Browser redirecting malware


15 replies to this topic

#1 TaylorWilliams
  • Members
  • 19 posts

Posted 26 October 2010 - 05:31 PM

I've been dealing with this nasty worm that has been redirecting my browser to sites like forless.com, partypoker, and icityfind.com This malware blocks access to Malwarebyes and SUPERantispyware so it doesn't even give me a chance to kill it. It may be a form of Conficker, but I am not sure.



#2 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,751 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 26 October 2010 - 06:13 PM

Hi, TaylorWilliams :)



Please download and run Rkill by Grinler from any of the following locations (Vista and Win7: to run the application, right click on Rkill and choose Run as an Administrator):

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" .
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 TaylorWilliams
  • Topic Starter
  • Members
  • 19 posts

Posted 27 October 2010 - 03:10 PM

Thank you for the fast reply.

I ran Rkill, but the malware won't even let me run Combofix.exe from my desktop.

#4 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,751 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 27 October 2010 - 03:52 PM

Download the enclosed folder.

Save and extract its contents to the desktop. Once extracted, open the folder and click on the Regtest.bat file and post the resulting report.



#5 TaylorWilliams
  • Topic Starter
  • Members
  • 19 posts

Posted 27 October 2010 - 04:18 PM

I'm sorry for not stating this earlier, but the 2nd link for Combofix ran but it's still scanning my computer after 45 mins. Must be really bad.
Should I extract that folder while Combofix is still running?

#6 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,751 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 27 October 2010 - 04:20 PM

I'm sorry for not stating this earlier, but the 2nd link for Combofix ran but it's still scanning my computer after 45 mins. Must be really bad.
Should I extract that folder while Combofix is still running?

No. Let's see what happens.



#7 TaylorWilliams
  • Topic Starter
  • Members
  • 19 posts

Posted 27 October 2010 - 04:45 PM

It seems that Combofix is severely slowing down the infected pc (I'm on a clean pc right now) to the point I can't even open it normally, I have to go through task manager to open the program. The bad pc also has the time stuck at 5:12 pm. Can't really determine if it's actually scanning or if the computer is frozen.

Edited by TaylorWilliams, 27 October 2010 - 04:45 PM.


#8 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,751 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 27 October 2010 - 04:51 PM

Close Combofix through the Task Manager. Extract and run the Regtest.bat as previously requested.

Edited by JSntgRvr, 27 October 2010 - 04:51 PM.



#9 TaylorWilliams
  • Topic Starter
  • Members
  • 19 posts

Posted 27 October 2010 - 05:09 PM

Here it is:

SteelWerX Registry Console Tool 3.0
Written by Bobbi Flekman 2006 ©

HKEY_LOCAL_MACHINE\software
<NO NAME> REG_SZ

HKEY_LOCAL_MACHINE\software\2Wire Inc.

