Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Redirects From Google and eMails Sent to all Hotmail Contacts


  • This topic is locked This topic is locked
16 replies to this topic

#1 Bret60

Bret60

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:51 PM

Posted 12 October 2010 - 09:50 PM

Thank you in advance.

I noticed about 2 weeks ago that sometimes clicking on a Google search result took me to the wrong page, usually trying to sell something. Tonight I saw 11 emails from postmaster@mail.hotmail.com stating:

This is an automatically generated Delivery Status Notification.
Delivery to the following recipients failed.
xxxxxxx@hotmail.com

because those mailboxes were unavailable. There are another 13 in my Sent folder that I guess got delivered.

This is all within a Hotmail account I've had since 1993. I was able to access it and have changed my password to a very strong one.

All my emails from that Hotmail account are transferred to my Gmail account (via Pop3), and I check and send all my emails from Thunderbird.

I have followed the steps in the preparation guide. I backed up my data, XP firewall is enabled, I ran Defogger, and I've run DDS and GMER.

Oh, the Dameware software was installed by me, to connect to other PC's on my home network.

Here is DDS.TXT:

DDS (Ver_10-10-10.03) - NTFSx86
Run by Administrator at 21:27:20.92 on Tue 10/12/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.519 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\DWRCST.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\njmvsf5c.default\extensions\{E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B}\components\afom.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\tcpview.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uURLSearchHooks: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\dealio toolbar\SearchSettings.dll
BHO: Dealio Toolbar: {01398b87-61af-4ffb-9ab5-1a1c5fb39a9c} - c:\program files\dealio toolbar\ie\4.0.2\dealioToolbarIE.dll
BHO: Diigo Toolbar Helper: {84053da7-03de-4fb6-80ae-202c04691d8a} - c:\program files\diigo\DiigoToolbar.4.0.2.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\dealio toolbar\SearchSettings.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Diigo Toolbar: {09197ffb-c236-4153-b268-31051e4f3b6c} - c:\program files\diigo\DiigoToolbar.4.0.2.dll
TB: Dealio Toolbar: {01398b87-61af-4ffb-9ab5-1a1c5fb39a9c} - c:\program files\dealio toolbar\ie\4.0.2\dealioToolbarIE.dll
EB: Diigo Sidebar: {69523951-583f-418c-bde7-18efc9fd54b4} - c:\program files\diigo\DiigoToolbar.4.0.2.dll
uRun: [Meebo Notifier] "c:\documents and settings\administrator\local settings\application data\meebo\meebo notifier\MeeboNotifier.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SearchSettings] c:\program files\dealio toolbar\SearchSettings.exe
mRun: [DameWare MRC Agent] c:\windows\system32\DWRCST.exe
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
dRunOnce: [MPlayer2_FixUp] c:\windows\inf\unregmp2.exe /Fixups
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-disallowrun: 1 = avnotify.exe
IE: &Links to this page - c:\documents and settings\all users\application data\tuneup software\tuneup utilities\web\gbacklinks.htm
IE: &Similar pages - c:\documents and settings\all users\application data\tuneup software\tuneup utilities\web\gsimilar.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Open in &new window - c:\documents and settings\all users\application data\tuneup software\tuneup utilities\web\tuofinw.htm
IE: Search with &Google - c:\documents and settings\all users\application data\tuneup software\tuneup utilities\web\gsearch.htm
IE: Show page from the &cache - c:\documents and settings\all users\application data\tuneup software\tuneup utilities\web\gcache.htm
IE: Translate this page with Google - c:\documents and settings\all users\application data\tuneup software\tuneup utilities\web\gtranslate.htm
IE: View old version at &archives.org - c:\documents and settings\all users\application data\tuneup software\tuneup utilities\web\tuarch.htm
IE: Zoom &in  - c:\documents and settings\all users\application data\tuneup software\tuneup utilities\web\tuzoomin.htm
IE: Zoom &out  - c:\documents and settings\all users\application data\tuneup software\tuneup utilities\web\tuzoomout.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {B952F2E0-5F9F-4898-89A8-4FB770625E09} - {84053DA7-03DE-4FB6-80AE-202C04691D8A} - c:\program files\diigo\DiigoToolbar.4.0.2.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: Antiwpa - antiwpa.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: Outlook10 - {4f6a227d-c9a3-4358-9734-baeeecc1f73f} - c:\program files\common files\outlook\Outlook10.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\njmvsf5c.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/|http://www.google.com/ig|http://www.diigo.com/user/hoopdedoo|http://mail.live.com/default.aspx?wa=wsignin1.0
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\njmvsf5c.default\extensions\{e173b749-db5b-4fd2-ba0e-94ecea0ca55b}\components\npAFOM.dll
FF - component: c:\program files\dealio toolbar\ff\components\dealioToolbarFF.dll
FF - component: c:\program files\dealio toolbar\ssff\components\SearchSettingsFF.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
FF - plugin: c:\program files\photosynth\npPhotosynthMozilla.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
FF - user.js: browser.xul.error_pages.enabled - false
FF - user.js: browser.urlbar.autoFill - true
FF - user.js: browser.urlbar.hideGoButton - false
FF - user.js: dom.disable_window_open_feature.minimizable - true
FF - user.js: dom.disable_window_open_feature.menubar - true
FF - user.js: dom.disable_window_open_feature.scrollbars - true
FF - user.js: browser.tabs.closeButtons - 0
FF - user.js: network.http.pipelining - false
FF - user.js: network.http.proxy.pipelining - false
FF - user.js: network.http.pipelining.ssl - false
FF - user.js: network.http.pipelining.maxrequests - 4
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-12-27 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-11-11 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-11 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-12-27 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-12-27 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-12-27 60936]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2010\TuneUpUtilitiesService32.exe [2010-2-25 1047880]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2007-2-7 3712]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2010\TuneUpUtilitiesDriver32.sys [2010-2-25 10064]
S1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2007-2-15 26624]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-17 136176]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\48f.tmp --> c:\windows\system32\48F.tmp [?]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2009-12-31 14424]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-11 12872]
S3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2009-12-1 119296]
S4 Application Updater;Application Updater;"c:\program files\application updater\applicationupdater.exe" --> c:\program files\application updater\ApplicationUpdater.exe [?]

