Google Redirect and other Issues! can't run dds as requested


  • This topic is locked
44 replies to this topic

#1 dlagere


Posted 12 January 2012 - 10:58 AM

I started in the wrong section. Sorry about that. I received the following request:
Hello, if you ran all those tools we need you to move to the Malware removal section.
Having run ComboFix we need to see that and a DDS log.

Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic. Thanks.
Skip the GMER step and instead post the ComboFix log you have.

Let me know if that went well.

NOTE: post these also:
tdsskiller, rootkill

I was able to run the defogger but my computer locks up when trying to run the dds program. Tried 3 times. What can I do now? Thanks for all your help!!

Am I still in the correct place? I cannot attach any logs as my computer freezes up and won't complete the scan (even for DDS). I was told to move my post to here and the old one is now locked. Am I in the right place? Thanks.

EDIT: Yes you are in the right place. Please be patient. There are over 160 unanswered topics in this forum at present and the current average wait time to receive help is 5-6 days. ~Budapest

OK Thanks

Still having the same issues.

Edited by Budapest, 17 January 2012 - 04:47 PM.




#2 gringo_pr


Posted 18 January 2012 - 09:59 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.


Click on the Watch Topic button and select Immediate Notification, then click on Proceed. This will help you get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run ComboFix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download ComboFix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double-click on combofix.exe and follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"Information and logs"

In your next post I need the following:
  • Log from ComboFix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 dlagere


Posted 18 January 2012 - 11:32 AM

Gringo- Thanks so much for responding. You are a life saver. I did as instructed and disabled everything, downloaded ComboFix and saved it to the desktop. I closed all applications and ran it. It locked up the computer each time I tried (I tried twice in regular mode and once in safe mode). I made sure not to even touch my mouse while it was running. But it gets to the point where it says "scanning computer...should take 10 minutes or so" and then it never gets farther and the entire computer locks up. Hope this helps. Dave

#4 gringo_pr


Posted 18 January 2012 - 12:41 PM

  • Push the "Windows key" + "R" (the Windows key is between the "Ctrl" button and the "Alt" button).
  • Please copy and paste the following into the box:
ComboFix /nombr
  • Click OK.

Copy and paste the report into this topic for me to review.

Gringo

#5 dlagere


Posted 18 January 2012 - 01:48 PM

Gringo- An error message comes up and says "Windows cannot find "ComboFix"". Dave

#6 gringo_pr


Posted 18 January 2012 - 04:40 PM

Hello

Make sure ComboFix is on the desktop.

Try and run ComboFix by double-clicking on it.

When it stalls again, restart the computer and try to run it from the Run command as I described above.




gringo

#7 dlagere


Posted 18 January 2012 - 06:22 PM

Gringo- Did as you suggested. It stalled on the double-click attempt, and when I ran it the other way it stalled in the same place. Tried it in safe mode as well with the same results. Dave

#8 gringo_pr


Posted 19 January 2012 - 12:47 AM

Hello

I want you to run this tool for me next.

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo

#9 dlagere


Posted 19 January 2012 - 10:39 AM

Gringo- I tried the TDSSKiller program and it won't run. A Windows error box pops up after a few minutes with the following: "IExplore.exe - Application Error" "The instruction at "0x3d61dae4" referenced memory at "0x00000000000"."

I tried keeping the error message up (not clicking it) and running the program again but the same thing happened.

I tried starting the program like I did with ComboFix, through the Run box, and the same thing happened. The computer is not locking up like it did with ComboFix, but the program won't run. I left it alone for over an hour and the hard drive light was not blinking.

Sorry to be difficult. Dave

#10 gringo_pr


Posted 19 January 2012 - 12:01 PM

Hello

I would like you to run this tool for me: fixTDSS

Download it to your desktop and start the program.

Follow the prompts and OK any security prompts.

When it is complete it will say the infection was cleared or no infection was found. Let me know what it says.

After it is complete I want you to restart the computer, try to rerun TDSSKiller for me, and send me the report.

Gringo

#11 dlagere


Posted 19 January 2012 - 06:35 PM

Gringo- Something worked. I am thrilled. The fixTDSS came back with the message "infected MBR detected". I OK'd a repair and it said "repair succeeded". I restarted the computer and was able to run the TDSSKiller program. It came back with no threats found. I opened the report but it won't let me copy/paste it. Is there a trick to that? The computer seems better already.

#12 gringo_pr


Posted 19 January 2012 - 08:21 PM

Hello

Now that we have removed the rootkit, let's try to run ComboFix once more. If it still doesn't complete, try it in safe mode.


gringo

#13 dlagere


Posted 20 January 2012 - 12:42 PM

Gringo- ComboFix did run!! You will notice I saved ComboFix as DL123 on my desktop. The following is the log report:

ComboFix 12-01-19.02 - Owner 01/20/2012 11:02:05.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1460 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\DL123.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\data
c:\data\default\us_sres.data
c:\documents and settings\All Users\Application Data\aizoaaa.tmp
c:\documents and settings\All Users\Application Data\czppaaa.tmp
c:\documents and settings\All Users\Application Data\dzppaaa.tmp
c:\documents and settings\All Users\Application Data\ekipaaa.tmp
c:\documents and settings\All Users\Application Data\ezppaaa.tmp
c:\documents and settings\All Users\Application Data\fkipaaa.tmp
c:\documents and settings\All Users\Application Data\fzppaaa.tmp
c:\documents and settings\All Users\Application Data\gdhoaaa.tmp
c:\documents and settings\All Users\Application Data\gvapaaa.tmp
c:\documents and settings\All Users\Application Data\gzppaaa.tmp
c:\documents and settings\All Users\Application Data\hkipaaa.tmp
c:\documents and settings\All Users\Application Data\hvapaaa.tmp
c:\documents and settings\All Users\Application Data\idhoaaa.tmp
c:\documents and settings\All Users\Application Data\ikipaaa.tmp
c:\documents and settings\All Users\Application Data\jvapaaa.tmp
c:\documents and settings\All Users\Application Data\knpdbaa.tmp
c:\documents and settings\All Users\Application Data\kvapaaa.tmp
c:\documents and settings\All Users\Application Data\lnpdbaa.tmp
c:\documents and settings\All Users\Application Data\mceoaaa.tmp
c:\documents and settings\All Users\Application Data\mnpdbaa.tmp
c:\documents and settings\All Users\Application Data\nceoaaa.tmp
c:\documents and settings\All Users\Application Data\nnpdbaa.tmp
c:\documents and settings\All Users\Application Data\oceoaaa.tmp
c:\documents and settings\All Users\Application Data\onpdbaa.tmp
c:\documents and settings\All Users\Application Data\oxjpaaa.tmp
c:\documents and settings\All Users\Application Data\pceoaaa.tmp
c:\documents and settings\All Users\Application Data\pxjpaaa.tmp
c:\documents and settings\All Users\Application Data\qceoaaa.tmp
c:\documents and settings\All Users\Application Data\qxjpaaa.tmp
c:\documents and settings\All Users\Application Data\rxjpaaa.tmp
c:\documents and settings\All Users\Application Data\slopaaa.tmp
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\tlopaaa.tmp
c:\documents and settings\All Users\Application Data\ulopaaa.tmp
c:\documents and settings\All Users\Application Data\vlopaaa.tmp
c:\documents and settings\All Users\Application Data\whzoaaa.tmp
c:\documents and settings\All Users\Application Data\wlopaaa.tmp
c:\documents and settings\All Users\Application Data\xhzoaaa.tmp
c:\documents and settings\All Users\Application Data\yhzoaaa.tmp
c:\documents and settings\All Users\Application Data\zhzoaaa.tmp
c:\documents and settings\Owner\Application Data\64dlls.exe
c:\documents and settings\Owner\Application Data\intel64.exe
c:\documents and settings\Owner\Application Data\Kernel32.exe
c:\documents and settings\Owner\Application Data\localsys64.exe
c:\documents and settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\System Fix.lnk
c:\documents and settings\Owner\Application Data\ntos.exe
c:\documents and settings\Owner\Application Data\oembios.exe
c:\documents and settings\Owner\Application Data\sdra64.exe
c:\documents and settings\Owner\Application Data\sdra73.exe
c:\documents and settings\Owner\Application Data\swin32.exe
c:\documents and settings\Owner\Application Data\twex.exe
c:\documents and settings\Owner\Application Data\twext.exe
c:\documents and settings\Owner\Application Data\wsnpoema.exe
c:\documents and settings\Owner\Start Menu\Programs\System Fix
c:\documents and settings\Owner\Start Menu\Programs\System Fix\System Fix.lnk
c:\documents and settings\Owner\Start Menu\Programs\System Fix\Uninstall System Fix.lnk
c:\windows\expl.dat
c:\windows\system32\svch.dat
c:\windows\system32\winl.dat
.
Infected copy of c:\windows\system32\Drivers\atapi.sys was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\atapi.sys
.
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\winlogon.exe
.
Infected copy of c:\windows\system32\svchost.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\svchost.exe
.
c:\windows\explorer.exe . . . is infected!!
.
c:\windows\system32\drivers\i8042prt.sys was missing
Restored copy from - c:\windows\ServicePackFiles\i386\i8042prt.sys
.
.
((((((((((((((((((((((((( Files Created from 2011-12-20 to 2012-01-20 )))))))))))))))))))))))))))))))
.
.
2012-01-20 17:09 . 2008-04-13 19:18 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-01-18 15:40 . 2012-01-18 15:51 -------- d-----w- C:\DL123
2012-01-15 17:32 . 2012-01-20 09:39 -------- d-----w- C:\e
2012-01-15 16:20 . 2012-01-15 16:20 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\visi_coupon
2012-01-15 16:19 . 2012-01-15 16:19 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2012-01-15 16:18 . 2012-01-15 16:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2012-01-15 16:16 . 2012-01-18 14:51 -------- d-----w- c:\windows\SxsCaPendDel
2012-01-12 17:18 . 2012-01-12 17:18 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Sun
2012-01-11 19:53 . 2012-01-11 19:53 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Sun
2012-01-11 18:56 . 2012-01-11 18:56 -------- d-----w- c:\program files\Common Files\Java
2012-01-11 18:55 . 2012-01-11 18:55 -------- d-----w- c:\program files\Oracle
2012-01-11 18:55 . 2012-01-11 18:55 -------- d-----w- c:\documents and settings\Owner\Application Data\Oracle
2012-01-11 18:55 . 2011-11-09 01:56 637848 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-01-11 16:56 . 2012-01-11 16:56 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-11 16:54 . 2012-01-11 16:54 0 ----a-w- c:\windows\system32\REN163.tmp
2012-01-11 16:54 . 2012-01-11 16:54 0 ----a-w- c:\windows\system32\REN162.tmp
2012-01-11 16:54 . 2012-01-11 16:54 0 ----a-w- c:\windows\system32\REN161.tmp
2012-01-11 16:54 . 2012-01-11 18:54 -------- d-----w- c:\program files\Java
2012-01-11 16:38 . 2012-01-11 16:38 -------- d-----w- c:\program files\Common Files\Adobe AIR
2012-01-11 16:37 . 2012-01-11 16:37 -------- d-----w- c:\program files\Common Files\Adobe
2012-01-09 15:51 . 2012-01-09 15:51 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Temp
2012-01-04 22:11 . 2012-01-04 22:11 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Apple
2012-01-04 22:11 . 2012-01-04 22:11 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Apple Computer
2012-01-04 22:11 . 2012-01-04 22:11 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Apple Computer
2012-01-04 22:11 . 2012-01-04 22:11 -------- d-----w- c:\documents and settings\Default User\Application Data\Apple Computer
2012-01-04 22:09 . 2012-01-04 22:11 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Apple Computer
2012-01-04 07:44 . 2012-01-04 08:44 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Skype
2012-01-03 18:45 . 2012-01-11 16:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-03 15:35 . 2012-01-03 15:35 -------- d-----w- c:\windows\system32\wbem\Repository
2012-01-03 15:34 . 2012-01-03 15:34 -------- d-----w- c:\program files\Bonjour
2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-12-29 19:37 . 2011-12-29 19:37 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2011-12-29 18:13 . 2012-01-03 15:34 -------- d-s---w- c:\documents and settings\Administrator
2011-12-29 15:51 . 2011-12-29 15:51 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-12-29 15:51 . 2011-12-29 15:51 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2011-12-29 00:54 . 2011-12-29 00:54 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2011-12-28 23:49 . 2011-12-28 23:49 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2011-12-28 23:49 . 2011-12-28 23:49 -------- d-----r- c:\program files\Skype
2011-12-28 23:49 . 2011-12-28 23:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2011-12-23 23:41 . 2011-12-27 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\aL36400HdHnB36400
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-11 18:55 . 2011-05-24 14:53 567184 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-09 01:56 . 2011-05-24 14:53 141312 ----a-w- c:\windows\system32\javacpl.cpl
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\winlogon.exe
[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 . 1300F6682BEA386767AE2A7C6C2DDCA7 . 545280 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[7] 2004-08-12 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\winlogon.exe
.
[7] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\svchost.exe
[7] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2008-04-14 . ECD453C1AD7D2FF9448C24A65642FE17 . 39936 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
[7] 2004-08-12 . 8F078AE4ED187AAABC0A305146DE6716 . 14336 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\svchost.exe
.
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ERDNT\cache\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2008-04-14 . F92D05B1C0DE946CF66B11479247FBDE . 1058816 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2004-08-12 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-09-30 252296]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=OUFWRlJFRS1WMEtNQy1FOVZVVy1FVzBWQS1VVTNYTC1GRVc5Ny1PVTZF&inst=NzctNjM1NDE2MDgxLUZMMTArMS1YTzEwKzExLUxJQys4LUREVCszMjY3My1ERDEwRisxLVNUMTBGQVBQKzEtRjEwTTEyQVQrMi1GMTBNMTJBKzEtRjEwTTEyQUIrMS1VMTArMS1GMTBNMTJBVEJOKzE&prod=90&ver=10.0.1415" [?]
.
c:\documents and settings\Administrator.CAM-DL.000\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OpenOffice.org 3.3.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
backup=c:\windows\pss\OpenOffice.org 3.3.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2004-08-25 17:52 339968 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2005-03-22 22:20 339968 ----a-w- c:\windows\stsystra.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
.
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Owner\LOCALS~1\Temp\HBCD\SuperAntiSpyware\SASDIFSV.SYS --> c:\docume~1\Owner\LOCALS~1\Temp\HBCD\SuperAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\Owner\LOCALS~1\Temp\HBCD\SuperAntiSpyware\SASKUTIL.SYS --> c:\docume~1\Owner\LOCALS~1\Temp\HBCD\SuperAntiSpyware\SASKUTIL.SYS [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-20 c:\windows\Tasks\User_Feed_Synchronization-{308EAF0C-8D62-47DA-8A63-A61ECC8641BD}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.cherokeearch.com/interfaces/sso/login.php
TCP: DhcpNameServer = 192.168.2.1
.
- - - - ORPHANS REMOVED - - - -
.
HKU-Default-Run-dplaysvr - c:\documents and settings\Owner\Application Data\dplaysvr.exe
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\docume~1\Owner\LOCALS~1\Temp\HBCD\SuperAntiSpyware\SASSEH.DLL
Notify-!SASWinLogon - c:\docume~1\Owner\LOCALS~1\Temp\HBCD\SuperAntiSpyware\SASWINLO.DLL
MSConfigStartUp-PDVDDXSrv - c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-20 11:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,21,43,c8,a8,da,c0,39,4d,ba,2e,a3,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,21,43,c8,a8,da,c0,39,4d,ba,2e,a3,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\t*]
"DisplayName"=""
"DeviceDesc"=""
"ProviderName"=""
"MFG"="?????"
"ReinstallString"="??\01"
"DeviceInstanceIds"=multi:"n\\download\\install\\driver\\2kxp_inf\\cx_19641.inf\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2660)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Logitech\Video\FxSvr2.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2012-01-20 11:36:47 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-20 17:36
.
Pre-Run: 138,056,581,120 bytes free
Post-Run: 143,110,770,688 bytes free
.
- - End Of File - - 9EF1E988BD4F812668791980DE04075F

#14 gringo_pr


Posted 20 January 2012 - 05:46 PM

SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:filefind
explorer.exe
svchost.exe 
winlogon.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt.

#15 dlagere


Posted 20 January 2012 - 05:50 PM

Gringo- See the following:

SystemLook 30.07.11 by jpshortstuff
Log created at 16:48 on 20/01/2012 by Owner
Administrator - Elevation successful

========== filefind ==========

Searching for "explorer.exe"
C:\WINDOWS\explorer.exe --a---- 1058816 bytes [13:57 12/08/2004] [00:12 14/04/2008] F92D05B1C0DE946CF66B11479247FBDE
C:\WINDOWS\$NtServicePackUninstall$\explorer.exe -----c- 1032192 bytes [00:37 24/05/2011] [13:57 12/08/2004] A0732187050030AE399B241436565E64
C:\WINDOWS\ERDNT\cache\explorer.exe --a---- 1033728 bytes [23:19 09/12/2011] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINDOWS\ServicePackFiles\i386\explorer.exe ------- 1033728 bytes [00:12 14/04/2008] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923

Searching for "svchost.exe "
C:\WINDOWS\$NtServicePackUninstall$\svchost.exe -----c- 14336 bytes [00:37 24/05/2011] [14:06 12/08/2004] 8F078AE4ED187AAABC0A305146DE6716
C:\WINDOWS\ERDNT\cache\svchost.exe --a---- 14336 bytes [23:19 09/12/2011] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\ServicePackFiles\i386\svchost.exe ------- 14336 bytes [00:12 14/04/2008] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\system32\svchost.exe --a---- 39936 bytes [14:06 12/08/2004] [00:12 14/04/2008] ECD453C1AD7D2FF9448C24A65642FE17

Searching for "winlogon.exe"
C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe -----c- 502272 bytes [00:37 24/05/2011] [14:09 12/08/2004] 01C3346C241652F43AED8E2149881BFE
C:\WINDOWS\ERDNT\cache\winlogon.exe --a---- 507904 bytes [23:19 09/12/2011] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\ServicePackFiles\i386\winlogon.exe ------- 507904 bytes [00:12 14/04/2008] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\system32\winlogon.exe --a---- 545280 bytes [14:09 12/08/2004] [00:12 14/04/2008] 1300F6682BEA386767AE2A7C6C2DDCA7

-= EOF =-
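The point of the SystemLook request above (and of ComboFix's Sigcheck section earlier in the thread) is a hash comparison: the copy of explorer.exe, svchost.exe and winlogon.exe actually in use differs in size and MD5 from the Service Pack copy on the same machine. The script below is an added example, not code from the thread or from the SystemLook or ComboFix authors; it parses the filefind output posted above and flags every live copy that does not match the ServicePackFiles\i386 copy. Which directories count as reference copies (ServicePackFiles\i386, ERDNT\cache, $NtServicePackUninstall$) is my assumption about an XP layout, not something SystemLook reports.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Sample input: the filefind section posted in this thread, so the sizes and
# MD5s below are the ones the helper was comparing.
SYSTEMLOOK_LOG = r"""
========== filefind ==========

Searching for "explorer.exe"
C:\WINDOWS\explorer.exe --a---- 1058816 bytes [13:57 12/08/2004] [00:12 14/04/2008] F92D05B1C0DE946CF66B11479247FBDE
C:\WINDOWS\$NtServicePackUninstall$\explorer.exe -----c- 1032192 bytes [00:37 24/05/2011] [13:57 12/08/2004] A0732187050030AE399B241436565E64
C:\WINDOWS\ERDNT\cache\explorer.exe --a---- 1033728 bytes [23:19 09/12/2011] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINDOWS\ServicePackFiles\i386\explorer.exe ------- 1033728 bytes [00:12 14/04/2008] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923

Searching for "svchost.exe "
C:\WINDOWS\$NtServicePackUninstall$\svchost.exe -----c- 14336 bytes [00:37 24/05/2011] [14:06 12/08/2004] 8F078AE4ED187AAABC0A305146DE6716
C:\WINDOWS\ERDNT\cache\svchost.exe --a---- 14336 bytes [23:19 09/12/2011] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\ServicePackFiles\i386\svchost.exe ------- 14336 bytes [00:12 14/04/2008] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\system32\svchost.exe --a---- 39936 bytes [14:06 12/08/2004] [00:12 14/04/2008] ECD453C1AD7D2FF9448C24A65642FE17

Searching for "winlogon.exe"
C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe -----c- 502272 bytes [00:37 24/05/2011] [14:09 12/08/2004] 01C3346C241652F43AED8E2149881BFE
C:\WINDOWS\ERDNT\cache\winlogon.exe --a---- 507904 bytes [23:19 09/12/2011] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\ServicePackFiles\i386\winlogon.exe ------- 507904 bytes [00:12 14/04/2008] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\system32\winlogon.exe --a---- 545280 bytes [14:09 12/08/2004] [00:12 14/04/2008] 1300F6682BEA386767AE2A7C6C2DDCA7
"""

# One result line: <path> <7 attribute flags> <size> bytes [created] [modified] <MD5>
ENTRY_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})\s*$"
)
SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"')

# Assumed XP layout: ServicePackFiles\i386 is the Service Pack's copy (baseline);
# ERDNT\cache (ComboFix backup) and $NtServicePackUninstall$ (pre-SP) are reference copies.
BASELINE_MARKER = "\\servicepackfiles\\i386\\"
REFERENCE_MARKERS = (BASELINE_MARKER, "\\erdnt\\cache\\", "\\$ntservicepackuninstall$\\")


@dataclass(frozen=True)
class FileEntry:
    name: str
    path: str
    size: int
    md5: str

    @property
    def is_baseline(self) -> bool:
        return BASELINE_MARKER in self.path.lower()

    @property
    def is_reference(self) -> bool:
        return any(marker in self.path.lower() for marker in REFERENCE_MARKERS)


def parse_filefind(text: str) -> dict[str, list[FileEntry]]:
    """Group result lines under the file name of the 'Searching for' block they belong to."""
    groups: dict[str, list[FileEntry]] = defaultdict(list)
    current = None
    for line in text.splitlines():
        header = SEARCH_RE.match(line)
        if header:
            # SystemLook echoes the search term verbatim, trailing space included.
            current = header.group("name").strip().lower()
            groups.setdefault(current, [])
            continue
        entry = ENTRY_RE.match(line)
        if entry and current:
            groups[current].append(FileEntry(current, entry.group("path"),
                                             int(entry.group("size")), entry.group("md5").upper()))
    return dict(groups)


def find_mismatches(groups: dict[str, list[FileEntry]]) -> list[dict]:
    """Flag each live (non-reference) copy whose size or MD5 differs from the baseline copy."""
    findings = []
    for name, entries in groups.items():
        baselines = [e for e in entries if e.is_baseline]
        if not baselines:
            findings.append({"name": name, "path": None, "reason": "no baseline copy found"})
            continue
        base = baselines[0]
        for e in entries:
            if e.is_reference:
                continue
            reasons = []
            if e.size != base.size:
                reasons.append(f"size {e.size} != baseline {base.size}")
            if e.md5 != base.md5:
                reasons.append(f"md5 {e.md5} != baseline {base.md5}")
            if reasons:
                findings.append({"name": name, "path": e.path, "reason": "; ".join(reasons)})
    return findings
```

Run against the log above it reports the three copies under C:\WINDOWS and system32; the $NtServicePackUninstall$ copies are skipped because they are pre-Service Pack backups that legitimately differ.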



