Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

malware removal request : google redirect problem


  • Please log in to reply
11 replies to this topic

#1 dgwozdz

dgwozdz

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:31 PM

Posted 13 December 2009 - 04:26 AM

Like many of the other users on these forums, I too am having problems with my browser being redirected to a web page other than that which I had originally clicked (most often through google search links). I have attempted to diagnose a specific problem that is wrong with my pc, but I just don't know what it is. These pop ups seem to be more annoying than malicious, but I have a strong feeling that if I don't do anything soon the problem will get worse. The reason that I say this is because I tried to start my computer in safe mode and Windows refuses to boot properly (I was given an error message that told me that Windows failed to initialize in safe mode). I know that the problem is not SmitFraud because I have had experience with that before. As I stated, these pop-ups are the result of redirected google searches and are not happening when I am not browsing the web.

Some of the websites that I have been getting redirected to include:

green-insulation.net
zanuga.com
freewareplus.com
searchfindsite.com
innatpenn.com
search27.info.com
iwa-spain.com
mylocalhero.com
online-scaner-software.net
nyas.com

...and many, MANY more.

The only other clue that I have which might help to lead to a solution is that almost every single redirect site uses the same exact logo on the browser tab next to the name of the website. I have attached a small .jpg file which shows the logo that I am speaking about. (a second logo of a wire frame green sphere appears less often but still often enough to be noteworthy)

I would have attempted to follow the steps of someone who has previously had the same problems as I am having, but after reading a few different threads I decided that these types of problems are more unique than they might at first seem.

I am using firefox version 3.5.5 and chrome version 3.0.195.33

What follows after this point is the DDS.txt log. I appreciate the help and the time in advance, and I am looking forward to working with you to get rid of this annoying problem.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Daniel Gwozdz at 3:37:17.46 on Sun 12/13/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.295 [GMT -5:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\AsScrPro.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Daniel Gwozdz\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://eeepc.asus.com/global
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton systemworks\norton antivirus\NavShExt.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton systemworks\norton antivirus\NavShExt.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [Google Update] "c:\documents and settings\daniel gwozdz\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ccleaner] "c:\program files\ccleaner\CCleaner.exe" /AUTO
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SynAsusAcpi] c:\program files\synaptics\syntp\SynAsusAcpi.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [ASUS Screen Saver Protector] c:\windows\AsScrPro.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [AsusTray] c:\program files\eeepc\acpi\AsTray.exe
mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe
mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Consumer
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\superh~1.lnk - c:\program files\asus\eeepc\super hybrid engine\SuperHybridEngine.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\daniel~1\applic~1\mozilla\firefox\profiles\lvuh8gs6.default\
FF - plugin: c:\documents and settings\daniel gwozdz\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-6-22 1684736]

=============== Created Last 30 ================

2009-12-13 06:37:22 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-13 05:56:58 0 d-----w- C:\VundoFix Backups
2009-12-13 02:52:46 0 d-----w- c:\docume~1\daniel~1\applic~1\Malwarebytes
2009-12-13 02:52:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-13 02:52:36 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-13 02:52:33 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-13 02:52:32 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-13 01:50:34 0 d-----w- c:\program files\SymNetDrv
2009-11-24 19:35:29 3243 ----a-w- c:\windows\system32\wbem\Outlook_01ca6d3d474611cc.mof
2009-11-13 18:43:16 0 d-----w- c:\program files\GPLGS
2009-11-13 18:40:46 87552 ----a-w- c:\windows\system32\cpwmon2k.dll
2009-11-13 18:40:35 0 d-----w- c:\program files\Acro Software

==================== Find3M ====================

2009-11-13 01:11:25 38 ----a-w- c:\documents and settings\daniel gwozdz\jagex_runescape_preferences.dat
2009-11-13 01:10:35 63 ----a-w- c:\documents and settings\daniel gwozdz\jagex_runescape_preferences2.dat
2009-11-12 05:59:57 320 ---h--w- c:\docume~1\alluse~1\applic~1\emopts.dat
2009-10-29 07:46:59 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20:16 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 09:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-16 05:37:44 27136 ----a-w- c:\windows\sysk32.dll

