Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Leftovers From Live Security Platinum Infection?


  • This topic is locked This topic is locked
14 replies to this topic

#1 joshpreston

joshpreston

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:06:17 PM

Posted 10 July 2012 - 11:02 AM

Hey guys,

I somehow got ahold of the Live Security Platinum infection a couple days ago. I got rid of at least the false virus scans and stuff but I think there might be some leftovers still lurking on my machine. Avira picked up a trojan when I ran scan yesterday. It was removed, but these types seem to just come back on reboot. I just want to make sure I get everything, so here are my logs. Much thanks in advance!

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_31
Run by Joshua at 21:30:38 on 2012-07-09
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1337 [GMT -7:00]
.
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Marvell\61xx\svc\mvraidsvc.exe
C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\X3watch\x3watch.exe
C:\Program Files\AirPort\APAgent.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Joshua\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.ask.com/?l=dis&o=14597
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Plex Media Server] "c:\program files\plex\plex media server\Plex Media Server.exe"
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
mRun: [ACD mPower Tools] "c:\program files\itunes\iTunesHelper.exe"
mRun: [x3watch] c:\program files\x3watch\x3watch.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [AirPort Base Station Agent] "c:\program files\airport\APAgent.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iluigr] "c:\windows\system32\rundll32.exe" "c:\documents and settings\joshua\application data\iluigr.dll",DocStopFeedLoad
mRun: [almsc] rundll32.exe "c:\documents and settings\joshua\application data\almsc.dll",CleanupGlobalTempFiles
StartupFolder: c:\docume~1\joshua\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\joshua\application data\dropbox\bin\Dropbox.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.0.8.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/OnlineScanner.cab
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F5131C24-E56D-11CF-B78A-444553540000} - hxxps://www.int.ch2m.com/cgi-bin/controls/ikcntrls.cab
TCP: DhcpNameServer = 10.0.1.1
TCP: Interfaces\{9BC39309-A49B-49B4-B7AD-7B47F50CBA30} : DhcpNameServer = 10.0.1.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: WBSrv - c:\progra~1\stardock\object~2\window~1\wbsrv.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - No File
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\joshua\application data\mozilla\firefox\profiles\q4pn0t9b.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_262.dll
.
============= SERVICES / DRIVERS ===============
.
R0 ivicd;Ivi CDVD Filter Driver;c:\windows\system32\drivers\ivicd.sys [2007-1-21 38784]
R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2006-8-30 70784]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-12-29 36000]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-2-17 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2011-5-4 116608]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-12-29 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2011-12-29 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-11-27 83392]
R2 Marvell RAID;Marvell RAID Event Agent;c:\program files\marvell\61xx\svc\mvraidsvc.exe [2006-8-9 114688]
R2 MRUWebService;MRU Web Service;c:\program files\marvell\61xx\apache2\bin\Apache.exe [2006-6-26 20541]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-6-24 2214504]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-5-7 250056]
S3 hitmanpro36;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro36.sys [2012-7-7 27424]
S3 iviudf;iviudf;c:\windows\system32\drivers\IviUdf.sys [2007-1-21 126592]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-5 113120]
S3 SkLaggProtocol;SysKonnect Link Aggregation Protocol (LAGG) Support;c:\windows\system32\drivers\yk51lagg.sys --> c:\windows\system32\drivers\yk51lagg.sys [?]
S3 SkVlanProtocol;SysKonnect Virtual LAN (VLAN) Support;c:\windows\system32\drivers\skvlan.sys [2005-11-30 19328]
.
=============== Created Last 30 ================
.
2012-07-10 00:33:47 141312 ----a-w- c:\documents and settings\joshua\application data\almsc.dll
2012-07-08 05:48:08 27424 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-07-08 05:37:51 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro
2012-07-07 20:17:26 -------- d-----w- c:\documents and settings\joshua\local settings\application data\{A6B615AA-C870-11E1-8270-B8AC6F996F26}
2012-07-07 20:17:22 376320 ----a-w- c:\documents and settings\joshua\application data\iluigr.dll
2012-07-07 20:15:35 -------- d-----w- c:\documents and settings\all users\application data\F4D55EFF000452160001432BD151FC4E
2012-07-04 05:13:33 -------- d-----w- c:\documents and settings\joshua\application data\Nico Mak Computing
2012-07-04 05:13:27 17224 ----a-w- c:\windows\system32\roboot.exe
2012-07-04 01:42:36 -------- d-----w- c:\windows\system32\NtmsData
2012-07-02 07:07:33 -------- d-----w- c:\program files\EPUB to MOBI
2012-06-13 18:09:43 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-06-12 07:21:18 770384 ----a-w- c:\program files\mozilla firefox\msvcr100.dll
2012-06-12 07:21:18 421200 ----a-w- c:\program files\mozilla firefox\msvcp100.dll
.
==================== Find3M ====================
.
2012-06-23 05:29:10 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-23 05:29:10 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-02 22:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 22:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 22:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 22:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 22:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 22:18:58 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 22:18:58 214256 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 22:18:58 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20:33 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 14:42:33 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42:33 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38:02 385024 ----a-w- c:\windows\system32\html.iec
2012-05-09 00:55:14 83392 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-05-04 13:16:13 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32:19 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2004-10-01 23:00:16 40960 ----a-w- c:\program files\Uninstall_CDS.exe
.
============= FINISH: 21:31:29.90 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,213 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:17 PM

