Google Redirect & IE Script Error Virus infection


This topic is locked. 8 replies to this topic.

#1 chronain (Members, 4 posts)

Posted 20 April 2011 - 07:34 AM

My computer is infected with a virus(es) that are causing Google to redirect, innumerable Internet Explorer script errors (even when Explorer is not running), and snippets of audio to play through the computer speakers when no programs are running. I have posted the required logs below:

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 16:47 on 19/04/2011 (Randolph4)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Randolph4 at 16:49:43.09 on Tue 04/19/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.374 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Canon\DIAS\CnxDIAS.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\tbctray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Randolph4\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [COMMUNICATOR] "c:\program files\microsoft office communicator\Communicator.exe" /silentRetrials /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [LTMSG] LTMSG.exe 7
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TraySantaCruz] c:\windows\system32\tbctray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229009856437
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {AEDDE394-D18C-4334-8011-3AF63A1393AC} = 24.56.100.20,24.56.102.20
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2003-6-23 149632]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2003-6-23 554304]
S3 HPFXFAX;HPFXFAX;c:\windows\system32\drivers\hpfxfax.sys [2009-11-24 20504]
.
=============== Created Last 30 ================
.
2011-04-19 16:05:42 -------- d-----w- c:\docume~1\randol~1\applic~1\SUPERAntiSpyware.com
2011-04-19 16:05:29 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-04-19 13:57:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-04-15 18:13:16 -------- d-----w- c:\windows\pss
2011-04-15 16:18:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-15 16:18:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-15 13:22:48 -------- d-----w- c:\docume~1\randol~1\applic~1\Malwarebytes
2011-04-15 13:22:41 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-15 13:11:55 -------- d-----w- c:\docume~1\randol~1\applic~1\GetRightToGo
2011-04-13 14:13:30 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-13 14:13:30 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-13 14:12:11 -------- d-sh--w- C:\found.000
2011-04-11 22:07:15 -------- d-----w- c:\program files\Norton AntiVirus
2011-04-11 22:06:26 -------- d-----w- c:\program files\Symantec
2011-04-11 22:06:20 -------- d-----w- c:\docume~1\alluse~1\applic~1\Symantec
2011-04-11 22:06:09 -------- d-----w- c:\program files\common files\Symantec Shared
2011-03-29 20:54:20 -------- d-----w- c:\program files\iPod
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ------w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ------w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
============= FINISH: 16:50:27.03 ===============

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-20 08:23:47
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-7 ST380819AS rev.8.04
Running: k181k0xw.exe; Driver: C:\DOCUME~1\RANDOL~1\LOCALS~1\Temp\uwdorpob.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF2DE9620]

---- Kernel code sections - GMER 1.0.15 ----

INITc VolSnap.sys F75BBBD0 4 Bytes [80, 69, 53, 80] {SUB BYTE [ECX+0x53], 0x80}
INITc VolSnap.sys F75BBBF8 4 Bytes [32, 8F, 4F, 80]
INITc VolSnap.sys F75BBC20 4 Bytes [B0, 9B, 4F, 80]
INITc VolSnap.sys F75BBC48 4 Bytes [9C, DF, 4F, 80] {PUSHF ; FISTTP WORD [EDI-0x80]}
INITc VolSnap.sys F75BBC70 4 Bytes [E6, 95, 4F, 80]
INITc ...

---- Threads - GMER 1.0.15 ----

Thread System [4:120] 830EDE84
Thread System [4:124] 830F0084

---- EOF - GMER 1.0.15 ----

#2 RPMcMurphy (Malware Response Team, 3,970 posts)

Posted 20 April 2011 - 08:57 AM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.
Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please include the following in your next post:
  • The Attach.txt log from DDS
  • ComboFix log

Edited by RPMcMurphy, 20 April 2011 - 08:57 AM.


#3 chronain (Topic Starter, Members, 4 posts)

Posted 20 April 2011 - 09:52 AM

I think it is fixed... I have included the files you requested... Thank you!