============= FINISH: 3:40:24.56 ===============

--UPDATE #1--
Norton Anti-virus is catching some of these pop-ups every once in
a while, and diagnoses the problem as, "http fake scan web page 5"
I have gone to Symantec's website and followed the steps to get rid of this problem, but have had no success

--UPDATE #2--
My laptop monitor is flickering periodically, and my CPU performance is hovering around 50%

--UPDATE #3--
Other notable symptoms include the unexplained loss of my computer's
wallpaper display and the screeching halt of my browser speed (both firefox and chrome)
Also, this thing is driving me effing insane

Attached Files


Edited by dgwozdz, 13 December 2009 - 02:08 PM.


BC AdBot (Login to Remove)

 


#2 shelf life

shelf life

  • Malware Response Team
  • 2,675 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:01:31 PM

Posted 25 December 2009 - 01:55 PM

hi dgwozdz,

Sorry for the delay. If you still need help with the redirects simply reply to my post.

How Can I Reduce My Risk to Malware?


#3 dgwozdz

dgwozdz
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:31 PM

Posted 28 December 2009 - 07:43 AM

Absolutely, I would love some help.

#4 shelf life

shelf life

  • Malware Response Team
  • 2,675 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:01:31 PM

Posted 28 December 2009 - 04:40 PM

ok. We will get a download to use. Its called Combofix. There is a guide you need to read first. Read the guide, download combofix to your desktop. Disable any running AV etc as explained in the guide. Double click the icon on your desktop and follow the prompts. post the Combofix log in your reply.

Guide to using Combofix

How Can I Reduce My Risk to Malware?