Posted 15 July 2012 - 09:13 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Close any open browsers, and all other programs working. Make sure you save your file if working on a document.
  • Do not install any other programs until this if fixed.[/b]
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some Rookit infection may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall
===

Third party programs if not up to date can be the cause of infiltration an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.

Please post the logs and let me know if the problem persists.

#3 joshpreston

joshpreston
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:06:17 PM

Posted 15 July 2012 - 11:27 AM

Thanks for your help, here are the requested logs:

ComboFix 12-07-14.01 - Joshua 07/15/2012 9:15.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1428 [GMT -7:00]
Running from: c:\documents and settings\Joshua\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\boost_interprocess\20120712233246.375000
c:\documents and settings\All Users\Application Data\boost_interprocess\20120712233246.375000\plex_frame_mutex
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Joshua\Application Data\iluigr.dll
c:\documents and settings\Joshua\WINDOWS
c:\windows\jestertb.dll
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\roboot.exe
c:\windows\system32\SET2D9.tmp
c:\windows\system32\SET2DD.tmp
c:\windows\system32\SET2DE.tmp
c:\windows\system32\SET2E5.tmp
c:\windows\XSxS
.
.
((((((((((((((((((((((((( Files Created from 2012-06-15 to 2012-07-15 )))))))))))))))))))))))))))))))
.
.
2012-07-13 19:23 . 2012-07-13 19:23 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-07-13 19:23 . 2012-07-13 19:23 476976 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-07-08 05:48 . 2012-07-08 05:48 27424 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-07-08 05:37 . 2012-07-08 05:46 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2012-07-08 04:24 . 2012-07-08 04:24 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2012-07-08 04:22 . 2012-07-08 04:22 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2012-07-07 20:17 . 2012-07-07 20:17 -------- d-----w- c:\documents and settings\Joshua\Local Settings\Application Data\{A6B615AA-C870-11E1-8270-B8AC6F996F26}
2012-07-07 20:15 . 2012-07-08 04:16 -------- d-----w- c:\documents and settings\All Users\Application Data\F4D55EFF000452160001432BD151FC4E
2012-07-04 05:13 . 2012-07-04 05:18 -------- d-----w- c:\documents and settings\Joshua\Application Data\Nico Mak Computing
2012-07-04 01:42 . 2012-07-12 18:06 -------- d-----w- c:\windows\system32\NtmsData
2012-07-02 07:07 . 2012-07-02 07:07 -------- d-----w- c:\program files\EPUB to MOBI
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-13 19:23 . 2010-04-18 21:53 472880 ----a-w- c:\windows\system32\deployJava1.dll
2012-07-11 20:29 . 2012-05-08 03:27 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-11 20:29 . 2011-06-12 01:09 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-02 22:19 . 2007-06-01 01:05 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 22:19 . 2007-06-01 01:05 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 22:19 . 2007-01-20 23:09 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 22:19 . 2007-01-20 23:09 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 22:19 . 2007-01-20 23:09 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 22:19 . 2007-06-01 01:05 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 22:19 . 2007-01-20 23:09 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2007-01-20 23:09 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2005-05-26 12:16 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2004-08-04 09:56 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 22:19 . 2007-06-01 01:05 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 22:19 . 2007-01-20 23:09 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2007-01-20 23:09 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:18 . 2008-12-28 22:15 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 22:18 . 2008-12-28 22:15 214256 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 22:18 . 2008-12-28 22:15 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-31 13:22 . 2004-08-04 09:56 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2004-08-04 09:56 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20 . 2008-11-16 07:32 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 14:42 . 2004-08-04 09:56 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 14:42 . 2004-08-04 09:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 11:38 . 2004-08-04 07:59 385024 ----a-w- c:\windows\system32\html.iec
2012-05-04 13:16 . 2008-11-16 07:32 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2008-11-16 07:32 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2008-11-16 07:32 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2004-10-01 23:00 . 2007-01-21 01:03 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2012-06-17 02:06 . 2011-05-01 19:54 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Joshua\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Joshua\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Joshua\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Joshua\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Plex Media Server"="c:\program files\Plex\Plex Media Server\Plex Media Server.exe" [2012-06-04 3029112]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"ACD mPower Tools"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
"x3watch"="c:\program files\X3watch\x3watch.exe" [2010-05-22 299008]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-05-25 13895272]
"NvMediaCenter"="NvMCTray.dll" [2011-05-25 111208]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2009-11-11 771360]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
c:\documents and settings\Joshua\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Joshua\Application Data\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-23 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2005-11-28 23:52 176128 ----a-w- c:\progra~1\Stardock\OBJECT~2\WINDOW~1\WbSrv.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-02 18:07 843712 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-03-27 12:41 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ai Gear Help]
2006-07-28 04:39 415744 ----a-w- c:\program files\ASUS\Ai Gear\GearHelp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ai Nap]
2006-09-07 19:26 1419264 ----a-w- c:\program files\ASUS\Ai Nap\AiNap.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIRECTCD]
2005-10-25 08:49 299008 ----a-w- c:\program files\InterVideo\Disc Master 2.5\DirectCD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch Ai Booster]
2006-07-14 00:32 3712512 ----a-w- c:\program files\ASUS\AI Booster\OverClk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2011-05-05 07:02 1632360 ----a-w- c:\program files\NVIDIA Corporation\nView\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-06 01:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2006-09-01 06:39 860160 ----a-r- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINCINEMAMGR]
2005-01-21 10:47 270336 ----a-w- c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R0 ivicd;Ivi CDVD Filter Driver;c:\windows\system32\drivers\ivicd.sys [1/21/2007 1:34 PM 38784]
R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [8/30/2006 12:43 AM 70784]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 11:25 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [5/4/2011 10:54 AM 116608]
R2 Marvell RAID;Marvell RAID Event Agent;c:\program files\Marvell\61xx\svc\mvraidsvc.exe [8/9/2006 8:46 PM 114688]
R2 MRUWebService;MRU Web Service;c:\program files\Marvell\61xx\Apache2\bin\Apache.exe [6/26/2006 2:16 PM 20541]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [6/24/2011 10:22 PM 2214504]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [2/9/2007 7:24 PM 47360]
R4 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys --> c:\windows\system32\DRIVERS\avkmgr.sys [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [5/7/2012 8:27 PM 250056]
S3 hitmanpro36;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro36.sys [7/7/2012 10:48 PM 27424]
S3 iviudf;iviudf;c:\windows\system32\drivers\IviUdf.sys [1/21/2007 1:34 PM 126592]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/5/2012 1:17 AM 113120]
S3 SkLaggProtocol;SysKonnect Link Aggregation Protocol (LAGG) Support;c:\windows\system32\DRIVERS\yk51lagg.sys --> c:\windows\system32\DRIVERS\yk51lagg.sys [?]
S3 SkVlanProtocol;SysKonnect Virtual LAN (VLAN) Support;c:\windows\system32\drivers\skvlan.sys [11/30/2005 3:15 AM 19328]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - JAVAQUICKSTARTERSERVICE
*Deregistered* - avipbb
*Deregistered* - ssmdrv
*Deregistered* - udffsrec
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-15 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-08 20:29]
.
2012-07-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
.
2012-07-13 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 23:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?l=dis&o=14597
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.0.1.1
FF - ProfilePath - c:\documents and settings\Joshua\Application Data\Mozilla\Firefox\Profiles\q4pn0t9b.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-iluigr - c:\documents and settings\Joshua\Application Data\iluigr.dll
HKLM-Run-almsc - c:\documents and settings\Joshua\Application Data\almsc.dll
MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
MSConfigStartUp-LGODDFU - c:\program files\lg_fwupdate\fwupdate.exe
MSConfigStartUp-NeroFilterCheck - c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
MSConfigStartUp-RemoteControl - c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-15 09:21
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-515967899-1957994488-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:82,ac,69,86,14,71,5a,c3,84,46,08,70,14,01,77,27,df,8b,46,48,dc,89,55,
2a,c6,aa,fa,6a,ef,89,28,55,74,ce,21,8d,21,e5,20,e0,ab,98,e0,05,d7,17,42,29,\
"??"=hex:07,61,a4,9c,60,3d,9c,4d,bd,1a,6a,f4,d7,db,34,aa
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\01\02\0a\16&\16?"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(724)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\progra~1\Stardock\OBJECT~2\WINDOW~1\wbsrv.dll
.
Completion time: 2012-07-15 09:23:03
ComboFix-quarantined-files.txt 2012-07-15 16:22
.
Pre-Run: 18,485,202,944 bytes free
Post-Run: 20,381,032,448 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 772D14BD2B604B25CA1BE2C613F33BC1




Results of screen317's Security Check version 0.99.42
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
SUPERAntiSpyware
Malwarebytes Anti-Malware version 1.61.0.1400
CCleaner (remove only)
Java™ 6 Update 33
Java version out of Date!
Adobe Flash Player 9 Flash Player out of Date!
Adobe Flash Player 11.3.300.265
Adobe Reader 9 Adobe Reader out of Date!
Mozilla Firefox (13.0.1)
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 5%
````````````````````End of Log``````````````````````

#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,213 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:17 PM

Posted 15 July 2012 - 12:42 PM

Looking good.

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 33


===

Remove this old version of Flash using the Add/Remove programs applet.
Adobe Flash Player 9
===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before your download I suggest you unckeck the box on the top right "Include in your download" this is not required. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.

Please let me know what problem persists.

#5 joshpreston

joshpreston
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:06:17 PM

Posted 16 July 2012 - 02:04 AM

Took care of everything you said. I'll let you know if anything persists here in the next day or so. Thanks very much!

#6 joshpreston

joshpreston
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:06:17 PM

Posted 20 July 2012 - 04:14 PM

Nasdaq, I'm still getting the occasional redirect from a Google search result...

#7 nasdaq

nasdaq

  • Malware Response Team
  • 40,213 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:17 PM

Posted 21 July 2012 - 09:52 AM

Execute this. If the redirection continue do the next one.

Go Posted Image > run box and type cmd and hit OK
type
ipconfig /flushdns <-- (The space between g and / is needed) press the Enter key.

repeat with
ipconfig /renew

Then type Exit, hit the Enter key
*/*

Launch Notepad, and copy/paste all the blue instructions below to it.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]


Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.

On a Vista or Windows 7 operating system right click on the fixme.reg file and run as Administrator.

Optional if the following programs are in your computer.
Note that since the Domains are deleted SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again, also you have to re-install IE-SpyAd if installed.


If still a problem and you are connected to a Wireless router execute this.

How to Reset a Router Back to the Factory Default Settings
http://www.ehow.com/how_2110924_reset-back-factory-default-settings.html

Then, please reconfigure it back to your preferred setting.. Below is the list of default username and password, should you don't know it ;)

http://www.routerpasswords.com/
http://www.phenoelit-us.org/dpl/dpl.html
===

Reset for Linksys, Netgear, D-Link and Belkin Routers
http://www.techsupportforum.com/2763-reset-for-linksys-netgear-d-link-and-belkin-routers/

How to Secure Your Wireless Router
http://www.ehow.com/how_2253625_secure-wireless-router.html

Keep me posted.

#8 joshpreston

joshpreston
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:06:17 PM

Posted 21 July 2012 - 03:23 PM

Took care of the first step... I'll try it and see if I get anymore redirects and keep you posted. Thanks again!

#9 joshpreston

joshpreston
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:06:17 PM

Posted 23 July 2012 - 12:55 AM

Still have the occasional redirect. It is the scour.com redirect if that helps. Thanks again for your continued help!

#10 nasdaq

nasdaq

  • Malware Response Team
  • 40,213 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:17 PM

Posted 23 July 2012 - 10:13 AM

Please Download
TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
    Posted Image
  • If a suspicious file is detected, the default action will be Skip, click on Continue
    Posted Image
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive ((usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

===

Run ComboFix one more time and post the log also.

#11 joshpreston

joshpreston
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:06:17 PM

Posted 23 July 2012 - 09:42 PM

TDSS didn't pick anything up. Also, I went back over your last post and I did NOT reset my router. Could this really have something to do with the router, though? I am connected via ethernet to it (if that matters, just saying cause you specified wireless in your last post).


Here's the ComboFix log:

ComboFix 12-07-24.01 - Joshua 07/23/2012 18:59:28.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1510 [GMT -7:00]
Running from: c:\documents and settings\Joshua\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\boost_interprocess\20120723183121.725056
c:\documents and settings\All Users\Application Data\boost_interprocess\20120723183121.725056\plex_frame_mutex
.
.
((((((((((((((((((((((((( Files Created from 2012-06-24 to 2012-07-24 )))))))))))))))))))))))))))))))
.
.
2012-07-21 10:21 . 2012-07-21 10:21 -------- d-----w- C:\found.000
2012-07-21 04:43 . 2012-07-21 04:43 -------- d-----w- c:\documents and settings\Joshua\Local Settings\Application Data\Sun
2012-07-16 05:08 . 2012-07-16 05:08 -------- d-----w- c:\program files\Oracle
2012-07-16 05:07 . 2012-07-16 05:07 -------- d-----w- c:\documents and settings\Joshua\Application Data\Oracle
2012-07-16 05:07 . 2012-07-06 05:07 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-07-13 19:23 . 2012-07-13 19:23 476976 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-07-08 05:48 . 2012-07-08 05:48 27424 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-07-08 05:37 . 2012-07-08 05:46 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2012-07-08 04:24 . 2012-07-08 04:24 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2012-07-08 04:22 . 2012-07-08 04:22 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2012-07-07 20:17 . 2012-07-07 20:17 -------- d-----w- c:\documents and settings\Joshua\Local Settings\Application Data\{A6B615AA-C870-11E1-8270-B8AC6F996F26}
2012-07-07 20:15 . 2012-07-08 04:16 -------- d-----w- c:\documents and settings\All Users\Application Data\F4D55EFF000452160001432BD151FC4E
2012-07-04 05:13 . 2012-07-04 05:18 -------- d-----w- c:\documents and settings\Joshua\Application Data\Nico Mak Computing
2012-07-04 01:42 . 2012-07-12 18:06 -------- d-----w- c:\windows\system32\NtmsData
2012-07-02 07:07 . 2012-07-02 07:07 -------- d-----w- c:\program files\EPUB to MOBI
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-11 20:29 . 2012-05-08 03:27 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-11 20:29 . 2011-06-12 01:09 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-06 05:06 . 2010-04-18 21:53 687544 ----a-w- c:\windows\system32\deployJava1.dll
2012-06-13 13:19 . 2008-11-16 07:32 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50 . 2009-05-03 01:46 1372672 ------w- c:\windows\system32\msxml6.dll
2012-06-05 15:50 . 2004-08-04 09:56 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32 . 2008-11-16 07:32 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 22:19 . 2007-06-01 01:05 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 22:19 . 2007-06-01 01:05 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 22:19 . 2007-01-20 23:09 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 22:19 . 2007-01-20 23:09 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 22:19 . 2007-01-20 23:09 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 22:19 . 2007-06-01 01:05 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 22:19 . 2007-01-20 23:09 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2007-01-20 23:09 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2005-05-26 12:16 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2004-08-04 09:56 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 22:19 . 2007-06-01 01:05 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 22:19 . 2007-01-20 23:09 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2007-01-20 23:09 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:18 . 2008-12-28 22:15 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 22:18 . 2008-12-28 22:15 214256 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 22:18 . 2008-12-28 22:15 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-31 13:22 . 2004-08-04 09:56 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2004-08-04 09:56 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-11 14:42 . 2004-08-04 09:56 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 14:42 . 2004-08-04 09:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 11:38 . 2004-08-04 07:59 385024 ----a-w- c:\windows\system32\html.iec
