Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Browser is being redirected through soundsofopera.com (system wide)


  • This topic is locked This topic is locked
21 replies to this topic

#1 Jordainminister

Jordainminister

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:40 PM

Posted 25 March 2011 - 04:42 PM

Everytime i try to go to wmr-sports.net (this is the only site ive found this problem with) i get redirected. At the bottom of the left of the browser, (i use firefox 4) it says soundsofopera.com and redirects me to a random search engine sort of thing. heres the log

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Compaq_Owner at 16:36:34.21 on Fri 03/25/2011
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.703.179 [GMT -5:00]
.
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\h25lm4.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Belkin\F5D7050v3\Belkinwcui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Guitar Pro 5\GP5.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\InterMute\SpySubtract\SpySub.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Lzj.exe
C:\Documents and Settings\Compaq_Owner\My Documents\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
mDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
mSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://shop.trendmicro.com/tmasy/eol.html?X=300&Y=300&WIDTH=690&HEIGHT=480
uInternet Settings,ProxyOverride = <local>;*.local
uInternet Settings,ProxyServer = http=127.0.0.1:18810
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [quekydll] c:\docume~1\compaq~1\locals~1\temp\iynmfpwth\nfootsgsika.exe
uRun: [Ocubujaged] rundll32.exe "c:\windows\casgip.dll",Startup
uRun: [OUU6KC5WPX] c:\docume~1\compaq~1\locals~1\temp\Lzd.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [IS CfgWiz] c:\program files\norton internet security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
mRun: [URLLSTCK.exe] c:\program files\norton internet security\UrlLstCk.exe
mRun: [SSC_UserPrompt] c:\program files\common files\symantec shared\security center\UsrPrmpt.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [F5D7050v3] c:\program files\belkin\f5d7050v3\Belkinwcui.exe
mRun: [Ovihefameteqariw] rundll32.exe "c:\windows\ahofupeyegu.dll",Startup
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mExplorerRun: [p7za4d] c:\docume~1\compaq~1\locals~1\temp\h25lm4.exe
StartupFolder: c:\docume~1\compaq~1\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq connections\6750491\program\Compaq Connections.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\spysub~1.lnk - c:\program files\intermute\spysubtract\sslaunch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
SEH: {FA010552-4A27-4cb1-A1BB-3E2D697F1639} - No File
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\2s7c17b4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
.
---- FIREFOX POLICIES ----

============= SERVICES / DRIVERS ===============
.
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-8-28 197752]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2004-8-28 234616]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-8-28 164984]
R2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton internet security\norton antivirus\navapsvc.exe [2004-8-30 176768]
R2 SAVRTPEL;SAVRTPEL;c:\program files\norton internet security\norton antivirus\Savrtpel.sys [2004-7-23 49808]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-11-13 110592]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20041117.006\NAVENG.Sys [2005-2-15 72712]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20041117.006\NavEx15.Sys [2005-2-15 629544]
R3 SAVRT;SAVRT;c:\program files\norton internet security\norton antivirus\savrt.sys [2004-7-23 335504]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-8-28 78968]
S3 SAVScan;SAVScan;c:\program files\norton internet security\norton antivirus\SAVScan.exe [2004-7-23 197864]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2010-8-28 11520]
.
=============== Created Last 30 ================
.
2011-03-25 16:59:14 124416 ----a-w- c:\windows\Lqecab.exe
2011-03-25 01:14:32 0 ----a-w- c:\windows\Idoxeqetalajoqib.bin
2011-03-25 01:14:30 -------- d-----w- c:\docume~1\compaq~1\locals~1\applic~1\{E3D5D31F-1187-4E8F-A98D-AB93887848D7}
2011-03-25 01:13:13 149504 --sha-r- c:\windows\system32\tcmsetupl.dll
2011-03-25 01:12:37 124416 ----a-w- c:\windows\Lqecaa.exe
2011-03-24 18:43:20 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-03-24 18:43:19 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-03-24 18:43:19 728024 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-03-24 18:43:19 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2011-03-24 18:43:19 1975768 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-03-24 18:43:19 1893336 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-03-24 18:43:19 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-03-24 18:43:19 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2011-03-24 18:43:19 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-03-24 18:43:19 142296 ----a-w- c:\program files\mozilla firefox\libEGL.dll
.
==================== Find3M ====================
.
2011-02-18 21:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3160021A rev.8.11 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82B0E439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x82b147d0]; MOV EAX, [0x82b1484c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EDE00] -> \Device\Harddisk0\DR0[0x82B85AB8]
3 CLASSPNP[0xF7D3005B] -> ntkrnlpa!IofCallDriver[0x804EDE00] -> \Device\0000005f[0x82BCAF18]
5 ACPI[0xF7BC6620] -> ntkrnlpa!IofCallDriver[0x804EDE00] -> [0x82B35940]
\Driver\atapi[0x82AEEB78] -> IRP_MJ_CREATE -> 0x82B0E439
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5c; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST3160021A______________________________8.11____#4c33334a53524448202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x82B0E27F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 16:38:21.95 ===============

BC AdBot (Login to Remove)

 


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:40 PM

Posted 25 March 2011 - 04:44 PM

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 Jordainminister

Jordainminister
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:40 PM

Posted 25 March 2011 - 05:55 PM

it says it cant run because AVG targets it, and to uninstall AVG. But i dont have AVG on my computer

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:40 PM

Posted 25 March 2011 - 06:06 PM

Hi

Please try this:



Open notepad and copy/paste the text inside the codebox below into it:

