Google Re-direct affecting Internet Explorer on Windows XP Pro 32bit


4 replies to this topic

#1 rkashyap74


  • Members
  • 49 posts

Posted 18 June 2012 - 07:59 PM

Hi, I really think I need to download ComboFix as I've tried
everything else I can think of.

I updated Malwarebytes and ran it, same with SpyBot SD, and ran that, which
found one hijack attempt and fixed it. I ran Avast as a boot-time scan
and it found one infection, but even after that IE will redirect
when I try to search for things like "rundll32": the links
take me to pages that seem to be trying to get me to link
through so they get clicks.

I ran AVG Anti-Rootkit as well and that is my usual anti-virus.

I downloaded SpyHunter and it didn't seem to find it. I've also run MRT
from the Start Menu, Run. Then I downloaded the latest TDSSKiller from Kaspersky
and ran that. It found nothing.

I upgraded from IE7 to IE8 and it still is happening. I tried
to clear my "hosts" file but I couldn't save it even though I am
the administrator.

It is not happening to Google Chrome, ironically.

I can't start in Safe Mode, the cursor freezes up.

So any thoughts would be appreciated.


Thank you,

Rahul Kashyap


#2 narenxp


  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 19 June 2012 - 12:34 AM

Download

TDSSkiller

Launch it. Click on "Change parameters" and select "TDLFS file system".

Click on "Scan". Please post the LOG report (the log file should be in your C drive).


Please download GMER from here (does not work on 64-bit OS):

http://www2.gmer.net/download.php

Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.

GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (do not use the computer while the scan is in progress)

If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.


Download

aswMBR

Launch it and allow it to download the latest Avast! virus definitions.
Click the "Scan" button to start the scan. After the scan finishes, click on "Save log".

Post the log results here

#3 rkashyap74

  • Topic Starter

  • Members
  • 49 posts

Posted 20 June 2012 - 04:49 PM

Sorry, my Outlook started locking up and I didn't know if
it was related to the other issues. Long story short I downloaded
and ran Combofix while I was waiting for a helper.

It found Rootkit.ZeroAccess.

Here's the log:

ComboFix 12-06-20.02 - Administrator 06/20/2012 15:21:34.1.2 - x86
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\19cfc9e0
c:\documents and settings\Administrator\Application Data\eeb7be1a
c:\documents and settings\Administrator\Application Data\f912361f
c:\documents and settings\Administrator\g2mdlhlpx.exe
c:\documents and settings\Administrator\ifuttbsqrh.tmp
c:\documents and settings\Administrator\Local Settings\Application Data\AOL\Adobe\ruscoraw.dll
c:\documents and settings\All Users\Application Data\TEMP
c:\windows\$NtUninstallKB3255$
c:\windows\$NtUninstallKB3255$\2208133482
c:\windows\$NtUninstallKB3255$\485945278\@
c:\windows\$NtUninstallKB3255$\485945278\cfg.ini
c:\windows\$NtUninstallKB3255$\485945278\Desktop.ini
c:\windows\$NtUninstallKB3255$\485945278\L\nqrupmok
c:\windows\$NtUninstallKB3255$\485945278\U\00000001.@
c:\windows\$NtUninstallKB3255$\485945278\U\00000002.@
c:\windows\$NtUninstallKB3255$\485945278\U\80000000.$
c:\windows\$NtUninstallKB3255$\485945278\U\80000032.$
c:\windows\$NtUninstallKB62280$
c:\windows\$NtUninstallKB62280$\3100865560
c:\windows\$NtUninstallKB62280$\485945278\@
c:\windows\$NtUninstallKB62280$\485945278\cfg.ini
c:\windows\$NtUninstallKB62280$\485945278\Desktop.ini
c:\windows\$NtUninstallKB62280$\485945278\L\nqrupmok
c:\windows\$NtUninstallKB62280$\485945278\U\00000001.$
c:\windows\$NtUninstallKB62280$\485945278\U\00000002.$
c:\windows\$NtUninstallKB62280$\485945278\U\00000004.$
c:\windows\$NtUninstallKB62280$\485945278\U\80000000.$
c:\windows\$NtUninstallKB62280$\485945278\U\80000004.$
c:\windows\$NtUninstallKB62280$\485945278\U\80000032.$
.
.
((((((((((((((((((((((((( Files Created from 2012-05-20 to 2012-06-20 )))))))))))))))))))))))))))))))
.
.
2012-06-18 20:21 . 2012-02-28 17:43 909728 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2012-06-18 20:21 . 2012-02-28 17:43 342168 ----a-w- c:\windows\system32\drivers\pctDS.sys
2012-06-18 20:21 . 2012-04-23 18:36 383368 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2012-06-18 20:21 . 2012-04-23 18:36 162584 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2012-06-18 20:21 . 2012-06-18 20:21 -------- d-----w- c:\program files\Common Files\PC Tools
2012-06-18 20:21 . 2012-05-11 17:14 203088 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2012-06-18 20:21 . 2012-06-18 20:21 -------- d-----w- c:\program files\PC Tools
2012-06-18 20:20 . 2012-06-18 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2012-06-18 20:20 . 2012-06-18 20:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\TestApp
2012-06-18 19:12 . 2012-06-19 00:32 -------- d-----w- C:\sh4ldr
2012-06-18 19:12 . 2012-06-18 19:12 -------- d-----w- c:\program files\Enigma Software Group
2012-06-18 19:12 . 2012-06-19 00:32 -------- d-----w- c:\windows\9E897D0FF80441A3966C7BB6EB5B6BE8.TMP
2012-06-18 19:12 . 2012-06-18 19:12 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2012-06-18 14:38 . 2012-06-18 14:40 -------- dc-h--w- c:\windows\ie8
2012-06-15 19:43 . 2012-03-06 22:58 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-06-15 19:43 . 2012-03-06 23:15 41184 ----a-w- c:\windows\avastSS.scr
2012-06-15 19:43 . 2012-03-06 23:15 201352 ----a-w- c:\windows\system32\aswBoot.exe
2012-06-15 19:09 . 2012-06-15 19:09 32072 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-06-13 17:59 . 2012-05-11 14:42 521728 ------w- c:\windows\system32\dllcache\jsdbgui.dll
2012-06-05 00:18 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-06-05 00:18 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\dllcache\iacenc.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-12 17:12 . 2012-04-10 15:38 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-12 17:12 . 2011-05-19 01:47 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-02 21:19 . 2008-10-16 20:09 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 21:19 . 2008-10-16 20:07 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 21:19 . 2004-08-04 08:00 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 21:19 . 2004-08-04 08:00 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 21:19 . 2004-08-04 08:00 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 21:19 . 2008-10-16 20:09 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 21:19 . 2008-10-16 20:07 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 21:19 . 2004-08-04 08:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 21:19 . 2004-08-04 08:00 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 21:19 . 2004-08-04 08:00 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 21:19 . 2008-10-16 20:07 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 21:19 . 2004-08-04 08:00 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 21:19 . 2004-08-04 08:00 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 21:18 . 2009-10-20 23:29 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 21:18 . 2009-10-20 23:29 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-06-02 21:18 . 2008-10-16 20:07 214256 ----a-w- c:\windows\system32\muweb.dll
2012-05-31 13:22 . 2004-08-04 08:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2004-08-04 08:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20 . 2004-08-04 08:00 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 14:42 . 2004-08-04 08:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2004-08-04 08:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2004-08-04 08:00 385024 ----a-w- c:\windows\system32\html.iec
2012-05-04 13:16 . 2004-08-04 08:00 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2004-08-04 08:00 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2004-08-04 08:00 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-19 10:50 . 2012-04-19 10:50 24896 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2012-04-04 21:56 . 2009-09-29 18:10 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-16 14:40 . 2012-03-01 17:34 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2011-03-04 02:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2011-03-04 02:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2011-03-04 02:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-30 39408]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-06-15 15141768]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Xvid"="c:\program files\Xvid\CheckUpdate.exe" [2011-01-17 8192]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-25 13537280]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-25 86016]
"nwiz"="nwiz.exe" [2008-06-25 1630208]
"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
"AccelerometerSysTrayApplet"="c:\windows\system32\AccelerometerSt.Exe" [2008-06-18 82224]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-06-20 178712]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2008-10-07 349488]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2008-06-18 24848]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-27 1040384]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-06-03 177456]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2008-06-03 65536]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-10-17 1044480]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-09-30 122880]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2011-03-04 948880]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-10 421736]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 434080]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-5-12 576104]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-5-28 53248]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\APSHook.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4100:UDP"= 4100:UDP:uPNP Router Control Port
"86:TCP"= 86:TCP:BroadCam Video Streaming Server Web Server
"1935:TCP"= 1935:TCP:BroadCam Video Streaming Server Flash Video Server
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [4/19/2012 4:50 AM 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/13/2011 7:30 AM 31952]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [6/18/2012 2:21 PM 383368]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [6/18/2012 2:21 PM 342168]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [6/18/2012 2:21 PM 909728]
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [10/1/2008 3:01 PM 109216]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [10/1/2008 3:02 PM 51408]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [10/1/2008 3:02 PM 12960]
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [3/28/2008 4:14 AM 24064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [10/7/2011 7:23 AM 235216]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 2:14 AM 301248]
R1 PCTSD;PC Tools Spyware Doctor Driver;c:\windows\system32\drivers\PCTSD.sys [6/18/2012 2:21 PM 203088]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [10/1/2008 3:02 PM 12528]
R2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [10/3/2008 1:33 PM 1185016]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\avgidsagent.exe [4/30/2012 9:44 AM 5106744]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [2/14/2012 4:53 AM 193288]
R2 HP ProtectTools Service;HP ProtectTools Service;c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe [10/7/2008 2:17 PM 45056]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\Hewlett-Packard\Shared\HPDrvMntSvc.exe [3/17/2011 4:45 PM 92216]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [10/1/2008 3:01 PM 256544]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [6/12/2008 3:40 PM 479488]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [12/23/2011 1:32 PM 139856]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [12/23/2011 1:32 PM 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [12/23/2011 1:32 PM 17232]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [7/23/2009 7:36 PM 193840]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [3/27/2008 5:42 AM 239760]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [4/4/2007 1:16 PM 41216]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [7/23/2009 6:09 PM 47616]
S2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 2:00 AM 14336]
S2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 2:00 AM 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/6/2010 7:50 PM 135664]
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/6/2010 7:50 PM 135664]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [6/13/2011 11:09 PM 267568]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [6/15/2012 1:09 PM 32072]
S3 PCTSFileEnum;PCTSFileEnum;c:\program files\PC Tools\DMScanning\PCTSFiles.exe [6/18/2012 2:21 PM 89016]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57]
.
2012-06-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 01:50]
.
2012-06-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 01:50]
.
2012-06-13 c:\windows\Tasks\videopadDowngrade.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2010-08-08 23:24]
.
2012-06-13 c:\windows\Tasks\videopadShakeIcon.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2010-08-08 23:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.money-questions.com/
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=all&pf=cmnb
uInternet Settings,ProxyServer = web-proxy.fc.hp.com:8088
uInternet Settings,ProxyOverride = *.local;<local>
Trusted Zone: dol.gov\www.efast
Trusted Zone: google.com\accounts
Trusted Zone: lpl.com
Trusted Zone: lpl.com\branchweb
Trusted Zone: microsoft.com\*.update
Trusted Zone: reged.com\secure
Trusted Zone: select2perform.com\www
Trusted Zone: windowsupdate.com\download
Trusted Zone: wordpress.com\www
TCP: DhcpNameServer = 10.0.1.1
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\16uw30sl.default\
FF - prefs.js: browser.startup.homepage - about:blank
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKCU-Run-Adobe - c:\documents and settings\Administrator\Local Settings\Application Data\AOL\Adobe\ruscoraw.dll
HKU-Default-Run-Adobe - c:\documents and settings\Administrator\Local Settings\Application Data\AOL\Adobe\ruscoraw.dll
Notify-OneCard - c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
AddRemove-Agere Systems Soft Modem - c:\windows\agrsmdel
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-20 15:33
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe???????????????????????|?M?|?????M?|??@
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2022829542-1945835941-4244603019-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,cb,be,69,4b,d1,a5,d7,48,90,93,ca,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,cb,be,69,4b,d1,a5,d7,48,90,93,ca,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ed,18,cb,60,26,cb,0a,4d,91,49,06,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(4368)
c:\windows\system32\WININET.dll
c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
c:\windows\system32\btmmhook.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Google\Quick Search Box\bin\1.2.1151.245\qsb.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\System32\SCardSvr.exe
c:\windows\system32\msdtc.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Carbonite\Carbonite Backup\carboniteservice.exe
c:\program files\AVG\AVG2012\avgnsx.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG2012\avgrsx.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\mqsvc.exe
c:\windows\system32\mqtgsvc.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
.
**************************************************************************
.
Completion time: 2012-06-20 15:40:55 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-20 21:40
.
Pre-Run: 73,192,157,184 bytes free
Post-Run: 73,258,508,288 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - E0435EBC7E5DD6E22AAD3609995667DD
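The parts of this log that point at ZeroAccess are the two fake hotfix-uninstall folders, c:\windows\$NtUninstallKB3255$ and c:\windows\$NtUninstallKB62280$, each holding an "@" file, cfg.ini and "L" and "U" subfolders with payloads named like 00000001.@ or 80000000.$, together with the orphaned HKCU and HKU Run values ("Adobe") that loaded ruscoraw.dll from the user's Local Settings\Application Data\AOL\Adobe folder. The script below is an added example for this thread, not code from BleepingComputer, ComboFix or the poster: it reads a ComboFix-style log and flags those two patterns. The heuristics are my own assumptions about the layout the log shows (a genuine $NtUninstallKBnnnnnn$ backup keeps a spuninst\ folder and no "@" file; the KB2656353 line in the sample is constructed to show that contrast), and a clean result from it is not a clean machine.

```python
"""Triage a ComboFix log for the ZeroAccess artefacts visible in the post above.

Added example for this thread; not code from BleepingComputer, ComboFix or the
poster. Two heuristics, both assumptions drawn from the posted log:
  (1) a fake hotfix-uninstall store under %windir% holding an "@" file plus
      "L"/"U" payload subfolders;
  (2) a Run value that loads a DLL from inside a user profile.
"""
import re

# Excerpt of the "Other Deletions" and "ORPHANS REMOVED" sections posted above,
# plus one constructed benign line: a genuine hotfix backup keeps a spuninst\ folder.
SAMPLE_LOG = r"""
c:\documents and settings\Administrator\Application Data\19cfc9e0
c:\windows\$NtUninstallKB3255$
c:\windows\$NtUninstallKB3255$\485945278\@
c:\windows\$NtUninstallKB3255$\485945278\cfg.ini
c:\windows\$NtUninstallKB3255$\485945278\L\nqrupmok
c:\windows\$NtUninstallKB3255$\485945278\U\00000001.@
c:\windows\$NtUninstallKB3255$\485945278\U\80000032.$
c:\windows\$NtUninstallKB62280$\485945278\@
c:\windows\$NtUninstallKB62280$\485945278\U\00000004.$
c:\windows\$NtUninstallKB2656353$\spuninst\spuninst.exe
HKCU-Run-Adobe - c:\documents and settings\Administrator\Local Settings\Application Data\AOL\Adobe\ruscoraw.dll
HKU-Default-Run-Adobe - c:\documents and settings\Administrator\Local Settings\Application Data\AOL\Adobe\ruscoraw.dll
"""

# c:\windows\$NtUninstallKB<digits>$ optionally followed by a relative path.
KB_DIR = re.compile(
    r"^(?P<root>[a-z]:\\windows\\\$ntuninstallkb\d+\$)(?:\\(?P<rest>.+))?$",
    re.IGNORECASE,
)
STORE_FILES = {"@", "cfg.ini"}      # leaf names seen in the posted log
STORE_SUBDIRS = {"l", "u"}          # payload folders seen in the posted log
PAYLOAD_NAME = re.compile(r"^[0-9a-f]{8}\.[@$]$", re.IGNORECASE)  # e.g. 00000001.@

# ComboFix "ORPHANS REMOVED" line for a Run value whose target is a DLL.
RUN_DLL = re.compile(
    r"^(?P<key>HK(?:CU|U-Default)-Run-\S+) - (?P<path>.+\.dll)$", re.IGNORECASE
)
USER_PROFILE = re.compile(r"\\documents and settings\\[^\\]+\\", re.IGNORECASE)


def kb_dir_markers(log_text):
    """Map each $NtUninstallKB...$ root to the store markers found under it."""
    found = {}
    for line in log_text.splitlines():
        m = KB_DIR.match(line.strip())
        if not m:
            continue
        markers = found.setdefault(m.group("root").lower(), set())
        rest = m.group("rest")
        if not rest:
            continue
        parts = rest.split("\\")
        leaf = parts[-1].lower()
        markers.update(f"subdir:{p.lower()}" for p in parts[:-1] if p.lower() in STORE_SUBDIRS)
        if leaf in STORE_FILES:
            markers.add(leaf)
        if PAYLOAD_NAME.match(leaf):
            markers.add("payload")
    return found


def zeroaccess_dirs(log_text):
    """Roots that carry the '@' file and at least one L or U payload folder."""
    return sorted(
        root for root, mk in kb_dir_markers(log_text).items()
        if "@" in mk and mk & {"subdir:l", "subdir:u"}
    )


def suspicious_run_entries(log_text):
    """(key, path) pairs for Run values that load a DLL from inside a user profile."""
    hits = []
    for line in log_text.splitlines():
        m = RUN_DLL.match(line.strip())
        if m and USER_PROFILE.search(m.group("path")):
            hits.append((m.group("key"), m.group("path")))
    return hits


if __name__ == "__main__":
    for root in zeroaccess_dirs(SAMPLE_LOG):
        print("ZeroAccess-style store:", root)
    for key, path in suspicious_run_entries(SAMPLE_LOG):
        print("Run value loading a DLL from the user profile:", key, "->", path)
```

On the log above this flags both fake KB folders and both "Adobe" Run values, and leaves the constructed KB2656353 backup alone. ComboFix had already quarantined these when the log was written; the point of a pass like this is to confirm what the tool acted on and to know which registry and disk locations to re-check after a reboot.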

#4 rkashyap74

  • Topic Starter

  • Members
  • 49 posts

Posted 20 June 2012 - 04:52 PM

Also, I had already run TDSSKiller and it did not find the Rootkit.

#5 narenxp


  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 20 June 2012 - 05:15 PM

We cannot analyze ComboFix logs in this forum. You should not have run ComboFix without expert guidance.

Read the guide here on preparing logs

http://www.bleepingcomputer.com/forums/topic34773.html

and create a topic here

http://www.bleepingcomputer.com/forums/forum22.html

Good luck



