Infected-Search results redirected


  • This topic is locked
29 replies to this topic

#16 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:09:11 PM

Posted 02 August 2010 - 11:58 AM

Hello, Bob Kraft.
Yes, that entry is a proxy hijack, related to a large number of fake antivirus software.

We need to run a custom OTL fix
  1. Please run OTL on your desktop.
  2. Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not copy the word "code".
    CODE
    :OTL
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5577
  3. Click the Run Fix button
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click OK
  6. A report will open. Copy and Paste that report in your next reply.

In your next reply, please include the following:
  • OTL Log

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM
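As an added example (my own illustration, not code from this thread and not part of OTL or ComboFix): a small Python triage script that parses ProxyServer lines in the OTL format quoted in the fix above and in the ComboFix "Supplementary Scan" format (uInternet Settings,ProxyServer = ...), splits the WinINet value into per-protocol host:port entries, and flags a proxy that points at a loopback address, which is what the 127.0.0.1:5577 hijack looks like in a log. The sample lines are constructed for the example apart from the 127.0.0.1:5577 entry taken from the thread; the corporate-proxy and LAN-proxy lines are made up to show what a non-suspicious entry looks like.

```python
import re
from ipaddress import ip_address

# Constructed sample log lines. The first two reproduce the 127.0.0.1:5577 entry
# discussed in this thread (OTL format, then ComboFix "Supplementary Scan" format);
# the remaining proxy lines are made up to show the other cases the triage handles.
SAMPLE_LINES = [
    'IE - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings: "ProxyServer" = http=127.0.0.1:5577',
    'uInternet Settings,ProxyServer = http=127.0.0.1:5577',
    'mInternet Settings,ProxyServer = proxy.corp.example:8080',
    'IE - HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings: "ProxyServer" = https=10.0.0.5:3128;ftp=10.0.0.5:2121',
    'uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage',
]

# Matches the value after ProxyServer in both formats:
#   ... "ProxyServer" = http=127.0.0.1:5577      (OTL)
#   uInternet Settings,ProxyServer = http=...    (ComboFix)
PROXY_RE = re.compile(r'ProxyServer"?\s*=\s*(?P<value>\S+)')


def parse_proxy_value(value):
    """Split a WinINet ProxyServer value into (scheme, host, port) tuples.

    The value is either a bare "host:port" (applies to all protocols, reported
    as scheme 'all') or a ';'-separated list of "scheme=host:port" entries.
    A missing or non-numeric port is returned as None.
    """
    entries = []
    for part in value.split(';'):
        part = part.strip()
        if not part:
            continue
        scheme, sep, hostport = part.partition('=')
        if not sep:
            scheme, hostport = 'all', part
        host, sep, port = hostport.rpartition(':')
        if not sep:
            host, port = hostport, ''
        entries.append((scheme.lower(), host, int(port) if port.isdigit() else None))
    return entries


def classify_host(host):
    """Return 'loopback', 'private' or 'public' for an IP literal, else 'hostname'."""
    try:
        addr = ip_address(host)
    except ValueError:
        return 'hostname'
    if addr.is_loopback:
        return 'loopback'
    if addr.is_private:
        return 'private'
    return 'public'


def proxy_hive(line):
    """Which registry hive the entry came from: per-user (HKCU) or machine-wide (HKLM)."""
    if 'HKLM' in line or line.startswith('mInternet'):
        return 'HKLM'
    if 'HKCU' in line or line.startswith('uInternet'):
        return 'HKCU'
    return 'unknown'


def triage(lines):
    """Return one finding per proxy entry found in the log lines.

    A proxy on a loopback address is flagged: it means a process on the machine
    itself sits between the browser and the network, which is the pattern of the
    proxy hijack discussed in this thread. A hostname or a LAN address is reported
    but not flagged, since that is what a legitimately configured proxy looks like.
    """
    findings = []
    for line in lines:
        m = PROXY_RE.search(line)
        if not m:
            continue
        for scheme, host, port in parse_proxy_value(m.group('value')):
            kind = classify_host(host)
            findings.append({
                'hive': proxy_hive(line),
                'scheme': scheme,
                'host': host,
                'port': port,
                'kind': kind,
                'suspicious': kind == 'loopback',
            })
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LINES):
        flag = 'SUSPECT' if f['suspicious'] else 'ok     '
        print(f"{flag} {f['hive']:<7} {f['scheme']:<5} {f['host']}:{f['port']} ({f['kind']})")
```

To run it over a saved log, pass the file's lines to triage(), e.g. triage(open('OTL.txt').readlines()). The script only reads log text; it does not touch the registry, so it is safe to run on a clean machine while reviewing someone else's log. A loopback finding on its own does not say what is listening on that port, only that the browser is being routed through something local, which is why the helper's next step in the thread is a deeper scan rather than just deleting the value.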




#17 Bob Kraft

Bob Kraft
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:12:11 PM

Posted 02 August 2010 - 02:52 PM

aommaster:

This is the report produced when I ran Run Fix. No reboot was requested.

========== OTL ==========
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!

OTL by OldTimer - Version 3.2.9.1 log created on 08022010_144825


An OTL.txt file was not created. Do you want me to run a scan as before to create one?

Thanks,

Bob Kraft


#18 Bob Kraft

Bob Kraft
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:12:11 PM

Posted 02 August 2010 - 03:06 PM

aommaster:
I ran HijackThis and the 127.... was gone. I rebooted the machine and it reappeared again.

Thanks,

Bob Kraft


#19 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:09:11 PM

Posted 03 August 2010 - 03:15 AM

Hello, Bob Kraft.
Okay, we have something that's recreating these entries. Let's run Combofix (make sure you download a fresh copy).
We need to download and run ComboFix (by sUBs)
  1. Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
    They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". For more details, please check this thread
  2. Please download ComboFix from one of these locations:
    Link 1
    Link 2
    ** IMPORTANT !!! Save ComboFix.exe to your Desktop
  3. Double click on ComboFix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  5. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  6. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    The Recovery Console was successfully installed. Click 'Yes' to continue scanning for malware. Click 'No' to exit
  7. Click on Yes, to continue scanning for malware.
  8. When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
**A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
**This tool is not a toy and not for everyday use.
**ComboFix SHOULD NOT be used unless requested by a forum helper


In your next reply, please include the following:
  • ComboFix.txt

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#20 Bob Kraft

Bob Kraft
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:12:11 PM

Posted 03 August 2010 - 10:52 AM

aommaster:

I have lost my Linksys controls, I guess I'll have to reinstall the software for the wireless connection. Or is there an easier way to un-quarantine? Here is the ComboFix.txt

ComboFix 10-08-02.03 - Owner 08/03/2010 10:34:07.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1498 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RKHIT


((((((((((((((((((((((((( Files Created from 2010-07-03 to 2010-08-03 )))))))))))))))))))))))))))))))
.

2010-08-02 19:48 . 2010-08-02 19:48 -------- d-----w- C:\_OTL
2010-07-27 14:19 . 2010-08-02 20:02 -------- d-----w- c:\program files\trend micro
2010-07-27 14:19 . 2010-07-31 21:20 -------- d-----w- C:\rsit
2010-07-18 21:33 . 2010-07-18 21:33 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache
2010-07-18 21:22 . 2010-07-18 21:22 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2010-07-18 21:21 . 2010-07-18 21:21 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2010-07-18 21:18 . 2010-07-18 21:20 -------- dc-h--w- c:\windows\ie8
2010-07-16 21:50 . 2010-07-16 21:50 -------- d-----w- c:\program files\Common Files\Java
2010-07-16 21:49 . 2010-07-16 21:49 -------- d-----w- c:\program files\Sun
2010-07-16 21:47 . 2010-07-16 21:49 -------- d-----w- c:\program files\Java
2010-07-16 20:14 . 2010-07-16 20:14 34760 ----a-w- c:\windows\system32\drivers\Partizan.sys
2010-07-16 20:14 . 2010-07-16 20:14 32480 ----a-w- c:\windows\system32\Partizan.exe
2010-07-15 19:53 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-07-15 19:53 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-07-15 19:53 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-07-15 19:53 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-07-15 19:53 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-07-15 19:53 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-07-15 19:53 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-07-15 19:52 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-07-15 12:16 . 2010-07-15 12:16 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-12 16:21 . 2010-07-12 16:21 -------- d-----w- c:\program files\PcPrivacySoftware.com
2010-07-12 15:35 . 2010-07-12 16:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-12 15:35 . 2010-07-12 15:37 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-11 23:10 . 2010-02-05 18:27 1291776 -c----w- c:\windows\system32\dllcache\quartz.dll
2010-07-11 16:13 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-07-11 02:06 . 2010-07-11 02:08 57056 ----a-w- C:\regrunck.exe
2010-07-11 01:15 . 2010-07-18 15:09 -------- d-----w- c:\documents and settings\Owner\Application Data\SafeReturner
2010-07-11 01:15 . 2010-08-03 11:37 -------- d-----w- c:\program files\Safe Returner
2010-07-11 00:41 . 2010-07-11 00:43 -------- d-----w- C:\backreg
2010-07-09 13:47 . 2010-07-09 13:47 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-07-09 13:46 . 2010-07-09 14:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ocyxxsgjq
2010-07-09 13:46 . 2010-07-09 13:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-09 02:49 . 2010-07-09 02:49 -------- d-----w- c:\documents and settings\All Users\Application Data\FrontLine Registry Cleaner
2010-07-09 02:49 . 2010-07-09 12:04 -------- d-----w- c:\program files\Frontline Registry Cleaner
2010-07-09 02:45 . 2010-07-09 02:45 20747 ----a-w- c:\windows\system32\drivers\AegisP.sys
2010-07-09 02:45 . 2005-11-25 00:51 245248 ----a-w- c:\windows\system32\rt73.sys
2010-07-09 02:45 . 2010-07-09 02:45 -------- d-----w- c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor
2010-07-05 21:42 . 2010-07-05 21:43 -------- d-----w- c:\documents and settings\Owner\Application Data\GetRightToGo
2010-07-04 21:25 . 2010-07-04 21:25 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-63f0a3be-n\msvcp71.dll
2010-07-04 21:25 . 2010-07-04 21:25 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-63f0a3be-n\jmc.dll
2010-07-04 21:25 . 2010-07-04 21:25 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-63f0a3be-n\msvcr71.dll
2010-07-04 21:25 . 2010-07-04 21:25 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5c91c946-n\decora-sse.dll
2010-07-04 21:25 . 2010-07-04 21:25 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5c91c946-n\decora-d3d.dll
2010-07-04 21:24 . 2010-07-16 21:49 423656 ----a-w- c:\windows\system32\deployJava1.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-03 15:41 . 2010-06-23 15:00 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-03 15:41 . 2010-04-28 13:50 -------- d-----w- c:\program files\Spyware Doctor
2010-07-22 18:41 . 2010-06-23 15:23 767928 ----a-w- c:\windows\BDTSupport.dll
2010-07-19 22:27 . 2008-12-12 17:42 40960 ----a-w- c:\windows\system32\drivers\sisagp.sys
2010-07-15 19:52 . 2008-12-12 18:10 -------- d-----w- c:\program files\Alwil Software
2010-07-09 13:46 . 2008-12-14 15:21 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-06 16:26 . 2010-04-28 13:42 -------- d-----w- c:\program files\RegCure
2010-07-04 20:50 . 2008-12-14 17:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-03 22:45 . 2008-12-12 19:00 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-23 17:36 . 2010-06-23 15:01 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-06-23 17:36 . 2010-06-23 15:01 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-06-23 15:23 . 2010-04-28 13:50 -------- d-----w- c:\program files\Common Files\PC Tools
2010-06-23 15:22 . 2010-06-23 15:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools
2010-06-23 15:00 . 2010-06-23 15:00 -------- d-----w- c:\documents and settings\Owner\Application Data\PC Tools
2010-06-23 15:00 . 2010-06-23 15:00 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-06-23 14:37 . 2010-06-23 14:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-06-23 14:21 . 2008-12-12 18:56 -------- d-----w- c:\program files\Google
2010-06-17 19:12 . 2010-06-17 19:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-06-08 00:21 . 2010-06-23 15:23 1652664 ----a-w- c:\windows\PCTBDCore.dll
2010-06-04 15:47 . 2010-06-04 15:47 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2010-06-04 15:47 . 2008-12-14 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\SSScanWizard
2010-06-04 15:47 . 2008-12-14 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\SSScanAppDataDir
2009-06-04 12:20 . 2009-06-04 12:20 2 --shatr- c:\windows\winstart.bat
.

((((((((((((((((((((((((((((( SnapShot@2010-07-12_14.28.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-03 15:41 . 2010-08-03 15:41 16384 c:\windows\Temp\Perflib_Perfdata_c9c.dat
+ 2010-08-03 15:40 . 2010-08-03 15:40 16384 c:\windows\Temp\Perflib_Perfdata_834.dat
+ 2010-08-03 15:40 . 2010-08-03 15:40 16384 c:\windows\Temp\Perflib_Perfdata_5b8.dat
+ 2005-01-10 01:27 . 2009-01-07 23:21 26144 c:\windows\system32\spupdsvc.exe
+ 2008-12-12 19:14 . 2009-01-07 23:20 16928 c:\windows\system32\spmsg.dll
+ 2010-04-28 14:10 . 2010-07-15 12:16 25564 c:\windows\system32\Restore\rstrlog.dat
+ 2007-05-18 17:58 . 2009-03-08 09:31 46592 c:\windows\system32\pngfilt.dll
+ 2006-06-29 14:05 . 2009-01-07 23:20 23552 c:\windows\system32\normaliz.dll
- 2006-06-29 14:05 . 2006-06-29 14:05 23552 c:\windows\system32\normaliz.dll
+ 2006-06-28 23:59 . 2009-01-07 23:20 24576 c:\windows\system32\nlsdl.dll
- 2006-06-28 23:59 . 2006-06-28 23:59 24576 c:\windows\system32\nlsdl.dll
+ 2007-05-18 17:57 . 2009-03-08 09:31 48128 c:\windows\system32\mshtmler.dll
- 2007-05-18 17:57 . 2007-08-14 00:01 48128 c:\windows\system32\mshtmler.dll
+ 2007-05-18 17:57 . 2009-03-08 09:31 66560 c:\windows\system32\mshtmled.dll
- 2007-05-18 17:57 . 2007-08-14 00:32 45568 c:\windows\system32\mshta.exe
+ 2007-05-18 17:57 . 2009-03-08 09:31 45568 c:\windows\system32\mshta.exe
+ 2007-08-14 00:36 . 2009-03-08 09:31 13312 c:\windows\system32\msfeedssync.exe
+ 2007-08-14 00:54 . 2009-03-08 09:31 55296 c:\windows\system32\msfeedsbs.dll
+ 2007-05-18 17:57 . 2009-03-08 09:34 43008 c:\windows\system32\licmgr10.dll
+ 2007-05-18 17:56 . 2009-03-08 09:33 25600 c:\windows\system32\jsproxy.dll
+ 2007-05-18 17:56 . 2009-03-08 09:32 94720 c:\windows\system32\inseng.dll
+ 2007-05-18 17:56 . 2009-03-08 09:31 34816 c:\windows\system32\imgutil.dll
+ 2007-08-14 00:39 . 2009-03-08 09:32 36864 c:\windows\system32\ieudinit.exe
+ 2007-05-18 17:56 . 2009-03-08 09:32 71680 c:\windows\system32\iesetup.dll
+ 2007-05-18 17:56 . 2009-03-08 09:32 55808 c:\windows\system32\iernonce.dll
+ 2006-06-29 14:05 . 2009-01-07 23:20 26112 c:\windows\system32\idndl.dll
- 2006-06-29 14:05 . 2006-06-29 14:05 26112 c:\windows\system32\idndl.dll
+ 2007-08-14 00:36 . 2009-03-08 09:31 59904 c:\windows\system32\icardie.dll
+ 2007-08-14 00:36 . 2009-03-08 09:31 46592 c:\windows\system32\dllcache\pngfilt.dll
+ 2007-08-14 00:01 . 2009-03-08 09:31 48128 c:\windows\system32\dllcache\mshtmler.dll
- 2007-08-14 00:01 . 2007-08-14 00:01 48128 c:\windows\system32\dllcache\mshtmler.dll
+ 2007-08-14 00:54 . 2009-03-08 09:31 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2007-08-14 00:32 . 2009-03-08 09:31 45568 c:\windows\system32\dllcache\mshta.exe
- 2007-08-14 00:32 . 2007-08-14 00:32 45568 c:\windows\system32\dllcache\mshta.exe
+ 2008-12-12 18:02 . 2009-03-08 09:31 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2007-08-14 00:44 . 2009-03-08 09:34 43008 c:\windows\system32\dllcache\licmgr10.dll
+ 2007-08-14 00:54 . 2009-03-08 09:33 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2007-08-14 00:39 . 2009-03-08 09:32 94720 c:\windows\system32\dllcache\inseng.dll
+ 2007-08-14 00:36 . 2009-03-08 09:31 34816 c:\windows\system32\dllcache\imgutil.dll
+ 2007-08-14 00:39 . 2009-03-08 09:32 71680 c:\windows\system32\dllcache\iesetup.dll
+ 2007-08-14 00:39 . 2009-03-08 09:32 55808 c:\windows\system32\dllcache\iernonce.dll
+ 2008-12-12 18:02 . 2009-03-08 09:31 59904 c:\windows\system32\dllcache\icardie.dll
+ 2007-08-14 00:18 . 2009-03-08 09:24 68608 c:\windows\system32\dllcache\hmmapi.dll
+ 2009-03-08 09:33 . 2009-03-08 09:33 18944 c:\windows\system32\dllcache\corpol.dll
+ 2007-08-14 00:39 . 2009-03-08 09:32 72704 c:\windows\system32\dllcache\admparse.dll
+ 2007-05-18 17:55 . 2009-03-08 09:33 18944 c:\windows\system32\corpol.dll
+ 2007-05-18 17:55 . 2009-03-08 09:32 72704 c:\windows\system32\admparse.dll
+ 2010-07-18 21:19 . 2009-03-08 19:23 58464 c:\windows\ie8\spuninst\iecustom.dll
+ 2010-07-18 21:18 . 2008-10-16 20:38 44544 c:\windows\ie8\pngfilt.dll
+ 2010-07-18 21:18 . 2007-08-14 00:01 48128 c:\windows\ie8\mshtmler.dll
+ 2010-07-18 21:18 . 2007-08-14 00:32 45568 c:\windows\ie8\mshta.exe
+ 2010-07-18 21:18 . 2007-08-14 00:36 12288 c:\windows\ie8\msfeedssync.exe
+ 2010-07-18 21:18 . 2008-10-16 20:38 52224 c:\windows\ie8\msfeedsbs.dll
+ 2010-07-18 21:18 . 2007-08-14 00:44 40960 c:\windows\ie8\licmgr10.dll
+ 2010-07-18 21:18 . 2008-10-16 20:38 27648 c:\windows\ie8\jsproxy.dll
+ 2010-07-18 21:18 . 2007-08-14 00:39 92672 c:\windows\ie8\inseng.dll
+ 2010-07-18 21:18 . 2007-08-14 00:36 36352 c:\windows\ie8\imgutil.dll
+ 2010-07-18 21:18 . 2007-08-14 00:39 55296 c:\windows\ie8\iesetup.dll
+ 2010-07-18 21:18 . 2008-10-16 20:38 44544 c:\windows\ie8\iernonce.dll
+ 2010-07-18 21:18 . 2008-04-14 00:11 81920 c:\windows\ie8\ieencode.dll
+ 2010-07-18 21:18 . 2008-10-16 13:11 70656 c:\windows\ie8\ie4uinit.exe
+ 2010-07-18 21:18 . 2008-10-16 20:38 63488 c:\windows\ie8\icardie.dll
+ 2010-07-18 21:18 . 2007-08-14 00:18 60416 c:\windows\ie8\hmmapi.dll
+ 2010-07-18 21:18 . 2008-04-14 00:11 35328 c:\windows\ie8\corpol.dll
+ 2010-07-18 21:18 . 2007-08-14 00:39 71680 c:\windows\ie8\admparse.dll
- 2008-12-12 18:05 . 2008-04-14 00:12 121856 c:\windows\system32\xmllite.dll
+ 2008-12-12 18:05 . 2009-01-07 23:21 121856 c:\windows\system32\xmllite.dll
+ 2007-05-18 17:58 . 2009-03-08 09:34 914944 c:\windows\system32\wininet.dll
+ 2007-08-14 00:45 . 2009-03-08 09:34 208384 c:\windows\system32\WinFXDocObj.exe
+ 2007-05-18 17:58 . 2009-03-08 09:34 236544 c:\windows\system32\webcheck.dll
+ 2007-05-18 17:58 . 2009-03-08 09:33 420352 c:\windows\system32\vbscript.dll
- 2007-05-18 17:58 . 2008-10-16 20:38 105984 c:\windows\system32\url.dll
+ 2007-05-18 17:58 . 2009-03-08 09:34 105984 c:\windows\system32\url.dll
+ 2007-05-18 17:57 . 2009-03-08 09:34 109568 c:\windows\system32\occache.dll
+ 2007-05-18 17:57 . 2009-03-08 09:32 611840 c:\windows\system32\mstime.dll
+ 2007-05-18 17:57 . 2009-03-08 09:34 193536 c:\windows\system32\msrating.dll
- 2007-05-18 17:57 . 2007-08-14 00:54 156160 c:\windows\system32\msls31.dll
+ 2007-05-18 17:57 . 2009-03-08 09:22 156160 c:\windows\system32\msls31.dll
+ 2007-08-14 00:54 . 2009-03-08 09:32 594432 c:\windows\system32\msfeeds.dll
+ 2009-01-07 23:20 . 2009-01-07 23:20 265720 c:\windows\system32\msdbg2.dll
+ 2007-05-18 17:56 . 2009-03-08 09:33 726528 c:\windows\system32\jscript.dll
+ 2010-07-16 21:49 . 2010-07-16 21:49 153376 c:\windows\system32\javaws.exe
- 2010-07-08 16:26 . 2010-07-08 16:26 153376 c:\windows\system32\javaws.exe
- 2010-07-08 16:26 . 2010-07-08 16:26 145184 c:\windows\system32\javaw.exe
+ 2010-07-16 21:49 . 2010-07-16 21:49 145184 c:\windows\system32\javaw.exe
+ 2010-07-16 21:49 . 2010-07-16 21:49 145184 c:\windows\system32\java.exe
- 2010-07-08 16:26 . 2010-07-08 16:26 145184 c:\windows\system32\java.exe
+ 2007-08-14 00:54 . 2009-03-08 09:22 164352 c:\windows\system32\ieui.dll
+ 2007-05-18 17:56 . 2009-03-08 09:31 183808 c:\windows\system32\iepeers.dll
+ 2007-05-18 17:56 . 2009-03-08 19:09 391536 c:\windows\system32\iedkcs32.dll
+ 2007-07-11 18:27 . 2009-03-08 09:11 445952 c:\windows\system32\ieapfltr.dll
+ 2007-05-18 17:56 . 2009-03-08 09:32 163840 c:\windows\system32\ieakui.dll
+ 2007-05-18 17:56 . 2009-03-08 09:33 229376 c:\windows\system32\ieaksie.dll
+ 2007-05-18 17:56 . 2009-03-08 09:33 125952 c:\windows\system32\ieakeng.dll
+ 2007-05-18 17:56 . 2009-03-08 09:32 173056 c:\windows\system32\ie4uinit.exe
+ 2007-05-18 17:56 . 2009-03-08 09:31 216064 c:\windows\system32\dxtrans.dll
+ 2007-05-18 17:56 . 2009-03-08 09:31 348160 c:\windows\system32\dxtmsft.dll
+ 2007-08-14 00:54 . 2009-03-08 09:34 914944 c:\windows\system32\dllcache\wininet.dll
+ 2007-08-14 00:54 . 2009-03-08 09:34 236544 c:\windows\system32\dllcache\webcheck.dll
+ 2007-08-14 00:54 . 2009-03-08 09:33 759296 c:\windows\system32\dllcache\VGX.dll
+ 2009-03-08 09:33 . 2009-03-08 09:33 420352 c:\windows\system32\dllcache\vbscript.dll
+ 2007-08-14 00:44 . 2009-03-08 09:34 105984 c:\windows\system32\dllcache\url.dll
- 2007-08-14 00:44 . 2008-10-16 20:38 105984 c:\windows\system32\dllcache\url.dll
+ 2009-01-07 23:20 . 2009-01-07 23:20 134144 c:\windows\system32\dllcache\sqmapi.dll
+ 2009-01-07 23:20 . 2009-01-07 23:20 474112 c:\windows\system32\dllcache\shlwapi.dll
+ 2007-08-14 00:44 . 2009-03-08 09:34 109568 c:\windows\system32\dllcache\occache.dll
+ 2007-08-14 00:54 . 2009-03-08 09:32 611840 c:\windows\system32\dllcache\mstime.dll
+ 2007-08-14 00:44 . 2009-03-08 09:34 193536 c:\windows\system32\dllcache\msrating.dll
- 2007-08-14 00:54 . 2007-08-14 00:54 156160 c:\windows\system32\dllcache\msls31.dll
+ 2007-08-14 00:54 . 2009-03-08 09:22 156160 c:\windows\system32\dllcache\msls31.dll
+ 2008-12-12 18:02 . 2009-03-08 09:32 594432 c:\windows\system32\dllcache\msfeeds.dll
+ 2009-03-08 09:33 . 2009-03-08 09:33 726528 c:\windows\system32\dllcache\jscript.dll
+ 2007-08-14 00:43 . 2009-03-08 19:09 638816 c:\windows\system32\dllcache\iexplore.exe
+ 2007-08-14 00:54 . 2009-03-08 09:31 183808 c:\windows\system32\dllcache\iepeers.dll
+ 2007-08-14 00:39 . 2009-03-08 19:09 391536 c:\windows\system32\dllcache\iedkcs32.dll
+ 2008-12-12 18:02 . 2009-03-08 09:11 445952 c:\windows\system32\dllcache\ieapfltr.dll
+ 2007-08-13 23:56 . 2009-03-08 09:32 163840 c:\windows\system32\dllcache\ieakui.dll
+ 2007-08-14 00:39 . 2009-03-08 09:33 229376 c:\windows\system32\dllcache\ieaksie.dll
+ 2007-08-14 00:39 . 2009-03-08 09:33 125952 c:\windows\system32\dllcache\ieakeng.dll
+ 2007-08-14 00:39 . 2009-03-08 09:32 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2007-08-14 00:35 . 2009-03-08 09:31 216064 c:\windows\system32\dllcache\dxtrans.dll
+ 2007-08-14 00:35 . 2009-03-08 09:31 348160 c:\windows\system32\dllcache\dxtmsft.dll
+ 2007-08-14 00:39 . 2009-03-08 09:32 128512 c:\windows\system32\dllcache\advpack.dll
+ 2007-05-18 17:55 . 2009-03-08 09:32 128512 c:\windows\system32\advpack.dll
+ 2010-07-16 21:50 . 2010-07-16 21:50 180224 c:\windows\Installer\527846.msi
+ 2010-07-16 21:49 . 2010-07-16 21:49 386048 c:\windows\Installer\527840.msi
+ 2010-07-16 21:49 . 2010-07-16 21:49 676352 c:\windows\Installer\52783a.msi
+ 2010-07-16 21:48 . 2010-07-16 21:48 533504 c:\windows\Installer\527836.msi
+ 2010-07-18 21:18 . 2008-10-16 20:38 826368 c:\windows\ie8\wininet.dll
+ 2010-07-18 21:18 . 2007-08-14 00:45 206336 c:\windows\ie8\winfxdocobj.exe
+ 2010-07-18 21:18 . 2008-10-16 20:38 233472 c:\windows\ie8\webcheck.dll
+ 2010-07-18 21:18 . 2007-08-14 00:54 765952 c:\windows\ie8\vgx.dll
+ 2010-07-18 21:18 . 2008-04-14 00:12 434176 c:\windows\ie8\vbscript.dll
+ 2010-07-18 21:18 . 2008-10-16 20:38 105984 c:\windows\ie8\url.dll
+ 2010-07-18 21:19 . 2009-01-07 23:21 382496 c:\windows\ie8\spuninst\updspapi.dll
+ 2010-07-18 21:19 . 2009-01-07 23:20 231456 c:\windows\ie8\spuninst\spuninst.exe
+ 2010-07-18 21:18 . 2006-09-06 23:43 213216 c:\windows\ie8\spuninst.exe
+ 2010-07-18 21:18 . 2008-10-16 20:38 102912 c:\windows\ie8\occache.dll
+ 2010-07-18 21:18 . 2008-10-16 20:38 671232 c:\windows\ie8\mstime.dll
+ 2010-07-18 21:18 . 2008-10-16 20:38 193024 c:\windows\ie8\msrating.dll
+ 2010-07-18 21:18 . 2007-08-14 00:54 156160 c:\windows\ie8\msls31.dll
+ 2010-07-18 21:18 . 2008-10-16 20:38 477696 c:\windows\ie8\mshtmled.dll
+ 2010-07-18 21:18 . 2008-10-16 20:38 459264 c:\windows\ie8\msfeeds.dll
+ 2010-07-18 21:18 . 2008-04-14 00:11 512000 c:\windows\ie8\jscript.dll
+ 2010-07-18 21:18 . 2008-10-15 07:06 633632 c:\windows\ie8\iexplore.exe
+ 2010-07-18 21:18 . 2007-08-14 00:54 180736 c:\windows\ie8\ieui.dll
+ 2010-07-18 21:18 . 2008-10-16 20:38 267776 c:\windows\ie8\iertutil.dll
+ 2010-07-18 21:18 . 2007-08-14 00:54 287744 c:\windows\ie8\ieproxy.dll
+ 2010-07-18 21:18 . 2007-08-14 00:54 191488 c:\windows\ie8\iepeers.dll
+ 2010-07-18 21:18 . 2008-10-16 20:38 384512 c:\windows\ie8\iedkcs32.dll
+ 2010-07-18 21:18 . 2008-10-16 20:38 383488 c:\windows\ie8\ieapfltr.dll
+ 2010-07-18 21:18 . 2008-10-15 07:04 161792 c:\windows\ie8\ieakui.dll
+ 2010-07-18 21:18 . 2008-10-16 20:38 230400 c:\windows\ie8\ieaksie.dll
+ 2010-07-18 21:18 . 2008-10-16 20:38 153088 c:\windows\ie8\ieakeng.dll
+ 2010-07-18 21:18 . 2008-10-16 20:38 214528 c:\windows\ie8\dxtrans.dll
+ 2010-07-18 21:18 . 2008-10-16 20:38 347136 c:\windows\ie8\dxtmsft.dll
+ 2010-07-18 21:18 . 2008-10-16 20:38 124928 c:\windows\ie8\advpack.dll
+ 2007-05-18 17:58 . 2009-03-08 09:34 1206784 c:\windows\system32\urlmon.dll
+ 2007-05-18 17:57 . 2009-03-08 09:41 5937152 c:\windows\system32\mshtml.dll
+ 2007-08-14 00:34 . 2009-03-08 09:32 1985024 c:\windows\system32\iertutil.dll
+ 2007-02-12 22:10 . 2009-02-07 02:07 3698584 c:\windows\system32\ieapfltr.dat
+ 2007-08-14 00:54 . 2009-03-08 09:34 1206784 c:\windows\system32\dllcache\urlmon.dll
+ 2009-01-07 23:20 . 2009-01-07 23:20 1497088 c:\windows\system32\dllcache\shdocvw.dll
+ 2007-08-14 00:54 . 2009-03-08 09:41 5937152 c:\windows\system32\dllcache\mshtml.dll
+ 2008-12-12 18:02 . 2009-03-08 09:32 1985024 c:\windows\system32\dllcache\iertutil.dll
+ 2008-12-12 18:02 . 2009-02-07 02:07 3698584 c:\windows\system32\dllcache\ieapfltr.dat
+ 2009-01-07 23:20 . 2009-01-07 23:20 1022976 c:\windows\system32\dllcache\browseui.dll
+ 2010-07-18 21:18 . 2008-10-16 20:38 1160192 c:\windows\ie8\urlmon.dll
+ 2010-07-18 21:18 . 2008-10-17 08:08 3593216 c:\windows\ie8\mshtml.dll
+ 2010-07-18 21:18 . 2008-10-16 20:38 6066176 c:\windows\ie8\ieframe.dll
+ 2010-07-18 21:18 . 2007-04-17 09:32 2455488 c:\windows\ie8\ieapfltr.dat
+ 2007-08-14 00:54 . 2009-03-08 09:39 11063808 c:\windows\system32\ieframe.dll
+ 2008-12-12 18:02 . 2009-03-08 09:39 11063808 c:\windows\system32\dllcache\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-13 1121792]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-06-23 1287120]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
2004-12-09 01:57 550912 ----a-w- c:\windows\mHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-06 04:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelAudioStudio]
2005-10-28 00:17 8740864 ----a-w- c:\program files\Intel Audio Studio\IntelAudioStudio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ledpointer]
2004-03-03 04:24 5576704 ----a-w- c:\windows\CNYHKey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
2005-08-13 00:16 1121792 ----a-w- c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 19:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\readericon]
2005-08-27 13:09 139264 ----a-w- c:\program files\Digital Media Reader\readericon45G.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-14 07:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2004-11-03 04:24 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\showwnd]
2003-09-19 04:09 36864 ----a-w- c:\windows\ShowWnd.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Links 2003\\LinksMMIII.exe"=
"c:\\Soulseek\\slsk.exe"=

R0 pctcore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [6/23/2010 10:01 AM 218592]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/15/2010 2:53 PM 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/15/2010 2:53 PM 17744]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [6/23/2010 10:23 AM 112592]
R2 DVRMSFileWatcherService;DVRMSFileWatcherService;c:\dvrms\DVRMSFileWatcherService.exe [9/14/2008 10:25 AM 20480]
R2 sdauxservice;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [6/23/2010 10:00 AM 366840]
S1 757ab0ac;757ab0ac; [x]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [7/16/2010 3:14 PM 34760]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
*Deregistered* - PCTSDInjDriver32
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
mStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5577
IE: e&xport to microsoft excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
TCP: {1413DDD1-7C94-4D55-A43E-CC2303963978} = 195.242.208.40
TCP: {6EF20433-F836-40CA-896B-17F3934DE318} = 195.242.208.40
TCP: {C9F6E6D0-AE0E-498F-8985-3D45E984FC21} = 195.242.208.40
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n0qrmqfl.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.insightbb.com/
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-03 10:41
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(904)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3284)
c:\program files\Spyware Doctor\pctgmhk.dll
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\WS2_32.dll
c:\windows\system32\WS2HELP.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Spyware Doctor\pctsSvc.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-08-03 10:44:27 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-03 15:44
ComboFix2.txt 2010-07-12 14:31
ComboFix3.txt 2010-07-09 02:35

Pre-Run: 426,480,324,608 bytes free
Post-Run: 426,551,746,560 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 02B220A7C707998D1ABF8997A22EB577
Thanks,

Bob Kraft

#21 aommaster (I !<3 malware; Malware Response Team; 5,294 posts; Location: Dubai)

Posted 03 August 2010 - 11:53 AM

Hi!

It doesn't look like Combofix deleted anything. Could you explain what you meant? Which software was affected?

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#22 Bob Kraft (Topic Starter; Members; 20 posts)

Posted 03 August 2010 - 01:23 PM

aommaster:
The software that I thought was affected is for my wireless USB Linksys controls in the sys tray. When I restarted, it was back. All is as it was prior to the ComboFix scan. Could there be something on this computer that I can control or set which is protecting the registry, etc.? I see Safereturner and Regrescue which are from the previous owner.

Bob Kraft


#23 aommaster (I !<3 malware; Malware Response Team; 5,294 posts; Location: Dubai)

Posted 03 August 2010 - 06:23 PM

Hello, Bob Kraft.
All I can see is TeaTimer, which could have been disabled earlier. However, if you do feel like they are interfering with the fix, then uninstall them, although it is unlikely that they are.
We need to run a Combofix script
  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the codebox below into it. Do not copy the word "code".
    CODE
    Driver::
    757ab0ac

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5577
  4. Save this as CFScript.txt, in the same location as ComboFix.exe
  5. Now, drag and drop CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

NEXT:

We need to submit a few files
Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows
  1. Please go here
  2. Click Browse and upload the following file(s). You will need to repeat this for each file
    c:\windows\winstart.bat
  3. Click the Send Files button
  4. Let me know once all files have been uploaded

NEXT:

Please run MalwareBytes Anti-Malware (make sure you update the definitions) with a full scan. Then, post up the log produced.

In your next reply, please include the following:
  • ComboFix.txt
  • MBAM log



#24 Bob Kraft (Topic Starter; Members; 20 posts)

Posted 04 August 2010 - 07:35 PM

aommaster:
Hurray, I think that you have fixed me. After the last procedure I have rebooted twice and HijackThis does not report the 127... in the registry. I am not available tomorrow or Friday but will test further this weekend. Great work!

I did upload the Winstart.bat file. I think that it is empty. I ran the script in ComboFix and then Malwarebytes found one object related to restore points. I deleted the object (not quarantine) and upon rebooting checked through HijackThis.

Here are the two logs:

Combofix

ComboFix 10-08-04.02 - Owner 08/04/2010 13:57:49.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1567 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_757ab0ac


((((((((((((((((((((((((( Files Created from 2010-07-04 to 2010-08-04 )))))))))))))))))))))))))))))))
.

2010-08-02 19:48 . 2010-08-02 19:48 -------- d-----w- C:\_OTL
2010-07-27 14:19 . 2010-08-03 19:34 -------- d-----w- c:\program files\trend micro
2010-07-27 14:19 . 2010-07-31 21:20 -------- d-----w- C:\rsit
2010-07-18 21:33 . 2010-07-18 21:33 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache
2010-07-18 21:22 . 2010-07-18 21:22 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2010-07-18 21:21 . 2010-07-18 21:21 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2010-07-18 21:18 . 2010-07-18 21:20 -------- dc-h--w- c:\windows\ie8
2010-07-16 21:50 . 2010-07-16 21:50 -------- d-----w- c:\program files\Common Files\Java
2010-07-16 21:49 . 2010-07-16 21:49 -------- d-----w- c:\program files\Sun
2010-07-16 21:47 . 2010-07-16 21:49 -------- d-----w- c:\program files\Java
2010-07-16 20:14 . 2010-07-16 20:14 34760 ----a-w- c:\windows\system32\drivers\Partizan.sys
2010-07-16 20:14 . 2010-07-16 20:14 32480 ----a-w- c:\windows\system32\Partizan.exe
2010-07-15 19:53 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-07-15 19:53 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-07-15 19:53 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-07-15 19:53 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-07-15 19:53 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-07-15 19:53 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-07-15 19:53 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-07-15 19:52 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-07-15 12:16 . 2010-07-15 12:16 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-12 16:21 . 2010-07-12 16:21 -------- d-----w- c:\program files\PcPrivacySoftware.com
2010-07-12 15:35 . 2010-07-12 16:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-12 15:35 . 2010-07-12 15:37 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-11 23:10 . 2010-02-05 18:27 1291776 -c----w- c:\windows\system32\dllcache\quartz.dll
2010-07-11 16:13 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-07-11 02:06 . 2010-07-11 02:08 57056 ----a-w- C:\regrunck.exe
2010-07-11 01:15 . 2010-07-18 15:09 -------- d-----w- c:\documents and settings\Owner\Application Data\SafeReturner
2010-07-11 01:15 . 2010-08-03 18:19 -------- d-----w- c:\program files\Safe Returner
2010-07-11 00:41 . 2010-07-11 00:43 -------- d-----w- C:\backreg
2010-07-09 13:47 . 2010-07-09 13:47 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-07-09 13:46 . 2010-07-09 14:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ocyxxsgjq
2010-07-09 13:46 . 2010-07-09 13:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-09 02:49 . 2010-07-09 02:49 -------- d-----w- c:\documents and settings\All Users\Application Data\FrontLine Registry Cleaner
2010-07-09 02:49 . 2010-07-09 12:04 -------- d-----w- c:\program files\Frontline Registry Cleaner
2010-07-09 02:45 . 2010-07-09 02:45 20747 ----a-w- c:\windows\system32\drivers\AegisP.sys
2010-07-09 02:45 . 2005-11-25 00:51 245248 ----a-w- c:\windows\system32\rt73.sys
2010-07-09 02:45 . 2010-07-09 02:45 -------- d-----w- c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor
2010-07-05 21:42 . 2010-07-05 21:43 -------- d-----w- c:\documents and settings\Owner\Application Data\GetRightToGo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-04 19:06 . 2010-06-23 15:00 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-04 19:05 . 2010-04-28 13:50 -------- d-----w- c:\program files\Spyware Doctor
2010-07-22 18:41 . 2010-06-23 15:23 767928 ----a-w- c:\windows\BDTSupport.dll
2010-07-19 22:27 . 2008-12-12 17:42 40960 ----a-w- c:\windows\system32\drivers\sisagp.sys
2010-07-16 21:49 . 2010-07-04 21:24 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-15 19:52 . 2008-12-12 18:10 -------- d-----w- c:\program files\Alwil Software
2010-07-09 13:46 . 2008-12-14 15:21 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-06 16:26 . 2010-04-28 13:42 -------- d-----w- c:\program files\RegCure
2010-07-04 21:25 . 2010-07-04 21:25 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-63f0a3be-n\msvcp71.dll
2010-07-04 21:25 . 2010-07-04 21:25 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-63f0a3be-n\jmc.dll
2010-07-04 21:25 . 2010-07-04 21:25 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-63f0a3be-n\msvcr71.dll
2010-07-04 21:25 . 2010-07-04 21:25 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5c91c946-n\decora-sse.dll
2010-07-04 21:25 . 2010-07-04 21:25 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5c91c946-n\decora-d3d.dll
2010-07-04 20:50 . 2008-12-14 17:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-03 22:45 . 2008-12-12 19:00 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-23 17:36 . 2010-06-23 15:01 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-06-23 17:36 . 2010-06-23 15:01 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-06-23 15:23 . 2010-04-28 13:50 -------- d-----w- c:\program files\Common Files\PC Tools
2010-06-23 15:22 . 2010-06-23 15:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools
2010-06-23 15:00 . 2010-06-23 15:00 -------- d-----w- c:\documents and settings\Owner\Application Data\PC Tools
2010-06-23 15:00 . 2010-06-23 15:00 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-06-23 14:37 . 2010-06-23 14:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-06-23 14:21 . 2008-12-12 18:56 -------- d-----w- c:\program files\Google
2010-06-17 19:12 . 2010-06-17 19:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-06-08 00:21 . 2010-06-23 15:23 1652664 ----a-w- c:\windows\PCTBDCore.dll
2009-06-04 12:20 . 2009-06-04 12:20 2 --shatr- c:\windows\winstart.bat
.

((((((((((((((((((((((((((((( SnapShot_2010-08-03_15.40.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-04 19:05 . 2010-08-04 19:05 16384 c:\windows\Temp\Perflib_Perfdata_c6c.dat
+ 2010-08-04 19:04 . 2010-08-04 19:04 16384 c:\windows\Temp\Perflib_Perfdata_810.dat
+ 2010-08-04 19:04 . 2010-08-04 19:04 16384 c:\windows\Temp\Perflib_Perfdata_4e0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-13 1121792]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-06-23 1287120]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
2004-12-09 01:57 550912 ----a-w- c:\windows\mHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-06 04:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelAudioStudio]
2005-10-28 00:17 8740864 ----a-w- c:\program files\Intel Audio Studio\IntelAudioStudio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ledpointer]
2004-03-03 04:24 5576704 ----a-w- c:\windows\CNYHKey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
2005-08-13 00:16 1121792 ----a-w- c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 19:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\readericon]
2005-08-27 13:09 139264 ----a-w- c:\program files\Digital Media Reader\readericon45G.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-14 07:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2004-11-03 04:24 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\showwnd]
2003-09-19 04:09 36864 ----a-w- c:\windows\ShowWnd.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Links 2003\\LinksMMIII.exe"=
"c:\\Soulseek\\slsk.exe"=

R0 pctcore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [6/23/2010 10:01 AM 218592]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/15/2010 2:53 PM 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/15/2010 2:53 PM 17744]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [6/23/2010 10:23 AM 112592]
R2 DVRMSFileWatcherService;DVRMSFileWatcherService;c:\dvrms\DVRMSFileWatcherService.exe [9/14/2008 10:25 AM 20480]
R2 sdauxservice;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [6/23/2010 10:00 AM 366840]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [7/16/2010 3:14 PM 34760]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
*Deregistered* - PCTSDInjDriver32
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.insightbb.com/
mStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5577
IE: e&xport to microsoft excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
TCP: {1413DDD1-7C94-4D55-A43E-CC2303963978} = 195.242.208.40
TCP: {6EF20433-F836-40CA-896B-17F3934DE318} = 195.242.208.40
TCP: {C9F6E6D0-AE0E-498F-8985-3D45E984FC21} = 195.242.208.40
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n0qrmqfl.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.insightbb.com/
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-04 14:06
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(880)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2160)
c:\program files\Spyware Doctor\pctgmhk.dll
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\WS2_32.dll
c:\windows\system32\WS2HELP.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Spyware Doctor\pctsSvc.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
c:\program files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2010-08-04 14:08:37 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-04 19:08
ComboFix2.txt 2010-08-03 15:44
ComboFix3.txt 2010-07-12 14:31
ComboFix4.txt 2010-07-09 02:35

Pre-Run: 426,392,076,288 bytes free
Post-Run: 426,371,698,688 bytes free

- - End Of File - - 0DAD18C12B826D173DCC2800AE5FADE8


MBAM log

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4390

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/4/2010 2:38:28 PM
mbam-log-2010-08-04 (14-38-28).txt

Scan type: Full scan (C:\|)
Objects scanned: 188598
Time elapsed: 26 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP14\A0009501.exe (Rogue.SpywareCease) -> Quarantined and deleted successfully.


From these reports, do you agree that you have succeeded? Do you want to leave this post open for a few days as I test this weekend? And are there any further actions you want me to take?

Could you tell me how to make a donation? When my son returns to the Univ. of Iowa next month I will know what I can afford.

Thanks again,

Bob Kraft


#25 aommaster (I !<3 malware; Malware Response Team; 5,294 posts; Location: Dubai)

Posted 05 August 2010 - 02:54 AM

Hi!

That's a bit odd; I can still see this entry here:
CODE
uInternet Settings,ProxyServer = http=127.0.0.1:5577


Are you sure it was removed with the fix? You can run a HijackThis scan and have a look, just to make sure.

And yes, I can leave this topic open.

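As an added example (not part of this thread, and not code from ComboFix, OTL, HijackThis or any other tool named here), the following Python script does the "have a look" step mechanically. It reads the three log shapes quoted in this thread (HijackThis `R1 ... ,ProxyServer = ...`, ComboFix `uInternet Settings,ProxyServer = ...`, OTL `"ProxyServer" = ...`) and flags any ProxyServer value that points at the loopback address, which is the hijack pattern in this thread; it also lists `NameServer` / `TCP: {GUID}` resolver entries that are neither LAN addresses nor in a caller-supplied list of expected resolvers. The sample log lines are constructed for the example in the shape of the entries on this page; the `expected_dns` argument, the `proxy.corp.example` entry and the `192.168.1.1` resolver are assumptions. The thread does not identify the O17 resolver addresses as malicious, so the DNS check only surfaces public resolvers for comparison against the ISP's known ones.

```python
import re
from ipaddress import ip_address

# Entry shapes quoted in this thread: HijackThis "R1 ... ,ProxyServer = ...",
# ComboFix "uInternet Settings,ProxyServer = ..." and OTL '"ProxyServer" = ...'.
PROXY_RE = re.compile(r'ProxyServer"?\s*=\s*(?P<value>\S+)', re.IGNORECASE)
# HijackThis O17 "NameServer = a.b.c.d" and ComboFix "TCP: {GUID} = a.b.c.d".
DNS_RE = re.compile(r'(?:NameServer|TCP:\s*\{[^}]+\})\s*=\s*(?P<value>[\d.,; ]+)',
                    re.IGNORECASE)

# Constructed sample in the shape of the log entries quoted in this thread
# (the proxy.corp.example line and the 192.168.1.1 resolver are invented).
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyServer = http=127.0.0.1:5577
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5577
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.insightbb.com/
O17 - HKLM\System\CCS\Services\Tcpip\..\{1413DDD1-7C94-4D55-A43E-CC2303963978}: NameServer = 195.242.208.40
TCP: {00000000-0000-0000-0000-000000000000} = 192.168.1.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.corp.example:3128
"""


def parse_proxy_value(value):
    """Split a ProxyServer value into (scheme, host, port) tuples.

    Accepts the single "host:port" form and the per-protocol
    "http=host:port;https=host:port" form; scheme is 'all' when absent."""
    entries = []
    for part in value.split(';'):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition('=')
        host, _, port = hostport.rpartition(':')
        if not host:                      # no port given
            host, port = hostport, ''
        entries.append((scheme or 'all', host, port))
    return entries


def is_loopback(host):
    """True for 'localhost' and any loopback IP (127.0.0.0/8, ::1)."""
    if host.lower() == 'localhost':
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:                    # a hostname, not an IP literal
        return False


def scan_log(text, expected_dns=()):
    """Return findings for the log text: dicts with the 1-based line number,
    kind ('proxy' or 'dns'), severity and a human-readable detail."""
    expected = {str(ip_address(a)) for a in expected_dns}
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = PROXY_RE.search(line)
        if m:
            for scheme, host, port in parse_proxy_value(m.group('value')):
                if is_loopback(host):
                    findings.append({
                        'line': lineno, 'kind': 'proxy', 'severity': 'high',
                        'detail': f'{scheme} proxy points at loopback {host}:{port}',
                    })
            continue
        m = DNS_RE.search(line)
        if m:
            for addr in re.split(r'[,; ]+', m.group('value').strip()):
                try:
                    ip = ip_address(addr)
                except ValueError:        # empty token or junk
                    continue
                if ip.is_private or str(ip) in expected:
                    continue
                findings.append({
                    'line': lineno, 'kind': 'dns', 'severity': 'review',
                    'detail': f'resolver {ip} is not a LAN address and not in the expected list',
                })
    return findings


def loopback_proxy_present(text):
    """True when any ProxyServer entry in the log points at loopback."""
    return any(f['kind'] == 'proxy' for f in scan_log(text))


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']:>3} [{f['severity']}] {f['kind']}: {f['detail']}")
```

A loopback proxy hit is a strong signal in the situation this thread describes, but some security products legitimately install a local filtering proxy, so the follow-up is to identify which process listens on that port before removing the setting. Pass the ISP's resolvers in `expected_dns` to silence the DNS review lines for a known-good configuration.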


#26 Bob Kraft (Topic Starter; Members; 20 posts)

Posted 07 August 2010 - 02:02 PM

aommaster:
Sorry for the late reply. I've been away for 2 days. The 127... still showed in the ComboFix log. MBAM reported one object as an infected restore file. I quarantined and deleted file A0009501.exe. Upon restart, the line in the registry did not reappear. The last line in the MBAM log shows my action. I have restarted three times, o.k. so far. Here is a HijackThis log as a test.

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:52:38 PM, on 8/7/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DVRMS\DVRMSFileWatcherService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\trend micro\hijackthis.exe
C:\Program Files\Alwil Software\Avast5\setup\avast.setup

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.insightbb.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: e&xport to microsoft excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Send to OneNote - {2670000a-7350-4f3c-8081-5663ee0c6c49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000a-7350-4f3c-8081-5663ee0c6c49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780b25-18cc-41c8-b9be-3c9c571a8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {d27cdb6e-ae6d-11cf-96b8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1413DDD1-7C94-4D55-A43E-CC2303963978}: NameServer = 195.242.208.40
O17 - HKLM\System\CCS\Services\Tcpip\..\{6EF20433-F836-40CA-896B-17F3934DE318}: NameServer = 195.242.208.40
O17 - HKLM\System\CCS\Services\Tcpip\..\{C9F6E6D0-AE0E-498F-8985-3D45E984FC21}: NameServer = 195.242.208.40
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: DVRMSFileWatcherService - http://babgvant.com - C:\DVRMS\DVRMSFileWatcherService.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: PC Tools Auxiliary Service (sdauxservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdcoreservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 7947 bytes


I think I'm clean. Do you agree?

Thanks,

Bob Kraft
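The O17 and O23 lines in the log above are the ones a helper reads first: O17 shows which DNS servers the TCP/IP stack will use (a hijacked NameServer silently redirects every lookup, including search results), and O23 lists services with the publisher recorded in the file's version information. As an added example, not part of this thread and not HijackThis code, the following Python parses those two line types from a HijackThis-style log and flags entries for review: resolver addresses that are not loopback or private, and services reported as "Unknown owner". The sample lines are constructed from the log quoted above; the `trusted_dns` parameter is this example's own, for resolvers the user recognises. A flag means "verify this", not "this is infected".

```python
"""Triage helper for HijackThis-style O17 and O23 log lines.

Added example for this thread; it is not part of the original posts and is not
HijackThis code. It reads the plain-text log format quoted above and flags the
entries a helper would want to look at twice: DNS servers (O17 NameServer) that
are not loopback or RFC 1918 addresses, and services (O23) for which HijackThis
found no publisher ("Unknown owner"). A flag means "verify", not "infected".
"""
import ipaddress
import re

# Constructed sample: a handful of the O17/O22/O23 lines quoted in the thread.
SAMPLE_LOG = """\
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{6EF20433-F836-40CA-896B-17F3934DE318}: NameServer = 195.242.208.40
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{C9F6E6D0-AE0E-498F-8985-3D45E984FC21}: NameServer = 195.242.208.40
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\\WINDOWS\\system32\\browseui.dll
O23 - Service: ATI Smart - Unknown owner - C:\\WINDOWS\\system32\\ati2sgag.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\\Program Files\\Alwil Software\\Avast5\\AvastSvc.exe
O23 - Service: Browser Defender Update Service - Unknown owner - C:\\Program Files\\Spyware Doctor\\BDT\\BDTUpdateService.exe
"""

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def parse_nameservers(text):
    """Return (registry key, server) pairs from every O17 line.

    HijackThis can list several servers on one line separated by commas or
    spaces, so the value is split on both.
    """
    pairs = []
    for line in text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            for server in re.split(r"[,\s]+", m.group("servers").strip()):
                if server:
                    pairs.append((m.group("key"), server))
    return pairs


def parse_services(text):
    """Return (display name, publisher, image path) triples from O23 lines."""
    return [m.group("name", "owner", "path")
            for m in (O23_RE.match(l.strip()) for l in text.splitlines()) if m]


def review(text, trusted_dns=frozenset()):
    """Produce review notes for a log.

    trusted_dns: resolver addresses the user recognises (their ISP's, or a
    public resolver they configured on purpose). Any other address that is
    not loopback or private is reported so it can be checked.
    """
    notes = []
    for key, server in parse_nameservers(text):
        try:
            ip = ipaddress.ip_address(server)
        except ValueError:
            notes.append(f"O17 {key}: NameServer '{server}' is not an IP address; check it")
            continue
        if ip.is_private or ip.is_loopback or server in trusted_dns:
            continue
        notes.append(f"O17 {key}: public resolver {server}; confirm it is your ISP's or one you chose")
    for name, owner, path in parse_services(text):
        if owner.lower() == "unknown owner":
            notes.append(f"O23 '{name}': no publisher in version info, image {path}; verify the file")
    return notes


if __name__ == "__main__":
    for note in review(SAMPLE_LOG):
        print(note)
```

Run against the sample it reports the two O17 entries (195.242.208.40 is a routable address, so the user should confirm it is the ISP's resolver) and the two "Unknown owner" services; passing the resolver in `trusted_dns` silences the O17 notes and leaves only the service checks.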


#27 aommaster

Posted 07 August 2010 - 04:02 PM

Hello, Bob Kraft.
Indeed, the log looks good. Let's just make sure we didn't miss anything.

We need to run an ESET Online Scan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the ESET Online Scanner button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on Export to text file... to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the Eset Smart Installer icon on your desktop.
  4. Check the "YES, I accept the Terms of Use"
  5. Click the Start button.
  6. Accept any security warnings from your browser.
  7. Check Scan archives
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push "List of found threats"
  11. Push "Export to text file", and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the "<<Back" button.
  13. Push Finish

In your next reply, please include the following:
  • Eset Scan Log



#28 Bob Kraft (Topic Starter)

Posted 08 August 2010 - 11:39 AM

aommaster:

Here is the ESETScan.txt file.

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP13\A0009360.dll Win32/Adware.SpywareCease application cleaned by deleting - quarantined
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP13\A0009361.dll Win32/Adware.SpywareCease application cleaned by deleting - quarantined
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP13\A0009366.exe a variant of Win32/Adware.SpywareCease application cleaned by deleting - quarantined


Thanks,

Bob Kraft


#29 aommaster
Posted 08 August 2010 - 11:45 AM

Hello, Bob Kraft.
That looks perfect. Let's clean up!

We need to uninstall Combofix
  1. Click on your Start Menu, then Run....
  2. Now type combofix /uninstall in the runbox and click OK. Notice the space between the "x" and "/".

NEXT:

We need to clean up using OTL
  1. Please run OTL on your desktop.
  2. Click the CleanUp button

NEXT:

We need to enable TeaTimer
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click Mode and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press yes
  5. Click on Tools
  6. Click on Resident
  7. Check the following checkboxes:
    • Resident "SDHelper" (Internet Explorer bad download blocker) active.
    • Resident "TeaTimer" (Protection for over-all system settings) active.
  8. Close/Exit Spybot Search and Destroy




Your log looks clean. Please take the time to read below to secure your machine and take the necessary steps to keep it clean.

There are many ways to reduce the chance of getting infected in the future. Below, I have listed a few:
  1. Practice Safe Internet
    • Be wary of attachments in emails. Avoid opening .exe, .com, .bat, or .pif files.
    • Watch out for Foistware. More info can be found in Foistware, and how to avoid it.
    • Do not fall for Rogue/Suspect Anti-Spyware Products & Web Sites
    • Do not go to adult sites.
    • When using an Instant Messaging program be cautious about clicking on links people send to you.
    • Stay away from Warez and Crack sites. In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.
    • Use McAfee Siteadvisor to look up info on a site if you are not sure whether it is legitimate
    • Do not install any software without first reading the End User License Agreement, otherwise known as the EULA.
  2. Make Internet Explorer more secure
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt

        When all these settings have been made, click on the OK button. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.
  3. Make Firefox more secure
    Firefox is a relatively safe browser compared to Internet Explorer. However, if you'd still like to enhance security, consider some of these extensions:
    • NoScript: Add-on which automatically blocks Javascript and Java from running on sites.
    • Firekeeper: Add-on which aims to protect you from malicious websites which may exploit browser and code security flaws.
    • KeyScrambler: Add-on that protects your passwords from being detected by keyloggers.
  4. Keep Windows updated
    Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer. Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install.
  5. Install and update the following programs frequently
    1. An outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here
    2. An antivirus software
      It is imperative that you update your antivirus software on a regular basis. If you do not update your antivirus software then it will not be able to catch the latest threats. Three good antivirus programs free for non-commercial home use are Avast!, Antivir and AVG Antivirus.
    3. An antispyware program
      Malwarebytes' Anti-Malware is an excellent anti-spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates. SUPERAntiSpyware is another good scanner with high detection and removal rates. Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    4. SpywareBlaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    5. MVPs hosts file
      A tutorial for the MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at the HostMan hosts file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file.
  6. Keep your other software updated too
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out-of-date software on your machine.

Some more links you might find of interest:

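The six Custom Level settings in step 2 above are stored as DWORD values under the Internet zone key, HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3, where 0 means Enable, 1 means Prompt and 3 means Disable. As an added example, not part of aommaster's post or of any tool it mentions, the following Python audits a set of zone values against the levels recommended above and renders a .reg file that applies them. The value names are the documented ones for these six settings; the "weak" sample configuration is constructed for the demonstration and is not a claim about any Windows default; reading the live registry is attempted only on Windows, through the standard-library winreg module.

```python
"""Internet zone hardening for Internet Explorer, as registry values.

Added example for this thread, not part of the original post. The six settings
listed above live under the Internet zone (zone 3) key
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3,
each as a DWORD whose value is 0 (Enable), 1 (Prompt) or 3 (Disable). The value
names below are the documented ones for those settings; the "weak" sample
configuration is constructed for the demonstration and is not a claim about any
Windows default.
"""

ENABLE, PROMPT, DISABLE = 0, 1, 3
ZONE3_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Value name -> (setting as shown in the Custom Level dialog, recommended level)
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}
LEVEL_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# Constructed "weak" state for the demonstration: everything switched to Enable.
WEAK_SAMPLE = {name: ENABLE for name in RECOMMENDED}


def audit(current):
    """Return (value name, setting, current level, recommended level) for each
    setting that is looser than recommended. A missing value counts as loose.
    A value already stricter than the recommendation is left alone."""
    findings = []
    for value_name, (label, wanted) in RECOMMENDED.items():
        have = current.get(value_name)
        if have is None or have < wanted:
            findings.append((value_name, label, have, wanted))
    return findings


def reg_file(settings=RECOMMENDED):
    """Render a .reg file that applies the given levels to zone 3.
    Double-click the file (or run `reg import`) to apply it; Internet
    Explorer reads the zone values when it next starts."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ZONE3_KEY}]"]
    for value_name, (label, level) in settings.items():
        lines.append(f"; {label}: {LEVEL_NAME[level]}")
        lines.append(f'"{value_name}"=dword:{level:08x}')
    return "\r\n".join(lines) + "\r\n"


def read_current_zone3():
    """On Windows, read the live values with the standard-library winreg
    module; elsewhere return None so the audit can run on a supplied dict."""
    try:
        import winreg
    except ImportError:
        return None
    path = ZONE3_KEY.split("\\", 1)[1]
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        current = {}
        for value_name in RECOMMENDED:
            try:
                current[value_name], _ = winreg.QueryValueEx(key, value_name)
            except FileNotFoundError:
                pass
        return current


if __name__ == "__main__":
    live = read_current_zone3()
    for value_name, label, have, want in audit(live if live is not None else WEAK_SAMPLE):
        print(f"{value_name} {label}: {LEVEL_NAME.get(have, have)} -> {LEVEL_NAME[want]}")
    print(reg_file())
```

The audit treats the levels as ordered (Enable is looser than Prompt, which is looser than Disable), so a zone already set to Disable where the post only asks for Prompt is not reported; this is the same comparison a reviewer makes by eye in the Custom Level dialog, but it can be run over an exported registry key rather than clicked through.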


#30 aommaster

Posted 10 August 2010 - 02:27 AM

Since this problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please send me a PM with the address of this thread. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.





