Internet Security - Re-Directs - System Crashes


This topic is locked. 16 replies to this topic.

#1 Jetb

Posted 03 March 2012 - 11:39 AM

I am unable to access the internet or any applications. An Internet Security window opens at start-up whenever Windows starts normally. Also, Google searches redirect. And a blue screen crash dump shuts down my computer almost daily, but at least several times a week.

Based on your article, I should run TDSSKiller first to clean the redirect problems. I have thought of connecting the hard drive to another computer, but I do not know how to get TDSSKiller to scan the infected drive. TDSSKiller appears to only scan the master drive. Any advice on how I can fix my computer is much appreciated. Thank you.

#2 Blind Faith (Malware Response Team)

Posted 05 March 2012 - 02:09 PM

Hello and welcome to BleepingComputer! :)

I am Blind Faith and I will be helping you out with your problem. Firstly, you should know that we are working with specific tools which are designed to identify the possible threats present on your system, so I will analyze the results they produce.

DO NOT make any changes to the system except the ones I tell you to, as that may cause more damage than it helps.

If you encounter a delay of over 2 days from me, please don't hesitate to private message me.
Do not forget to check your topic periodically and subscribe to the topic so that you can receive notifications regarding my replies.

Have you tried accessing Safe Mode?
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into Safe Mode.
Make sure you choose the option with networking support.
Please see here for additional details.

Thank you very much for your patience.




Regards,

Elle
Can you hear it? It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro?

If I haven't replied in 48 hours, please feel free to send me a PM.

#3 Jetb (Topic Starter)

Posted 29 March 2012 - 12:18 PM

Thank you for your reply. Yes. I have started the computer in safe mode with networking. I have limited access and it appears that most applications do not work. I cannot access the internet. I can access word, but I cannot save any changes to documents or save new documents on the computer. I am able to copy data to my flash drive.

#4 Blind Faith (Malware Response Team)

Posted 31 March 2012 - 03:15 PM

Hi there,

I apologize for the delay, I need approval for my fix and therefore I will come back with a reply as soon as possible! Thank you for your patience.





#5 Blind Faith (Malware Response Team)

Posted 01 April 2012 - 11:28 AM

Hi there,


Using the USB stick or CD, please transfer the file to the infected computer's desktop and from there please follow the instructions listed below:
On the clean computer, please do the following in order to avoid infecting your USB stick.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.



On a clean computer please download ComboFix and copy it on a portable drive (flash drive, CD, etc.).
Boot the infected computer into Safe Mode with Network Connection.
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please transfer the log to your portable drive and copy/paste it in your next reply.




#6 Jetb (Topic Starter)

Posted 01 April 2012 - 10:30 PM

Good Evening,

I ran Flash Disinfector for my flash drive. And I am looking forward to your response. Thank you. Following is a copy of the log from the Combofix scan of the infected computer:

ComboFix 12-04-01.01 - User 04/01/2012 19:51:48.5.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2038.1637 [GMT -4:00]
Running from: c:\users\User\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\cY1532y3.exe
c:\programdata\isecurity.exe
c:\users\Public\Desktop\Internet Security.lnk
c:\users\User\AppData\Roaming\mIRC\logs\status.log
c:\users\User\Documents\~WRL1796.tmp
c:\windows\$NtUninstallKB28283$
c:\windows\$NtUninstallKB28283$\2718569094
c:\windows\$NtUninstallKB28283$\3294013997\@
c:\windows\$NtUninstallKB28283$\3294013997\cfg.ini
c:\windows\$NtUninstallKB28283$\3294013997\Desktop.ini
c:\windows\$NtUninstallKB28283$\3294013997\L\qnbwvoto
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\ifjojgyc.ini
c:\windows\system32\jgaw400.dll
c:\windows\system32\JGOGO.dll
c:\windows\system32\VAIOMediaPlatform-PhotoServer-UPnP.dll
c:\windows\system32\vppviubc.ini
.
Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - The cat found it :)
Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - c:\windows\SoftwareDistribution\Download\a58fa8f1a78b89e6c2a670e288053b8b\x86_cdrom.inf_31bf3856ad364e35_6.0.6001.18000_none_5fa95be2a3c76a4a\cdrom.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_HpqKbFiltr
.
.
((((((((((((((((((((((((( Files Created from 2012-03-02 to 2012-04-02 )))))))))))))))))))))))))))))))
.
.
2012-04-02 00:03 . 2012-04-02 00:07 -------- d-----w- c:\users\User\AppData\Local\temp
2012-04-02 00:03 . 2012-04-02 00:03 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-03 23:50 . 2012-03-03 23:50 -------- d-----w- c:\users\User\AppData\Roaming\Image Zone Express
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-22 23:00 . 2006-11-02 08:31 74752 ----a-w- c:\windows\system32\drivers\dfsc.sys
2012-02-21 17:55 . 2006-11-02 08:57 184320 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-21 17:19 . 2006-11-02 08:57 68096 ----a-w- c:\windows\system32\drivers\tdx.sys
2012-02-18 16:08 . 2012-02-21 00:50 87176 ----a-w- c:\windows\system32\vH663o.com
2012-02-18 16:08 . 2012-02-18 16:07 87176 ----a-w- c:\windows\system32\vH663o.com_
2009-04-15 20:24 . 2009-04-15 20:24 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-04-15 20:24 . 2009-04-15 20:24 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-04-15 20:24 . 2009-04-15 20:24 1044480 ----a-w- c:\program files\opera\program\plugins\libdivx.dll
2009-04-15 20:24 . 2009-04-15 20:24 200704 ----a-w- c:\program files\opera\program\plugins\ssldivx.dll
2012-02-18 07:50 . 2012-02-01 07:14 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files\Winamp Toolbar\winamptb.dll" [2009-02-19 1262888]
.
[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-06-13 174872]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-28 4472832]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-03-10 857648]
"eAudio"="c:\acer\Empowering Technology\eAudio\eAudio.exe" [2007-06-11 1286144]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-04 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-04 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-04 138008]
"PLFSet"="c:\windows\PLFSet.dll" [2007-04-25 45056]
"Acer Product Registration"="c:\program files\Acer Registration\ACE1.exe" [2007-02-02 3383296]
"HostManager"="c:\program files\Common Files\AOL\1201378896\ee\AOLSoftware.exe" [2006-03-10 48280]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2004-10-20 34904]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"GIZMO2"="c:\program files\GIZMO2\GIZMO.exe" [2008-11-17 2229512]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Grid Service"="c:\program files\GridService\peer.exe" [2008-12-30 4993024]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-28 185896]
"EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2007-11-01 151552]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-2-27 715568]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer9"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R0 74346763;74346763;c:\windows\system32\drivers\85696442.sys [x]
R2 .bntr;Box_NTR v2.6A;c:\programdata\Norton\bntr.exe [2009-01-25 1147098]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
bthsvcs REG_MULTI_SZ BthServ
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
HPService REG_MULTI_SZ HPSLPSVC
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
HpqKbFiltr
bc_filter
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-20 c:\windows\Tasks\At1.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-20 c:\windows\Tasks\At10.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-20 c:\windows\Tasks\At11.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-20 c:\windows\Tasks\At12.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-20 c:\windows\Tasks\At13.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-20 c:\windows\Tasks\At14.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-20 c:\windows\Tasks\At15.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-20 c:\windows\Tasks\At16.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-20 c:\windows\Tasks\At17.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-20 c:\windows\Tasks\At18.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-20 c:\windows\Tasks\At19.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-20 c:\windows\Tasks\At2.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-20 c:\windows\Tasks\At20.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-20 c:\windows\Tasks\At21.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-20 c:\windows\Tasks\At22.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-20 c:\windows\Tasks\At23.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-20 c:\windows\Tasks\At24.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-20 c:\windows\Tasks\At25.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-20 c:\windows\Tasks\At26.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-20 c:\windows\Tasks\At27.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-20 c:\windows\Tasks\At28.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-21 c:\windows\Tasks\At29.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-20 c:\windows\Tasks\At3.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-21 c:\windows\Tasks\At30.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-18 c:\windows\Tasks\At31.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-18 c:\windows\Tasks\At32.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-18 c:\windows\Tasks\At33.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-18 c:\windows\Tasks\At34.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-20 c:\windows\Tasks\At35.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-20 c:\windows\Tasks\At36.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-20 c:\windows\Tasks\At37.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-20 c:\windows\Tasks\At38.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-21 c:\windows\Tasks\At39.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-20 c:\windows\Tasks\At4.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-21 c:\windows\Tasks\At40.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-21 c:\windows\Tasks\At41.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-21 c:\windows\Tasks\At42.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-20 c:\windows\Tasks\At43.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-20 c:\windows\Tasks\At44.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-20 c:\windows\Tasks\At45.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-20 c:\windows\Tasks\At46.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-20 c:\windows\Tasks\At47.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-20 c:\windows\Tasks\At48.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-20 c:\windows\Tasks\At49.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-20 c:\windows\Tasks\At5.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-20 c:\windows\Tasks\At50.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-20 c:\windows\Tasks\At51.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-20 c:\windows\Tasks\At52.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-20 c:\windows\Tasks\At53.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-20 c:\windows\Tasks\At54.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-20 c:\windows\Tasks\At55.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-20 c:\windows\Tasks\At56.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-20 c:\windows\Tasks\At57.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-20 c:\windows\Tasks\At58.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-20 c:\windows\Tasks\At59.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-20 c:\windows\Tasks\At6.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-20 c:\windows\Tasks\At60.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-20 c:\windows\Tasks\At61.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-20 c:\windows\Tasks\At62.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-20 c:\windows\Tasks\At63.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-20 c:\windows\Tasks\At64.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-20 c:\windows\Tasks\At65.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-20 c:\windows\Tasks\At66.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-20 c:\windows\Tasks\At67.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-20 c:\windows\Tasks\At68.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-20 c:\windows\Tasks\At69.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-20 c:\windows\Tasks\At7.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-20 c:\windows\Tasks\At70.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-20 c:\windows\Tasks\At71.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-20 c:\windows\Tasks\At72.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-20 c:\windows\Tasks\At73.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-20 c:\windows\Tasks\At74.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-20 c:\windows\Tasks\At75.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-20 c:\windows\Tasks\At76.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-21 c:\windows\Tasks\At77.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-21 c:\windows\Tasks\At78.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-18 c:\windows\Tasks\At79.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-20 c:\windows\Tasks\At8.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-18 c:\windows\Tasks\At80.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-18 c:\windows\Tasks\At81.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-18 c:\windows\Tasks\At82.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-20 c:\windows\Tasks\At83.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-20 c:\windows\Tasks\At84.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-20 c:\windows\Tasks\At85.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-20 c:\windows\Tasks\At86.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-21 c:\windows\Tasks\At87.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-21 c:\windows\Tasks\At88.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-21 c:\windows\Tasks\At89.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-20 c:\windows\Tasks\At9.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-21 c:\windows\Tasks\At90.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-20 c:\windows\Tasks\At91.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-20 c:\windows\Tasks\At92.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-20 c:\windows\Tasks\At93.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-20 c:\windows\Tasks\At94.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
2012-02-20 c:\windows\Tasks\At95.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
.
2012-02-20 c:\windows\Tasks\At96.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &AIM Toolbar Search - c:\programdata\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: &Winamp Search - c:\programdata\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Download Link Using Mega Manager... - c:\program files\Megaupload\Mega Manager\mm_file.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\8t8jv622.default\
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{A057A204-BACC-4D26-C39E-35F1D2A32EC8} - (no file)
HKCU-Run-Internet Security - c:\programdata\isecurity.exe
HKLM-Run-NPSStartup - (no file)
SafeBoot-66255261.sys
SafeBoot-74346763.sys
SafeBoot-94457652.sys
AddRemove-Orb - c:\program files\Winamp Remote\uninstall.exe
AddRemove-01_Simmental - c:\program files\SAMSUNG\USB Drivers\01_Simmental\Uninstall.exe
AddRemove-02_Siberian - c:\program files\SAMSUNG\USB Drivers\02_Siberian\Uninstall.exe
AddRemove-03_Swallowtail - c:\program files\SAMSUNG\USB Drivers\03_Swallowtail\Uninstall.exe
AddRemove-04_semseyite - c:\program files\SAMSUNG\USB Drivers\04_semseyite\Uninstall.exe
AddRemove-05_Sloan - c:\program files\SAMSUNG\USB Drivers\05_Sloan\Uninstall.exe
AddRemove-06_Spencer - c:\program files\SAMSUNG\USB Drivers\06_Spencer\Uninstall.exe
AddRemove-07_Schorl - c:\program files\SAMSUNG\USB Drivers\07_Schorl\Uninstall.exe
AddRemove-08_EMPChipset - c:\program files\SAMSUNG\USB Drivers\08_EMPChipset\Uninstall.exe
AddRemove-09_Hsp - c:\program files\SAMSUNG\USB Drivers\09_Hsp\Uninstall.exe
AddRemove-11_HSP_Plus_Default - c:\program files\SAMSUNG\USB Drivers\11_HSP_Plus_Default\Uninstall.exe
AddRemove-12_Symbian_USB_Download_Driver - c:\program files\SAMSUNG\USB Drivers\12_Symbian_USB_Download_Driver\Uninstall.exe
AddRemove-15_Symbian_Samsung_PC_DLC_Driver - c:\program files\SAMSUNG\USB Drivers\15_Symbian_Samsung_PC_DLC_Driver\Uninstall.exe
AddRemove-16_Shrewsbury - c:\program files\SAMSUNG\USB Drivers\16_Shrewsbury\Uninstall.exe
AddRemove-17_EMP_Chipset2 - c:\program files\SAMSUNG\USB Drivers\17_EMP_Chipset2\Uninstall.exe
AddRemove-18_Zinia_Serial_Driver - c:\program files\SAMSUNG\USB Drivers\18_Zinia_Serial_Driver\Uninstall.exe
AddRemove-19_VIA_driver - c:\program files\SAMSUNG\USB Drivers\19_VIA_driver\Uninstall.exe
AddRemove-20_NXP_Driver - c:\program files\SAMSUNG\USB Drivers\20_NXP_Driver\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-01 20:07
Windows 6.0.6000 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\8dc2ac00]
"imagepath"="\??\c:\windows\TEMP\F4CB.tmp"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0009\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(1584)
c:\program files\CyberLink\PCM4Everio\Kernel\Video\CLM2Splter.ax
c:\program files\CyberLink\PowerDirector Express\PDM1Splter.ax
c:\program files\CyberLink\PowerDirector Express\PDM2Splter.ax
c:\program files\CyberLink\PCM4Everio\Kernel\Video\CLM1Splter.ax
c:\program files\Acer Arcade Deluxe\VideoMagician\Kernel\EditMovie\MDTLM2Splter.ax
c:\program files\Acer Arcade Deluxe\VideoMagician\Kernel\EditMovie\MDTLM1Splter.ax
c:\program files\Combined Community Codec Pack\Filters\VSFilter.dll
c:\program files\Combined Community Codec Pack\Filters\WavPackDSSplitter.ax
c:\windows\system32\RealMediaSplitter.ax
c:\program files\Combined Community Codec Pack\Filters\FLVSplitter.ax
c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLWMFDemux.ax
c:\program files\Acer Arcade Deluxe\VideoMagician\Kernel\Movie\CLDemuxer.ax
c:\program files\Winamp Remote\bin\aac_parser.ax
c:\program files\Combined Community Codec Pack\Filters\Haali\splitter.ax
c:\program files\Combined Community Codec Pack\Filters\Haali\mkzlib.dll
c:\program files\Combined Community Codec Pack\Filters\Haali\mkunicode.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2012-04-01 20:15:49 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-02 00:15
ComboFix2.txt 2008-08-03 04:55
ComboFix3.txt 2008-07-31 04:21
ComboFix4.txt 2008-07-31 03:59
ComboFix5.txt 2012-04-01 23:36
.
Pre-Run: 9,517,314,048 bytes free
Post-Run: 9,857,716,224 bytes free
.
- - End Of File - - 9F2390119FC09DBEC2DF844CEA895B68
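
The log above carries the indicators that drive the responder's follow-up: 96 At*.job tasks that all run the same pair of files in system32, a service (8dc2ac00) whose ImagePath is a .tmp file in c:\windows\TEMP, a driver entry whose file ComboFix marks [x] because it is not on disk, UAC switched off (EnableLUA=0), and Security Center monitoring disabled. The script below is an added example, not part of this thread and not a ComboFix feature: it parses a constructed excerpt in ComboFix's log layout (SAMPLE_LOG, modelled on the log above but much shorter) and reports those indicators, then drafts a CFScript in the directive layout the responder uses in her next reply (AtJob::, File::, Driver::). The function names, the fan-in threshold and the mapping of findings to directives are my assumptions. Treat the draft as something to hand to a helper for review rather than something to drop onto ComboFix unsupervised, which is exactly the "no changes except the ones I tell you to" rule this thread runs on.

```python
import re
from collections import Counter

# Constructed excerpt in ComboFix's log layout, modelled on the log posted above.
# It is not the real log; only the kinds of lines the checks below need are included.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
R0 74346763;74346763;c:\windows\system32\drivers\85696442.sys [x]
R2 .bntr;Box_NTR v2.6A;c:\programdata\Norton\bntr.exe [2009-01-25 1147098]
Contents of the 'Scheduled Tasks' folder
2012-02-20 c:\windows\Tasks\At1.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
2012-02-20 c:\windows\Tasks\At2.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
2012-02-20 c:\windows\Tasks\At3.job
- c:\windows\system32\vH663o.com [2012-02-21 16:08]
2012-02-20 c:\windows\Tasks\At4.job
- c:\windows\system32\vH663o.com_ [2012-02-18 16:08]
2012-02-20 c:\windows\Tasks\Backup.job
- c:\program files\Example Backup\backup.exe [2011-05-01 09:00]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\8dc2ac00]
"imagepath"="\??\c:\windows\TEMP\F4CB.tmp"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl"
"""

# "<date> <job path>" followed by "- <target> [<timestamp>]" on the next line.
JOB_RE = re.compile(r"^\S+ (?P<job>c:\\windows\\tasks\\[^\n]+\.job)\n- (?P<target>.+?) \[",
                    re.IGNORECASE | re.MULTILINE)
# Service key header followed by its ImagePath value.
SERVICE_RE = re.compile(r'^\[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet\d+\\Services\\(?P<name>[^\]]+)\]\n'
                        r'"imagepath"="(?P<path>[^"]+)"', re.IGNORECASE | re.MULTILINE)
# "R0 name;display;path [timestamp size]"; ComboFix prints [x] when the file is not on disk.
DRIVER_RE = re.compile(r"^R\d (?P<name>[^;]+);[^;]*;(?P<path>.+?) \[(?P<meta>[^\]]*)\]$", re.MULTILINE)
LUA_RE = re.compile(r'^"EnableLUA"\s*=\s*0\b', re.MULTILINE)
MONITOR_RE = re.compile(r'^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring[^\]]*\]\n'
                        r'"DisableMonitoring"=dword:0*1$', re.IGNORECASE | re.MULTILINE)


def at_job_fan_in(log, min_jobs=2):
    """Targets run by at least min_jobs scheduled tasks: one payload behind many At*.job files."""
    counts = Counter(m["target"] for m in JOB_RE.finditer(log))
    return {target: n for target, n in counts.items() if n >= min_jobs}


def temp_services(log):
    """Services/drivers whose ImagePath is a .tmp file or lives under a temp directory."""
    hits = []
    for m in SERVICE_RE.finditer(log):
        path = m["path"].lower()
        if path.endswith(".tmp") or "\\temp\\" in path:
            hits.append((m["name"], m["path"]))
    return hits


def missing_file_drivers(log):
    """Entries still registered although ComboFix could not find the file ([x])."""
    return [(m["name"], m["path"]) for m in DRIVER_RE.finditer(log)
            if m["meta"].strip().lower() == "x"]


def triage(log):
    """Return (kind, detail) findings in the order a helper would want to read them."""
    findings = []
    for target, n in sorted(at_job_fan_in(log).items()):
        findings.append(("atjob_fan_in", f"{n} scheduled tasks run {target}"))
    for name, path in temp_services(log):
        findings.append(("temp_service", f"service {name} loads {path}"))
    for name, path in missing_file_drivers(log):
        findings.append(("missing_driver", f"driver {name} points at absent file {path}"))
    if LUA_RE.search(log):
        findings.append(("uac_disabled", "EnableLUA=0: UAC prompts are switched off"))
    muted = len(MONITOR_RE.findall(log))
    if muted:
        findings.append(("security_center_muted", f"{muted} Security Center monitoring key(s) disabled"))
    return findings


def to_cfscript(log):
    """Draft a CFScript with the AtJob::/File::/Driver:: directives seen in this thread.
    The mapping (fan-in targets and temp service images under File::, temp service names
    under Driver::, AtJob:: whenever fan-in was found) is an assumption for this example,
    not a documented ComboFix contract; a helper should review it before it is used."""
    fan_in = at_job_fan_in(log)
    services = temp_services(log)
    files = sorted(fan_in) + [p.replace("\\??\\", "") for _, p in services]
    sections = []
    if fan_in:
        sections.append("AtJob::")
    if files:
        sections.append("File::\n" + "\n".join(files))
    if services:
        sections.append("Driver::\n" + "\n".join(name for name, _ in services))
    return "\n\n".join(sections) + "\n"


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:22} {detail}")
    print(to_cfscript(SAMPLE_LOG))
```

Run against the real log, the fan-in check alone would report 96 tasks split across vH663o.com and vH663o.com_, which is the strongest single signal in the post: legitimate software does not register dozens of numbered At jobs for one binary in system32. The draft script the function emits lists the same three files and the same service name as the responder's CFScript in the next reply, which is the point of the exercise, but the order and the judgement about what else to touch still belong to the helper.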

#7 Blind Faith (Malware Response Team)

Posted 03 April 2012 - 06:30 AM

Hi there,


Firstly I need to tell you about the risks your computer is exposed to.
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


If you decide to continue the cleaning procedure:

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

AtJob::

File::
c:\windows\TEMP\F4CB.tmp
c:\windows\system32\vH663o.com
c:\windows\system32\vH663o.com_

Driver::
8dc2ac00


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



How is your system working now?

Elle
Can you hear it? It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro?

If I haven't replied in 48 hours, please feel free to send me a PM.

#8 Jetb (Topic Starter)
  • Members
  • 14 posts
  • Local time:05:08 PM

Posted 06 April 2012 - 05:38 PM

Hi,

Thank you much.

My computer system is much improved. The window for internet security has not launched at startup as before. I am again able to access application files in normal mode. I have not explored the internet, so I don't know if I still get re-directs when I click on a link in google.

The computer did freeze during a malwarebytes full scan and did not yield a scan log. I left the computer scanning. When I returned, two hours later, the screen was black and the system was frozen. After restarting the computer, I started a full scan again.

I was having problems with computer freeze before--either the entire computer will freeze, or just the internet would freeze. When it is just the internet, I put the computer to sleep and wake it up again. When the computer wakes up, the internet wakes back up. When it is the entire computer, I turn the computer off for a few hours or more to let it rest.

Because my computer was infected with a back door trojan, would it be better to install a new hard drive and use the old hard drive as a slave?

Again, thank you for your help.

Following is the log from combofix.txt.

ComboFix 12-04-06.03 - User 04/06/2012 14:05:16.7.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2038.1364 [GMT -4:00]
Running from: F:\ComboFix.exe
Command switches used :: c:\users\User\Desktop\CFScript.txt
* Created a new restore point
.
FILE ::
"c:\windows\system32\vH663o.com"
"c:\windows\system32\vH663o.com_"
"c:\windows\TEMP\F4CB.tmp"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_8dc2ac00
.
.
((((((((((((((((((((((((( Files Created from 2012-03-06 to 2012-04-06 )))))))))))))))))))))))))))))))
.
.
2012-04-06 18:10 . 2012-04-06 18:14 -------- d-----w- c:\users\User\AppData\Local\temp
2012-04-06 18:10 . 2012-04-06 18:10 -------- d-----w- c:\users\Default\AppData\Local\temp
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-22 23:00 . 2006-11-02 08:31 74752 ----a-w- c:\windows\system32\drivers\dfsc.sys
2012-02-21 17:55 . 2006-11-02 08:57 184320 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-21 17:19 . 2006-11-02 08:57 68096 ----a-w- c:\windows\system32\drivers\tdx.sys
2009-04-15 20:24 . 2009-04-15 20:24 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-04-15 20:24 . 2009-04-15 20:24 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-04-15 20:24 . 2009-04-15 20:24 1044480 ----a-w- c:\program files\opera\program\plugins\libdivx.dll
2009-04-15 20:24 . 2009-04-15 20:24 200704 ----a-w- c:\program files\opera\program\plugins\ssldivx.dll
2012-02-18 07:50 . 2012-02-01 07:14 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files\Winamp Toolbar\winamptb.dll" [2009-02-19 1262888]
.
[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-06-13 174872]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-28 4472832]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-03-10 857648]
"eAudio"="c:\acer\Empowering Technology\eAudio\eAudio.exe" [2007-06-11 1286144]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-04 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-04 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-04 138008]
"PLFSet"="c:\windows\PLFSet.dll" [2007-04-25 45056]
"Acer Product Registration"="c:\program files\Acer Registration\ACE1.exe" [2007-02-02 3383296]
"HostManager"="c:\program files\Common Files\AOL\1201378896\ee\AOLSoftware.exe" [2006-03-10 48280]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2004-10-20 34904]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"GIZMO2"="c:\program files\GIZMO2\GIZMO.exe" [2008-11-17 2229512]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Grid Service"="c:\program files\GridService\peer.exe" [2008-12-30 4993024]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-28 185896]
"EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2007-11-01 151552]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-2-27 715568]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer9"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R0 74346763;74346763;c:\windows\system32\drivers\85696442.sys [x]
R2 .bntr;Box_NTR v2.6A;c:\programdata\Norton\bntr.exe [2009-01-25 1147098]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
bthsvcs REG_MULTI_SZ BthServ
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
HPService REG_MULTI_SZ HPSLPSVC
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
HpqKbFiltr
bc_filter
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &AIM Toolbar Search - c:\programdata\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: &Winamp Search - c:\programdata\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Download Link Using Mega Manager... - c:\program files\Megaupload\Mega Manager\mm_file.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\8t8jv622.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-06 14:13
Windows 6.0.6000 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0009\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(1824)
c:\program files\CyberLink\PCM4Everio\Kernel\Video\CLM2Splter.ax
c:\program files\CyberLink\PowerDirector Express\PDM1Splter.ax
c:\program files\CyberLink\PowerDirector Express\PDM2Splter.ax
c:\program files\CyberLink\PCM4Everio\Kernel\Video\CLM1Splter.ax
c:\program files\Acer Arcade Deluxe\VideoMagician\Kernel\EditMovie\MDTLM2Splter.ax
c:\program files\Acer Arcade Deluxe\VideoMagician\Kernel\EditMovie\MDTLM1Splter.ax
c:\program files\Combined Community Codec Pack\Filters\VSFilter.dll
c:\program files\Combined Community Codec Pack\Filters\WavPackDSSplitter.ax
c:\windows\system32\RealMediaSplitter.ax
c:\program files\Combined Community Codec Pack\Filters\FLVSplitter.ax
c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLWMFDemux.ax
c:\program files\Acer Arcade Deluxe\VideoMagician\Kernel\Movie\CLDemuxer.ax
c:\program files\Winamp Remote\bin\aac_parser.ax
c:\program files\Combined Community Codec Pack\Filters\Haali\splitter.ax
c:\program files\Combined Community Codec Pack\Filters\Haali\mkzlib.dll
c:\program files\Combined Community Codec Pack\Filters\Haali\mkunicode.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wbem\unsecapp.exe
c:\windows\helppane.exe
.
**************************************************************************
.
Completion time: 2012-04-06 14:21:04 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-06 18:21
ComboFix2.txt 2012-04-02 00:15
ComboFix3.txt 2008-08-03 04:55
ComboFix4.txt 2008-07-31 04:21
ComboFix5.txt 2012-04-06 16:08
.
Pre-Run: 9,821,691,904 bytes free
Post-Run: 9,756,418,048 bytes free
.
- - End Of File - - E02332D1938CC88BD6051D2153EAA166

Edited by Jetb, 06 April 2012 - 05:41 PM.
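The ComboFix log above carries the entries a responder reads first: the Security Center "DisableMonitoring" switches, "EnableLUA"= 0 under the system policies key, and the service list with an eight-digit service name pointing at an eight-digit driver file that is marked [x]. As an added example (not ComboFix's code and not anything posted in this thread), here is a small Python triage script that parses those line formats and flags the weakened settings and suspicious service entries; the sample log is constructed from lines in this thread, and the reading of [x] as "driver file not found on disk" is my assumption.

```python
import re

# Constructed sample: lines copied from the ComboFix log in this thread,
# trimmed to the sections this checker reads.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R0 74346763;74346763;c:\windows\system32\drivers\85696442.sys [x]
R2 .bntr;Box_NTR v2.6A;c:\programdata\Norton\bntr.exe [2009-01-25 1147098]
"""

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')
# Service lines look like:  R0 name;display name;path [date size]   or   [x]
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(.*)\]\s*$')
HEX8_RE = re.compile(r'^[0-9a-f]{8}$', re.IGNORECASE)


def parse_value(raw):
    """Turn the log's value spellings ('dword:00000001', '0 (0x0)') into ints."""
    raw = raw.strip()
    m = re.match(r'dword:([0-9a-f]{8})$', raw, re.IGNORECASE)
    if m:
        return int(m.group(1), 16)
    m = re.match(r'(\d+)\s*\(0x[0-9a-f]+\)$', raw, re.IGNORECASE)
    if m:
        return int(m.group(1))
    return raw  # string values (paths etc.) are returned unchanged


def triage(log_text):
    """Return a list of (finding, location) pairs for the indicators above."""
    findings = []
    current_key = None
    for line in log_text.splitlines():
        line = line.rstrip()
        key = KEY_RE.match(line)
        if key:
            current_key = key.group(1)
            continue
        val = VALUE_RE.match(line)
        if val and current_key:
            name, value = val.group(1), parse_value(val.group(2))
            key_l = current_key.lower()
            if name == 'EnableLUA' and value == 0 and key_l.endswith(r'policies\system'):
                findings.append(('UAC disabled (EnableLUA=0)', current_key))
            elif name == 'DisableMonitoring' and value == 1 and r'security center\monitoring' in key_l:
                findings.append(('Security Center monitoring disabled', current_key))
            continue
        svc = SERVICE_RE.match(line)
        if svc:
            start, name, _display, path, info = svc.groups()
            stem = path.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
            reasons = []
            if info.strip() == 'x':  # assumption: [x] means the file was not found on disk
                reasons.append('file missing on disk')
            if HEX8_RE.match(name):
                reasons.append('random-looking 8-hex-digit service name')
            if HEX8_RE.match(stem):
                reasons.append('random-looking 8-hex-digit driver file name')
            if reasons:
                findings.append((f'{start} service {name}: ' + ', '.join(reasons), path))
    return findings


if __name__ == '__main__':
    for finding, where in triage(SAMPLE_LOG):
        print(f'{finding}\n    at {where}')
```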


#9 Jetb (Topic Starter)
  • Members
  • 14 posts
  • Local time:05:08 PM

Posted 07 April 2012 - 10:13 AM

Hi again,

Just an update about my computer.

The malwarebytes full scan completed, and yielded a log.

I have been able to use Google without being re-directed.

I could not turn on Windows Firewall. I got this message: "Due to an unidentified problem, Windows cannot display Windows Firewall settings."

Nor could I turn on Windows Defender. I got this message: "Application failed to initialize 0x800106ba. A problem caused this program’s service to stop. To start the service, restart your computer or search Help and Support for how to start a service manually."

The only protection that is currently on my computer is Malwarebytes. What would you recommend for computer protection?

Thank you.

Jet.

Edited by Jetb, 07 April 2012 - 10:14 AM.


#10 Blind Faith
  • Malware Response Team
  • 4,101 posts
  • Gender:Female
  • Local time:01:08 AM

Posted 08 April 2012 - 05:38 AM

Hi there,

Could you please copy/paste the MBAM log here?




#11 Jetb (Topic Starter)
  • Members
  • 14 posts
  • Local time:05:08 PM

Posted 10 April 2012 - 08:22 PM

Hi Elle,

Here is the mbam log from the computer scan:

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.04.06.06

Windows Vista x86 NTFS
Internet Explorer 7.0.6000.17037
User :: USER-PC [administrator]

4/6/2012 5:27:28 PM
mbam-log-2012-04-06 (17-27-28).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 396071
Time elapsed: 1 hour(s), 33 minute(s), 56 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 7
C:\QooBox\Quarantine\C\ProgramData\cY1532y3.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\ProgramData\isecurity.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Windows\System32\VAIOMediaPlatform-PhotoServer-UPnP.dll.vir (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Windows\System32\JGOGO.dll.vir (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Windows\System32\vH663o.com.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Windows\System32\vH663o.com_.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\User\Desktop\eXplorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

(end)

#12 Blind Faith
  • Malware Response Team
  • 4,101 posts
  • Gender:Female
  • Local time:01:08 AM

Posted 12 April 2012 - 03:59 PM

Can you please tell me how is the system behaving now?





#13 Blind Faith
  • Malware Response Team
  • 4,101 posts
  • Gender:Female
  • Local time:01:08 AM

Posted 13 April 2012 - 05:36 AM

Hi there,

Please answer my previous question too! :grinner:
It's time to check for other problems with an Online Scanner.


I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.




#14 Jetb (Topic Starter)
  • Members
  • 14 posts
  • Local time:05:08 PM

Posted 14 April 2012 - 01:24 PM

Hi Elle,

Could you please explain to me what it is about my computer that makes me need the online scan? Are there still problems that you can identify? Please, what are they? Are there any alternatives to an online scan? The idea of the online scan makes me nervous...

Thank you. Jett.

#15 Casey_boy (Bleeping physicist)
  • Malware Response Team
  • 7,765 posts
  • Gender:Male
  • Location:UK
  • Local time:10:08 PM

Posted 15 April 2012 - 05:18 AM

Hi Jett,

Elle is away for the weekend and so, as her instructor, I am going to answer this for her.

The online scan is just simply a way of running another virus scan on your PC. ESET is a well-trusted anti-malware vendor who offer this free service; we use it simply to clean up any leftovers and make sure we've not missed anything.

The scanner does not send your files anywhere, it simply downloads a little scanner to your PC which then uses an online database of threats to compare your files to - it is just like a regular anti-virus program which you would normally install on your PC.

Rest assured your data remains private. This is just a really handy way of doing that "final check".

Let me know what you think :)

Casey

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *




