Rootkit removed by Combofix, now DNS problem


  • This topic is locked
2 replies to this topic

#1 mistergrinch

  • Members
  • 2 posts

Posted 19 September 2011 - 02:01 PM

I removed some kind of Rootkit with Combofix (which I ran twice), but now DNS isn't working in any applications. I got DNS to work in nslookup after repairing the connection, but if I ping or use a browser nothing resolves. Does anyone have any idea how to fix this? Below is my Combofix log. Thanks.

ComboFix 11-09-19.01 - Sean T 09/19/2011 9:35.11.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1499 [GMT -7:00]
Running from: c:\documents and settings\Sean T\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2011-08-19 to 2011-09-19 )))))))))))))))))))))))))))))))
.
.
2011-09-19 16:07 . 2008-08-21 12:00 138112 ----a-w- c:\windows\system32\drivers\afd.sys
2011-09-19 00:23 . 2011-08-12 02:44 7152464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C98ED94E-DF6D-4BB1-A534-B79A597E4A9A}\mpengine.dll
2011-09-17 02:06 . 2011-09-17 02:06 -------- d-----w- c:\documents and settings\Sean T\Local Settings\Application Data\HighAndes
2011-09-17 02:06 . 2011-09-17 02:06 -------- d-----w- c:\documents and settings\Sean T\Application Data\HighAndes
2011-09-17 02:06 . 2011-09-17 02:06 -------- d-----w- c:\documents and settings\All Users\Application Data\HighAndes
2011-09-17 02:03 . 2009-06-07 20:20 61440 ----a-w- c:\windows\system32\NlsSrv32.exe
2011-09-17 02:01 . 2011-09-17 02:01 -------- d-----w- c:\documents and settings\Sean T\Application Data\Blue Cat Audio
2011-09-17 02:01 . 2011-09-17 02:01 -------- d-----w- c:\program files\HighAndes
2011-09-17 01:46 . 2011-09-17 01:46 -------- d-----w- c:\program files\Conduit
2011-09-17 01:46 . 2011-09-19 16:27 -------- d-----w- c:\documents and settings\Sean T\Local Settings\Application Data\PhotoJoy_US
2011-09-17 01:46 . 2011-09-17 01:46 -------- d-----w- c:\documents and settings\Sean T\Local Settings\Application Data\Conduit
2011-09-17 01:46 . 2011-09-17 01:46 -------- d-----w- c:\program files\PhotoJoy_US
2011-08-25 21:03 . 2011-09-14 17:41 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2011-08-25 21:02 . 2011-08-25 21:02 -------- d-----w- c:\documents and settings\Sean T\Application Data\NCH Software
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-12 02:44 . 2011-01-29 10:23 7152464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-07-19 03:47 . 2011-07-19 03:47 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-13 03:39 . 2011-08-18 03:38 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2011-08-17_21.17.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 07:02 . 2009-07-12 07:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
+ 2009-07-12 07:05 . 2009-07-12 07:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
+ 2009-07-12 07:05 . 2009-07-12 07:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
+ 2011-09-19 16:31 . 2011-09-19 16:31 16384 c:\windows\temp\Perflib_Perfdata_28c.dat
+ 2011-09-17 02:02 . 2011-09-17 02:02 7886 c:\windows\Installer\{CAB81583-0310-43E1-8E33-0864985EDD67}\_6FEFF9B68218417F98F549.exe
+ 2011-09-17 02:02 . 2011-09-17 02:02 7886 c:\windows\Installer\{CAB81583-0310-43E1-8E33-0864985EDD67}\_21F3885A18D238E15AAE81.exe
+ 2009-06-19 16:10 . 2011-08-20 17:40 214472 c:\windows\system32\FNTCACHE.DAT
+ 2010-01-07 16:21 . 2010-01-07 16:21 594048 c:\windows\system32\drivers\RTL8192su.sys
- 2010-01-07 00:21 . 2010-01-07 00:21 594048 c:\windows\system32\drivers\RTL8192su.sys
+ 2010-10-25 05:25 . 2011-04-18 20:18 165648 c:\windows\system32\drivers\MpFilter.sys
+ 2011-08-18 17:52 . 2011-08-18 17:52 883712 c:\windows\Installer\9d059.msi
+ 2011-09-17 02:01 . 2011-09-17 02:01 219648 c:\windows\Installer\21a22c8.msi
+ 2011-08-18 03:39 . 2011-08-18 03:39 785920 c:\windows\Installer\11a6f8.msi
+ 2011-08-18 03:38 . 2011-08-18 03:38 483840 c:\windows\Installer\11a6d9.msi
+ 2011-08-18 03:38 . 2011-08-18 03:38 301056 c:\windows\Installer\11a6d1.msi
+ 2011-09-17 02:02 . 2011-09-17 02:02 355574 c:\windows\Installer\{CAB81583-0310-43E1-8E33-0864985EDD67}\_D707CE1C009F1381803C2C.exe
+ 2011-09-17 02:02 . 2011-09-17 02:02 355574 c:\windows\Installer\{CAB81583-0310-43E1-8E33-0864985EDD67}\_4030872FF57CBB7F004FA6.exe
+ 2011-09-17 02:02 . 2011-09-17 02:02 355574 c:\windows\Installer\{CAB81583-0310-43E1-8E33-0864985EDD67}\_27BA116C85EAB83CD5A215.exe
+ 2009-07-12 07:02 . 2009-07-12 07:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
+ 2011-09-17 02:02 . 2011-09-17 02:02 1441280 c:\windows\Installer\21a22cc.msi
+ 2011-08-18 17:51 . 2011-08-18 17:51 3821568 c:\windows\{4626E3EA-85B3-464E-B296-F3F5488D8B08}\Belkin F7D1101 Basic Wireless USB Adapter.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{f2c43291-151e-499c-98a7-923c120b88fa}"= "c:\program files\PhotoJoy_US\prxtbPhot.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{f2c43291-151e-499c-98a7-923c120b88fa}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f2c43291-151e-499c-98a7-923c120b88fa}]
2011-05-09 09:49 176936 ----a-w- c:\program files\PhotoJoy_US\prxtbPhot.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{f2c43291-151e-499c-98a7-923c120b88fa}"= "c:\program files\PhotoJoy_US\prxtbPhot.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{f2c43291-151e-499c-98a7-923c120b88fa}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{F2C43291-151E-499C-98A7-923C120B88FA}"= "c:\program files\PhotoJoy_US\prxtbPhot.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{f2c43291-151e-499c-98a7-923c120b88fa}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-11-21 3289088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-24 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2011-03-02 190808]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^Sean T^Start Menu^Programs^Startup^Password Safe.lnk]
path=c:\documents and settings\Sean T\Start Menu\Programs\Startup\Password Safe.lnk
backup=c:\windows\pss\Password Safe.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-06-08 04:02 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HitmanPro35]
2010-06-16 04:20 5937984 ----a-w- c:\program files\Hitman Pro 3.5\HitmanPro35.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-30 00:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-06-19 23:45 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verbose]
2011-05-12 19:02 364548 ----a-w- c:\program files\NCH Swift Sound\Verbose\verbose.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vmware-tray]
2010-09-21 10:09 129584 ----a-w- c:\program files\VMware\VMware Workstation\vmware-tray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"SSScsiSV"=3 (0x3)
"SPTISRV"=3 (0x3)
"SonicStage Back-End Service"=3 (0x3)
"pgsql-8.3"=3 (0x3)
"PACSPTISVR"=3 (0x3)
"ose"=3 (0x3)
"MSCSPTISRV"=3 (0x3)
"Lavasoft Ad-Aware Service"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"avg9wd"=2 (0x2)
"avg9emc"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\IDM Computer Solutions\\UltraEdit\\Uedit32.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\VMware\\VMware Workstation\\vmware-authd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\WinSCP\\WinSCP.exe"=
"c:\\Program Files\\ComicRack\\ComicRack.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23639:TCP"= 23639:TCP:BitComet 23639 TCP
"23639:UDP"= 23639:UDP:BitComet 23639 UDP
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [4/26/2010 3:09 PM 123856]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [4/26/2010 3:08 PM 41680]
R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\NlsSrv32.exe [9/16/2011 7:03 PM 61440]
R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [3/31/2011 10:11 PM 428640]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [9/21/2010 3:10 AM 70704]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [9/21/2010 1:42 AM 539184]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [1/14/2008 3:06 AM 21632]
R3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\drivers\RTL8192su.sys [1/7/2010 9:21 AM 594048]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 spocrxnk;spocrxnk;\??\c:\windows\system32\drivers\spocrxnk.sys --> c:\windows\system32\drivers\spocrxnk.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 CompFilter;UVCCompositeFilter;c:\windows\system32\drivers\lvbusflt.sys [3/31/2011 10:07 PM 20448]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [3/25/2010 8:06 PM 99728]
S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [3/25/2010 8:06 PM 110608]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [6/19/2009 4:05 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
2011-09-11 c:\windows\Tasks\classicftpDowngrade.job
- c:\program files\NCH Software\ClassicFTP\classicftp.exe [2011-08-25 21:02]
.
2011-09-17 c:\windows\Tasks\classicftpShakeIcon.job
- c:\program files\NCH Software\ClassicFTP\classicftp.exe [2011-08-25 21:02]
.
2011-09-17 c:\windows\Tasks\doxillionShakeIcon.job
- c:\program files\NCH Software\Doxillion\doxillion.exe [2011-09-14 17:41]
.
2011-05-15 c:\windows\Tasks\verboseShakeIcon.job
- c:\program files\NCH Swift Sound\Verbose\verbose.exe [2011-05-12 19:02]
.
2011-05-15 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2011-05-12 19:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3074349
uInternet Settings,ProxyServer = http=127.0.0.1:61414
uInternet Settings,ProxyOverride = <local>
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll
TCP: DhcpNameServer = 75.106.192.61
FF - ProfilePath - c:\documents and settings\Sean T\Application Data\Mozilla\Firefox\Profiles\98py2z64.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3074349&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://google.com/ig
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3074349&SearchSource=2&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 55495
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: JavaScript Debugger: {f13b157f-b174-47e7-a34d-4815ddfdfeb8} - %profile%\extensions\{f13b157f-b174-47e7-a34d-4815ddfdfeb8}
FF - Ext: Easy YouTube Video Downloader: {c0c9a2c7-2e5c-4447-bc53-97718bc91e1b} - %profile%\extensions\{c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-19 09:42
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3004)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-09-19 09:44:25
ComboFix-quarantined-files.txt 2011-09-19 16:44
ComboFix2.txt 2011-09-19 16:26
ComboFix3.txt 2011-08-26 01:52
ComboFix4.txt 2011-08-17 21:20
ComboFix5.txt 2011-09-19 16:34
.
Pre-Run: 193,950,547,968 bytes free
Post-Run: 193,945,632,768 bytes free
.
- - End Of File - - C47A75C4D7F26A2E42216DD6720937F3
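The log above is read by hand in this forum; as an added example (not part of the original post and not a ComboFix feature), the Python below pulls the three indicators this thread turns on out of a ComboFix log as text: proxy settings that point at the local machine (the `uInternet Settings,ProxyServer = http=127.0.0.1:61414` line and the Firefox `network.proxy.http` pref), services whose image file ComboFix tags `[?]` because it is no longer on disk (`Lbd` and `spocrxnk` in this log), and files under the Windows directory whose creation timestamp is the ComboFix run date while their modified timestamp is years older, which is the shape of the `afd.sys` line (created 2011-09-19 16:07, modified 2008-08-21). The embedded sample is a constructed excerpt in the shape of the posted log, not the full log; the column layout is inferred from it, and the 365-day threshold and the `c:\windows\` path filter are the script's own assumptions.

```python
"""Pull the indicators discussed in this thread out of a ComboFix log.

Added example, not part of the original post and not a ComboFix feature.
Column layout is inferred from the posted log; the 365-day threshold and
the c:\\windows\\ path filter are this script's own assumptions.
"""
import re
from datetime import datetime

# Constructed excerpt in the shape of the posted log (not the full log).
SAMPLE_LOG = """\
ComboFix 11-09-19.01 - Sean T 09/19/2011 9:35.11.2 - x86
.
((((((((((((((((((((((((( Files Created from 2011-08-19 to 2011-09-19 )))))))))))))))))))))))))))))))
.
2011-09-19 16:07 . 2008-08-21 12:00 138112 ----a-w- c:\\windows\\system32\\drivers\\afd.sys
2011-09-17 02:03 . 2009-06-07 20:20 61440 ----a-w- c:\\windows\\system32\\NlsSrv32.exe
2011-09-17 01:46 . 2011-09-17 01:46 -------- d-----w- c:\\program files\\Conduit
.
R1 VBoxDrv;VirtualBox Service;c:\\windows\\system32\\drivers\\VBoxDrv.sys [4/26/2010 3:09 PM 123856]
S0 Lbd;Lbd;c:\\windows\\system32\\DRIVERS\\Lbd.sys --> c:\\windows\\system32\\DRIVERS\\Lbd.sys [?]
S1 spocrxnk;spocrxnk;\\??\\c:\\windows\\system32\\drivers\\spocrxnk.sys --> c:\\windows\\system32\\drivers\\spocrxnk.sys [?]
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3074349
uInternet Settings,ProxyServer = http=127.0.0.1:61414
uInternet Settings,ProxyOverride = <local>
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 55495
FF - prefs.js: network.proxy.type - 0
"""

HEADER_RE = re.compile(r"^ComboFix \S+ - .* (\d{2}/\d{2}/\d{4}) ", re.M)
# created-date created-time . modified-date modified-time size attrs path
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} \. (\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\s+\S+\s+\S+\s+(.+)$", re.M)
# start type, service name, display name, image path ... [?] = image not found on disk
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);[^;]*;.*\[\?\]\s*$", re.M)
IE_PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (.+)$", re.M)
FF_PROXY_RE = re.compile(r"^FF - prefs\.js: (network\.proxy\.\w+) - (.+)$", re.M)


def run_date(log):
    """Date of the ComboFix run, taken from the first header line (mm/dd/yyyy)."""
    m = HEADER_RE.search(log)
    return datetime.strptime(m.group(1), "%m/%d/%Y").date() if m else None


def replaced_system_files(log, min_age_days=365):
    """Paths under c:\\windows\\ created on the run date whose modified timestamp
    is at least min_age_days older. A file copied into place keeps its original
    modified time but gets a fresh creation time, so this pattern marks files
    that were replaced during the run rather than edited in place."""
    day = run_date(log)
    hits = []
    for created, modified, path in CREATED_RE.findall(log):
        c = datetime.strptime(created, "%Y-%m-%d").date()
        m = datetime.strptime(modified, "%Y-%m-%d").date()
        if c == day and (c - m).days >= min_age_days \
                and path.lower().startswith("c:\\windows\\"):
            hits.append(path)
    return hits


def missing_service_binaries(log):
    """(start type, service name) for entries ComboFix tags '[?]': the registered
    image file was not found on disk, which is how a driver entry survives in
    the registry after its .sys has been deleted."""
    return SERVICE_RE.findall(log)


def proxy_settings(log):
    """IE and Firefox proxy values from the Supplementary Scan section."""
    found = {}
    m = IE_PROXY_RE.search(log)
    if m:
        found["ie.ProxyServer"] = m.group(1).strip()
    for pref, value in FF_PROXY_RE.findall(log):
        found["ff." + pref] = value.strip()
    return found


def loopback_proxies(settings):
    """Keys whose proxy host is the local machine. Once the process that
    listened there is gone, a browser still configured to use it fails on
    every request even when name resolution itself works."""
    hits = []
    for key, value in settings.items():
        host = value.split("=")[-1].split(":")[0]
        if host == "localhost" or host.startswith("127."):
            hits.append(key)
    return hits


def triage(log):
    settings = proxy_settings(log)
    return {
        "run_date": run_date(log),
        "replaced_system_files": replaced_system_files(log),
        "missing_service_binaries": missing_service_binaries(log),
        "proxy_settings": settings,
        "loopback_proxies": loopback_proxies(settings),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a saved ComboFix.txt by reading the file into `triage()` instead of `SAMPLE_LOG`. On the posted log it reports `afd.sys` as the one Windows file with a run-date creation time, `Lbd` and `spocrxnk` as services with no image on disk, and both the IE and Firefox proxy hosts as loopback; none of that is a verdict on its own, but it is the list a helper would ask about first.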


#2 nasdaq

  • Malware Response Team
  • 39,523 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 24 September 2011 - 10:16 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Remove the proxy settings.

In Internet Explorer go to Tools - Internet Options - Connections Tab - Lan Settings and remove the reference to 127.0.0.1:61414 if found, then uncheck "Use a proxy server" and check "Automatically detect settings".
===

If you use Firefox, in Tools Menu > Options... > Advanced Tab > Network Tab > Connection > Settings, select the "Auto-detect proxy settings for this network" option.
===

Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.

Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop.

Please just paste the contents of the DDS.txt log in your next post.
===

Third-party programs, if not up to date, can be the cause of infiltration of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please post the logs and let me know what problem persists.
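The two proxy steps above are dialog clicks; as an added example (not nasdaq's or BleepingComputer's own tooling), the Python below produces the same end state on disk for a machine that cannot be walked through the dialogs: a `.reg` file that clears the Internet Explorer proxy values under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings` (`ProxyEnable` to 0, `ProxyServer` and `ProxyOverride` deleted), and a rewrite of a Firefox `prefs.js` that drops every manual `network.proxy.*` entry and pins `network.proxy.type` to 4, which is the auto-detect mode the Firefox step selects. The sample prefs.js content is constructed from the values ComboFix reported in the log; the output filename is the script's own. Firefox must be closed while prefs.js is edited, since it rewrites the file on exit, and the .reg file does not touch the "Automatically detect settings" checkbox, which is stored in a binary value and is best set in the Lan Settings dialog as described.

```python
"""Produce the on-disk equivalent of the two proxy-removal steps above.

Added example, not part of the original post. Assumptions: the IE proxy
lives in the per-user Internet Settings key (it does on XP), Firefox value
4 for network.proxy.type means auto-detect (WPAD), and Firefox is closed
while prefs.js is rewritten.
"""
import re

IE_SETTINGS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
PROXY_PREF_RE = re.compile(r'^user_pref\("(network\.proxy\.[\w.]+)",\s*(.+)\);\s*$')

# Constructed prefs.js excerpt using the values ComboFix reported in the log.
SAMPLE_PREFS_JS = """\
user_pref("browser.startup.homepage", "http://google.com/ig");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 55495);
user_pref("network.proxy.type", 0);
user_pref("keyword.URL", "http://search.conduit.com/ResultsExt.aspx?ctid=CT3074349&SearchSource=2&q=");
"""


def ie_proxy_reset_reg():
    """A .reg file that unchecks 'Use a proxy server' (ProxyEnable=0) and
    deletes the server and bypass values. In .reg syntax, "Name"=- removes
    a value rather than setting it to an empty string."""
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        f"[{IE_SETTINGS_KEY}]",
        '"ProxyEnable"=dword:00000000',
        '"ProxyServer"=-',
        '"ProxyOverride"=-',
        "",
    ]
    return "\r\n".join(lines)  # regedit expects CRLF line endings


def reset_firefox_proxy(prefs_js, proxy_type=4):
    """Return (removed, new_prefs_js). Every network.proxy.* pref is dropped,
    whatever host, port or bypass list it carried, and one network.proxy.type
    line with the requested mode is appended; other prefs pass through."""
    removed = []
    kept = []
    for line in prefs_js.splitlines():
        m = PROXY_PREF_RE.match(line)
        if m:
            removed.append((m.group(1), m.group(2)))
            continue
        kept.append(line)
    kept.append(f'user_pref("network.proxy.type", {proxy_type});')
    return removed, "\n".join(kept) + "\n"


if __name__ == "__main__":
    removed, cleaned = reset_firefox_proxy(SAMPLE_PREFS_JS)
    for name, value in removed:
        print(f"removed {name} = {value}")
    # utf-16 writes the BOM that regedit's own exports carry
    with open("ie_proxy_reset.reg", "w", encoding="utf-16", newline="") as fh:
        fh.write(ie_proxy_reset_reg())
    print(cleaned, end="")
```

Double-click the generated `ie_proxy_reset.reg` to import it, then open Lan Settings to tick "Automatically detect settings". For Firefox, point `reset_firefox_proxy` at the real `prefs.js` in the profile directory the log names (`Profiles\98py2z64.default`) with the browser closed, and keep the `removed` list for the next post so the helper can see what was configured.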

#3 nasdaq

  • Malware Response Team
  • 39,523 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 29 September 2011 - 07:29 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.



