Google redirecting to ad sites


  • This topic is locked
5 replies to this topic

#1 local


  • Members
  • 3 posts

Posted 20 May 2011 - 09:24 AM

Hello,

Please can someone help me remove some malware. Clicking on links provided by google redirects to various ad sites.

I've tried Combofix to no avail. Here are all the logs....

DDS...


.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by Administrator at 10:11:14 on 2011-05-20
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1527.839 [GMT 1:00]
.
AV: eTrust ITM *Enabled/Updated* {33EA71EA-56CF-40B5-A06B-BD3A27397C44}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
C:\Program Files\CA\eTrustITM\InoRpc.exe
C:\Program Files\CA\eTrustITM\InoRT.exe
C:\Program Files\CA\eTrustITM\InoTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Asset Services Management\ASMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
C:\Program Files\Castelle\FaxPress\FaxTray.exe
C:\Program Files\Castelle\FaxPress\ExCnvt.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\CA\eTrustITM\realmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
\\swfp10\ezaudit\ondemand\ondemand.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrobat.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Administrator.ROCOL\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator.ROCOL\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator.ROCOL\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator.ROCOL\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\WSCRIPT.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://rocoli.rocol.com
uInternet Settings,ProxyServer = 192.168.1.3:8080
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\administrator.rocol\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Smapp] c:\program files\analog devices\soundmax\SMTray.exe
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [pdfFactory Dispatcher v1] c:\windows\system32\spool\drivers\w32x86\3\fppdis1.exe
mRun: [CstlFaxTray] c:\program files\castelle\faxpress\FaxTray.exe
mRun: [FPEXCNVT] c:\program files\castelle\faxpress\ExCnvt.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Realtime Monitor] "c:\program files\ca\etrustitm\realmon.exe" -s
mRun: [Seagull Drivers] ssdal_nc.exe startup
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [jthfbmtn] rundll32 "c:\windows\system32\iologmsgg.dll",Iapvpsxc
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/58.09/uploader2.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} - hxxp://www.asda-photo.co.uk/upload/activex/v2_0_0_12/PCAXSetupv2.0.0.12.cab?
Notify: igfxcui - igfxsrvc.dll
.
============= SERVICES / DRIVERS ===============
.
R3 ASMMEMORYDRIVER;ASMMEMORYDRIVER;c:\program files\asset services management\ASMMemoryDriver.sys [2008-6-5 2560]
S3 Commander Service;Commander Service;c:\program files\seagull\bartender 7.00\enterprise\CmdrSrv.exe [2002-10-15 435352]
.
=============== Created Last 30 ================
.
2011-05-20 09:04:06 -------- d-----w- c:\documents and settings\administrator.rocol\local settings\application data\Temp
2011-05-20 09:03:59 -------- d-----w- c:\documents and settings\administrator.rocol\local settings\application data\Google
2011-05-19 14:42:20 -------- d-sha-r- C:\cmdcons
2011-05-19 14:35:01 98816 ----a-w- c:\windows\sed.exe
2011-05-19 14:35:01 89088 ----a-w- c:\windows\MBR.exe
2011-05-19 14:35:01 256512 ----a-w- c:\windows\PEV.exe
2011-05-19 14:35:01 161792 ----a-w- c:\windows\SWREG.exe
2011-05-17 14:15:50 -------- d-----w- C:\tds
.
==================== Find3M ====================
.
2011-04-07 12:21:15 94208 --sha-r- c:\windows\system32\iologmsgg.dll
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 10:11:43.49 ===============

Thanks
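One way to triage autostart lines in a DDS / ComboFix log of the kind posted above, as an added example that is not part of the original post or of either tool. It scores each loaded binary on indicators that are visible in the log itself: a run-key name that looks generated, a DLL loaded through rundll32 with a generated-looking export, system+hidden attributes on a DLL under system32, and a scheduled task with a generated-looking job name pointing at the same file. The name heuristic and the two-hit threshold are assumptions chosen for this example, and the sample log is constructed from the line shapes in the posted output.

```python
"""Triage autostart entries in a DDS / ComboFix style log.

Added example, not code from the thread or from DDS/ComboFix. Each binary
collects one reason per independent indicator; anything with two or more is
reported. The heuristics are assumptions for this example, not a published
detection rule.
"""
import re

# Constructed sample log: line shapes copied from the DDS / ComboFix output
# above (one hostile-looking DLL next to ordinary vendor entries).
SAMPLE_LOG = """\
mRun: [IgfxTray] c:\\windows\\system32\\igfxtray.exe
mRun: [Adobe ARM] "c:\\program files\\common files\\adobe\\arm\\1.0\\AdobeARM.exe"
mRun: [jthfbmtn] rundll32 "c:\\windows\\system32\\iologmsgg.dll",Iapvpsxc
2011-04-07 12:21:15 94208 --sha-r- c:\\windows\\system32\\iologmsgg.dll
2011-03-07 05:33:50 692736 ----a-w- c:\\windows\\system32\\inetcomm.dll
2011-05-19 c:\\windows\\Tasks\\fmptbxnr.job
- c:\\windows\\system32\\iologmsgg.dll [2011-04-07 12:21]
"""

RUN_RE = re.compile(r"^[umd]Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S+)', re.I)
PATH_RE = re.compile(r'[a-z]:\\[^"]+?\.(?:exe|dll)', re.I)
FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+(?P<size>\d+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$")
TASK_RE = re.compile(r"^\d{4}-\d\d-\d\d (?P<job>.+\\tasks\\[^\\]+\.job)$", re.I)
TASK_TARGET_RE = re.compile(r"^- (?P<path>.+?\.(?:dll|exe)) \[", re.I)

VOWELS = set("aeiouy")


def looks_random(name):
    """Crude generated-name test (assumption): letters only, and either no
    vowels at all or a run of six or more consonants. 'jthfbmtn' and
    'Iapvpsxc' trip it; 'IgfxTray' (run of five) and 'Adobe ARM' do not."""
    if not name.isalpha():
        return False
    low = name.lower()
    if not any(c in VOWELS for c in low):
        return True
    run = longest = 0
    for c in low:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 6


def triage(log_text):
    """Return {lowercased path: [reason, ...]} for every binary with a hit."""
    findings = {}

    def add(path, reason):
        findings.setdefault(path.lower(), []).append(reason)

    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        m = RUN_RE.match(line)
        if m:
            name, cmd = m["name"], m["cmd"]
            d = RUNDLL_RE.search(cmd)
            if d:
                if looks_random(name):
                    add(d["dll"], f"run key name {name!r} looks generated")
                if looks_random(d["export"]):
                    add(d["dll"], f"rundll32 export {d['export']!r} looks generated")
            elif looks_random(name):
                p = PATH_RE.search(cmd)
                if p:
                    add(p.group(0), f"run key name {name!r} looks generated")
            continue
        m = FILE_RE.match(line)
        if m:
            attrs, path = m["attrs"], m["path"]
            # system+hidden on a DLL in system32 is rare for legitimate files
            if path.lower().endswith(".dll") and "s" in attrs and "h" in attrs:
                add(path, f"DLL carries system+hidden attributes ({attrs})")
            continue
        m = TASK_RE.match(line)
        if m and i + 1 < len(lines):
            # ComboFix prints the task's target on the following '- ' line
            t = TASK_TARGET_RE.match(lines[i + 1])
            job = m["job"].rsplit("\\", 1)[-1][:-4]
            if t and looks_random(job):
                add(t["path"], f"scheduled task {job!r} with generated name runs it")
    return findings


def suspicious(log_text, min_hits=2):
    """Paths with at least min_hits independent indicators, worst first."""
    hits = triage(log_text)
    return sorted((p for p, r in hits.items() if len(r) >= min_hits),
                  key=lambda p: -len(hits[p]))


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Run against the sample, the one DLL that is loaded from a random-named run key, carries system+hidden attributes and is re-launched by a random-named scheduled task collects four reasons, while the vendor entries collect none; that correlation across sections is what makes such an entry worth pulling first, independent of whatever AV is installed.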


#2 CatByte


    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 21 May 2011 - 07:06 AM

Please post the ComboFix Log(s) and then run the following program:



Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Edited by CatByte, 21 May 2011 - 07:06 AM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 local

  • Topic Starter

  • Members
  • 3 posts

Posted 23 May 2011 - 07:20 AM

ComboFix 11-05-18.04 - Administrator 19/05/2011 15:43:45.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1527.1054 [GMT 1:00]
Running from: c:\documents and settings\Administrator.ROCOL\Desktop\ComboFix.exe
AV: eTrust ITM *Disabled/Updated* {33EA71EA-56CF-40B5-A06B-BD3A27397C44}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\AutoRun.ini
Z:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-04-19 to 2011-05-19 )))))))))))))))))))))))))))))))
.
.
2011-05-17 14:25 . 2011-05-17 14:27 -------- d-----w- c:\documents and settings\lfinnigan\Local Settings\Application Data\Google
2011-05-17 14:24 . 2011-05-17 14:25 -------- d-----w- c:\documents and settings\lfinnigan\Local Settings\Application Data\Deployment
2011-05-17 14:15 . 2011-05-17 14:15 -------- d-----w- C:\tds
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2004-08-04 07:56 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2004-08-04 07:56 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-04 06:17 1857920 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Seagull Drivers"="ssdal_nc.exe startup" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-07-01 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-07-01 118784]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-07-30 143360]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"pdfFactory Dispatcher v1"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis1.exe" [2003-07-22 380928]
"CstlFaxTray"="c:\program files\Castelle\FaxPress\FaxTray.exe" [1999-08-17 57344]
"FPEXCNVT"="c:\program files\Castelle\FaxPress\ExCnvt.exe" [2002-04-22 40960]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-10-03 39792]
"Realtime Monitor"="c:\program files\CA\eTrustITM\realmon.exe" [2008-02-08 407368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"jthfbmtn"="c:\windows\system32\iologmsgg.dll" [2011-04-07 94208]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-5-7 118784]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-824574081-1221268441-623647154-1074\Scripts\Logon\0\0]
"Script"=ROC_LOGON.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-824574081-1221268441-623647154-1287\Scripts\Logon\0\0]
"Script"=rocol_mail_font.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-824574081-1221268441-623647154-1287\Scripts\Logon\1\0]
"Script"=rocol_ifs_filedist.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-824574081-1221268441-623647154-1287\Scripts\Logon\2\0]
"Script"=rocol_dic.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-824574081-1221268441-623647154-1287\Scripts\Logon\3\0]
"Script"=ROC_LOGON.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-824574081-1221268441-623647154-2296\Scripts\Logon\0\0]
"Script"=e:\rocol_logon\real VNC\rocol_real_VNC.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-824574081-1221268441-623647154-2296\Scripts\Logon\1\0]
"Script"=rocol_mail_font.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-824574081-1221268441-623647154-2296\Scripts\Logon\2\0]
"Script"=rocol_ifs_filedist.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-824574081-1221268441-623647154-2296\Scripts\Logon\3\0]
"Script"=rocol_dic.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-824574081-1221268441-623647154-2296\Scripts\Logon\4\0]
"Script"=ROC_LOGON.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-824574081-1221268441-623647154-3256\Scripts\Logon\0\0]
"Script"=ROC_LOGON.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-824574081-1221268441-623647154-4093\Scripts\Logon\0\0]
"Script"=e:\rocol_logon\real VNC\rocol_real_VNC.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-824574081-1221268441-623647154-4093\Scripts\Logon\1\0]
"Script"=rocol_mail_font.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-824574081-1221268441-623647154-4093\Scripts\Logon\2\0]
"Script"=rocol_ifs_filedist.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-824574081-1221268441-623647154-4093\Scripts\Logon\3\0]
"Script"=rocol_dic.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-824574081-1221268441-623647154-4093\Scripts\Logon\4\0]
"Script"=ROC_LOGON.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-824574081-1221268441-623647154-4118\Scripts\Logon\0\0]
"Script"=rocol_mail_font.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-824574081-1221268441-623647154-4118\Scripts\Logon\1\0]
"Script"=rocol_ifs_filedist.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-824574081-1221268441-623647154-4118\Scripts\Logon\2\0]
"Script"=ROC_LOGON.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-824574081-1221268441-623647154-500\Scripts\Logon\0\0]
"Script"=e:\rocol_logon\real VNC\rocol_real_VNC.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-824574081-1221268441-623647154-500\Scripts\Logon\1\0]
"Script"=rocol_mail_font.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-824574081-1221268441-623647154-500\Scripts\Logon\2\0]
"Script"=rocol_ifs_filedist.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-824574081-1221268441-623647154-500\Scripts\Logon\3\0]
"Script"=rocol_dic.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-824574081-1221268441-623647154-500\Scripts\Logon\4\0]
"Script"=ROC_LOGON.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R3 ASMMEMORYDRIVER;ASMMEMORYDRIVER;c:\program files\Asset Services Management\ASMMemoryDriver.sys [05/06/2008 11:02 2560]
S3 Commander Service;Commander Service;c:\program files\Seagull\BarTender 7.00\Enterprise\CmdrSrv.exe [15/10/2002 17:06 435352]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-19 c:\windows\Tasks\fmptbxnr.job
- c:\windows\system32\iologmsgg.dll [2011-04-07 12:21]
.
2011-05-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-824574081-1221268441-623647154-2296Core.job
- c:\documents and settings\lfinnigan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-17 14:25]
.
2011-05-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-824574081-1221268441-623647154-2296UA.job
- c:\documents and settings\lfinnigan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-17 14:25]
.
.
------- Supplementary Scan -------
.
uStart Page = https://rocoli.rocol.com
uInternet Settings,ProxyServer = 192.168.1.3:8080
uInternet Settings,ProxyOverride = <local>
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-WZCLINE - c:\program files\WinZip\winzip32
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-19 15:50
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\docume~1\ADMINI~1.ROC\LOCALS~1\Temp\catchme.dll 53248 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(712)
c:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2011-05-19 15:54:43
ComboFix-quarantined-files.txt 2011-05-19 14:54
.
Pre-Run: 41,338,421,248 bytes free
Post-Run: 56,499,585,024 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - B480ED8C32ADB9F2F0907A30803F1EBE

Will run that program now.

Thanks for your help.

#4 local

  • Topic Starter

  • Members
  • 3 posts

Posted 23 May 2011 - 07:25 AM

aswMBR log...


aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software
Run date: 2011-05-23 13:22:47
-----------------------------
13:22:47.799 OS Version: Windows 5.1.2600 Service Pack 3
13:22:47.799 Number of processors: 2 586 0x401
13:22:47.799 ComputerName: LFINNIGAN UserName:
13:22:48.559 Initialize success
13:22:51.568 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
13:22:51.568 Disk 0 Vendor: ST380013AS 3.43 Size: 76319MB BusType: 3
13:22:53.689 Disk 0 MBR read successfully
13:22:53.689 Disk 0 MBR scan
13:22:53.689 Disk 0 Windows XP default MBR code
13:22:55.748 Disk 0 scanning sectors +156280320
13:22:55.764 Disk 0 scanning C:\WINDOWS\system32\drivers
13:23:04.678 Service scanning
13:23:06.087 Disk 0 trace - called modules:
13:23:06.103 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
13:23:06.103 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a2cbab8]
13:23:06.103 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\00000061[0x8a2b19e8]
13:23:06.103 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-e[0x8a2b0d98]
13:23:06.103 Scan finished successfully
13:23:20.036 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator.ROCOL\Desktop\MBR.dat"
13:23:20.036 The log file has been saved successfully to "C:\Documents and Settings\Administrator.ROCOL\Desktop\aswMBR.txt"

#5 CatByte


    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 23 May 2011 - 08:43 AM

Hi

Please run the following:

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)


NEXT



Reset your Router:

  • This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router.
  • Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).
  • If you don't know the router's default password, you can look it up. HERE
  • You also need to reconfigure any security settings you had in place prior to the reset.
  • You may also need to consult with your Internet service provider to find out which DNS servers your network should be using.


NEXT


  • Go to Start > Run > type: cmd
  • Press OK or Hit Enter.
  • At the command prompt, type or copy/paste: ipconfig /flushdns (note the space between ..g /f it needs to be there)
  • Hit Enter.
  • You will get a confirmation that the flush was successful.
  • Close the command box.


NEXT


Please let me know in as much detail as possible how the computer is running now and if there are any outstanding issues

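The router reset and DNS flush above address the two redirect mechanisms that survive a host clean-up: resolvers handed out by a tampered router, and a proxy configured in the browser. As an added example that is not part of the thread, the check below parses `ipconfig /all` output in the Windows XP layout and the ProxyServer line as DDS prints it, and reports anything not on an allowlist the administrator supplies. The expected resolver and proxy values are assumptions for the example, and both sample outputs are constructed (203.0.113.53 is a documentation-range address standing in for an unexpected resolver); whether the 192.168.1.3:8080 proxy seen in the posted log is legitimate is something only the site's administrator can say.

```python
"""Verify resolver and proxy settings after a router reset and DNS flush.

Added example, not from the thread. Parses `ipconfig /all` (Windows XP
layout) and the DDS 'ProxyServer' line, then reports DNS servers and proxies
that are not on the caller's allowlist. Expected values are assumptions.
"""
import re

# Constructed `ipconfig /all` output. 203.0.113.53 (TEST-NET-3) stands in
# for a resolver the administrator did not configure.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : LFINNIGAN

Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.50
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            203.0.113.53
"""

# Constructed DDS fragment in the same shape as the posted log.
SAMPLE_DDS = """\
uStart Page = https://rocoli.rocol.com
uInternet Settings,ProxyServer = 192.168.1.3:8080
uInternet Settings,ProxyOverride = <local>
"""

KEY_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?)[ .]*: (?P<val>.*)$")
BARE_IP_RE = re.compile(r"^\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$")
PROXY_RE = re.compile(r"ProxyServer = (?P<host>[^:\s]+):(?P<port>\d+)")

# ipconfig label -> field name we keep
FIELDS = {"dns servers": "dns", "default gateway": "gateway", "dhcp server": "dhcp"}


def parse_ipconfig(text):
    """Return {'dns': [...], 'gateway': [...], 'dhcp': [...]}.
    Extra DNS servers appear as bare, indented addresses on following lines."""
    out = {name: [] for name in FIELDS.values()}
    current = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = FIELDS.get(m["key"].strip().lower())
            if current and m["val"].strip():
                out[current].append(m["val"].strip())
            continue
        b = BARE_IP_RE.match(line)
        if b and current:
            out[current].append(b["ip"])
        else:
            current = None
    return out


def check_resolvers(ipconfig_text, expected_dns):
    """DNS servers the adapter uses that are not in the expected set."""
    return [ip for ip in parse_ipconfig(ipconfig_text)["dns"]
            if ip not in expected_dns]


def parse_proxy(dds_text):
    """(host, port) from the DDS ProxyServer line, or None if no proxy is set."""
    m = PROXY_RE.search(dds_text)
    return (m["host"], int(m["port"])) if m else None


def check_proxy(dds_text, expected_proxy=None):
    """The configured proxy if it differs from the expected one, else None.
    With expected_proxy=None any configured proxy is reported."""
    p = parse_proxy(dds_text)
    return p if p is not None and p != expected_proxy else None


def report(ipconfig_text, dds_text, expected_dns, expected_proxy=None):
    """Human-readable findings; empty list means settings match the allowlist."""
    out = [f"unexpected DNS server {ip}"
           for ip in check_resolvers(ipconfig_text, expected_dns)]
    p = check_proxy(dds_text, expected_proxy)
    if p:
        out.append(f"unexpected proxy {p[0]}:{p[1]}")
    return out


if __name__ == "__main__":
    # Assumed allowlist: the router is the only resolver, the proxy is known.
    for line in report(SAMPLE_IPCONFIG, SAMPLE_DDS,
                       {"192.168.1.1"}, ("192.168.1.3", 8080)):
        print(line)
```

Paste the real `ipconfig /all` output in place of the constructed sample after the reset; a resolver that is neither the router nor one the ISP lists is the router-side cause to chase, and it is worth repeating the check a day later, since a router that was changed once can be changed again if its admin password is still the default.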


#6 CatByte


    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 29 May 2011 - 01:09 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.