REGISTRY::
[-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayRSAlert]
[-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayScanFinished]
[-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayScanFinishedThreatFound]
[-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayScanStarted]
[-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayUpdEnd]
[-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayUpdEndFail]
[-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayUpdStart]
[-HKEY_CURRENT_USER\AppEvents\Schemes\Apps\avgtray]
[-HKEY_CURRENT_USER\Software\Avg]
[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG9 Shell Extension]
[-HKEY_CLASSES_ROOT\.avgdx]
[-HKEY_CLASSES_ROOT\CLSID\{1152F8E0-69DB-4935-AFC3-59F8A5A86A3E}]
[-HKEY_CLASSES_ROOT\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
[-HKEY_CLASSES_ROOT\CLSID\{41B21542-2055-4212-A6F2-395CD109B14B}]
[-HKEY_CLASSES_ROOT\CLSID\{50A96677-4378-434d-9F4B-6B28B485933F}]
[-HKEY_CLASSES_ROOT\CLSID\{6F59E522-4689-156E-316C-D5B48819DE95}]
[-HKEY_CLASSES_ROOT\CLSID\{86E8C5B0-75B6-4ff2-B04F-6789CC7AE386}]
[-HKEY_CLASSES_ROOT\CLSID\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}]
[-HKEY_CLASSES_ROOT\CLSID\{EF0BB4CD-81FA-48AF-99B3-AB6C1F079BEC}]
[-HKEY_CLASSES_ROOT\CLSID\{F1FE4608-7924-4908-8E12-81CFA206F00A}]
[-HKEY_CLASSES_ROOT\CLSID\{F274614C-63F8-47D5-A4D1-FBDDE494F8D1}]
[-HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\AVG9 Shell Extension]
[-HKEY_CLASSES_ROOT\Installer\Features\36E852A15FD8BDA48923830A21D156BE]
[-HKEY_CLASSES_ROOT\Installer\Features\69BC3230A1222404483A39DE4E0799CF]
[-HKEY_CLASSES_ROOT\Installer\Features\CFD2C1F142D260E3CB8B271543DA9F98]
[-HKEY_CLASSES_ROOT\Installer\Products\36E852A15FD8BDA48923830A21D156BE]
[-HKEY_CLASSES_ROOT\Installer\Products\69BC3230A1222404483A39DE4E0799CF]
[-HKEY_CLASSES_ROOT\Installer\Products\CFD2C1F142D260E3CB8B271543DA9F98]
[-HKEY_CLASSES_ROOT\Installer\UpgradeCodes\06DD9E4F7F3FF9C41BC2BD64A2CE18FE]
[-HKEY_CLASSES_ROOT\Installer\UpgradeCodes\38F747DBDC97B4E459142E21199F9D10]
[-HKEY_CLASSES_ROOT\Installer\UpgradeCodes\41A387AA3A7A33D3590FA953D1350011]
[-HKEY_CLASSES_ROOT\LinkScannerIE.NavFilter]
[-HKEY_CLASSES_ROOT\LinkScannerIE.NavFilter.1]
[-HKEY_CLASSES_ROOT\MicroScanner.MicroScanner]
[-HKEY_CLASSES_ROOT\piffile\shellex\ContextMenuHandlers\AVG9 Shell Extension]
[-HKEY_CLASSES_ROOT\PROTOCOLS\Handler\linkscanner]
[-HKEY_LOCAL_MACHINE\SOFTWARE\AVG]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DevDiv\VC]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\AVGSE.DLL]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0323CB96-221A-4042-84A3-93EDE47099FC}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1A258E63-8DF5-4ADB-9832-38A0121D65EB}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AlwaysUnloadDll]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG]
DRIVER::
Avg
AVGIDSAgent
AVGIDSDriver
AVGIDSEH
AVGIDSFilter
AVGIDSShim
Avgldx86
Avgmfx86
Avgrkx86
Avgtdix
avgwd
FOLDER::
%SYSTEMDRIVE%\$AVG
%COMMONAPPDATA%\AVG10
%COMMONAPPDATA%\MFAData
%COMMONPROGRAMS%\AVG 2011
%APPDATA%\AVG10
%PROGRAMFILES%\AVG
%SYSTEM%\drivers\AVG
File::
%COMMONAPPDATA%\Common Files\6F59E522-4689-156E-316C-D5B48819DE95.dat
%COMMONDESKTOP%\AVG 2011.lnk
%SYSTEM%\drivers\AVGIDSDriver.sys
%SYSTEM%\drivers\AVGIDSEH.sys
%SYSTEM%\drivers\AVGIDSFilter.sys
%SYSTEM%\drivers\AVGIDSShim.sys
%SYSTEM%\drivers\avgldx86.sys
%SYSTEM%\drivers\avgmfx86.sys
%SYSTEM%\drivers\avgrkx86.sys
%SYSTEM%\drivers\avgtdix.sys

Save this as CFScript_AVG2011.txt

Posted Image
  • Referring to the screenshot above, drag CFScript_AVG2011.txt into ComboFix.exe.