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 10/6/2008 2:44:44 PM
System Uptime: 4/19/2011 4:41:36 PM (0 hours ago)
.
Motherboard: WinFast | | 760GXK8MC
Processor: AMD Sempron™ Processor 2800+ | Socket 940 | 1599/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 74 GiB total, 61.216 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP561: 1/17/2011 8:59:48 AM - System Checkpoint
RP562: 1/18/2011 10:52:03 AM - System Checkpoint
RP563: 1/19/2011 11:19:46 AM - System Checkpoint
RP564: 1/20/2011 12:02:28 PM - System Checkpoint
RP565: 1/21/2011 12:16:22 PM - System Checkpoint
RP566: 1/24/2011 9:54:56 AM - System Checkpoint
RP567: 1/25/2011 10:21:24 AM - System Checkpoint
RP568: 1/26/2011 11:35:45 AM - System Checkpoint
RP569: 1/27/2011 11:51:08 AM - System Checkpoint
RP570: 1/28/2011 1:43:41 PM - System Checkpoint
RP571: 1/31/2011 8:50:14 AM - System Checkpoint
RP572: 2/1/2011 10:03:45 AM - System Checkpoint
RP573: 2/1/2011 3:48:17 PM - Installed OverDrive Media Console
RP574: 2/2/2011 4:21:26 PM - System Checkpoint
RP575: 2/4/2011 7:51:25 AM - System Checkpoint
RP576: 2/7/2011 11:10:24 AM - System Checkpoint
RP577: 2/8/2011 11:10:47 AM - System Checkpoint
RP578: 2/9/2011 10:28:36 AM - Software Distribution Service 3.0
RP579: 2/10/2011 11:41:11 AM - System Checkpoint
RP580: 2/11/2011 12:36:00 PM - System Checkpoint
RP581: 2/14/2011 8:57:50 AM - System Checkpoint
RP582: 2/15/2011 11:51:29 AM - System Checkpoint
RP583: 2/16/2011 12:53:51 PM - System Checkpoint
RP584: 2/17/2011 1:12:25 PM - System Checkpoint
RP585: 2/18/2011 2:54:54 PM - Removed Adobe Reader 9.4.2.
RP586: 2/18/2011 2:55:26 PM - Installed Adobe Reader X (10.0.1).
RP587: 2/22/2011 9:42:53 AM - System Checkpoint
RP588: 2/23/2011 10:03:16 AM - System Checkpoint
RP589: 2/24/2011 10:49:50 AM - System Checkpoint
RP590: 2/25/2011 12:30:28 PM - System Checkpoint
RP591: 2/28/2011 9:38:27 AM - System Checkpoint
RP592: 3/1/2011 9:44:19 AM - System Checkpoint
RP593: 3/2/2011 9:42:18 AM - Installed Windows Internet Explorer 8.
RP594: 3/2/2011 9:43:44 AM - Software Distribution Service 3.0
RP595: 3/2/2011 5:07:36 PM - Software Distribution Service 3.0
RP596: 3/3/2011 5:08:58 PM - System Checkpoint
RP597: 3/7/2011 9:27:20 AM - System Checkpoint
RP598: 3/8/2011 9:45:55 AM - System Checkpoint
RP599: 3/9/2011 10:32:59 AM - System Checkpoint
RP600: 3/9/2011 5:05:33 PM - Software Distribution Service 3.0
RP601: 3/11/2011 7:41:34 AM - System Checkpoint
RP602: 3/11/2011 8:55:45 AM - Software Distribution Service 3.0
RP603: 3/14/2011 9:42:40 AM - System Checkpoint
RP604: 3/15/2011 11:05:03 AM - System Checkpoint
RP605: 3/16/2011 8:55:00 AM - Software Distribution Service 3.0
RP606: 3/17/2011 9:35:21 AM - System Checkpoint
RP607: 3/17/2011 6:34:28 PM - Software Distribution Service 3.0
RP608: 3/21/2011 12:13:18 PM - System Checkpoint
RP609: 3/22/2011 12:29:06 PM - System Checkpoint
RP610: 3/23/2011 9:21:07 AM - Software Distribution Service 3.0
RP611: 3/24/2011 9:25:58 AM - Software Distribution Service 3.0
RP612: 3/25/2011 9:41:26 AM - System Checkpoint
RP613: 3/28/2011 9:57:24 AM - System Checkpoint
RP614: 3/29/2011 10:50:33 AM - System Checkpoint
RP615: 3/30/2011 11:17:10 AM - System Checkpoint
RP616: 3/31/2011 12:20:56 PM - System Checkpoint
RP617: 4/1/2011 12:31:10 PM - System Checkpoint
RP618: 4/4/2011 10:53:46 AM - System Checkpoint
RP619: 4/5/2011 11:27:44 AM - System Checkpoint
RP620: 4/6/2011 11:55:21 AM - System Checkpoint
RP621: 4/7/2011 12:13:48 PM - System Checkpoint
RP622: 4/8/2011 12:57:21 PM - System Checkpoint
RP623: 4/11/2011 10:27:02 AM - System Checkpoint
RP624: 4/12/2011 11:23:44 AM - Restore Operation
RP625: 4/13/2011 9:13:50 AM - Software Distribution Service 3.0
RP626: 4/13/2011 10:05:50 AM - Restore Operation
RP627: 4/14/2011 10:12:54 AM - System Checkpoint
RP628: 4/15/2011 2:07:16 PM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader X (10.0.1)
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bing Bar
Bonjour
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
Destination Component
getPlus® for Adobe
GIMP 2.6.10
Google Earth Plug-in
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP LaserJet M2727 MFP Series 5.0
HP Product Detection
hppscanM2727
iTunes
Java Auto Updater
Java™ 6 Update 23
Java™ 6 Update 4
Java™ 6 Update 7
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Default Manager
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Small Business
Microsoft Office 97, Professional Edition
Microsoft Silverlight
Microsoft UI Engine
Microsoft User-Mode Driver Framework Feature Pack 1.0
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
OverDrive Media Console
QuickTime
Scan
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SUPERAntiSpyware
Turtle Beach Santa Cruz
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VoiceOver Kit
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live ID Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
.
==== Event Viewer Messages From Past Week ========
.
4/19/2011 3:22:40 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdPPM Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip
4/19/2011 11:56:16 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
4/19/2011 11:23:52 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdPPM Fips SASDIFSV SASKUTIL
4/19/2011 10:31:15 AM, error: atapi [9] - The device, \Device\Ide\IdePort3, did not respond within the timeout period.
4/18/2011 8:56:47 AM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.
4/15/2011 2:34:08 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdPPM Fips
4/13/2011 9:57:48 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
4/13/2011 9:56:18 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdPPM Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
4/13/2011 9:56:18 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
4/13/2011 9:56:18 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
4/13/2011 9:56:18 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
4/13/2011 9:56:18 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
4/13/2011 9:56:18 AM, error: Service Control Manager [7001] - The Canon Driver Information Assist Service service depends on the TCP/IP NetBIOS Helper service which failed to start because of the following error: The dependency service or group failed to start.
4/13/2011 9:56:18 AM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
4/13/2011 9:56:18 AM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
4/12/2011 9:31:05 AM, error: PSched [14105] - QoS [Adapter NDISWANIP]: The UpperBindings key is missing from the registry.
4/12/2011 9:06:27 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
4/12/2011 11:29:35 AM, error: NetBT [4307] - Initialization failed because the transport refused to open initial Addresses.
4/12/2011 11:23:00 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
4/12/2011 10:29:45 AM, error: Rasman [20030] - Remote Access Connection Manager failed to start because it could not load one or more communication DLLs. Ensure that your communication hardware is installed and then restart the computer. The system cannot find the file specified.
4/12/2011 10:29:41 AM, error: Service Control Manager [7023] - The Remote Access Connection Manager service terminated with the following error: The system cannot find the file specified.
.
==== End Of File ===========================


