
Browser Redirect Combofix log attached


  • This topic is locked
7 replies to this topic

#1 nightowl1

nightowl1

  • Members
  • 3 posts
  • OFFLINE
  • Local time:05:26 PM

Posted 20 April 2010 - 11:11 AM

Hello, and thank you in advance for your help! : )

Just recently I have been having problems with a browser redirect virus. I have IE8, and am using Windows XP Home Edition.

This redirect is not overly aggressive but just plain annoying. It usually does not kick in right away but after I have been surfing for a bit. It will redirect me once, and when I go back and try the link for the second time it will always take me to the page I want.

I researched the net for this and read that combofix may take care of this. I downloaded it and followed all the instructions on this site for how to use it. Everything ran just as described. But there was one difference that I did not see described. Just seconds after launching combofix a box came up reading that it had found a rootkit and needed to reboot. I found this instruction surprising as it was not mentioned anywhere on the page, and wasn't sure if I should, but as I could not do anything else I clicked on okay. The computer rebooted and the scan picked up where it left off and ran just as described.

I believe the problem has been taken care of. I tested it out by surfing the net for a little while before coming here. So far there have not been any redirects. And my computer is running a LOT faster!

The reason I am posting here is it was suggested that combofix may not have caught other viruses present and to post a log here to ensure my computer is clean. Below is my combofix log.

Also recently our ISP has informed us that one of the computers in our house is infected with the torpig virus. I researched it on the net and wrote down the list of names under which this virus can be found, I checked the Start Up menu, Task manager, and the Registry key. I also looked in ALL application files and ALL Windows system 32 files, and did not find any of the file names present. I believe mine is not the infected computer in the house. Just wondering if you see anything in there.

I see combofix has removed a number of orphan files that I have been trying to get rid of such as a Xerox file that refused to be deleted, and remnants of AVG that I could not find in Program files anywhere, as well as that horrible sysguard virus that was still in my Start Up menu. I had disabled it and removed it from my registry key but was unable to completely get it out of my Start Up menu. THANK YOU combofix!

I have also been getting a blue screen instructing me to run a system diagnostic utility. In particular a memory check, and check for faulty or mismatched memory. It said to try changing video adapters. To disable any newly installed hardware or software.

I am thinking that combofix may have fixed this problem too. If I do get the blue screen again I am going to run a sfc /scannow.

Again thank you for all your time and effort in helping me, it is MUCH appreciated!

MY COMBOFIX LOG:

ComboFix 10-04-19.05 - Default 04/20/2010 7:14.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.258 [GMT -7:00]
Running from: c:\documents and settings\Default\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-842925246-789336058-682003330-1004
C:\Thumbs.db
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\dumphive.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
original MBR restored successfully !
.
((((((((((((((((((((((((( Files Created from 2010-03-20 to 2010-04-20 )))))))))))))))))))))))))))))))
.

2010-04-19 23:35 . 2010-04-19 23:35 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-04-19 23:34 . 2010-04-19 23:34 -------- d-----w- c:\program files\Common Files\iS3
2010-04-19 23:32 . 2010-04-19 23:32 390656 ----a-w- C:\STOPzilla_Setup.exe
2010-04-18 23:12 . 2010-04-18 23:28 -------- d-----w- c:\documents and settings\Default\Application Data\vlc
2010-04-18 22:53 . 2010-04-18 22:53 13034384 ----a-w- C:\GraboidVideoSetup-1.71e-complete.exe
2010-04-18 17:43 . 2010-04-18 17:43 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-04-18 17:42 . 2010-04-18 17:38 754984 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-04-18 17:42 . 2010-04-18 17:05 1180952 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-04-18 17:42 . 2010-04-18 17:42 56766 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-04-18 17:42 . 2010-04-18 17:42 56978 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-04-18 17:42 . 2010-04-18 17:42 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-04-18 17:42 . 2010-04-18 17:42 57679 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe
2010-04-18 17:40 . 2010-04-18 17:40 54073 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe
2010-04-18 17:40 . 2010-04-18 17:40 56969 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe
2010-04-18 17:09 . 2010-04-18 17:41 52963 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-04-18 17:08 . 2010-04-18 17:40 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-04-18 17:05 . 2010-04-18 17:42 -------- d-----w- c:\program files\DivX
2010-04-18 17:05 . 2010-04-18 17:38 144696 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-04-18 17:05 . 2010-04-18 17:43 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-04-18 17:05 . 2010-04-18 17:05 1180952 ----a-w- C:\DivXInstaller.exe
2010-04-18 00:55 . 2010-04-18 00:55 3103640 ----a-w- C:\spywareblastersetup43.exe
2010-03-31 03:04 . 2010-03-31 03:07 -------- dc-h--w- c:\windows\ie8
2010-03-31 03:02 . 2010-02-25 06:24 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-03-31 03:02 . 2010-02-25 06:24 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-03-31 02:59 . 2010-03-31 02:59 16883056 ----a-w- C:\IE8-WindowsXP-x86-ENU.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-20 14:26 . 2010-02-03 05:35 23718944 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-04-20 14:12 . 2010-02-03 05:35 759840 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-04-20 14:12 . 2010-02-03 05:35 71804 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-04-20 14:12 . 2010-02-03 05:35 316964 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-04-20 13:45 . 2009-04-30 11:07 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-19 23:48 . 2010-04-19 23:46 1816 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-04-19 23:47 . 2010-04-19 23:47 424 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-04-19 23:34 . 2010-02-04 14:00 -------- d-----w- c:\program files\SpywareGuard
2010-04-18 23:10 . 2009-04-10 00:55 -------- d-----w- c:\program files\Graboid
2010-04-18 17:41 . 2010-04-18 17:41 -------- d-----w- c:\documents and settings\Default\Application Data\DivX
2010-04-18 17:41 . 2010-04-18 17:41 84040 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe
2010-04-18 17:41 . 2010-04-18 17:41 57054 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe
2010-04-18 17:41 . 2010-04-18 17:41 54166 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe
2010-04-18 17:41 . 2010-04-18 17:41 57532 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe
2010-04-18 17:41 . 2010-04-18 17:41 56458 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXDecoderShortcut\Uninstaller.exe
2010-04-18 17:41 . 2010-04-18 17:41 54174 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAACDecoder\Uninstaller.exe
2010-04-18 17:41 . 2010-04-18 17:41 54153 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe
2010-04-18 17:41 . 2010-04-18 17:41 54128 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Converter\Uninstaller.exe
2010-04-18 17:41 . 2010-04-18 17:41 54629 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TranscodeEngine\Uninstaller.exe
2010-04-18 17:41 . 2010-04-18 17:41 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
2010-04-18 17:41 . 2010-04-18 17:41 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe
2010-04-18 17:08 . 2004-10-29 03:11 -------- d-----w- c:\program files\Google
2010-04-18 01:03 . 2010-03-16 19:59 117760 ----a-w- c:\documents and settings\Default\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-18 00:57 . 2010-02-04 13:34 -------- d-----w- c:\program files\SpywareBlaster
2010-04-14 16:47 . 2010-02-04 09:42 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-14 16:47 . 2010-02-04 09:42 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-14 16:35 . 2010-02-04 09:43 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-14 16:35 . 2010-02-04 09:43 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-14 16:31 . 2010-02-04 09:43 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-14 16:31 . 2010-02-04 09:43 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-04-14 16:31 . 2010-02-04 09:43 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-04-14 16:31 . 2010-02-04 09:43 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-14 16:30 . 2010-02-04 09:43 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-04-14 01:35 . 2007-05-19 05:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-07 00:37 . 2008-04-14 17:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-07 00:37 . 2009-04-30 10:03 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-01 20:44 . 2008-07-31 01:40 -------- d-----w- c:\program files\McAfee
2010-03-31 01:58 . 2010-04-18 17:41 125424 ------w- c:\windows\system32\pxinsi64.exe
2010-03-31 01:58 . 2010-04-18 17:41 123888 ------w- c:\windows\system32\pxcpyi64.exe
2010-03-31 01:58 . 2007-08-13 18:41 44944 ----a-w- c:\windows\system32\drivers\PxHelp20.sys
2010-03-31 01:58 . 2007-08-13 18:41 133616 ------w- c:\windows\system32\pxafs.dll
2010-03-30 07:46 . 2009-04-30 10:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45 . 2009-04-30 10:04 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-17 20:06 . 2009-04-22 05:39 -------- d-----w- c:\documents and settings\Default\Application Data\DNA
2010-03-17 01:35 . 2009-04-22 05:39 -------- d-----w- c:\program files\DNA
2010-03-16 19:59 . 2010-03-16 19:59 52224 ----a-w- c:\documents and settings\Default\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-16 19:58 . 2010-03-16 19:58 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-16 19:58 . 2008-04-15 16:34 -------- d-----w- c:\documents and settings\Default\Application Data\SUPERAntiSpyware.com
2010-03-16 19:58 . 2010-03-16 19:58 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-16 19:58 . 2010-03-16 19:58 7757856 ----a-w- C:\SUPERAntiSpyware.exe
2010-03-13 23:05 . 2010-03-13 23:05 13130096 ----a-w- C:\GraboidVideoSetup-1.71-complete.exe
2010-03-10 06:15 . 2002-08-29 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 17:59 . 2010-03-08 17:59 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-02-25 06:24 . 2004-01-21 23:16 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 17:16 . 2010-03-17 02:53 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 13:11 . 2002-08-29 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 19:27 . 2010-02-19 19:27 720384 ----a-w- c:\windows\system32\DivX.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2010-02-19 19:27 . 2010-02-19 19:27 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2010-02-19 19:27 . 2010-02-19 19:27 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2010-02-19 19:27 . 2010-02-19 19:27 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2010-02-17 16:10 . 2002-08-29 12:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2002-08-29 01:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2002-08-29 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2002-08-29 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-08 09:35 . 2010-02-08 09:35 80295704 ----a-w- C:\jdk-6u18-windows-i586.exe
2010-02-04 13:58 . 2010-02-04 13:58 2062665 ----a-w- C:\spywareguardsetup.exe
2010-02-04 13:33 . 2010-02-04 13:33 3012768 ----a-w- C:\spywareblastersetup42.exe
2010-02-04 09:41 . 2010-02-04 09:41 43550760 ----a-w- C:\setup_av_free.exe
2006-09-22 05:12 . 2005-06-29 06:39 104 --sh--r- c:\windows\system32\54E29170F5.sys
2006-09-22 05:12 . 2005-06-29 06:14 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2009-11-01 12:36 218160 ----a-w- c:\program files\Hotspot Shield\hssie\HssIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-25 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2004-01-16 49152]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-04-14 2790472]

c:\documents and settings\Default\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Corel Registration.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Corel Registration.lnk
backup=c:\windows\pss\Corel Registration.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CorelCENTRAL 9.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\CorelCENTRAL 9.LNK
backup=c:\windows\pss\CorelCENTRAL 9.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CorelCENTRAL Alarms.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\CorelCENTRAL Alarms.LNK
backup=c:\windows\pss\CorelCENTRAL Alarms.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Application Director 9.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Desktop Application Director 9.LNK
backup=c:\windows\pss\Desktop Application Director 9.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2009-11-07 12:25 323392 ----a-w- c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2007-04-03 16:50 1603152 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2007-05-14 16:01 644696 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-04-12 22:46 1135912 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 18:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-06-16 13:03 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-02-16 23:15 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-08-01 01:44 271672 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 09:50 155648 ----a-r- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2007-02-04 19:02 79400 ----a-w- c:\program files\ScanSoft\OmniPageSE4\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-06-29 13:24 286720 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 16:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-12 11:00 132496 ----a-w- c:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-02-18 23:40 2012912 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Graboid\\GraboidVideo\\1.5.0.0\\GraboidClient.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"9157:TCP"= 9157:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"9928:TCP"= 9928:TCP:Services
"5367:TCP"= 5367:TCP:Services
"9396:TCP"= 9396:TCP:Services
"6584:TCP"= 6584:TCP:Services
"3246:TCP"= 3246:TCP:Services
"7349:TCP"= 7349:TCP:Services
"8474:TCP"= 8474:TCP:Services
"3504:TCP"= 3504:TCP:Services
"2502:TCP"= 2502:TCP:Services
"9606:TCP"= 9606:TCP:Services
"5553:TCP"= 5553:TCP:Services
"5616:TCP"= 5616:TCP:Services
"9732:TCP"= 9732:TCP:Services
"9796:TCP"= 9796:TCP:Services
"5648:TCP"= 5648:TCP:Services
"3009:TCP"= 3009:TCP:Services
"4518:TCP"= 4518:TCP:Services
"6756:TCP"= 6756:TCP:Services
"6757:TCP"= 6757:TCP:Services

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/4/2010 2:43 AM 162768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/4/2010 2:43 AM 19024]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [1/8/2010 4:42 PM 285744]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/30/2008 6:40 PM 93320]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2010 12:04 AM 135664]
S3 EPROTNT;EPROTNT; [x]
S3 OPFDRV;OPFDRV;\??\c:\windows\system32\drivers\OPFDRV.sys --> c:\windows\system32\drivers\OPFDRV.sys [?]
S3 OPFFLT;OPFFLT;\??\c:\windows\system32\drivers\OPFFLT.sys --> c:\windows\system32\drivers\OPFFLT.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]
S4 OPFSVC;OPFSVC;c:\program files\Omniquad Total Security\OPF\OPFSVC.exe --> c:\program files\Omniquad Total Security\OPF\OPFSVC.exe [?]
S4 Personal Firewall;Personal Firewall;c:\program files\Omniquad Total Security\OPF\pfsvc.exe --> c:\program files\Omniquad Total Security\OPF\pfsvc.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2010-04-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 20:42]

2010-04-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 07:04]

2010-04-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 07:04]

2010-04-20 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-10-16 23:26]

2010-04-20 c:\windows\Tasks\User_Feed_Synchronization-{1B2D25D3-EAFC-4077-8C52-D4E4CBF66038}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: Yahoo! Chat - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-msnmsgr - c:\program files\MSN Messenger\msnmsgr.exe
MSConfigStartUp-!AVG Anti-Spyware - c:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
MSConfigStartUp-Ad-Watch - c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
MSConfigStartUp-AVG7_CC - c:\progra~1\Grisoft\AVG7\avgcc.exe
MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
MSConfigStartUp-MSSE - c:\program files\Microsoft Security Essentials\msseces.exe
MSConfigStartUp-phtmsbnt - c:\documents and settings\Default\Local Settings\Application Data\jgwajx\aprdsysguard.exe
AddRemove-Operation Spacehog - c:\games\spacehog\Uninstal.exe
AddRemove-Xerox XK Series Print - c:\windows\DeIsL2.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-20 07:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(948)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2010-04-20 07:30:20
ComboFix-quarantined-files.txt 2010-04-20 14:30

Pre-Run: 39,212,150,784 bytes free
Post-Run: 39,248,424,960 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptOut

- - End Of File - - E6EDEAAAB6AB3D9AD19A6C8C21D26D84

Edited by nightowl1, 20 April 2010 - 11:33 AM.
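As an added example (not part of this thread, and not code from ComboFix), a small Python triage script that pulls the firewall-policy sections out of a ComboFix log in the layout posted above and reports what a reviewer checks in them: whether the standard profile is enabled, which applications are authorized, and which ports are globally open. The sample input is a constructed excerpt in the log's format; the `WELL_KNOWN` port table is an assumption for illustration, not a ComboFix list.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed excerpt in the layout of a ComboFix "Reg Loading Points" firewall
# section (a few entries of the kind seen in the log above), used as sample input.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\DNA\\btdna.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"9157:TCP"= 9157:TCP:Services

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/4/2010 2:43 AM 162768]
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
ENABLE_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')
APP_RE = re.compile(r'^"(.+)"=\s*$')
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')

# Assumed table of ports whose global-open entry normally carries a meaningful
# name; anything else tagged only "Services" is worth a second look.
WELL_KNOWN = {3389: "Remote Desktop", 445: "SMB", 139: "NetBIOS", 135: "RPC"}


@dataclass
class FirewallPolicy:
    enabled: Optional[bool] = None          # None when the key is absent from the log
    authorized_apps: List[str] = field(default_factory=list)
    open_ports: List[Tuple[int, str, str]] = field(default_factory=list)  # (port, proto, name)


def parse_firewall_policy(log_text: str) -> FirewallPolicy:
    """Walk the log line by line, tracking the current [section] header, and
    collect only the entries under the firewallpolicy\\standardprofile keys."""
    policy = FirewallPolicy()
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        if "firewallpolicy" not in section:
            continue
        if section.endswith("standardprofile"):
            m = ENABLE_RE.match(line)
            if m:
                policy.enabled = m.group(1) != "0"
        elif section.endswith("authorizedapplications\\list"):
            m = APP_RE.match(line)
            if m:
                # The log doubles backslashes in this section; collapse them.
                policy.authorized_apps.append(m.group(1).replace("\\\\", "\\"))
        elif section.endswith("globallyopenports\\list"):
            m = PORT_RE.match(line)
            if m:
                policy.open_ports.append((int(m.group(1)), m.group(2), m.group(3).strip()))
    return policy


def review_firewall(policy: FirewallPolicy) -> List[str]:
    """Turn the parsed policy into the observations a log reviewer would note."""
    findings = []
    if policy.enabled is False:
        findings.append("Windows Firewall standard profile is disabled (EnableFirewall=0)")
    elif policy.enabled is None:
        findings.append("EnableFirewall key not found in the log")
    generic = [p for p, _, name in policy.open_ports
               if name == "Services" and p not in WELL_KNOWN]
    if generic:
        findings.append(f"{len(generic)} globally open port(s) carry only the generic "
                        f"name 'Services': {', '.join(str(p) for p in generic)}")
    for port, proto, _ in policy.open_ports:
        if port == 3389:
            findings.append(f"Remote Desktop ({port}/{proto}) is globally open in the standard profile")
    return findings


if __name__ == "__main__":
    parsed = parse_firewall_policy(SAMPLE_LOG)
    print(f"firewall enabled: {parsed.enabled}")
    print(f"authorized apps: {len(parsed.authorized_apps)}, open ports: {len(parsed.open_ports)}")
    for finding in review_firewall(parsed):
        print(" -", finding)
```

Run it against a full saved ComboFix log by reading the file into `parse_firewall_policy`; the parser ignores every section outside the firewall keys.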



#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:26 AM

Posted 25 April 2010 - 06:45 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 nightowl1

nightowl1
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:05:26 PM

Posted 30 April 2010 - 02:56 AM

Hello m0le,

Thank you for your reply.

The browser redirect problem is no longer there since I ran ComboFix. Also my blue screen has not returned either, so it appears to have fixed that as well.

The only other thing I am wondering about is the Torpig virus. I have already searched start up menu, task manager, registry key, applications, and windows system 32 and have not found any of its listed files anywhere in my computer.

I was not planning on posting a log but the directions for combofix suggested that I should.

I was just wondering if there was anything in the log that appeared suspicious.



#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:26 AM

Posted 30 April 2010 - 02:36 PM

Well, apart from you running Combofix without support, which is definitely not advised... there's nothing suspicious.

Why the worry about torpig? Combofix has restored the MBR and the report that would come out if there were still problems is not there.

It looks clean.
m0le is a proud member of UNITE

#5 nightowl1

nightowl1
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:05:26 PM

Posted 02 May 2010 - 11:03 PM

Our ISP is telling us one of the computers in our house has the Torpig virus, but they cannot tell us which one. There are six computers in our house. The two downstairs, belonging to myself and my dad, have been thoroughly checked. I researched Torpig, made a note of all possible file names under which it would occur, and then did a manual check looking in all the places described in my previous post, and found nothing. My dad had his checked by a local computer store. Both of ours are clean.

My brother, who lives upstairs, has four computers which have not been manually checked. They have run a number of scans but nothing has been able to locate which of their computers has the Torpig virus. As such they are not completely convinced the two computers downstairs are clean, and believe it may be in one of ours.

I simply thought while I was in here about my 'other' problem, that I would just ask if you could please take a quick look at my log to verify that Torpig is not in "my" computer.

Now that you have done so, I can relay that computer tech support has verified that mine is not the infected computer, which I have told them all along. Maybe they will believe you, as they are not believing me.

Thank you for your time and help in this matter, it is greatly appreciated.



#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:26 AM

Posted 03 May 2010 - 04:03 AM

Your PC showed the signs of this infection so it is likely that the machine your ISP has targeted is yours.

Please run this program, it is a torpig detector.

Download and run HAMeb_check.exe

Post the contents of the resulting log.

(I suggest the other PCs do the same)
m0le is a proud member of UNITE

#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:26 AM

Posted 05 May 2010 - 06:46 PM

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le
m0le is a proud member of UNITE

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:26 AM

Posted 09 May 2010 - 02:31 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE