Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Results from DDS/Combofix scan which were requested


  • This topic is locked This topic is locked
5 replies to this topic

#1 Xookliba

Xookliba

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:35 PM

Posted 07 February 2012 - 10:34 AM

First, thanks for your help, it is greatly appreciated. I was asked to post the scan of the DDS script and Combofix. I should note that I had to run each several times before they successfully completed. Also, I have uninstalled my personal firewall (ZoneAlarm) and AV (Avast) and disconnected from the internet (physically) before doing any of this.

DDS:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_30
Run by admin at 22:46:53 on 2012-02-06
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1496 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Verizon V CAST Media Manager\V CAST Backup Scheduler.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [HLBackupScheduler] c:\program files\verizon v cast media manager\V CAST Backup Scheduler.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [MP10_EnsureFileVer] c:\windows\inf\unregmp2.exe /EnsureFileVersions
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AmazonGSDownloaderTray] c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: google.com\www
Trusted Zone: intuit.com\ttlc
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1326728808218
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\admin\application data\mozilla\firefox\profiles\e6zucmji.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2452474&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2011-8-25 13672]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2010-5-22 16512]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2009-10-11 2944]
S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2009-10-11 60416]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [2009-10-11 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2009-10-11 10368]
S3 gupdatem;Google Update Service (gupdatem);"c:\program files\google\update\googleupdate.exe" /medsvc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 Amazon Download Agent;Amazon Download Agent;c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2011-1-17 401920]
.
=============== Created Last 30 ================
.
2012-02-07 03:34:13 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys
2012-02-07 03:34:13 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-02-07 03:22:47 98816 ----a-w- c:\windows\sed.exe
2012-02-07 03:22:47 518144 ----a-w- c:\windows\SWREG.exe
2012-02-07 03:22:47 256000 ----a-w- c:\windows\PEV.exe
2012-02-07 03:22:47 208896 ----a-w- c:\windows\MBR.exe
2012-02-05 05:09:31 -------- d-----w- c:\windows\system32\appmgmt
2012-02-04 05:29:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-02-04 05:29:50 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2012-01-17 03:34:26 -------- d-----w- c:\windows\system32\scripting
2012-01-17 03:34:26 -------- d-----w- c:\windows\l2schemas
2012-01-17 03:34:25 -------- d-----w- c:\windows\system32\en
2012-01-17 03:34:25 -------- d-----w- c:\windows\system32\bits
2012-01-17 03:30:55 -------- d-----w- c:\windows\network diagnostic
2012-01-17 03:17:58 73216 ------w- c:\windows\system32\drivers\atintuxx.sys
2012-01-16 17:51:37 -------- d-----w- c:\windows\ServicePackFiles
2012-01-16 17:50:39 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2012-01-16 17:50:38 -------- d-----w- c:\windows\system32\ReinstallBackups
2012-01-16 16:42:43 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2012-01-16 16:37:32 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2012-01-16 16:37:06 353792 -c----w- c:\windows\system32\dllcache\srv.sys
2012-01-16 16:36:18 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2012-01-16 16:36:18 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2012-01-16 16:36:07 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2012-01-16 16:27:53 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2012-01-16 16:27:01 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2012-01-16 16:27:01 272128 ------w- c:\windows\system32\drivers\bthport.sys
2012-01-16 16:26:55 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2012-01-16 16:24:10 -------- d-----w- c:\windows\system32\PreInstall
2012-01-16 16:24:08 -------- d--h--w- c:\windows\$hf_mig$
2012-01-16 15:58:00 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-01-16 15:58:00 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-01-16 15:58:00 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-01-16 15:57:59 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-01-16 15:57:59 -------- d-----w- c:\windows\system32\SoftwareDistribution
.
==================== Find3M ====================
.
2011-12-28 04:05:10 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-10 10:54:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-10 08:27:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
============= FINISH: 22:47:02.53 ===============


Combofix Log:

ComboFix 12-02-06.02 - admin 02/06/2012 22:30:29.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1466 [GMT -5:00]
Running from: c:\documents and settings\admin\Desktop\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\admin\a6d3c900-5618.exe
c:\documents and settings\admin\WINDOWS
D:\install.exe
.
c:\windows\system32\drivers\i8042prt.sys was missing
Restored copy from - c:\windows\ServicePackFiles\i386\i8042prt.sys
.
.
((((((((((((((((((((((((( Files Created from 2012-01-07 to 2012-02-07 )))))))))))))))))))))))))))))))
.
.
2012-02-07 03:34 . 2008-04-13 19:18 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys
2012-02-07 03:08 . 2012-02-07 03:09 -------- d-----w- c:\documents and settings\admin\Application Data\U3
2012-02-04 05:29 . 2012-02-04 05:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2012-02-04 05:29 . 2012-02-04 05:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-01-17 12:40 . 2012-01-17 12:40 -------- d-----w- c:\program files\Microsoft.NET
2012-01-17 03:34 . 2012-01-17 03:34 -------- d-----w- c:\windows\system32\scripting
2012-01-17 03:34 . 2012-01-17 03:34 -------- d-----w- c:\windows\l2schemas
2012-01-17 03:34 . 2012-01-17 03:34 -------- d-----w- c:\windows\system32\en
2012-01-17 03:34 . 2012-01-17 03:34 -------- d-----w- c:\windows\system32\bits
2012-01-17 03:17 . 2004-08-04 03:29 73216 ------w- c:\windows\system32\drivers\atintuxx.sys
2012-01-16 17:51 . 2012-01-17 03:32 -------- d-----w- c:\windows\ServicePackFiles
2012-01-16 17:50 . 2004-08-04 05:56 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2012-01-16 16:42 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2012-01-16 16:37 . 2010-02-24 13:11 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2012-01-16 16:37 . 2009-12-31 16:50 353792 -c----w- c:\windows\system32\dllcache\srv.sys
2012-01-16 16:36 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2012-01-16 16:36 . 2009-10-15 16:28 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2012-01-16 16:36 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2012-01-16 16:27 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2012-01-16 16:27 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2012-01-16 16:27 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
2012-01-16 16:26 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2012-01-16 16:24 . 2012-01-16 20:19 -------- d--h--w- c:\windows\$hf_mig$
2012-01-16 15:58 . 2009-08-07 00:24 44768 ----a-w- c:\windows\system32\wups2.dll
2012-01-16 15:58 . 2009-08-07 00:24 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-01-16 15:58 . 2009-08-07 00:24 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-01-16 15:58 . 2009-08-07 00:24 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-01-16 15:57 . 2009-08-07 00:24 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-28 04:05 . 2011-06-24 12:10 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-10 10:54 . 2010-04-22 10:25 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-10 08:27 . 2009-10-20 22:35 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-01-29 15:55 . 2012-02-05 06:22 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HLBackupScheduler"="c:\program files\Verizon V CAST Media Manager\V CAST Backup Scheduler.exe" [2011-05-05 4950664]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="c:\documents and settings\admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-22 136176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]
"nwiz"="nwiz.exe" [2007-10-04 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-04 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-10 16132608]
"MP10_EnsureFileVer"="c:\windows\inf\unregmp2.exe" [2008-04-14 208896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-08-10 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 326144]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-7-24 113664]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/25/2011 5:53 PM 13672]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [5/22/2010 12:07 PM 16512]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [10/11/2009 5:34 AM 2944]
S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [10/11/2009 5:34 AM 60416]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [10/11/2009 5:34 AM 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [10/11/2009 5:34 AM 10368]
S3 gupdatem;Google Update Service (gupdatem);"c:\program files\Google\Update\GoogleUpdate.exe" /medsvc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [1/17/2011 12:08 PM 401920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: google.com\www
Trusted Zone: intuit.com\ttlc
FF - ProfilePath - c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\e6zucmji.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2452474&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Windows Update Server - c:\documents and settings\admin\72335c55-5618.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-06 22:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2496)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\RTHDCPL.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2012-02-06 22:38:25 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-07 03:38
.
Pre-Run: 31,743,832,064 bytes free
Post-Run: 31,726,432,256 bytes free
.
- - End Of File - - F2CFD1B53DEEE27219FD18C9A7FF1BC3

BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,531 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:35 AM

Posted 07 February 2012 - 01:49 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Nothing suspicious was found on your DDS log.
Your ComboFix log is clean.
===

Third party programs if not up to date can be the cause infiltration of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please let me know what problem persists with this computer.

#3 Xookliba

Xookliba
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:35 PM

Posted 08 February 2012 - 02:17 PM

Thanks again for your help. I should mention that I uninstalled ZoneAlarm and Avast just prior to running combofix and the DDS scripts. I am now running Comodo firewall and AV and using their SecureDNS. Here is the contents of the checklist.txt:

Results of screen317's Security Check version 0.99.30
Windows XP Service Pack 3 x86
Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Spybot - Search & Destroy
CCleaner
Java™ 6 Update 30
Java™ 6 Update 7
Java version out of date!
Adobe Flash Player 11.1.102.55
Adobe Reader 8 Adobe Reader out of date!
Mozilla Firefox 10.0. Firefox out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````

I also ran malwarebytes and it came up clean. I am still having intermittent Google redirect issues. Is it possible that it was related to one of my old firewall or AV settings? I had also read about a problem with google apis, but could not find too much info on that. Some of the sites I got redirected to seemed a bit fishy, with online technicians ready to "help" me with my problems. This was when I was searching for info on redirect malware.

Thanks again!

#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,531 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:35 AM

Posted 09 February 2012 - 09:23 AM

Internet Explorer 6 Out of date!

You may not be using IE but this version 6 is vulnerable on your computer.
Please update for your security.
===

Delete this old version of Java™ 6 Update 7 using the Add/Remove programs list.
===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before your download I suggest you unckeck the box on the top right "Include in your download" this is not required. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.
===

I am still having intermittent Google redirect issues.


Try this:

Go Posted Image > run box and type cmd and hit OK
type
ipconfig /flushdns <-- (The space between g and / is needed)

repeat with
ipconfig /renew

Then hit Enter, type Exit, hit Enter
*/*

If not solved:

Launch Notepad, and copy/paste all the blue instructions below to it.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]


Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.

On a Vista or Windows 7 operating system right click on the fixme.reg file and run as Administrator.

Optional if the following programs are in your computer.
Note that since the Domains are deleted SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again, also you have to re-install IE-SpyAd if installed.

Keep me posted.

#5 Xookliba

Xookliba
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:35 PM

Posted 09 February 2012 - 09:58 AM

Thanks again! Your help is appreciated. I'll post back if any problems persist or return.

#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,531 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:35 AM

Posted 19 February 2012 - 09:58 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users