2012-05-04 13:16 . 2008-11-16 07:32 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2008-11-16 07:32 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2008-11-16 07:32 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2004-10-01 23:00 . 2007-01-21 01:03 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2012-06-17 02:06 . 2011-05-01 19:54 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-15_16.21.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-07-24 01:35 . 2012-07-24 01:35 16384 c:\windows\temp\Perflib_Perfdata_13c.dat
+ 2007-01-31 04:16 . 2012-07-21 09:04 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2007-01-31 04:16 . 2012-05-10 10:03 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2007-01-31 04:16 . 2012-05-10 10:03 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2007-01-31 04:16 . 2012-07-21 09:04 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2007-01-31 04:16 . 2012-05-10 10:03 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2007-01-31 04:16 . 2012-07-21 09:04 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2007-01-31 04:16 . 2012-05-10 10:03 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2007-01-31 04:16 . 2012-07-21 09:04 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2007-01-31 04:16 . 2012-05-10 10:03 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2007-01-31 04:16 . 2012-07-21 09:04 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2007-01-31 04:16 . 2012-07-21 09:04 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2007-01-31 04:16 . 2012-05-10 10:03 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2011-06-06 19:55 . 2011-06-06 19:55 17304 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\ViewerPS.dll
+ 2011-06-06 19:55 . 2011-06-06 19:55 35736 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\reader_sl.exe
+ 2011-06-06 19:55 . 2011-06-06 19:55 88992 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\PDFPrevHndlr.dll
+ 2011-06-06 19:55 . 2011-06-06 19:55 94608 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\eula.exe
+ 2011-06-06 19:55 . 2011-06-06 19:55 49064 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\acrotextextractor.exe
+ 2011-06-06 19:55 . 2011-06-06 19:55 17824 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRd32Info.exe
+ 2011-06-06 19:55 . 2011-06-06 19:55 63912 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\acroiehelpershim.dll
+ 2011-06-06 19:55 . 2011-06-06 19:55 64928 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroIEHelper.dll
+ 2011-06-06 19:55 . 2011-06-06 19:55 63384 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\Acrofx32.dll
+ 2007-01-31 04:16 . 2012-07-21 09:04 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2007-01-31 04:16 . 2012-05-10 10:03 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2012-07-16 05:07 . 2012-07-06 05:06 227760 c:\windows\system32\javaws.exe
+ 2012-07-16 05:07 . 2012-07-16 05:07 174064 c:\windows\system32\javaw.exe
+ 2012-07-16 05:07 . 2012-07-16 05:07 174064 c:\windows\system32\java.exe
+ 2007-01-20 06:50 . 2012-07-21 10:23 255864 c:\windows\system32\FNTCACHE.DAT
- 2007-01-20 06:50 . 2012-06-15 18:55 255864 c:\windows\system32\FNTCACHE.DAT
+ 2008-12-05 06:54 . 2012-06-04 04:32 152576 c:\windows\system32\dllcache\schannel.dll
- 2010-11-09 14:52 . 2010-11-09 14:52 536576 c:\windows\system32\dllcache\msado15.dll
+ 2010-11-09 14:52 . 2012-05-28 18:16 536576 c:\windows\system32\dllcache\msado15.dll
+ 2012-07-16 05:08 . 2012-07-16 05:08 176128 c:\windows\Installer\f2363e7.msi
+ 2012-07-16 05:08 . 2012-07-16 05:08 457216 c:\windows\Installer\f2363e2.msi
+ 2012-07-16 05:07 . 2012-07-16 05:07 863744 c:\windows\Installer\f2363de.msi
+ 2007-01-31 04:16 . 2012-07-21 09:04 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2007-01-31 04:16 . 2012-05-10 10:03 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2007-01-31 04:16 . 2012-07-21 09:04 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2007-01-31 04:16 . 2012-05-10 10:03 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2007-01-31 04:16 . 2012-05-10 10:03 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2007-01-31 04:16 . 2012-07-21 09:04 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2007-01-31 04:16 . 2012-05-10 10:03 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2007-01-31 04:16 . 2012-07-21 09:04 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2007-01-31 04:16 . 2012-05-10 10:03 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2007-01-31 04:16 . 2012-07-21 09:04 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2007-01-31 04:16 . 2012-07-21 09:04 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2007-01-31 04:16 . 2012-05-10 10:03 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2011-06-06 19:55 . 2011-06-06 19:55 249232 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\sqlite.dll