    As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 Jordainminister

Jordainminister
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:40 PM

Posted 25 March 2011 - 10:59 PM

ComboFix 11-03-23.04 - Compaq_Owner 03/25/2011 22:39:45.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.703.479 [GMT -5:00]
Running from: c:\documents and settings\Compaq_Owner\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\Bleeping Computer\CFScript_AVG2011.txt
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
FILE ::
"c:\documents and settings\All Users\Application Data\Common Files\6F59E522-4689-156E-316C-D5B48819DE95.dat"
"c:\documents and settings\All Users\Desktop\AVG 2011.lnk"
"c:\windows\system32\drivers\AVGIDSDriver.sys"
"c:\windows\system32\drivers\AVGIDSEH.sys"
"c:\windows\system32\drivers\AVGIDSFilter.sys"
"c:\windows\system32\drivers\AVGIDSShim.sys"
"c:\windows\system32\drivers\avgldx86.sys"
"c:\windows\system32\drivers\avgmfx86.sys"
"c:\windows\system32\drivers\avgrkx86.sys"
"c:\windows\system32\drivers\avgtdix.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\2s7c17b4.default\extensions\{d48b509d-1732-4528-afe3-1da98654453e}
c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\2s7c17b4.default\extensions\{d48b509d-1732-4528-afe3-1da98654453e}\chrome.manifest
c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\2s7c17b4.default\extensions\{d48b509d-1732-4528-afe3-1da98654453e}\chrome\xulcache.jar
c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\2s7c17b4.default\extensions\{d48b509d-1732-4528-afe3-1da98654453e}\defaults\preferences\xulcache.js
c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\2s7c17b4.default\extensions\{d48b509d-1732-4528-afe3-1da98654453e}\install.rdf
c:\documents and settings\Compaq_Owner\Local Settings\Application Data\{E3D5D31F-1187-4E8F-A98D-AB93887848D7}
c:\documents and settings\Compaq_Owner\Local Settings\Application Data\{E3D5D31F-1187-4E8F-A98D-AB93887848D7}\chrome.manifest
c:\documents and settings\Compaq_Owner\Local Settings\Application Data\{E3D5D31F-1187-4E8F-A98D-AB93887848D7}\chrome\content\_cfg.js
c:\documents and settings\Compaq_Owner\Local Settings\Application Data\{E3D5D31F-1187-4E8F-A98D-AB93887848D7}\chrome\content\overlay.xul
c:\documents and settings\Compaq_Owner\Local Settings\Application Data\{E3D5D31F-1187-4E8F-A98D-AB93887848D7}\install.rdf
c:\program files\AVG
c:\program files\AVG\AVG8\avg.snu
c:\program files\AVG\AVG8\avg7api.dll
c:\program files\AVG\AVG8\avg8us.lng
c:\program files\AVG\AVG8\avgabout.dll
c:\program files\AVG\AVG8\avgamnot.dll
c:\program files\AVG\AVG8\avgapix.dll
c:\program files\AVG\AVG8\avgatend.stp
c:\program files\AVG\AVG8\avgatupd.stp
c:\program files\AVG\AVG8\avgbat.bav
c:\program files\AVG\AVG8\avgcclix.dll
c:\program files\AVG\AVG8\avgcfgex.exe
c:\program files\AVG\AVG8\avgcfgx.dll
c:\program files\AVG\AVG8\avgclitx.dll
c:\program files\AVG\AVG8\avgcmgr.exe
c:\program files\AVG\AVG8\avgcorex.dll
c:\program files\AVG\AVG8\avgcrlpx.dll
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\AVG\AVG8\avgdumpx.exe
c:\program files\AVG\AVG8\avgf8us.chm
c:\program files\AVG\AVG8\avgfree_us.mht
c:\program files\AVG\AVG8\avgfrw.exe
c:\program files\AVG\AVG8\avginet.dll
c:\program files\AVG\AVG8\avgiproxy.exe
c:\program files\AVG\AVG8\avglngx.dll
c:\program files\AVG\AVG8\avglogx.dll
c:\program files\AVG\AVG8\avglvex.dll
c:\program files\AVG\AVG8\avgmail.dll
c:\program files\AVG\AVG8\avgmvflx.dll
c:\program files\AVG\AVG8\avgmwdef_us.mht
c:\program files\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgoff2k.dll
c:\program files\AVG\AVG8\avgpp.dll
c:\program files\AVG\AVG8\avgresf.dll
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgsbfree_us.mht
c:\program files\AVG\AVG8\avgscanx.dll
c:\program files\AVG\AVG8\avgscanx.exe
c:\program files\AVG\AVG8\avgsched.dll
c:\program files\AVG\AVG8\avgse.dll
c:\program files\AVG\AVG8\avgsrmax.exe
c:\program files\AVG\AVG8\avgsrmx.dll
c:\program files\AVG\AVG8\avgssie.dll
c:\program files\AVG\AVG8\avgtray.exe
c:\program files\AVG\AVG8\avgui.exe
c:\program files\AVG\AVG8\avguiadv.dll
c:\program files\AVG\AVG8\avguires.dll
c:\program files\AVG\AVG8\avgupd.dll
c:\program files\AVG\AVG8\avgupd.exe
c:\program files\AVG\AVG8\avgvvx.dll
c:\program files\AVG\AVG8\avgwd.dll
c:\program files\AVG\AVG8\avgwdsvc.exe
c:\program files\AVG\AVG8\avgwdwsc.dll
c:\program files\AVG\AVG8\avgxch32.dll
c:\program files\AVG\AVG8\avgxpl.dll.prepare
c:\program files\AVG\AVG8\cf.dat
c:\program files\AVG\AVG8\cfg\mail.cfg
c:\program files\AVG\AVG8\contacts_us.html
c:\program files\AVG\AVG8\dbghelp.dll
c:\program files\AVG\AVG8\dfncfg.dat
c:\program files\AVG\AVG8\fixcfg.exe
c:\program files\AVG\AVG8\fixfp.exe
c:\program files\AVG\AVG8\Icons\background_middle_gray.gif
c:\program files\AVG\AVG8\Icons\background_middle_green.gif
c:\program files\AVG\AVG8\Icons\background_middle_orange.gif
c:\program files\AVG\AVG8\Icons\background_middle_red.gif
c:\program files\AVG\AVG8\Icons\background_middle_yellow.gif
c:\program files\AVG\AVG8\Icons\background_top_gray.gif
c:\program files\AVG\AVG8\Icons\background_top_green.gif
c:\program files\AVG\AVG8\Icons\background_top_orange.gif
c:\program files\AVG\AVG8\Icons\background_top_red.gif
c:\program files\AVG\AVG8\Icons\background_top_yellow.gif
c:\program files\AVG\AVG8\Icons\block-doc.gif
c:\program files\AVG\AVG8\Icons\blocked.gif
c:\program files\AVG\AVG8\Icons\border_bottom_gray.gif
c:\program files\AVG\AVG8\Icons\border_bottom_green.gif
c:\program files\AVG\AVG8\Icons\border_bottom_orange.gif
c:\program files\AVG\AVG8\Icons\border_bottom_red.gif
c:\program files\AVG\AVG8\Icons\border_bottom_yellow.gif
c:\program files\AVG\AVG8\Icons\border_top_gray.gif
c:\program files\AVG\AVG8\Icons\border_top_green.gif
c:\program files\AVG\AVG8\Icons\border_top_orange.gif
c:\program files\AVG\AVG8\Icons\border_top_red.gif
c:\program files\AVG\AVG8\Icons\border_top_yellow.gif
c:\program files\AVG\AVG8\Icons\box_bottom_red.gif
c:\program files\AVG\AVG8\Icons\box_top_red.gif
c:\program files\AVG\AVG8\Icons\caution.gif
c:\program files\AVG\AVG8\Icons\click_here_gray.gif
c:\program files\AVG\AVG8\Icons\click_here_green.gif
c:\program files\AVG\AVG8\Icons\click_here_orange.gif
c:\program files\AVG\AVG8\Icons\click_here_red.gif
c:\program files\AVG\AVG8\Icons\click_here_yellow.gif
c:\program files\AVG\AVG8\Icons\clock.gif
c:\program files\AVG\AVG8\Icons\close.gif
c:\program files\AVG\AVG8\Icons\icons_blocked.gif
c:\program files\AVG\AVG8\Icons\icons_caution.gif
c:\program files\AVG\AVG8\Icons\icons_close.gif
c:\program files\AVG\AVG8\Icons\icons_safe.gif
c:\program files\AVG\AVG8\Icons\icons_unknown.gif
c:\program files\AVG\AVG8\Icons\icons_warning.gif