=============== Created Last 30 ================

2010-10-13 01:05:35 388096 ----a-r- c:\docume~1\admini~1\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-10-05 22:06:52 -------- d-----w- c:\docume~1\admini~1\applic~1\com.rstoeber.GoogleVoice.913F9D81260FD6F3F98FE8A907686CD092F1C90D.1
2010-10-05 22:06:46 -------- d-----w- c:\program files\GVoice

==================== Find3M ====================

2010-09-06 01:26:25 592 ----a-w- c:\windows\chgkey.vbs

============= FINISH: 21:28:21.25 ===============

Oh, here is the TCPView log. I don't know how to interpret it.

[System Process] 0 TCP glurgle 1116 iad04s01-in-f19.1e100.net:https https TIME_WAIT 1 27 4 159
alg.exe 2624 TCP glurgle 1028 glurgle 0 LISTENING
DWRCS.EXE 2020 TCP glurgle 6129 localhost 1025 ESTABLISHED
DWRCS.EXE 2020 TCP glurgle 6129 glurgle 0 LISTENING
DWRCST.EXE 1296 TCP glurgle 1025 localhost 6129 ESTABLISHED
firefox.exe 3012 TCP glurgle 1127 yo-in-f101.1e100.net https ESTABLISHED 1 1,181
firefox.exe 3012 TCP glurgle 1131 server-216-137-39-99.stl2.cloudfront.net:http http CLOSE_WAIT
firefox.exe 3012 TCP glurgle 1113 server.iad.liveperson.net http ESTABLISHED
firefox.exe 3012 TCP glurgle 1122 74.125.227.5:https https CLOSE_WAIT
firefox.exe 3012 TCP glurgle 1128 iad04s01-in-f189.1e100.net:https https CLOSE_WAIT
firefox.exe 3012 TCP glurgle 1132 74.125.227.5:https https CLOSE_WAIT
firefox.exe 3012 TCP glurgle 1092 iad04s01-in-f19.1e100.net https ESTABLISHED 1 1,423 2 454
firefox.exe 3012 TCP glurgle 1115 iad04s01-in-f19.1e100.net https ESTABLISHED 2 3,204 2 756
firefox.exe 3012 TCP glurgle 1117 iad04s01-in-f19.1e100.net https ESTABLISHED 1 1,676 3 2,883
firefox.exe 3012 TCP glurgle kpop iad04s01-in-f100.1e100.net http ESTABLISHED
firefox.exe 3012 TCP glurgle 1086 localhost 1085 ESTABLISHED 41 41 1 1
firefox.exe 3012 TCP glurgle 1085 localhost 1086 ESTABLISHED 41 41 1 1
firefox.exe 3012 TCP glurgle 1091 localhost 1090 ESTABLISHED 33 33
firefox.exe 3012 TCP glurgle 1090 localhost 1091 ESTABLISHED 33 33
firefox.exe 3012 TCP glurgle 1133 localhost 1130 ESTABLISHED
firefox.exe 3012 TCP glurgle 1097 iad04s01-in-f147.1e100.net:https https CLOSE_WAIT
firefox.exe 3012 TCP glurgle 1114 iad04s01-in-f147.1e100.net:https https CLOSE_WAIT
firefox.exe 3012 TCP glurgle 1119 iad04s01-in-f147.1e100.net:https https CLOSE_WAIT
firefox.exe 3012 TCP glurgle 1120 iad04s01-in-f147.1e100.net:https https CLOSE_WAIT
firefox.exe 3012 TCP glurgle 1248 209.85.239.31 http ESTABLISHED 1 788 1 436
firefox.exe 3012 TCP glurgle 1246 iad04s01-in-f190.1e100.net https ESTABLISHED 2 1,001 2 675
firefox.exe 3012 TCP glurgle 1247 iad04s01-in-f100.1e100.net http ESTABLISHED 1 1,042 1 453
firefox.exe 3012 TCP glurgle 1249 yo-in-f101.1e100.net https ESTABLISHED
googletalkplugin.exe 3416 TCP glurgle 1130 localhost 1133 ESTABLISHED
googletalkplugin.exe 3416 TCP glurgle 1130 glurgle 0 LISTENING
jqs.exe 228 TCP glurgle 5152 localhost 1088 CLOSE_WAIT
jqs.exe 228 TCP glurgle 5152 glurgle 0 LISTENING
svchost.exe 1060 TCP glurgle epmap glurgle 0 LISTENING
svchost.exe 1156 UDP glurgle ntp * *
svchost.exe 1156 UDP glurgle ntp * *
System 4 TCP glurgle microsoft-ds glurgle 0 LISTENING
System 4 TCP glurgle netbios-ssn glurgle 0 LISTENING
System 4 UDP glurgle netbios-ns * * 11 550
System 4 UDP glurgle netbios-dgm * *
System 4 UDP glurgle microsoft-ds * *
thunderbird.exe 3336 TCP glurgle 4846 localhost 4847 ESTABLISHED
thunderbird.exe 3336 TCP glurgle 4847 localhost 4846 ESTABLISHED
thunderbird.exe 3336 TCP glurgle 4849 localhost 4848 ESTABLISHED
thunderbird.exe 3336 TCP glurgle 4848 localhost 4849 ESTABLISHED