+ 2011-06-06 19:55 . 2011-06-06 19:55 394136 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\pdfshell.dll
+ 2011-06-06 19:55 . 2011-06-06 19:55 103848 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\PDFPrevHndlrShim.exe
+ 2011-06-06 19:55 . 2011-06-06 19:55 183696 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\nppdf32.dll
+ 2011-06-06 19:55 . 2011-06-06 19:55 104344 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AiodLite.dll
+ 2011-06-06 19:55 . 2011-06-06 19:55 937920 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\adobearm.exe
+ 2011-06-06 19:55 . 2011-06-06 19:55 102808 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRdIF.dll
+ 2011-06-06 19:55 . 2011-06-06 19:55 755088 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroPDF.dll
+ 2011-06-06 19:55 . 2011-06-06 19:55 296344 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\acrobroker.exe
+ 2011-06-06 19:55 . 2011-06-06 19:55 205720 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\a3dutils.dll
+ 2004-08-04 09:56 . 2012-06-08 14:26 8462848 c:\windows\system32\shell32.dll
+ 2008-10-16 02:41 . 2012-06-13 13:19 1866112 c:\windows\system32\dllcache\win32k.sys
+ 2008-06-17 19:02 . 2012-06-08 14:26 8462848 c:\windows\system32\dllcache\shell32.dll
+ 2009-05-03 01:46 . 2012-06-05 15:50 1372672 c:\windows\system32\dllcache\msxml6.dll
- 2009-05-03 01:46 . 2009-07-31 18:05 1372672 c:\windows\system32\dllcache\msxml6.dll
+ 2004-08-04 09:56 . 2012-06-05 15:50 1172480 c:\windows\system32\dllcache\msxml3.dll
- 2004-08-04 09:56 . 2010-06-14 07:41 1172480 c:\windows\system32\dllcache\msxml3.dll
+ 2012-06-29 21:33 . 2012-06-29 21:33 6063616 c:\windows\Installer\f437e9.msp
+ 2012-07-16 05:05 . 2012-07-16 05:05 2295808 c:\windows\Installer\f2363d9.msi
+ 2011-06-06 19:55 . 2011-06-06 19:55 2215312 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\rt3d.dll
+ 2011-06-06 19:55 . 2011-06-06 19:55 1189004 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\JSByteCodeWin.bin
+ 2011-06-06 19:55 . 2011-06-06 19:55 6543768 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\authplay.dll
+ 2011-06-06 19:55 . 2011-06-06 19:55 1240992 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AdobeCollabSync.exe
+ 2011-06-06 19:55 . 2011-06-06 19:55 1480600 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRd32.exe
+ 2009-01-15 17:39 . 2012-07-21 09:07 57442464 c:\windows\system32\MRT.exe
+ 2012-04-04 11:17 . 2012-04-04 11:17 16613376 c:\windows\Installer\f2363da.msp
+ 2011-06-06 19:55 . 2011-06-06 19:55 24731544 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRd32.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Joshua\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Joshua\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Joshua\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Joshua\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Plex Media Server"="c:\program files\Plex\Plex Media Server\Plex Media Server.exe" [2012-06-04 3029112]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"ACD mPower Tools"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
"x3watch"="c:\program files\X3watch\x3watch.exe" [2010-05-22 299008]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-05-25 13895272]
"NvMediaCenter"="NvMCTray.dll" [2011-05-25 111208]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2009-11-11 771360]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
c:\documents and settings\Joshua\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Joshua\Application Data\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-23 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2005-11-28 23:52 176128 ----a-w- c:\progra~1\Stardock\OBJECT~2\WINDOW~1\WbSrv.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-04-04 05:53 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ai Gear Help]
2006-07-28 04:39 415744 ----a-w- c:\program files\ASUS\Ai Gear\GearHelp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ai Nap]
2006-09-07 19:26 1419264 ----a-w- c:\program files\ASUS\Ai Nap\AiNap.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIRECTCD]
2005-10-25 08:49 299008 ----a-w- c:\program files\InterVideo\Disc Master 2.5\DirectCD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch Ai Booster]
2006-07-14 00:32 3712512 ----a-w- c:\program files\ASUS\AI Booster\OverClk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2011-05-05 07:02 1632360 ----a-w- c:\program files\NVIDIA Corporation\nView\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-06 01:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2006-09-01 06:39 860160 ----a-r- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINCINEMAMGR]
2005-01-21 10:47 270336 ----a-w- c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Plex\\Plex Media Server\\PlexDlnaServer.exe"=
"c:\\Program Files\\Plex\\Plex Media Server\\PlexScriptHost.exe"=
"c:\\Program Files\\Plex\\Plex Media Server\\Plex Media Server.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
.
R0 ivicd;Ivi CDVD Filter Driver;c:\windows\system32\drivers\ivicd.sys [1/21/2007 1:34 PM 38784]
R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [8/30/2006 12:43 AM 70784]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 11:25 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [5/4/2011 10:54 AM 116608]
R2 Marvell RAID;Marvell RAID Event Agent;c:\program files\Marvell\61xx\svc\mvraidsvc.exe [8/9/2006 8:46 PM 114688]
R2 MRUWebService;MRU Web Service;c:\program files\Marvell\61xx\Apache2\bin\Apache.exe [6/26/2006 2:16 PM 20541]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [6/24/2011 10:22 PM 2214504]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [2/9/2007 7:24 PM 47360]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [5/7/2012 8:27 PM 250056]
S3 hitmanpro36;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro36.sys [7/7/2012 10:48 PM 27424]
S3 iviudf;iviudf;c:\windows\system32\drivers\IviUdf.sys [1/21/2007 1:34 PM 126592]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/5/2012 1:17 AM 113120]
S3 SkLaggProtocol;SysKonnect Link Aggregation Protocol (LAGG) Support;c:\windows\system32\DRIVERS\yk51lagg.sys --> c:\windows\system32\DRIVERS\yk51lagg.sys [?]
S3 SkVlanProtocol;SysKonnect Virtual LAN (VLAN) Support;c:\windows\system32\drivers\skvlan.sys [11/30/2005 3:15 AM 19328]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 40418393
*Deregistered* - 40418393
*Deregistered* - udffsrec
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-23 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-08 20:29]
.
2012-07-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
.
2012-07-24 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 23:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?l=dis&o=14597
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.0.1.1
FF - ProfilePath - c:\documents and settings\Joshua\Application Data\Mozilla\Firefox\Profiles\q4pn0t9b.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-23 19:10
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-515967899-1957994488-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:82,ac,69,86,14,71,5a,c3,84,46,08,70,14,01,77,27,df,8b,46,48,dc,89,55,
2a,c6,aa,fa,6a,ef,89,28,55,74,ce,21,8d,21,e5,20,e0,ab,98,e0,05,d7,17,42,29,\
"??"=hex:07,61,a4,9c,60,3d,9c,4d,bd,1a,6a,f4,d7,db,34,aa
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\01\02\0a\16&\16?"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(716)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\progra~1\Stardock\OBJECT~2\WINDOW~1\wbsrv.dll
.
Completion time: 2012-07-23 19:11:53
ComboFix-quarantined-files.txt 2012-07-24 02:11
ComboFix2.txt 2012-07-15 16:23
.
Pre-Run: 18,445,950,976 bytes free
Post-Run: 18,435,629,056 bytes free
.
- - End Of File - - 3E6E2B63F653E400D782D6662E5F6E9A

#12 nasdaq

nasdaq

  • Malware Response Team
  • 40,213 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:17 PM

Posted 24 July 2012 - 07:06 AM

Yes the router could be infected.

If other are also connected to it and not getting this redirection then it's not the router.

#13 joshpreston

joshpreston
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:06:17 PM

Posted 24 July 2012 - 12:25 PM

Yeah, no redirects on the other computers.

#14 joshpreston

joshpreston
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:06:17 PM

Posted 24 July 2012 - 08:21 PM

The latest redirect was to newsfudge.com if that helps you narrow anything down!

#15 nasdaq

nasdaq

  • Malware Response Team
  • 40,213 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:17 PM

Posted 25 July 2012 - 09:00 AM

No these redirection are caused by some Java script, Plugins or extensions.

Disable all the plugins in the Browser you normally used.

If the issues remains disable the extensions.

Keep me posted.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users