HKEY_LOCAL_MACHINE\software\Adobe

HKEY_LOCAL_MACHINE\software\Ahead

HKEY_LOCAL_MACHINE\software\America Online

HKEY_LOCAL_MACHINE\software\Analog Devices

HKEY_LOCAL_MACHINE\software\Andrea Electronics

HKEY_LOCAL_MACHINE\software\AOL

HKEY_LOCAL_MACHINE\software\AT&T

HKEY_LOCAL_MACHINE\software\ATI Technologies

HKEY_LOCAL_MACHINE\software\brother

HKEY_LOCAL_MACHINE\software\BVRP Software, Inc

HKEY_LOCAL_MACHINE\software\C07ft5Y

HKEY_LOCAL_MACHINE\software\CCleaner

HKEY_LOCAL_MACHINE\software\Classes

HKEY_LOCAL_MACHINE\software\Clients

HKEY_LOCAL_MACHINE\software\Corel

HKEY_LOCAL_MACHINE\software\CXT

HKEY_LOCAL_MACHINE\software\DivXNetworks

HKEY_LOCAL_MACHINE\software\Dragon Systems

HKEY_LOCAL_MACHINE\software\EnigmaSoftwareGroup

HKEY_LOCAL_MACHINE\software\F.A. Davis

HKEY_LOCAL_MACHINE\software\Gemplus

HKEY_LOCAL_MACHINE\software\Google

HKEY_LOCAL_MACHINE\software\Hewlett-Packard

HKEY_LOCAL_MACHINE\software\HP

HKEY_LOCAL_MACHINE\software\HTH Engineering, Inc

HKEY_LOCAL_MACHINE\software\IBM

HKEY_LOCAL_MACHINE\software\illiminable

HKEY_LOCAL_MACHINE\software\InstalledOptions

HKEY_LOCAL_MACHINE\software\InstallShield

HKEY_LOCAL_MACHINE\software\Intel

HKEY_LOCAL_MACHINE\software\InterVideo

HKEY_LOCAL_MACHINE\software\Intuit

HKEY_LOCAL_MACHINE\software\JavaSoft

HKEY_LOCAL_MACHINE\software\JreMetrics

HKEY_LOCAL_MACHINE\software\L&H

HKEY_LOCAL_MACHINE\software\Lenovo

HKEY_LOCAL_MACHINE\software\Licenses

HKEY_LOCAL_MACHINE\software\Macromedia

HKEY_LOCAL_MACHINE\software\Macserlen

HKEY_LOCAL_MACHINE\software\Malwarebytes' Anti-Malware

HKEY_LOCAL_MACHINE\software\Mayer-Johnson

HKEY_LOCAL_MACHINE\software\MDC

HKEY_LOCAL_MACHINE\software\Microsoft

HKEY_LOCAL_MACHINE\software\MicroVision

HKEY_LOCAL_MACHINE\software\Mozilla

HKEY_LOCAL_MACHINE\software\mozilla.org

HKEY_LOCAL_MACHINE\software\MozillaPlugins

HKEY_LOCAL_MACHINE\software\Nero

HKEY_LOCAL_MACHINE\software\ODBC

HKEY_LOCAL_MACHINE\software\OpenOffice.org

HKEY_LOCAL_MACHINE\software\PCTools

HKEY_LOCAL_MACHINE\software\Policies

HKEY_LOCAL_MACHINE\software\Program Groups

HKEY_LOCAL_MACHINE\software\quicklookup

HKEY_LOCAL_MACHINE\software\RegisteredApplications

HKEY_LOCAL_MACHINE\software\Registration

HKEY_LOCAL_MACHINE\software\Riverdeep

HKEY_LOCAL_MACHINE\software\ScanSoft

HKEY_LOCAL_MACHINE\software\Schlumberger

HKEY_LOCAL_MACHINE\software\ShopAtHome

HKEY_LOCAL_MACHINE\software\Siber Systems

HKEY_LOCAL_MACHINE\software\SmartDraw.com

HKEY_LOCAL_MACHINE\software\Sonic

HKEY_LOCAL_MACHINE\software\Sony and LHS

HKEY_LOCAL_MACHINE\software\SpywareBlaster

HKEY_LOCAL_MACHINE\software\Staccato

HKEY_LOCAL_MACHINE\software\Sun Microsystems

HKEY_LOCAL_MACHINE\software\Sun Microsystems, Inc.

HKEY_LOCAL_MACHINE\software\SUPERAntiSpyware.com

HKEY_LOCAL_MACHINE\software\Swearware

HKEY_LOCAL_MACHINE\software\Symantec

HKEY_LOCAL_MACHINE\software\Synaptics

HKEY_LOCAL_MACHINE\software\SystemRequirementsLab

HKEY_LOCAL_MACHINE\software\ThinkVantage

HKEY_LOCAL_MACHINE\software\Tobii

HKEY_LOCAL_MACHINE\software\TrendMicro

HKEY_LOCAL_MACHINE\software\UIU

HKEY_LOCAL_MACHINE\software\Vantage Software Technologies

HKEY_LOCAL_MACHINE\software\Voice

HKEY_LOCAL_MACHINE\software\Widcomm

HKEY_LOCAL_MACHINE\software\Windows

HKEY_LOCAL_MACHINE\software\Windows 3.1 Migration Status

HKEY_LOCAL_MACHINE\software\Wise Solutions

HKEY_LOCAL_MACHINE\software\WoltersKluwerLWW

HKEY_LOCAL_MACHINE\software\Yahoo

Edited by TaylorWilliams, 27 October 2010 - 05:55 PM.


#10 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,751 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 27 October 2010 - 10:30 PM

No help there.

Remove your current copy of Combofix and download another copy as follows:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Myppopy as follows:


  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt", or Myppopy.txt as may be the case.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.



#11 TaylorWilliams
  • Topic Starter
  • Members
  • 19 posts

Posted 28 October 2010 - 03:21 PM

This is the ComboFix log:

ComboFix 10-10-27.A3 - AudioScribe User 10/28/2010 16:06:54.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.597 [GMT -4:00]
Running from: c:\documents and settings\AudioScribe User\Desktop\Mypoppy.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: PC Tools Firewall Plus *disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
FW: Symantec Client Firewall *disabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\AudioScribe User\System
c:\documents and settings\AudioScribe User\System\win_qs8.jqx
c:\program files\SelectRebates
c:\program files\SelectRebates\FFToolbar\chrome.manifest
c:\program files\SelectRebates\FFToolbar\chrome\sahtoolbar.jar
c:\program files\SelectRebates\FFToolbar\defaults\preferences\sahtoolbar.js
c:\program files\SelectRebates\FFToolbar\install.rdf
c:\program files\SelectRebates\SahImages\alert.png
c:\program files\SelectRebates\SahImages\check.png
c:\program files\SelectRebates\SahImages\close.png
c:\program files\SelectRebates\SelectAlerts.dat
c:\program files\SelectRebates\SelectRebates.exe
c:\program files\SelectRebates\SelectRebates.ini
c:\program files\SelectRebates\SelectRebatesA.dat
c:\program files\SelectRebates\SelectRebatesApi.exe
c:\program files\SelectRebates\SelectRebatesB.dat
c:\program files\SelectRebates\SelectRebatesBT.dat
c:\program files\SelectRebates\SelectRebatesDownload.exe
c:\program files\SelectRebates\SelectRebatesH.dat
c:\program files\SelectRebates\SelectRebatesUninstall.exe
c:\program files\SelectRebates\SRebates.dll
c:\program files\SelectRebates\SRFF3.dll
c:\program files\SelectRebates\Toolbar\AddtoList.bmp
c:\program files\SelectRebates\Toolbar\basis.xml
c:\program files\SelectRebates\Toolbar\Basis.xml.dym
c:\program files\SelectRebates\Toolbar\Blank.bmp
c:\program files\SelectRebates\Toolbar\CashBack.bmp
c:\program files\SelectRebates\Toolbar\Coupons.bmp
c:\program files\SelectRebates\Toolbar\GroceryCoupon.bmp
c:\program files\SelectRebates\Toolbar\i_magnifying.bmp
c:\program files\SelectRebates\Toolbar\icons.bmp
c:\program files\SelectRebates\Toolbar\ImageCache\alert-red.bmp
c:\program files\SelectRebates\Toolbar\logo.bmp
c:\program files\SelectRebates\Toolbar\logo_24.bmp
c:\program files\SelectRebates\Toolbar\logo_HotSpots.bmp
c:\program files\SelectRebates\Toolbar\ReviewSite.bmp
c:\program files\SelectRebates\Toolbar\RightControls.dym
c:\program files\SelectRebates\Toolbar\Scissors.bmp
c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15-3.inf
c:\windows\system32\iniasd.txt

Infected copy of c:\windows\system32\drivers\disk.sys was found and disinfected
Restored copy from - Kitty had a snack :P
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV


((((((((((((((((((((((((( Files Created from 2010-09-28 to 2010-10-28 )))))))))))))))))))))))))))))))
.

2010-10-28 20:06 . 2010-10-28 20:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-10-28 14:32 . 2010-10-28 14:32 -------- d-----w- c:\documents and settings\AudioScribe User\Application Data\Office Genuine Advantage
2010-10-26 21:20 . 2010-10-26 21:20 -------- d-----w- c:\documents and settings\AudioScribe User\Application Data\PCToolsFirewallPlus
2010-10-26 21:16 . 2009-11-23 17:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-10-26 21:16 . 2009-11-09 15:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-10-26 21:16 . 2010-01-07 16:40 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-10-26 21:16 . 2010-10-26 21:16 -------- d-----w- c:\program files\Common Files\PC Tools
2010-10-26 21:16 . 2010-01-12 13:34 70664 ----a-w- c:\windows\system32\drivers\pctNdis-PacketFilter.sys
2010-10-26 21:16 . 2010-01-07 15:35 58816 ----a-w- c:\windows\system32\drivers\pctNdis.sys
2010-10-26 21:16 . 2010-01-07 15:35 32680 ----a-w- c:\windows\system32\drivers\pctNdis-DNS.sys
2010-10-26 21:16 . 2010-01-13 12:59 115216 ----a-w- c:\windows\system32\drivers\pctplfw.sys
2010-10-26 21:16 . 2010-10-26 21:19 -------- d-----w- c:\program files\PC Tools Firewall Plus
2010-10-26 19:49 . 2010-10-26 19:49 388096 ----a-r- c:\documents and settings\AudioScribe User\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-10-26 19:41 . 2010-10-26 22:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-26 19:41 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-26 19:41 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-20 23:05 . 2010-10-20 23:05 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-10-18 15:01 . 2010-10-18 15:01 398744 ----a-r- c:\windows\system32\cpnprt2.cid
2010-10-18 15:01 . 2010-10-18 15:01 -------- d-----w- c:\program files\Coupons
2010-10-12 22:34 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-12 22:34 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2010-10-12 22:34 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-12 22:33 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-10-10 21:44 . 2010-10-10 21:44 -------- d-----w- c:\documents and settings\AudioScribe User\Application Data\ElevatedDiagnostics
2010-10-02 19:20 . 2010-10-05 19:57 -------- d-----w- c:\documents and settings\AudioScribe User\Local Settings\Application Data\WMTools Downloaded Files

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 16:23 . 1980-01-01 07:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 1980-01-01 07:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 1980-01-01 07:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 1980-01-01 07:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 1980-01-01 07:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 1980-01-01 07:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 1980-01-01 07:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51 . 1980-01-01 07:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 1980-01-01 07:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 1980-01-01 07:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 1980-01-01 07:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 1980-01-01 07:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-28 01:01 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 1980-01-01 07:00 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 1980-01-01 07:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 1980-01-01 07:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.

------- Sigcheck -------

[-] 2008-09-13 . 63999D0ABD8DABFD76A9C07F6E104868 . 295424 . . [5.1.2600.5512] . . c:\windows\system32\termsrv.dll
[7] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\termsrv.dll
[7] 2004-08-04 . B60C877D16D9C880B952FDA04ADF16E6 . 295424 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-04-05 160328]
"Google Update"="c:\documents and settings\AudioScribe User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-06-15 136176]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2010-01-12 3168216]

c:\documents and settings\AudioScribe User\Start Menu\Programs\Startup\
Dragon NaturallySpeaking.lnk - c:\program files\Nuance\NaturallySpeaking9\Program\natspeak.exe [2006-7-6 2297856]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 06:45 28672 ----a-w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 03:16 24576 ----a-w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=c:\windows\pss\ymetray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^AudioScribe User^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\AudioScribe User\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 05:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
2010-03-08 21:04 3972440 ----a-w- c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-14 01:12 110592 ----a-w- c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2005-06-02 16:21 48752 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 21:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2007-02-05 23:52 849280 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-02-16 21:15 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
2006-11-22 01:08 813912 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Message Center Plus]
2009-05-28 02:09 49976 ----a-w- c:\program files\Lenovo\Message Center Plus\MCPLaunch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-09-29 21:00 155648 ----a-w- c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-09-28 14:04 2424560 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
2008-04-14 00:12 143360 ----a-w- c:\windows\system32\mobsync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2008-07-04 05:10 1323008 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVT Scheduler Proxy]
2008-03-04 15:34 487424 ----a-w- c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
2005-08-19 00:22 85696 ----a-w- c:\progra~1\SYMANT~1\SYMANT~2\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 02:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2006-10-27 03:21 4662776 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
2003-07-11 19:51 57344 ----a-w- c:\program files\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
2006-07-21 16:43 407032 ----a-w- c:\progra~1\Yahoo!\YOP\yop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\AIM\\aim.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [10/26/2010 5:16 PM 233136]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R2 IOPort;IOPort;c:\windows\system32\drivers\IOPORT.SYS [9/20/2004 1:00 PM 6144]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [10/26/2010 5:16 PM 88040]
R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [10/26/2010 5:16 PM 70664]
R3 pctNDIS;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [10/26/2010 5:16 PM 58816]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [10/26/2010 5:16 PM 115216]
S2 gupdate1c9e88cc5f19d42;Google Update Service (gupdate1c9e88cc5f19d42);c:\program files\Google\Update\GoogleUpdate.exe [6/8/2009 6:59 PM 133104]
S2 Parclass;Parclass;c:\windows\system32\drivers\PARCLASS.SYS [9/11/2007 11:37 AM 19824]
S2 smihlp;SMI helper driver;\??\c:\program files\ThinkVantage Fingerprint Software\smihlp.sys --> c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [8/18/2005 8:22 PM 124608]

--- Other Services/Drivers In Memory ---

*Deregistered* - EraserUtilDrv10633
.
Contents of the 'Scheduled Tasks' folder

2010-10-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-12 19:22]

2010-10-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-08 22:59]

2010-10-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-08 22:59]

2010-10-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2686941812-3494764303-1661707221-1006Core.job
- c:\documents and settings\AudioScribe User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-19 21:34]

2010-10-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2686941812-3494764303-1661707221-1006UA.job
- c:\documents and settings\AudioScribe User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-19 21:34]

2010-10-28 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2009-11-17 16:21]

2006-09-12 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2006-09-01 00:32]

2010-10-28 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-28 03:18]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://yahoo.com/
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Yahoo! Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
Trusted Zone: eonstreams.com\players
Trusted Zone: wolam.com
Trusted Zone: yahoo.com\us.f818.mail
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-AdobeUpdater - c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
MSConfigStartUp-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
MSConfigStartUp-PRISMSVR - c:\windows\system32\PRISMSVR.EXE
MSConfigStartUp-qlu - c:\program files\QLU\qlu.exe
MSConfigStartUp-SelectRebates - c:\program files\SelectRebates\SelectRebates.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
AddRemove-Paradise Quest_is1 - e:\games\Paradise Quest\unins000.exe
AddRemove-Start Stop Universal Transcription System - c:\program files\HTH Engineering



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-28 16:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1780)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll

- - - - - - - > 'explorer.exe'(3008)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\system32\brss01a.exe
c:\windows\system32\crypserv.exe
c:\program files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\PC Tools Firewall Plus\FWService.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\tcpsvcs.exe
c:\program files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
c:\program files\Microsoft ActiveSync\wcescomm.exe
c:\program files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\progra~1\MICROS~4\rapimgr.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\lenovo\system update\suservice.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-10-28 16:18:41 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-28 20:18

Pre-Run: 73,549,918,208 bytes free
Post-Run: 73,654,702,080 bytes free

- - End Of File - - 3853938D13B03D31E78D27612509B7B7

Attached File: log.txt (22.63KB)

#12 JSntgRvr
Malware Response Team

Posted 28 October 2010 - 11:32 PM

I am glad it worked. Let's scan for remnants.

Please download Malwarebytes' Anti-Malware from Here. Never download Malwarebytes' Anti-Malware from other sources.

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java to download and install the latest version.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following are checked:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
Attention! Kaspersky Online Scanner 7.0 may fail to start if another anti-virus program is already installed and running on your computer. Please deactivate the anti-virus software installed on your computer prior to starting Kaspersky Online Scanner 7.0.

Upgrading Java :
  • Download the latest version of Java SE Runtime Environment (JRE), JRE 6 Update 21.
  • Click the JDK 6 Update 21 (JDK or JRE) "Download JRE" button to the right.
  • Select your Platform, Register and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement."
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u21-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running, especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right-click on the jre-6u21-windows-i586.exe and select "Run as an Administrator.")



#13 TaylorWilliams
Topic Starter

Posted 30 October 2010 - 03:19 PM

MBAM log:


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4986

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/29/2010 3:45:56 PM
mbam-log-2010-10-29 (15-45-56).txt

Scan type: Quick scan
Objects scanned: 153578
Time elapsed: 7 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\AudioScribe User\Desktop\explorer.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

KASPERSKY:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, October 30, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, October 30, 2010 07:36:52
Records in database: 4193834
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 79002
Threats found: 2
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 03:36:06


File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\024C0000\46CCAE26.VBN Infected: Virus.VBS.Redlof.a 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\disk.sys.vir Infected: Virus.Win32.TDSS.b 1

Selected area has been scanned.


#14 JSntgRvr
Malware Response Team

Posted 30 October 2010 - 06:24 PM

Delete this file and clear Norton's Quarantined items:

C:\Documents and Settings\AudioScribe User\Desktop\explorer.exe

How is it doing?



#15 TaylorWilliams
Topic Starter

Posted 31 October 2010 - 03:41 PM

I've had no redirect problems since Combofix ran. MBAM didn't really do any visual improvements. I think it's all good. :thumbup2:
