
InfoMash redirect


13 replies to this topic

#1 jpd9930

jpd9930

  • Members
  • 221 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:41 AM

Posted 12 August 2012 - 01:00 PM

EDIT:

"One more thing to mention...after running GMER I am not able to use any desktop icons. I can not use any links in the start menu. If I did not have Google Chrome I would not be able to post here now. When I ran GMER it took a long time to run. I don't recall that happening before. The quick launch icons have no response either...I have normal navigation once I get a window open.

The only way I can reply is the email notification.

One point I left out on the original problem is when I do a search in google the results come up as normal. When I click on the link I want I get the search results redirect.

Thanks in advance

Jon

PS I won't pump this again but I needed to point out the icon issue"





original forum request:

http://www.bleepingcomputer.com/forums/topic458875.html/page__st__30



ran requested programs:

DDS:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_33
Run by Jon at 11:07:52 on 2012-08-12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3039.1793 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
D:\Program files\java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\tardisnt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
D:\firefox\firefox.exe
D:\firefox\plugin-container.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\SyncServer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - d:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [msaplp] rundll32.exe "c:\documents and settings\jon.amd3\application data\msaplp.dll",SteamAPI_RestartAppIfNecessary
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [sntsi] "c:\windows\system32\rundll32.exe" "c:\documents and settings\jon.amd3\application data\sntsi.dll",GetBBHwnd
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [wimap] "c:\windows\system32\rundll32.exe" "c:\documents and settings\jon.amd3\application data\wimap.dll",WithUnicodeFilename
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
TCP: DhcpNameServer = 192.168.100.1
TCP: Interfaces\{252A8FE0-CED4-41BD-889C-E7183F0E4323} : DhcpNameServer = 192.168.100.1
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\jon.amd3\application data\mozilla\firefox\profiles\zuqse4n8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\jon.amd3\local settings\application data\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_268.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - plugin: d:\firefox\plugins\npCouponPrinter.dll
FF - plugin: d:\firefox\plugins\npMozCouponPrinter.dll
FF - plugin: d:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: d:\program files\java\jre6\bin\plugin2\npjp2.dll
.
============= SERVICES / DRIVERS ===============
.
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2011-12-24 13696]
R1 FsFilter;FsFilter;c:\documents and settings\jon.amd3\application data\adobe\rxsupply.sys [2012-6-16 21504]
R2 Tardis;Tardis time service;c:\windows\system32\tardisnt.exe [2011-12-25 233472]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2010-3-9 2116480]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-3-30 250056]
S3 AMBFilt;AMBFilt;c:\windows\system32\drivers\Ambfilt.sys [2009-6-26 1656960]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [2012-6-6 23456]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-26 113120]
S4 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-6-2 22344]
S4 MBAMService;MBAMService;d:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-5-8 654408]
.
=============== Created Last 30 ================
.
2012-07-24 19:34:28 -------- d-----w- c:\documents and settings\jon.amd3\local settings\application data\{92652E13-D5C6-11E1-8270-B8AC6F996F26}
2012-07-24 19:34:26 434688 ----a-w- c:\documents and settings\jon.amd3\application data\wimap.dll
2012-07-21 00:24:37 -------- d-----w- c:\documents and settings\jon.amd3\local settings\application data\Apple Computer
2012-07-21 00:24:29 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-07-21 00:24:29 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2012-07-21 00:23:16 -------- d-----w- c:\documents and settings\all users.windows\application data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2012-07-21 00:22:58 -------- d-----w- c:\documents and settings\jon.amd3\local settings\application data\Apple
2012-07-21 00:22:47 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-07-21 00:22:47 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
.
==================== Find3M ====================
.
2012-08-02 20:54:23 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-02 20:54:22 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-24 14:12:28 230808 ----a-r- c:\windows\system32\cpnprt2.cid
2012-06-19 12:48:13 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-06-19 12:48:13 476936 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-06-19 12:48:12 472840 ----a-w- c:\windows\system32\deployJava1.dll
2012-06-13 13:19:59 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-08 21:01:44 123904 --sha-w- c:\documents and settings\jon.amd3\application data\msaplp.dll
2012-06-06 13:01:15 23456 ----a-w- c:\windows\system32\drivers\DrvAgent32.sys
2012-06-05 15:50:25 1372672 ------w- c:\windows\system32\msxml6.dll
2012-06-05 15:50:25 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32:08 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 19:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll
.
============= FINISH: 11:08:17.55 ===============


---------------------------------------------------------------------------------------------------------------------

Attach:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/24/2011 11:40:23 AM
System Uptime: 8/1/2012 11:08:21 AM (264 hours ago)
.
Motherboard: BIOSTAR Group | | N68S3B
Processor: AMD Phenom™ II X2 555 Processor | CPU 1 | 3214/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 29 GiB total, 0.195 GiB free.
D: is FIXED (NTFS) - 120 GiB total, 94.131 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Ethernet Controller
Device ID: PCI\VEN_1186&DEV_4C00&SUBSYS_4C001186&REV_11\4&25700A26&0&3020
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_1186&DEV_4C00&SUBSYS_4C001186&REV_11\4&25700A26&0&3020
Service:
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
7-zip v9.20
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.3)
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
Canon IJ Network Scan Utility
Canon IJ Network Tool
Canon MP620 series MP Drivers
Coupon Printer for Windows
DriverAgent by eSupport.com
ESET Online Scanner v3
Google Chrome
High Definition Audio Driver Package - KB888111
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB945060-v3)
Hotfix for Windows XP (KB952287)
iTunes
Java Auto Updater
Java™ 6 Update 33
Malwarebytes Anti-Malware version 1.61.0.1400
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218
Mozilla Firefox 14.0.1 (x86 en-US)
Mozilla Maintenance Service
NVIDIA Drivers
Platform
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2709162)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
Tardis 2000 V1.6
Timex Data Link USB
Update for Windows Internet Explorer 8 (KB2598845)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2718704)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VIA Platform Device Manager
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 8
Windows XP Service Pack 3
.
==== Event Viewer Messages From Past Week ========
.
8/10/2012 10:45:15 AM, error: Print [6161] - The document TraditionalPicnicTable.pdf owned by Jon failed to print on printer Canon MP620 series Printer. Data type: NT EMF 1.008. Size of the spool file in bytes: 3494176. Number of bytes printed: 258592. Total number of pages in the document: 7. Number of pages printed: 0. Client machine: \\AMD3. Win32 error code returned by the print processor: 13 (0xd).
.
==== End Of File ===========================

-------------------------------------------------------------------------------------------------------------------------------------

GMER:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-08-12 13:13:48
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Scsi\nvgts1Port2Path0Target0Lun0 ST316081 rev.3.AA
Running: 2o54wr4k[1].exe; Driver: C:\DOCUME~1\JON~1.AMD\LOCALS~1\Temp\ugtdrpow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text Ntfs.sys B7DF4F2F 6 Bytes PUSH B7B0F420; RET \??\c:\documents and settings\jon.amd3\application data\adobe\rxsupply.sys
? C:\WINDOWS\system32\drivers\Ntfs.sys The system cannot find the file specified.
.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xB71B6360, 0x3CDCE5, 0xE8000020]
? c:\documents and settings\jon.amd3\application data\adobe\rxsupply.sys The system cannot find the file specified.
? C:\DOCUME~1\JON~1.AMD\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1624] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1624] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAD4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1624] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E7207 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1624] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E7139 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1624] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E71A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1624] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E700A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1624] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E706C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1624] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E726A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1624] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E70CE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2104] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2104] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A65 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2104] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD0DD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2104] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAD4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2104] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2104] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E7207 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2104] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E7139 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2104] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E71A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2104] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E700A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2104] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E706C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2104] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E726A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2104] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E70CE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2104] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 3E2EDB30 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2104] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 3E3E756F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text D:\firefox\firefox.exe[2652] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 0116B52A D:\firefox\xul.dll (Mozilla Foundation)
.text D:\firefox\firefox.exe[2652] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 0141B6F5 D:\firefox\xul.dll (Mozilla Foundation)
.text D:\firefox\firefox.exe[2652] kernel32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 0141B6D2 D:\firefox\xul.dll (Mozilla Foundation)
.text D:\firefox\firefox.exe[2652] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 0141B653 D:\firefox\xul.dll (Mozilla Foundation)
.text D:\firefox\plugin-container.exe[2884] USER32.dll!DefWindowProcA + 11A 7E42C298 7 Bytes JMP 1067C453 D:\firefox\xul.dll (Mozilla Foundation)
.text D:\firefox\plugin-container.exe[2884] USER32.dll!SetWindowLongA + 19 7E42C2B6 7 Bytes JMP 1067C3E2 D:\firefox\xul.dll (Mozilla Foundation)
.text D:\firefox\plugin-container.exe[2884] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 1043BACC D:\firefox\xul.dll (Mozilla Foundation)
.text D:\firefox\plugin-container.exe[2884] USER32.dll!GetMenuContextHelpId + 1A 7E465319 7 Bytes JMP 1043C0F9 D:\firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7216] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7216] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAD4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7216] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E7207 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7216] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E7139 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7216] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E71A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7216] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E700A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7216] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E706C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7216] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E726A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7216] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E70CE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7976] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7976] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A65 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7976] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD0DD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7976] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAD4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7976] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7976] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E7207 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7976] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E7139 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7976] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E71A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7976] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E700A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7976] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E706C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7976] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E726A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7976] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E70CE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7976] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 3E2EDB30 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7976] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 3E3E756F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8876] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8876] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A65 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8876] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD0DD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8876] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAD4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8876] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8876] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E7207 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8876] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E7139 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8876] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E71A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8876] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E700A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8876] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E706C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8876] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E726A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8876] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E70CE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8876] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 3E2EDB30 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8876] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 3E3E756F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs rxsupply.sys

---- EOF - GMER 1.0.15 ----

Edited by jpd9930, 12 August 2012 - 04:12 PM.



#2 nasdaq

  • Malware Response Team
  • 38,747 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 17 August 2012 - 09:44 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

I do not see any Security software on this computer.
If that is the case please install Microsoft Security Essentials and run it before proceeding.
It's very unwise to use the Internet without any security programs.
http://windows.microsoft.com/en-US/windows/products/security-essentials
===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Close any open browsers and all other running programs. Make sure you save your file if working on a document.
  • Do not install any other programs until this is fixed.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

    Unfortunately, the Microsoft link is down at the moment. Ignore the request to install the Console if that is still the case.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third-party programs, if not up to date, can be the cause of infiltration by an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.

Please post the logs and let me know if the problem persists.

#3 jpd9930
  • Topic Starter

  • Members
  • 221 posts
  • Gender:Male

Posted 17 August 2012 - 12:04 PM

Figures. I won't be able to reply to this thread for a few days... be advised also. For reasons other than this problem I had to reload WinXP Pro between when I posted this thread and now. Should I re-post the information I have already posted or start from your post?

I don't seem to be getting redirects after re-installing XP.

please advise.

#4 nasdaq

  • Malware Response Team
  • 38,747 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 17 August 2012 - 01:44 PM

Forget about ComboFix; just run the last 2 programs.

#5 nasdaq

  • Malware Response Team
  • 38,747 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 23 August 2012 - 08:31 AM

Are you still with me?

#6 jpd9930
  • Topic Starter

  • Members
  • 221 posts
  • Gender:Male

Posted 24 August 2012 - 06:30 PM

Yeah, still here... upgraded to IE8 from IE6 after the XP reinstall and the redirect came back... not sure if that is of any value...

I will run all things you requested.

#7 jpd9930
  • Topic Starter

  • Members
  • 221 posts
  • Gender:Male

Posted 24 August 2012 - 06:46 PM

ComboFix 12-08-24.02 - Jon 08/24/2012 19:36:32.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3039.2516 [GMT -4:00]
Running from: c:\documents and settings\Jon.AMD3\Desktop\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - WINDOWS: deleted 128 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Jon.AMD3\Application Data\msaplp.dll
c:\documents and settings\Jon.AMD3\Application Data\wimap.dll
c:\documents and settings\Jon.AMD3\Recent\American ....url
c:\documents and settings\Jon\WINDOWS
c:\program files\Common Files\Uninstall
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\temp\fse
c:\temp\fse\tmpZTF.log
c:\windows\system32\dllcache\dlimport.exe
c:\windows\system32\dllcache\wmpvis.dll
c:\windows\system32\service
.
.
((((((((((((((((((((((((( Files Created from 2012-07-24 to 2012-08-24 )))))))))))))))))))))))))))))))
.
.
2012-08-15 16:27 . 2008-04-14 09:42 1306624 -c----w- c:\windows\system32\dllcache\msxml6.dll
2012-08-15 16:25 . 2008-04-14 09:41 33792 -c----w- c:\windows\system32\dllcache\custsat.dll
2012-08-15 16:23 . 2006-12-29 04:31 19569 ----a-w- c:\windows\003440_.tmp
2012-08-15 15:58 . 2002-08-29 12:00 10129408 -c--a-w- c:\windows\system32\dllcache\hwxkor.dll
2012-08-15 15:57 . 2008-04-14 09:42 45568 ----a-w- c:\windows\system32\safrslv.dll
2012-08-15 15:56 . 2008-04-14 09:42 217088 ----a-w- c:\program files\Common Files\System\Ole DB\sqlxmlx.dll
2012-08-15 15:54 . 2008-04-14 04:15 52864 ----a-w- c:\windows\system32\drivers\dmusic.sys
2012-08-15 15:54 . 2008-04-14 04:15 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2012-08-15 15:54 . 2008-04-14 04:10 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2012-08-15 15:52 . 2008-04-14 09:42 129536 ----a-w- c:\windows\system32\ksproxy.ax
2012-08-15 15:52 . 2008-04-14 09:41 4096 ----a-w- c:\windows\system32\ksuser.dll
2012-08-15 15:49 . 2008-04-14 09:43 40840 ----a-w- c:\windows\system32\drivers\termdd.sys
2012-08-15 15:49 . 2008-04-14 04:02 196224 ----a-w- c:\windows\system32\drivers\rdpdr.sys
2012-08-15 15:48 . 2008-04-14 09:42 741376 ----a-w- c:\program files\Common Files\Microsoft Shared\Speech\sapi.dll
2012-08-15 15:48 . 2008-04-14 09:42 146432 ----a-w- c:\windows\system\winspool.drv
2012-08-15 15:48 . 2008-04-14 04:24 11264 ----a-w- c:\windows\system32\drivers\irenum.sys
2012-08-15 15:48 . 2002-08-29 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2012-08-15 15:48 . 2002-08-29 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2012-08-15 15:48 . 2002-08-29 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2012-08-15 15:48 . 2002-08-29 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2012-08-15 15:48 . 2008-04-14 09:42 74752 ----a-w- c:\windows\system32\storprop.dll
2012-08-15 15:48 . 2002-08-29 12:00 13608 ----a-r- c:\windows\SETD5.tmp
2012-08-15 15:48 . 2002-08-29 12:00 1086182 ----a-r- c:\windows\SETC0.tmp
2012-08-15 15:13 . 2012-08-15 16:32 -------- d-----w- c:\windows\system32\wbem\Repository
2012-08-15 14:58 . 2012-08-15 16:32 -------- d-----w- c:\documents and settings\Jon.AMD3\Local Settings\Application Data\LogMeIn Rescue Applet
2012-07-27 20:51 . 2012-07-27 20:51 184248 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-15 08:54 . 2012-03-30 15:34 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-15 08:54 . 2011-12-24 17:23 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-06 02:43 . 2012-07-05 23:11 181064 ----a-w- c:\windows\PSEXESVC.EXE
2012-06-24 14:12 . 2012-03-18 13:26 230808 ----a-r- c:\windows\system32\cpnprt2.cid
2012-06-19 12:48 . 2012-06-19 12:48 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-06-19 12:48 . 2012-06-19 12:48 476936 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-06-19 12:48 . 2012-05-18 13:05 472840 ----a-w- c:\windows\system32\deployJava1.dll
2012-06-06 13:01 . 2012-06-06 13:01 23456 ----a-w- c:\windows\system32\drivers\DrvAgent32.sys
2012-06-05 15:50 . 2011-12-24 17:33 1372672 ------w- c:\windows\system32\msxml6.dll
2012-06-02 19:19 . 2009-08-07 00:24 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19 . 2011-12-24 17:33 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 19:19 . 2011-12-24 17:33 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 19:19 . 2009-08-07 00:24 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19 . 2011-12-24 17:33 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 19:19 . 2009-08-07 00:24 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 19:19 . 2009-08-07 00:24 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19 . 2009-08-07 00:24 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 19:19 . 2011-12-24 17:33 577048 ----a-w- c:\windows\system32\wuapi.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-04-14 . 78A08DD6A8D65E697C18E1DB01C5CDCA . 574976 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ntfs.sys
[-] 2002-08-29 12:00 . !HASH: COULD NOT OPEN FILE !!!!! . 561920 . . [------] . . c:\windows\system32\drivers\ntfs.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-07 421776]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"d:\\Program files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"d:\\Program files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [12/24/2011 12:52 PM 13696]
R1 FsFilter;FsFilter;c:\documents and settings\Jon.AMD3\Application Data\Adobe\rxsupply.sys [6/16/2012 5:24 PM 21504]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [3/9/2010 7:09 PM 2116480]
S2 Tardis;Tardis time service;c:\windows\system32\tardisnt.exe [12/25/2011 2:51 PM 233472]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [3/30/2012 11:34 AM 250056]
S3 AMBFilt;AMBFilt;c:\windows\system32\drivers\Ambfilt.sys [6/26/2009 4:29 PM 1656960]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [6/6/2012 9:01 AM 23456]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;d:\program files\Microsoft Office\Office14\GROOVE.EXE [3/25/2010 10:25 AM 30969208]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [4/26/2012 6:39 PM 113120]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
S4 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/2/2012 11:03 AM 22344]
S4 MBAMService;MBAMService;d:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/8/2010 9:12 AM 654408]
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-24 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 08:54]
.
2012-08-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2012-07-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-1563985344-682003330-1003Core.job
- c:\documents and settings\Jon.AMD3\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-06-23 01:53]
.
2012-07-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-1563985344-682003330-1003UA.job
- c:\documents and settings\Jon.AMD3\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-06-23 01:53]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: Se&nd to OneNote - d:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.100.1
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-nwiz - nwiz.exe
HKLM-Run-NvCplDaemon - c:\windows\System32\NvCpl.dll
HKLM-Run-msaplp - c:\documents and settings\Jon.AMD3\Application Data\msaplp.dll
HKLM-Run-NvMediaCenter - c:\windows\System32\NvMcTray.dll
HKLM-Run-sntsi - c:\documents and settings\Jon.AMD3\Application Data\sntsi.dll
HKLM-Run-wimap - c:\documents and settings\Jon.AMD3\Application Data\wimap.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-24 19:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-08-24 19:40:54
ComboFix-quarantined-files.txt 2012-08-24 23:40
.
Pre-Run: 821,682,176 bytes free
Post-Run: 1,297,592,320 bytes free
.
- - End Of File - - E3D24D09228E4228FC3D0417A25508B8


===========================================================================================================================

Results of screen317's Security Check version 0.99.46
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Please wait while WMIC compiles updated MOF files.
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.61.0.1400
Java™ 6 Update 33
Java version out of Date!
Adobe Flash Player 11.3.300.271
Adobe Reader X (10.1.4)
Mozilla Firefox (14.0.1)
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 47% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````


==================================================================================================================================

# AdwCleaner v1.801 - Logfile created 08/24/2012 at 19:42:45
# Updated 14/08/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Jon - AMD3
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Jon.AMD3\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Found : HKLM\SOFTWARE\Freeze.com

***** [Registre - GUID] *****

Key Found : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v14.0.1 (en-US)

-\\ Google Chrome v20.0.1132.47

*************************

AdwCleaner[R1].txt - [758 octets] - [24/08/2012 19:42:45]

########## EOF - C:\AdwCleaner[R1].txt - [885 octets] ##########

#8 nasdaq

  • Malware Response Team
  • 38,747 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 25 August 2012 - 08:16 AM

  • Please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with OK.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.
===

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present, remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 33


===

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64-bit, download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:


    :filefind
    ntfs.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt.

#9 jpd9930
  • Topic Starter

  • Members
  • 221 posts
  • Gender:Male

Posted 25 August 2012 - 01:23 PM

# AdwCleaner v1.801 - Logfile created 08/25/2012 at 14:04:41
# Updated 14/08/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Jon - AMD3
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Jon.AMD3\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Deleted : HKLM\SOFTWARE\Freeze.com

***** [Registre - GUID] *****

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v14.0.1 (en-US)

-\\ Google Chrome v20.0.1132.47

*************************

AdwCleaner[R1].txt - [885 octets] - [24/08/2012 19:42:45]
AdwCleaner[S1].txt - [821 octets] - [25/08/2012 14:04:41]

########## EOF - C:\AdwCleaner[S1].txt - [948 octets] ##########


========================================================================================================================

SystemLook 30.07.11 by jpshortstuff
Log created at 14:21 on 25/08/2012 by Jon
Administrator - Elevation successful

========== filefind ==========

Searching for "ntfs.sys"
C:\WINDOWS\ServicePackFiles\i386\ntfs.sys ------- 574976 bytes [04:45 14/04/2008] [04:45 14/04/2008] 78A08DD6A8D65E697C18E1DB01C5CDCA
C:\WINDOWS\system32\drivers\ntfs.sys --a---- 561920 bytes [12:00 29/08/2002] [12:00 29/08/2002] (Unable to calculate MD5)

-= EOF =-

=================================================================================================================================

#10 nasdaq

  • Malware Response Team
  • 38,747 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 26 August 2012 - 06:01 AM

Open notepad and copy/paste the text in the quote box below into it:

FCOPY::
C:\WINDOWS\system32\drivers\ntfs.sys | C:\

C:\WINDOWS\ServicePackFiles\i386\ntfs.sys | C:\WINDOWS\system32\drivers\ntfs.sys



Save this as CFScript.txt on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log.

Let me know what problem persists.
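What the Malware Response Team member is reacting to in the two logs above, and the shape of the CFScript in this post, as an added example that is not part of the original thread and is not code from ComboFix, SystemLook or their authors. It parses the service lines from the ComboFix log (post #7) and the :filefind lines from the SystemLook log (post #9), both embedded below as constructed sample input copied from those posts, flags a .sys driver that loads from a user profile and a live driver whose hash could not be read while its Service Pack reference copy differs in size, and renders the matching FCOPY:: directives. The line formats, the profile-path heuristic and all function names are my assumptions, inferred from these two logs only.

```python
"""Triage of the ComboFix and SystemLook lines quoted in this thread (added example)."""
import re
from collections import defaultdict

# Constructed sample input: service lines copied from the ComboFix log in
# post #7 and the :filefind result from the SystemLook log in post #9.
COMBOFIX_SERVICE_LINES = r"""
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [12/24/2011 12:52 PM 13696]
R1 FsFilter;FsFilter;c:\documents and settings\Jon.AMD3\Application Data\Adobe\rxsupply.sys [6/16/2012 5:24 PM 21504]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [3/9/2010 7:09 PM 2116480]
S4 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/2/2012 11:03 AM 22344]
"""

SYSTEMLOOK_FILEFIND_LINES = r"""
C:\WINDOWS\ServicePackFiles\i386\ntfs.sys ------- 574976 bytes [04:45 14/04/2008] [04:45 14/04/2008] 78A08DD6A8D65E697C18E1DB01C5CDCA
C:\WINDOWS\system32\drivers\ntfs.sys --a---- 561920 bytes [12:00 29/08/2002] [12:00 29/08/2002] (Unable to calculate MD5)
"""

# Both line formats are assumptions inferred from the two logs above.
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) \[(?P<meta>[^\]]+)\]$"
)
FILEFIND_RE = re.compile(
    r"^(?P<path>.+?) (?P<attr>[-a-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] "
    r"(?P<md5>[0-9A-Fa-f]{32}|\(Unable to calculate MD5\))$"
)
# Directory roots that hold user profiles on XP and on later Windows versions.
PROFILE_ROOTS = ("\\documents and settings\\", "\\users\\")


def find_profile_loaded_drivers(log_text):
    """Return (start_type, service_name, path) for every kernel driver (.sys)
    whose image sits under a user profile. Drivers belong under
    %SystemRoot%\\system32\\drivers; one registered from Application Data is a
    heuristic indicator (assumed here), not proof, but it is rarely benign."""
    hits = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        lowered = m.group("path").lower()
        if lowered.endswith(".sys") and any(root in lowered for root in PROFILE_ROOTS):
            hits.append((m.group("start"), m.group("name"), m.group("path")))
    return hits


def compare_driver_copies(filefind_text):
    """Group :filefind entries by file name and compare the live copy under
    system32\\drivers with the ServicePackFiles reference. Returns one finding
    per file name whose live copy is unreadable, or differs in hash or size."""
    entries = defaultdict(list)
    for line in filefind_text.splitlines():
        m = FILEFIND_RE.match(line.strip())
        if m:
            name = m.group("path").rsplit("\\", 1)[-1].lower()
            entries[name].append(m.groupdict())
    findings = []
    for name, copies in entries.items():
        ref = next((c for c in copies if "\\servicepackfiles\\" in c["path"].lower()), None)
        live = next((c for c in copies if "\\system32\\drivers\\" in c["path"].lower()), None)
        if ref is None or live is None:
            continue  # nothing to compare against
        reasons = []
        if live["md5"].startswith("("):
            reasons.append("hash of the live file could not be read while it sits on disk")
        elif live["md5"].upper() != ref["md5"].upper():
            reasons.append("MD5 differs from the Service Pack copy")
        if live["size"] != ref["size"]:
            reasons.append("size %s differs from Service Pack copy size %s" % (live["size"], ref["size"]))
        if reasons:
            findings.append({"name": name, "live": live["path"], "reference": ref["path"], "reasons": reasons})
    return findings


def build_cfscript(findings):
    """Render the FCOPY:: directives in the form used in this post: first back
    up the live file to C:\\, then overwrite it with the reference copy."""
    lines = ["FCOPY::"]
    for f in findings:
        lines.append("%s | C:\\" % f["live"])
        lines.append("%s | %s" % (f["reference"], f["live"]))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for start, name, path in find_profile_loaded_drivers(COMBOFIX_SERVICE_LINES):
        print("driver %s (%s) loads from a user profile: %s" % (name, start, path))
    findings = compare_driver_copies(SYSTEMLOOK_FILEFIND_LINES)
    for f in findings:
        print("%s: %s" % (f["name"], "; ".join(f["reasons"])))
    print(build_cfscript(findings))
```

The hash that cannot be computed is itself the signal: the file plainly exists on disk with a size and timestamps, so something between the scanner and the volume is refusing the read, and the GMER log earlier in the thread shows a device from rxsupply.sys attached to \FileSystem\Ntfs, which is exactly the position from which such reads can be refused. The known-good copy in ServicePackFiles, whose MD5 and version Sigcheck did report, is what the FCOPY step restores; comparing the two by size alone is a weak check, so treat the size mismatch as corroboration of the unreadable hash rather than as evidence on its own.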

#11 jpd9930
  • Topic Starter

  • Members
  • 221 posts
  • Gender:Male

Posted 26 August 2012 - 10:14 AM

ComboFix 12-08-25.04 - Jon 08/26/2012 10:59:23.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3039.1904 [GMT -4:00]
Running from: c:\documents and settings\Jon.AMD3\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jon.AMD3\Desktop\CFScript.txt
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\ServicePackFiles\i386\ntfs.sys --> c:\windows\system32\drivers\ntfs.sys
.
((((((((((((((((((((((((( Files Created from 2012-07-26 to 2012-08-26 )))))))))))))))))))))))))))))))
.
.
2012-08-25 18:20 . 2012-08-25 18:20 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-08-25 18:20 . 2012-08-25 18:20 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-08-15 22:36 . 2012-08-15 22:36 -------- d-----w- c:\program files\Microsoft Sync Framework
2012-08-15 22:36 . 2012-08-15 22:36 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Microsoft
2012-08-15 22:33 . 2012-08-15 22:33 -------- d-----w- c:\program files\Microsoft Analysis Services
2012-08-15 22:33 . 2012-08-15 22:38 -------- d-----w- c:\windows\SHELLNEW
2012-08-15 22:33 . 2012-08-15 22:33 -------- d-----w- c:\documents and settings\Jon.AMD3\Local Settings\Application Data\Microsoft Help
2012-08-15 22:32 . 2012-08-15 22:42 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2012-08-15 16:32 . 2008-04-14 10:42 221184 ----a-w- c:\windows\system32\wmpns.dll
2012-08-15 16:25 . 2008-04-14 09:41 33792 -c----w- c:\windows\system32\dllcache\custsat.dll
2012-08-15 16:23 . 2006-12-29 04:31 19569 ----a-w- c:\windows\003440_.tmp
2012-08-15 15:58 . 2002-08-29 12:00 10129408 -c--a-w- c:\windows\system32\dllcache\hwxkor.dll
2012-08-15 15:57 . 2008-04-14 09:42 45568 ----a-w- c:\windows\system32\safrslv.dll
2012-08-15 15:56 . 2008-04-14 09:42 217088 ----a-w- c:\program files\Common Files\System\Ole DB\sqlxmlx.dll
2012-08-15 15:54 . 2008-04-14 04:15 52864 ----a-w- c:\windows\system32\drivers\dmusic.sys
2012-08-15 15:54 . 2008-04-14 04:15 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2012-08-15 15:54 . 2008-04-14 04:10 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2012-08-15 15:52 . 2008-04-14 09:42 129536 ----a-w- c:\windows\system32\ksproxy.ax
2012-08-15 15:52 . 2008-04-14 09:41 4096 ----a-w- c:\windows\system32\ksuser.dll
2012-08-15 15:49 . 2008-04-14 09:43 40840 ----a-w- c:\windows\system32\drivers\termdd.sys
2012-08-15 15:49 . 2008-04-14 04:02 196224 ----a-w- c:\windows\system32\drivers\rdpdr.sys
2012-08-15 15:48 . 2008-04-14 09:42 741376 ----a-w- c:\program files\Common Files\Microsoft Shared\Speech\sapi.dll
2012-08-15 15:48 . 2008-04-14 09:42 146432 ----a-w- c:\windows\system\winspool.drv
2012-08-15 15:48 . 2008-04-14 04:24 11264 ----a-w- c:\windows\system32\drivers\irenum.sys
2012-08-15 15:48 . 2002-08-29 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2012-08-15 15:48 . 2002-08-29 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2012-08-15 15:48 . 2002-08-29 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2012-08-15 15:48 . 2002-08-29 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2012-08-15 15:48 . 2008-04-14 09:42 74752 ----a-w- c:\windows\system32\storprop.dll
2012-08-15 15:48 . 2002-08-29 12:00 13608 ----a-r- c:\windows\SETD5.tmp
2012-08-15 15:48 . 2002-08-29 12:00 1086182 ----a-r- c:\windows\SETC0.tmp
2012-08-15 15:13 . 2012-08-15 16:32 -------- d-----w- c:\windows\system32\wbem\Repository
2012-08-15 14:58 . 2012-08-15 16:32 -------- d-----w- c:\documents and settings\Jon.AMD3\Local Settings\Application Data\LogMeIn Rescue Applet
2012-07-27 20:51 . 2012-07-27 20:51 184248 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-25 18:20 . 2012-06-19 12:48 821736 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-08-25 18:20 . 2012-05-18 13:05 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-15 08:54 . 2012-03-30 15:34 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-15 08:54 . 2011-12-24 17:23 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-06 02:43 . 2012-07-05 23:11 181064 ----a-w- c:\windows\PSEXESVC.EXE
2012-07-03 17:46 . 2012-06-02 15:03 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-24 14:12 . 2012-03-18 13:26 230808 ----a-r- c:\windows\system32\cpnprt2.cid
2012-06-06 13:01 . 2012-06-06 13:01 23456 ----a-w- c:\windows\system32\drivers\DrvAgent32.sys
2012-06-05 15:50 . 2011-12-24 17:33 1372672 ------w- c:\windows\system32\msxml6.dll
2012-06-02 19:19 . 2009-08-07 00:24 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19 . 2011-12-24 17:33 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 19:19 . 2011-12-24 17:33 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 19:19 . 2009-08-07 00:24 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19 . 2011-12-24 17:33 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 19:19 . 2009-08-07 00:24 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 19:19 . 2009-08-07 00:24 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19 . 2009-08-07 00:24 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 19:19 . 2011-12-24 17:33 577048 ----a-w- c:\windows\system32\wuapi.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-04-14 . 78A08DD6A8D65E697C18E1DB01C5CDCA . 574976 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ntfs.sys
[-] 2002-08-29 12:00 . !HASH: COULD NOT OPEN FILE !!!!! . 561920 . . [------] . . c:\windows\system32\drivers\ntfs.sys
.
((((((((((((((((((((((((((((( SnapShot@2012-08-24_23.39.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-08-26 15:06 . 2012-08-26 15:06 16384 c:\windows\TEMP\Perflib_Perfdata_c4.dat
+ 2012-08-25 18:20 . 2012-08-25 18:20 246760 c:\windows\system32\javaws.exe
+ 2012-08-25 18:20 . 2012-08-25 18:20 174056 c:\windows\system32\javaw.exe
+ 2012-08-25 18:20 . 2012-08-25 18:20 174056 c:\windows\system32\java.exe
+ 2012-08-25 18:21 . 2012-08-25 18:21 176128 c:\windows\Installer\35867.msi
+ 2012-08-25 18:20 . 2012-08-25 18:20 873984 c:\windows\Installer\35861.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-07 421776]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"d:\\Program files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"d:\\Program files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [12/24/2011 12:52 PM 13696]
R1 FsFilter;FsFilter;c:\documents and settings\Jon.AMD3\Application Data\Adobe\rxsupply.sys [6/16/2012 5:24 PM 21504]
R2 Tardis;Tardis time service;c:\windows\system32\tardisnt.exe [12/25/2011 2:51 PM 233472]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [3/9/2010 7:09 PM 2116480]
S2 MBAMService;MBAMService;d:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/8/2010 9:12 AM 655944]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [3/30/2012 11:34 AM 250056]
S3 AMBFilt;AMBFilt;c:\windows\system32\drivers\Ambfilt.sys [6/26/2009 4:29 PM 1656960]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [6/6/2012 9:01 AM 23456]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;d:\program files\Microsoft Office\Office14\GROOVE.EXE [3/25/2010 10:25 AM 30969208]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [4/26/2012 6:39 PM 113120]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
S4 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/2/2012 11:03 AM 22344]
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-26 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 08:54]
.
2012-08-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2012-07-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-1563985344-682003330-1003Core.job
- c:\documents and settings\Jon.AMD3\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-06-23 01:53]
.
2012-07-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-1563985344-682003330-1003UA.job
- c:\documents and settings\Jon.AMD3\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-06-23 01:53]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: Se&nd to OneNote - d:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.100.1
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-26 11:07
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3104)
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
d:\progra~1\MICROS~1\Office14\1033\GrooveIntlResource.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
d:\program files\java\jre7\bin\jqs.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2012-08-26 11:09:00 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-26 15:08
.
Pre-Run: 1,061,732,352 bytes free
Post-Run: 1,067,114,496 bytes free
.
- - End Of File - - 253262A715572B906A69F8E25AD02956

#12 nasdaq

nasdaq

  • Malware Response Team
  • 38,747 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 26 August 2012 - 12:00 PM

Are you still having issues with this computer?

#13 jpd9930

jpd9930
  • Topic Starter

  • Members
  • 221 posts
  • Gender:Male

Posted 26 August 2012 - 01:22 PM

The redirects are random and intermittent. However, I did about 10 random searches and clicked nearly 25 links with no issue. I'm feeling confident about success. I will post IF I get another redirect. Please advise if I can get any information from the redirect for you if it happens again.

If it doesn't happen again, thanks again to all the great people at Bleeping Computer!

Jon D

#14 nasdaq

nasdaq

  • Malware Response Team
  • 38,747 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 27 August 2012 - 06:27 AM

If all is well:

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

To remove adwcleaner.

Please double click on adwcleaner.exe to run the tool.
Click on Uninstall.
Confirm with Yes.

Delete the other tools we used.