#5 dgwozdz

dgwozdz
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:31 PM

Posted 30 December 2009 - 11:53 PM

here is the combofix log

ComboFix 09-12-30.01 - Daniel Gwozdz 12/30/2009 23:04:23.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.516 [GMT -5:00]
Running from: c:\documents and settings\Daniel Gwozdz\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
c:\recycler\NPROTECT\00000000.DAT
c:\recycler\NPROTECT\00000001.DAT
c:\recycler\NPROTECT\00000002
c:\recycler\NPROTECT\00000003
c:\recycler\NPROTECT\00000004
c:\recycler\NPROTECT\00000006
c:\recycler\NPROTECT\00000008
c:\recycler\NPROTECT\00000009
c:\recycler\NPROTECT\00000012.DAT
c:\recycler\NPROTECT\00000013
c:\recycler\NPROTECT\00000014
c:\recycler\NPROTECT\00000015
c:\recycler\NPROTECT\00000016
c:\recycler\NPROTECT\00000019
c:\recycler\NPROTECT\00000020.DAT
c:\recycler\NPROTECT\00000021
c:\recycler\NPROTECT\00000022
c:\recycler\NPROTECT\00000023.DAT
c:\recycler\NPROTECT\00000024
c:\recycler\NPROTECT\00000025
c:\recycler\NPROTECT\00000026
c:\recycler\NPROTECT\00000027
c:\recycler\NPROTECT\00000028
c:\recycler\NPROTECT\00000029
c:\recycler\NPROTECT\00000030
c:\recycler\NPROTECT\00000031
c:\recycler\NPROTECT\00000032
c:\recycler\NPROTECT\00000033
c:\recycler\NPROTECT\00000034
c:\recycler\NPROTECT\00000035
c:\recycler\NPROTECT\00000036.dat
c:\recycler\NPROTECT\00000037
c:\recycler\NPROTECT\00000038
c:\recycler\NPROTECT\00000041
c:\recycler\NPROTECT\00000042
c:\recycler\NPROTECT\00000043
c:\recycler\NPROTECT\00000044
c:\recycler\NPROTECT\00000045
c:\recycler\NPROTECT\00000046
c:\recycler\NPROTECT\00000047
c:\recycler\NPROTECT\00000048
c:\recycler\NPROTECT\00000049
c:\recycler\NPROTECT\00000050
c:\recycler\NPROTECT\00000051
c:\recycler\NPROTECT\00000052
c:\recycler\NPROTECT\00000053
c:\recycler\NPROTECT\00000054
c:\recycler\NPROTECT\00000055
c:\recycler\NPROTECT\00000056
c:\recycler\NPROTECT\00000057
c:\recycler\NPROTECT\00000058
c:\recycler\NPROTECT\00000059
c:\recycler\NPROTECT\00000060
c:\recycler\NPROTECT\00000061
c:\recycler\NPROTECT\00000063
c:\recycler\NPROTECT\00000064
c:\recycler\NPROTECT\00000066
c:\recycler\NPROTECT\00000067
c:\recycler\NPROTECT\00000068
c:\recycler\NPROTECT\00000070
c:\recycler\NPROTECT\00000073
c:\recycler\NPROTECT\00000074
c:\recycler\NPROTECT\00000075
c:\recycler\NPROTECT\00000077
c:\recycler\NPROTECT\00000079
c:\recycler\NPROTECT\00000080
c:\recycler\NPROTECT\00000081
c:\recycler\NPROTECT\00000082
c:\recycler\NPROTECT\00000083
c:\recycler\NPROTECT\00000084
c:\recycler\NPROTECT\00000085
c:\recycler\NPROTECT\00000086
c:\recycler\NPROTECT\00000087
c:\recycler\NPROTECT\00000088
c:\recycler\NPROTECT\00000089
c:\recycler\NPROTECT\00000091
c:\recycler\NPROTECT\00000092
c:\recycler\NPROTECT\00000094
c:\recycler\NPROTECT\00000095
c:\recycler\NPROTECT\00000097
c:\recycler\NPROTECT\00000098
c:\recycler\NPROTECT\00000099
c:\recycler\NPROTECT\00000100
c:\recycler\NPROTECT\00000101
c:\recycler\NPROTECT\00000103
c:\recycler\NPROTECT\00000104
c:\recycler\NPROTECT\00000105
c:\recycler\NPROTECT\00000106
c:\recycler\NPROTECT\00000108
c:\recycler\NPROTECT\00000109
c:\recycler\NPROTECT\00000110
c:\recycler\NPROTECT\00000111
c:\recycler\NPROTECT\00000112
c:\recycler\NPROTECT\00000113
c:\recycler\NPROTECT\00000114
c:\recycler\NPROTECT\00000115
c:\recycler\NPROTECT\00000116
c:\recycler\NPROTECT\00000117
c:\recycler\NPROTECT\00000121
c:\recycler\NPROTECT\00000122.dat
c:\recycler\NPROTECT\00000123.dat
c:\recycler\NPROTECT\00000124
c:\recycler\NPROTECT\00000125
c:\recycler\NPROTECT\00000126
c:\recycler\NPROTECT\00000127
c:\recycler\NPROTECT\00000128
c:\recycler\NPROTECT\00000129
c:\recycler\NPROTECT\00000130
c:\recycler\NPROTECT\00000132
c:\recycler\NPROTECT\00000134.dat
c:\recycler\NPROTECT\00000136
c:\recycler\NPROTECT\00000137.bat
c:\recycler\NPROTECT\00000138
c:\recycler\NPROTECT\00000139
c:\recycler\NPROTECT\00000141
c:\recycler\NPROTECT\00000143
c:\recycler\NPROTECT\00000144
c:\recycler\NPROTECT\00000145
c:\recycler\NPROTECT\00000148
c:\recycler\NPROTECT\00000149
c:\recycler\NPROTECT\00000150
c:\recycler\NPROTECT\00000151
c:\recycler\NPROTECT\00000153
c:\recycler\NPROTECT\00000154
c:\recycler\NPROTECT\00000155
c:\recycler\NPROTECT\00000156
c:\recycler\NPROTECT\00000157
c:\recycler\NPROTECT\00000158
c:\recycler\NPROTECT\00000159
c:\recycler\NPROTECT\00000160
c:\recycler\NPROTECT\00000161
c:\recycler\NPROTECT\00000162
c:\recycler\NPROTECT\00000163
c:\recycler\NPROTECT\00000164
c:\recycler\NPROTECT\00000165
c:\recycler\NPROTECT\00000166
c:\recycler\NPROTECT\00000167
c:\recycler\NPROTECT\00000168
c:\recycler\NPROTECT\00000169
c:\recycler\NPROTECT\00000170
c:\recycler\NPROTECT\00000171
c:\recycler\NPROTECT\00000172
c:\recycler\NPROTECT\00000173
c:\recycler\NPROTECT\00000174
c:\recycler\NPROTECT\00000175
c:\recycler\NPROTECT\00000177
c:\recycler\NPROTECT\00000178
c:\recycler\NPROTECT\00000181
c:\recycler\NPROTECT\00000184
c:\recycler\NPROTECT\00000185
c:\recycler\NPROTECT\00000186
c:\recycler\NPROTECT\00000187
c:\recycler\NPROTECT\00000188.dat
c:\recycler\NPROTECT\00000189
c:\recycler\NPROTECT\00000190
c:\recycler\NPROTECT\00000191
c:\recycler\NPROTECT\00000192
c:\recycler\NPROTECT\00000193
c:\recycler\NPROTECT\00000194.bad
c:\recycler\NPROTECT\00000195
c:\recycler\NPROTECT\00000196
c:\recycler\NPROTECT\00000197
c:\recycler\NPROTECT\00000198
c:\recycler\NPROTECT\00000199
c:\recycler\NPROTECT\00000205
c:\recycler\NPROTECT\00000206.md5
c:\recycler\NPROTECT\00000214
c:\recycler\NPROTECT\00000215
c:\windows\SNMPAPI.DLL
c:\windows\sysk32.dll
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\sinvfct.dll
c:\windows\system32\Thumbs.db
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
c:\recycler\NPROTECT . . . . failed to delete
c:\recycler\NPROTECT\NPROTECT.LOG . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-31 )))))))))))))))))))))))))))))))
.