ComboFix 11-04-19.06 - Randolph4 04/20/2011 10:40:44.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.512 [GMT -4:00]
Running from: c:\documents and settings\Randolph4\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((( Files Created from 2011-03-20 to 2011-04-20 )))))))))))))))))))))))))))))))
.
.
2011-04-19 16:05 . 2011-04-19 16:05 -------- d-----w- c:\documents and settings\Randolph4\Application Data\SUPERAntiSpyware.com
2011-04-19 16:05 . 2011-04-19 16:05 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-04-19 13:57 . 2011-04-19 13:57 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-04-18 12:56 . 2011-04-18 12:56 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY
2011-04-15 16:18 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-15 16:18 . 2011-04-15 19:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-15 13:22 . 2011-04-15 13:22 -------- d-----w- c:\documents and settings\Randolph4\Application Data\Malwarebytes
2011-04-15 13:22 . 2011-04-15 13:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-15 13:11 . 2011-04-15 13:12 -------- d-----w- c:\documents and settings\Randolph4\Application Data\GetRightToGo
2011-04-13 14:13 . 2011-04-13 14:13 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-13 14:12 . 2011-04-13 14:12 -------- d-----w- C:\found.000
2011-04-11 22:07 . 2011-04-13 14:12 -------- d-----w- c:\program files\Norton AntiVirus
2011-04-11 22:06 . 2011-04-13 14:12 -------- d-----w- c:\program files\Symantec
2011-04-11 22:06 . 2011-04-13 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2011-04-11 22:06 . 2011-04-13 14:12 -------- d-----w- c:\program files\Common Files\Symantec Shared
2011-03-29 20:54 . 2011-03-29 20:54 -------- d-----w- c:\program files\iPod
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2008-10-06 18:40 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-04 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-04 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-04 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-04 12:00 385024 ------w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2004-08-04 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-04 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-04-17 12:11 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2004-08-04 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2004-08-04 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2004-08-04 12:00 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2008-10-06 18:38 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2008-10-06 18:38 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-04 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-05 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-03-16 2423752]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTMSG"="LTMSG.exe 7" [X]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"TraySantaCruz"="c:\windows\system32\tbctray.exe" [2003-06-23 290816]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-7-11 122880]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-7-11 61440]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Canon\\DIAS\\CnxDIAS.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [6/23/2003 12:15 PM 149632]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [6/23/2003 12:15 PM 554304]
S3 HPFXFAX;HPFXFAX;c:\windows\system32\drivers\hpfxfax.sys [11/24/2009 5:31 PM 20504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]
.
2011-04-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-05 17:14]
.
2011-04-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-15 16:26]
.
2011-04-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-15 16:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
TCP: {AEDDE394-D18C-4334-8011-3AF63A1393AC} = 24.56.100.20,24.56.102.20
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKCU-Run-COMMUNICATOR - c:\program files\Microsoft Office Communicator\Communicator.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-20 10:46
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(480)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(4000)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-04-20 10:48:55
ComboFix-quarantined-files.txt 2011-04-20 14:48
.
Pre-Run: 65,651,933,184 bytes free
Post-Run: 66,435,194,880 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 0D0EF706691EE58F0134F9C8A1871ECE