EDIT: Posts merged ~BP

Attached Files


Edited by Budapest, 13 October 2010 - 12:17 AM.


BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:51 PM

Posted 21 October 2010 - 01:46 PM

Hello Bret60 ,

Posted Image

If you still need help I need for you to verify that your Operating System is legal. Your logs say otherwise. :(

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 Bret60

Bret60
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:51 PM

Posted 21 October 2010 - 04:15 PM

OK....I made a whiney response here, because I had to wait. I'm embarrassed to even leave it, thus the edit. I apologize again.

Edited by Bret60, 21 October 2010 - 06:49 PM.


#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:51 PM

Posted 21 October 2010 - 04:31 PM

I do apologize for the delay. :( There are just not enough of us volunteers to cover the 400 logs we have open every day. Thank you for understanding. I hope this wasn't "too preachy" for you.

If you'd like to continue, please do reply. Otherwise, you have a great one. :)

Regards,
teacup61
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 Bret60

Bret60
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:51 PM

Posted 21 October 2010 - 04:42 PM

Oh crud.....I didn't expect kindness back. And I lied....I did read the reply. So, I'm sorry I took my frustration about the spyware out in the post.

I got this PC at a thrift store and had no idea it's an illegal OS. I've got a lot of documents, emails and pictures on it that I don't want to lose, so I want to just fix it so I can safely save them and move on to another PC. I thought from your reply that you were saying you couldn't help me.

I mostly just want to know how the whole address book got sent ou,t and if they still have the addresses, and if they got into anything else like my passwords or bank info.

Thank you.

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:51 PM

Posted 21 October 2010 - 04:50 PM

It's okay. I understand the frustration.Been there, done that, got the shirt. :wink: It really is frustrating for us to have to make so many wait for so long.

Your explanation of the OS happens more often than you might think. If you like I will point out the files that told me to ask you for sure about it. Now that I know what happened, I'll certainly help you. Not your fault and you should not have to be the one to pay for it. We may have to run a few different tools.....maybe not....but I'll let you know what's compromised, if anything.

See if you can run this, and please post the report in your reply:

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#7 Bret60

Bret60
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:51 PM

Posted 21 October 2010 - 06:47 PM

OK....did it. It did have me reboot. Here's the log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4905

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

10/21/2010 6:25:56 PM
mbam-log-2010-10-21 (18-25-56).txt

Scan type: Quick scan
Objects scanned: 153566
Time elapsed: 6 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\antiwpa.dll (Trojan.I.Stole.Windows) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Administrator\My Documents\downloads\RockXP4.exe (Hacktool.PasswordDump) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\antiwpa.dll (Trojan.I.Stole.Windows) -> Delete on reboot.

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:51 PM

Posted 21 October 2010 - 07:17 PM

Hi there,

Well, now you see why I asked about the OS. :( From the looks of that you're still having the redirects?