c:\program files\AVG\AVG8\Icons\LS_Logo_Results.gif
c:\program files\AVG\AVG8\Icons\safe.gif
c:\program files\AVG\AVG8\Icons\unknown.gif
c:\program files\AVG\AVG8\Icons\warning.gif
c:\program files\AVG\AVG8\license_us.txt
c:\program files\AVG\AVG8\Notification\arrow.png
c:\program files\AVG\AVG8\Notification\button_left.png
c:\program files\AVG\AVG8\Notification\button_left_hover.png
c:\program files\AVG\AVG8\Notification\button_right.png
c:\program files\AVG\AVG8\Notification\button_right_hover.png
c:\program files\AVG\AVG8\Notification\footer-message.gif
c:\program files\AVG\AVG8\Notification\head_blue_bg.png
c:\program files\AVG\AVG8\Notification\head_red_bg.png
c:\program files\AVG\AVG8\Notification\head_yellow_bg.png
c:\program files\AVG\AVG8\Notification\style.css
c:\program files\AVG\AVG8\Notification\upgrade-oportunity-avg85-message1.html
c:\program files\AVG\AVG8\Notification\upgrade-oportunity-avg85-message2.html
c:\program files\AVG\AVG8\Notification\upgrade-oportunity-avgavf85.gif
c:\program files\AVG\AVG8\Notification\upgrade-oportunity-avgis85.gif
c:\program files\AVG\AVG8\ph.dat
c:\program files\AVG\AVG8\sb.dat
c:\program files\AVG\AVG8\sb.dat.xcd
c:\program files\AVG\AVG8\sb2.dat
c:\program files\AVG\AVG8\sc.dat
c:\program files\AVG\AVG8\sc.dat.xcd
c:\program files\AVG\AVG8\setup.dat
c:\program files\AVG\AVG8\setup.exe
c:\program files\AVG\AVG8\setupus.lns
c:\program files\AVG\AVG8\updatecomps.bak
c:\program files\Mozilla Firefox\extensions\{E03676DC-ED77-4308-A030-54668E2A6911}
c:\program files\Mozilla Firefox\extensions\{E03676DC-ED77-4308-A030-54668E2A6911}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{E03676DC-ED77-4308-A030-54668E2A6911}\chrome\content\overlay.xul
c:\program files\Mozilla Firefox\extensions\{E03676DC-ED77-4308-A030-54668E2A6911}\install.rdf
c:\program files\Search Settings
c:\program files\Search Settings\kb127\SearchSettings.dll
c:\program files\Search Settings\kb127\SearchSettingsRes409.dll
c:\program files\Search Settings\SearchSettings.exe
c:\windows\ahofupeyegu.dll
c:\windows\run.log
c:\windows\system32\itlnfw32.dll
c:\windows\system32\itlpfw32.dll
D:\Autorun.inf
D:\b.exe
D:\resycled
D:\winlogon.exe
.
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Legacy_ITLPERF
-------\Service_6to4
-------\Service_itlperf
.
.
((((((((((((((((((((((((( Files Created from 2011-02-26 to 2011-03-26 )))))))))))))))))))))))))))))))
.
.
2011-03-26 03:25 . 2011-03-26 03:30 -------- d-----w- C:\32788R22FWJFW
2011-03-26 00:03 . 2011-03-26 00:03 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-03-25 22:32 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-25 22:32 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-25 21:21 . 2011-03-25 21:22 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\FileZilla
2011-03-25 21:19 . 2011-03-25 21:20 -------- d-----w- c:\program files\FileZilla FTP Client
2011-03-25 16:10 . 2011-03-25 16:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-03-25 01:14 . 2011-03-25 16:01 0 ----a-w- c:\windows\Idoxeqetalajoqib.bin
2011-03-25 01:13 . 2011-03-25 01:13 149504 --sha-r- c:\windows\system32\tcmsetupl.dll
2011-03-24 18:43 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-03-24 18:43 . 2011-03-18 17:53 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-03-24 18:43 . 2011-03-18 17:53 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-03-24 18:43 . 2011-03-18 17:53 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-03-24 18:43 . 2011-03-18 17:53 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
2011-03-24 18:43 . 2011-03-18 17:53 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-03-24 18:43 . 2011-03-18 17:53 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-03-24 18:43 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-03-24 18:43 . 2011-03-18 17:53 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-03-24 18:43 . 2011-03-18 17:53 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-21 02:14 . 2011-02-21 02:14 388096 ----a-r- c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-02-18 21:36 . 2010-08-30 03:20 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 21:36 . 2010-08-30 03:20 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-03-18 17:53 . 2011-03-24 18:43 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-08-17 322352]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-30 88363]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-02-16 180269]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-08-28 58488]
"IS CfgWiz"="c:\program files\Norton Internet Security\cfgwiz.exe" [2004-08-18 132248]
"URLLSTCK.exe"="c:\program files\Norton Internet Security\UrlLstCk.exe" [2004-08-31 33936]
"SSC_UserPrompt"="c:\program files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-08-06 218240]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-08 57344]
"PS2"="c:\windows\system32\ps2.exe" [2003-09-13 98304]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 253952]
"F5D7050v3"="c:\program files\Belkin\F5D7050v3\Belkinwcui.exe" [2007-10-31 1654784]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
.
c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-9-30 503808]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Compaq Connections.lnk - c:\program files\Compaq Connections\6750491\Program\Compaq Connections.exe [2005-2-15 45056]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
SpySubtract.lnk - c:\program files\InterMute\SpySubtract\sslaunch.exe [2005-2-15 73728]
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-11-13 2057536]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2009-11-13 9117504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Pocket Tanks Deluxe\\pockettanks.exe"=
.
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [11/13/2009 3:28 PM 110592]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 12:58 PM 20480]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [8/28/2010 12:14 AM 11520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
itlsvc REG_MULTI_SZ itlperf
.
Contents of the 'Scheduled Tasks' folder
.
2010-08-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
2011-03-26 c:\windows\Tasks\ffa24bb3.job
- c:\documents and settings\Compaq_Owner\Application Data\ffa24bb3.exe [2006-10-22 00:00]
.
2011-03-26 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-05-26 19:23]
.
2005-02-16 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-02-16 08:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://shop.trendmicro.com/tmasy/eol.html?X=300&Y=300&WIDTH=690&HEIGHT=480
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\2s7c17b4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=