#4 RPMcMurphy
  • Malware Response Team
  • 3,970 posts

Posted 20 April 2011 - 10:15 AM

chronain:

It's looking better. Please do this next:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
  • Go to this page.
  • Scroll down to where it says "Java Platform, Standard Edition."
  • Click the "Download JRE" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Now go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u24-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked:
      • Applications and Applets
      • Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.
You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please run ESET Online Scanner
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes copy and paste the results into your next reply.
Please include the following in your next post:
  • MBAM log
  • ESET log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#5 chronain
  • Topic Starter
  • Members
  • 4 posts

Posted 22 April 2011 - 04:04 PM

Here are the Logs you requested:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6420

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/22/2011 2:09:14 PM
mbam-log-2011-04-22 (14-09-14).txt

Scan type: Quick scan
Objects scanned: 166719
Time elapsed: 7 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

C:\System Volume Information\_restore{E6FB943F-9513-446C-905C-D6F577B79CF3}\RP629\A0045804.sys Win32/Olmasco.E trojan

#6 RPMcMurphy
  • Malware Response Team
  • 3,970 posts

Posted 22 April 2011 - 10:15 PM

chronain:

Your logs look good! That ESET detection is in your system restore cache and will be cleaned when we uninstall ComboFix. Now I have some very important cleanup for you to take care of:

Uninstall ComboFix
  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall

Delete the following tools along with any other logs you saved from our work:
  • DDS
  • GMER
Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine;
  • if it doesn't, manually reboot to ensure a complete clean.
Install an anti-virus program. I don't see any anti-virus software running on your computer. Choose one (but no more) reputable AV program. If you need help choosing one, this site has good information. Avast, Avira and Microsoft all offer free AV products.

Finally, I'd like to make a couple of suggestions to help you stay clean in the future:
  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated. Scan with them at least weekly.
  • Please read this post for some helpful information.
Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!


#7 chronain
  • Topic Starter
  • Members
  • 4 posts

Posted 26 April 2011 - 01:45 PM

Thanks a lot for all of your help!

#8 RPMcMurphy
  • Malware Response Team
  • 3,970 posts

Posted 26 April 2011 - 05:03 PM

You're welcome, chronain. Take care.


#9 RPMcMurphy
  • Malware Response Team
  • 3,970 posts

Posted 29 April 2011 - 11:51 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