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to Bret.exe and try again.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#9 Bret60

Bret60
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:51 PM

Posted 21 October 2010 - 07:48 PM

Yes...the blasted redirects. Here's the Combofix log:

ComboFix 10-10-21.02 - Administrator 10/21/2010 20:37:57.1.1 - x86
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\Dealio
c:\documents and settings\Administrator\Application Data\Dealio\res\widgets.xml
c:\documents and settings\Administrator\Application Data\Dealio\temp\http___www_dealio_com_rss_coupons-deals_dotd_.xml
c:\documents and settings\Dad\Application Data\Dealio
c:\documents and settings\Dad\Application Data\Dealio\res\widgets.xml
c:\documents and settings\Dad\Application Data\Dealio\temp\http___www_dealio_com_rss_coupons-deals_dotd_.xml
c:\program files\Dealio Toolbar
c:\program files\Dealio Toolbar\FF\chrome.manifest
c:\program files\Dealio Toolbar\FF\chrome\content\chevron.js
c:\program files\Dealio Toolbar\FF\chrome\content\chevron.xul
c:\program files\Dealio Toolbar\FF\chrome\content\login.js
c:\program files\Dealio Toolbar\FF\chrome\content\login.xul
c:\program files\Dealio Toolbar\FF\chrome\content\parser.js
c:\program files\Dealio Toolbar\FF\chrome\content\RssTickerWidget.js
c:\program files\Dealio Toolbar\FF\chrome\content\searchbox.js
c:\program files\Dealio Toolbar\FF\chrome\content\searchbox.xul
c:\program files\Dealio Toolbar\FF\chrome\content\widgichevron.js
c:\program files\Dealio Toolbar\FF\chrome\content\widgicomm.js
c:\program files\Dealio Toolbar\FF\chrome\content\widgihandling.js
c:\program files\Dealio Toolbar\FF\chrome\content\widgilisteners.js
c:\program files\Dealio Toolbar\FF\chrome\content\widgitoolbarplugin.js
c:\program files\Dealio Toolbar\FF\chrome\content\widgitoolbarplugin.xul
c:\program files\Dealio Toolbar\FF\chrome\content\widgiui.js
c:\program files\Dealio Toolbar\FF\chrome\locale\EN-US\searchbox.dtd
c:\program files\Dealio Toolbar\FF\chrome\locale\EN-US\widgitoolbarplugin.dtd
c:\program files\Dealio Toolbar\FF\chrome\locale\EN-US\widgitoolbarplugin.properties
c:\program files\Dealio Toolbar\FF\chrome\locale\EN-US\yahoo-search.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\amazon.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\apple.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\barnes.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\bestbuy.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\chevron.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\dealio_logo.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\dealio_logo_hover.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\ebay.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\icon_settings.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\macys.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\newegg.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\overstock.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\search-button-hover.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\search-button.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\search-chevron-hover.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\search-chevron.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\search_amazon.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\search_dealio.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\search_ebay.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\search_yahoo.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\searchbox.css
c:\program files\Dealio Toolbar\FF\chrome\skin\separator.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\target.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\walmart.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\widgitoolbarplugin.css
c:\program files\Dealio Toolbar\FF\components\config.ini
c:\program files\Dealio Toolbar\FF\components\dealioToolbarFF.dll
c:\program files\Dealio Toolbar\FF\components\IFBHOHelperWidgiToolbar.xpt
c:\program files\Dealio Toolbar\FF\components\IFBHOWidgiToolbar.xpt
c:\program files\Dealio Toolbar\FF\install.rdf
c:\program files\Dealio Toolbar\IE\4.0.2\config.ini
c:\program files\Dealio Toolbar\IE\4.0.2\dealioToolbarIE.dll
c:\program files\Dealio Toolbar\Res\amazon.gif
c:\program files\Dealio Toolbar\Res\apple.gif
c:\program files\Dealio Toolbar\Res\barnes.gif
c:\program files\Dealio Toolbar\Res\bestbuy.gif
c:\program files\Dealio Toolbar\Res\dealio_logo.gif
c:\program files\Dealio Toolbar\Res\dealio_logo_hover.gif
c:\program files\Dealio Toolbar\Res\ebay.gif
c:\program files\Dealio Toolbar\Res\icon_settings.gif
c:\program files\Dealio Toolbar\Res\macys.gif
c:\program files\Dealio Toolbar\Res\newegg.gif
c:\program files\Dealio Toolbar\Res\overstock.gif
c:\program files\Dealio Toolbar\Res\search-button-hover.gif
c:\program files\Dealio Toolbar\Res\search-button.gif
c:\program files\Dealio Toolbar\Res\search-chevron-hover.gif
c:\program files\Dealio Toolbar\Res\search-chevron.gif
c:\program files\Dealio Toolbar\Res\search_amazon.gif
c:\program files\Dealio Toolbar\Res\search_dealio.gif
c:\program files\Dealio Toolbar\Res\search_ebay.gif
c:\program files\Dealio Toolbar\Res\search_yahoo.gif
c:\program files\Dealio Toolbar\Res\target.gif
c:\program files\Dealio Toolbar\Res\walmart.gif
c:\program files\Dealio Toolbar\Res\widgets.xml
c:\program files\Dealio Toolbar\SeARchsettings.dll
c:\program files\Dealio Toolbar\SearchSettings.exe
c:\program files\Dealio Toolbar\SearchSettingsRes409.dll
c:\program files\Dealio Toolbar\sscfg.ini
c:\program files\Dealio Toolbar\SSFF\chrome.manifest
c:\program files\Dealio Toolbar\SSFF\chrome\content\plugin.js
c:\program files\Dealio Toolbar\SSFF\chrome\content\plugin.xul
c:\program files\Dealio Toolbar\SSFF\chrome\content\protection.js
c:\program files\Dealio Toolbar\SSFF\chrome\content\utils.js
c:\program files\Dealio Toolbar\SSFF\chrome\locale\en-US\searchsettingsplugin.dtd
c:\program files\Dealio Toolbar\SSFF\chrome\locale\en-US\searchsettingsplugin.properties
c:\program files\Dealio Toolbar\SSFF\chrome\skin\yahoo.xml
c:\program files\Dealio Toolbar\SSFF\components\IFBHOSearch.xpt
c:\program files\Dealio Toolbar\SSFF\components\IFBHOSearchHelperEngine.xpt
c:\program files\Dealio Toolbar\SSFF\components\IFHelperPreferences.xpt
c:\program files\Dealio Toolbar\SSFF\components\SearchSettingsFF.dll
c:\program files\Dealio Toolbar\SSFF\components\sscfg.ini
c:\program files\Dealio Toolbar\SSFF\install.rdf
c:\program files\Dealio Toolbar\WidgiHelper.exe
c:\windows\system32\spool\prtprocs\w32x86\CNMPP8O.DLL