.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-Ovihefameteqariw - c:\windows\ahofupeyegu.dll
ShellExecuteHooks-{FA010552-4A27-4cb1-A1BB-3E2D697F1639} - (no file)
Notify-itlntfy - itlnfw32.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-25 22:50
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1788)
c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\windows\AGRSMMSG.exe
c:\windows\ALCXMNTR.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\InterMute\SpySubtract\SpySub.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
.
**************************************************************************
.
Completion time: 2011-03-25 22:57:25 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-26 03:57
.
Pre-Run: 105,886,035,968 bytes free
Post-Run: 127,315,644,416 bytes free
.
- - End Of File - - 69567A40B8E34C9DB0A55D0D56D0BA33

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:40 PM

Posted 25 March 2011 - 11:38 PM

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic387114.html/page__view__findpost__p__2182648

Collect::
c:\windows\system32\tcmsetupl.dll
c:\windows\Tasks\ffa24bb3.job
c:\documents and settings\Compaq_Owner\Application Data\ffa24bb3.exe

File::
c:\windows\Idoxeqetalajoqib.bin

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"itlsvc"=-

NetSvc::
itlsvc

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT

Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 Jordainminister

Jordainminister
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:40 PM

Posted 27 March 2011 - 04:41 PM

ComboFix 11-03-26.01 - Compaq_Owner 03/27/2011 17:22:12.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.703.279 [GMT -5:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\Bleeping Computer\CFScript.txt
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
FILE ::
"c:\windows\Idoxeqetalajoqib.bin"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Compaq_Owner\Local Settings\Application Data\{BA7D5A28-8746-4A7F-9D00-5E26BADBF99D}
c:\documents and settings\Compaq_Owner\Local Settings\Application Data\{BA7D5A28-8746-4A7F-9D00-5E26BADBF99D}\chrome.manifest
c:\documents and settings\Compaq_Owner\Local Settings\Application Data\{BA7D5A28-8746-4A7F-9D00-5E26BADBF99D}\chrome\content\_cfg.js
c:\documents and settings\Compaq_Owner\Local Settings\Application Data\{BA7D5A28-8746-4A7F-9D00-5E26BADBF99D}\chrome\content\overlay.xul
c:\documents and settings\Compaq_Owner\Local Settings\Application Data\{BA7D5A28-8746-4A7F-9D00-5E26BADBF99D}\install.rdf
c:\documents and settings\Compaq_Owner\Local Settings\Temp\IadHide5.dll
c:\windows\Idoxeqetalajoqib.bin
c:\windows\system32\drivers\jsquouou.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_skhx
.
.
((((((((((((((((((((((((( Files Created from 2011-02-27 to 2011-03-27 )))))))))))))))))))))))))))))))
.
.
2011-03-26 23:31 . 2011-03-26 23:31 -------- d-----w- c:\program files\ESET
2011-03-26 00:03 . 2011-03-26 00:03 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-03-25 22:32 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-25 22:32 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-25 21:21 . 2011-03-25 21:22 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\FileZilla
2011-03-25 21:19 . 2011-03-25 21:20 -------- d-----w- c:\program files\FileZilla FTP Client
2011-03-25 16:10 . 2011-03-25 16:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-03-24 18:43 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-03-24 18:43 . 2011-03-18 17:53 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-03-24 18:43 . 2011-03-18 17:53 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-03-24 18:43 . 2011-03-18 17:53 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-03-24 18:43 . 2011-03-18 17:53 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
2011-03-24 18:43 . 2011-03-18 17:53 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-03-24 18:43 . 2011-03-18 17:53 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-03-24 18:43 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-03-24 18:43 . 2011-03-18 17:53 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-03-24 18:43 . 2011-03-18 17:53 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-21 02:14 . 2011-02-21 02:14 388096 ----a-r- c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-02-18 21:36 . 2010-08-30 03:20 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 21:36 . 2010-08-30 03:20 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-03-18 17:53 . 2011-03-24 18:43 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-08-17 322352]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-30 88363]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-02-16 180269]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-08-28 58488]
"IS CfgWiz"="c:\program files\Norton Internet Security\cfgwiz.exe" [2004-08-18 132248]
"URLLSTCK.exe"="c:\program files\Norton Internet Security\UrlLstCk.exe" [2004-08-31 33936]
"SSC_UserPrompt"="c:\program files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-08-06 218240]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-08 57344]
"PS2"="c:\windows\system32\ps2.exe" [2003-09-13 98304]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 253952]
"F5D7050v3"="c:\program files\Belkin\F5D7050v3\Belkinwcui.exe" [2007-10-31 1654784]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
.
c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-9-30 503808]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Compaq Connections.lnk - c:\program files\Compaq Connections\6750491\Program\Compaq Connections.exe [2005-2-15 45056]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
SpySubtract.lnk - c:\program files\InterMute\SpySubtract\sslaunch.exe [2005-2-15 73728]
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-11-13 2057536]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2009-11-13 9117504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Taskman"=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Pocket Tanks Deluxe\\pockettanks.exe"=
.
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [11/13/2009 3:28 PM 110592]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 12:58 PM 20480]
S3 CFcatchme;CFcatchme;\??\c:\docume~1\COMPAQ~1\LOCALS~1\Temp\CFcatchme.sys --> c:\docume~1\COMPAQ~1\LOCALS~1\Temp\CFcatchme.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [8/28/2010 12:14 AM 11520]
.
Contents of the 'Scheduled Tasks' folder
.
2010-08-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
2011-03-27 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-05-26 19:23]
.
2005-02-16 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-02-16 08:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://shop.trendmicro.com/tmasy/eol.html?X=300&Y=300&WIDTH=690&HEIGHT=480
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\2s7c17b4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=

.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-27 17:32
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2892)
c:\windows\system32\msi.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
c:\windows\AGRSMMSG.exe
c:\windows\ALCXMNTR.EXE
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\InterMute\SpySubtract\SpySub.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
.
**************************************************************************
.
Completion time: 2011-03-27 17:38:02 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-27 22:37
ComboFix2.txt 2011-03-26 23:20
ComboFix3.txt 2011-03-26 03:57
.
Pre-Run: 128,065,859,584 bytes free
Post-Run: 128,069,836,800 bytes free
.
- - End Of File - - BB0C08E4D4089DD3349836C909813CED

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6172

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

3/27/2011 5:19:05 PM
mbam-log-2011-03-27 (17-19-05).txt

Scan type: Quick scan
Objects scanned: 142350
Time elapsed: 5 minute(s), 25 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
c:\documents and settings\compaq_owner\local settings\application data\iol.exe (Trojan.FakeAlert) -> 3728 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ovihefameteqariw (Trojan.Hiloti) -> Value: Ovihefameteqariw -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ocubujaged (Trojan.Hiloti) -> Value: Ocubujaged -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\compaq_owner\local settings\application data\iol.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\ucifosiziwawazu.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\WINDOWS\casgip.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\documents and settings\compaq_owner\local settings\temp\E.tmp (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\documents and settings\compaq_owner\local settings\temporary internet files\Content.IE5\9SBUV5FP\load[1].htm (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\documents and settings\compaq_owner\local settings\temporary internet files\Content.IE5\H9S23M5O\load[2].htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.

ESET is still coming...

Edited by Jordainminister, 27 March 2011 - 04:43 PM.


#8 Jordainminister

Jordainminister
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:40 PM

Posted 27 March 2011 - 04:57 PM

ESET seems to just stall at 10 percent. its been there for almost 20 minutes.

#9 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:40 PM

Posted 27 March 2011 - 05:53 PM

Run this program first,set a new restore point and clear the old ones, then try it again:

Download TFC to your desktop
Mirror
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish it's job
  • Once its finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean
It's normal after running TFC cleaner that the PC will be slower to boot the first time.


NEXT



Click Start > Run > copy and paste the following into the run box:

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next.
Name it (something you'll remember) and click Create,
when the confirmation screen shows the restore point has been created click Close.

Now remove all previous Restore Points:
Click Start > Run > copy and paste the following into the run box:

cleanmgr

Choose to scan drive C:\ (if C:\ is your main drive) At the top, click on More Options tab. Click the Clean up button in the System Restore box.
Click on the Yes button.
When finished, click on Cancel button to exit.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#10 Jordainminister

Jordainminister
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:40 PM

Posted 01 April 2011 - 11:52 AM

ESET:

