
Google redirect was Click.get-answers-fast.com


21 replies to this topic

#1 LBQ (Members, 14 posts, USA)

Posted 20 June 2012 - 12:09 PM

Hello, this is a continuation of http://www.bleepingcomputer.com/forums/topic457553.html/page__pid__2736163#entry2736163
Narenxp was helping and asked me to move here.
Selecting any search result from a Google search (didn't try others) resolves to a redirected garbage site; it starts with Click.get-answers-fast.com and then quickly goes on to another junk site.
Ran TDSS, MBAM (full, clean), aswMBR, and ESET (which produced a few quarantined files; PLEASE see the end post in the above link), and MiniToolBox. Had to shut down the machine, so I'm not sure what happened to those files.
During ESET, a Windows popup came up asking to fix files and install the Windows XP SP3 CD -- I did not, and let it finish.

I have now run Defogger
I have run DDS
I have run GMER in accordance with forum instructions/use.

***** DDS *****

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.5.1
Run by scubadiver at 10:03:21 on 2012-06-20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2663 [GMT -6:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - c:\program files\avg\avg2012\avgdtiex.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [PPMemCheck] c:\progra~1\stomps~1\spywar~1\PPMemCheck.exe
mRun: [Spyware X-terminator Control Center] c:\progra~1\stomps~1\spywar~1\PPControl.exe
mRun: [CookiePatrol] c:\progra~1\stomps~1\spywar~1\CookiePatrol.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: 将此图片添加为RealOA Messenger表情 - c:\program files\teesupport\addFace.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\avg\avg2012\avgdtiex.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{9A43582F-2BE4-4D1C-9708-EAE5A597B03A} : DhcpNameServer = 192.168.0.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\scubadiver\application data\mozilla\firefox\profiles\sq2w75sl.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_257.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-7-11 31952]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-7-11 235216]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 41040]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 301248]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\avgidsagent.exe [2012-4-30 5106744]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 193288]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 139856]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [2011-12-23 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 17232]
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [2011-5-12 30392]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-5-14 257224]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2011-5-12 1691480]
S3 cpuz134;cpuz134;\??\c:\docume~1\scubad~1\locals~1\temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\scubad~1\locals~1\temp\cpuz134\cpuz134_x32.sys [?]
S3 esgiguard;esgiguard;\??\c:\program files\enigma software group\spyhunter\esgiguard.sys --> c:\program files\enigma software group\spyhunter\esgiguard.sys [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-14 129976]
.
=============== Created Last 30 ================
.
2012-06-20 04:27:21 982 ----a-w- c:\documents and settings\all users\application data\gpbsaaa.tmp
2012-06-20 02:11:07 -------- d-----w- c:\program files\ESET
2012-06-19 18:53:44 -------- d-----w- c:\program files\TeeSupport
2012-06-19 18:25:12 -------- d-----w- c:\program files\StompSoft
2012-06-19 18:23:51 -------- d-----w- C:\MyStuff
2012-06-18 23:29:23 -------- d-----w- c:\windows\system32\appmgmt
2012-06-18 23:14:27 -------- d-----w- C:\sh4ldr
2012-06-18 23:14:27 -------- d-----w- c:\program files\Enigma Software Group
2012-06-18 23:14:05 -------- d-----w- c:\windows\9E897D0FF80441A3966C7BB6EB5B6BE8.TMP
2012-06-18 23:13:59 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2012-06-18 22:24:39 -------- d-----w- c:\program files\Oracle
2012-06-18 22:24:30 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-06-18 16:29:59 971 ----a-w- c:\documents and settings\all users\application data\kdgsaaa.tmp
2012-06-18 15:47:20 -------- d-sh--w- c:\documents and settings\scubadiver\IECompatCache
2012-06-15 18:37:51 972 ----a-w- c:\documents and settings\all users\application data\ymsraaa.tmp
2012-06-12 19:25:28 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-06-05 16:03:11 -------- d--h--w- C:\$AVG
.
==================== Find3M ====================
.
2012-06-20 02:29:02 544768 ----a-w- c:\windows\system32\winlogon.exe
2012-06-20 02:28:58 39424 ----a-w- c:\windows\system32\svchost.exe
2012-06-20 02:25:27 1058304 ----a-w- c:\windows\explorer.exe
2012-06-14 17:02:46 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-14 17:02:45 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20:33 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 14:42:33 43520 ------w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42:33 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38:02 385024 ------w- c:\windows\system32\html.iec
2012-05-05 01:29:50 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-05-05 01:29:16 687504 ----a-w- c:\windows\system32\deployJava1.dll
2012-05-04 13:16:13 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32:19 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-19 10:50:26 24896 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2012-04-19 02:56:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2012-04-19 02:56:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
2012-04-04 21:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 10:04:04.01 ===============



***** GMER *****
********************
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-06-20 10:52:29
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e ST31000520AS rev.CC32
Running: juotdrts.exe; Driver: C:\DOCUME~1\SCUBAD~1\LOCALS~1\Temp\kwldqkoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeKey [0xB65DB004]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeMultipleKeys [0xB65DB0D4]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xB65DAD76]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xB65DAE1E]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xB65DAEBA]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xB65DAF56]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2FE0 80504898 2 Bytes [1E, AE] {PUSH DS; SCASB }
? C:\DOCUME~1\SCUBAD~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[2264] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 0121C930 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2264] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 0144E0AA C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2264] kernel32.dll!MapViewOfFile 7C80B9A5 5 Bytes JMP 0144E083 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2264] GDI32.dll!CreateDIBSection 77F19E19 5 Bytes JMP 0144E00D C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2876] USER32.dll!SetWindowLongA 7E42C29D 5 Bytes JMP 10665EE6 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2876] USER32.dll!SetWindowLongW 7E42C2BB 5 Bytes JMP 10665E78 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2876] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 10454822 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2876] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 10454DD6 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs avgidsfilterx.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----
***********************************************************************

Please advise for Next Steps.
many thanks


#2 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 21 June 2012 - 12:33 AM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


#3 LBQ (Topic Starter, Members, 14 posts, USA)

Posted 21 June 2012 - 11:00 AM

********** SECURITY CHECK LOG ************

Results of screen317's Security Check version 0.99.42
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Disabled!
AVG Anti-Virus Free Edition 2012
Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.61.0.1400
CCleaner
JavaFX 2.1.1
Java™ 6 Update 26
Java™ 7 Update 5
Adobe Flash Player 11.3.300.257
Adobe Reader X (10.1.3)
Mozilla Firefox 12.0 Firefox out of Date!
````````Process Check: objlist.exe by Laurent````````
AVG avgwdsvc.exe
AVG avgtray.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 3%
````````````````````End of Log``````````````````````

*********************************************************************
*********************************************************************

********** COMBOFIX LOG ************

ComboFix 12-06-21.01 - scubadiver 06/21/2012 9:07.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2800 [GMT -6:00]
Running from: c:\documents and settings\scubadiver\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\gpbsaaa.tmp
c:\documents and settings\All Users\Application Data\kdgsaaa.tmp
c:\documents and settings\All Users\Application Data\ymsraaa.tmp
c:\windows\expl.dat
c:\windows\system32\dllc.dat
c:\windows\system32\SET124.tmp
c:\windows\system32\SET126.tmp
c:\windows\system32\SET12A.tmp
c:\windows\system32\SET12B.tmp
c:\windows\system32\SET132.tmp
c:\windows\system32\SET134.tmp
c:\windows\system32\svch.dat
c:\windows\system32\winl.dat
.
c:\windows\system32\winlogon.exe . . . is infected!!
.
c:\windows\system32\svchost.exe . . . is infected!!
.
c:\windows\explorer.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2012-05-21 to 2012-06-21 )))))))))))))))))))))))))))))))
.
.
2012-06-20 02:11 . 2012-06-20 02:11 -------- d-----w- c:\program files\ESET
2012-06-19 23:49 . 2012-06-19 23:49 -------- d-----w- c:\documents and settings\Administrator
2012-06-19 18:53 . 2012-06-19 19:03 -------- d-----w- c:\program files\TeeSupport
2012-06-19 18:25 . 2012-06-19 22:16 -------- d-----w- c:\program files\StompSoft
2012-06-19 18:23 . 2012-06-19 18:24 -------- d-----w- C:\MyStuff
2012-06-18 23:14 . 2012-06-19 22:14 -------- d-----w- C:\sh4ldr
2012-06-18 23:14 . 2012-06-18 23:14 -------- d-----w- c:\program files\Enigma Software Group
2012-06-18 23:14 . 2012-06-19 22:14 -------- d-----w- c:\windows\9E897D0FF80441A3966C7BB6EB5B6BE8.TMP
2012-06-18 23:13 . 2012-06-18 23:13 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2012-06-18 22:27 . 2012-06-18 22:27 -------- d-----w- c:\program files\Common Files\Java
2012-06-18 22:24 . 2012-06-18 22:24 -------- d-----w- c:\program files\Oracle
2012-06-18 22:24 . 2012-06-18 22:24 -------- d-----w- c:\documents and settings\scubadiver\Application Data\Oracle
2012-06-18 22:24 . 2012-05-05 01:29 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-06-18 15:47 . 2012-06-18 15:47 -------- d-sh--w- c:\documents and settings\scubadiver\IECompatCache
2012-06-15 18:16 . 2012-06-15 18:16 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2012-06-15 18:15 . 2012-06-15 18:15 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2012-06-12 19:25 . 2012-05-11 14:42 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-06-05 16:03 . 2012-06-05 16:03 -------- d-----w- C:\$AVG
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-20 02:29 . 2008-04-14 11:42 544768 ----a-w- c:\windows\system32\winlogon.exe
2012-06-20 02:28 . 2008-04-14 11:42 39424 ----a-w- c:\windows\system32\svchost.exe
2012-06-20 02:25 . 2008-04-14 11:42 1058304 ----a-w- c:\windows\explorer.exe
2012-06-19 22:20 . 2012-06-19 22:20 13881 ----a-w- C:\TDSSKiller.2.7.40.0_19.06.2012_16.19.13_log.zip
2012-06-14 17:02 . 2012-05-14 17:16 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-14 17:02 . 2011-05-31 17:15 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-31 13:22 . 2008-04-14 11:41 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2008-04-14 11:42 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20 . 2008-04-14 07:00 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 14:42 . 2008-04-14 11:42 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 14:42 . 2008-04-14 11:41 43520 ------w- c:\windows\system32\licmgr10.dll
2012-05-11 11:38 . 2008-04-14 06:07 385024 ------w- c:\windows\system32\html.iec
2012-05-05 01:29 . 2011-05-12 17:27 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-05-05 01:29 . 2011-05-12 17:27 687504 ----a-w- c:\windows\system32\deployJava1.dll
2012-05-04 13:16 . 2008-04-14 06:54 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2008-04-14 00:01 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2011-05-11 19:33 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-19 10:50 . 2012-04-19 10:50 24896 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2012-04-19 02:56 . 2012-04-19 02:56 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2012-04-19 02:56 . 2012-04-19 02:56 69632 ----a-w- c:\windows\system32\QuickTime.qts
2012-04-04 21:56 . 2012-05-14 16:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-14 16:30 . 2011-05-12 17:06 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2012-06-20 . A14AF30BD4DDE76E1660BFB260D6F640 . 544768 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
.
[-] 2012-06-20 . 6994A17E1D04EE1C0CC1E4AB0EB2ED85 . 39424 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
.
[-] 2012-06-20 . 20484B4DC84DC2F3A9BE90BE5EED3A8C . 1058304 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2010-02-22 18791456]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-04-19 421888]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [4/19/2012 4:50 AM 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [7/11/2011 1:13 AM 31952]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [7/11/2011 1:13 AM 235216]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 1:14 AM 301248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 6:09 AM 193288]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [12/23/2011 1:32 PM 139856]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [12/23/2011 1:32 PM 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [12/23/2011 1:32 PM 17232]
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [5/12/2011 11:11 AM 30392]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\avgidsagent.exe [4/30/2012 9:44 AM 5106744]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [5/14/2012 11:16 AM 257224]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5/12/2011 10:51 AM 1691480]
S3 cpuz134;cpuz134;\??\c:\docume~1\SCUBAD~1\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\SCUBAD~1\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [?]
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/14/2012 10:30 AM 129976]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-14 17:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: 将此图片添加为RealOA Messenger表情 - c:\program files\TeeSupport\addFace.htm
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\scubadiver\Application Data\Mozilla\Firefox\Profiles\sq2w75sl.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-PPMemCheck - c:\progra~1\STOMPS~1\SPYWAR~1\PPMemCheck.exe
HKLM-Run-Spyware X-terminator Control Center - c:\progra~1\STOMPS~1\SPYWAR~1\PPControl.exe
HKLM-Run-CookiePatrol - c:\progra~1\STOMPS~1\SPYWAR~1\CookiePatrol.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-21 09:10
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1d,c1,0f,6e,ca,30,c7,4a,b4,a9,b5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1d,c1,0f,6e,ca,30,c7,4a,b4,a9,b5,\
.
Completion time: 2012-06-21 09:11:01
ComboFix-quarantined-files.txt 2012-06-21 15:10
.
Pre-Run: 445,252,583,424 bytes free
Post-Run: 445,523,361,792 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 90D72405032F5BBB2B97CA66C868BB94

****************************************************
****************************************************

Computer seems to function OK. Initial Google searches and selecting a result do not redirect -- yeah!
No problems in running the tools.
ComboFix downloaded the Recovery Console; everything seemed to work OK. No reboots that I saw.

Will it be safe to reboot?
Do I need to rerun Defogger to enable CD imaging?
Other cleanup steps?

Thank you.

#4 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 21 June 2012 - 02:34 PM

SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:filefind
explorer.exe
svchost.exe
winlogon.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 LBQ (Topic Starter, Members, 14 posts, USA)

Posted 21 June 2012 - 05:01 PM

Previously, following my last post where it looked like things were working better, I had tried to shut down the machine; it would not. Start -> Turn Off Computer... -> Turn Off resulted in a brief hourglass followed by a return to the Desktop. I forced power off with the power button. Rebooted to pick up your post; things seem 'normal' except that the FF homepage does not render. Hitting the Home button in the "new tab" that is present does render the home page (Google in this case). The FF Options are set to show the Home page (Google) when FF starts.
*****************************************
********* SystemLook log **************

SystemLook 30.07.11 by jpshortstuff
Log created at 15:53 on 21/06/2012 by scubadiver
Administrator - Elevation successful

========== filefind ==========

Searching for "explorer.exe"
C:\WINDOWS\explorer.exe --a---- 1058304 bytes [11:42 14/04/2008] [02:25 20/06/2012] 20484B4DC84DC2F3A9BE90BE5EED3A8C

Searching for "svchost.exe"
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe --a---- 199240 bytes [16:46 14/05/2012] [21:56 04/04/2012] 097D0E812D7A9A3101CE46CB2BE0474D
C:\WINDOWS\system32\svchost.exe --a---- 39424 bytes [11:42 14/04/2008] [02:28 20/06/2012] 6994A17E1D04EE1C0CC1E4AB0EB2ED85

Searching for "winlogon.exe"
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe --a---- 199240 bytes [16:46 14/05/2012] [21:56 04/04/2012] 097D0E812D7A9A3101CE46CB2BE0474D
C:\WINDOWS\system32\winlogon.exe --a---- 544768 bytes [11:42 14/04/2008] [02:29 20/06/2012] A14AF30BD4DDE76E1660BFB260D6F640

-= EOF =-
***************************************************************

thanks for your help.

#6 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 21 June 2012 - 10:34 PM

Greetings


Do you have access to another XP computer?


SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:filefind
explorer.*
svchost.*
winlogon.*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#7 LBQ (Topic Starter, Members, 14 posts, USA)

Posted 22 June 2012 - 11:23 AM

Yes, there are a few XP computers here.
Here is a log from a (what I believe is not infected) system:
SystemLook 30.07.11 by jpshortstuff
Log created at 09:28 on 22/06/2012 by LBQ
Administrator - Elevation successful

========== filefind ==========

Searching for "explorer.*"
C:\WINDOWS\explorer.exe --a---- 1033728 bytes [11:42 14/04/2008] [11:42 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINDOWS\explorer.scf --a---- 80 bytes [11:00 23/08/2001] [11:00 23/08/2001] A3975A7D2C98B30A2AE010754FFB9392
C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf --a---- 95124 bytes [14:45 06/02/2012] [18:39 18/05/2012] 45FF81D442EFF73612BD2C0BC17D7609
C:\WINDOWS\system32\dllcache\explorer.exe --a--c- 1033728 bytes [11:42 14/04/2008] [11:42 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923

Searching for "svchost.*"
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe --a---- 199240 bytes [16:10 20/02/2012] [21:56 04/04/2012] 097D0E812D7A9A3101CE46CB2BE0474D
C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf --a---- 42628 bytes [15:26 22/06/2012] [15:26 22/06/2012] 50C46C27B73E41870532116E2D8C4061
C:\WINDOWS\system32\svchost.exe --a---- 14336 bytes [11:42 14/04/2008] [11:42 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\system32\dllcache\svchost.exe --a--c- 14336 bytes [11:42 14/04/2008] [11:42 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18

Searching for "winlogon.*"
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe --a---- 199240 bytes [16:10 20/02/2012] [21:56 04/04/2012] 097D0E812D7A9A3101CE46CB2BE0474D
C:\WINDOWS\system32\winlogon.exe --a---- 507904 bytes [11:42 14/04/2008] [11:42 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\system32\dllcache\winlogon.exe --a--c- 507904 bytes [11:42 14/04/2008] [11:42 14/04/2008] ED0EF0A136DEC83DF69F04118870003E

-= EOF =-

***********************************
***********************************

Log from this system that we've been working with
********************************************
SystemLook 30.07.11 by jpshortstuff
Log created at 09:17 on 22/06/2012 by scubadiver
Administrator - Elevation successful

========== filefind ==========

Searching for "explorer.*"
C:\WINDOWS\explorer.exe --a---- 1058304 bytes [11:42 14/04/2008] [02:25 20/06/2012] 20484B4DC84DC2F3A9BE90BE5EED3A8C
C:\WINDOWS\explorer.scf --a---- 80 bytes [11:00 23/08/2001] [11:00 23/08/2001] A3975A7D2C98B30A2AE010754FFB9392
C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf --a---- 82888 bytes [18:52 05/06/2012] [14:31 21/06/2012] 5D8EB776BAF52FBAABB9674366F0B667

Searching for "svchost.*"
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe --a---- 199240 bytes [16:46 14/05/2012] [21:56 04/04/2012] 097D0E812D7A9A3101CE46CB2BE0474D
C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf --a---- 14864 bytes [13:46 06/06/2012] [15:06 22/06/2012] B50DD99D1DBBA23DFFA435F9360B4737
C:\WINDOWS\system32\svchost.exe --a---- 39424 bytes [11:42 14/04/2008] [02:28 20/06/2012] 6994A17E1D04EE1C0CC1E4AB0EB2ED85

Searching for "winlogon.*"
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe --a---- 199240 bytes [16:46 14/05/2012] [21:56 04/04/2012] 097D0E812D7A9A3101CE46CB2BE0474D
C:\WINDOWS\system32\winlogon.exe --a---- 544768 bytes [11:42 14/04/2008] [02:29 20/06/2012] A14AF30BD4DDE76E1660BFB260D6F640

-= EOF =-

***************************************

I can see the differences in size, but maybe because the patch levels are different ?
Is this the comparison that you were hoping to see ?
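
The comparison in the two logs above is the check a responder actually wants automated: parse both ':filefind' logs, line up the same paths, and report where the suspect machine disagrees with the clean one. The script below is an added example written for this page; it is not SystemLook's own code and not something posted in the thread. The layout of a result line (`<path> <attrs> <size> bytes [<created>] [<modified>] <MD5>`) is an assumption read off the posted logs, and the two embedded sample logs are trimmed copies of the logs in this post. Prefetch .pf files and the Malwarebytes Chameleon copies under Program Files differ between any two machines, so they are left out of the comparison. The checks also answer the question about patch levels from the logs themselves: both machines show the same 14/04/2008 11:42 creation stamp on the three binaries, but on the suspect machine each one was modified on 20/06/2012, a change the clean, separately updated machine never received, and the suspect machine has no dllcache copy of any of them. That is a file rewritten in place, not a patch-level difference.

```python
"""Diff two SystemLook ':filefind' logs: clean machine vs suspect machine.

Added example for this page, not SystemLook's code and not from the thread.
Result-line layout is assumed from the posted logs:
    <path> <attrs> <size> bytes [<created>] [<modified>] <MD5>
"""
import re
from datetime import datetime
from typing import Dict, List, NamedTuple


class Entry(NamedTuple):
    path: str
    attrs: str
    size: int
    created: datetime
    modified: datetime
    md5: str


LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)
STAMP = "%H:%M %d/%m/%Y"  # SystemLook prints times as HH:MM dd/mm/yyyy

# Trimmed copies of the two logs posted in the thread (clean P4 box, suspect box).
CLEAN_LOG = r"""
C:\WINDOWS\explorer.exe --a---- 1033728 bytes [11:42 14/04/2008] [11:42 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINDOWS\system32\dllcache\explorer.exe --a--c- 1033728 bytes [11:42 14/04/2008] [11:42 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe --a---- 199240 bytes [16:10 20/02/2012] [21:56 04/04/2012] 097D0E812D7A9A3101CE46CB2BE0474D
C:\WINDOWS\system32\svchost.exe --a---- 14336 bytes [11:42 14/04/2008] [11:42 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\system32\dllcache\svchost.exe --a--c- 14336 bytes [11:42 14/04/2008] [11:42 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\system32\winlogon.exe --a---- 507904 bytes [11:42 14/04/2008] [11:42 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\system32\dllcache\winlogon.exe --a--c- 507904 bytes [11:42 14/04/2008] [11:42 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
-= EOF =-
"""

SUSPECT_LOG = r"""
C:\WINDOWS\explorer.exe --a---- 1058304 bytes [11:42 14/04/2008] [02:25 20/06/2012] 20484B4DC84DC2F3A9BE90BE5EED3A8C
C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf --a---- 82888 bytes [18:52 05/06/2012] [14:31 21/06/2012] 5D8EB776BAF52FBAABB9674366F0B667
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe --a---- 199240 bytes [16:46 14/05/2012] [21:56 04/04/2012] 097D0E812D7A9A3101CE46CB2BE0474D
C:\WINDOWS\system32\svchost.exe --a---- 39424 bytes [11:42 14/04/2008] [02:28 20/06/2012] 6994A17E1D04EE1C0CC1E4AB0EB2ED85
C:\WINDOWS\system32\winlogon.exe --a---- 544768 bytes [11:42 14/04/2008] [02:29 20/06/2012] A14AF30BD4DDE76E1660BFB260D6F640
-= EOF =-
"""


def parse_systemlook(text: str) -> Dict[str, Entry]:
    """Map lower-cased path -> Entry for each result line; other lines are skipped."""
    entries: Dict[str, Entry] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = Entry(m["path"], m["attrs"], int(m["size"]),
                      datetime.strptime(m["created"], STAMP),
                      datetime.strptime(m["modified"], STAMP), m["md5"].upper())
            entries[e.path.lower()] = e
    return entries


def compare(clean: Dict[str, Entry], suspect: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Reasons to distrust each .exe under the Windows directory on the suspect box.

    Prefetch .pf files and the Chameleon copies under Program Files differ
    between any two machines, so they are not examined.
    """
    findings: Dict[str, List[str]] = {}
    for key, s in suspect.items():
        if not (key.startswith("c:\\windows\\") and key.endswith(".exe")):
            continue
        why: List[str] = []
        c = clean.get(key)
        if c is None:
            why.append("absent on clean machine")
        else:
            if c.md5 != s.md5:
                why.append(f"md5 {s.md5} differs from clean {c.md5}")
            if c.size != s.size:
                why.append(f"size {s.size} differs from clean {c.size}")
            # Same creation stamp but a later modification the clean box never
            # received: the binary was rewritten in place, not patched.
            if c.created == s.created and s.modified > c.modified:
                why.append(f"rewritten in place at {s.modified:%Y-%m-%d %H:%M}")
        # XP keeps a Windows File Protection copy in system32\dllcache; without
        # one the original cannot be restored from the local cache.
        if "\\dllcache\\" not in key:
            cache = "c:\\windows\\system32\\dllcache\\" + key.rsplit("\\", 1)[1]
            if cache not in suspect:
                why.append("no dllcache copy on suspect machine")
        if why:
            findings[s.path] = why
    return findings


if __name__ == "__main__":
    report = compare(parse_systemlook(CLEAN_LOG), parse_systemlook(SUSPECT_LOG))
    for path, why in report.items():
        print(path)
        for w in why:
            print("   -", w)
```

Run as-is it reports all three binaries on the suspect machine with four reasons each; running it with two logs from the same clean machine reports nothing. The comparison is against a machine at an unknown patch level, so a hash mismatch alone is weaker evidence than the in-place modification and the missing dllcache copy, which is why both are reported separately.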

#8 LBQ (Topic Starter, Members, 14 posts, USA)

Posted 22 June 2012 - 12:55 PM

Updated P4 (non-infected) with 11 available Windows updates; reran SystemLook.
**********************************************

SystemLook 30.07.11 by jpshortstuff
Log created at 11:46 on 22/06/2012 by LBQ
Administrator - Elevation successful

========== filefind ==========

Searching for "explorer.*"
C:\WINDOWS\explorer.exe --a---- 1033728 bytes [11:42 14/04/2008] [11:42 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINDOWS\explorer.scf --a---- 80 bytes [11:00 23/08/2001] [11:00 23/08/2001] A3975A7D2C98B30A2AE010754FFB9392
C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf --a---- 96686 bytes [14:45 06/02/2012] [17:00 22/06/2012] A5429D4957B7C539E6C8F2C4D9A4E78F
C:\WINDOWS\system32\dllcache\explorer.exe --a--c- 1033728 bytes [11:42 14/04/2008] [11:42 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923

Searching for "svchost.*"
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe --a---- 199240 bytes [16:10 20/02/2012] [21:56 04/04/2012] 097D0E812D7A9A3101CE46CB2BE0474D
C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf --a---- 42408 bytes [15:26 22/06/2012] [17:00 22/06/2012] A86C6BA171743FDE2AB2862D5EE05E09
C:\WINDOWS\system32\svchost.exe --a---- 14336 bytes [11:42 14/04/2008] [11:42 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\system32\dllcache\svchost.exe --a--c- 14336 bytes [11:42 14/04/2008] [11:42 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18

Searching for "winlogon.*"
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe --a---- 199240 bytes [16:10 20/02/2012] [21:56 04/04/2012] 097D0E812D7A9A3101CE46CB2BE0474D
C:\WINDOWS\system32\winlogon.exe --a---- 507904 bytes [11:42 14/04/2008] [11:42 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\system32\dllcache\winlogon.exe --a--c- 507904 bytes [11:42 14/04/2008] [11:42 14/04/2008] ED0EF0A136DEC83DF69F04118870003E

-= EOF =-

#9 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 22 June 2012 - 05:42 PM

That is good that we have other computers to copy the files from.


I want you to copy these files from the good computer:

C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\winlogon.exe


Move them to the infected computer, but we need to first put them on the C: drive so I can move them:

C:\explorer.exe
C:\svchost.exe
C:\winlogon.exe

Rerun SystemLook and send me the report so I know they are



Gringo

#10 LBQ (Topic Starter, Members, 14 posts, USA)

Posted 23 June 2012 - 04:03 PM

From non-infected machine:
_________________________________________
SystemLook 30.07.11 by jpshortstuff
Log created at 14:41 on 23/06/2012 by Kyle
Administrator - Elevation successful

========== filefind ==========

Searching for "explorer.*"
C:\explorer.exe --a---- 1033728 bytes [20:37 23/06/2012] [11:42 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINDOWS\explorer.exe --a---- 1033728 bytes [11:42 14/04/2008] [11:42 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINDOWS\explorer.scf --a---- 80 bytes [11:00 23/08/2001] [11:00 23/08/2001] A3975A7D2C98B30A2AE010754FFB9392
C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf --a---- 99166 bytes [14:45 06/02/2012] [18:46 22/06/2012] C0A3C7B841415F1575DD865B8DFC8E05
C:\WINDOWS\system32\dllcache\explorer.exe --a--c- 1033728 bytes [11:42 14/04/2008] [11:42 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923

Searching for "svchost.*"
C:\svchost.exe --a---- 14336 bytes [20:39 23/06/2012] [11:42 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe --a---- 199240 bytes [16:10 20/02/2012] [21:56 04/04/2012] 097D0E812D7A9A3101CE46CB2BE0474D
C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf --a---- 42408 bytes [15:26 22/06/2012] [17:00 22/06/2012] A86C6BA171743FDE2AB2862D5EE05E09
C:\WINDOWS\system32\svchost.exe --a---- 14336 bytes [11:42 14/04/2008] [11:42 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\system32\dllcache\svchost.exe --a--c- 14336 bytes [11:42 14/04/2008] [11:42 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18

Searching for "winlogon.*"
C:\winlogon.exe --a---- 507904 bytes [20:39 23/06/2012] [11:42 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe --a---- 199240 bytes [16:10 20/02/2012] [21:56 04/04/2012] 097D0E812D7A9A3101CE46CB2BE0474D
C:\WINDOWS\system32\winlogon.exe --a---- 507904 bytes [11:42 14/04/2008] [11:42 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\system32\dllcache\winlogon.exe --a--c- 507904 bytes [11:42 14/04/2008] [11:42 14/04/2008] ED0EF0A136DEC83DF69F04118870003E

-= EOF =-
______________________________________________________
______________________________________________________

Infected machine; I renamed the existing/bad files so that you could see (and I could get the copy to work):
_____________________________________________________________________
SystemLook 30.07.11 by jpshortstuff
Log created at 14:55 on 23/06/2012 by scubadiver
Administrator - Elevation successful

========== filefind ==========

Searching for "explorer.*"
C:\WINDOWS\explorer.exe --a---- 1033728 bytes [20:50 23/06/2012] [11:42 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINDOWS\explorer.old.exe --a---- 1058304 bytes [11:42 14/04/2008] [02:25 20/06/2012] 20484B4DC84DC2F3A9BE90BE5EED3A8C
C:\WINDOWS\explorer.scf --a---- 80 bytes [11:00 23/08/2001] [11:00 23/08/2001] A3975A7D2C98B30A2AE010754FFB9392
C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf --a---- 77228 bytes [18:52 05/06/2012] [20:47 23/06/2012] B3D7B42D05A24592156B6CA52BA54E20
C:\WINDOWS\system32\dllcache\explorer.exe --a--c- 1033728 bytes [20:50 23/06/2012] [11:42 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923

Searching for "svchost.*"
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe --a---- 199240 bytes [16:46 14/05/2012] [21:56 04/04/2012] 097D0E812D7A9A3101CE46CB2BE0474D
C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf --a---- 14864 bytes [13:46 06/06/2012] [20:17 23/06/2012] 8CB0E1CB86D655999ADF8BB54582946B
C:\WINDOWS\system32\svchost.exe --a---- 14336 bytes [20:53 23/06/2012] [11:42 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\system32\svchost.old.exe --a---- 39424 bytes [11:42 14/04/2008] [02:28 20/06/2012] 6994A17E1D04EE1C0CC1E4AB0EB2ED85
C:\WINDOWS\system32\dllcache\svchost.exe --a--c- 14336 bytes [20:53 23/06/2012] [11:42 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18

Searching for "winlogon.*"
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe --a---- 199240 bytes [16:46 14/05/2012] [21:56 04/04/2012] 097D0E812D7A9A3101CE46CB2BE0474D
C:\WINDOWS\system32\winlogon.exe --a---- 507904 bytes [11:42 14/04/2008] [11:42 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\system32\winlogon.old.exe --a---- 544768 bytes [11:42 14/04/2008] [02:29 20/06/2012] A14AF30BD4DDE76E1660BFB260D6F640
C:\WINDOWS\system32\dllcache\winlogon.exe --a--c- 507904 bytes [11:42 14/04/2008] [11:42 14/04/2008] ED0EF0A136DEC83DF69F04118870003E

-= EOF =-

Thanks for your insights and assistance.

#11 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 23 June 2012 - 09:41 PM

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#12 LBQ (Topic Starter, Members, 14 posts, USA)

Posted 24 June 2012 - 05:54 PM

The text in your box has 1 blank character in it and I didn't know if that made a difference.
I did not use the blank character, so the 1st character of CFScript.txt was the C in ClearJavaCache.
CF downloaded an updated version.
CF downloaded the MS Recovery Console from Microsoft.
Seemed to have finished 'normally'.
No reboot activity.
Opening FF produced a 'new tab' page rather than the home page.
Other than those observations, the computer seems OK.

_____________________________________________________________________________________________
ComboFix 12-06-24.03 - scubadiver 06/24/2012 16:45:12.4.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2857 [GMT -6:00]
Running from: c:\documents and settings\scubadiver\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\scubadiver\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((( Files Created from 2012-05-24 to 2012-06-24 )))))))))))))))))))))))))))))))
.
.
2012-06-23 20:53 . 2008-04-14 11:42 14336 -c--a-w- c:\windows\system32\dllcache\svchost.exe
2012-06-23 20:53 . 2008-04-14 11:42 14336 ----a-w- c:\windows\system32\svchost.exe
2012-06-23 20:50 . 2008-04-14 11:42 1033728 -c--a-w- c:\windows\system32\dllcache\explorer.exe
2012-06-23 20:50 . 2008-04-14 11:42 1033728 ----a-w- c:\windows\explorer.exe
2012-06-20 02:11 . 2012-06-20 02:11 -------- d-----w- c:\program files\ESET
2012-06-19 23:49 . 2012-06-19 23:49 -------- d-----w- c:\documents and settings\Administrator
2012-06-19 18:53 . 2012-06-19 19:03 -------- d-----w- c:\program files\TeeSupport
2012-06-19 18:25 . 2012-06-19 22:16 -------- d-----w- c:\program files\StompSoft
2012-06-19 18:23 . 2012-06-19 18:24 -------- d-----w- C:\MyStuff
2012-06-18 23:14 . 2012-06-19 22:14 -------- d-----w- C:\sh4ldr
2012-06-18 23:14 . 2012-06-18 23:14 -------- d-----w- c:\program files\Enigma Software Group
2012-06-18 23:14 . 2012-06-19 22:14 -------- d-----w- c:\windows\9E897D0FF80441A3966C7BB6EB5B6BE8.TMP
2012-06-18 23:13 . 2012-06-18 23:13 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2012-06-18 22:27 . 2012-06-18 22:27 -------- d-----w- c:\program files\Common Files\Java
2012-06-18 22:24 . 2012-06-18 22:24 -------- d-----w- c:\program files\Oracle
2012-06-18 22:24 . 2012-06-18 22:24 -------- d-----w- c:\documents and settings\scubadiver\Application Data\Oracle
2012-06-18 22:24 . 2012-05-05 01:29 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-06-18 15:47 . 2012-06-18 15:47 -------- d-sh--w- c:\documents and settings\scubadiver\IECompatCache
2012-06-15 18:16 . 2012-06-15 18:16 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2012-06-15 18:15 . 2012-06-15 18:15 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2012-06-12 19:25 . 2012-05-11 14:42 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-06-05 16:03 . 2012-06-05 16:03 -------- d-----w- C:\$AVG
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-23 20:25 . 2012-05-14 17:16 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-23 20:25 . 2011-05-31 17:15 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-20 02:29 . 2008-04-14 11:42 544768 ----a-w- c:\windows\system32\winlogon.old.exe
2012-06-20 02:28 . 2008-04-14 11:42 39424 ----a-w- c:\windows\system32\svchost.old.exe
2012-06-20 02:25 . 2008-04-14 11:42 1058304 ----a-w- c:\windows\explorer.old.exe
2012-06-19 22:20 . 2012-06-19 22:20 13881 ----a-w- C:\TDSSKiller.2.7.40.0_19.06.2012_16.19.13_log.zip
2012-06-02 21:19 . 2009-08-07 01:24 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 21:19 . 2011-05-11 19:35 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 21:19 . 2011-05-11 19:35 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 21:19 . 2011-05-11 19:35 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 21:19 . 2009-08-07 01:24 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 21:19 . 2011-05-11 19:35 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 21:19 . 2011-05-11 19:35 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 21:19 . 2009-08-07 01:24 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 21:19 . 2009-08-07 01:24 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 21:19 . 2008-04-14 11:41 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 21:19 . 2009-08-07 01:24 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 21:19 . 2011-05-11 19:35 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 21:19 . 2011-05-11 19:35 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-05-31 13:22 . 2008-04-14 11:41 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2008-04-14 11:42 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20 . 2008-04-14 07:00 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 14:42 . 2008-04-14 11:42 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 14:42 . 2008-04-14 11:41 43520 ------w- c:\windows\system32\licmgr10.dll
2012-05-11 11:38 . 2008-04-14 06:07 385024 ------w- c:\windows\system32\html.iec
2012-05-05 01:29 . 2011-05-12 17:27 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-05-05 01:29 . 2011-05-12 17:27 687504 ----a-w- c:\windows\system32\deployJava1.dll
2012-05-04 13:16 . 2008-04-14 06:54 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2008-04-14 00:01 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2011-05-11 19:33 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-19 10:50 . 2012-04-19 10:50 24896 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2012-04-19 02:56 . 2012-04-19 02:56 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2012-04-19 02:56 . 2012-04-19 02:56 69632 ----a-w- c:\windows\system32\QuickTime.qts
2012-04-04 21:56 . 2012-05-14 16:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-14 16:30 . 2011-05-12 17:06 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-06-21_15.10.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-06-24 22:16 . 2012-06-24 22:16 16384 c:\windows\Temp\Perflib_Perfdata_7f8.dat
+ 2012-06-22 15:06 . 2012-06-02 21:19 45080 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.6.7600.256\wups2.dll
+ 2012-06-22 15:06 . 2012-06-02 21:19 35864 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.6.7600.256\wups.dll
+ 2011-05-11 19:35 . 2012-06-02 21:19 35864 c:\windows\system32\dllcache\wups.dll
+ 2011-05-11 19:35 . 2012-06-02 21:19 53784 c:\windows\system32\dllcache\wuauclt.exe
+ 2008-04-14 11:41 . 2012-06-02 21:19 97304 c:\windows\system32\dllcache\cdm.dll
+ 2008-04-14 11:42 . 2008-04-14 11:42 507904 c:\windows\system32\winlogon.exe
+ 2012-06-23 20:25 . 2012-06-23 20:25 686280 c:\windows\system32\Macromed\Flash\FlashUtil32_11_3_300_262_Plugin.exe
+ 2012-05-14 17:16 . 2012-06-23 20:25 250056 c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
+ 2011-05-11 19:35 . 2012-06-02 21:19 210968 c:\windows\system32\dllcache\wuweb.dll
+ 2011-05-11 19:35 . 2012-06-02 21:19 329240 c:\windows\system32\dllcache\wucltui.dll
+ 2011-05-11 19:35 . 2012-06-02 21:19 577048 c:\windows\system32\dllcache\wuapi.dll
+ 2008-04-14 11:42 . 2008-04-14 11:42 507904 c:\windows\system32\dllcache\winlogon.exe
+ 2012-06-23 20:25 . 2012-06-23 20:25 9459912 c:\windows\system32\Macromed\Flash\NPSWF32_11_3_300_262.dll
+ 2011-05-11 19:35 . 2012-06-02 21:19 1933848 c:\windows\system32\dllcache\wuaueng.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2010-02-22 18791456]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-04-19 421888]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [4/19/2012 4:50 AM 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [7/11/2011 1:13 AM 31952]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [7/11/2011 1:13 AM 235216]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 1:14 AM 301248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 6:09 AM 193288]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [12/23/2011 1:32 PM 139856]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [12/23/2011 1:32 PM 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [12/23/2011 1:32 PM 17232]
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [5/12/2011 11:11 AM 30392]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\avgidsagent.exe [4/30/2012 9:44 AM 5106744]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [5/14/2012 11:16 AM 250056]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5/12/2011 10:51 AM 1691480]
S3 cpuz134;cpuz134;\??\c:\docume~1\SCUBAD~1\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\SCUBAD~1\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [?]
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/14/2012 10:30 AM 129976]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-24 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-14 20:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: 将此图片添加为RealOA Messenger表情 (Add this image as a RealOA Messenger emoticon) - c:\program files\TeeSupport\addFace.htm
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\scubadiver\Application Data\Mozilla\Firefox\Profiles\sq2w75sl.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-24 16:47
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1d,c1,0f,6e,ca,30,c7,4a,b4,a9,b5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1d,c1,0f,6e,ca,30,c7,4a,b4,a9,b5,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(308)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-06-24 16:47:44
ComboFix-quarantined-files.txt 2012-06-24 22:47
ComboFix2.txt 2012-06-24 22:40
ComboFix3.txt 2012-06-24 22:31
ComboFix4.txt 2012-06-21 15:11
.
Pre-Run: 445,538,234,368 bytes free
Post-Run: 445,526,855,680 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 441D9683D50321AF72FA7D1B7402724C
_______________________________________________________________________________________

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:27 PM

Posted 24 June 2012 - 08:26 PM

Hello LBQ

That looks very good - how are things running now?

I would like to see a report that combofix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click ok

copy and paste the report into this topic for me to review

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#14 LBQ

LBQ
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:03:27 PM

Posted 25 June 2012 - 10:02 AM

I was confused by the extra combofix report comment. I did not run another combofix.
Here is the result of the Qoobox result

Things seem to be running well. No more redirects.

========================================================
32 Bit HP CIO Components Installer
6500_E709_eDocs
6500_E709_Help
6500_E709n
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.3)
AMD USB Filter Driver
Apple Application Support
Apple Software Update
ATI Catalyst Install Manager
AVG 2012
bpd_scan
BPDSoftware
BPDSoftware_Ini
BufferChm
CCleaner
Destination Component
DeviceDiscovery
DocMgr
DocProc
ESET Online Scanner v3
Fax
GPBaseService2
Hewlett-Packard ACLM.NET v1.1.0.0
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB954550-v5)
HP Customer Participation Program 12.0
HP Document Manager 2.0
HP Imaging Device Functions 12.0
HP Officejet 6500 E709 Series
HP Product Detection
HP Smart Web Printing
HP Solution Center 12.0
HP Update
HPProductAssistant
HPSSupply
Java Auto Updater
Java™ 6 Update 26
Java™ 7 Update 5
JavaFX 2.1.1
Malwarebytes Anti-Malware version 1.61.0.1400
MarketResearch
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox 12.0 (x86 en-US)
Mozilla Maintenance Service
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Network
OCR Software by I.R.I.S. 12.0
ProductContext
QuickTime
Realtek High Definition Audio Driver
Scan
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2709162)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Shop for HP Supplies
SmartWebPrinting
SolutionCenter
Status
Toolbox
TrayApp
UnloadSupport
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2718704)
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Yahoo! Detect
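A check a reviewer could run over an Add/Remove list like the one above, flagging a JRE family that a newer installed family supersedes (an added example, not part of the thread or of ComboFix; the sample list is a constructed excerpt of the entries posted):

```python
import re

# Constructed excerpt of a ComboFix "Add-Remove Programs.txt" listing,
# modelled on the entries posted in the thread (not the full list).
SAMPLE_ADD_REMOVE = """\
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.3)
AVG 2012
Java Auto Updater
Java™ 6 Update 26
Java™ 7 Update 5
JavaFX 2.1.1
Malwarebytes Anti-Malware version 1.61.0.1400
Mozilla Firefox 12.0 (x86 en-US)
"""

# Matches "Java(TM) 6 Update 26" or "Java™ 6 Update 26": family 6, update 26.
# "Java Auto Updater" and "JavaFX 2.1.1" are not runtimes and do not match.
JRE_RE = re.compile(r"^Java(?:\(TM\)|™)?\s+(\d+)\s+Update\s+(\d+)\s*$")


def parse_jre_entries(text):
    """Return (family, update, raw_line) for every JRE entry in the list."""
    found = []
    for line in text.splitlines():
        m = JRE_RE.match(line.strip())
        if m:
            found.append((int(m.group(1)), int(m.group(2)), line.strip()))
    return found


def superseded_jres(text):
    """Return the raw lines of JRE installs that a newer install supersedes.

    Only the highest (family, update) pair is kept; every other JRE entry is
    an old runtime still on disk and is reported for removal.
    """
    entries = parse_jre_entries(text)
    if not entries:
        return []
    newest = max(entries)[:2]  # tuples compare family first, then update
    return [raw for fam, upd, raw in entries if (fam, upd) != newest]


if __name__ == "__main__":
    for stale in superseded_jres(SAMPLE_ADD_REMOVE):
        print("superseded runtime still installed:", stale)
```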

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:27 PM

Posted 25 June 2012 - 12:42 PM

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in add/remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using add/remove or you can use the free uninstaller from Revo (Revo does a lot better of a job)

Programs to remove

Java 6 Update 26


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.



Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running HijackThis, see NOTE** below (Hosts file not read, blank Notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo




