Infected with Trojan/Google Redirect?

7 replies to this topic

#1 nucksfan

Posted 19 August 2011 - 02:39 AM

Hi,

A couple of days ago my computer was infected by a trojan. I ran MBAM and was able to remove the trojans listed; I then ran MBAM once again and it came out empty. I then ran ESET online overnight, and when I came back to the computer the next day there were some files I deleted as well from the ESET scan. After that I was just searching something on Google and a couple of the websites I clicked redirected to another website. I then restarted the computer and no longer experienced the Google redirect problem after that, and my computer seems to be running fine...

So now I'm not 100% sure if the trojans have been completely removed and my computer is 100% clean. PS: I have tried running gmer.exe a couple of times but it seems to freeze my computer, so I could not save the log file. I also attached the MBAM log from when I first ran the scan and deleted the trojans.

Any help will be greatly appreciated.

Thanks

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_21
Run by Ralph at 16:02:15 on 2011-08-18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.1901 [GMT -7:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Memeo\AutoBackupPro\MemeoBackgroundService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Auzentech\Auzen X-Fi Prelude 7.1\Volume Panel\VolPanlu.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\DNA\btdna.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\FlashMute\FlashMute.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Memeo\AutoBackupPro\MemeoBackup.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Ralph\Application Data\mjusbsp\magicJack.exe
C:\WINDOWS\system32\WISPTIS.EXE
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: StumbleUpon Launcher: {145b29f4-a56b-4b90-bbac-45784ebebbb7} - c:\program files\stumbleupon\StumbleUponIEBar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: StumbleUpon Toolbar: {5093eb4c-3e93-40ab-9266-b607ba87bdc8} - c:\program files\stumbleupon\StumbleUponIEBar.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [Aim6]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [cdloader] "c:\documents and settings\ralph\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [Google Update] "c:\documents and settings\ralph\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [FlashMute] c:\program files\flashmute\FlashMute.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.EXE
mRun: [Memeo Backup Premium] c:\program files\memeo\autobackuppro\MemeoLauncher2.exe --silent --no_ui
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [VolPanel] "c:\program files\auzentech\auzen x-fi prelude 7.1\volume panel\VolPanlu.exe" /r
mRun: [UpdReg] c:\windows\UpdReg.EXE
StartupFolder: c:\docume~1\ralph\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nikonm~1.lnk - c:\program files\common files\nikon\monitor\NkMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ultramon.lnk - c:\windows\installer\{b49673f8-7ab6-4a14-8213-c8a7be370010}\IcoUltraMon.ico
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{F12E30A0-CA51-452F-8E0A-DAD06FCEDD3F} : DhcpNameServer = 192.168.0.1
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2011\HelpAsyncPluggableProtocol.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\607\G2AWinLogon.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\ralph\application data\mozilla\firefox\profiles\c5uhzqg7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - plugin: c:\documents and settings\ralph\local settings\application data\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-8-9 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-29 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-9-29 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-9-29 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-9-29 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-9-29 297752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-12 2151640]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-7-3 366640]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\memeo\autobackuppro\MemeoBackgroundService.exe [2010-7-28 25824]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\common files\realtime soft\ultramonmirrordrv\x32\UltraMonUtility.sys [2008-11-14 17184]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-10-3 24652]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15232]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.2;c:\windows\system32\drivers\libusb0.sys [2010-4-18 28160]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-7-3 22712]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-1-25 42000]
S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\stumbleupon\StumbleUponUpdateService.exe [2010-3-25 120232]
S3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\ultramonmirror.sys --> c:\windows\system32\drivers\UltraMonMirror.sys [?]
.
=============== Created Last 30 ================
.
2011-08-18 17:41:08 388096 ----a-r- c:\documents and settings\ralph\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-08-18 17:41:07 -------- d-----w- c:\program files\Trend Micro
2011-08-18 02:14:04 -------- d-----w- c:\program files\ESET
2011-08-17 05:21:20 90112 ------w- c:\windows\Updreg.EXE
2011-08-17 05:18:10 86016 ----a-r- c:\windows\system32\cttele.dll
2011-08-16 21:57:25 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-08-16 21:57:25 785368 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-08-16 21:57:25 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2011-08-16 21:57:25 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-08-16 21:57:25 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-08-16 21:57:25 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-08-16 21:57:25 1846232 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-08-16 21:57:25 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2011-08-16 21:57:25 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-08-16 21:57:25 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-08-16 21:38:10 0 ----a-w- c:\windows\Ixesuvimupagidi.bin
2011-08-16 21:38:08 -------- d-----w- c:\documents and settings\ralph\local settings\application data\{2DE231AC-0388-418D-8259-EAFE6D2C54DA}
2011-07-21 18:16:57 -------- d-----w- c:\program files\FlashMute
.
==================== Find3M ====================
.
2011-08-17 05:07:34 409600 ----a-w- c:\windows\system32\wrap_oal.dll
2011-08-17 05:07:34 114688 ----a-w- c:\windows\system32\OpenAL32.dll
2011-08-11 19:44:33 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-07 02:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 02:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-01 01:47:10 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-21 18:45:58 832512 ----a-w- c:\windows\system32\wininet.dll
2011-06-21 18:45:57 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-06-21 18:45:57 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-06-21 18:45:57 17408 ----a-w- c:\windows\system32\corpol.dll
2011-06-21 11:47:20 389120 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2007-03-09 07:12:32 27648 --sha-w- c:\windows\system32\AVSredirect.dll
.
============= FINISH: 16:08:07.92 ===============

#2 teacup61 (Malware Response Team)

Posted 20 August 2011 - 09:24 AM

Hello nucksfan,

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to nucksfan.exe and try again.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


Error reading poptart in Drive A: Delete kids y/n?

#3 nucksfan (Topic Starter)

Posted 20 August 2011 - 01:31 PM

Hi tea,

Thanks for your reply.

Here's the Combofix log file:

ComboFix 11-08-19.02 - Ralph 08/20/2011 11:17:38.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.942 [GMT -7:00]
Running from: c:\documents and settings\Ralph\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\iun6002.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-07-20 to 2011-08-20 )))))))))))))))))))))))))))))))
.
.
2011-08-18 17:41 . 2011-08-18 17:41 388096 ------r- c:\documents and settings\Ralph\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-08-18 17:41 . 2011-08-18 17:41 -------- d-----w- c:\program files\Trend Micro
2011-08-18 02:14 . 2011-08-18 02:14 -------- d-----w- c:\program files\ESET
2011-08-17 05:21 . 2000-05-11 08:00 90112 ------w- c:\windows\Updreg.EXE
2011-08-17 05:18 . 2007-09-28 07:12 86016 ----a-r- c:\windows\system32\cttele.dll
2011-08-16 21:57 . 2011-08-12 05:57 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-08-16 21:57 . 2011-08-12 05:57 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-08-16 21:57 . 2011-08-12 05:57 785368 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-08-16 21:57 . 2011-08-12 05:57 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
2011-08-16 21:57 . 2011-08-12 05:57 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-08-16 21:57 . 2011-08-12 05:57 1846232 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-08-16 21:57 . 2011-08-12 05:57 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-08-16 21:57 . 2011-08-12 05:57 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-08-16 21:57 . 2011-08-12 03:16 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-08-16 21:57 . 2011-08-12 03:16 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-08-16 21:38 . 2011-08-16 21:38 0 ----a-w- c:\windows\Ixesuvimupagidi.bin
2011-08-16 21:38 . 2011-08-16 21:38 -------- d-----w- c:\documents and settings\Ralph\Local Settings\Application Data\{2DE231AC-0388-418D-8259-EAFE6D2C54DA}
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-17 05:07 . 2008-09-26 16:54 409600 ----a-w- c:\windows\system32\wrap_oal.dll
2011-08-17 05:07 . 2008-09-26 16:54 114688 ----a-w- c:\windows\system32\OpenAL32.dll
2011-08-11 19:44 . 2011-05-20 04:23 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29 . 2008-04-14 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2008-04-14 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-07 02:52 . 2011-07-04 03:21 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 02:52 . 2011-07-04 03:21 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-01 01:47 . 2010-08-10 01:45 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-24 14:10 . 2008-09-26 15:54 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-21 18:45 . 2008-04-14 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2011-06-21 18:45 . 2008-04-14 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-06-21 18:45 . 2008-04-14 12:00 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-06-21 18:45 . 2008-04-14 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2011-06-21 11:47 . 2008-04-14 12:00 389120 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2008-04-14 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02 . 2008-04-14 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-12 05:57 . 2011-08-16 21:57 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2007-03-09 07:12 27648 --sha-w- c:\windows\system32\AVSredirect.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-06 4347120]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-12 323392]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"FlashMute"="c:\program files\FlashMute\FlashMute.exe" [2006-03-11 221184]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-08 2048352]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-13 141600]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-17 1848648]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-12-11 722256]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-20 124512]
"Memeo Backup Premium"="c:\program files\Memeo\AutoBackupPro\MemeoLauncher2.exe" [2010-07-28 136416]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-11-18 623880]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-07 449584]
"CTxfiHlp"="CTXFIHLP.EXE" [2007-12-17 19968]
"VolPanel"="c:\program files\Auzentech\Auzen X-Fi Prelude 7.1\Volume Panel\VolPanlu.exe" [2008-02-11 221300]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
.
c:\documents and settings\Ralph\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2008-6-5 479232]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2011-1-21 984408]
UltraMon.lnk - c:\windows\Installer\{B49673F8-7AB6-4A14-8213-C8A7BE370010}\IcoUltraMon.ico [2010-2-17 29310]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-21 16:28 11952 ----a-w- c:\windows\system32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2010-02-24 21:52 13672 ----a-w- c:\program files\Citrix\GoToAssist\607\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\GlobalSCAPE\\CuteFTP 8 Professional\\ftpte.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Flickr Uploadr\\Flickr Uploadr.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2011\\QBDBMgrN.exe"=
"c:\\Documents and Settings\\Ralph\\Application Data\\mjusbsp\\magicJack.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/9/2010 6:45 PM 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/29/2008 8:33 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/29/2008 8:33 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/29/2008 8:33 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/29/2008 8:33 PM 297752]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/3/2011 8:21 PM 366640]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\Memeo\AutoBackupPro\MemeoBackgroundService.exe [7/28/2010 10:08 AM 25824]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [11/14/2008 3:11 AM 17184]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/3/2008 12:53 AM 24652]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.2;c:\windows\system32\drivers\libusb0.sys [4/18/2010 6:10 PM 28160]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/3/2011 8:21 PM 22712]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/12/2010 1:55 AM 2151640]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [1/25/2007 10:31 AM 42000]
S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\StumbleUpon\StumbleUponUpdateService.exe [3/25/2010 1:21 PM 120232]
S3 UltraMonMirror;UltraMonMirror;c:\windows\system32\DRIVERS\UltraMonMirror.sys --> c:\windows\system32\DRIVERS\UltraMonMirror.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 11:19]
.
2011-08-20 c:\windows\Tasks\Backup Schedule.job
- c:\windows\system32\ntbackup.exe [2001-08-18 05:36]
.
2011-08-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-1757981266-1801674531-1004Core.job
- c:\documents and settings\Ralph\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-04 04:36]
.
2011-08-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-1757981266-1801674531-1004UA.job
- c:\documents and settings\Ralph\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-04 04:36]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\Ralph\Application Data\Mozilla\Firefox\Profiles\c5uhzqg7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Aim6 - (no file)
AddRemove-Replay_AV_807 - c:\windows\iun6002.exe
AddRemove-Replay_Converter_1 - c:\windows\iun6002.exe
AddRemove-FlashMute - c:\program files\FlashMute\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-20 11:22
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\1d1ef690]
"imagepath"="\??\c:\windows\TEMP\EE8.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\ *ĝU***2 *_*a*u*t*o*_*f*i*l*e*\shell\Open\Command]
@="c:\\Program Files\\Replay AV 8\\flvplayer.exe \"%1\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(460)
c:\program files\Citrix\GoToAssist\607\G2AWinLogon.dll
.
Completion time: 2011-08-20 11:24:49
ComboFix-quarantined-files.txt 2011-08-20 18:24
.
Pre-Run: 537,625,468,928 bytes free
Post-Run: 539,095,887,872 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 0832B302398F440CA55094EA401C8F31
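A first-look triage pass over the kinds of entries that appear in the DDS log in post #1 and the ComboFix log in post #3, added here as an example (it is not a tool from this thread, from BleepingComputer or from the ComboFix author). The sample lines are constructed from the posted logs, and the checks are the ordinary things a helper reads first: BHOs whose DLL is gone, autostart entries pointing at missing files, zero-byte files dropped straight into c:\windows, and services with random-looking names or an image path under TEMP.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample lines in the shape of the DDS and ComboFix logs posted
# in this thread; the service key and its "imagepath" value are two lines, as
# ComboFix prints them. Paths and names are copied from the posted logs.
SAMPLE_LOG = r"""
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
2011-08-16 21:38:10 0 ----a-w- c:\windows\Ixesuvimupagidi.bin
2011-08-16 21:57:25 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-08-16 21:38 . 2011-08-16 21:38 0 ----a-w- c:\windows\Ixesuvimupagidi.bin
2011-08-18 17:41 . 2011-08-18 17:41 -------- d-----w- c:\program files\Trend Micro
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\1d1ef690]
"imagepath"="\??\c:\windows\TEMP\EE8.tmp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FlashMute"="c:\program files\FlashMute\FlashMute.exe" [2006-03-11 221184]
HKCU-Run-Aim6 - (no file)
"""


@dataclass
class Finding:
    kind: str   # short tag for the heuristic that fired
    line: str   # the log line, path or key that triggered it


# DDS "Created Last 30" line:  date time size attrs path
DDS_FILE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+|-+)\s+(\S{8})\s+(.+)$")
# ComboFix "Files Created" line:  date time . date time size attrs path
CF_FILE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"\s+(\d+|-+)\s+(\S{8})\s+(.+)$")
# ComboFix registry block for a service, followed by its imagepath value
SERVICE_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+)\]$",
    re.IGNORECASE)
IMAGEPATH = re.compile(r'^"imagepath"="(.+)"$', re.IGNORECASE)
# A service name that is nothing but 8 hex digits reads as machine-generated
RANDOM_HEX_NAME = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)


def _check_file(size: str, path: str) -> List[Finding]:
    """Heuristics for one created-file record (size is '--------' for directories)."""
    out = []
    parts = path.lower().split("\\")
    # A zero-byte file dropped directly into c:\windows (not a subfolder) is
    # not how installed software normally behaves and is worth a look.
    if size.isdigit() and int(size) == 0 and parts[:2] == ["c:", "windows"] and len(parts) == 3:
        out.append(Finding("zero_byte_in_windows_root", path))
    return out


def triage(log_text: str) -> List[Finding]:
    """Walk a DDS/ComboFix log and return the entries a reviewer would look at first."""
    findings: List[Finding] = []
    pending_service = None   # service name waiting for its imagepath line
    seen = set()             # the same file shows up in both logs; report it once
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Browser helper objects whose DLL is gone: leftover registrations
        if line.startswith("BHO:") and line.endswith("- No File"):
            findings.append(Finding("bho_no_file", line))
            continue
        # Autostart entries ComboFix reports as pointing at a missing file
        if line.endswith("- (no file)"):
            findings.append(Finding("orphan_autostart", line))
            continue
        m = SERVICE_KEY.match(line)
        if m:
            pending_service = m.group(1)
            continue
        m = IMAGEPATH.match(line)
        if m and pending_service is not None:
            image = m.group(1).lower()
            # Random-looking service name, or a service image living under a
            # TEMP folder with a .tmp extension: either one deserves a look.
            if RANDOM_HEX_NAME.match(pending_service) or ("\\temp\\" in image and image.endswith(".tmp")):
                findings.append(Finding("suspicious_service", f"{pending_service} -> {m.group(1)}"))
            pending_service = None
            continue
        m = DDS_FILE.match(line) or CF_FILE.match(line)
        if m:
            size, path = m.group(2), m.group(4)
            for f in _check_file(size, path):
                key = (f.kind, f.line.lower())
                if key not in seen:
                    seen.add(key)
                    findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:28} {f.line}")
```

A flag from this script is a prompt to examine the entry, not a verdict; the helper's reading of the full log is what decides whether anything is actually wrong.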

#4 teacup61 (Malware Response Team)

Posted 23 August 2011 - 11:54 AM

Hello,

I'm so sorry for my delay. :(

How is it running today? I don't see anything in the last log you sent, so that's good. :thumbup2:

tea

#5 nucksfan (Topic Starter)

Posted 23 August 2011 - 01:44 PM

Hi tea,

No worries!

It's been running fine since I deleted the trojans as mentioned on my first post.

I just wanted to be sure that I have deleted everything and my PC is completely clean, so you're saying from looking at my last logs that's the case?

Thanks for your help.

#6 teacup61 (Malware Response Team)

Posted 23 August 2011 - 06:11 PM

Hello,

You're welcome. :)

Good to know, and I think you're all right. :thumbup2:

Uninstall ComboFix by doing the following:

Click Start>Run>Type in, or copy and paste ComboFix /Uninstall > click OK

AVG is out of date. The latest build is 10 I believe, and you're running 8. Also your Java is out of date.

If you have any other questions or concerns, please feel free to ask. Otherwise you're done here. :)

Take care,
tea

#7 nucksfan (Topic Starter)

Posted 23 August 2011 - 07:34 PM

Great :)

I will update AVG and Java.

Thanks for your help, really appreciate it!

#8 teacup61 (Malware Response Team)

Posted 23 August 2011 - 07:57 PM

Any time. :thumbup2:

Take care!