C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\6.0\1\4ca69f41-3aa4f811 multiple threats
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\6.0\12\1785434c-3673ca68 a variant of Java/Exploit.Agent.NAC trojan
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\6.0\15\310e48cf-6f375b3e Java/TrojanDownloader.Agent.NAP trojan
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\6.0\15\42d2050f-718c56a7 multiple threats
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\6.0\16\9908890-1d1dac68 multiple threats
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\6.0\18\5f812792-6df8c030 multiple threats
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\6.0\18\6eb74992-6e875e63 multiple threats
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\6.0\19\2aec6bd3-1ad05828 probably a variant of Java/TrojanDownloader.Agent.AB trojan
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\6.0\20\1ab7b894-10c52aca Java/TrojanDownloader.Agent.NAM trojan
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\6.0\22\d1ed7d6-53a21753 multiple threats
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\6.0\25\16646899-2e6eba3a multiple threats
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\6.0\25\2b854b99-236a3d9f a variant of Java/TrojanDownloader.OpenStream.NBF trojan
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\6.0\32\30686be0-61d50d45 Java/TrojanDownloader.Agent.NAM trojan
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\6.0\33\2938ae1-1c2f9463 Java/TrojanDownloader.Agent.NAM trojan
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\6.0\36\1d6baaa4-55ed55ce multiple threats
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\6.0\38\113000e6-52fb6f78 multiple threats
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\6.0\41\23ea3369-438d4be3 multiple threats
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\6.0\42\4251676a-4f4b19d3 a variant of Java/Exploit.Agent.NAL trojan
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\6.0\43\2f82d16b-726f82a6 multiple threats
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\6.0\46\1862f8ee-289e25dd a variant of OSX/Exploit.Smid.B trojan
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\6.0\56\2d475f78-51684b49 multiple threats
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\6.0\56\6278ff38-302a8b78 Java/TrojanDownloader.Agent.NAQ trojan
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\6.0\62\46ba42fe-6c8b8e32 Java/TrojanDownloader.OpenStream.NBL trojan
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\6.0\7\3e142047-242a4d2e a variant of Java/Exploit.Agent.NAC trojan
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\bof.jar-7a0e070a-19d63c4e.zip multiple threats
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count1.val-135ad73e-5fb2a9e1.zip multiple threats
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\des.jar-5c4d836d-646e9c3d.zip multiple threats
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\gsb2.jar-592f208f-78d68ae8.zip multiple threats
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\j2_t895.jar-75c7e7b8-30d03e1e.zip multiple threats
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmaudio.jar-433a0d47-2a834390.zip probably a variant of Win32/Agent.HRYTTOE trojan
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmaudio.jar-433a0d47-6c87d11c.zip Java/TrojanDownloader.Agent.NBL trojan
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmseria.jar-14eacc21-134fd7d0.zip multiple threats
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmseria.jar-15c901e9-4c994c53.zip multiple threats
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmseria.jar-15c901e9-6cf99093.zip Java/TrojanDownloader.Agent.NBK trojan
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsetfi.jar-7ae7aa96-1137a9ec.zip Java/TrojanDownloader.Agent.NBM trojan
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsetfi.jar-7ae7aa96-6aca92ca.zip probably a variant of Win32/Agent.FPEXZHL trojan
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\khscb.jar-5beaeb73-23ad47a4.zip multiple threats
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\mjgbc.jar-57c49b09-3d96c4fb.zip multiple threats
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ycwf.jar-70bfc555-63dc1d76.zip multiple threats
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\zcj_q.jar-7851d27a-7673654a.zip multiple threats
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\zpup.jar-729bd9f0-43425ad3.zip multiple threats
C:\Documents and Settings\Compaq_Owner\Desktop\Back Up\Guitar Pro 6\Guitar Pro 6.0.1 r7840 (no MAC change + Fixed Patch)\crack-pavka77-GP6.0.1-7840.rar probably a variant of Win32/HackTool.Patcher.A application
C:\Documents and Settings\Compaq_Owner\Desktop\Wii\autorun.inf Win32/AutoRun.Agent.BE worm
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\gfgdkvtfw\paqccdutssd.exe Win32/Adware.SpywareProtect2009 application
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\mqsxyqyiq\abaoamwtssd.exe Win32/Adware.SpywareProtect2009 application
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\payraeqxp\jrihqtftssd.exe Win32/Adware.SpywareProtect2009 application
C:\Program Files\Guitar Pro 6\guitarpro6-patch-Fixed.exe probably a variant of Win32/HackTool.Patcher.A application
C:\Qoobox\Quarantine\[4]-Submit_2011-03-26_18.04.57.zip multiple threats
C:\Qoobox\Quarantine\C\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\2s7c17b4.default\extensions\{d48b509d-1732-4528-afe3-1da98654453e}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\2s7c17b4.default\extensions\{d48b509d-1732-4528-afe3-1da98654453e}\chrome\xulcache.jar.vir JS/Agent.NCP trojan
C:\Qoobox\Quarantine\C\WINDOWS\ahofupeyegu.dll.vir a variant of Win32/Cimag.GK trojan
C:\Qoobox\Quarantine\D\Autorun.inf.vir INF/Autorun virus
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP3\A0004844.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP3\A0004901.dll a variant of Win32/Cimag.GK trojan
D:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP3\A0004904.inf INF/Autorun virus

#11 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:40 PM

Posted 01 April 2011 - 04:35 PM

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic387114.html/page__view__findpost__p__2190552

File::
C:\Documents and Settings\Compaq_Owner\Desktop\Back Up\Guitar Pro 6\Guitar Pro 6.0.1 r7840 (no MAC change + Fixed Patch)\crack-pavka77-GP6.0.1-7840.rar 
C:\Documents and Settings\Compaq_Owner\Desktop\Wii\autorun.inf 
C:\Program Files\Guitar Pro 6\guitarpro6-patch-Fixed.exe 

Collect::
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\gfgdkvtfw\paqccdutssd.exe 
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\mqsxyqyiq\abaoamwtssd.exe 
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\payraeqxp\jrihqtftssd.exe 


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT



Posted Image Your Java is out of date.
Java™ 6 Update 23 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now.
An update should begin; > follow the prompts.


Clear Java cache

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup) If you do not see the icon, look to your left and click 'Switch to Classic View'.
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#12 Jordainminister

Jordainminister
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:40 PM

Posted 01 April 2011 - 06:00 PM

ComboFix 11-03-26.01 - Compaq_Owner 04/01/2011 17:42:08.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.703.456 [GMT -5:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\Bleeping Computer\CFScript.txt
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
- REDUCED FUNCTIONALITY MODE -
.
FILE ::
"c:\documents and settings\Compaq_Owner\Desktop\Back Up\Guitar Pro 6\Guitar Pro 6.0.1 r7840 (no MAC change + Fixed Patch)\crack-pavka77-GP6.0.1-7840.rar"
"c:\documents and settings\Compaq_Owner\Desktop\Wii\autorun.inf"
"c:\program files\Guitar Pro 6\guitarpro6-patch-Fixed.exe"
.
file zipped: c:\documents and settings\Compaq_Owner\Local Settings\Application Data\gfgdkvtfw\paqccdutssd.exe
file zipped: c:\documents and settings\Compaq_Owner\Local Settings\Application Data\mqsxyqyiq\abaoamwtssd.exe
file zipped: c:\documents and settings\Compaq_Owner\Local Settings\Application Data\payraeqxp\jrihqtftssd.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Compaq_Owner\Desktop\Back Up\Guitar Pro 6\Guitar Pro 6.0.1 r7840 (no MAC change + Fixed Patch)\crack-pavka77-GP6.0.1-7840.rar
c:\documents and settings\Compaq_Owner\Desktop\Wii\autorun.inf
c:\documents and settings\Compaq_Owner\Local Settings\Application Data\gfgdkvtfw\paqccdutssd.exe
c:\documents and settings\Compaq_Owner\Local Settings\Application Data\mqsxyqyiq\abaoamwtssd.exe
c:\documents and settings\Compaq_Owner\Local Settings\Application Data\payraeqxp\jrihqtftssd.exe
c:\documents and settings\Compaq_Owner\Local Settings\Temp\IadHide5.dll
c:\program files\Guitar Pro 6\guitarpro6-patch-Fixed.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-03-01 to 2011-04-01 )))))))))))))))))))))))))))))))
.
.
2011-03-26 23:31 . 2011-03-26 23:31 -------- d-----w- c:\program files\ESET
2011-03-26 00:03 . 2011-03-26 00:03 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-03-25 22:32 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-25 22:32 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-25 21:21 . 2011-03-25 21:22 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\FileZilla
2011-03-25 21:19 . 2011-03-25 21:20 -------- d-----w- c:\program files\FileZilla FTP Client
2011-03-25 16:10 . 2011-03-25 16:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-03-24 18:43 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-03-24 18:43 . 2011-03-18 17:53 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-03-24 18:43 . 2011-03-18 17:53 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-03-24 18:43 . 2011-03-18 17:53 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-03-24 18:43 . 2011-03-18 17:53 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
2011-03-24 18:43 . 2011-03-18 17:53 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-03-24 18:43 . 2011-03-18 17:53 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-03-24 18:43 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-03-24 18:43 . 2011-03-18 17:53 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-03-24 18:43 . 2011-03-18 17:53 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-21 02:14 . 2011-02-21 02:14 388096 ----a-r- c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-02-18 21:36 . 2010-08-30 03:20 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 21:36 . 2010-08-30 03:20 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-03-18 17:53 . 2011-03-24 18:43 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-08-17 322352]
"Google Update"="c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2011-04-01 136176]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-30 88363]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-02-16 180269]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-08-28 58488]
"IS CfgWiz"="c:\program files\Norton Internet Security\cfgwiz.exe" [2004-08-18 132248]
"URLLSTCK.exe"="c:\program files\Norton Internet Security\UrlLstCk.exe" [2004-08-31 33936]
"SSC_UserPrompt"="c:\program files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-08-06 218240]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-08 57344]
"PS2"="c:\windows\system32\ps2.exe" [2003-09-13 98304]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 253952]
"F5D7050v3"="c:\program files\Belkin\F5D7050v3\Belkinwcui.exe" [2007-10-31 1654784]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
.
c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-9-30 503808]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Compaq Connections.lnk - c:\program files\Compaq Connections\6750491\Program\Compaq Connections.exe [2005-2-15 45056]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
SpySubtract.lnk - c:\program files\InterMute\SpySubtract\sslaunch.exe [2005-2-15 73728]
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-11-13 2057536]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2009-11-13 9117504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Pocket Tanks Deluxe\\pockettanks.exe"=
.
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [11/13/2009 3:28 PM 110592]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 12:58 PM 20480]
S3 CFcatchme;CFcatchme;\??\c:\docume~1\COMPAQ~1\LOCALS~1\Temp\CFcatchme.sys --> c:\docume~1\COMPAQ~1\LOCALS~1\Temp\CFcatchme.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [8/28/2010 12:14 AM 11520]
.
Contents of the 'Scheduled Tasks' folder
.
2010-08-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
2011-04-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1793508375-804412471-397176574-1009Core.job
- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-04-01 16:59]
.
2011-04-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1793508375-804412471-397176574-1009UA.job
- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-04-01 16:59]
.
2011-04-01 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-05-26 19:23]
.
2005-02-16 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-02-16 08:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://shop.trendmicro.com/tmasy/eol.html?X=300&Y=300&WIDTH=690&HEIGHT=480
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\2s7c17b4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=

.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-01 17:46
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2892)
c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
c:\windows\AGRSMMSG.exe
c:\windows\ALCXMNTR.EXE
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\InterMute\SpySubtract\SpySub.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
.
**************************************************************************
.
Completion time: 2011-04-01 17:53:28 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-01 22:53
ComboFix2.txt 2011-03-27 22:38
ComboFix3.txt 2011-03-26 23:20
ComboFix4.txt 2011-03-26 03:57
.
Pre-Run: 127,448,883,200 bytes free
Post-Run: 127,533,682,688 bytes free
.
- - End Of File - - 0C75CE862D289D1543AF97C261394C07
Upload was successful

#13 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:40 PM

Posted 01 April 2011 - 08:23 PM

Please post a fresh DDS Log and attach.txt and advise how your computer is running now and if there are any outstanding issues.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#14 Jordainminister

Jordainminister
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:40 PM

Posted 01 April 2011 - 09:24 PM

It did stop redirecting me, but now it just shows the correct url but just displays a white screen.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Compaq_Owner at 22:20:46.31 on Fri 04/01/2011
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.703.162 [GMT -5:00]
.
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Belkin\F5D7050v3\Belkinwcui.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\WINDOWS\system32\ctfmon.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Compaq_Owner\Desktop\Bleeping Computer\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://shop.trendmicro.com/tmasy/eol.html?X=300&Y=300&WIDTH=690&HEIGHT=480
uInternet Settings,ProxyOverride = <local>;*.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [Google Update] "c:\documents and settings\compaq_owner\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [IS CfgWiz] c:\program files\norton internet security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
mRun: [URLLSTCK.exe] c:\program files\norton internet security\UrlLstCk.exe
mRun: [SSC_UserPrompt] c:\program files\common files\symantec shared\security center\UsrPrmpt.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [F5D7050v3] c:\program files\belkin\f5d7050v3\Belkinwcui.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\compaq~1\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq connections\6750491\program\Compaq Connections.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\spysub~1.lnk - c:\program files\intermute\spysubtract\sslaunch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\2s7c17b4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - plugin: c:\documents and settings\compaq_owner\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
.
---- FIREFOX POLICIES ----

