
ReDirects at google, web pages don't load


  • This topic is locked
38 replies to this topic

#1 KiKiDiKi

  • Members
  • 26 posts
  • Gender:Female
  • Location:the non coastal section of the USA

Posted 11 December 2011 - 06:44 AM

Hi there, I am running an HP Compaq, with an AMD Sempron Processor, 3200+ 1.79GHz with 1.93 GB of RAM. I have Windows XP Home Edition Version 2002 Service Pack 3, with all windows updates up-to-date. The problems I am having with my computer are:

1) Odd spikes in CPU usage when my browser is open

2) I can't open some simple web pages that I go to on a regular basis, but new web pages load right away. I've tried disabling NoScript and AdBlock add-ons in Firefox with no change, so I cleared history, cache etc. manually as well as running that portion of System Suite, helps for about 5 minutes, then right back to the problem. ***EDIT*** After still using my computer to get online this whole time, because it's the ONLY PC that goes online in my household, I have noticed that on some websites, if I turn NoScript off it actually ends up making things worse, the page actually NEVER loading and NEVER saying 'try again' just sitting there trying to load with nothing happening, but if I turn it back on sometimes it helps to make the page load, or at least tell me 'try again'. I don't know if that is at all pertinent. ***EDIT***

3) My internet connection looks like it's in idle mode 90% of the time, even while attempting to load a common web page, although if I decide to open a web page that I don't normally go to, it snaps right back to life to load the page almost faster than it should.

4) Firefox has been blocking redirects when at Google and Facebook, never allowing them, until the mouse slipped the other day; they stopped redirecting for a few hours, and now it's a crap shoot whether or not there will be an attempt at redirecting the page, but it's never successful, because Firefox doesn't allow it.

5) Computer has been acting all around sluggish when trying to open things like Process Explorer, or System Suite, or even just the settings to System Suite and its Firewall. While every now and then, maybe once out of 5 startups, MXTask (System Suite's background task) will error out right from the startup of the computer and I get a message that says: "MXTask has encountered a problem and needs to quit. Would you like to send an error report to Microsoft?" to which I click either yes or no, and either way the reporting errors out too.

6) A strange folder called YTDSETUP, with the file trafficspace.exe showed up in my Program files, I didn't see either in Add/Remove Programs so I deleted the folder.

7) My brand new install of System Suite Professional 12 errored out after finding Trojan.clicker.html.remotescript, and the file disappeared. After running the scan again, this time finishing, SS found and quarantined a trojan simply called 'A0008315' inside D:\System Volume Information\_restore{157219FE-5843-4129-BB48-54E732573546}\RP19\A0008315.exe. The D drive is my secondary hard drive where I keep my important files instead of on C in My Documents, but it did not find the same file as the first scan.

8) Just to see what SS couldn't get before it quit working, I broke out MalwareBytes, updated, and ran a quick scan to see what's up, where it found this file:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

I did a full scan next and found these infected files:
c:\system volume information\_restore{157219fe-5843-4129-bb48-54e732573546}\RP18\A0007991.exe (PUP.Zugo) -> Quarantined and deleted successfully.
c:\system volume information\_restore{157219fe-5843-4129-bb48-54e732573546}\RP18\A0007992.exe (PUP.Zugo) -> Quarantined and deleted successfully.
c:\system volume information\_restore{157219fe-5843-4129-bb48-54e732573546}\RP19\A0008219.exe (PUP.Zugo) -> Quarantined and deleted successfully.
c:\system volume information\_restore{157219fe-5843-4129-bb48-54e732573546}\RP19\A0008221.exe (PUP.Zugo) -> Quarantined and deleted successfully.

9) I also ran MiniToolBox, because I was having connection issues. It didn't help, because obviously I didn't know what I was doing with it, just simply doing what someone had told someone else to do with it, though I did save the log file. I ran TDSSKILLER with all four parameters selected, and found:
AegisP ( UnsignedFile.Multi.Generic ) - skipped by user
macnr ( UnsignedFile.Multi.Generic ) - skipped by user
Tcpip ( UnsignedFile.Multi.Generic ) - skipped by user

I didn't actually do anything about these results, just found out what I could and left it be, because I am not familiar with the program. The scans weren't done in safe mode and I plan on running them all again in whatever order is correct to make the actual changes.

I should mention, I am very careful about what I download, only taking recommendation from someone I know very well, and even then they have to show me exactly why it's worth my while to risk downloading and running an executable file that I have never personally heard of before. The only questionable file I have downloaded since the reinstall was a program called "SIW - System Information for Windows" which I was only looking into because with such an ancient computer, it's difficult to find all the drivers that I need to reinstall, and I completely forgot to back them up before taking the plunge. So a site that had never steered me wrong in the past when it came to good quality freeware programs to keep your computer going, recommended it to scan your computer and find out what exactly everything was right down to make and model :) Well, they finally sent me in the wrong direction, because it wouldn't finish its install until I agreed to "Finish The Free YouTube Downloader.exe" I hit cancel and properly disposed of SIW, having never opened it, and never even starting the download or install of "Finish The Free YouTube Downloader.exe"

Pasted below is the dds.txt file the guide instructed to be pasted in the post and attached are attach.txt from DDS and GMER.log by GMER, hope they help, although I am slightly concerned something might get missed if we continue to not scan my second drive as I use that for all my personal files and would hate to lose them to an unknown corruption.

Thanks in advance,
Mary


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by KiKi at 3:49:46 on 2011-12-11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1982.1131 [GMT -6:00]
.
AV: Avanquest SystemSuite *Enabled/Updated* {964FCE60-0B18-4D30-ADD6-EB178909041C}
FW: Avanquest Net Defense Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avanquest\SystemSuite\AVQWinMonEngine.exe
C:\PROGRA~1\AVANQU~1\SYSTEM~1\MXTask.exe
C:\PROGRA~1\AVANQU~1\SYSTEM~1\mxtask2.exe
C:\Program Files\Mozilla\firefox.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla\plugin-container.exe
C:\Program Files\Common Files\Antivirus\SBAMSvc.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: FlashGetBHO: {b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0} - c:\documents and settings\kiki\application data\flashgetbho\FlashGetBHO3.dll
uPolicies-explorer: NoSMMyPictures = 01000000
uPolicies-explorer: NoStrCmpLogical = 01000000
IE: Download all by FlashGet3 - c:\documents and settings\kiki\application data\flashgetbho\GetAllUrl.htm
IE: Download by FlashGet3 - c:\documents and settings\kiki\application data\flashgetbho\GetUrl.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1323082525921
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1323082651671
TCP: DhcpNameServer = 74.60.80.5 75.95.21.12
TCP: Interfaces\{4E5E618C-089B-4B15-93F9-7781EA5D8A4A} : DhcpNameServer = 74.60.80.5 75.95.21.12
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\kiki\application data\mozilla\firefox\profiles\vc3vcfra.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?complete=0&hl=en
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
.
============= SERVICES / DRIVERS ===============
.
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2011-12-6 21464]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2010-5-13 98392]
R2 .AVQWindowsMonitorService;SystemSuite Process Monitor;c:\program files\avanquest\systemsuite\AVQWinMonEngine.exe [2011-10-13 293680]
R2 SBAMSvc;SystemSuite;c:\program files\common files\antivirus\SBAMSvc.exe [2010-10-11 2763080]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2011-12-6 69976]
R3 KFilter;KFilter;c:\progra~1\avanqu~1\system~1\KFilter.sys [2011-10-12 62120]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 22216]
R3 TFilter;TFilter;c:\progra~1\avanqu~1\system~1\TFilter.sys [2011-10-12 26960]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AQFileRestore;AQFileRestore;c:\windows\system32\drivers\AQFileRestore.sys [2011-10-12 15376]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2006-2-28 14336]
S4 AQFileRestoreSrv;AQFileRestoreSrv;c:\program files\avanquest\systemsuite\AQFileRestoreSrv.exe [2011-10-13 84760]
S4 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-10 366152]
.
=============== Created Last 30 ================
.
2011-12-10 14:19:01 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-10 14:02:59 -------- d-----w- c:\documents and settings\kiki\application data\Malwarebytes
2011-12-10 14:02:49 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-12-10 14:02:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-10 14:01:07 -------- d-----w- C:\TDSSKiller_Quarantine
2011-12-10 12:31:28 -------- d-sh--w- c:\documents and settings\kiki\IECompatCache
2011-12-07 01:09:10 -------- d-----w- c:\windows\system32\NtmsData
2011-12-06 23:30:09 -------- d-----w- c:\documents and settings\kiki\application data\WinBatch
2011-12-06 23:26:42 -------- d-----w- c:\program files\ATI Technologies
2011-12-06 23:25:56 516096 ------w- c:\windows\system32\ati2sgag.exe
2011-12-06 23:25:31 32768 ------w- c:\program files\common files\installshield\engine\6\intel 32\objectps.dll
2011-12-06 23:25:31 221184 ------w- c:\program files\common files\installshield\iscript\IScript.dll
2011-12-06 23:25:31 221184 ------w- c:\program files\common files\installshield\engine\6\intel 32\iuser.dll
2011-12-06 23:25:30 77824 ------w- c:\program files\common files\installshield\engine\6\intel 32\ctor.dll
2011-12-06 23:25:29 212992 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ILog.dll
2011-12-06 23:23:57 146048 -c--a-w- c:\windows\system32\dllcache\portcls.sys
2011-12-06 20:16:18 -------- d-----w- c:\documents and settings\kiki\local settings\application data\Temp
2011-12-06 19:34:58 -------- d-sh--r- C:\_Backup.RC
2011-12-06 19:33:03 69976 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2011-12-06 19:31:46 21464 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2011-12-06 19:31:18 -------- d--h--w- C:\_Backup
2011-12-06 19:29:47 -------- d-----w- c:\program files\common files\Antivirus
2011-12-06 15:06:21 -------- d-----w- c:\windows\ie8updates
2011-12-06 14:57:19 -------- d-----w- c:\windows\system32\winrm
2011-12-06 14:57:15 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2011-12-06 14:46:21 -------- d-----w- c:\documents and settings\kiki\local settings\application data\ApplicationHistory
2011-12-06 14:42:51 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
2011-12-06 14:42:45 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-12-06 14:42:44 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-12-06 14:42:43 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-12-06 14:42:43 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-12-06 14:42:43 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-12-06 14:42:42 2000384 -c----w- c:\windows\system32\dllcache\iertutil.dll
2011-12-06 14:03:47 -------- d-sh--w- c:\documents and settings\kiki\PrivacIE
2011-12-06 14:00:34 -------- d-sh--w- c:\documents and settings\kiki\IETldCache
2011-12-06 13:07:05 -------- d-----w- c:\documents and settings\kiki\application data\BITS
2011-12-06 13:07:02 -------- d-----w- c:\documents and settings\kiki\application data\FlashGet
2011-12-06 13:06:53 -------- d-----w- c:\documents and settings\kiki\application data\FlashGetBHO
2011-12-06 13:06:46 -------- d-----w- c:\program files\FlashGet Network
2011-12-06 12:56:22 -------- d-----w- c:\program files\FlashGet
2011-12-06 12:24:40 -------- dc-h--w- c:\windows\ie8
2011-12-06 12:18:54 -------- d--h--w- c:\windows\PIF
2011-12-06 12:15:45 -------- d-----w- c:\windows\system32\XPSViewer
2011-12-06 12:15:10 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-12-06 12:15:10 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-12-06 12:15:10 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-12-06 12:15:10 117760 ------w- c:\windows\system32\prntvpt.dll
2011-12-06 12:15:09 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-12-06 12:15:09 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-12-06 12:15:09 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2011-12-06 12:15:09 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-12-06 12:15:08 -------- d-----w- C:\a7cb62255ed9242e1aac4f1bdd46b8ef
2011-12-06 12:09:48 -------- d-----w- c:\documents and settings\kiki\local settings\application data\Identities
2011-12-06 12:09:09 -------- d-----w- c:\windows\system32\GroupPolicy
2011-12-06 12:09:09 -------- d-----w- c:\program files\Windows Desktop Search
2011-12-06 12:08:45 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2011-12-06 12:08:45 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2011-12-06 12:08:45 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2011-12-06 12:07:33 -------- d-----w- c:\program files\Windows Media Connect 2
2011-12-06 12:06:16 -------- d-----w- c:\windows\system32\LogFiles
2011-12-06 12:05:39 -------- d-----w- c:\program files\CONEXANT
2011-12-06 12:04:56 -------- d-----w- c:\windows\system32\URTTEMP
2011-12-06 11:44:48 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2011-12-06 11:44:33 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-12-06 11:43:12 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-12-06 11:36:34 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-12-06 11:31:09 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2011-12-06 11:30:52 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2011-12-06 11:30:36 590848 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
2011-12-06 11:30:15 978944 -c----w- c:\windows\system32\dllcache\mfc42.dll
2011-12-06 11:30:15 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2011-12-06 11:27:42 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2011-12-06 11:23:01 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2011-12-06 11:22:12 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2011-12-06 11:18:36 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2011-12-06 11:18:36 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2011-12-06 11:18:17 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2011-12-06 11:16:44 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll
2011-12-06 11:15:03 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2011-12-06 11:00:18 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2011-12-06 11:00:18 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2011-12-06 11:00:18 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2011-12-06 11:00:18 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2011-12-06 11:00:18 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2011-12-06 11:00:18 110592 -c----w- c:\windows\system32\dllcache\services.exe
2011-12-06 11:00:17 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2011-12-06 11:00:17 718336 -c----w- c:\windows\system32\dllcache\ntdll.dll
2011-12-06 11:00:17 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2011-12-06 11:00:16 2192768 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2011-12-06 11:00:16 2148864 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2011-12-06 11:00:15 2027008 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2011-12-06 10:59:47 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-12-06 10:59:47 218112 -c----w- c:\windows\system32\dllcache\wordpad.exe
2011-12-06 10:59:20 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2011-12-06 10:59:13 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2011-12-06 10:57:55 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2011-12-06 10:57:50 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2011-12-05 11:18:39 -------- d-----w- c:\windows\ServicePackFiles
2011-12-05 11:18:30 294912 ------w- c:\program files\windows media player\dlimport.exe
2011-12-05 11:18:27 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe
2011-12-05 11:16:59 685056 ------w- c:\windows\system32\drivers\hsfcxts2.sys
2011-12-05 11:15:55 19569 ----a-w- c:\windows\002771_.tmp
2011-12-05 11:15:52 -------- d-----w- c:\windows\system32\ReinstallBackups
2011-12-05 11:12:42 -------- d-----w- c:\windows\EHome
2011-12-05 11:06:41 -------- d-----w- c:\windows\system32\PreInstall
2011-12-05 10:59:27 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-12-05 10:59:27 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2011-12-05 10:56:47 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
2011-12-05 10:56:46 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
2011-12-05 10:56:46 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2011-12-05 10:56:46 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2011-12-05 10:56:46 -------- d-----w- c:\windows\system32\SoftwareDistribution
2011-12-05 10:54:27 -------- d-sh--w- c:\documents and settings\kiki\UserData
2011-12-05 10:20:26 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-05 10:10:14 -------- d-----w- c:\documents and settings\kiki\local settings\application data\Avanquest_Software
2011-12-05 09:55:00 -------- d-----w- c:\documents and settings\kiki\application data\Avanquest
2011-12-05 09:54:43 -------- d-----w- c:\documents and settings\all users\application data\Avanquest
2011-12-05 09:54:21 -------- d-----w- c:\program files\Avanquest
2011-12-05 09:25:03 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2011-12-05 09:20:52 -------- d-----w- c:\documents and settings\kiki\local settings\application data\Adobe
2011-12-05 09:04:04 -------- d-----w- c:\documents and settings\kiki\local settings\application data\Mozilla
2011-12-05 09:03:59 -------- d-----w- c:\program files\Mozilla
.
==================== Find3M ====================
.
2011-12-05 08:52:29 20747 ----a-w- c:\windows\system32\drivers\AegisP.sys
2011-10-12 23:13:03 15376 ----a-w- c:\windows\system32\drivers\AQFileRestore.sys
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 17:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 17:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 17:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
============= FINISH: 3:50:28.92 ===============

Attached Files


Edited by KiKiDiKi, 11 December 2011 - 09:46 PM.

http://thereconcilecenter.proboards.com/index.cgi

Meow :) Go There it's cool. ^^^^^^^^^^^^^^^^^^^

#2 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 12,600 posts
  • Gender:Male

Posted 17 December 2011 - 06:45 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/431840 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,926 posts
  • Gender:Female
  • Location:Romania

Posted 18 December 2011 - 12:11 PM

Hello, if you still need help, please post the requested logs.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#4 KiKiDiKi

  • Topic Starter
  • Members
  • 26 posts
  • Gender:Female
  • Location:the non coastal section of the USA

Posted 27 December 2011 - 07:02 PM

I don't understand why I have to repost the same things I already posted. Is it because you took so dang long to reply?

#5 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,926 posts
  • Gender:Female
  • Location:Romania

Posted 28 December 2011 - 05:43 AM

As you waited more than a week to reply to my post as well, it's been more than two weeks in which things on your computer may have changed quite a bit. I need to see updated information in order to be able to provide you with adequate steps.

regards, Elise




#6 KiKiDiKi

  • Topic Starter
  • Members
  • 26 posts
  • Gender:Female
  • Location:the non coastal section of the USA

Posted 05 January 2012 - 09:33 AM

As you waited more than a week to reply to my post as well, it's been more than two weeks in which things on your computer may have changed quite a bit. I need to see updated information in order to be able to provide you with adequate steps.


Considering the holidays kept me busy, as I assume they did for everyone else, I can see your point and will again run the scans and post the logs. I appreciate you still helping me out after so long :)

Edited by KiKiDiKi, 05 January 2012 - 09:42 AM.


#7 KiKiDiKi

  • Topic Starter
  • Members
  • 26 posts
  • Gender:Female
  • Location:the non coastal section of the USA

Posted 05 January 2012 - 10:39 AM

So here are the new scans.

dds -

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by KiKi at 8:37:38 on 2012-01-05
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1982.1146 [GMT -6:00]
.
AV: Avanquest SystemSuite *Enabled/Updated* {964FCE60-0B18-4D30-ADD6-EB178909041C}
FW: Avanquest Net Defense Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
svchost.exe
C:\Program Files\Avanquest\SystemSuite\AVQWinMonEngine.exe
C:\Program Files\Common Files\Antivirus\SBAMSvc.exe
C:\PROGRA~1\AVANQU~1\SYSTEM~1\MXTask.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla\firefox.exe
C:\Program Files\Mozilla\plugin-container.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\KiKi\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\Mozilla\plugin-container.exe
C:\Documents and Settings\KiKi\Desktop\procexp.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: FlashGetBHO: {b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0} - c:\documents and settings\kiki\application data\flashgetbho\FlashGetBHO3.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\kiki\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\kiki\application data\dropbox\bin\Dropbox.exe
uPolicies-explorer: NoSMMyPictures = 01000000
uPolicies-explorer: NoStrCmpLogical = 01000000
IE: Download all by FlashGet3 - c:\documents and settings\kiki\application data\flashgetbho\GetAllUrl.htm
IE: Download by FlashGet3 - c:\documents and settings\kiki\application data\flashgetbho\GetUrl.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1323082525921
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1323082651671
TCP: DhcpNameServer = 74.60.80.5 75.95.21.12
TCP: Interfaces\{4E5E618C-089B-4B15-93F9-7781EA5D8A4A} : DhcpNameServer = 74.60.80.5 75.95.21.12
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\kiki\application data\mozilla\firefox\profiles\vc3vcfra.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
.
============= SERVICES / DRIVERS ===============
.
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2011-12-6 21464]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2010-5-13 98392]
R2 .AVQWindowsMonitorService;SystemSuite Process Monitor;c:\program files\avanquest\systemsuite\AVQWinMonEngine.exe [2011-10-13 293680]
R2 SBAMSvc;SystemSuite;c:\program files\common files\antivirus\SBAMSvc.exe [2010-10-11 2763080]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2011-12-6 69976]
R3 KFilter;KFilter;c:\progra~1\avanqu~1\system~1\KFilter.sys [2011-10-12 62120]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 22216]
R3 TFilter;TFilter;c:\progra~1\avanqu~1\system~1\TFilter.sys [2011-10-12 26960]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-10 366152]
S3 AQFileRestore;AQFileRestore;c:\windows\system32\drivers\AQFileRestore.sys [2011-10-12 15376]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2006-2-28 14336]
S4 AQFileRestoreSrv;AQFileRestoreSrv;c:\program files\avanquest\systemsuite\AQFileRestoreSrv.exe [2011-10-13 84760]
.
=============== Created Last 30 ================
.
2012-01-05 03:35:04 -------- d-----w- c:\documents and settings\kiki\application data\Dropbox
2011-12-16 17:34:50 -------- d-----w- c:\documents and settings\all users\application data\AlawarWrapper
2011-12-16 17:30:55 -------- d-----w- c:\program files\500,000 Games
2011-12-16 17:28:38 -------- d-----w- c:\program files\Viva Media Game Center
2011-12-10 14:19:01 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-10 14:02:59 -------- d-----w- c:\documents and settings\kiki\application data\Malwarebytes
2011-12-10 14:02:49 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-12-10 14:02:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-10 14:01:07 -------- d-----w- C:\TDSSKiller_Quarantine
2011-12-10 12:31:28 -------- d-sh--w- c:\documents and settings\kiki\IECompatCache
2011-12-07 01:09:10 -------- d-----w- c:\windows\system32\NtmsData
2011-12-06 23:30:09 -------- d-----w- c:\documents and settings\kiki\application data\WinBatch
2011-12-06 23:26:42 -------- d-----w- c:\program files\ATI Technologies
2011-12-06 23:25:56 516096 ------w- c:\windows\system32\ati2sgag.exe
2011-12-06 23:25:31 32768 ------w- c:\program files\common files\installshield\engine\6\intel 32\objectps.dll
2011-12-06 23:25:31 221184 ------w- c:\program files\common files\installshield\iscript\IScript.dll
2011-12-06 23:25:31 221184 ------w- c:\program files\common files\installshield\engine\6\intel 32\iuser.dll
2011-12-06 23:25:30 77824 ------w- c:\program files\common files\installshield\engine\6\intel 32\ctor.dll
2011-12-06 23:25:29 212992 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ILog.dll
2011-12-06 23:23:57 146048 -c--a-w- c:\windows\system32\dllcache\portcls.sys
2011-12-06 20:16:18 -------- d-----w- c:\documents and settings\kiki\local settings\application data\Temp
2011-12-06 19:34:58 -------- d-sh--r- C:\_Backup.RC
2011-12-06 19:33:03 69976 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2011-12-06 19:31:46 21464 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2011-12-06 19:31:18 -------- d--h--w- C:\_Backup
2011-12-06 19:29:47 -------- d-----w- c:\program files\common files\Antivirus
2011-12-06 15:06:21 -------- d-----w- c:\windows\ie8updates
2011-12-06 14:57:19 -------- d-----w- c:\windows\system32\winrm
2011-12-06 14:57:15 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2011-12-06 14:46:21 -------- d-----w- c:\documents and settings\kiki\local settings\application data\ApplicationHistory
2011-12-06 14:42:51 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
2011-12-06 14:42:45 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-12-06 14:42:44 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-12-06 14:42:43 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-12-06 14:42:43 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-12-06 14:42:43 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-12-06 14:42:42 2000384 -c----w- c:\windows\system32\dllcache\iertutil.dll
.
==================== Find3M ====================
.
2011-12-11 15:36:48 44544 ----a-w- c:\windows\system32\alg.exe
2011-12-05 10:20:26 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-05 08:52:29 20747 ----a-w- c:\windows\system32\drivers\AegisP.sys
2011-10-12 23:13:03 15376 ----a-w- c:\windows\system32\drivers\AQFileRestore.sys
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
============= FINISH: 8:38:01.61 ===============

And attached is the second DDS log that it says to attach.
Attached File  attach3.zip   3.04KB   0 downloads


the GMER log -

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-05 09:29:39
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-1c ST3120026A rev.8.54
Running: wn899kt9.exe; Driver: C:\DOCUME~1\KiKi\LOCALS~1\Temp\uxlyapow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\sbaphd.sys (Sunbelt ActiveProtection hook driver/Sunbelt Software) ZwCreateKey [0xB9DD04D0]
SSDT \SystemRoot\system32\drivers\sbaphd.sys (Sunbelt ActiveProtection hook driver/Sunbelt Software) ZwSetValueKey [0xB9DD0520]

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\Drivers\PROCEXP141.SYS The system cannot find the file specified. !
? C:\DOCUME~1\KiKi\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla\plugin-container.exe[2548] USER32.dll!SetWindowLongA 7E42C29D 5 Bytes JMP 106ACCFA C:\Program Files\Mozilla\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla\plugin-container.exe[2548] USER32.dll!SetWindowLongW 7E42C2BB 5 Bytes JMP 106ACC8C C:\Program Files\Mozilla\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla\plugin-container.exe[2548] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 1045E78C C:\Program Files\Mozilla\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla\plugin-container.exe[2548] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 1045ED49 C:\Program Files\Mozilla\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla\firefox.exe[3772] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 01223690 C:\Program Files\Mozilla\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip TFilter.sys (TFilter Kernel Module/Avanquest Software)
AttachedDevice \Driver\Tcpip \Device\Tcp TFilter.sys (TFilter Kernel Module/Avanquest Software)
AttachedDevice \Driver\Tcpip \Device\Udp TFilter.sys (TFilter Kernel Module/Avanquest Software)
AttachedDevice \Driver\Tcpip \Device\RawIp TFilter.sys (TFilter Kernel Module/Avanquest Software)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
http://thereconcilecenter.proboards.com/index.cgi

Meow :) Go There it's cool. ^^^^^^^^^^^^^^^^^^^
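The GMER log above reports three kinds of hooks: SSDT hooks on ZwCreateKey and ZwSetValueKey owned by sbaphd.sys, inline (.text) patches in the Firefox processes owned by xul.dll, and TFilter.sys attached to the TCP/IP device stack. Each line names the module that owns the hook and, in parentheses, the description and company GMER read from that module's version information, which is what lets a reader tie a hook to a product instead of to malware. The script below is an added example, not GMER's own code or anything from the thread: it parses those three line formats, pulls the company name out of the parenthesised text, and flags hooks whose owning module has no vendor information or lives in a user-writable location such as a Temp directory. The sample input is the hook lines from this log plus one made-up line (example.exe and example_unattributed.dll, which are not in the log) included only so the flagging branch runs.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Hook:
    kind: str               # "ssdt", "inline" or "device"
    target: str             # what is hooked: a syscall, an export in a process, or a device
    module: str             # module that owns the hook
    vendor: Optional[str]   # company name GMER read from the module's version info
    verdict: str            # "attributed" or a reason to look closer


# GMER's three hook formats. The parenthesised vendor on .text lines is optional
# because GMER omits it when the module carries no version information.
SSDT_RE = re.compile(r"^SSDT (\S+) \((.*?)\) (\w+) \[0x[0-9A-Fa-f]+\]$")
INLINE_RE = re.compile(
    r"^\.text (.+?)\[(\d+)\] (\S+) [0-9A-Fa-f]+ \d+ Bytes JMP [0-9A-Fa-f]+ (.+?)(?: \((.*)\))?$")
DEVICE_RE = re.compile(r"^AttachedDevice (\S+) (\S+) (\S+) \((.*)\)$")

# Path fragments where a module that hooks other code should not normally live.
USER_WRITABLE = ("\\temp\\", "\\docume~1\\", "\\documents and settings\\")

# Constructed input: hook lines from the GMER log above, plus ONE made-up line
# (example.exe / example_unattributed.dll, NOT in the log) to exercise the flagging path.
GMER_SAMPLE = r"""
SSDT \SystemRoot\system32\drivers\sbaphd.sys (Sunbelt ActiveProtection hook driver/Sunbelt Software) ZwCreateKey [0xB9DD04D0]
SSDT \SystemRoot\system32\drivers\sbaphd.sys (Sunbelt ActiveProtection hook driver/Sunbelt Software) ZwSetValueKey [0xB9DD0520]
.text C:\Program Files\Mozilla\plugin-container.exe[2548] USER32.dll!SetWindowLongA 7E42C29D 5 Bytes JMP 106ACCFA C:\Program Files\Mozilla\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla\firefox.exe[3772] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 01223690 C:\Program Files\Mozilla\xul.dll (Mozilla Foundation)
.text C:\Program Files\Example\example.exe[1234] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00A01000 C:\DOCUME~1\KiKi\LOCALS~1\Temp\example_unattributed.dll
AttachedDevice \Driver\Tcpip \Device\Tcp TFilter.sys (TFilter Kernel Module/Avanquest Software)
"""


def company(desc: Optional[str]) -> Optional[str]:
    """GMER prints 'description/company' in parentheses; keep the company part."""
    if not desc:
        return None
    return desc.rsplit("/", 1)[-1].strip() or None


def verdict(module: str, vendor: Optional[str]) -> str:
    low = module.lower()
    if any(frag in low for frag in USER_WRITABLE):
        return "module in user-writable path"
    if vendor is None:
        return "no vendor in version info"
    return "attributed"


def parse_gmer(text: str) -> list:
    """Turn the System, User code sections and Devices lines of a GMER log into Hook records."""
    hooks = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := SSDT_RE.match(line):
            module, desc, syscall = m.groups()
            hooks.append(Hook("ssdt", syscall, module, company(desc), verdict(module, company(desc))))
        elif m := INLINE_RE.match(line):
            proc, pid, func, module, desc = m.groups()
            exe = proc.split("\\")[-1]
            hooks.append(Hook("inline", f"{exe}[{pid}] {func}", module, company(desc), verdict(module, company(desc))))
        elif m := DEVICE_RE.match(line):
            driver, device, module, desc = m.groups()
            hooks.append(Hook("device", f"{driver} {device}", module, company(desc), verdict(module, company(desc))))
    return hooks


def needs_review(hooks: list) -> list:
    """Hooks whose owner could not be tied to a vendor in a normal install location."""
    return [h for h in hooks if h.verdict != "attributed"]


if __name__ == "__main__":
    for h in parse_gmer(GMER_SAMPLE):
        print(f"{h.kind:7} {h.verdict:30} {h.module}  <- {h.target}")
```

Run against the real log, every hook resolves to Sunbelt Software, Mozilla Foundation or Avanquest Software, which matches the installed SystemSuite (Sunbelt engine), Firefox and SystemSuite network filter; only the made-up Temp-path line is reported. The vendor string comes from version resources and is not a signature check, so it is an attribution aid, not proof of integrity.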

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,926 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:10:52 AM

Posted 05 January 2012 - 11:12 AM

Hi again,

COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#9 KiKiDiKi

KiKiDiKi
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:the non coastal section of the USA
  • Local time:01:52 AM

Posted 05 January 2012 - 11:40 AM

Here's the ComboFix log. It deleted something; I don't exactly know what they were, hopefully not important. Either way, please let me know whether they were important or not. Thanks.

ComboFix 12-01-05.01 - KiKi 01/05/2012 10:30:41.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1982.1396 [GMT -6:00]
Running from: c:\documents and settings\KiKi\My Documents\ComboFix.exe
AV: Avanquest SystemSuite *Disabled/Updated* {964FCE60-0B18-4D30-ADD6-EB178909041C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\alcrmv.exe
c:\windows\system32\Thumbs.db
.
.
((((((((((((((((((((((((( Files Created from 2011-12-05 to 2012-01-05 )))))))))))))))))))))))))))))))
.
.
2012-01-05 03:35 . 2012-01-05 03:38 -------- d-----w- c:\documents and settings\KiKi\Application Data\Dropbox
2011-12-27 00:06 . 2008-04-14 11:42 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2011-12-16 17:34 . 2011-12-18 13:41 -------- d-----w- c:\documents and settings\All Users\Application Data\AlawarWrapper
2011-12-16 17:30 . 2011-12-16 17:30 -------- d-----w- c:\program files\500,000 Games
2011-12-16 17:28 . 2011-12-16 17:28 -------- d-----w- c:\program files\Viva Media Game Center
2011-12-10 20:58 . 2011-12-10 20:58 -------- d-----w- c:\documents and settings\Administrator
2011-12-10 14:19 . 2011-08-31 23:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-10 14:02 . 2011-12-10 14:02 -------- d-----w- c:\documents and settings\KiKi\Application Data\Malwarebytes
2011-12-10 14:02 . 2011-12-10 14:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-12-10 14:02 . 2011-12-12 01:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-10 14:01 . 2011-12-10 14:57 -------- d-----w- C:\TDSSKiller_Quarantine
2011-12-10 12:31 . 2011-12-10 12:31 -------- d-sh--w- c:\documents and settings\KiKi\IECompatCache
2011-12-07 07:05 . 2011-12-07 07:05 -------- d-----w- c:\program files\Recuva
2011-12-07 01:09 . 2011-12-10 19:46 -------- d-----w- c:\windows\system32\NtmsData
2011-12-07 00:21 . 2011-12-07 00:21 -------- d--h--w- c:\documents and settings\Default User
2011-12-06 23:30 . 2011-12-06 23:30 -------- d-----w- c:\documents and settings\KiKi\Application Data\WinBatch
2011-12-06 23:26 . 2011-12-06 23:26 -------- d-----w- c:\program files\ATI Technologies
2011-12-06 23:25 . 2005-08-14 03:05 516096 ------w- c:\windows\system32\ati2sgag.exe
2011-12-06 23:23 . 2008-04-14 06:49 146048 -c--a-w- c:\windows\system32\dllcache\portcls.sys
2011-12-06 20:16 . 2011-12-09 10:23 -------- d-----w- c:\documents and settings\KiKi\Local Settings\Application Data\Temp
2011-12-06 19:33 . 2010-06-14 20:54 69976 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2011-12-06 19:31 . 2010-06-14 20:54 21464 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2011-12-06 19:31 . 2012-01-05 16:26 -------- d-----w- C:\_Backup
2011-12-06 19:29 . 2011-12-06 19:31 -------- d-----w- c:\program files\Common Files\Antivirus
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-11 15:36 . 2006-02-28 12:00 44544 ----a-w- c:\windows\system32\alg.exe
2011-12-05 10:20 . 2011-12-05 10:20 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-05 08:52 . 2011-12-05 08:52 20747 ----a-w- c:\windows\system32\drivers\AegisP.sys
2011-10-12 23:13 . 2011-10-12 23:12 15376 ----a-w- c:\windows\system32\drivers\AQFileRestore.sys
2011-10-10 14:22 . 2011-12-05 08:33 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB2509553\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB2509553$\tcpip.sys
[7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2006-02-28 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\documents and settings\KiKi\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\documents and settings\KiKi\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\documents and settings\KiKi\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\documents and settings\KiKi\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
c:\documents and settings\KiKi\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\KiKi\Application Data\Dropbox\bin\Dropbox.exe [2011-12-5 24242056]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 01000000
"NoStrCmpLogical"= 01000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\FlashGet Network\\FlashGet 3\\FlashGet3.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\KiKi\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
.
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [12/6/2011 1:31 PM 21464]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/13/2010 7:56 AM 98392]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [12/6/2011 1:33 PM 69976]
R3 KFilter;KFilter;c:\progra~1\AVANQU~1\SYSTEM~1\KFilter.sys [10/12/2011 5:12 PM 62120]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/10/2011 8:19 AM 22216]
R3 TFilter;TFilter;c:\progra~1\AVANQU~1\SYSTEM~1\TFilter.sys [10/12/2011 5:12 PM 26960]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S2 .AVQWindowsMonitorService;SystemSuite Process Monitor;c:\program files\Avanquest\SystemSuite\AVQWinMonEngine.exe [10/13/2011 8:58 AM 293680]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/10/2011 8:19 AM 366152]
S2 SBAMSvc;SystemSuite;c:\program files\Common Files\Antivirus\SBAMSvc.exe [10/11/2010 11:08 AM 2763080]
S3 AQFileRestore;AQFileRestore;c:\windows\system32\drivers\AQFileRestore.sys [10/12/2011 5:12 PM 15376]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2/28/2006 6:00 AM 14336]
S4 AQFileRestoreSrv;AQFileRestoreSrv;c:\program files\Avanquest\SystemSuite\AQFileRestoreSrv.exe [10/13/2011 8:58 AM 84760]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - PROCEXP141
*Deregistered* - uxlyapow
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Download all by FlashGet3 - c:\documents and settings\KiKi\Application Data\FlashGetBHO\GetAllUrl.htm
IE: Download by FlashGet3 - c:\documents and settings\KiKi\Application Data\FlashGetBHO\GetUrl.htm
TCP: DhcpNameServer = 74.60.80.5 75.95.21.12
FF - ProfilePath - c:\documents and settings\KiKi\Application Data\Mozilla\Firefox\Profiles\vc3vcfra.default\
FF - prefs.js: browser.startup.homepage - www.google.com
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Best Game Hits 5 - c:\program files\500
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-05 10:33
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(660)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2012-01-05 10:35:03
ComboFix-quarantined-files.txt 2012-01-05 16:35
.
Pre-Run: 106,023,235,584 bytes free
Post-Run: 106,045,120,512 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 7FD60FEC60B9835473842A139C10B535
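Two parts of the ComboFix log above are worth reading closely. In the Sigcheck section, the in-use c:\windows\system32\drivers\tcpip.sys carries the `[-]` marker while every other copy carries `[7]`, and its MD5 (4AFB…) differs from the dllcache copy of the same file version 5.1.2600.5625 (9AEF…); the log itself warns that an unsigned or non-matching file is not necessarily malware, and the SP3QFE copy under $hf_mig$ shows that Microsoft ships hotfix builds whose hash differs from the dllcache build at the same version number. In the Reg Loading Points section, the standard-profile Windows Firewall has EnableFirewall set to 0 (the poster uses a third-party firewall, so that may be expected) and four programs are in the authorised-application list. The script below is an added example, not ComboFix's own code or anything from the thread: it reproduces the cross-check a responder does by hand, comparing each in-use system32 copy against the dllcache copy of the same name and version, and reads the firewall state and exception list. Its input is the relevant lines copied from this log; in practice you would pass the whole ComboFix.txt.

```python
import re
from collections import defaultdict

# Constructed input: the Sigcheck block and the firewall-policy keys copied from the
# ComboFix log above (nothing added). In practice pass the whole ComboFix.txt.
COMBOFIX_SAMPLE = r"""
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB2509553\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB2509553$\tcpip.sys
[7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2006-02-28 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\FlashGet Network\\FlashGet 3\\FlashGet3.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\KiKi\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"""

# One Sigcheck row: [marker] date . MD5 . size . . [file version] . . path
SIG_RE = re.compile(
    r"^\[(.)\] (\d{4}-\d{2}-\d{2}) \. ([0-9A-Fa-f]{32}) \. (\d+) \. \. \[([\d.]+)\] \. \. (.+)$")


def parse_sigcheck(text):
    """One dict per Sigcheck row: ComboFix marker, MD5, size, file version and path."""
    rows = []
    for line in text.splitlines():
        m = SIG_RE.match(line.strip())
        if m:
            mark, date, md5, size, version, path = m.groups()
            rows.append({"mark": mark, "date": date, "md5": md5.upper(),
                         "size": int(size), "version": version, "path": path.lower()})
    return rows


def live_vs_dllcache(rows):
    """Compare each in-use copy (system32 or system32\\drivers) with the dllcache copy of
    the same file name and version. Uninstall, ServicePackFiles and QFE copies are reference
    material only; a QFE build legitimately hashes differently from the dllcache (GDR) build."""
    groups = defaultdict(list)
    for r in rows:
        name = r["path"].rsplit("\\", 1)[-1]
        groups[(name, r["version"])].append(r)
    findings = []
    for (name, version), group in groups.items():
        cache = [r for r in group if "\\system32\\dllcache\\" in r["path"]]
        live = [r for r in group
                if r["path"].rpartition("\\")[0].endswith(("\\system32", "\\system32\\drivers"))]
        for r in live:
            if not cache:
                findings.append((r["path"], f"no dllcache copy of {name} {version} to compare against"))
            elif r["md5"] != cache[0]["md5"]:
                findings.append((r["path"], f"MD5 {r['md5']} differs from dllcache copy {cache[0]['md5']}"))
    return findings


def firewall_state(text):
    """(enabled, authorised applications) for the standard profile from the registry dump."""
    enabled, apps, section = None, [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):   # registry key header
            section = line.lower()
            continue
        if section is None:
            continue
        if section.endswith("firewallpolicy\\standardprofile]"):
            m = re.match(r'^"EnableFirewall"=\s*(\d+)', line)
            if m:
                enabled = m.group(1) != "0"
        elif section.endswith("authorizedapplications\\list]"):
            m = re.match(r'^"(.+)"=$', line)
            if m:
                apps.append(m.group(1).replace("\\\\", "\\"))   # ComboFix doubles backslashes
    return enabled, apps


if __name__ == "__main__":
    for path, why in live_vs_dllcache(parse_sigcheck(COMBOFIX_SAMPLE)):
        print(f"REVIEW {path}: {why}")
    enabled, apps = firewall_state(COMBOFIX_SAMPLE)
    print("Windows Firewall (standard profile):", "enabled" if enabled else "disabled")
    for app in apps:
        print("  exception:", app)
```

The single finding is the in-use tcpip.sys, which is exactly the file ComboFix marked `[-]`. What to do with that is a judgement call that the hashes alone do not settle: the next step a responder would take is to check the file's digital signature or compare it with a copy from a known-good installation at the same patch level.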

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,926 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:10:52 AM

Posted 05 January 2012 - 12:32 PM

Are you still getting redirects at this point?

The detected items were not active infections.

regards, Elise




#11 KiKiDiKi

KiKiDiKi
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:the non coastal section of the USA
  • Local time:01:52 AM

Posted 05 January 2012 - 12:36 PM

At this point it's only at Google. I guess there is a possibility that it could be a setting in Firefox, but otherwise all the problems are still there, except I can make it through a virus scan now. So the machine is clean then? Maybe the old girl is just getting old, unless you have any other ideas?

Thanks again for your help :)

#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,926 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:10:52 AM

Posted 05 January 2012 - 01:29 PM

Can you please verify if Internet Explorer has the same problem?

regards, Elise




#13 KiKiDiKi

KiKiDiKi
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:the non coastal section of the USA
  • Local time:01:52 AM

Posted 05 January 2012 - 01:36 PM

I'm actually a little afraid to even open it, lol. I never use it, but I will do so. Also, I seem to be getting port scans now, according to my firewall, and when I backtrace them it says it's my IP address, but it's inbound...

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,926 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:10:52 AM

Posted 05 January 2012 - 01:57 PM

Port scans are normal; any firewall will register them on any computer.

regards, Elise




#15 KiKiDiKi

KiKiDiKi
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:the non coastal section of the USA
  • Local time:01:52 AM

Posted 05 January 2012 - 02:00 PM

So far in Internet Explorer, it has taken well over 2 minutes to load the login page at Google with no other tabs or windows open, and my firewall is 100% allowing IExplorer. The page did stay at Google, no redirects, but it keeps telling me to reload the page because it couldn't load all the features. Even after refreshing, with the page loading at a MUCH faster rate, it still can't load everything. Again at Facebook: a very good, steady connection speed and it still can't load pages correctly. No redirects though, which is a good thing. Like I said, Firefox just kept preventing the sites from redirecting the page, so nothing happening in IE is a good thing, right? :)

One last new question: Is it a problem if my firewall detects inbound packets at impossible dates and times (12-31-1969 at 6pm) with all zeros filling out the IP information?

Edited by KiKiDiKi, 05 January 2012 - 02:36 PM.

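The last question in the post above can be checked offline. The ComboFix header for this machine reads [GMT -6:00], and 31 December 1969 at 6:00 PM in a UTC-6 zone is exactly Unix time 0, the value a time field shows when it was never filled in; 0.0.0.0 is likewise the "unspecified" address. A record with that date and all-zero addresses therefore carries no origin to backtrace, which is why a log viewer renders it as an impossible date rather than as a host. The script below is an added example and not the poster's firewall or anything from the thread: it assumes a simple CSV export (constructed here, since the real log format is not on the page), the UTC-6 offset from the ComboFix header, and the interpretation that an epoch-zero time plus unspecified addresses marks an unset record rather than a connection from a real host.

```python
import csv
import io
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample in a generic "timestamp,direction,src,dst,dport" layout. This is NOT
# the poster's firewall log (its real format is not on the page); 203.0.113.7 is a
# documentation address standing in for an ordinary remote host.
FIREWALL_SAMPLE = """timestamp,direction,src,dst,dport
01-05-2012 01:55 PM,inbound,203.0.113.7,192.168.1.10,445
12-31-1969 06:00 PM,inbound,0.0.0.0,0.0.0.0,0
12-31-1969 06:00 PM,inbound,0.0.0.0,0.0.0.0,0
"""

LOCAL_UTC_OFFSET_HOURS = -6   # the ComboFix header for this machine reads [GMT -6:00]


def is_epoch_zero(local_stamp, utc_offset_hours, fmt="%m-%d-%Y %I:%M %p"):
    """True when a local-time display string is Unix time 0 once the zone offset is applied."""
    zone = timezone(timedelta(hours=utc_offset_hours))
    stamped = datetime.strptime(local_stamp, fmt).replace(tzinfo=zone)
    return stamped.timestamp() == 0


def classify(row, utc_offset_hours):
    """Separate real events from records whose time and endpoints were never filled in."""
    zero_time = is_epoch_zero(row["timestamp"], utc_offset_hours)
    zero_addrs = all(ipaddress.ip_address(row[k]).is_unspecified for k in ("src", "dst"))
    if zero_time and zero_addrs:
        return "unset record"            # no usable time or endpoint: nothing to backtrace
    if zero_time or zero_addrs:
        return "partially unset record"  # worth a look: one field is real, the other is not
    return "event"


def triage(text, utc_offset_hours=LOCAL_UTC_OFFSET_HOURS):
    """(timestamp, src, dst, classification) for every row of a CSV firewall export."""
    return [(row["timestamp"], row["src"], row["dst"], classify(row, utc_offset_hours))
            for row in csv.DictReader(io.StringIO(text))]


if __name__ == "__main__":
    for stamp, src, dst, kind in triage(FIREWALL_SAMPLE):
        print(f"{kind:24} {stamp}  {src} -> {dst}")
```

The same 6:00 PM display would not be epoch zero in another zone (at UTC it is 21600 seconds before the epoch), so the offset has to come from the machine's own clock setting, which is why the ComboFix header is used rather than a guess.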



