
Infected with Google redirect virus, system security


  • This topic is locked
16 replies to this topic

#1 Snoozo (Members, 8 posts)

Posted 10 July 2011 - 01:46 PM

Hello,

Virus likely picked up June 24, 2011. I have tried many online and downloadable removal and scanning tools with no success. My Malwarebytes continues to block "potentially malicious websites" and Google is still redirecting often. It keeps disabling ESET NOD by resetting the date of my PC to 2001 on restart.

Please help!

Thank you in advance,

Mark

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Welby at 11:53:56 on 2011-07-10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.277 [GMT -4:00]
.
AV: ESET NOD32 Antivirus 3.0 *Enabled/Outdated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [WINDVDPatch] CTHELPER.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [Jet Detection] "c:\program files\creative\sblive\program\ADGJDet.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1259626271158
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 24.226.1.93 24.226.10.193 24.226.10.194 24.226.1.94
TCP: Interfaces\{8AD0C856-75AB-4004-9BFD-2A79B9DDE494} : DhcpNameServer = 24.226.1.93 24.226.10.193 24.226.10.194 24.226.1.94
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
IFEO: image file execution options - svchost.exe
Hosts: 64.27.9.108 www.google.com
Hosts: 178.17.165.3 www.google.com
Hosts: 64.27.9.108 www.google.com.au
Hosts: 178.17.165.3 www.google.com.au
Hosts: 64.27.9.108 www.google.be
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
============= SERVICES / DRIVERS ===============
.
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-2-20 33800]
R3 CT200xN51;NDIS5.1 Miniport Driver for 3Com 3C2000 Ethernet Controller;c:\windows\system32\drivers\CT200xN51.sys [2009-11-30 250240]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-7-4 22712]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2009-11-30 547744]
S4 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2009-11-30 155136]
S4 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2009-11-30 5248]
.
=============== Created Last 30 ================
.
2011-07-06 23:51:22 -------- d-----w- c:\documents and settings\welby\application data\SMART Technologies Inc
2011-07-05 06:44:51 -------- d-----w- c:\documents and settings\all users\application data\SMART Technologies Inc
2011-07-05 06:44:48 -------- d-----w- c:\program files\SMART Ideas 5
2011-07-05 06:27:21 -------- d-----w- c:\program files\Premier AT
2011-07-05 02:07:01 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-05 02:06:57 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-28 02:55:28 -------- d-----w- C:\bleepe to KEEP
2011-06-26 00:53:18 -------- d-----w- c:\documents and settings\all users\application data\Emergency AntiMalware
2011-06-25 02:20:08 -------- d-sh--w- c:\documents and settings\all users\application data\SSTJNS
2011-06-25 02:19:40 -------- d-sh--w- c:\documents and settings\all users\application data\654eac
2011-06-16 21:19:11 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-06-11 00:58:29 -------- d-----w- c:\program files\VideoLAN
2011-06-11 00:57:49 -------- d-----w- c:\program files\Graboid
.
==================== Find3M ====================
.
2011-06-04 20:01:39 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-04 08:52:22 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 06:25:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19:43 456320 ------w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ------w- c:\windows\system32\drivers\mup.sys
2004-10-01 20:00:16 40960 ----a-w- c:\program files\Uninstall_CDS.exe
.
============= FINISH: 11:55:45.79 ===============


#2 Noviciate (Malware Response Team, 5,277 posts, Location: Numpty HQ)

Posted 10 July 2011 - 05:05 PM

Good evening. :)

Download HostsXpert by FunkyToad from here and save it to your Desktop.

You will need to extract the file(s):
Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


You should now see the HostsXpert folder - open it and double click HostsXpert.exe
  • In the top left hand corner of the new window, ensure that the button says "Make ReadOnly?"
    If it says "Make Writable?", click it and it should change to the above.
  • Click on Restore MS Hosts File.
  • In the confirmation window, click on OK.
  • Finally, click the button mentioned above to make it read "Make Writable?".
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingcomputer.com/combofix/how-to-use-combofix *

  • When prompted to save Combofix, change the filename BEFORE saving it - any name will do, as long as it has .exe at the end.
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console, so you are free to choose whether you want to complete this step, but it is in your interests to do so.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for!

So long, and thanks for all the fish.
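The DDS log in post #1 and the HostsXpert procedure in post #2 come down to one check: does the HOSTS file map a well-known name to anything other than a loopback address? The script below is an added example, not code from the thread, from DDS or from HostsXpert. It parses the five "Hosts:" lines copied from the DDS log (plus two constructed benign lines), reports every entry that is not loopback, and rebuilds a HOSTS body that keeps only loopback mappings. The fallback content assumes the stock XP mapping of `localhost` with the comment header omitted; any name, regex or sample line below is the example's own.

```python
"""Added example (not from the BleepingComputer thread): flag HOSTS-file
hijacks in either raw HOSTS syntax or the 'Hosts: ip name' form DDS
prints, then emit a cleaned HOSTS body."""
import ipaddress
import re

# Constructed sample: the five "Hosts:" lines from the DDS log in this
# thread, plus a comment line and a benign localhost entry added here to
# show that they pass through untouched.
SAMPLE_HOSTS = """\
# constructed comment line
127.0.0.1 localhost
Hosts: 64.27.9.108 www.google.com
Hosts: 178.17.165.3 www.google.com
Hosts: 64.27.9.108 www.google.com.au
Hosts: 178.17.165.3 www.google.com.au
Hosts: 64.27.9.108 www.google.be
"""

# Assumed stock XP content (Microsoft's comment header left out).
DEFAULT_HOSTS = "127.0.0.1 localhost\n"

_LINE = re.compile(r"^(?:Hosts:\s+)?(\S+)\s+(\S+)")


def parse_hosts(text):
    """Yield (ip_address, hostname) for each non-comment entry, accepting
    raw HOSTS lines or the 'Hosts: ip name' lines found in a DDS log."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:                    # not an address: skip it
            continue
        yield ip, m.group(2).lower()


def find_hijacks(text):
    """Return [(ip, hostname)] for entries that point anywhere except
    loopback or the unspecified address. Such an entry silently overrides
    DNS for that name, which is how the redirects in this thread work."""
    return [(str(ip), name) for ip, name in parse_hosts(text)
            if not (ip.is_loopback or ip.is_unspecified)]


def clean_hosts(text):
    """Rebuild a HOSTS body keeping only loopback/unspecified mappings;
    if nothing survives, fall back to the stock XP content."""
    kept = [f"{ip} {name}" for ip, name in parse_hosts(text)
            if ip.is_loopback or ip.is_unspecified]
    return ("\n".join(kept) + "\n") if kept else DEFAULT_HOSTS


if __name__ == "__main__":
    for ip, name in find_hijacks(SAMPLE_HOSTS):
        print(f"HIJACK {name} -> {ip}")
    print("--- cleaned HOSTS ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

Run against the real file (`%SystemRoot%\System32\drivers\etc\hosts`) only after clearing its read-only/system/hidden attributes, or the rewrite will fail for the same reason HostsXpert did in post #3; the script deliberately does not touch attributes or write to disk.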

 

 


#3 Snoozo (Topic Starter, Members, 8 posts)

Posted 10 July 2011 - 07:41 PM

Hello Noviciate,

Thank you for the prompt response. I downloaded HostsXpert as suggested and when I open it, I get this message:

"Your HOSTS file is marked as a 'system file' and cannot be manipulated. Press OK to remove the system file attribute, Cancel to quit. ***HOSTSXpert will not reset these attributes.***"

When I click OK, the window opens but the top left hand corner says, "Make Writable?" and I cannot change it by clicking. Should I continue with trying to restore HOSTS file using this tool or something else?

#4 Noviciate (Malware Response Team, 5,277 posts, Location: Numpty HQ)

Posted 11 July 2011 - 02:23 PM

Good evening. :)

Download this file. Once done, double click hosts-perm.bat to run it and then try the instructions again.

So long, and thanks for all the fish.

 

 


#5 Snoozo (Topic Starter, Members, 8 posts)

Posted 11 July 2011 - 05:58 PM

Hello,

Downloaded and ran hosts-perm.bat. Black command window flashed quickly. Tried running HostsXpert again with same results. Got the same message on startup and could not change the toggle to "Make ReadOnly".

Am I doing something wrong?

Thank you for the help so far!

#6 Noviciate (Malware Response Team, 5,277 posts, Location: Numpty HQ)

Posted 12 July 2011 - 03:02 PM

Good evening. :)

Am I doing something wrong?

Apart from following my instructions? :wacko: Time to get nasty with this thing. Download and install Unlocker. It's freeware and once you've used it, you can uninstall it if you wish, or keep it if you prefer.

Navigate to C:\WINDOWS\system32\drivers\etc, right click HOSTS and select Unlocker from the menu.

Change the action to Delete and let Unlocker get rid of the original HOSTS file.

Then run HostsXpert again and it should tell you that the HOSTS file is missing and offer to create a new one. Let it do so and then ensure that you have the option "Make Writable?" visible and then you can close the program.

Just sort the above out and then let me know how you got on.

So long, and thanks for all the fish.

 

 


#7 Snoozo (Topic Starter, Members, 8 posts)

Posted 13 July 2011 - 09:53 PM

Arg... What if there is no file named hosts in that directory? Only 4 files are there: lmhosts, networks, protocol and services. Folder view is set to view hidden files. Did a search of C:\ and no 'hosts' file came up. Tried to use hostsXpert to restore hosts file and got this message:

"ERROR: Cannot create file C:\WINDOWS\system32\DRIVERS\ETC\hosts". I hit ok and the program closes. Tried hosts-perm again with same result. Still getting the message:

"Your HOSTS file is marked as a 'system file' and cannot be manipulated. Press OK to remove the system file attribute, Cancel to quit. ***HOSTSXpert will not reset these attributes.***"

when I start HostsXpert.

#8 Noviciate (Malware Response Team, 5,277 posts, Location: Numpty HQ)

Posted 14 July 2011 - 02:03 PM

Good evening. :)

Download RegQuery from here and save it to your Desktop.
  • Double click the file to run it.
  • Copy the following keyname to your clipboard - either CTRL + C or right click will do.

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  • Click Paste from Clipboard and then Query.
  • A Notepad window should open with some text in it - either that or you'll get a pop-up telling you to check the keyname.
  • Let me have the contents of the file in your next reply.

So long, and thanks for all the fish.

 

 


#9 Snoozo (Topic Starter, Members, 8 posts)

Posted 15 July 2011 - 04:21 PM

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"NV Hostname"="mark"
"DataBasePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,65,00,74,00,63,00,00,00
"NameServer"=""
"ForwardBroadcasts"=dword:00000000
"IPEnableRouter"=dword:00000000
"Domain"=""
"Hostname"="mark"
"SearchList"=""
"UseDomainNameDevolution"=dword:00000001
"EnableICMPRedirect"=dword:00000001
"DeadGWDetectDefault"=dword:00000001
"DontAddDefaultGatewayDefault"=dword:00000000
"EnableSecurityFilters"=dword:00000000
"DhcpNameServer"="24.226.1.93 24.226.10.193 24.226.10.194 24.226.1.94"
"DhcpDomain"="cgocable.net"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\NdisWanIp]
"LLInterface"="WANARP"
"IpConfig"=hex(7):54,00,63,00,70,00,69,00,70,00,5c,00,50,00,61,00,72,00,61,00,\
6d,00,65,00,74,00,65,00,72,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,00,66,\
00,61,00,63,00,65,00,73,00,5c,00,7b,00,31,00,33,00,38,00,38,00,45,00,35,00,\
34,00,39,00,2d,00,30,00,34,00,44,00,44,00,2d,00,34,00,37,00,37,00,37,00,2d,\
00,39,00,42,00,31,00,35,00,2d,00,46,00,32,00,35,00,38,00,33,00,35,00,44,00,\
44,00,44,00,39,00,44,00,37,00,7d,00,00,00,54,00,63,00,70,00,69,00,70,00,5c,\
00,50,00,61,00,72,00,61,00,6d,00,65,00,74,00,65,00,72,00,73,00,5c,00,49,00,\
6e,00,74,00,65,00,72,00,66,00,61,00,63,00,65,00,73,00,5c,00,7b,00,42,00,35,\
00,35,00,34,00,33,00,37,00,32,00,44,00,2d,00,46,00,44,00,43,00,45,00,2d,00,\
34,00,35,00,30,00,34,00,2d,00,39,00,45,00,31,00,31,00,2d,00,42,00,39,00,35,\
00,37,00,46,00,35,00,37,00,36,00,32,00,46,00,36,00,39,00,7d,00,00,00,00,00
"NumInterfaces"=dword:00000002
"IpInterfaces"=hex:49,e5,88,13,dd,04,77,47,9b,15,f2,58,35,dd,d9,d7,2d,37,54,b5,\
ce,fd,04,45,9e,11,b9,57,f5,76,2f,69

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{8AD0C856-75AB-4004-9BFD-2A79B9DDE494}]
"LLInterface"=""
"IpConfig"=hex(7):54,00,63,00,70,00,69,00,70,00,5c,00,50,00,61,00,72,00,61,00,\
6d,00,65,00,74,00,65,00,72,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,00,66,\
00,61,00,63,00,65,00,73,00,5c,00,7b,00,38,00,41,00,44,00,30,00,43,00,38,00,\
35,00,36,00,2d,00,37,00,35,00,41,00,42,00,2d,00,34,00,30,00,30,00,34,00,2d,\
00,39,00,42,00,46,00,44,00,2d,00,32,00,41,00,37,00,39,00,42,00,39,00,44,00,\
44,00,45,00,34,00,39,00,34,00,7d,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1388E549-04DD-4777-9B15-F25835DDD9D7}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8AD0C856-75AB-4004-9BFD-2A79B9DDE494}]
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"DefaultGatewayMetric"=hex(7):00,00
"NameServer"=""
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=hex(7):30,00,00,00,00,00
"UDPAllowedPorts"=hex(7):30,00,00,00,00,00
"RawIPAllowedProtocols"=hex(7):30,00,00,00,00,00
"NTEContextList"=hex(7):30,00,78,00,30,00,30,00,30,00,30,00,30,00,30,00,30,00,\
32,00,00,00,00,00
"DhcpClassIdBin"=hex:
"DhcpIPAddress"="72.39.19.89"
"DhcpSubnetMask"="255.255.224.0"
"DhcpServer"="24.226.1.122"
"Lease"=dword:00093a80
"LeaseObtainedTime"=dword:4e2028d1
"T1"=dword:4e24c611
"T2"=dword:4e283c01
"LeaseTerminatesTime"=dword:4e296351
"IPAutoconfigurationAddress"="0.0.0.0"
"IPAutoconfigurationMask"="255.255.0.0"
"IPAutoconfigurationSeed"=dword:00000000
"AddressType"=dword:00000000
"IsServerNapAware"=dword:00000000
"DhcpRetryTime"=dword:00049d3d
"DhcpRetryStatus"=dword:00000000
"DhcpNameServer"="24.226.1.93 24.226.10.193 24.226.10.194 24.226.1.94"
"DhcpDefaultGateway"=hex(7):37,00,32,00,2e,00,33,00,39,00,2e,00,30,00,2e,00,31,\
00,00,00,00,00
"DhcpDomain"="cgocable.net"
"DhcpSubnetMaskOpt"=hex(7):32,00,35,00,35,00,2e,00,32,00,35,00,35,00,2e,00,32,\
00,32,00,34,00,2e,00,30,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B554372D-FDCE-4504-9E11-B957F5762F69}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Winsock]
"UseDelayedAcceptance"=dword:00000000
"HelperDllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,\
6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
00,77,00,73,00,68,00,74,00,63,00,70,00,69,00,70,00,2e,00,64,00,6c,00,6c,00,\
00,00
"MaxSockAddrLength"=dword:00000010
"MinSockAddrLength"=dword:00000010
"Mapping"=hex:0b,00,00,00,03,00,00,00,02,00,00,00,01,00,00,00,06,00,00,00,02,\
00,00,00,01,00,00,00,00,00,00,00,02,00,00,00,00,00,00,00,06,00,00,00,00,00,\
00,00,00,00,00,00,06,00,00,00,00,00,00,00,01,00,00,00,06,00,00,00,02,00,00,\
00,02,00,00,00,11,00,00,00,02,00,00,00,02,00,00,00,00,00,00,00,02,00,00,00,\
00,00,00,00,11,00,00,00,00,00,00,00,00,00,00,00,11,00,00,00,00,00,00,00,02,\
00,00,00,11,00,00,00,02,00,00,00,03,00,00,00,00,00,00,00
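The reason post #8 asks for `Tcpip\Parameters` is that two values in it decide where Windows reads the HOSTS file from and which resolver it uses: `DataBasePath` (a REG_EXPAND_SZ that regedit exports as `hex(2):` UTF-16LE bytes) and `NameServer`. If `DataBasePath` were pointed at another directory, cleaning the file under `system32\drivers\etc` would change nothing. The script below is an added example, not code from the thread or from RegQuery: it rejoins regedit's backslash-continued lines, decodes `hex(2)`/`hex(7)` values, and checks the two settings against the XP default. The sample text is copied from the export above (one `hex(7)` line from an interface subkey is included to exercise that branch); the expected default path is the XP stock value, and the function and constant names are the example's own.

```python
"""Added example (not the thread's own code): decode a regedit/RegQuery
export of Tcpip\\Parameters and audit the values a redirect infection
commonly tampers with."""
import re

# Constructed sample: value lines copied from the .reg export posted in
# this thread, with regedit's trailing-backslash line continuations.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DataBasePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,65,00,74,00,63,00,00,00
"NameServer"=""
"EnableSecurityFilters"=dword:00000000
"DhcpNameServer"="24.226.1.93 24.226.10.193 24.226.10.194 24.226.1.94"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8AD0C856-75AB-4004-9BFD-2A79B9DDE494}]
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
'''

# Stock XP value; anything else means the HOSTS file Windows reads is not
# the one under system32\drivers\etc.
EXPECTED_DATABASEPATH = r"%SystemRoot%\System32\drivers\etc"


def _join_continuations(text):
    """regedit wraps long hex values with ',\\' + newline; rejoin them."""
    return re.sub(r",\\\r?\n\s*", ",", text)


def parse_reg_values(text):
    """Return {name: value} for every value line in the export. Key headers
    are ignored, so values from different subkeys merge into one dict
    (adequate for this audit). hex(2) is REG_EXPAND_SZ (one string),
    hex(7) is REG_MULTI_SZ (list of strings); both are UTF-16LE with NUL
    terminators. dword values become ints, quoted strings stay strings."""
    values = {}
    for line in _join_continuations(text).splitlines():
        m = re.match(r'^"([^"]+)"=(.*)$', line.strip())
        if not m:
            continue
        name, rhs = m.group(1), m.group(2)
        if rhs.startswith(("hex(2):", "hex(7):")):
            raw = bytes.fromhex(rhs.split(":", 1)[1].replace(",", ""))
            parts = [p for p in raw.decode("utf-16-le").split("\x00") if p]
            values[name] = parts[0] if rhs.startswith("hex(2):") else parts
        elif rhs.startswith("dword:"):
            values[name] = int(rhs[len("dword:"):], 16)
        elif len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            values[name] = rhs[1:-1]
    return values


def audit_tcpip_parameters(values):
    """Return a list of findings: a redirected HOSTS directory and/or a
    statically configured resolver that overrides the DHCP-supplied one."""
    findings = []
    path = values.get("DataBasePath", "")
    if path.lower() != EXPECTED_DATABASEPATH.lower():
        findings.append(f"DataBasePath redirected to {path!r}")
    if values.get("NameServer"):
        findings.append(f"static NameServer set: {values['NameServer']!r}")
    return findings


if __name__ == "__main__":
    vals = parse_reg_values(SAMPLE_REG)
    print("DataBasePath =", vals["DataBasePath"])
    print("findings:", audit_tcpip_parameters(vals) or "none")
```

For the export in this thread both values are at their defaults, so the script reports no findings; the same parser applied to the `Interfaces\{...}` subkeys would also surface a per-adapter `NameServer`, which is worth checking when the machine-wide one is empty.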

#10 Noviciate (Malware Response Team, 5,277 posts, Location: Numpty HQ)

Posted 16 July 2011 - 04:10 PM

Good evening. :)

Run ComboFix as above and we'll worry about the HOSTS file later.

So long, and thanks for all the fish.

 

 


#11 Snoozo (Topic Starter, Members, 8 posts)

Posted 17 July 2011 - 11:10 AM

ComboFix 11-07-17.01 - Welby 17/07/2011 11:56:51.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.393 [GMT -4:00]
Running from: c:\documents and settings\Tracy\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\daemon.dll
c:\windows\isRS-000.tmp
.
.
((((((((((((((((((((((((( Files Created from 2011-06-17 to 2011-07-17 )))))))))))))))))))))))))))))))
.
.
2011-07-14 02:41 . 2011-07-14 02:41 -------- d-----w- c:\program files\Unlocker
2011-07-06 23:54 . 2011-07-06 23:55 -------- d-----w- c:\documents and settings\Administrator
2011-07-06 23:51 . 2011-07-06 23:51 -------- d-----w- c:\documents and settings\Welby\Application Data\SMART Technologies Inc
2011-07-05 06:44 . 2011-07-05 06:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SMART Technologies Inc
2011-07-05 06:44 . 2011-07-13 02:44 -------- d-----w- c:\program files\SMART Ideas 5
2011-07-05 06:27 . 2011-07-14 03:25 -------- d-----w- c:\program files\Premier AT
2011-07-05 02:07 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-05 02:06 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-28 02:55 . 2011-07-05 08:32 -------- d-----w- C:\bleepe to KEEP
2011-06-26 00:53 . 2011-06-26 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Emergency AntiMalware
2011-06-25 02:20 . 2011-06-25 02:20 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SSTJNS
2011-06-25 02:19 . 2002-01-02 03:36 -------- d-sh--w- c:\documents and settings\All Users\Application Data\654eac
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-04 20:01 . 2011-06-04 20:01 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02 . 2004-08-10 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-04 08:52 . 2010-05-09 15:49 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 06:25 . 2010-01-06 01:14 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-02 15:31 . 2009-11-30 23:23 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2004-08-10 12:00 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2004-08-10 12:00 456320 ------w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-26 11:07 . 2004-08-10 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-04-26 11:07 . 2004-08-10 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-04-25 16:11 . 2004-08-10 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2004-08-10 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2004-08-10 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2004-08-10 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2004-08-10 12:00 105472 ------w- c:\windows\system32\drivers\mup.sys
2004-10-01 20:00 . 2009-12-31 02:17 40960 ----a-w- c:\program files\Uninstall_CDS.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 24576]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 1443072]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKLM\~\startupfolder\C:^Documents and Settings^Tracy^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Tracy\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Welby^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Welby\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Welby^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Welby\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 09:08 35696 -c--a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-28 00:03 152872 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
2004-08-22 22:05 81920 ----a-w- c:\program files\D-Tools\daemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 19:33 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LGODDFU]
2009-12-31 02:19 557056 ----a-w- c:\program files\lg_fwupdate\fwupdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 03:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 20:57 153136 -c--a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 21:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\SMART Ideas 5\\bin\\Ideas.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [20/02/2008 11:11 AM 33800]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [20/02/2008 11:08 AM 472320]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [04/07/2011 10:07 PM 366640]
R3 CT200xN51;NDIS5.1 Miniport Driver for 3Com 3C2000 Ethernet Controller;c:\windows\system32\drivers\CT200xN51.sys [30/11/2009 7:59 PM 250240]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [04/07/2011 10:06 PM 22712]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [10/08/2004 8:00 AM 3584]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [30/11/2009 7:35 PM 547744]
S4 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [30/11/2009 8:35 PM 155136]
S4 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [30/11/2009 8:35 PM 5248]
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 24.226.1.93 24.226.10.193 24.226.10.194 24.226.1.94
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-D-Link AirPlus XtremeG DWL-G520 - c:\program files\D-Link\AirPlus XtremeG DWL-G520\AirPlusCFG.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-17 12:05
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-07-17 12:08:29
ComboFix-quarantined-files.txt 2011-07-17 16:08
.
Pre-Run: 2,130,530,304 bytes free
Post-Run: 3,325,669,376 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 03259A6061C620A4A027A81E123EAFCF

#12 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 17 July 2011 - 01:25 PM

Good evening. :)

Copy and paste the following into Notepad (Start > All Programs > Accessories > Notepad):

File::
C:\WINDOWS\system32\DRIVERS\ETC\hosts


Save it to your Desktop with the following filename: CFScript
Drag and drop CFScript.txt onto your copy of Combofix and let it do its thing.
Let me have the log produced, as before, and a description of how the PC is behaving.

So long, and thanks for all the fish.

#13 Snoozo
  • Topic Starter

  • Members
  • 8 posts

Posted 20 July 2011 - 05:57 PM

Hello,

Log attached below. Alerts from malwarebytes and google redirects still happening. Screenshot of the message I still get from malwarebytes attached. This one says incoming, but I also get them saying outgoing.



ComboFix 11-07-18.05 - Welby 18/07/2011 21:53:36.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.585 [GMT -4:00]
Running from: c:\documents and settings\Tracy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Welby\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 3.0 *Disabled/Outdated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
FILE ::
"c:\windows\system32\DRIVERS\ETC\hosts"
.
.
((((((((((((((((((((((((( Files Created from 2011-06-19 to 2011-07-19 )))))))))))))))))))))))))))))))
.
.
2011-07-14 02:41 . 2011-07-14 02:41 -------- d-----w- c:\program files\Unlocker
2011-07-06 23:54 . 2011-07-06 23:55 -------- d-----w- c:\documents and settings\Administrator
2011-07-06 23:51 . 2011-07-06 23:51 -------- d-----w- c:\documents and settings\Welby\Application Data\SMART Technologies Inc
2011-07-05 06:44 . 2011-07-05 06:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SMART Technologies Inc
2011-07-05 06:44 . 2011-07-13 02:44 -------- d-----w- c:\program files\SMART Ideas 5
2011-07-05 06:27 . 2011-07-14 03:25 -------- d-----w- c:\program files\Premier AT
2011-07-05 02:07 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-05 02:06 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-28 02:55 . 2011-07-05 08:32 -------- d-----w- C:\bleepe to KEEP
2011-06-26 00:53 . 2011-06-26 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Emergency AntiMalware
2011-06-25 02:20 . 2011-06-25 02:20 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SSTJNS
2011-06-25 02:19 . 2002-01-02 03:36 -------- d-sh--w- c:\documents and settings\All Users\Application Data\654eac
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-04 20:01 . 2011-06-04 20:01 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02 . 2004-08-10 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-04 08:52 . 2010-05-09 15:49 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 06:25 . 2010-01-06 01:14 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-02 15:31 . 2009-11-30 23:23 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2004-08-10 12:00 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2004-08-10 12:00 456320 ------w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-26 11:07 . 2004-08-10 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-04-26 11:07 . 2004-08-10 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-04-25 16:11 . 2004-08-10 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2004-08-10 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2004-08-10 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2004-08-10 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2004-08-10 12:00 105472 ------w- c:\windows\system32\drivers\mup.sys
2004-10-01 20:00 . 2009-12-31 02:17 40960 ----a-w- c:\program files\Uninstall_CDS.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2011-07-17_16.05.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2002-01-01 04:01 . 2002-01-01 04:01 16384 c:\windows\Temp\Perflib_Perfdata_73c.dat
- 2004-08-10 12:00 . 2011-07-14 02:41 68214 c:\windows\system32\perfc009.dat
+ 2004-08-10 12:00 . 2002-01-01 04:03 68214 c:\windows\system32\perfc009.dat
+ 2004-08-10 12:00 . 2002-01-01 04:03 435700 c:\windows\system32\perfh009.dat
- 2004-08-10 12:00 . 2011-07-14 02:41 435700 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 24576]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 1443072]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKLM\~\startupfolder\C:^Documents and Settings^Tracy^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Tracy\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Welby^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Welby\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Welby^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Welby\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 09:08 35696 -c--a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-28 00:03 152872 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
2004-08-22 22:05 81920 ----a-w- c:\program files\D-Tools\daemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 19:33 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LGODDFU]
2009-12-31 02:19 557056 ----a-w- c:\program files\lg_fwupdate\fwupdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 03:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 20:57 153136 -c--a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 21:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\SMART Ideas 5\\bin\\Ideas.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [20/02/2008 11:11 AM 33800]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [20/02/2008 11:08 AM 472320]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [04/07/2011 10:07 PM 366640]
R3 CT200xN51;NDIS5.1 Miniport Driver for 3Com 3C2000 Ethernet Controller;c:\windows\system32\drivers\CT200xN51.sys [30/11/2009 7:59 PM 250240]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [04/07/2011 10:06 PM 22712]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [10/08/2004 8:00 AM 3584]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [30/11/2009 7:35 PM 547744]
S4 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [30/11/2009 8:35 PM 155136]
S4 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [30/11/2009 8:35 PM 5248]
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 24.226.1.93 24.226.10.193 24.226.10.194 24.226.1.94
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-18 22:03
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1320)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
- - - - - - - > 'explorer.exe'(2008)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-07-18 22:08:18
ComboFix-quarantined-files.txt 2011-07-19 02:08
ComboFix2.txt 2011-07-17 16:08
.
Pre-Run: 3,134,533,632 bytes free
Post-Run: 3,134,242,816 bytes free
.
- - End Of File - - F41502DBF20E4FD26CBDEC0F6B702F28

#14 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 21 July 2011 - 02:16 PM

Good evening. :)

Do you have a flashdrive of at least 128 Mb that you can wipe clean for a little tool to play with?

So long, and thanks for all the fish.

#15 Snoozo
  • Topic Starter

  • Members
  • 8 posts

Posted 22 July 2011 - 06:04 PM

Sure do.
