infected with redirecting


20 replies to this topic

#1 jwv8518

Posted 04 September 2010 - 03:57 PM

So basically, whenever I search something on Google I get redirected, and I don't know what sites it takes me to because my Trend Micro antivirus blocks the site. So I updated my antivirus and Malwarebytes and scanned with both; it found a few things and I cleaned them or deleted the ones that couldn't be cleaned, but I still get redirected. So I followed the instructions from the Preparation Guide For Use Before Using Malware Removal Tools and Requesting, but when I got to the part where you are asked to save the ark.txt it would freeze every time, and the rest of my computer would freeze too, so I am going to replace that one with the HijackThis file instead. :(

Attached Files



#2 shelf life (Malware Response Team)

Posted 12 September 2010 - 07:25 PM

Hi jwv8518,

Sorry for the delay; there is no shortage of posters. If you still need help, post back.

How Can I Reduce My Risk to Malware?


#3 jwv8518 (Topic Starter)

Posted 14 September 2010 - 11:25 AM

Yes, I still need help. What do you mean by "post back"?

#4 shelf life (Malware Response Team)

Posted 14 September 2010 - 04:06 PM

Hi,

Quote: what do you mean by post back?

What you just did. The older a log is, the less chance I will get a reply back.

We will get a download to use. It's called ComboFix. There is a guide to read first. Read through the guide, then apply the directions on your own machine. If for some reason ComboFix won't run in 'normal' mode, you can boot into safe mode to try and run it. To reach safe mode you would tap the F8 key during a computer restart, choose the first option from the list, Safe Mode, and log in to your usual account. Once at the safe mode desktop, run ComboFix. Post the ComboFix log.

Guide to using Combofix




#5 jwv8518 (Topic Starter)

Posted 14 September 2010 - 05:46 PM

So should I post it on here or in a new post?

#6 shelf life (Malware Response Team)

Posted 14 September 2010 - 06:01 PM

You can post it here.



#7 jwv8518 (Topic Starter)

Posted 14 September 2010 - 06:32 PM

So I did what the guide said, but it never made the log file. Also, I had to change the name of ComboFix for it to work, because it wouldn't let me use it even in safe mode. I've got some smart malware that doesn't want to be found. So what should I do now?

#8 shelf life (Malware Response Team)

Posted 14 September 2010 - 07:03 PM

So ComboFix wouldn't run either normally or in safe mode. Nothing happens when you double-click the icon?
See if you can run Malwarebytes:

Please download Malwarebytes to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.



#9 jwv8518 (Topic Starter)

Posted 14 September 2010 - 07:36 PM

Yeah, nothing happens when I click on it. So what I did was change the name of it, and it ran, but after it did everything it restarted my computer and it didn't make the log file. So I downloaded Malwarebytes; that didn't want to start either, so I changed the name of the file and then it started to run. I updated and did a full system scan; it didn't find anything, but it made the log file. I still have the redirecting problem when I search on Google.

Attached Files



#10 shelf life (Malware Response Team)

Posted 14 September 2010 - 08:32 PM

OK, let's try something else with ComboFix and get another download also.

Uninstall the current copy of ComboFix like this:
Start > Run and type in combofix /uninstall
Click OK or press Enter.
Note the space after the x and before the /.
Download a new copy of ComboFix and this time rename it combofix1 before you save and download it.
Rename it then, and not after it's on your desktop.
Try running ComboFix again, but first please make sure to disable any AV or antimalware that may be running in the background.



OK, let's go to TDSSKiller also:

Please download TDSSKiller.exe and save it to your desktop.
Double-click to launch the utility. After it initializes, click the Start scan button.

Once the scan completes you can click the continue button.

"The utility will automatically select an action (Cure or Delete) for known malicious objects. A suspicious object will be skipped by default."

"After clicking Next, the utility applies selected actions and outputs the result."

"A reboot might require after disinfection."

A report will be found in your root drive, Local Disk (C:), as TDSSKiller.2.4.2.1_09.08.2010_17.32.21_log.txt (name, version, date, time).
Please post the log report.

I may not be back online for 18 or so hours. If nothing improves on your end after the above, then I would suggest that you use the computer as little as possible until it's clean, and when not in use make sure it has no internet connectivity. And for sure no personal or financial transactions on the computer.



#11 jwv8518 (Topic Starter)

Posted 14 September 2010 - 10:06 PM

TDSSKiller did the trick; you are the man! Anyway, my question is: should I still do the ComboFix, since TDSSKiller fixed it? Also, here's my log. Also, I notice now my volume buttons on my keyboard do not work. Do you know how to fix it? If not, that's cool; I'd rather be malware free than worry about volume buttons on my keyboard lol.

Attached Files


Edited by jwv8518, 15 September 2010 - 12:46 AM.


#12 shelf life (Malware Response Team)

Posted 15 September 2010 - 04:19 PM

Hi,

OK, good. Yes, try running ComboFix again, and check Malwarebytes for updates and scan with it also. Why? Because malware usually installs more malware.



#13 jwv8518 (Topic Starter)

Posted 15 September 2010 - 05:37 PM

Because after I used TDSSKiller my volume buttons on my keyboard stopped working, so I thought you might know how to fix that. Also, here's the ComboFix log you wanted.

Attached Files


Edited by jwv8518, 15 September 2010 - 05:52 PM.


#14 shelf life (Malware Response Team)

Posted 15 September 2010 - 07:49 PM

I pasted in your ComboFix log for an easier view:



ComboFix 10-09-15.01 - Owner 09/15/2010 18:42:28.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2290 [GMT -4:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix1.exe

AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}

FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

.



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.



c:\windows\system32\service

c:\windows\system32\service\01082009_TIS17_SfFniAU.log

c:\windows\system32\service\03012010_TIS17_SfFniAU.log

c:\windows\system32\service\03062010_TIS17_SfFniAU.log

c:\windows\system32\service\03092010_TIS17_SfFniAU.log

c:\windows\system32\service\04102009_TIS17_SfFniAU.log

c:\windows\system32\service\05062009_TIS17_SfFniAU.log

c:\windows\system32\service\06062010_TIS17_SfFniAU.log

c:\windows\system32\service\07102009_TIS17_SfFniAU.log

c:\windows\system32\service\08062009_TIS17_SfFniAU.log

c:\windows\system32\service\09062009_TIS17_SfFniAU.log

c:\windows\system32\service\11062009_TIS17_SfFniAU.log

c:\windows\system32\service\13072009_TIS17_SfFniAU.log

c:\windows\system32\service\14062009_TIS17_SfFniAU.log

c:\windows\system32\service\14072010_TIS17_SfFniAU.log

c:\windows\system32\service\17012010_TIS17_SfFniAU.log

c:\windows\system32\service\17062010_TIS17_SfFniAU.log

c:\windows\system32\service\18062009_TIS17_SfFniAU.log

c:\windows\system32\service\20052009_TIS17_SfFniAU.log

c:\windows\system32\service\21052010_TIS17_SfFniAU.log

c:\windows\system32\service\22112009_TIS17_SfFniAU.log

c:\windows\system32\service\23052009_TIS17_SfFniAU.log

c:\windows\system32\service\23062009_TIS17_SfFniAU.log

c:\windows\system32\service\24032010_TIS17_SfFniAU.log

c:\windows\system32\service\24062009_TIS17_SfFniAU.log

c:\windows\system32\service\24082009_TIS17_SfFniAU.log

c:\windows\system32\service\25062009_TIS17_SfFniAU.log

c:\windows\system32\service\26062009_TIS17_SfFniAU.log

c:\windows\system32\service\30052009_TIS17_SfFniAU.log



.

((((((((((((((((((((((((( Files Created from 2010-08-15 to 2010-09-15 )))))))))))))))))))))))))))))))

.



2010-09-15 05:31 . 2010-09-15 22:34 -------- d-----w- c:\windows\LastGood

2010-09-14 07:49 . 2010-09-14 07:49 -------- d-----w- c:\program files\iPod

2010-09-14 07:49 . 2010-09-14 07:50 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-09-14 07:47 . 2010-09-14 07:47 -------- d-----w- c:\program files\QuickTime

2010-09-14 07:43 . 2010-09-14 07:43 -------- d-----w- c:\program files\Bonjour

2010-09-14 07:41 . 2010-09-14 07:41 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe

2010-09-04 04:07 . 2010-09-04 04:07 -------- d-----w- c:\documents and settings\Owner\Application Data\Uniblue

2010-09-04 03:54 . 2010-09-07 22:36 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-09-04 03:53 . 2010-09-04 03:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2010-09-04 03:52 . 2010-09-04 03:52 -------- d-----w- c:\program files\Hitman Pro 3.5

2010-09-03 18:17 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-09-03 18:17 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-09-03 18:16 . 2010-09-03 18:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-09-03 16:34 . 2009-05-22 04:58 287608 ----a-w- c:\windows\system32\drivers\Tmfilter.sys

2010-09-03 16:05 . 2010-09-03 16:05 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-09-02 05:45 . 2009-02-09 12:10 714752 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\_enviewlist.dll

2010-09-02 05:45 . 2009-02-09 12:10 617472 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\_entreelist.dll

2010-09-02 05:45 . 2010-09-02 05:45 209 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_E3C773515569F0044B146EF9A0B6AEEF.dll

2010-09-02 05:45 . 2010-09-02 05:45 567 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_C055ECD834AC28E429FDFF4C4AF8B51E.dll

2010-09-02 05:45 . 2010-09-02 05:45 151 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_AA0F1499309B4FA40A55389A18C50C11.dll

2010-09-02 05:45 . 2010-09-02 05:45 27 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_6BBFDF96D153C8B4988D68D79C0D2A4A.dll

2010-09-02 05:45 . 2010-09-02 05:45 235 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_8A878B62407546B3DBCBF4E0CA3A1812.dll

2010-09-02 05:45 . 2010-09-02 05:45 181 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_AA363DBBE9F39654A8251DEDCEFC1512.dll

2010-09-02 05:45 . 2010-09-02 05:45 591 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_48C235E057243B14D9184D1A2AD0E87E.dll

2010-09-02 05:32 . 2010-09-02 05:32 -------- d-----w- c:\documents and settings\Owner\updates

2010-09-01 14:34 . 2010-09-01 14:34 -------- d-----w- c:\program files\Common Files\Java

2010-08-31 16:11 . 2010-08-31 16:11 3401880 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll

2010-08-31 15:55 . 2010-08-31 15:55 275096 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgoogletalk.dll

2010-08-31 15:39 . 2010-08-31 15:39 3734536 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\plugins\Google Talk Plugin Extras\d3dx9_36.dll

2010-08-28 21:08 . 2010-09-01 23:46 46852 ----a-w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment\Battle.net\Cache\Download\Scan.dll

2010-08-27 00:20 . 2010-09-13 10:26 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp



.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-15 16:13 . 2009-05-16 07:46 -------- d-----w- c:\documents and settings\Owner\Application Data\Azureus

2010-09-15 02:35 . 2006-12-01 08:00 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys

2010-09-14 07:50 . 2009-09-07 08:27 -------- d-----w- c:\program files\iTunes

2010-09-14 07:49 . 2009-05-17 00:43 -------- d-----w- c:\program files\Common Files\Apple

2010-09-13 17:37 . 2009-09-09 17:03 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc

2010-09-10 16:47 . 2009-05-28 05:55 -------- d-----w- c:\program files\Stardock

2010-09-10 16:35 . 2009-05-16 07:30 -------- d-----w- c:\program files\AlienGUIse

2010-09-02 17:08 . 2009-05-16 06:46 -------- d-----w- c:\program files\World of Warcraft

2010-09-02 05:48 . 2010-09-02 05:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan

2010-09-02 05:45 . 2010-09-02 05:44 3710 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_F6CAE87C37A7E2541843BD2B61C5A586.dll

2010-09-01 14:32 . 2009-05-16 04:57 -------- d-----w- c:\program files\Java

2010-08-28 21:08 . 2010-08-08 03:12 -------- d-----w- c:\program files\StarCraft II

2010-08-12 22:58 . 2009-05-16 07:46 -------- d-----w- c:\program files\Vuze

2010-08-08 18:30 . 2010-08-08 18:30 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6057cf63-n\msvcp71.dll

2010-08-08 18:30 . 2010-08-08 18:30 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-63fc19c3-n\decora-sse.dll

2010-08-08 18:30 . 2010-08-08 18:30 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6057cf63-n\jmc.dll

2010-08-08 18:30 . 2010-08-08 18:30 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6057cf63-n\msvcr71.dll

2010-08-08 18:30 . 2010-08-08 18:30 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-63fc19c3-n\decora-d3d.dll

2010-08-08 05:14 . 2009-05-17 01:30 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment

2010-08-08 05:13 . 2009-09-23 06:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment

2010-08-07 03:44 . 2009-09-16 06:40 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink

2010-07-31 18:52 . 2010-07-31 18:50 -------- d-----w- c:\program files\DAEMON Tools Lite

2010-07-31 18:50 . 2009-06-28 10:53 691696 ----a-w- c:\windows\system32\drivers\sptd.sys

2010-07-31 18:49 . 2009-06-28 11:04 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite

2010-07-30 18:37 . 2010-07-30 17:09 -------- d-----w- c:\documents and settings\Owner\Application Data\Command and Conquer 3 Tiberium Wars

2010-07-27 22:44 . 2010-07-27 22:44 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-07-27 22:44 . 2010-07-27 22:44 197920 ----a-w- c:\windows\system32\dnssdX.dll

2010-07-27 22:44 . 2010-07-27 22:44 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-07-17 09:00 . 2010-05-14 18:18 423656 ----a-w- c:\windows\system32\deployJava1.dll

2010-07-05 15:20 . 2009-05-16 07:05 50256 ----a-w- c:\windows\system32\drivers\tmactmon.sys

2010-07-05 15:19 . 2009-05-16 07:05 50256 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys

2010-07-05 15:19 . 2009-05-16 07:03 154192 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2010-06-30 12:31 . 2006-12-01 08:00 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-24 12:22 . 2006-12-01 08:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-23 13:44 . 2006-12-01 08:00 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-21 15:27 . 2006-12-01 08:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

2009-05-23 05:33 . 2009-05-23 05:33 5836 -csha-w- c:\windows\system32\64.tmp

.



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4



[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-08-27 136176]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]

"SoundMan"="SOUNDMAN.EXE" [2005-09-26 90112]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"VX3000"="c:\windows\vVX3000.exe" [2006-10-14 707376]

"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-10-14 277296]

"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-10-21 995528]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]

"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-12 110696]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]



c:\documents and settings\Owner\Start Menu\Programs\Startup\

Alienware Dock.lnk - c:\program files\AlienGUIse\AlienwareDock\ObjectDock.exe [2009-5-16 2074360]

Alienware News Feed.lnk - c:\program files\Stardock\DesktopGadgets\Alienware News Feed\Alienware News Feed.exe [2010-9-10 523952]



[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"UIHost"="c:\windows\system32\logonuiX.exe"



[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]

2001-12-21 06:34 24576 ----a-w- c:\program files\AlienGUIse\fastload.dll



[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\wbsys.dll



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"



[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Air Mouse.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Air Mouse.lnk

backup=c:\windows\pss\Air Mouse.lnkCommon Startup



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wisdom-soft AutoScreenRecorder 3.1 Pro]

0 [X]



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2010-09-01 12:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-08-10 09:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]

2005-03-09 15:49 966656 ----a-w- c:\windows\creator\remind_xp.exe



[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001



[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001



[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\ooVoo\\ooVoo.exe"=

"c:\\Program Files\\StarCraft II\\StarCraft II.exe"=

"c:\\Program Files\\Vuze\\Azureus.exe"=

"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\StarCraft II\\Versions\\Base15405\\SC2.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=



[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"6112:TCP"= 6112:TCP:Warcraft III

"6119:TCP"= 6119:TCP:WarCraftIII

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

"9876:TCP"= 9876:TCP:Vuze

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443

"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443

"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674

"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674

"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675



R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [5/16/2009 3:03 AM 36368]

R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [9/4/2009 3:44 AM 28672]

R3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [4/24/2005 10:43 PM 13225]

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [5/16/2009 3:00 AM 335376]

S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [5/16/2009 3:05 AM 50256]

S2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [5/16/2009 3:06 AM 497008]

S2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [5/16/2009 3:06 AM 677128]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 4:22 PM 34064]

S3 portio32;portio32;c:\windows\system32\drivers\portio32.sys --> c:\windows\system32\drivers\portio32.sys [?]

S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [8/22/2009 3:29 AM 16456]

S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [8/22/2009 3:29 AM 11088]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/28/2009 6:53 AM 691696]

.

Contents of the 'Scheduled Tasks' folder



2010-09-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-855543529-3813675720-297006418-1006Core.job

- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-27 00:20]



2010-09-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-855543529-3813675720-297006418-1006UA.job

- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-27 00:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.gateway.com/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xo4e61q6.default\

FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll

FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\



---- FIREFOX POLICIES ----

FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -



HKCU-Run-Everyday Auto Backup - c:\program files\Everyday Auto Backup\AutoBackup.exe

HKCU-Run-RegistryBooster - c:\program files\Uniblue\RegistryBooster\launcher.exe

HKLM-Run-MSKDetectorExe - c:\program files\McAfee\SpamKiller\MSKDetct.exe

HKLM-Run-nwiz - nwiz.exe

Notify-5c70e3d3600 - c:\windows\System32\fdco1ins32.dll

SafeBoot-klmdb.sys

MSConfigStartUp-RemoteControl - c:\program files\CyberLink\PowerDVD\PDVDServ.exe

AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe







**************************************************************************



catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-15 18:46

Windows 5.1.2600 Service Pack 3 NTFS



scanning hidden processes ...



scanning hidden autostart entries ...



scanning hidden files ...





c:\docume~1\Owner\LOCALS~1\Temp\catchme.dll 53248 bytes executable



scan completed successfully

hidden files: 1



**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------



[HKEY_USERS\S-1-5-21-855543529-3813675720-297006418-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]

@Denied: (Full) (LocalSystem)

@SACL=

.

--------------------- DLLs Loaded Under Running Processes ---------------------



- - - - - - - > 'winlogon.exe'(1148)

c:\program files\AlienGUIse\fastload.dll

.

Completion time: 2010-09-15 18:48:18

ComboFix-quarantined-files.txt 2010-09-15 22:48



Pre-Run: 35,187,871,744 bytes free

Post-Run: 35,630,833,664 bytes free



- - End Of File - - F369B6854BAD6EE0AD84630D4763D0CF

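As an added example that is not part of this thread and not ComboFix's own code: a small Python parser for the two sections of a ComboFix log that a helper reads first in a log like the one above, the "Files Created" block and the REGEDIT4-style "Reg Loading Points" block, followed by a triage pass that flags the patterns worth checking before anything else (autostart entries that are bare filenames or that live under user-writable paths, an AppInit_DLLs value, and newly created kernel drivers). The log excerpt embedded below is constructed to match the format with made-up paths and names; the triage heuristics are this example's assumptions, not rules stated on the page.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in ComboFix's log layout (NOT the log posted in this
# thread): a "Files Created" block followed by a REGEDIT4-style
# "Reg Loading Points" block. All paths and names are made up.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2010-08-15 to 2010-09-15 )))))))))))))))))))))))))))))))
.
2010-09-04 03:54 . 2010-09-07 22:36 16968 ----a-w- c:\windows\system32\drivers\example35.sys
2010-09-03 18:16 . 2010-09-03 18:23 -------- d-----w- c:\program files\Example Anti-Malware
2010-09-02 05:45 . 2010-09-02 05:45 27 ----a-w- c:\documents and settings\All Users\Application Data\Example\icn_ABCDEF.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="c:\documents and settings\Owner\Local Settings\Application Data\Example\update.exe" [2010-08-27 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-09-26 90112]
"ExampleTray"="c:\program files\Example\tray.exe" [2009-10-21 995528]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\example.dll
"""

# "created . modified size attrs path"; size is "--------" for directories.
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\S+) (\S+) (.+)$"
)
SECTION_RE = re.compile(r"^\[(.+)\]$")          # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')      # "Name"=value [date size]

# Locations a standard user can write to (assumed heuristic list).
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\",
                 "\\temp\\", "\\users\\")


def parse_file_entries(text: str) -> List[dict]:
    """Return one dict per file/directory line in the Files Created block."""
    entries = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        entries.append({
            "created": created,
            "modified": modified,
            "size": None if size.startswith("-") else int(size),
            "attrs": attrs,
            "is_dir": attrs.startswith("d"),
            "path": path,
        })
    return entries


def _split_value(raw: str) -> Tuple[str, str]:
    """Split '"target" [meta]' or 'target' into (target, meta)."""
    raw = raw.strip()
    if raw.startswith('"'):
        target, _, meta = raw[1:].partition('"')
    else:
        target, _, meta = raw.partition(" [")
        meta = "[" + meta if meta else ""
    return target, meta.strip()


def parse_reg_points(text: str) -> Dict[str, List[Tuple[str, str, str]]]:
    """Map each registry key after REGEDIT4 to its (name, target, meta) values."""
    points: Dict[str, List[Tuple[str, str, str]]] = {}
    current = None
    in_reg = False
    for line in text.splitlines():
        line = line.strip()
        if line == "REGEDIT4":
            in_reg = True
            continue
        if not in_reg:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1)
            points.setdefault(current, [])
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            target, meta = _split_value(val.group(2))
            points[current].append((val.group(1), target, meta))
    return points


def triage(text: str) -> List[str]:
    """Flag loading points and new files that deserve a closer look first."""
    findings = []
    for key, entries in parse_reg_points(text).items():
        for name, target, _meta in entries:
            low = target.lower()
            if name.lower() == "appinit_dlls":
                findings.append(f"AppInit_DLLs loads {target} into every GUI process; verify its publisher")
            elif "\\" not in target:
                findings.append(f"{key}\\{name}: bare filename {target!r} is resolved through the search path")
            elif any(marker in low for marker in USER_WRITABLE):
                findings.append(f"{key}\\{name}: autostart from user-writable location {target}")
    for entry in parse_file_entries(text):
        low = entry["path"].lower()
        if low.endswith(".sys") and "\\drivers\\" in low:
            findings.append(f"new kernel driver {entry['path']} created {entry['created']}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run it as-is to see the four findings for the constructed sample; pass the text of a real ComboFix log to `triage()` to apply the same checks to it. The flags are only prioritisation hints for a human reader: a bare filename in a Run key, for example, is common for OEM utilities and is flagged because it is resolved through the search path rather than because it is known bad.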


#15 shelf life (Malware Response Team)

Posted 15 September 2010 - 08:08 PM

Looks good. The volume buttons on your keyboard stopped working? Did the keyboard come with the computer, and what brand is it, like an HP, Dell, Acer etc.?

Looks like a Gateway computer?

Edited by shelf life, 15 September 2010 - 08:12 PM.
