtiC4SGNB1g55+g=="
"PLCK"="YLZSLnNNbkN7Z9RnZ7AFHuGLpnbTGNrO"
"PHSH"=""

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-11-03 16:14
ComboFix-quarantined-files.txt 2009-11-03 16:14

Pre-Run: 1,347,739,648 bytes free
Post-Run: 1,293,606,912 bytes free

Edited by micknjd, 03 November 2009 - 11:27 AM.


#4 Farbar


Posted 03 November 2009 - 03:29 PM

Well done. :(
  • ComboFix has been run 3 times. It looks like there is no log of the first run. Have you run it before?

    Please go to Start, copy and paste the bold line in the Start Search box and click OK: C:\Qoobox\ComboFix3.txt
    If a text file opens up, copy and paste the content to your reply.

  • Please download MBR.EXE by GMER. Save the file in your Root directory (C:\).

    Run Command Prompt as administrator:
  • Click on Start button.
  • Type Cmd in the Start Search text box.
  • Press Ctrl-Shift-Enter keyboard shortcut to run Command Prompt as Administrator.
Copy and paste the following lines one by one in the open command window and press Enter after each line:

cd\
c:\mbr.exe -t
c:\mbr.log


A log file (c:\mbr.log) will open. Post the contents of it to your reply.


#5 micknjd


Posted 03 November 2009 - 06:12 PM

Here is the MBR log you wanted, and yeah, I had run ComboFix earlier but it seemed to crash; no log file to be found, sorry.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x86E0E1F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x86e0e1f8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

#6 Farbar


Posted 03 November 2009 - 06:33 PM

  • Tell me if you are still getting redirected.

  • Please go to start => Run => Copy and paste the bold line in the run-box and click OK:

    "C:\Qoobox\Add-Remove Programs.txt"

    A text file opens up, copy and paste the content to your reply.

  • You have installed Daemon Tools and it might interfere with our scanners. Please uninstall it for now. You can install it later on when we are done.

  • After uninstalling Daemon Tools reboot the computer and run the MBR command from the previous post again and post the log.


#7 micknjd (Topic Starter)

Posted 03 November 2009 - 07:03 PM

Uninstalled Daemon Tools and rebooted.
Went to Google and did some random searches, didn't seem to be redirected at all,
and no pop-up/under ads from hxxp://67.201.36.16/nolink or the other 4-6 that came up in the same window in different tabs as of yet, but they were somewhat random in frequency.

Add-Remove Programs.txt

AAC Decoder
AC3Filter 1.61b
Ad-Aware
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.7
Adobe Shockwave Player
Age of Conan - Hyborian Adventures
Anarchy Online
Apple Software Update
Assassin's Creed
µTorrent
Audacity 1.2.6
AutoUpdate
Avira AntiVir Personal - Free Antivirus
Bounce Out
BT Broadband Desktop Help
Call of Duty® - World at War™
CCleaner (remove only)
Choice Guard
COMODO Firewall Pro
Curse Client
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
Dual-Core Optimizer
Fallout 3
FEAR
Gears of War
Google Update Helper
H.264 Decoder
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel® Processor ID Utility
Java™ 6 Update 16
K-Lite Codec Pack 5.0.0 (Full)
Malwarebytes' Anti-Malware
Map Button (Windows Live Toolbar)
Media Go
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 3.5 SP1
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft WSE 3.0 Runtime
Microsoft XML Parser
MKV Splitter
Mozilla Firefox (3.5.4)
MSVCRT
MSXML 4.0 SP2 (KB954430)
Nero 8
neroxml
NVIDIA Drivers
NVIDIA nTune
NVIDIA PhysX
NVIDIA System Monitor
NVIDIA System Update
Photosynth 2.0.1403.12
Pingus
PlayStation®Network Downloader
PlayStation®Store
QuickTime
RealPlayer
Realtek High Definition Audio Driver
SimPE 0.68 (alpha)
Smart Menus (Windows Live Toolbar)
Sony Media Manager for PSP 3.0
Sophos Anti-Rootkit 1.5.0
Sophos Anti-Virus
Sophos AutoUpdate
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
The Sims 2
The Sims 2 Family Fun Stuff
The Sims 2 Glamour Life Stuff
The Sims 2 HomeCrafter Plus
The Sims 2 Nightlife
The Sims 2 Open For Business
The Sims 2 Pets
The Sims 2 University
The Sims™ 2 Celebration! Stuff
The Sims™ 2 H&M® Fashion Stuff
The Sims™ 2 IKEA® Home Stuff
The Sims™ 2 Seasons
The Sims™ 2 Teen Style Stuff
The Sims™ 3
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VC80CRTRedist - 8.0.50727.762
Windows Installer Clean Up
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar Feed Detector (Windows Live Toolbar)
Windows Live Upload Tool
Windows Media Player Firefox Plugin
Wisdom-soft ScreenHunter 5.0 Free


mbr log

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x86E0D1F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x86e0d1f8
IoDeviceObjectType -> DeleteProcedure -> 0x348a023
\Device\Harddisk0\DR0 -> DeleteProcedure -> 0x348a023
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !
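As an added example that is not part of the thread (and not GMER's code), here is a small Python parser for the two mbr.log reports from posts #5 and #7. It pulls the >>UNKNOWN<< address out of the "called modules" line and the list under "detected MBR rootkit hooks:", then answers the two questions a helper actually asks of these reports: which hooks land in code that mbr.exe could not attribute to any loaded driver (in both runs, \Driver\atapi), and what changed between runs (the second report adds two DeleteProcedure hooks, while the atapi hook address moved, which is expected across a reboot). The field names, the address match against the UNKNOWN module, and the before/after comparison are this example's own reading of the report format.

```python
"""Parse and compare the mbr.exe reports posted in #5 and #7.

Added example; not part of the thread and not GMER's code. The two reports
are copied from the posts. Field names and the comparison logic are this
example's own assumptions about the report format.
"""
import re
from dataclasses import dataclass

# Copied from post #5 (first run, before Daemon Tools was uninstalled).
LOG_FIRST = r"""
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x86E0E1F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x86e0e1f8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !
"""

# Copied from post #7 (second run, after uninstalling Daemon Tools and rebooting).
LOG_SECOND = r"""
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x86E0D1F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x86e0d1f8
IoDeviceObjectType -> DeleteProcedure -> 0x348a023
\Device\Harddisk0\DR0 -> DeleteProcedure -> 0x348a023
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !
"""

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
# A hook line is "<object> -> <address>"; the object part may itself contain " -> ".
HOOK_RE = re.compile(r"^(?P<obj>\S.*?) -> (?P<addr>0x[0-9A-Fa-f]+)\s*$")


@dataclass
class MbrReport:
    unknown_modules: list   # addresses in 'called modules' that map to no loaded driver
    hooks: list             # (hooked object, target address) from 'detected MBR rootkit hooks:'
    warning: bool           # 'Warning: possible MBR rootkit infection !' was printed
    mbr_sectors_ok: bool    # 'user & kernel MBR OK': the boot sector itself read clean


def parse_mbr_log(text: str) -> MbrReport:
    unknown, hooks = [], []
    warning = sectors_ok = False
    in_hooks = False
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("called modules:"):
            unknown = [a.lower() for a in UNKNOWN_RE.findall(line)]
        elif line.startswith("detected MBR rootkit hooks:"):
            in_hooks = True              # hook lines follow directly, one per line
        elif in_hooks and (m := HOOK_RE.match(line)):
            hooks.append((m["obj"], m["addr"].lower()))
        else:
            in_hooks = False             # first non-hook line closes the block
            if line.startswith("Warning:"):
                warning = True
            elif line == "user & kernel MBR OK":
                sectors_ok = True
    return MbrReport(unknown, hooks, warning, sectors_ok)


def hooks_into_unknown_code(report: MbrReport) -> list:
    """Hooks whose target is exactly an address mbr.exe could not attribute to any
    loaded image: a driver dispatch redirected into code with no backing module."""
    return [(obj, addr) for obj, addr in report.hooks if addr in report.unknown_modules]


def new_hooks(before: MbrReport, after: MbrReport) -> list:
    """Hooked objects present in the later report but not the earlier one.
    Addresses are ignored on purpose: kernel pool addresses move between boots,
    so only the hooked object names are comparable across runs."""
    return sorted({obj for obj, _ in after.hooks} - {obj for obj, _ in before.hooks})


if __name__ == "__main__":
    first, second = parse_mbr_log(LOG_FIRST), parse_mbr_log(LOG_SECOND)
    for name, rep in (("post #5", first), ("post #7", second)):
        print(name, "hooks:", rep.hooks, "into unknown code:", hooks_into_unknown_code(rep))
    print("hooks new in post #7:", new_hooks(first, second))
```

Reading the two reports this way makes one thing explicit that the raw text buries: "user & kernel MBR OK" appears in both runs, so the boot sector itself read clean, and what mbr.exe is flagging is the in-memory hook on the atapi driver that points at unattributed code. Uninstalling Daemon Tools (which also installs a disk filter driver) did not remove that hook; it only changed its address, which is what a reboot does.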

#8 Farbar

Posted 03 November 2009 - 07:15 PM

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow users to share files between each other, as the name(s) suggest. In today's world cybercrime has reached an enormous scale, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with great care. Some further reading on this subject, along with the included links, is as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions

There is something suspicious in the log. While we are doing the following, tell me if you get redirected; then we will come back to it later on.
  • Besides Avira you also have Sophos antivirus. Either totally uninstall Sophos or make sure they are both never active at the same time, as it might cause system problems.

  • Run CCleaner once.

  • Please do a scan with Kaspersky Online Scanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#9 micknjd (Topic Starter)

Posted 03 November 2009 - 07:45 PM

OK, well I uninstalled Sophos as you said,
then ran CCleaner, and while I was waiting for Kaspersky Online Scanner to update,
I was searching Google and had pop-ups for hxxp://67.201.36.16/nolink.html and others for search terms
I had just used in Google.
hxxp://www.help+dnschanger+zlob.com/
hxxp://www.help+dnschanger.com
are just a couple of them.

Edited by micknjd, 03 November 2009 - 07:46 PM.


#10 Farbar

Posted 03 November 2009 - 07:51 PM

Thanks for letting me know. I had the suspicion it would come back; I just wanted to make sure and not do any unneeded fix.

Let me know when you have finished Kaspersky. I might see the log tomorrow, as it is too late over here.

#11 micknjd (Topic Starter)

Posted 03 November 2009 - 07:57 PM

Yeah, same here, 1am :/ Cheers so far anyway.

#12 micknjd (Topic Starter)

Posted 04 November 2009 - 03:58 AM

Well, Kaspersky didn't find anything, here's the log file:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, November 4, 2009
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 2 (build 6002)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, November 03, 2009 19:39:25
Records in database: 3120356
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
Q:\

Scan statistics:
Objects scanned: 198386
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 02:24:51

No threats found. Scanned area is clean.

Selected area has been scanned.

#13 Farbar

Posted 04 November 2009 - 05:38 AM

Yes, the computer is clean except for the rootkit.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    atapi*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#14 micknjd (Topic Starter)

Posted 04 November 2009 - 06:16 AM

Here ya go mate


SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 11:13 on 04/11/2009 by mickandjd (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi*"
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys --a--- 21560 bytes [17:05 13/02/2008] [17:05 13/02/2008] B35CFCEF838382AB6490B321C87EDF17
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys --a--- 19944 bytes [16:29 19/07/2009] [22:32 10/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys --a--- 19048 bytes [10:25 02/11/2006] [09:49 02/11/2006] 4F4FCB8B6EA06784FB6D475B7EC7300F
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys --a--- 21560 bytes [07:07 17/04/2008] [22:41 18/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\System32\drivers\atapi.sys --a--- 19944 bytes [16:29 19/07/2009] [22:32 10/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_db337a442479c42c\atapi.sys --a--- 21560 bytes [17:05 13/02/2008] [17:05 13/02/2008] B35CFCEF838382AB6490B321C87EDF17
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20757_none_dbac78a93da31a8b\atapi.sys --a--- 21560 bytes [17:05 13/02/2008] [17:05 13/02/2008] E03E8C99D15D0381E02743C36AFC7C6F
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys --a--- 21560 bytes [07:07 17/04/2008] [22:41 18/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys --a--- 19944 bytes [16:29 19/07/2009] [22:32 10/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4

-=End Of File=-
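Farbar's SystemLook request is a file-integrity question: does the atapi.sys Windows loads from System32\drivers match the copies Windows itself keeps in DriverStore and winsxs? As an added example (not from the thread, and not SystemLook's code), this Python snippet parses the posted filefind output and does that comparison. Treating the component-store copies as reference hashes is the example's assumption; on this log the live file's size and MD5 (19944 bytes, 1F05B78AB91C9075565A9D8A4B880BC4) match the 6.0.6002.18005 copy, which is the Service Pack 2 build that the Kaspersky header also reports.

```python
"""Check the live atapi.sys against the copies in DriverStore and winsxs,
using the SystemLook ':filefind atapi*' output from post #14.

Added example; not part of the thread and not SystemLook's own code. The
sample below is the SystemLook output as posted. Using the component-store
copies as reference hashes is this example's assumption.
"""
import re
from dataclasses import dataclass

# Copied from post #14 (SystemLook v1.0 filefind section).
SYSTEMLOOK_OUTPUT = r"""
Searching for "atapi*"
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys --a--- 21560 bytes [17:05 13/02/2008] [17:05 13/02/2008] B35CFCEF838382AB6490B321C87EDF17
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys --a--- 19944 bytes [16:29 19/07/2009] [22:32 10/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys --a--- 19048 bytes [10:25 02/11/2006] [09:49 02/11/2006] 4F4FCB8B6EA06784FB6D475B7EC7300F
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys --a--- 21560 bytes [07:07 17/04/2008] [22:41 18/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\System32\drivers\atapi.sys --a--- 19944 bytes [16:29 19/07/2009] [22:32 10/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_db337a442479c42c\atapi.sys --a--- 21560 bytes [17:05 13/02/2008] [17:05 13/02/2008] B35CFCEF838382AB6490B321C87EDF17
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20757_none_dbac78a93da31a8b\atapi.sys --a--- 21560 bytes [17:05 13/02/2008] [17:05 13/02/2008] E03E8C99D15D0381E02743C36AFC7C6F
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys --a--- 21560 bytes [07:07 17/04/2008] [22:41 18/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys --a--- 19944 bytes [16:29 19/07/2009] [22:32 10/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
"""

# One filefind line: <path> <attrs> <size> bytes [<modified>] [<created>] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-zA-Z]{6})\s+(?P<size>\d+) bytes "
    r"\[(?P<modified>[^\]]+)\] \[(?P<created>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass(frozen=True)
class FileEntry:
    path: str
    size: int
    md5: str

    @property
    def is_reference_copy(self) -> bool:
        """True for copies Windows keeps in DriverStore or winsxs (not the loaded one)."""
        p = self.path.lower()
        return "\\driverstore\\" in p or "\\winsxs\\" in p


def parse_filefind(text: str) -> list:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:   # header and footer lines do not match and are skipped
            entries.append(FileEntry(m["path"], int(m["size"]), m["md5"].upper()))
    return entries


def live_driver(entries: list, name: str = "atapi.sys"):
    """The copy actually loaded, i.e. the one under System32\\drivers."""
    for e in entries:
        if e.path.lower().endswith("\\system32\\drivers\\" + name.lower()):
            return e
    return None


def reference_copies_matching(entries: list, live: FileEntry) -> list:
    """Component-store copies whose size and MD5 both equal the live file's."""
    return [e for e in entries
            if e.is_reference_copy and e.size == live.size and e.md5 == live.md5]


def hash_inventory(entries: list) -> dict:
    """MD5 -> paths, to see how many distinct builds of the driver are on disk."""
    inv = {}
    for e in entries:
        inv.setdefault(e.md5, []).append(e.path)
    return inv


if __name__ == "__main__":
    entries = parse_filefind(SYSTEMLOOK_OUTPUT)
    live = live_driver(entries)
    print(f"live: {live.path} {live.size} bytes {live.md5}")
    for e in reference_copies_matching(entries, live):
        print("  matches reference copy:", e.path)
    for md5, paths in hash_inventory(entries).items():
        print(md5, len(paths), "copies")
```

The caveat a practitioner wants here: these hashes were computed on the running system, through a disk stack whose \Driver\atapi the mbr.exe reports above show as hooked. Code sitting in that path can hand a clean copy to anything that reads the file, so a matching hash on the live system lowers suspicion but does not clear the driver; the conclusive comparison is done with the disk read offline (mounted under another OS or from a boot CD). The two 6.0.6000.* winsxs copies also show why size is no substitute for a hash: same 21560 bytes, same timestamps, different MD5.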

#15 Farbar

Posted 04 November 2009 - 07:01 AM

Please download the attached batch file.
Right-click and select "Run as Administrator" to run it.
A text file opens, please post the content of it.