2009-12-13 19:51 . 2009-12-13 19:51 72704 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\903CB56BA52F42478957BE8314837A86\RemoteControl.dll
2009-12-13 19:51 . 2009-12-13 19:51 630272 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\903CB56BA52F42478957BE8314837A86\CrashRpt.dll
2009-12-13 19:51 . 2009-12-13 19:51 613888 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\903CB56BA52F42478957BE8314837A86\sound\WMASoundPlugin.dll
2009-12-13 19:51 . 2009-12-13 19:51 5439488 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\903CB56BA52F42478957BE8314837A86\PamelaPCR.exe
2009-12-13 19:51 . 2009-12-13 19:51 53760 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\903CB56BA52F42478957BE8314837A86\zlib.dll
2009-12-13 19:51 . 2009-12-13 19:51 489984 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\903CB56BA52F42478957BE8314837A86\dbghelp.dll
2009-12-13 19:51 . 2009-12-13 19:51 444928 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\903CB56BA52F42478957BE8314837A86\sound\SystemMP3SoundPlugin.dll
2009-12-13 19:51 . 2009-12-13 19:51 1603072 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\903CB56BA52F42478957BE8314837A86\sound\VorbisOGGSoundPlugin.dll
2009-12-13 19:51 . 2009-12-13 19:51 1495040 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\903CB56BA52F42478957BE8314837A86\lng.dll
2009-12-13 19:51 . 2009-12-13 19:51 1138688 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\903CB56BA52F42478957BE8314837A86\libeay32.dll
2009-12-13 19:33 . 2009-12-13 19:33 -------- d-----w- c:\documents and settings\Daniel Gwozdz\Application Data\skypePM
2009-12-13 19:27 . 2009-12-13 19:54 -------- d-----w- c:\documents and settings\Daniel Gwozdz\Application Data\Skype
2009-12-13 06:37 . 2009-11-25 16:19 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-13 05:56 . 2009-12-13 05:56 -------- d-----w- C:\VundoFix Backups
2009-12-13 02:52 . 2009-12-13 02:52 -------- d-----w- c:\documents and settings\Daniel Gwozdz\Application Data\Malwarebytes
2009-12-13 02:52 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-13 02:52 . 2009-12-13 02:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-13 02:52 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-13 02:52 . 2009-12-13 02:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-13 01:50 . 2009-12-13 01:50 -------- d-----w- c:\program files\SymNetDrv

