Internet redirect


  • This topic is locked
32 replies to this topic

#1 VocaloidLover

VocaloidLover

  • Members
  • 20 posts
  • OFFLINE
  • Local time:12:54 PM

Posted 04 March 2012 - 08:04 PM

I am being redirected to these sites: http://www.happili.com ; http://www.addedsuccess.com ; & http://www.askthecrew.net

Also, any attempt to open Control Panel results in explorer.exe crashing. Opening Control Panel applet (.cpl) files is unhindered.

At my disposal are: TDSSKiller.exe, Unhide.exe, rkill.exe, mbam.exe, HijackThis.exe, Dr.Web CureIt, ComboFix.exe, fixNCR.reg, and a working internet connection on the computer.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:54:40 PM, on 3/4/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP UT\bin\hppusg.exe
C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe
C:\Program Files\Epson Software\Event Manager\EEventManager.exe
C:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Real\RealPlayer\Update\realsched.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\Program Files\Logitech\Vid HD\Vid.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\Explorer.exe
C:\Program Files\Logitech\LWS\Webcam Software\lws.exe
C:\Users\Hanson\AppData\Local\Logitech® Webcam Software\Logishrd\LU2.0\LULnchr.exe
C:\Users\Hanson\AppData\Local\Logitech® Webcam Software\Logishrd\LU2.0\LogitechUpdate.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\System32\dinotify.exe
C:\Users\Hanson\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Windows\notepad.exe
C:\Windows\notepad.exe
C:\Program Files\GNU\GnuPG\kleopatra.exe
C:\Program Files\GNU\GnuPG\bin\dbus-daemon.exe
C:\Windows\system32\conhost.exe
C:\Program Files\GNU\GnuPG\bin\kleopatra.exe
C:\Program Files\GNU\GnuPG\gpg-agent.exe
C:\Windows\System32\taskmgr.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\taskeng.exe
C:\Users\Hanson\Desktop\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/home.php?ref=hp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPUsageTracking] "C:\Program Files\Hewlett-Packard\HP UT\bin\hppusg.exe" "C:\Program Files\Hewlett-Packard\HP UT"
O4 - HKLM\..\Run: [hpbdfawep] C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe 1
O4 - HKLM\..\Run: [PrnStatusMX] C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [Linksys Wireless Manager] "C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" /cm /min /lcid 1033
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [BSDAppUpdater] C:\Program Files\Common Files\BSD\AppUpdater\BSDChecker.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [EEventManager] C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
O4 - HKLM\..\Run: [FUFAXSTM] "C:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Real\RealPlayer\Update\realsched.exe" -osboot
O4 - HKCU\..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe
O4 - HKCU\..\Run: [Logitech Vid] "C:\Program Files\Logitech\Vid HD\Vid.exe" -bootmode
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\steam.exe" -silent
O4 - HKCU\..\Run: [Google Update] "C:\Users\Hanson\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Artisan 810(Network)] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIFRA.EXE /FU "C:\Users\Hanson\AppData\Local\Temp\E_S402B.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Facebook Update] "C:\Users\Hanson\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
O4 - HKCU\..\Run: [EPSON Artisan 810 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIFRA.EXE /FU "C:\Users\Hanson\AppData\Local\Temp\E_S510E.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Update] rundll32.exe "C:\Users\Hanson\AppData\Roaming\BSD\BSD\dkgjonab.dll",DllRegisterServer
O4 - HKCU\..\Run: [googletalk] C:\Users\Hanson\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
O4 - HKUS\S-1-5-21-1799373236-3486777739-2621798443-1001\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'UpdatusUser')
O4 - HKUS\S-1-5-21-1799373236-3486777739-2621798443-1001\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'UpdatusUser')
O4 - Startup: Dropbox.lnk = AppData\Roaming\Dropbox\bin\Dropbox.exe
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{1CEA9B59-C845-4151-BA9A-FE59FDA73B25}: NameServer = 209.18.47.61,209.18.47.62
O17 - HKLM\System\CS1\Services\Tcpip\..\{1CEA9B59-C845-4151-BA9A-FE59FDA73B25}: NameServer = 209.18.47.61,209.18.47.62
O17 - HKLM\System\CS2\Services\Tcpip\..\{1CEA9B59-C845-4151-BA9A-FE59FDA73B25}: NameServer = 209.18.47.61,209.18.47.62
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\AVAST Software\Avast\AvastSvc.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DirMngr - Unknown owner - C:\Program Files\GNU\GnuPG\dirmngr.exe
O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: Microsoft Office Diagnostics Service (odserv) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: UMVPFSrv - Logitech Inc. - C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe

--
End of file - 9814 bytes

Edited by boopme, 05 March 2012 - 09:11 AM.
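The O4 (autorun) lines in the HijackThis log above are what a malware-response volunteer reads first: where does each startup entry actually execute from, and is anything hiding behind a Windows host binary such as rundll32.exe? The Python below is an added illustration for this thread, not HijackThis's own code and not a BleepingComputer tool. It parses O4 lines of the format shown, unwraps the real target when a host binary is used, and attaches review flags. The sample lines are constructed to mirror shapes in the log; the flags are prompts for a human to look closer, not a verdict, since legitimate updaters (Google Update, Dropbox) also run from AppData.

```python
"""Triage helper for HijackThis O4 (autorun) entries.

Added example for this thread; it is not part of HijackThis or of any
BleepingComputer tool. Flags are review prompts, not malware verdicts.
"""
import re
from dataclasses import dataclass, field

# Constructed sample lines in HijackThis v2.0.4 format (shapes mirror the log above).
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\steam.exe" -silent
O4 - HKCU\..\Run: [Google Update] "C:\Users\Hanson\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Update] rundll32.exe "C:\Users\Hanson\AppData\Roaming\BSD\BSD\dkgjonab.dll",DllRegisterServer
O4 - Startup: Dropbox.lnk = AppData\Roaming\Dropbox\bin\Dropbox.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/home.php?ref=hp
"""

# Registry-backed entries: "O4 - HKLM\..\Run: [name] command"
REG_RE = re.compile(r'^O4 - (?P<loc>HK\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# Startup-folder entries: "O4 - Startup: name.lnk = command"
FOLDER_RE = re.compile(r'^O4 - (?P<loc>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$')

EXEC_EXT = ('.exe', '.dll', '.com', '.scr', '.bat', '.cmd', '.vbs', '.js', '.lnk')
# Path components an unprivileged user can write to; persistence there merits a look.
USER_WRITABLE = {'users', 'appdata', 'temp'}
# Signed Windows binaries that execute whatever file is named on their command line.
HOST_BINARIES = {'rundll32.exe', 'regsvr32.exe'}


@dataclass
class AutorunEntry:
    location: str
    name: str
    command: str
    target: str                 # file that really executes, after unwrapping a host binary
    flags: list = field(default_factory=list)


def split_tokens(cmd):
    """Tokenise a command line, honouring double quotes and the `"x.dll",Export`
    shape rundll32 uses (the comma terminates the path token)."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|[^\s,]+', cmd)]


def take_path(tokens, start):
    """Return (path, next_index). Unquoted tokens are re-joined until one ends in an
    executable extension, mirroring how Windows probes an unquoted image path."""
    parts, i = [], start
    while i < len(tokens):
        parts.append(tokens[i])
        i += 1
        if parts[-1].lower().endswith(EXEC_EXT):
            break
    return ' '.join(parts), i


def parse_o4(line):
    """Parse one HijackThis line; return an AutorunEntry or None for non-O4 lines."""
    m = REG_RE.match(line) or FOLDER_RE.match(line)
    if not m:
        return None
    tokens = split_tokens(m['cmd'])
    if not tokens:
        return None
    target, nxt = take_path(tokens, 0)
    flags = []
    host = target.rsplit('\\', 1)[-1].lower()
    if host in HOST_BINARIES and nxt < len(tokens):
        flags.append(f'loaded through {host}')
        target, _ = take_path(tokens, nxt)       # the DLL/script is the real payload
    low = target.lower()
    if USER_WRITABLE & set(low.split('\\')):
        flags.append('runs from a user-writable directory')
    if low.endswith('.dll'):
        flags.append('payload is a DLL, not an executable')
    if not re.match(r'^(?:[a-z]:\\|%)', low):
        flags.append('relative or environment-dependent path')
    return AutorunEntry(m['loc'], m['name'], m['cmd'], target, flags)


def triage(report_text):
    """Parse every O4 line of a HijackThis report; most-flagged entries sort first."""
    entries = [e for e in (parse_o4(l.strip()) for l in report_text.splitlines()) if e]
    return sorted(entries, key=lambda e: len(e.flags), reverse=True)


if __name__ == '__main__':
    for e in triage(SAMPLE_HJT):
        print(f"{'!!' if e.flags else '  '} [{e.name}] {e.target}")
        for f in e.flags:
            print(f'       - {f}')
```

Run against the sample, the `[Update]` entry surfaces first with three flags (host binary, user-profile path, DLL payload), while Google Update and the Dropbox shortcut carry single flags an analyst would dismiss after a glance at the vendor and path.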



#2 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:03:54 PM

Posted 06 March 2012 - 05:59 PM

Hi VocaloidLover,

Please take note:

  • If you have since resolved the original problem you were having, I would appreciate you letting me know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and I will guide you.
  • Please tell me if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps I have recommended please try one more time and if unsuccessful alert us of such and I will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below I will review your topic and do my best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

I need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


I also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.


#3 VocaloidLover

VocaloidLover
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:12:54 PM

Posted 07 March 2012 - 10:41 AM

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-07 07:39:30
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST3160815AS rev.3.ADA
Running: Gmer.exe; Driver: C:\Users\Hanson\AppData\Local\Temp\pxldapow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwAdjustPrivilegesToken [0x88ECB28A]
SSDT \SystemRoot\system32\drivers\dwprot.sys ZwAllocateVirtualMemory [0xA35262D2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwAlpcConnectPort [0x88EE5342]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwAlpcCreatePort [0x88EE5678]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwAlpcSendWaitReceivePort [0x88EE59EE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwClose [0x88ECBD04]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwConnectPort [0x88EE502A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateEvent [0x88ECC276]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateMutant [0x88ECC164]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreatePort [0x88EE54E8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateSection [0x88ECB046]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateSemaphore [0x88ECC38E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateSymbolicLinkObject [0x88EE68D0]
SSDT \SystemRoot\system32\drivers\dwprot.sys ZwCreateThread [0xA3527904]
SSDT \SystemRoot\system32\drivers\dwprot.sys ZwCreateThreadEx [0xA35279E0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateUserProcess [0x88ECC4A6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateWaitablePort [0x88EE55B0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwDebugActiveProcess [0x88ECC74E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwDeviceIoControlFile [0x88ECBD46]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwDuplicateObject [0x88ECD750]
SSDT \SystemRoot\system32\drivers\dwprot.sys ZwFreeVirtualMemory [0xA352655E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwLoadDriver [0x88ECC840]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwMapViewOfSection [0x88EE68F0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwNotifyChangeKey [0x88EE3840]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenEvent [0x88ECC308]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenMutant [0x88ECC1F0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenProcess [0x88ECB4C4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenSection [0x88ECCB90]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenSemaphore [0x88ECC420]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenThread [0x88ECB3B8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwPlugPlayControl [0x88EE68E0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwQueryDirectoryObject [0x88ECC55C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwQueryObject [0x88EE3A38]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwQuerySection [0x88ECD0D2]
SSDT \SystemRoot\system32\drivers\dwprot.sys ZwQueueApcThread [0xA3527A0C]
SSDT \SystemRoot\system32\drivers\dwprot.sys ZwQueueApcThreadEx [0xA3527A32]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwReplyPort [0x88EE57DC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwReplyWaitReceivePort [0x88EE572A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwRequestWaitReplyPort [0x88EE5848]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwResumeThread [0x88ECD5F2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSecureConnectPort [0x88EE51B2]
SSDT \SystemRoot\system32\drivers\dwprot.sys ZwSetContextThread [0xA3527A58]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSetInformationToken [0x88ECC5FA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSetSystemInformation [0x88ECD222]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSuspendProcess [0x88ECD316]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSuspendThread [0x88ECD450]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSystemDebugControl [0x88ECC670]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwTerminateProcess [0x88ECB664]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwTerminateThread [0x88ECB5BA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwUnmapViewOfSection [0x88ECCF8A]
SSDT \SystemRoot\system32\drivers\dwprot.sys ZwWriteVirtualMemory [0xA352666E]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13D1 82C83369 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82CBCD52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10D7 82CC3D8C 2 Bytes [8A, B2]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10DA 82CC3D8F 1 Byte [88]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 82CC3DA8 4 Bytes [D2, 62, 52, A3]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10FF 82CC3DB4 8 Bytes [42, 53, EE, 88, 78, 56, EE, ...]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1143 82CC3DF8 4 Bytes [EE, 59, EE, 88]
.text ...
? system32\drivers\dwprot.sys The system cannot find the path specified. !
? C:\Users\Hanson\AppData\Local\Temp\5881QnDe.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

? C:\Users\Hanson\Desktop\kslab\avp.exe[2408] C:\Windows\SYSTEM32\ntdll.dll time/date stamp mismatch;
.text C:\Users\Hanson\Desktop\kslab\avp.exe[2408] ntdll.dll!NtProtectVirtualMemory 775A5F18 5 Bytes JMP 6AC91765 C:\Users\Hanson\Desktop\kslab\ushata.dll (Ushata module/Kaspersky Lab ZAO)
? C:\Users\Hanson\Desktop\kslab\avp.exe[2408] C:\Windows\system32\kernel32.dll time/date stamp mismatch; unknown module: KERNELBASE.dll
.text C:\Users\Hanson\Desktop\kslab\avp.exe[2408] USER32.dll!NotifyWinEvent + 6AE 7649D66C 4 Bytes [E0, 13, 54, 67]
.text C:\Program Files\Real\RealPlayer\Update\realsched.exe[3192] kernel32.dll!SetUnhandledExceptionFilter 7732F4FB 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
? C:\Users\Hanson\Desktop\kslab\avp.exe[3268] C:\Windows\SYSTEM32\ntdll.dll time/date stamp mismatch;
.text C:\Users\Hanson\Desktop\kslab\avp.exe[3268] ntdll.dll!NtProtectVirtualMemory 775A5F18 5 Bytes JMP 6AC91765 C:\Users\Hanson\Desktop\kslab\ushata.dll (Ushata module/Kaspersky Lab ZAO)
? C:\Users\Hanson\Desktop\kslab\avp.exe[3268] C:\Windows\system32\kernel32.dll time/date stamp mismatch; unknown module: KERNELBASE.dll
.text C:\Users\Hanson\Desktop\kslab\avp.exe[3268] USER32.dll!NotifyWinEvent + 6AE 7649D66C 4 Bytes [E0, 13, 54, 67]
.text C:\Program Files\Pando Networks\Media Booster\PMB.exe[3352] kernel32.dll!SetUnhandledExceptionFilter 7732F4FB 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
.text C:\Program Files\Mozilla Firefox\firefox.exe[6284] ntdll.dll!LdrLoadDll 775C223E 5 Bytes JMP 608C5B60 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[6944] USER32.dll!GetWindowInfo 76494B5E 5 Bytes JMP 60A40924 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[6944] USER32.dll!TrackPopupMenu 764A2228 5 Bytes JMP 60A40ECF C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8675F230
Device \FileSystem\Ntfs \Ntfs 87C4A0C0
Device \FileSystem\Ntfs \Ntfs 856BC9F0
Device \FileSystem\Ntfs \Ntfs 87B2C1B8
Device \FileSystem\Ntfs \Ntfs 85A490D8
Device \FileSystem\Ntfs \Ntfs 85764BA0

AttachedDevice \FileSystem\Ntfs \Ntfs dwprot.sys
AttachedDevice \Driver\tdx \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
AttachedDevice \Driver\tdx \Device\Tcp dwprot.sys
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004f halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
AttachedDevice \Driver\tdx \Device\Udp dwprot.sys
AttachedDevice \Driver\tdx \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
AttachedDevice \Driver\tdx \Device\RawIp dwprot.sys

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\Hanson\AppData\Local\Logitech\xae Webcam Software\Logishrd\LU2.0\LogitechUpdate.exe 1

---- Files - GMER 1.0.15 ----

File C:\ProgramData\Kaspersky Lab\AVP12\SysWHist\amlogs\367 0 bytes
File C:\ProgramData\Kaspersky Lab\AVP12\SysWHist\amlogs\368 0 bytes
File C:\Windows\$NtUninstallKB65262$\1058783733 0 bytes
File C:\Windows\$NtUninstallKB65262$\1058783733\@ 2048 bytes
File C:\Windows\$NtUninstallKB65262$\1058783733\bckfg.tmp 849 bytes
File C:\Windows\$NtUninstallKB65262$\1058783733\cfg.ini 199 bytes
File C:\Windows\$NtUninstallKB65262$\1058783733\Desktop.ini 4608 bytes
File C:\Windows\$NtUninstallKB65262$\1058783733\keywords 200 bytes
File C:\Windows\$NtUninstallKB65262$\1058783733\kwrd.dll 223744 bytes
File C:\Windows\$NtUninstallKB65262$\1058783733\L 0 bytes
File C:\Windows\$NtUninstallKB65262$\1058783733\L\xadqgnnk 108544 bytes
File C:\Windows\$NtUninstallKB65262$\1058783733\lsflt7.ver 5176 bytes
File C:\Windows\$NtUninstallKB65262$\1058783733\U 0 bytes
File C:\Windows\$NtUninstallKB65262$\1058783733\U\00000001.@ 2048 bytes
File C:\Windows\$NtUninstallKB65262$\1058783733\U\00000002.@ 224768 bytes
File C:\Windows\$NtUninstallKB65262$\1058783733\U\00000004.@ 1024 bytes
File C:\Windows\$NtUninstallKB65262$\1058783733\U\80000000.@ 1024 bytes
File C:\Windows\$NtUninstallKB65262$\1058783733\U\80000004.@ 12800 bytes
File C:\Windows\$NtUninstallKB65262$\1058783733\U\80000032.@ 98304 bytes
File C:\Windows\$NtUninstallKB65262$\3512901505 0 bytes

---- EOF - GMER 1.0.15 ----

#4 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:03:54 PM

Posted 07 March 2012 - 10:51 AM

Looking good. :thumbup2:

Please also post a DDS log, following the instructions in my last post.
Regards,
Jason

 



#5 VocaloidLover

VocaloidLover
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:12:54 PM

Posted 07 March 2012 - 09:06 PM

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_26
Run by Hanson at 18:00:26 on 2012-03-07
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2046.934 [GMT -8:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Users\Hanson\Desktop\kslab\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\GNU\GnuPG\dirmngr.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP UT\bin\hppusg.exe
C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe
C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe
C:\Program Files\Common Files\BSD\AppUpdater\BSDChecker.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Epson Software\Event Manager\EEventManager.exe
C:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Real\RealPlayer\Update\realsched.exe
C:\Users\Hanson\Desktop\kslab\avp.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\Program Files\Logitech\Vid HD\Vid.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Steam\Steam.exe
C:\Users\Hanson\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Users\Hanson\AppData\Local\Facebook\Update\FacebookUpdate.exe
C:\Users\Hanson\AppData\Roaming\Google\Google Talk\googletalk.exe
C:\Users\Hanson\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.facebook.com/home.php?ref=hp
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\users\hanson\desktop\kslab\ievkbd.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\users\hanson\desktop\kslab\klwtbbho.dll
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRun: [Logitech Vid] "c:\program files\logitech\vid hd\Vid.exe" -bootmode
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [Google Update] "c:\users\hanson\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Artisan 810(Network)] c:\windows\system32\spool\drivers\w32x86\3\e_fatifra.exe /fu "c:\users\hanson\appdata\local\temp\E_S402B.tmp" /EF "HKCU"
uRun: [Facebook Update] "c:\users\hanson\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver
uRun: [EPSON Artisan 810 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatifra.exe /fu "c:\users\hanson\appdata\local\temp\E_S510E.tmp" /EF "HKCU"
uRun: [Update] rundll32.exe "c:\users\hanson\appdata\roaming\bsd\bsd\dkgjonab.dll",DllRegisterServer
uRun: [googletalk] c:\users\hanson\appdata\roaming\google\google talk\googletalk.exe /autostart
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [HPUsageTracking] "c:\program files\hewlett-packard\hp ut\bin\hppusg.exe" "c:\program files\hewlett-packard\HP UT"
mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1
mRun: [PrnStatusMX] c:\program files\hewlett-packard\prnstatusmx\PrnStatusMX.exe
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [Linksys Wireless Manager] "c:\program files\linksys\linksys wireless manager\LinksysWirelessManager.exe" /cm /min /lcid 1033
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [BSDAppUpdater] c:\program files\common files\bsd\appupdater\BSDChecker.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [FUFAXSTM] "c:\program files\epson software\fax utility\FUFAXSTM.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [AVP] "c:\users\hanson\desktop\kslab\avp.exe"
StartupFolder: c:\users\hanson\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\hanson\appdata\roaming\dropbox\bin\Dropbox.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Anti-Banner - c:\users\hanson\desktop\kslab\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\users\hanson\desktop\kslab\ievkbd.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\users\hanson\desktop\kslab\klwtbbho.dll
TCP: Interfaces\{1CEA9B59-C845-4151-BA9A-FE59FDA73B25} : NameServer = 209.18.47.61,209.18.47.62
TCP: Interfaces\{1CEA9B59-C845-4151-BA9A-FE59FDA73B25}\17775627479702E65647 : DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{1CEA9B59-C845-4151-BA9A-FE59FDA73B25}\3474442343746334 : DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{1CEA9B59-C845-4151-BA9A-FE59FDA73B25}\75F627D613 : DhcpNameServer = 192.168.1.1 209.18.47.61 209.18.47.62
TCP: Interfaces\{A03A5CDA-A4BF-46F0-B6E9-730E339C8E0A} : DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{D54992C5-E6DC-4D5E-BB59-11C400F981C5} : DhcpNameServer = 209.18.47.61 209.18.47.62
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Notify: klogon - c:\windows\system32\klogon.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\hanson\appdata\roaming\mozilla\firefox\profiles\pxz0mcx3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/home.php?ref=hp
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z131&form=ZGAADF&install_date=20111007&q=
FF - prefs.js: network.proxy.ftp - 199.195.109.21
FF - prefs.js: network.proxy.ftp_port - 9090
FF - prefs.js: network.proxy.http - 0.0.0.0
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 199.195.109.21
FF - prefs.js: network.proxy.socks_port - 9090
FF - prefs.js: network.proxy.ssl - 199.195.109.21
FF - prefs.js: network.proxy.ssl_port - 9090
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\users\hanson\appdata\local\facebook\video\skype\npFacebookVideoCalling.dll
FF - plugin: c:\users\hanson\appdata\local\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\users\hanson\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\hanson\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
============= SERVICES / DRIVERS ===============
.
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2011-3-4 11352]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2011-3-10 23856]
R2 AVP;Kaspersky Anti-Virus Service;c:\users\hanson\desktop\kslab\avp.exe -r --> c:\users\hanson\desktop\kslab\avp.exe -r [?]
R2 DirMngr;DirMngr;c:\program files\gnu\gnupg\dirmngr.exe [2011-3-2 224256]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-8-8 2214504]
R2 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2011-8-19 450848]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-11-2 19984]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-7-13 17920]
R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\drivers\WSDScan.sys [2009-7-13 20480]
R3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\drivers\WUSB54GCv3.sys [2011-8-25 645120]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-8-7 136176]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-8-7 136176]
S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2011-12-12 710144]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-8-7 15872]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-8-7 52224]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-22 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]
.
=============== Created Last 30 ================
.
2012-03-07 01:36:34 97961 -c--a-w- c:\windows\system32\drivers\klick.dat
2012-03-07 01:36:34 115369 -c--a-w- c:\windows\system32\drivers\klin.dat
2012-03-07 01:34:44 -------- dc----w- c:\programdata\Kaspersky Lab
2012-03-06 07:37:18 6552120 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{e83ef7c9-de8a-405c-98db-022b8bd8e262}\mpengine.dll
2012-03-06 07:13:05 -------- dc-h--w- C:\kleaner.tmp
2012-03-04 21:53:12 -------- dc----w- c:\users\hanson\DoctorWeb
2012-03-04 19:10:52 -------- dc----w- c:\users\hanson\appdata\local\Microsoft_Corporation
2012-03-04 18:56:33 -------- dcs---w- C:\ComboFix
2012-02-24 08:32:20 11776 ----a-w- c:\program files\mozilla firefox\plugins\nprjplug.dll
2012-02-24 08:31:59 -------- d---a-w- c:\program files\common files\xing shared
2012-02-24 08:31:43 150696 ----a-w- c:\program files\mozilla firefox\plugins\nppl3260.dll
2012-02-24 08:31:14 108544 ----a-w- c:\program files\mozilla firefox\plugins\nprpjplug.dll
2012-02-24 08:30:59 499712 -c--a-w- c:\windows\system32\msvcp71.dll
2012-02-24 08:30:59 348160 -c--a-w- c:\windows\system32\msvcr71.dll
2012-02-24 08:04:42 -------- d---a-w- c:\program files\Audacity
2012-02-21 08:50:06 -------- dc----r- c:\users\hanson\Dropbox
2012-02-21 08:47:42 -------- dc----w- c:\users\hanson\appdata\roaming\Dropbox
2012-02-15 11:01:44 -------- d---a-w- c:\program files\Microsoft Visual Studio 8
2012-02-15 05:02:18 478720 ----a-w- c:\windows\system32\timedate.cpl
2012-02-15 05:02:12 690688 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-15 05:02:07 442880 ----a-w- c:\windows\system32\ntshrui.dll
2012-02-14 09:39:32 -------- dc----w- c:\users\hanson\appdata\local\AsyncEventclass
.
==================== Find3M ====================
.
2012-03-02 01:43:49 414368 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-23 17:18:36 237072 -c----w- c:\windows\system32\MpSigStub.exe
2012-02-15 11:01:16 981504 ----a-w- c:\windows\system32\wininet.dll
2012-02-15 11:01:16 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2012-02-15 11:00:56 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-01-26 11:01:04 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-26 11:01:04 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-01-26 11:01:04 314880 ----a-w- c:\windows\system32\webio.dll
2012-01-26 11:01:04 22528 ----a-w- c:\windows\system32\lsass.exe
2012-01-26 11:01:04 224768 ----a-w- c:\windows\system32\schannel.dll
2012-01-26 11:01:04 22016 ----a-w- c:\windows\system32\secur32.dll
2012-01-26 11:01:04 15872 ----a-w- c:\windows\system32\sspisrv.dll
2012-01-26 11:01:04 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-01-26 11:01:04 1038848 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-26 11:01:04 100352 ----a-w- c:\windows\system32\sspicli.dll
2011-12-29 19:58:25 717296 -c--a-w- c:\windows\system32\drivers\sptd.sys
.
============= FINISH: 18:01:20.56 ===============



#6 jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 07 March 2012 - 10:46 PM

VocaloidLover,

It looks like you've previously run Combofix. Please post the latest Combofix log, located at C:\ComboFix.txt (if it exists).

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run from.

Note: When using the "Reset FF Proxy Settings" option, Firefox should be closed.


In your next reply, please include:
  • Combofix log (located at C:\Combofix.txt if it exists)
  • MiniToolBox log
  • How's your computer running now? Please be as descriptive as possible.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.
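One way to do the "Report FF Proxy Settings" and "Reset FF Proxy Settings" steps by hand, as an added example that is not part of this thread or of MiniToolBox: the script below reads Firefox's prefs.js, lists every network.proxy.* host that is set (marked active when network.proxy.type is 1, manual proxy, and residual otherwise, since Firefox ignores the hosts in the other modes), and strips those lines the way a reset does, so Firefox falls back to its defaults. The prefs.js sample is constructed from the values shown in this thread's logs; the function names are this example's own.

```python
"""Triage and reset of Firefox proxy prefs (added example, not MiniToolBox's code)."""
import re

# One prefs.js line, e.g.:  user_pref("network.proxy.socks", "199.195.109.21");
# Only network.proxy.* prefs are matched; the line ending is consumed so that
# stripping a pref leaves no blank line behind.
PROXY_PREF_RE = re.compile(
    r'^user_pref\("(network\.proxy\.[^"]+)",\s*(.*?)\);[ \t]*\n?', re.MULTILINE
)

# Proxy host prefs Firefox consults when network.proxy.type is 1 (manual).
HOST_PREFS = ("network.proxy.http", "network.proxy.ssl",
              "network.proxy.ftp", "network.proxy.socks")

# Constructed sample prefs.js, mirroring the FF Proxy Settings block in the
# MiniToolBox log above (real prefs.js files carry many more lines).
SAMPLE_PREFS_JS = """\
user_pref("browser.startup.homepage", "http://www.facebook.com/home.php?ref=hp");
user_pref("network.proxy.ftp", "199.195.109.21");
user_pref("network.proxy.ftp_port", 9090);
user_pref("network.proxy.http", "0.0.0.0");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.share_proxy_settings", true);
user_pref("network.proxy.socks", "199.195.109.21");
user_pref("network.proxy.socks_port", 9090);
user_pref("network.proxy.ssl", "199.195.109.21");
user_pref("network.proxy.ssl_port", 9090);
user_pref("network.proxy.type", 0);
"""


def parse_proxy_prefs(text):
    """Return {pref_name: value} for every network.proxy.* pref in prefs.js text.

    Values are decoded to str, bool or int, matching the three literal forms
    prefs.js uses.
    """
    prefs = {}
    for name, raw in PROXY_PREF_RE.findall(text):
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            prefs[name] = int(raw)
    return prefs


def audit_proxy_prefs(prefs):
    """List every proxy host that is set, with the port and whether it is in use.

    A host is "active" only when network.proxy.type is 1 (manual proxy);
    with any other type (0 = direct, 2 = PAC, 4 = auto-detect, 5 = system)
    the host is "residual": not used right now, but still a non-default value
    that deserves an explanation. An unusable host such as 0.0.0.0 is still
    reported, because the point is to show every deviation from the defaults.
    """
    proxy_type = prefs.get("network.proxy.type", 0)
    findings = []
    for pref in HOST_PREFS:
        host = prefs.get(pref, "")
        if not host:
            continue
        findings.append({
            "pref": pref,
            "host": host,
            "port": prefs.get(pref + "_port", 0),
            "status": "active" if proxy_type == 1 else "residual",
        })
    return findings


def strip_proxy_prefs(text):
    """Return prefs.js text with every network.proxy.* line removed.

    Firefox treats a missing pref as its default, so dropping the lines is
    equivalent to a reset. Run only while Firefox is closed, since Firefox
    rewrites prefs.js on exit and would undo the change.
    """
    return PROXY_PREF_RE.sub("", text)


if __name__ == "__main__":
    found = audit_proxy_prefs(parse_proxy_prefs(SAMPLE_PREFS_JS))
    for f in found:
        print(f"{f['status']:8} {f['pref']} = {f['host']}:{f['port']}")
    print("after reset:", parse_proxy_prefs(strip_proxy_prefs(SAMPLE_PREFS_JS)))
```

To use it on a real profile, read the prefs.js path shown under "FF - ProfilePath" in the DDS log into `parse_proxy_prefs`, and write the output of `strip_proxy_prefs` back only after backing the file up.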


#7 jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 09 March 2012 - 07:14 PM

Hi VocaloidLover,

It's been a couple days since my last post. Do you still need help?

Regards,
Jason

 



#8 VocaloidLover (Topic Starter)

  • Members
  • 20 posts

Posted 10 March 2012 - 04:05 AM

Oh, yeah. Haven't been able to access it in a while.

#9 VocaloidLover (Topic Starter)

  • Members
  • 20 posts

Posted 10 March 2012 - 04:16 AM

MiniToolBox by Farbar Version: 18-01-2012
Ran by Hanson (administrator) on 10-03-2012 at 01:12:42
Microsoft Windows 7 Ultimate Service Pack 1 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================

"network.proxy.backup.ftp", ""
"network.proxy.backup.ftp_port", 0
"network.proxy.backup.socks", ""
"network.proxy.backup.socks_port", 0
"network.proxy.backup.ssl", ""
"network.proxy.backup.ssl_port", 0
"network.proxy.ftp", "199.195.109.21"
"network.proxy.ftp_port", 9090
"network.proxy.http", "0.0.0.0"
"network.proxy.http_port", 8080
"network.proxy.no_proxies_on", ""
"network.proxy.share_proxy_settings", true
"network.proxy.socks", "199.195.109.21"
"network.proxy.socks_port", 9090
"network.proxy.ssl", "199.195.109.21"
"network.proxy.ssl_port", 9090
"network.proxy.type", 0

"Reset FF Proxy Settings": Firefox Proxy settings were reset.

Hosts file not detected in the default directory
========================= IP Configuration: ================================

Compact Wireless-G USB Network Adapter = Wireless Network Connection (Connected)
Intel® 82562V-2 10/100 Network Connection = Local Area Connection (Media disconnected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled
add route prefix=0.0.0.0/0 interface="Wireless Network Connection" nexthop=192.168.0.1 publish=Yes
add address name="Wireless Network Connection" address=192.168.0.8 mask=255.255.255.0


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Mixed
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Compact Wireless-G USB Network Adapter
Physical Address. . . . . . . . . : 00-25-9C-A1-0C-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::ac32:871d:db51:4484%13(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.0.8(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DHCPv6 IAID . . . . . . . . . . . : 318776732
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-D0-91-55-00-1D-09-8B-8A-04
DNS Servers . . . . . . . . . . . : 209.18.47.61
209.18.47.62
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel® 82562V-2 10/100 Network Connection
Physical Address. . . . . . . . . : 00-1D-09-8B-8A-04
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{1CEA9B59-C845-4151-BA9A-FE59FDA73B25}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{D54992C5-E6DC-4D5E-BB59-11C400F981C5}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: dns-cac-lb-01.rr.com
Address: 209.18.47.61

Name: google.com
Addresses: 74.125.239.3
74.125.239.4
74.125.239.5
74.125.239.6
74.125.239.7
74.125.239.8
74.125.239.9
74.125.239.14
74.125.239.0
74.125.239.1
74.125.239.2


Pinging google.com [74.125.239.3] with 32 bytes of data:
Reply from 74.125.239.3: bytes=32 time=15ms TTL=55
Reply from 74.125.239.3: bytes=32 time=16ms TTL=55

Ping statistics for 74.125.239.3:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 15ms, Maximum = 16ms, Average = 15ms
Server: dns-cac-lb-01.rr.com
Address: 209.18.47.61

Name: yahoo.com
Addresses: 98.139.127.62
98.139.183.24
209.191.122.70


Pinging yahoo.com [98.139.127.62] with 32 bytes of data:
Reply from 98.139.127.62: bytes=32 time=604ms TTL=53
Reply from 98.139.127.62: bytes=32 time=737ms TTL=53

Ping statistics for 98.139.127.62:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 604ms, Maximum = 737ms, Average = 670ms
Server: dns-cac-lb-01.rr.com
Address: 209.18.47.61

Name: bleepingcomputer.com
Address: 208.43.87.2


Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:
Reply from 208.43.87.2: Destination host unreachable.
Reply from 208.43.87.2: Destination host unreachable.

Ping statistics for 208.43.87.2:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
13...00 25 9c a1 0c 01 ......Compact Wireless-G USB Network Adapter
10...00 1d 09 8b 8a 04 ......Intel® 82562V-2 10/100 Network Connection
1...........................Software Loopback Interface 1
15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
11...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.8 281
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.0.0 255.255.255.0 On-link 192.168.0.8 281
192.168.0.8 255.255.255.255 On-link 192.168.0.8 281
192.168.0.255 255.255.255.255 On-link 192.168.0.8 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.0.8 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.0.8 281
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 192.168.0.1 Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
13 281 fe80::/64 On-link
13 281 fe80::ac32:871d:db51:4484/128
On-link
1 306 ff00::/8 On-link
13 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

**** End of log ****

PS: will send the CF log in the morning.

#10 jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 10 March 2012 - 08:10 AM

:thumbup2:
Regards,
Jason

 



#11 VocaloidLover (Topic Starter)

  • Members
  • 20 posts

Posted 10 March 2012 - 12:49 PM

ComboFix 12-03-10.01 - Hanson 03/10/2012 9:21.2.4 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2046.1238 [GMT -8:00]
Running from: c:\users\Hanson\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Hanson\Documents\~WRL0078.tmp
c:\windows\$NtUninstallKB65262$
.
.
((((((((((((((((((((((((( Files Created from 2012-02-10 to 2012-03-10 )))))))))))))))))))))))))))))))
.
.
2012-03-10 17:37 . 2012-03-10 17:40 -------- dc----w- c:\users\Hanson\AppData\Local\temp
2012-03-10 17:37 . 2012-03-10 17:37 -------- dc----w- c:\users\UpdatusUser\AppData\Local\temp
2012-03-10 17:37 . 2012-03-10 17:37 -------- dc----w- c:\users\qwertyuiop\AppData\Local\temp
2012-03-10 17:37 . 2012-03-10 17:37 -------- dc----w- c:\users\Public\AppData\Local\temp
2012-03-10 17:37 . 2012-03-10 17:37 -------- dc----w- c:\users\gary\AppData\Local\temp
2012-03-10 17:37 . 2012-03-10 17:37 -------- dc----w- c:\users\Default\AppData\Local\temp
2012-03-10 17:37 . 2012-03-10 17:37 -------- d-----w- c:\users\vinson\AppData\Local\temp
2012-03-10 00:17 . 2012-02-20 09:05 6552120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{9573E6AD-A403-4E10-A550-B8FE316F8913}\mpengine.dll
2012-03-07 01:36 . 2012-03-07 01:59 97961 -c--a-w- c:\windows\system32\drivers\klick.dat
2012-03-07 01:36 . 2012-03-07 01:59 115369 -c--a-w- c:\windows\system32\drivers\klin.dat
2012-03-07 01:34 . 2012-03-10 17:39 -------- dc----w- c:\programdata\Kaspersky Lab
2012-03-06 07:13 . 2012-03-06 07:13 -------- dc----w- C:\kleaner.tmp
2012-03-04 21:53 . 2012-03-04 22:17 -------- dc----w- c:\users\Hanson\DoctorWeb
2012-03-04 19:10 . 2012-03-04 19:10 -------- dc----w- c:\users\Hanson\AppData\Local\Microsoft_Corporation
2012-02-24 08:32 . 2012-02-24 08:32 11776 ----a-w- c:\program files\Mozilla Firefox\plugins\nprjplug.dll
2012-02-24 08:31 . 2012-02-24 08:31 -------- d---a-w- c:\program files\Common Files\xing shared
2012-02-24 08:31 . 2012-02-24 08:31 150696 ----a-w- c:\program files\Mozilla Firefox\plugins\nppl3260.dll
2012-02-24 08:31 . 2012-02-24 08:31 108544 ----a-w- c:\program files\Mozilla Firefox\plugins\nprpjplug.dll
2012-02-24 08:30 . 2012-02-24 08:30 499712 -c--a-w- c:\windows\system32\msvcp71.dll
2012-02-24 08:30 . 2012-02-24 08:30 348160 -c--a-w- c:\windows\system32\msvcr71.dll
2012-02-24 08:30 . 2012-02-24 08:32 -------- d---a-w- c:\program files\Real
2012-02-24 08:04 . 2012-02-24 08:04 -------- d---a-w- c:\program files\Audacity
2012-02-21 08:50 . 2012-03-10 03:01 -------- dc----r- c:\users\Hanson\Dropbox
2012-02-21 08:47 . 2012-03-10 03:01 -------- dc----w- c:\users\Hanson\AppData\Roaming\Dropbox
2012-02-15 05:01 . 2012-02-15 11:00 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-02-14 09:39 . 2012-02-17 06:08 -------- dc----w- c:\users\Hanson\AppData\Local\AsyncEventclass
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-02 01:43 . 2011-08-07 20:03 414368 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-01 08:27 . 2012-01-02 11:29 2018272 -c--a-w- c:\programdata\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
2012-02-23 17:18 . 2011-08-07 18:55 237072 -c----w- c:\windows\system32\MpSigStub.exe
2012-01-26 11:01 . 2012-01-25 17:50 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-26 11:01 . 2012-01-25 17:50 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-01-26 11:01 . 2012-01-25 17:50 314880 ----a-w- c:\windows\system32\webio.dll
2012-01-26 11:01 . 2012-01-25 17:50 22528 ----a-w- c:\windows\system32\lsass.exe
2012-01-26 11:01 . 2012-01-25 17:50 224768 ----a-w- c:\windows\system32\schannel.dll
2012-01-26 11:01 . 2012-01-25 17:50 22016 ----a-w- c:\windows\system32\secur32.dll
2012-01-26 11:01 . 2012-01-25 17:50 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-01-26 11:01 . 2012-01-25 17:50 1038848 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-26 11:01 . 2012-01-25 17:50 100352 ----a-w- c:\windows\system32\sspicli.dll
2012-01-26 11:01 . 2012-01-25 17:50 15872 ----a-w- c:\windows\system32\sspisrv.dll
2012-01-06 05:23 . 2012-01-06 05:23 53248 -c--a-r- c:\users\Hanson\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2011-12-29 19:58 . 2011-12-29 19:58 717296 -c--a-w- c:\windows\system32\drivers\sptd.sys
2011-12-26 23:00 . 2009-08-18 19:30 564632 -c--a-w- c:\programdata\Microsoft\IdentityCRL\production\wlidui.dll
2011-12-26 23:00 . 2009-08-18 19:24 18328 -c--a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-02-20 19:06 . 2011-08-07 18:40 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 -c--a-w- c:\users\Hanson\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 -c--a-w- c:\users\Hanson\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 -c--a-w- c:\users\Hanson\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2011-08-07 3077528]
"Logitech Vid"="c:\program files\Logitech\Vid HD\Vid.exe" [2011-06-02 6123032]
"Steam"="c:\program files\Steam\steam.exe" [2011-12-12 1242448]
"Facebook Update"="c:\users\Hanson\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-01-04 137536]
"googletalk"="c:\users\Hanson\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"HPUsageTracking"="c:\program files\Hewlett-Packard\HP UT\bin\hppusg.exe" [2007-11-02 36864]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-04-25 954368]
"PrnStatusMX"="c:\program files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe" [2007-08-29 1077248]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-13 642856]
"Linksys Wireless Manager"="c:\program files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" [2009-02-16 1358384]
"BSDAppUpdater"="c:\program files\Common Files\BSD\AppUpdater\BSDChecker.exe" [2011-11-16 1660232]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]
"FUFAXSTM"="c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe" [2009-06-05 843776]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"TkBellExe"="c:\program files\Real\RealPlayer\Update\realsched.exe" [2012-02-24 296056]
"AVP"="c:\users\Hanson\Desktop\kslab\avp.exe" [2011-04-25 202296]
.
c:\users\Hanson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Hanson\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-2-14 24246216]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2011-12-29 717296]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-08-07 136176]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-08-07 136176]
R3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [2009-03-03 710144]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-07 11520]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-07-23 47128]
R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [2009-03-30 239336]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 366936]
S1 kl2;kl2;c:\windows\system32\DRIVERS\kl2.sys [2011-03-04 11352]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2011-03-11 23856]
S2 DirMngr;DirMngr;c:\program files\GNU\GnuPG\dirmngr.exe [2011-03-02 224256]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-05-21 2214504]
S2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2011-08-19 450848]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-11-03 19984]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 17920]
S3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [2009-07-14 20480]
S3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\DRIVERS\WUSB54GCv3.sys [2008-12-04 645120]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-10 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1799373236-3486777739-2621798443-1000Core.job
- c:\users\Hanson\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-01-04 07:11]
.
2012-03-10 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1799373236-3486777739-2621798443-1000UA.job
- c:\users\Hanson\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-01-04 07:11]
.
2012-03-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-07 20:02]
.
2012-03-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-07 20:02]
.
2012-03-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1799373236-3486777739-2621798443-1000Core.job
- c:\users\Hanson\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-25 01:41]
.
2012-03-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1799373236-3486777739-2621798443-1000UA.job
- c:\users\Hanson\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-25 01:41]
.
2012-03-10 c:\windows\Tasks\HP WEP.job
- c:\program files\HP\Dfawep\bin\hpbdfawep.exe [2007-04-25 21:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/home.php?ref=hp
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{1CEA9B59-C845-4151-BA9A-FE59FDA73B25}: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\users\Hanson\AppData\Roaming\Mozilla\Firefox\Profiles\pxz0mcx3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/home.php?ref=hp
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z131&form=ZGAADF&install_date=20111007&q=
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-Malwarebytes' Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
SafeBoot-11884822.sys
SafeBoot-57601178.sys
SafeBoot-88152287.sys
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE]
"ImagePath"="."
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MpsSvc]
"ImagePath"="."
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(864)
c:\users\Hanson\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\NVIDIA Corporation\Display\nvxdsync.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\windows\system32\taskhost.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2012-03-10 09:45:44 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-10 17:45
.
Pre-Run: 74,593,832,960 bytes free
Post-Run: 75,542,044,672 bytes free
.
- - End Of File - - 44EA01953632BF2D3E93AFABF5676CDE

#12 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:03:54 PM

Posted 10 March 2012 - 12:56 PM

Looking good. :thumbup2:

How's your computer running now? Please be as descriptive as possible.
Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.


#13 VocaloidLover

VocaloidLover
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:12:54 PM

Posted 10 March 2012 - 05:02 PM

Still getting redirected; does that mean there's still a virus/trojan on the computer?
Also, just got Kaspersky AV and KIS on trial. Any good?

EDIT: just remembered, Control Panel still crashes.

Edited by VocaloidLover, 10 March 2012 - 05:51 PM.


#14 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:03:54 PM

Posted 10 March 2012 - 05:21 PM

VocaloidLover,

Well there's still something that's redirecting, that's for sure. Whether this is due to virus/trojan files, or you're just experiencing the remnants of an infection, I'm not sure.

Your previous logs showed you had Kaspersky Internet Security 2012 already installed. Having more than one antivirus program installed is strongly not recommended, as they tend to conflict with each other. Security Suites usually include an antivirus program. Kaspersky is a good antivirus program, however there are free antivirus programs (namely Microsoft Security Essentials, Avira or Avast).

I will get back to you shortly on further malware removal instructions.
Regards,
Jason

 



#15 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:03:54 PM

Posted 10 March 2012 - 07:30 PM

VocaloidLover,

Please download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
Regards,
Jason

 