.
((((((((((((((((((((((((( Files Created from 2010-09-22 to 2010-10-22 )))))))))))))))))))))))))))))))
.

2010-10-22 00:29 . 2010-10-22 00:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\Avira
2010-10-21 23:44 . 2003-05-25 07:11 60416 ------w- c:\windows\system32\antiwpa.dll
2010-10-20 00:39 . 2010-10-20 00:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Thinstall
2010-10-15 22:50 . 2010-10-15 22:50 -------- d-----w- C:\1st Stop Business Connection Documents
2010-10-13 03:35 . 2010-10-13 03:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\QuickScan
2010-10-13 01:05 . 2010-10-13 01:05 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-10-05 22:06 . 2010-10-05 22:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\com.rstoeber.GoogleVoice.913F9D81260FD6F3F98FE8A907686CD092F1C90D.1
2010-10-05 22:06 . 2010-10-05 22:06 -------- d-----w- c:\program files\GVoice
2010-09-26 01:29 . 2010-10-21 01:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Meebo Notifier"="c:\documents and settings\Administrator\Local Settings\Application Data\Meebo\Meebo Notifier\MeeboNotifier.exe" [2010-08-23 818888]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-04 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"DameWare MRC Agent"="c:\windows\system32\DWRCST.exe" [2010-04-07 85528]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]
"MPlayer2_FixUp"="c:\windows\inf\unregmp2.exe" [2004-08-03 208896]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\uTorrent2\\utorrent2.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"6129:TCP"= 6129:TCP:DameWare Mini Remote Control Service
"4718:TCP"= 4718:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [11/11/2009 11:44 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/11/2009 11:44 AM 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/27/2009 6:50 AM 135336]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [2/25/2010 10:59 AM 1047880]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2/7/2007 8:00 AM 3712]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [2/25/2010 10:18 AM 10064]
S1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2/15/2007 8:00 AM 26624]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/17/2010 4:28 PM 136176]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\48F.tmp --> c:\windows\system32\48F.tmp [?]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [12/31/2009 4:26 AM 14424]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/11/2009 11:44 AM 12872]
S4 Application Updater;Application Updater;"c:\program files\Application Updater\ApplicationUpdater.exe" --> c:\program files\Application Updater\ApplicationUpdater.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2010-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cb6b46a796c5f0.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-17 20:28]

2010-10-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA1cb6b46a7cd9c06.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-17 20:28]

2010-10-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-861567501-1417001333-1606980848-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-04 21:57]

2010-10-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-861567501-1417001333-1606980848-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-04 21:57]
.
.
------- Supplementary Scan -------
.
IE: &Links to this page - c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\Web\gbacklinks.htm
IE: &Similar pages - c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\Web\gsimilar.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Open in &new window - c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\Web\tuofinw.htm
IE: Search with &Google - c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\Web\gsearch.htm
IE: Show page from the &cache - c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\Web\gcache.htm
IE: Translate this page with Google - c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\Web\gtranslate.htm
IE: View old version at &archives.org - c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\Web\tuarch.htm
IE: Zoom &in  - c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\Web\tuzoomin.htm
IE: Zoom &out  - c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\Web\tuzoomout.htm
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\njmvsf5c.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/|http://www.google.com/ig|http://www.diigo.com/user/hoopdedoo|http://mail.live.com/default.aspx?wa=wsignin1.0
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\njmvsf5c.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\njmvsf5c.default\extensions\{E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B}\components\npAFOM.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\njmvsf5c.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Photosynth\npPhotosynthMozilla.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
FF - user.js: browser.xul.error_pages.enabled - false
FF - user.js: browser.urlbar.autoFill - true
FF - user.js: browser.urlbar.hideGoButton - false
FF - user.js: dom.disable_window_open_feature.minimizable - true
FF - user.js: dom.disable_window_open_feature.menubar - true
FF - user.js: dom.disable_window_open_feature.scrollbars - true
FF - user.js: browser.tabs.closeButtons - 0
FF - user.js: network.http.pipelining - false
FF - user.js: network.http.proxy.pipelining - false
FF - user.js: network.http.pipelining.ssl - false
FF - user.js: network.http.pipelining.maxrequests - 4
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
.
- - - - ORPHANS REMOVED - - - -

BHO-{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - c:\program files\Dealio Toolbar\IE\4.0.2\dealioToolbarIE.dll
Toolbar-{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - c:\program files\Dealio Toolbar\IE\4.0.2\dealioToolbarIE.dll
HKLM-Run-SearchSettings - c:\program files\Dealio Toolbar\SearchSettings.exe
SSODL-Outlook10-{4f6a227d-c9a3-4358-9734-baeeecc1f73f} - (no file)



[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\48F.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-861567501-1417001333-1606980848-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4c,ba,57,9f,36,94,d6,4f,9c,77,ca,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4c,ba,57,9f,36,94,d6,4f,9c,77,ca,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,cf,b8,e1,31,8e,20,8a,47,ab,a2,51,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\antiwpa.dll
.
Completion time: 2010-10-21 20:45:57
ComboFix-quarantined-files.txt 2010-10-22 00:45
ComboFix2.txt 2010-06-05 23:55

Pre-Run: 1,194,385,408 bytes free
Post-Run: 1,341,534,208 bytes free

- - End Of File - - 893272A251F0D494A566B34117A09F54

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:51 PM

Posted 21 October 2010 - 08:27 PM

This is after a reboot that you're still getting the redirects? If so, I'd like to look for a rootkit with this:

Download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • If Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#11 Bret60

Bret60
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:51 PM

Posted 21 October 2010 - 09:33 PM

OK....it said nothing was found. And I haven't had any redirects lately. Here's the log.

