Automatic Proxy Override+ProxyServer = localhost:2323


This topic is locked
6 replies to this topic

#1 Sue Trolley (Members, 2 posts)

Posted 26 January 2010 - 11:35 PM

Hi,
I picked up that fake virus cleaner advertising thingy, which proceeded to try and take control of my system. Using Task Manager and Process Explorer, I held it at bay and kept killing the pop-up processes whilst running SuperAntiSpyware to hopefully clean the elements out of my system.

When I needed to reboot, I couldn't get past the logon screen as it seemed to quickly return to the logon screen. Safe boot was not functional either.

So I used my System Recovery Console boot disk and ended up returning my system registry to the first successful setup using the following batch of commands:
[codebox]md tmp
copy c:\windows\system32\config\system c:\windows\tmp\system.bak
copy c:\windows\system32\config\software c:\windows\tmp\software.bak
copy c:\windows\system32\config\sam c:\windows\tmp\sam.bak
copy c:\windows\system32\config\security c:\windows\tmp\security.bak
copy c:\windows\system32\config\default c:\windows\tmp\default.bak

delete c:\windows\system32\config\system
delete c:\windows\system32\config\software
delete c:\windows\system32\config\sam
delete c:\windows\system32\config\security
delete c:\windows\system32\config\default

copy c:\windows\repair\system c:\windows\system32\config\system
copy c:\windows\repair\software c:\windows\system32\config\software
copy c:\windows\repair\sam c:\windows\system32\config\sam
copy c:\windows\repair\security c:\windows\system32\config\security
copy c:\windows\repair\default c:\windows\system32\config\default[/codebox]

This enabled me to get back into Windows properly, and after running Stinger and SuperAntiSpyware again I thought I'd sorted the system, loaded my profile etc. from backups, BUT quickly realised the dreaded single svchost process was going nuts at 100% CPU, and that all of my browsers (Chrome, IE7, Firefox) were hijacked. Killed the 100% usage 'svchost' process to get my laptop responding again... and then...

Checked the HOSTS file, and sure enough... all the major search engines were listed with a redirect to a foreign IP address. Checked Internet settings and a Proxy to localhost was also in place using PORT 2323 !!! ...

I cleaned out the HOSTS file to read just 127.0.0.1, removed the Proxy settings and then rebooted. The HOSTS file stayed clean, however the Proxy settings had returned. So I removed all Java installs, put AntiVir on the system and carried out a deep clean. Every time the system reboots, it adds a couple of registry settings regarding the creation of a Proxy host in the following area of the registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323

As a stopgap I have put DENY write/modify permissions on the RegKey "Internet Settings" within the registry to stop the automatic changes happening, which is allowing me to continue to browse the internet and call for help here on BleepingComputer.com ;-)

I have attached both the DDS Attach file and the RootRepeal ARK files for any assistance you folks can provide, along with the following:

------------------------------


DDS (Ver_09-12-01.01) - NTFSx86
Run by Sue at 1:59:18.65 on 28/01/2010
Internet Explorer: 6.0.2900.3264 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.702.189 [GMT 0:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Advanced System Optimizer\adblock.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\Process Explorer\procexp.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Sue.SUES-TIPTOP\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Sue.SUES-TIPTOP\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Sue.SUES-TIPTOP\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Sue.SUES-TIPTOP\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Sue.SUES-TIPTOP\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Sue.SUES-TIPTOP\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\MyDocuments\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.co.uk/
mStart Page = hxxp://google.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: IEPlugin Class: {cf7c3cf0-4b15-11d1-abed-709549c10000} - c:\program files\advanced system optimizer\iehelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Systweak Ad and Popup Blocker] "c:\program files\advanced system optimizer\adblock.exe"
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\sue~1.sue\startm~1\programs\startup\proces~1.lnk - c:\program files\process explorer\procexp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office11\ONENOTEM.EXE
uPolicies-explorer: MaxRecentDocs = 10 (0xa)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, credssp.dll, msnsspc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sue~1.sue\applic~1\mozilla\firefox\profiles\a9f399cu.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.co.uk/
FF - plugin: c:\documents and settings\sue.sues-tiptop\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 aaatimeo;aaatimeo;c:\windows\system32\drivers\aaatimeo.sys [2006-2-26 4928]
R0 afamgt;afamgt;c:\windows\system32\drivers\afamgt.sys [2006-3-28 91707]
R0 siwinacc;siwinacc;c:\windows\system32\drivers\siwinacc.sys [2004-11-1 10368]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-1-27 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-1-27 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-1-27 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-1-27 55656]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2010-1-21 211200]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]

=============== Created Last 30 ================

2010-01-27 21:40:19 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-01-27 21:30:07 0 d-----w- C:\ComboTFix
2010-01-27 19:49:37 537829 ----a-w- C:\HaxFix.exe
2010-01-27 12:18:19 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-27 12:18:14 0 d-----w- c:\program files\Avira
2010-01-27 12:18:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-01-26 23:47:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-01-26 23:21:48 86656 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2010-01-26 23:20:40 86656 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-26 20:58:22 0 d-----w- c:\windows\HaxFix
2010-01-26 20:30:52 0 d-----w- c:\windows\system32\appmgmt
2010-01-26 20:02:29 0 d-----w- c:\windows\system32\LogFiles
2010-01-26 18:41:23 0 d-----w- c:\program files\Hjt
2010-01-26 18:26:33 0 d-----w- c:\docume~1\sue~1.sue\applic~1\Malwarebytes
2010-01-26 18:12:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-26 18:12:36 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-26 18:12:36 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-26 18:12:36 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-26 13:30:25 0 d-s---w- c:\documents and settings\sue.sues-tiptop\UserData
2010-01-26 13:20:43 0 d-----w- c:\docume~1\sue~1.sue\applic~1\LimeWire
2010-01-26 13:17:08 0 d-----w- c:\documents and settings\sue.sues-tiptop\Contacts
2010-01-26 13:11:00 0 d-----w- c:\docume~1\sue~1.sue\applic~1\SUPERAntiSpyware.com
2010-01-26 12:44:42 0 d-----w- c:\docume~1\sue~1.sue\applic~1\Systweak
2010-01-26 12:29:30 0 d-----w- c:\documents and settings\sue.sues-tiptop\backup
2010-01-26 12:03:54 0 d-----w- C:\Sue
2010-01-25 18:02:21 3038 ----a-w- C:\fix_svchost.txt.bat
2010-01-25 16:56:37 507904 ------w- c:\windows\system32\WINLOGON.EXE
2010-01-25 14:54:17 57344 ----a-w- c:\windows\system32\RO6133.tmp
2010-01-25 12:37:51 0 d-----w- c:\windows\pss
2010-01-25 11:50:50 0 d-----w- c:\windows\tmp
2010-01-25 00:30:37 0 d-----w- c:\program files\common files\L&H
2010-01-24 23:32:11 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-01-24 23:32:11 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-01-24 00:53:08 0 d-sha-r- C:\cmdcons
2010-01-24 00:53:04 0 d-----w- c:\windows\setup.pss
2010-01-24 00:49:59 262144 ---ha-w- c:\windows\system32\RO6160.bac
2010-01-24 00:49:56 1572864 ---ha-w- c:\windows\system32\RO615B.bac
2010-01-24 00:49:40 262144 ---ha-w- c:\windows\system32\RO6158.bac
2010-01-24 00:49:39 524288 ---ha-w- c:\windows\system32\RO6153.bac
2010-01-24 00:49:34 262144 ---ha-w- c:\windows\system32\RO6150.bac
2010-01-24 00:49:32 524288 ---ha-w- c:\windows\system32\RO614B.bac
2010-01-24 00:49:15 262144 ----a-w- c:\windows\system32\RO6143.bac
2010-01-23 22:26:13 112128 ----a-w- c:\windows\system32\0
2010-01-23 22:10:25 0 d-----w- c:\program files\Process Explorer
2010-01-23 19:47:03 0 d-----w- c:\program files\McAfee
2010-01-23 14:42:37 0 d-----w- c:\windows\system32\KB905474
2010-01-22 21:03:27 0 d-----w- c:\program files\common files\Macrovision Shared
2010-01-22 21:02:48 45392 ----a-r- c:\windows\system32\AdobePDF.dll
2010-01-22 21:02:48 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2010-01-22 20:41:49 143360 ----a-w- c:\windows\system32\ImageDrive.cpl
2010-01-22 20:18:36 0 d-----w- c:\docume~1\alluse~1\applic~1\Nero
2010-01-22 20:18:34 0 d-----w- c:\program files\Nero
2010-01-22 02:09:32 215920 ----a-w- c:\windows\system32\muweb.dll
2010-01-22 02:09:32 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-01-22 02:09:31 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-01-21 21:06:59 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2010-01-21 21:06:59 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-01-21 20:41:01 0 d-----w- c:\program files\Microsoft
2010-01-21 20:40:32 0 d-----w- c:\program files\Windows Live SkyDrive
2010-01-21 20:35:33 0 d-----w- c:\program files\common files\Windows Live
2010-01-21 20:16:44 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-21 20:16:33 0 d-----w- c:\program files\SUPERAntiSpyware
2010-01-21 20:16:03 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-01-21 19:35:53 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-01-21 19:35:53 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-01-21 19:35:03 0 d-----w- c:\program files\iPod
2010-01-21 19:34:57 0 d-----w- c:\program files\iTunes
2010-01-21 19:34:57 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-21 19:34:34 0 d-----w- c:\program files\Bonjour
2010-01-21 19:30:34 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-01-21 19:29:21 0 d-----r- c:\program files\Skype
2010-01-21 19:27:29 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-21 19:22:41 0 d-----w- c:\program files\LimeWire
2010-01-21 18:45:21 0 d-----w- c:\program files\Driver Genius
2010-01-21 18:30:28 0 d-----r- C:\MyDocuments
2010-01-21 18:14:42 0 d-----w- C:\Outlook Messages
2010-01-21 11:11:27 0 d--h--w- c:\windows\PIF
2010-01-21 09:27:14 0 d-----w- c:\windows\system32\CatRoot_bak
2010-01-21 09:21:12 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-01-21 09:21:12 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-01-21 09:15:28 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-01-21 09:15:19 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-01-21 09:15:16 2066048 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-01-21 09:13:43 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-01-21 09:08:05 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-01-21 09:01:03 0 d-----w- c:\windows\system32\PreInstall
2010-01-21 09:00:58 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2010-01-21 09:00:56 0 d--h--w- c:\windows\$hf_mig$
2010-01-21 02:43:12 376 ----a-w- c:\windows\ODBC.INI
2010-01-21 02:43:06 17920 ----a-w- c:\windows\system32\mdimon.dll
2010-01-21 02:42:20 0 d-----w- c:\program files\Microsoft ActiveSync
2010-01-21 02:41:44 0 d-----w- c:\windows\SHELLNEW
2010-01-21 02:31:33 0 d-----w- C:\Temp
2010-01-21 01:39:54 52864 -c--a-w- c:\windows\system32\dllcache\dmusic.sys
2010-01-21 01:39:54 52864 ----a-w- c:\windows\system32\drivers\DMusic.sys
2010-01-21 01:39:45 6272 -c--a-w- c:\windows\system32\dllcache\splitter.sys
2010-01-21 01:39:45 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2010-01-21 01:39:34 142592 -c--a-w- c:\windows\system32\dllcache\aec.sys
2010-01-21 01:39:34 142592 ------w- c:\windows\system32\drivers\aec.sys
2010-01-21 01:38:13 0 d-----w- c:\program files\CONEXANT
2010-01-21 01:38:11 4096 -c--a-w- c:\windows\system32\dllcache\ksuser.dll
2010-01-21 01:38:11 4096 ----a-w- c:\windows\system32\ksuser.dll
2010-01-21 01:38:11 146048 -c--a-w- c:\windows\system32\dllcache\portcls.sys
2010-01-21 01:38:11 146048 ----a-w- c:\windows\system32\drivers\portcls.sys
2010-01-21 01:38:10 60160 -c--a-w- c:\windows\system32\dllcache\drmk.sys
2010-01-21 01:38:10 60160 ----a-w- c:\windows\system32\drivers\drmk.sys
2010-01-21 01:38:10 129536 -c--a-w- c:\windows\system32\dllcache\ksproxy.ax
2010-01-21 01:38:10 129536 ----a-w- c:\windows\system32\ksproxy.ax
2010-01-21 01:29:08 0 d-----w- c:\program files\Advanced System Optimizer
2010-01-21 01:25:54 0 d-s---w- c:\windows\system32\Microsoft
2010-01-21 01:01:50 8192 ----a-w- c:\windows\REGLOCS.OLD
2010-01-21 00:55:48 0 d-sh--w- c:\documents and settings\all users\DRM
2010-01-21 00:55:24 0 d--h--w- c:\program files\WindowsUpdate
2010-01-21 00:54:30 0 d-----w- c:\program files\common files\MSSoap
2010-01-21 00:52:12 0 d-----w- c:\program files\Online Services
2010-01-21 00:51:36 0 d-----w- c:\program files\Messenger
2010-01-21 00:51:31 0 d-----w- c:\program files\MSN Gaming Zone
2010-01-21 00:50:36 0 d-----w- c:\program files\Windows NT
2010-01-20 18:45:52 0 d-----w- c:\program files\common files\ODBC
2010-01-20 18:45:47 0 d-----w- c:\program files\common files\SpeechEngines
2010-01-20 18:42:04 0 d-----r- c:\documents and settings\all users\Documents

==================== Find3M ====================

2010-01-25 14:55:11 4 ----a-w- C:\WINDOWSRegDefrag.dat
2010-01-21 00:52:45 21640 ----a-w- c:\windows\system32\emptyregdb.dat

============= FINISH: 1:59:40.95 ===============


Looking forward to hearing from my saviour as to how I can finally kill whatever it is that is consistently rewriting the proxy setting on port 2323 at boot time, and I will not do anything else with the XP Professional machine until I hear back from you.

Many thanks in advance....

Compliance Sue x
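The post above describes two hijack indicators: HOSTS entries that send the major search engines to a foreign IP, and a ProxyServer = localhost:2323 value under HKCU\...\Internet Settings that is re-added at every boot. The following is an added example, not code from the post or from BleepingComputer, showing how to check both offline from a copy of the HOSTS file and a `reg export` of the Internet Settings key. The sample HOSTS and .reg contents are constructed, the watch-list of domains is an assumption, and a loopback proxy is only an indicator: web filters and debugging proxies install one on purpose, so it counts as a hijack when the user did not configure it.

```python
r"""Check two browser-hijack indicators described in the post: HOSTS entries that
point well-known hostnames somewhere other than loopback, and Internet Settings
values (ProxyEnable / ProxyServer / AutoConfigURL) that route the browser through
a local proxy. The inputs below are constructed samples, not the poster's files.
On a live machine, feed in C:\Windows\System32\drivers\etc\hosts and the output of
  reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" is.reg
"""
import ipaddress
import re

# Constructed sample HOSTS file: search engines redirected to a documentation-range IP.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.45    www.google.com
203.0.113.45    google.co.uk
203.0.113.45    search.yahoo.com   # trailing comment
127.0.0.1       ad.doubleclick.net
"""

# Constructed sample .reg export of the Internet Settings key, matching the post's symptom.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="localhost:2323"
"ProxyOverride"="<local>"
"""

# Domains whose HOSTS entries are almost never legitimate (assumed watch-list; extend as needed).
WATCHED_DOMAINS = {"google.com", "google.co.uk", "yahoo.com", "bing.com",
                   "live.com", "microsoft.com", "windowsupdate.com"}


def _is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # not an IP literal (e.g. the name "localhost"); caller decides


def _is_watched(hostname):
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in WATCHED_DOMAINS)


def hosts_redirects(hosts_text):
    """(hostname, address) pairs where a watched hostname maps to a non-loopback address.
    Blocking entries (watched host -> 127.0.0.1 / ::1) are deliberately not reported."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            if _is_watched(name) and not _is_loopback(addr):
                findings.append((name, addr))
    return findings


_REG_VALUE = re.compile(r'^"(ProxyEnable|ProxyServer|ProxyOverride|AutoConfigURL)"=(.*?)\s*$', re.M)


def proxy_settings(reg_text):
    """Pull the proxy-related values out of a .reg export into a dict (dword -> int)."""
    values = {}
    for m in _REG_VALUE.finditer(reg_text):
        name, raw = m.group(1), m.group(2)
        values[name] = int(raw[len("dword:"):], 16) if raw.startswith("dword:") else raw.strip('"')
    return values


def _proxy_hosts(server):
    """ProxyServer is either "host:port" or "http=host:port;https=host:port;..."."""
    hosts = []
    for entry in server.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if "=" in entry:                      # per-protocol form
            entry = entry.split("=", 1)[1]
        hosts.append(entry.rsplit(":", 1)[0].lower())
    return hosts


def proxy_hijack(settings):
    """True when a proxy is enabled and requests are bounced through the local machine,
    the pattern in the post; a loopback proxy the user installed on purpose also trips this."""
    if not settings.get("ProxyEnable"):
        return False
    return any(h in ("localhost", "127.0.0.1") or _is_loopback(h)
               for h in _proxy_hosts(settings.get("ProxyServer", "")))


def report(hosts_text, reg_text):
    """Combine both checks into one dict, the shape a triage script would log."""
    settings = proxy_settings(reg_text)
    return {"hosts_redirects": hosts_redirects(hosts_text),
            "proxy": settings,
            "proxy_hijack": proxy_hijack(settings)}


if __name__ == "__main__":
    for key, value in report(SAMPLE_HOSTS, SAMPLE_REG).items():
        print(f"{key}: {value}")
```

Run it against the sample data and it reports the three redirected search hosts plus `proxy_hijack: True`. The DENY ACL the poster put on the Internet Settings key blocks the symptom but not whatever writes the value, so after confirming the indicators the next step is to find the autorun or service that reapplies them at boot, which is what the DDS log and ComboFix steps later in the thread are for.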
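The "Created Last 30" section of the DDS log above is a flat list of a few hundred lines, and the responder's first job is to decide which of them to look at. The following is an added example, not part of the post and not DDS's own code, that parses that section into records and pulls out the new non-directory entries under c:\windows\system32 whose names do not look like ordinary system files. The sample lines are copied from the log in the post; the list of expected extensions is an assumption; and the output is a review order, not a malware verdict.

```python
r"""Triage helper for the "Created Last 30" section of a DDS log. It parses each
line into (created, size, attrs, path) and lists the new non-directory entries
under c:\windows\system32 whose names do not look like normal system files, so a
reviewer knows where to look first. It makes no malware verdict. The sample lines
are copied from the DDS log in the post; the section banners are kept to show that
the parser skips them.
"""
import re
from collections import namedtuple
from datetime import datetime

SAMPLE_DDS = r"""=============== Created Last 30 ================

2010-01-27 21:40:19 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-01-26 23:20:40 86656 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-26 18:12:36 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-25 16:56:37 507904 ------w- c:\windows\system32\WINLOGON.EXE
2010-01-25 14:54:17 57344 ----a-w- c:\windows\system32\RO6133.tmp
2010-01-24 00:49:59 262144 ---ha-w- c:\windows\system32\RO6160.bac
2010-01-23 22:26:13 112128 ----a-w- c:\windows\system32\0
2010-01-23 22:10:25 0 d-----w- c:\program files\Process Explorer

==================== Find3M ====================
"""

Entry = namedtuple("Entry", "created size attrs path")

# date time size attribute-flags path; the first flag is 'd' for directories.
_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+([a-z-]{8})\s+(.+?)\s*$")


def parse_created(text):
    """Turn the section into Entry records, skipping banners and blank lines."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        entries.append(Entry(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                             int(m.group(2)), m.group(3), m.group(4)))
    return entries


def is_directory(entry):
    return entry.attrs.startswith("d")


SYSTEM32 = "c:\\windows\\system32\\"
# Extensions normally seen for files that land in system32 (assumed list; extend as needed).
EXPECTED_EXT = {"exe", "dll", "sys", "cpl", "ax", "ocx", "drv", "scr",
                "mui", "dat", "ini", "cat", "inf", "nls"}


def system32_files(entries):
    """Non-directory entries created under system32, including the drivers and dllcache subfolders."""
    return [e for e in entries if not is_directory(e) and e.path.lower().startswith(SYSTEM32)]


def odd_names(entries):
    """Paths under system32 whose name has no extension or an unexpected one; review these first."""
    odd = []
    for e in system32_files(entries):
        name = e.path.rsplit("\\", 1)[-1]
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext not in EXPECTED_EXT:
            odd.append(e.path)
    return odd


def by_day(entries):
    """Count of new entries per day, to line the timeline up with when the symptoms began."""
    counts = {}
    for e in entries:
        day = e.created.strftime("%Y-%m-%d")
        counts[day] = counts.get(day, 0) + 1
    return counts


if __name__ == "__main__":
    entries = parse_created(SAMPLE_DDS)
    print(f"{len(entries)} entries parsed")
    for path in odd_names(entries):
        print("review:", path)
    print(by_day(entries))
```

On the sample this flags the two RO*.tmp/.bac files and the extension-less `c:\windows\system32\0`; legitimate installers do leave temporary files in system32, so each candidate still needs its hash or signature checked before anything is deleted.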


#2 extremeboy (Malware Response Team, 12,975 posts)

Posted 02 February 2010 - 06:22 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding.

Do you still require help?

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or RootRepeal log, please refer to this page, steps #6 and #7, for further instructions on downloading and running DDS & RootRepeal. If you have any problems when running the tools or are unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 extremeboy (Malware Response Team, 12,975 posts)

Posted 06 February 2010 - 02:57 PM

Hello.

Are you still there? Do you still require help?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days from the day I replied initially, the topic will need to be closed.

Thanks for understanding.

With Regards,
Extremeboy

#4 Sue Trolley (Topic Starter, Members, 2 posts)

Posted 07 February 2010 - 11:48 AM

Hi, yes... so sorry,
I was out of town on business....

I can confirm that I still need your help... I understood clearly from the general help directions about not letting anybody mess with the computer after I've asked BleepingComputer to assist me, so I actually turned off the computer and have left it alone completely untouched until you instruct me on how to clear whatever it is on the machine. So the reports above and the attachments I have supplied are as current as they can be.

Please go ahead and glean from them whatever mysterious bug is hiding on my other machine.

Thank you so much for taking on this case and lets hope we can sort my problem with little fuss.

Many thanks,
Sue.

#5 extremeboy (Malware Response Team, 12,975 posts)

Posted 08 February 2010 - 08:16 PM

Hello again.

Okay, let's see what we can do. We will start off with ComboFix first.

Download and Run Combofix

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page on instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.


#6 extremeboy (Malware Response Team, 12,975 posts)

Posted 12 February 2010 - 04:45 PM

Hello.

Are you still there? Do you still require help?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days from the day I replied initially, the topic will need to be closed.

Thanks for understanding.

With Regards,
Extremeboy

#7 extremeboy (Malware Response Team, 12,975 posts)

Posted 19 February 2010 - 05:24 PM

Hello.

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Extremeboy