.
============= SERVICES / DRIVERS ===============
.
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-8-28 197752]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2004-8-28 234616]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-8-28 164984]
R2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton internet security\norton antivirus\navapsvc.exe [2004-8-30 176768]
R2 SAVRTPEL;SAVRTPEL;c:\program files\norton internet security\norton antivirus\Savrtpel.sys [2004-7-23 49808]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-11-13 110592]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20041117.006\NAVENG.Sys [2005-2-15 72712]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20041117.006\NavEx15.Sys [2005-2-15 629544]
R3 SAVRT;SAVRT;c:\program files\norton internet security\norton antivirus\savrt.sys [2004-7-23 335504]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-8-28 78968]
S3 CFcatchme;CFcatchme;\??\c:\docume~1\compaq~1\locals~1\temp\cfcatchme.sys --> c:\docume~1\compaq~1\locals~1\temp\CFcatchme.sys [?]
S3 SAVScan;SAVScan;c:\program files\norton internet security\norton antivirus\SAVScan.exe [2004-7-23 197864]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2010-8-28 11520]
.
=============== Created Last 30 ================
.
2011-03-26 23:31:20 -------- d-----w- c:\program files\ESET
2011-03-26 03:30:46 89088 ----a-w- c:\windows\MBR.exe
2011-03-26 03:30:46 256512 ----a-w- c:\windows\PEV.exe
2011-03-26 03:30:46 161792 ----a-w- c:\windows\SWREG.exe
2011-03-26 03:30:45 98816 ----a-w- c:\windows\sed.exe
2011-03-25 22:32:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-25 22:32:21 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-24 18:43:20 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-03-24 18:43:19 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-03-24 18:43:19 728024 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-03-24 18:43:19 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2011-03-24 18:43:19 1975768 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-03-24 18:43:19 1893336 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-03-24 18:43:19 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-03-24 18:43:19 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2011-03-24 18:43:19 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-03-24 18:43:19 142296 ----a-w- c:\program files\mozilla firefox\libEGL.dll
.
==================== Find3M ====================
.
2011-02-18 21:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-03 02:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-03 00:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
============= FINISH: 22:23:00.35 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 8/27/2010 5:25:27 PM
System Uptime: 4/1/2011 6:45:26 PM (4 hours ago)
.
Motherboard: ASUSTek Computer INC. | | Salmon
Processor: AMD Athlon™ 64 Processor 3300+ | Socket 754 | 2411/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 144 GiB total, 117.783 GiB free.
D: is FIXED (FAT32) - 5 GiB total, 0.549 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1: 3/25/2011 10:59:54 AM - System Checkpoint
RP2: 3/25/2011 2:48:34 PM - Removed Apple Application Support
RP3: 3/25/2011 2:59:27 PM - Removed Apple Mobile Device Support
RP4: 3/26/2011 4:33:37 PM - System Checkpoint
RP5: 3/26/2011 6:03:12 PM - Removed Norton Security Center
RP6: 3/27/2011 6:32:31 PM - System Checkpoint
RP7: 4/1/2011 12:39:14 AM - System Checkpoint
RP8: 4/1/2011 5:58:25 PM - Installed Java™ 6 Update 24
.
==== Installed Programs ======================
.
Adobe Acrobat - Reader 6.0.2 Update
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 6.0.1
Agere Systems PCI Soft Modem
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Belkin 54Mbps Wireless Network Adapter
Blackhawk Striker 2 from Compaq (remove only)
Blast Pack for Pocket Tanks Deluxe
Blasterball 2 from Compaq (remove only)
Blasterball 2 Remix from Compaq (remove only)
Bonjour
Bounce Symphony from Compaq (remove only)
CC_ccProxyExt
ccCommon
ccPxyCore
Compaq Connections
Compaq Organize
Crystal Maze from Compaq (remove only)
Easy Internet Sign-up
ESET Online Scanner v3
FileZilla Client 3.3.5.1
Freecorder
Google Chrome
Guitar Pro 5.2
Help and Support Additions
HiJackThis
HpSdpAppCoreApp
InterVideo DiscLabel
InterVideo WinDVD Creator
InterVideo WinDVD Player
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
Java Auto Updater
Java™ 6 Update 24
KBD
LiveReg (Symantec Corporation)
LiveUpdate 2.5 (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Office Standard Edition 2003
Microsoft Plus! Dancer LE
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Works
Mozilla Firefox 4.0 (x86 en-US)
MSRedist
Norton AntiSpam
Norton AntiVirus 2005
Norton Internet Security
Norton Internet Security 2005 (Symantec Corporation)
Norton WMI Update
Orbital from Compaq (remove only)
Overball from Compaq (remove only)
Party Pack for Pocket Tanks Deluxe
PC-Doctor for Windows
Pocket Tanks Deluxe v1.3 By Argogo
Polar Bowler from Compaq (remove only)
Polar Golfer from Compaq (remove only)
PS2
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
QuickTime
RealPlayer
Road Ready Streetwise from Compaq (remove only)
Shrek 2 Ogre Bowler from Compaq (remove only)
SiS VGA Utilities
Sonic Express Labeler
Sonic RecordNow!
SPBBC
SpySubtract
Super Granny from Compaq (remove only)
SymNet
Tradewinds from Compaq (remove only)
WD SmartWare
WebFldrs XP
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB890175
.
==== Event Viewer Messages From Past Week ========
.
3/27/2011 4:41:19 PM, error: Dhcp [1002] - The IP address lease 192.168.2.103 for the Network Card with network address 002275AF0CD8 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
3/27/2011 10:50:11 PM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.2.100 with the system having network hardware address F8:1E:DF:E9:AF:E1. Network operations on this system may be disrupted as a result.
3/26/2011 8:22:24 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer OWNER-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{BA6B11B4-ECE7-41F3-. The master browser is stopping or an election is being forced.
3/26/2011 6:03:22 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
3/26/2011 3:33:31 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the HTTP SSL service to connect.
3/26/2011 3:33:31 PM, error: Service Control Manager [7000] - The HTTP SSL service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
3/26/2011 3:32:49 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference error message: The referenced assembly is not installed on your system. .
3/26/2011 3:32:49 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\MFC80U.DLL. Reference error message: The operation completed successfully. .
3/26/2011 3:32:49 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly is not installed on your system.
3/26/2011 3:32:48 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
3/26/2011 3:32:48 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe. Reference error message: The operation completed successfully. .
3/26/2011 3:32:48 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
3/25/2011 4:47:57 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
3/25/2011 4:40:37 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
3/25/2011 3:52:59 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the ShellHWDetection service.
3/25/2011 10:59:23 AM, error: Dhcp [1002] - The IP address lease 192.168.2.100 for the Network Card with network address 002275AF0CD8 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
3/25/2011 10:43:29 PM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: This operation returned because the timeout period expired.
3/25/2011 10:38:27 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: gagp30kx
3/25/2011 10:38:26 PM, error: Service Control Manager [7023] - The Network Security service terminated with the following error: The specified module could not be found.
.
==== End Of File ===========================

#15 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:40 PM

Posted 01 April 2011 - 10:23 PM

It did stop redirecting me, but now it just shows the correct url but just displays a white screen.


are you still having these issues? Does it happen with all your browsers?



Please do the following:

Download TFC to your desktop
Mirror
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish it's job
  • Once its finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean
It's normal after running TFC cleaner that the PC will be slower to boot the first time.


NEXT


Reset your Router:

  • This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router.
  • Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).
  • If you don’t know the router's default password, you can look it up. HERE
  • You also need to reconfigure any security settings you had in place prior to the reset.
  • You may also need to consult with your Internet service provider to find out which DNS servers your network should be using.



NEXT


  • Go to Start > Run > type: cmd
  • Press OK or Hit Enter.
  • At the command prompt, type or copy/paste: ipconfig /flushdns (note the space between “..g /f…” it needs to be there)
  • Hit Enter.
  • You will get a confirmation that the flush was successful.
  • Close the command box.

Let me know how the computer is running now in as much detail as possible

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users