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-31 04:33 . 2009-10-02 05:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-30 21:59 . 2009-10-02 18:08 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-17 05:49 . 2009-10-14 17:10 -------- d-----w- c:\documents and settings\Daniel Gwozdz\Application Data\vlc
2009-12-14 00:56 . 2009-05-20 19:07 327192 ----a-w- c:\windows\system32\drivers\iaStor.sys
2009-12-13 23:42 . 2009-10-02 06:33 -------- d-----w- c:\program files\PokerStars
2009-12-13 23:38 . 2009-10-02 05:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-13 19:58 . 2009-10-02 05:59 -------- d-----w- c:\documents and settings\Daniel Gwozdz\Application Data\uTorrent
2009-12-13 19:33 . 2009-12-13 19:33 32 ----a-w- c:\documents and settings\All Users\Application Data\ezsid.dat
2009-12-13 01:50 . 2009-10-02 18:08 -------- d-----w- c:\program files\Symantec
2009-12-09 15:11 . 2009-06-23 04:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-07 17:03 . 2009-10-02 18:09 -------- d-----w- c:\program files\Norton SystemWorks
2009-11-13 18:43 . 2009-11-13 18:43 -------- d-----w- c:\program files\GPLGS
2009-11-13 18:40 . 2009-11-13 18:40 -------- d-----w- c:\program files\Acro Software
2009-11-13 01:11 . 2009-11-13 00:57 38 ----a-w- c:\documents and settings\Daniel Gwozdz\jagex_runescape_preferences.dat
2009-11-13 01:10 . 2009-11-13 00:59 63 ----a-w- c:\documents and settings\Daniel Gwozdz\jagex_runescape_preferences2.dat
2009-11-12 05:59 . 2009-11-12 05:59 320 ---h--w- c:\documents and settings\All Users\Application Data\emopts.dat
2009-11-11 07:32 . 2009-11-11 07:32 0 ----a-w- c:\windows\nsreg.dat
2009-11-05 13:39 . 2009-11-13 18:40 87552 ----a-w- c:\windows\system32\cpwmon2k.dll
2009-11-04 08:41 . 2009-10-09 00:26 -------- d-----w- c:\program files\Java
2009-11-04 08:37 . 2009-11-04 08:37 152576 ----a-w- c:\documents and settings\Daniel Gwozdz\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-04 08:37 . 2009-11-04 08:37 79488 ----a-w- c:\documents and settings\Daniel Gwozdz\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-02 17:00 . 2009-10-02 14:42 92344 ----a-w- c:\documents and settings\Daniel Gwozdz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-29 07:46 . 2009-05-20 19:07 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2009-05-20 19:07 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2009-05-20 19:07 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38 . 2009-05-20 19:07 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2009-05-20 19:07 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2008-04-14 00:23 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2009-05-20 19:07 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2009-05-20 19:07 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2009-05-20 19:07 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 09:17 . 2009-10-09 00:26 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-09 00:25 . 2009-10-09 00:25 152576 ----a-w- c:\documents and settings\Daniel Gwozdz\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2009-10-02 18:09 . 2009-10-02 18:09 4608 ----a-w- c:\windows\system32\drivers\symlcbrd.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayIconExtension1]
@="{fe25455d-b4c2-4e32-97d2-92632ec1c224}"
[HKEY_CLASSES_ROOT\CLSID\{fe25455d-b4c2-4e32-97d2-92632ec1c224}]
2008-07-25 15:16 282112 ----a-w- c:\windows\system32\mscoree.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayIconExtension2]
@="{1fae2d88-a78e-4f03-909f-be818a3c1ce6}"
[HKEY_CLASSES_ROOT\CLSID\{1fae2d88-a78e-4f03-909f-be818a3c1ce6}]
2008-07-25 15:16 282112 ----a-w- c:\windows\system32\mscoree.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2009-09-24 1685816]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-07 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"RTHDCPL"="RTHDCPL.EXE" [2009-03-27 17567744]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-06 1434920]
"SynAsusAcpi"="c:\program files\Synaptics\SynTP\SynAsusAcpi.exe" [2009-03-06 79144]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"ASUS Screen Saver Protector"="c:\windows\AsScrPro.exe" [2009-06-23 3054136]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 58728]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-07 200704]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2009-04-17 118784]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2009-03-13 98304]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2009-04-17 630784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2009-12-13 100056]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [6/22/2009 11:03 PM 55152]
R2 NProtectService;Norton Unerase Protection;c:\progra~1\NORTON~2\NORTON~1\NPROTECT.EXE [1/24/2005 5:54 PM 95824]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [6/1/2009 2:26 AM 38912]
R3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [6/1/2009 2:26 AM 39040]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [6/22/2009 10:49 PM 1684736]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 8:08 PM 533360]
.
Contents of the 'Scheduled Tasks' folder