2010/10/21 22:31:05.0218 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59
2010/10/21 22:31:05.0218 ================================================================================
2010/10/21 22:31:05.0218 SystemInfo:
2010/10/21 22:31:05.0218
2010/10/21 22:31:05.0218 OS Version: 5.1.2600 ServicePack: 2.0
2010/10/21 22:31:05.0218 Product type: Workstation
2010/10/21 22:31:05.0218 ComputerName: GLURGLE
2010/10/21 22:31:05.0218 UserName: Administrator
2010/10/21 22:31:05.0218 Windows directory: C:\WINDOWS
2010/10/21 22:31:05.0218 System windows directory: C:\WINDOWS
2010/10/21 22:31:05.0218 Processor architecture: Intel x86
2010/10/21 22:31:05.0218 Number of processors: 1
2010/10/21 22:31:05.0218 Page size: 0x1000
2010/10/21 22:31:05.0218 Boot type: Normal boot
2010/10/21 22:31:05.0218 ================================================================================
2010/10/21 22:31:05.0484 Initialize success
2010/10/21 22:31:18.0812 ================================================================================
2010/10/21 22:31:18.0812 Scan started
2010/10/21 22:31:18.0812 Mode: Manual;
2010/10/21 22:31:18.0812 ================================================================================
2010/10/21 22:31:19.0656 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/10/21 22:31:19.0765 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/10/21 22:31:19.0968 aeaudio (b2886807ac2543da273765cef4d82d68) C:\WINDOWS\system32\drivers\aeaudio.sys
2010/10/21 22:31:20.0062 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
2010/10/21 22:31:20.0171 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
2010/10/21 22:31:20.0437 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/10/21 22:31:20.0671 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/10/21 22:31:20.0859 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/10/21 22:31:21.0000 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/10/21 22:31:21.0093 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/10/21 22:31:21.0187 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
2010/10/21 22:31:21.0281 avgntflt (a88d29d928ad2b830e87b53e3f9bc182) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
2010/10/21 22:31:21.0421 avipbb (1289e9a5d9118a25a13c0009519088e3) C:\WINDOWS\system32\DRIVERS\avipbb.sys
2010/10/21 22:31:21.0531 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/10/21 22:31:21.0734 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/10/21 22:31:21.0843 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2010/10/21 22:31:22.0031 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/10/21 22:31:22.0125 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/10/21 22:31:22.0234 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/10/21 22:31:22.0546 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/10/21 22:31:22.0687 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
2010/10/21 22:31:22.0875 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\DRIVERS\dmio.sys
2010/10/21 22:31:22.0984 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/10/21 22:31:23.0093 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2010/10/21 22:31:23.0234 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/10/21 22:31:23.0343 DwMirror (383182215a2c238e76b86e3b5ede40eb) C:\WINDOWS\system32\DRIVERS\DamewareMini.sys
2010/10/21 22:31:23.0468 dwvkbd (5a402c57f621114c99f813c6ae7bc37a) C:\WINDOWS\system32\DRIVERS\dwvkbd.sys
2010/10/21 22:31:23.0578 E100B (fae8b6b311f898df3d19bc638e980ca5) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2010/10/21 22:31:23.0687 ElbyCDIO (178cc9403816c082d22a1d47fa1f9c85) C:\WINDOWS\system32\Drivers\ElbyCDIO.sys
2010/10/21 22:31:23.0890 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/10/21 22:31:24.0031 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/10/21 22:31:24.0140 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2010/10/21 22:31:24.0203 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/10/21 22:31:24.0296 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2010/10/21 22:31:24.0421 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/10/21 22:31:24.0531 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/10/21 22:31:24.0656 GcKernel (97983db98129efe4e2d215ce350a7546) C:\WINDOWS\system32\DRIVERS\GcKernel.sys
2010/10/21 22:31:24.0781 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/10/21 22:31:24.0921 HIDSwvd (bd205320308fb41c88a4049a2d1764b4) C:\WINDOWS\system32\DRIVERS\HIDSwvd.sys
2010/10/21 22:31:25.0015 hidusb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/10/21 22:31:25.0171 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/10/21 22:31:25.0343 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/10/21 22:31:25.0500 ialm (da58a8be6a445835f603720c4bc8837e) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2010/10/21 22:31:25.0609 IdeBusDr (791f0829de88dd0ca77192f0dfad03b6) C:\WINDOWS\system32\DRIVERS\IdeBusDr.sys
2010/10/21 22:31:25.0718 IdeChnDr (7d2b8be9e89628663c1fb571f7c34062) C:\WINDOWS\system32\DRIVERS\IdeChnDr.sys
2010/10/21 22:31:25.0843 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/10/21 22:31:26.0031 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/10/21 22:31:26.0125 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/10/21 22:31:26.0218 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2010/10/21 22:31:26.0312 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/10/21 22:31:26.0406 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/10/21 22:31:26.0500 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/10/21 22:31:26.0640 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/10/21 22:31:26.0859 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/10/21 22:31:26.0968 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/10/21 22:31:27.0078 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/10/21 22:31:27.0171 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/10/21 22:31:27.0265 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
2010/10/21 22:31:27.0390 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/10/21 22:31:27.0593 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/10/21 22:31:27.0640 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2010/10/21 22:31:27.0765 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/10/21 22:31:27.0875 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/10/21 22:31:27.0953 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/10/21 22:31:28.0093 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/10/21 22:31:28.0218 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/10/21 22:31:28.0359 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2010/10/21 22:31:28.0453 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/10/21 22:31:28.0531 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/10/21 22:31:28.0625 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/10/21 22:31:28.0718 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/10/21 22:31:28.0890 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
2010/10/21 22:31:29.0000 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2010/10/21 22:31:29.0093 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2010/10/21 22:31:29.0203 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2010/10/21 22:31:29.0296 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2010/10/21 22:31:29.0468 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/10/21 22:31:29.0562 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/10/21 22:31:29.0671 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/10/21 22:31:29.0781 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/10/21 22:31:29.0921 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/10/21 22:31:30.0015 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/10/21 22:31:30.0140 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/10/21 22:31:30.0250 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2010/10/21 22:31:30.0359 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/10/21 22:31:30.0484 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/10/21 22:31:30.0562 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/10/21 22:31:30.0656 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/10/21 22:31:30.0765 NwlnkIpx (79ea3fcda7067977625b3363a2657c80) C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys
2010/10/21 22:31:30.0906 NwlnkNb (56d34a67c05e94e16377c60609741ff8) C:\WINDOWS\system32\DRIVERS\nwlnknb.sys
2010/10/21 22:31:31.0000 NwlnkSpx (c0bb7d1615e1acbdc99757f6ceaf8cf0) C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys
2010/10/21 22:31:31.0093 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/10/21 22:31:31.0203 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/10/21 22:31:31.0296 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/10/21 22:31:31.0484 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/10/21 22:31:31.0546 pbfilter (65fb0c4aa30d84849e0e4c97cb5501ce) C:\Program Files\PeerBlock\pbfilter.sys
2010/10/21 22:31:31.0656 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/10/21 22:31:31.0906 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
2010/10/21 22:31:31.0984 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/10/21 22:31:32.0265 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/10/21 22:31:32.0375 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/10/21 22:31:32.0468 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/10/21 22:31:32.0546 QCDonner (fddd1aeb9f81ef1e6e48ae1edc2a97d6) C:\WINDOWS\system32\DRIVERS\OVCD.sys
2010/10/21 22:31:32.0765 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/10/21 22:31:32.0906 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/10/21 22:31:33.0000 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/10/21 22:31:33.0093 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/10/21 22:31:33.0187 Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/10/21 22:31:33.0281 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/10/21 22:31:33.0468 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/10/21 22:31:33.0578 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/10/21 22:31:33.0687 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/10/21 22:31:33.0875 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2010/10/21 22:31:33.0906 SASENUM (7ce61c25c159f50f9eaf6d77fc83fa35) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
2010/10/21 22:31:33.0984 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
2010/10/21 22:31:34.0062 SbieDrv (69af63abc08b418e613bd1241feb49e9) C:\Program Files\Sandboxie\SbieDrv.sys
2010/10/21 22:31:34.0156 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/10/21 22:31:34.0250 ser2plms (227df2e68510d25462ee80136722374e) C:\WINDOWS\system32\DRIVERS\ser2plms.sys
2010/10/21 22:31:34.0390 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/10/21 22:31:34.0484 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/10/21 22:31:34.0593 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
2010/10/21 22:31:35.0031 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2010/10/21 22:31:35.0125 SMBios (d72a21424ca66c7a745bd995eca6a710) C:\WINDOWS\system32\DRIVERS\SMBios.sys
2010/10/21 22:31:35.0203 smbusp (067114712715d88e1fccaba33e418e24) C:\WINDOWS\system32\DRIVERS\smb.sys
2010/10/21 22:31:35.0390 smwdm (c908f7a3326e794789cac485b73149b4) C:\WINDOWS\system32\drivers\smwdm.sys
2010/10/21 22:31:35.0515 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
2010/10/21 22:31:35.0609 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/10/21 22:31:35.0734 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/10/21 22:31:35.0906 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
2010/10/21 22:31:36.0000 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2010/10/21 22:31:36.0093 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/10/21 22:31:36.0187 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2010/10/21 22:31:36.0390 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/10/21 22:31:36.0515 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/10/21 22:31:36.0625 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/10/21 22:31:36.0718 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/10/21 22:31:36.0890 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/10/21 22:31:37.0093 TuneUpUtilitiesDrv (f2107c9d85ec0df116939ccce06ae697) C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys
2010/10/21 22:31:37.0203 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2010/10/21 22:31:37.0343 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
2010/10/21 22:31:37.0453 usbaudio (45a0d14b26c35497ad93bce7e15c9941) C:\WINDOWS\system32\drivers\usbaudio.sys
2010/10/21 22:31:37.0562 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/10/21 22:31:37.0609 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/10/21 22:31:37.0687 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/10/21 22:31:37.0859 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/10/21 22:31:37.0984 usbstor (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/10/21 22:31:38.0093 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/10/21 22:31:38.0187 VClone (1cdaa48cb2f7744b8d25650e050766a5) C:\WINDOWS\system32\DRIVERS\VClone.sys
2010/10/21 22:31:38.0281 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2010/10/21 22:31:38.0515 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/10/21 22:31:38.0562 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/10/21 22:31:38.0703 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/10/21 22:31:38.0875 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2010/10/21 22:31:38.0937 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/10/21 22:31:39.0062 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/10/21 22:31:39.0234 ================================================================================
2010/10/21 22:31:39.0234 Scan finished
2010/10/21 22:31:39.0234 ================================================================================

#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:51 PM

Posted 21 October 2010 - 09:50 PM

oh good! You didn't say in your last post, so I wasn't sure if you were still being redirected or not. That why I asked you to run that last tool. Okay then, no problem. :) Is everything else better as well? Can you tell if the spamming has stopped, or does that take some time? Please let me know. :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#13 Bret60

Bret60
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:51 PM

Posted 21 October 2010 - 10:07 PM

I only saw that spam sent out from my PC once. No more redirects. It's running smoothly. Do you think it's gone? Do you know if they still have my address book?

#14 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:51 PM

Posted 21 October 2010 - 10:23 PM

Glad it's better. :thumbup2: Not entirely sure that there is a "they" to blame here....it's entirely possible that those e-mails were sent from another address to many people, with the return address being your address, if that makes sense. That said, as long as the illegal OS remains intact, you should change all the passwords you can to be on the safe side. If you do have bank accounts, keep a close eye on them and report any nefarious activity. When the time comes, as of right now, your pictures and documents are safe to transfer to a clean system. I would still make double sure when you do, to scan everything with your AntiVirus.

Uninstall ComboFix by doing the following :

Click Start>Run>Type in, or copy and paste ComboFix /Uninstall > click OK

If you have any other questions, please feel free to ask. :)

tea

Edited by teacup61, 21 October 2010 - 10:24 PM.
typo....sorry

Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#15 Bret60

Bret60
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:51 PM

Posted 21 October 2010 - 10:29 PM

Thank you again, and.....sorry again. I'll get to backing up, and getting legit. Cheers.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users