2009-12-05 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Daniel Gwozdz.job
- c:\progra~1\NORTON~2\NORTON~3\Navw32.exe [2005-01-10 17:54]

2009-12-07 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Norton SystemWorks\OBC.exe [2005-01-25 02:27]

2009-12-17 c:\windows\Tasks\Symantec Drmc.job
- c:\program files\Common Files\Symantec Shared\SymDrmc.exe [2005-01-18 05:51]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://eeepc.asus.com/global
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\Daniel Gwozdz\Application Data\Mozilla\Firefox\Profiles\lvuh8gs6.default\
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-30 23:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x870D5618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf75ccf28
\Driver\ACPI -> ACPI.sys @ 0xf745fcb8
\Driver\atapi -> atapi.sys @ 0xf7417852
\Driver\iaStor -> iaStor.sys @ 0xf7374e74
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Atheros AR8132 PCI-E Fast Ethernet Controller -> SendCompleteHandler -> NDIS.sys @ 0xf7249bb0
PacketIndicateHandler -> NDIS.sys @ 0xf7238a0d
SendHandler -> NDIS.sys @ 0xf724cb40
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(824)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3892)
c:\windows\system32\WININET.dll
c:\program files\ASUS\Eee Storage\XPClient.dll
c:\program files\ASUS\Eee Storage\LogicNP.EZShellExtensions.dll
c:\program files\ASUS\Eee Storage\EcaremeDLL.dll
c:\windows\assembly\GAC_MSIL\SqliteShared\1.0.3390.31024__0d0f4b69e50e559b\SqliteShared.dll
c:\windows\assembly\GAC_32\System.Data.SQLite\1.0.60.0__db937bc2d44ff139\System.Data.SQLite.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\progra~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxext.exe
c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
c:\program files\Microsoft Office\Office12\ONENOTEM.EXE
c:\program files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2009-12-30 23:46:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-31 04:46

Pre-Run: 59,660,206,080 bytes free
Post-Run: 59,479,474,176 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 928C515069FB4099A3CC125EF3EAAF1A

#6 shelf life

shelf life

  • Malware Response Team
  • 2,675 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:01:31 PM

Posted 31 December 2009 - 08:16 PM

ok. good. Check Malwarebytes for updates and do a full scan with it. Are the re-directs gone?

How Can I Reduce My Risk to Malware?


#7 dgwozdz

dgwozdz
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:31 PM

Posted 01 January 2010 - 05:50 PM

It appears as though they have gone! What was wrong? Can you tell just from the combofix log?

#8 shelf life

shelf life

  • Malware Response Team
  • 2,675 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:01:31 PM

Posted 01 January 2010 - 08:16 PM

You had malware installed on your machine that combofix removed. check malwarebytes for updates and do a scan and post the log:

click the MBAM icon on your desktop. Once the program has loaded, click the Update tab, then check for updates. Select Scanner tab, Perform FULL SCAN, then click Scan.

When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click **Remove Selected.**

**A restart of your computer most likely will be required to remove some items. If prompted please chose yes to restart your computer.**

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Post the log in your reply.

How Can I Reduce My Risk to Malware?


#9 dgwozdz

dgwozdz
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:31 PM

Posted 05 January 2010 - 09:41 PM

it seems as though I still have a few issues in the log....


Malwarebytes' Anti-Malware 1.43
Database version: 3499
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

1/5/2010 9:39:31 PM
mbam-log-2010-01-05 (21-39-31).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 148441
Time elapsed: 33 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{C5723442-0BB4-47D1-BD0E-A6181D2923BF}\RP6\A0001209.SYS (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5723442-0BB4-47D1-BD0E-A6181D2923BF}\RP6\A0001289.SYS (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5723442-0BB4-47D1-BD0E-A6181D2923BF}\RP6\A0002415.SYS (Malware.Trace) -> Quarantined and deleted successfully.

#10 shelf life

shelf life

  • Malware Response Team
  • 2,675 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:01:31 PM

Posted 08 January 2010 - 08:38 PM

hi dgwozdz,

sorry for the delay. Malwarebytes removed some malware in your restore archive. you can remove combofix with this utility:

Please download OTCleanIt and save it to desktop.

http://oldtimer.geekstogo.com/OTC.exe

Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.

always check Malwarebytes for updates before a scan. good practice to keep it updated even if you dont scan that much with it. We can make a new restore point. The how and the why:

One of the features of Windows XP,Vista and Windows7 is the System Restore option, however if malware infects a computer it is possible that the malware could be backed up in the System Restore archive. Therefore, clearing the restore points is a good idea after malware is removed and your computer appears to be functioning ok.
To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.


(winXP)

1. Turn off System Restore. (deletes old possibly infected restore point)

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.(creates a new restore points on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot

How Can I Reduce My Risk to Malware?


#11 dgwozdz

dgwozdz
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:31 PM

Posted 11 January 2010 - 04:42 PM

After a brief recess, the pop ups have slowly begun coming back.. are there any more steps we could take?

#12 shelf life

shelf life

  • Malware Response Team
  • 2,675 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:01:31 PM

Posted 16 January 2010 - 06:24 PM

hi,

Sorry for the delay. The pop ups are back now? We will get two downloads to use:

Please download DDS and save it to your desktop.
Double click dds.scr to run the tool. When done, DDS.txt will open.
Save both reports to your desktop.
Please Copy/paste both logs in your reply.

Please download: RootRepeal

http://ad13.geekstogo.com/RootRepeal.exe

Click the icon on your desktop to start.
Click on the Report tab at the bottom of the window
Next, Click on the Scan button
In the Select Scan Window check everything:

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click the OK button
In the next dialog window select all the drives that are listed
Click OK to start the scan

May take some time to complete.
When done click the Save Report button.
Save the report to your desktop
To Exit RootRepeal: click File>Exit
Post the report in your reply

How Can I Reduce My Risk to Malware?





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users