Infected with TDSS, Google keeps redirecting


  • This topic is locked
21 replies to this topic

#1 Mr 409


Posted 04 November 2013 - 09:58 PM

Keep getting Google redirects, some parts of Google searches are underlined and take you to odd websites.

 

 

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.25.2
Run by Steve at 20:43:01 on 2013-11-04
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1022.63 [GMT -6:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ================
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Documents and Settings\Diane\Application Data\defaulttab\defaulttab\dtupdate.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe
C:\WINDOWS\system32\EscSvc.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\WINDOWS\Installer\MSI82D.tmp
C:\Program Files\Linksicle\Service\lssvc.exe
C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Nova Development\Scrapbook Factory Deluxe 5.0\ReminderApp.exe
C:\Program Files\Caere\OmniPagePro90\opware32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Epson Software\Event Manager\EEventManager.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Drive\googledrivesync.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIJCE.EXE
C:\Program Files\LTCM Client\ltcmScheduler.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Drive\googledrivesync.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://omaha.cox.net/cci/home
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AutorunsDisabled - <orphaned>
BHO: Linksicle: {2AD2D8CA-D24D-40D2-A8FC-46952409BA9A} - c:\program files\linksicle\ie\LinksicleClientIE.dll
BHO: DriveLetterAccess: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: DefaultTab Browser Helper: {7F6AFBF1-E065-4627-A2FD-810366367D01} - c:\documents and settings\diane\application data\defaulttab\defaulttab\DefaultTabBHO.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.9012.1008\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Easy-WebPrint: {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [GoogleDriveSync] "c:\program files\google\drive\googledrivesync.exe" /autostart
uRun: [EPLTarget\P0000000000000000] c:\windows\system32\spool\drivers\w32x86\3\e_fatijce.exe /ept "epltarget\P0000000000000000" /M "XP-600 Series" /EF "HKCU"
uRun: [ltcmScheduler] c:\program files\ltcm client\ltcmScheduler.exe
mRun: [ReminderApp] c:\program files\nova development\scrapbook factory deluxe 5.0\ReminderApp.exe
mRun: [OmniPage] c:\program files\caere\omnipagepro90\opware32.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe"  -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [EEventManager] "c:\program files\epson software\event manager\EEventManager.exe"
mRun: [LTCM Client] c:\program files\ltcm client\ltcmClient.exe /startup
StartupFolder: c:\docume~1\steve\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1352868709046
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
TCP: NameServer = 68.105.28.11 68.105.29.11 68.105.28.12 192.168.1.1 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{83926D1A-F607-43ED-A338-46BC768DCDAC} : DHCPNameServer = 68.105.28.11 68.105.29.11 68.105.28.12 192.168.1.1 68.105.28.11 68.105.29.11 68.105.28.12
AppInit_DLLs= 
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-8-30 211560]
R1 lsnfd;lsnfd;c:\windows\system32\drivers\lsnfd.sys [2013-10-2 52688]
R2 DefaultTabUpdate;DefaultTabUpdate;c:\documents and settings\diane\application data\defaulttab\defaulttab\dtupdate.exe [2013-10-31 107520]
R2 EpsonCustomerParticipation;EpsonCustomerParticipation;c:\program files\epson\epsoncustomerparticipation\EPCP.exe [2012-5-10 539744]
R2 EpsonScanSvc;Epson Scanner Service;c:\windows\system32\escsvc.exe [2013-10-13 122000]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2012-8-23 13672]
R2 Level Quality Watcher;Level Quality Watcher;c:\windows\installer\msi82d.tmp run sourceguid=422332b5-f3a6-47f6-93ef-792299ef24dc --> c:\windows\installer\MSI82D.tmp run sourceguid=422332B5-F3A6-47F6-93EF-792299EF24DC [?]
R2 lssvc;Linksicle Client Service;c:\program files\linksicle\service\lssvc.exe [2013-10-2 272936]
R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\realnetworks\realdownloader\rndlresolversvc.exe [2012-11-29 38608]
RUnknown MpKsle1edf50d;MpKsle1edf50d; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== File Associations ===============
.
ShellExec: frontpg.exe: edit=c:\progra~1\micros~4\office10\FRONTPG.EXE
.
=============== Created Last 30 ================
.
2013-11-05 01:00:30 7796464 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6454d252-0e12-4f12-bed6-1eaf85af1ea0}\mpengine.dll
2013-11-04 00:55:57 7796464 ------w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-11-01 01:41:30 -------- d-----w- c:\program files\Microsoft
2013-11-01 01:41:07 -------- d-----w- c:\program files\Windows Live SkyDrive
2013-11-01 01:40:26 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2013-11-01 01:40:07 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2013-11-01 01:37:22 74520 ----a-w- c:\program files\common files\windows live\.cache\e9114b161ced6a2\DSETUP.dll
2013-11-01 01:37:22 484632 ----a-w- c:\program files\common files\windows live\.cache\e9114b161ced6a2\DXSETUP.exe
2013-11-01 01:37:22 1670936 ----a-w- c:\program files\common files\windows live\.cache\e9114b161ced6a2\dsetup32.dll
2013-11-01 01:37:02 1013800 ----a-w- c:\program files\common files\windows live\.cache\dcc88d601ced6a2\WindowsXP-KB954708-x86-ENU.exe
2013-11-01 01:26:18 -------- d-----w- c:\program files\common files\Windows Live
2013-10-31 22:11:27 80024 ----a-w- c:\windows\system32\PICSDK.dll
2013-10-31 22:11:27 51360 ----a-w- c:\windows\system32\EpPicPrt.dll
2013-10-31 22:11:27 51360 ----a-w- c:\windows\system32\EpPicMgr.dll
2013-10-31 22:11:27 501912 ----a-w- c:\windows\system32\PICSDK2.dll
2013-10-31 22:11:27 108704 ----a-w- c:\windows\system32\PICEntry.dll
2013-10-31 22:11:06 -------- d-----w- C:\epson
2013-10-31 22:04:34 -------- d--h--w- c:\windows\system32\GroupPolicy
2013-10-31 22:04:02 -------- d-----w- c:\program files\Linksicle
2013-10-31 22:02:42 -------- d-----w- c:\program files\Level Quality Watcher
2013-10-14 00:18:15 -------- d-----w- c:\documents and settings\steve\application data\Acer
2013-10-14 00:04:30 -------- d-----w- c:\documents and settings\steve\application data\Leader Technologies
2013-10-13 15:49:44 -------- d-----w- c:\program files\LTCM Client
2013-10-13 15:47:08 342016 ----a-w- c:\windows\system32\eswiaud.dll
2013-10-13 15:47:08 122000 ----a-w- c:\windows\system32\escsvc.exe
2013-10-13 15:45:40 -------- d-----w- c:\program files\common files\EPSON
2013-10-13 15:45:32 457780 ----a-w- c:\windows\system32\ensppui.dll
2013-10-13 15:45:32 249344 ----a-w- c:\windows\system32\enspres.dll
2013-10-13 15:45:31 475496 ----a-w- c:\windows\system32\ensppmon.dll
2013-10-13 15:45:31 475496 ----a-w- c:\windows\system32\enppmon.dll
2013-10-13 15:45:31 457780 ----a-w- c:\windows\system32\enppui.dll
2013-10-13 15:45:31 249344 ----a-w- c:\windows\system32\enpres.dll
2013-10-13 15:45:30 -------- d-----w- c:\program files\EpsonNet
2013-10-13 15:45:20 -------- d-----w- c:\program files\EPSON
2013-10-13 15:45:01 -------- d-----w- c:\program files\EPSON Software
2013-10-13 15:44:28 8192 ----a-w- c:\windows\system32\E_DCINST.DLL
2013-10-13 15:44:25 95232 ----a-w- c:\windows\system32\E_FLBJCE.DLL
2013-10-13 15:44:25 81408 ----a-w- c:\windows\system32\E_FD4BJCE.DLL
2013-10-13 15:43:47 -------- d-----w- c:\documents and settings\all users\application data\EPSON
2013-10-10 08:56:13 25088 ------w- c:\windows\system32\dllcache\hidparse.sys
2013-10-10 08:56:09 46848 ------w- c:\windows\system32\dllcache\irbus.sys
2013-10-10 08:56:08 60160 ------w- c:\windows\system32\dllcache\usbaudio.sys
2013-10-10 08:56:08 123008 ------w- c:\windows\system32\dllcache\usbvideo.sys
2013-10-10 08:55:16 5376 ------w- c:\windows\system32\dllcache\usbd.sys
2013-10-10 08:55:16 32384 ------w- c:\windows\system32\dllcache\usbccgp.sys
2013-10-10 08:55:16 30336 ------w- c:\windows\system32\dllcache\usbehci.sys
2013-10-10 08:55:16 144128 ------w- c:\windows\system32\dllcache\usbport.sys
.
==================== Find3M  ====================
.
2013-10-09 10:28:27 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-10-09 10:28:27 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-10-02 21:14:50 52688 ----a-w- c:\windows\system32\drivers\lsnfd.sys
2013-09-23 18:33:58 920064 ----a-w- c:\windows\system32\wininet.dll
2013-09-23 18:33:57 43520 ------w- c:\windows\system32\licmgr10.dll
2013-09-23 18:33:57 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-09-23 18:33:56 18944 ----a-w- c:\windows\system32\corpol.dll
2013-09-23 18:06:48 385024 ----a-w- c:\windows\system32\html.iec
2013-08-29 01:31:44 1878656 ----a-w- c:\windows\system32\win32k.sys
2013-08-09 01:56:45 386560 ----a-w- c:\windows\system32\themeui.dll
2013-08-09 00:55:08 144128 ----a-w- c:\windows\system32\drivers\usbport.sys
2013-08-09 00:55:07 32384 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2013-08-09 00:55:06 5376 ----a-w- c:\windows\system32\drivers\usbd.sys
.
============= FINISH: 20:45:06.48 ===============
 


I never gave anybody Hell, I just told the truth and they thought it was Hell.

Harry S Truman
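The load-point sections of the DDS log above (the Pseudo HJT Report and SERVICES / DRIVERS) are what a helper reads to decide what to look at first. The following Python triage parser is an added example, not part of this thread, of DDS, or of any tool named here: it parses a constructed subset of the lines posted above and flags entries by path and status heuristics (code running from user-profile Application Data or Windows\Installer, .tmp images, the [?] and [x] markers, and boot/system-start drivers dated shortly before the log). Those heuristics and the 60-day window are my assumptions about what merits a second look, not a verdict that any flagged entry is malicious.

```python
import re
from dataclasses import dataclass, field
from datetime import date

# Constructed sample: a subset of lines copied from the DDS log posted above.
SAMPLE_DDS_LINES = r"""
BHO: AutorunsDisabled - <orphaned>
BHO: Linksicle: {2AD2D8CA-D24D-40D2-A8FC-46952409BA9A} - c:\program files\linksicle\ie\LinksicleClientIE.dll
BHO: DefaultTab Browser Helper: {7F6AFBF1-E065-4627-A2FD-810366367D01} - c:\documents and settings\diane\application data\defaulttab\defaulttab\DefaultTabBHO.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-8-30 211560]
R1 lsnfd;lsnfd;c:\windows\system32\drivers\lsnfd.sys [2013-10-2 52688]
R2 DefaultTabUpdate;DefaultTabUpdate;c:\documents and settings\diane\application data\defaulttab\defaulttab\dtupdate.exe [2013-10-31 107520]
R2 Level Quality Watcher;Level Quality Watcher;c:\windows\installer\msi82d.tmp run sourceguid=422332b5-f3a6-47f6-93ef-792299ef24dc --> c:\windows\installer\MSI82D.tmp run sourceguid=422332B5-F3A6-47F6-93EF-792299EF24DC [?]
RUnknown MpKsle1edf50d;MpKsle1edf50d; [x]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
"""
LOG_DATE = date(2013, 11, 4)  # DDS header: "Run by Steve at 20:43:01 on 2013-11-04"

# Heuristics (my assumptions, not DDS rules): code that loads from user-writable
# or transient locations deserves a second look before anything is removed.
SUSPECT_PATH_MARKERS = (
    ("\\application data\\", "user-profile Application Data"),
    ("\\local settings\\temp\\", "user Temp folder"),
    ("\\windows\\installer\\", "Windows Installer temp directory"),
)
HJT_RE = re.compile(r"^(BHO|TB): (.+?)(?:: (\{[^}]+\}))? - (.+)$")
RUN_RE = re.compile(r"^(uRun|mRun): \[([^\]]*)\]\s+(.*)$")
SERVICE_RE = re.compile(r"^(R\d|S\d|RUnknown)\s+([^;]*);([^;]*);(.*)$")
TAIL_RE = re.compile(r"\s*\[([^\]]*)\]\s*$")  # trailing "[date size]", "[?]" or "[x]"
IMAGE_RE = re.compile(r'"?(.*?\.(?:exe|dll|sys|tmp|cpl))', re.IGNORECASE)


@dataclass
class Finding:
    kind: str  # BHO, TB, uRun, mRun, or the DDS service status (R0..R3, S0..S4, RUnknown)
    name: str
    path: str
    reasons: list = field(default_factory=list)


def _path_reasons(path):
    low, reasons = path.lower(), []
    if low == "<orphaned>":
        reasons.append("orphaned entry: registered component has no file")
    for marker, label in SUSPECT_PATH_MARKERS:
        if marker in low:
            reasons.append(f"runs from {label}")
            break
    img = IMAGE_RE.match(low)
    if img and img.group(1).endswith(".tmp"):
        reasons.append("image is a .tmp file")
    return reasons


def parse_line(line, log_date=LOG_DATE, recent_days=60):
    """Turn one DDS load-point line into a Finding, or None if it is not one."""
    if m := HJT_RE.match(line):
        kind, name, _clsid, path = m.groups()
        return Finding(kind, name, path.strip(), _path_reasons(path))
    if m := RUN_RE.match(line):
        kind, name, rest = m.groups()
        img = IMAGE_RE.match(rest)
        path = img.group(1) if img else rest.strip()
        return Finding(kind, name, path, _path_reasons(path))
    if m := SERVICE_RE.match(line):
        status, svc, _display, rest = m.groups()
        tail = None
        if t := TAIL_RE.search(rest):
            tail, rest = t.group(1), rest[:t.start()]
        f = Finding(status, svc, rest.strip(), _path_reasons(rest))
        if tail == "?":
            f.reasons.append("DDS could not verify the image file on disk ([?])")
        elif tail == "x":
            f.reasons.append("service entry has no image path ([x])")
        elif tail and status in ("R0", "R1"):
            # "[2013-10-2 52688]" is file date and size; a boot/system-start
            # driver dated shortly before the log is worth checking first.
            try:
                y, mo, d = (int(x) for x in tail.split()[0].split("-"))
                age = (log_date - date(y, mo, d)).days
                if 0 <= age <= recent_days:
                    f.reasons.append(f"boot/system-start driver file dated {age} days before the log")
            except ValueError:
                pass
        if status == "RUnknown":
            f.reasons.append("service state unknown to DDS")
        return f
    return None


def triage(text, log_date=LOG_DATE, recent_days=60):
    """Return only the load points that tripped at least one heuristic."""
    parsed = (parse_line(ln, log_date, recent_days) for ln in text.splitlines())
    return [f for f in parsed if f and f.reasons]
```

Calling `triage(SAMPLE_DDS_LINES)` returns the seven entries that trip a heuristic, each with its reasons; Program Files and system32 entries such as the Linksicle BHO or ctfmon.exe pass through unflagged, which is exactly why path heuristics are a starting point for the helper rather than a verdict.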

#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
Posted 06 November 2013 - 01:00 PM

Hello Mr 409
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Follow This Topic. I suggest you click it and select Immediate E-Mail notification and click on Follow This Topic. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.
  • Finally, please reply using the Post button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
1.
Please download the latest version of TDSSKiller from here and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


Things to include in your next reply:
TdssKiller log
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-




#3 Mr 409

Mr 409
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:State of Confusion
  • Local time:12:20 PM

Posted 09 November 2013 - 08:37 PM

Machine is still getting Google redirects.

 

17:02:19.0359 0x01f4  TDSS rootkit removing tool 3.0.0.16 Nov  1 2013 15:53:38
17:02:43.0796 0x01f4  ============================================================
17:02:43.0796 0x01f4  Current date / time: 2013/11/08 17:02:43.0796
17:02:43.0796 0x01f4  SystemInfo:
17:02:43.0796 0x01f4 
17:02:43.0796 0x01f4  OS Version: 5.1.2600 ServicePack: 3.0
17:02:43.0796 0x01f4  Product type: Workstation
17:02:43.0796 0x01f4  ComputerName: OFFICE
17:02:43.0796 0x01f4  UserName: Steve
17:02:43.0796 0x01f4  Windows directory: C:\WINDOWS
17:02:43.0796 0x01f4  System windows directory: C:\WINDOWS
17:02:43.0796 0x01f4  Processor architecture: Intel x86
17:02:43.0796 0x01f4  Number of processors: 2
17:02:43.0796 0x01f4  Page size: 0x1000
17:02:43.0796 0x01f4  Boot type: Normal boot
17:02:43.0796 0x01f4  ============================================================
17:02:51.0156 0x01f4  System UUID: {065AB646-3034-3F42-1954-FC1F341C4A71}
17:02:53.0390 0x01f4  Drive \Device\Harddisk0\DR0 - Size: 0x2540BE4000 (149.01 Gb), SectorSize: 0x200, Cylinders: 0x4BFC, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
17:02:53.0640 0x01f4  ============================================================
17:02:53.0640 0x01f4  \Device\Harddisk0\DR0:
17:02:53.0640 0x01f4  MBR partitions:
17:02:53.0640 0x01f4  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x1B747, BlocksNum 0x1209CE16
17:02:53.0640 0x01f4  ============================================================
17:02:53.0703 0x01f4  C: <-> \Device\Harddisk0\DR0\Partition1
17:02:53.0703 0x01f4  ============================================================
17:02:53.0703 0x01f4  Initialize success
17:02:53.0703 0x01f4  ============================================================
17:04:25.0968 0x16b4  Deinitialize success
 

 

ComboFix 13-11-07.01 - Steve 11/08/2013  17:30:02.7.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1022.488 [GMT -6:00]
Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\Steve\LOCALS~1\Temp\_MEI21082\_ctypes.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI21082\_elementtree.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI21082\_hashlib.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI21082\_multiprocessing.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI21082\_socket.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI21082\_ssl.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI21082\msvcp100.dll
c:\docume~1\Steve\LOCALS~1\Temp\_MEI21082\msvcr100.dll
c:\docume~1\Steve\LOCALS~1\Temp\_MEI21082\pyexpat.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI21082\pysqlite2._sqlite.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI21082\python27.dll
c:\docume~1\Steve\LOCALS~1\Temp\_MEI21082\pythoncom27.dll
c:\docume~1\Steve\LOCALS~1\Temp\_MEI21082\PyWinTypes27.dll
c:\docume~1\Steve\LOCALS~1\Temp\_MEI21082\select.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI21082\unicodedata.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI21082\win32api.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI21082\win32com.shell.shell.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI21082\win32crypt.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI21082\win32event.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI21082\win32file.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI21082\win32inet.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI21082\win32pdh.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI21082\win32process.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI21082\win32profile.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI21082\win32security.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI21082\win32ts.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI21082\windows._cacheinvalidation.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI21082\wx._controls_.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI21082\wx._core_.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI21082\wx._gdi_.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI21082\wx._html2.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI21082\wx._misc_.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI21082\wx._windows_.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI21082\wx._wizard.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI21082\wxbase294u_net_vc90.dll
c:\docume~1\Steve\LOCALS~1\Temp\_MEI21082\wxbase294u_vc90.dll
c:\docume~1\Steve\LOCALS~1\Temp\_MEI21082\wxmsw294u_adv_vc90.dll
c:\docume~1\Steve\LOCALS~1\Temp\_MEI21082\wxmsw294u_core_vc90.dll
c:\docume~1\Steve\LOCALS~1\Temp\_MEI21082\wxmsw294u_html_vc90.dll
c:\docume~1\Steve\LOCALS~1\Temp\_MEI21082\wxmsw294u_webview_vc90.dll
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Diane\WINDOWS
c:\documents and settings\Steve\Local Settings\temp\_MEI21082\_ctypes.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI21082\_elementtree.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI21082\_hashlib.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI21082\_multiprocessing.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI21082\_socket.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI21082\_ssl.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI21082\msvcp100.dll
c:\documents and settings\Steve\Local Settings\temp\_MEI21082\msvcr100.dll
c:\documents and settings\Steve\Local Settings\temp\_MEI21082\pyexpat.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI21082\pysqlite2._sqlite.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI21082\python27.dll
c:\documents and settings\Steve\Local Settings\temp\_MEI21082\pythoncom27.dll
c:\documents and settings\Steve\Local Settings\temp\_MEI21082\PyWinTypes27.dll
c:\documents and settings\Steve\Local Settings\temp\_MEI21082\select.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI21082\unicodedata.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI21082\win32api.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI21082\win32com.shell.shell.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI21082\win32crypt.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI21082\win32event.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI21082\win32file.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI21082\win32inet.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI21082\win32pdh.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI21082\win32process.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI21082\win32profile.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI21082\win32security.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI21082\win32ts.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI21082\windows._cacheinvalidation.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI21082\wx._controls_.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI21082\wx._core_.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI21082\wx._gdi_.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI21082\wx._html2.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI21082\wx._misc_.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI21082\wx._windows_.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI21082\wx._wizard.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI21082\wxbase294u_net_vc90.dll
c:\documents and settings\Steve\Local Settings\temp\_MEI21082\wxbase294u_vc90.dll
c:\documents and settings\Steve\Local Settings\temp\_MEI21082\wxmsw294u_adv_vc90.dll
c:\documents and settings\Steve\Local Settings\temp\_MEI21082\wxmsw294u_core_vc90.dll
c:\documents and settings\Steve\Local Settings\temp\_MEI21082\wxmsw294u_html_vc90.dll
c:\documents and settings\Steve\Local Settings\temp\_MEI21082\wxmsw294u_webview_vc90.dll
c:\documents and settings\Steve\WINDOWS
C:\Thumbs.db
c:\windows\dasetup.log
c:\windows\system32\roboot.exe
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((((   Files Created from 2013-10-10 to 2013-11-10  )))))))))))))))))))))))))))))))
.
.
2013-11-09 23:59 . 2013-10-14 06:39 7796464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{365D0333-A2C7-49EE-8FD7-6F603204E7C2}\mpengine.dll
2013-11-08 00:34 . 2013-10-14 06:39 7796464 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-11-01 01:41 . 2013-11-01 01:41 -------- d-----w- c:\program files\Microsoft
2013-11-01 01:41 . 2013-11-01 01:41 -------- d-----w- c:\program files\Windows Live SkyDrive
2013-11-01 01:40 . 2013-11-01 01:41 -------- d-----w- c:\program files\Windows Live
2013-11-01 01:40 . 2006-11-29 18:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2013-11-01 01:40 . 2013-11-01 01:40 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2013-11-01 01:26 . 2013-11-01 01:26 -------- d-----w- c:\program files\Common Files\Windows Live
2013-10-31 22:11 . 2006-10-31 05:10 51360 ----a-w- c:\windows\system32\EpPicPrt.dll
2013-10-31 22:11 . 2006-10-31 05:10 51360 ----a-w- c:\windows\system32\EpPicMgr.dll
2013-10-31 22:11 . 2006-10-20 05:10 80024 ----a-w- c:\windows\system32\PICSDK.dll
2013-10-31 22:11 . 2006-10-20 05:10 501912 ----a-w- c:\windows\system32\PICSDK2.dll
2013-10-31 22:11 . 2006-10-20 05:10 108704 ----a-w- c:\windows\system32\PICEntry.dll
2013-10-31 22:11 . 2013-10-31 22:11 -------- d-----w- C:\epson
2013-10-31 22:04 . 2013-10-31 22:04 -------- d--h--w- c:\windows\system32\GroupPolicy
2013-10-31 22:04 . 2013-10-31 22:04 -------- d-----w- c:\program files\Linksicle
2013-10-31 22:02 . 2013-10-31 22:02 -------- d-----w- c:\program files\Level Quality Watcher
2013-10-29 13:04 . 2013-10-29 13:04 -------- d-----w- c:\documents and settings\Diane\New Folder
2013-10-14 00:18 . 2013-10-14 00:18 -------- d-----w- c:\documents and settings\Steve\Application Data\Acer
2013-10-14 00:04 . 2013-10-14 00:04 -------- d-----w- c:\documents and settings\Steve\Application Data\Leader Technologies
2013-10-14 00:04 . 2013-10-14 00:04 -------- d-----w- c:\documents and settings\Steve\Application Data\Epson
2013-10-13 15:45 . 2013-11-01 00:26 -------- d-----w- c:\program files\EPSON Software
2013-10-13 15:44 . 2007-04-10 01:06 8192 ----a-w- c:\windows\system32\E_DCINST.DLL
2013-10-13 15:44 . 2011-04-20 03:03 95232 ----a-w- c:\windows\system32\E_FLBJCE.DLL
2013-10-13 15:44 . 2011-03-15 03:03 81408 ----a-w- c:\windows\system32\E_FD4BJCE.DLL
2013-10-13 15:43 . 2013-11-01 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\EPSON
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-10-09 10:28 . 2012-04-28 01:19 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-10-09 10:28 . 2011-09-01 20:47 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-10-02 21:14 . 2013-10-02 21:14 52688 ----a-w- c:\windows\system32\drivers\lsnfd.sys
2013-09-23 18:33 . 2004-08-19 20:49 920064 ----a-w- c:\windows\system32\wininet.dll
2013-09-23 18:33 . 2004-08-19 20:49 43520 ------w- c:\windows\system32\licmgr10.dll
2013-09-23 18:33 . 2004-08-19 20:49 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-09-23 18:33 . 2004-08-19 20:49 18944 ----a-w- c:\windows\system32\corpol.dll
2013-09-23 18:06 . 2004-08-19 20:49 385024 ----a-w- c:\windows\system32\html.iec
2013-08-29 01:31 . 2004-08-19 20:49 1878656 ----a-w- c:\windows\system32\win32k.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2013-09-25 22:37 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2013-09-25 22:37 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2013-09-25 22:37 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedViewOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2013-09-25 22:37 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2013-09-25 22:37 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2013-09-25 22:37 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-29 68856]
"GoogleDriveSync"="c:\program files\Google\Drive\googledrivesync.exe" [2013-09-25 20133824]
"EPLTarget\P0000000000000000"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIJCE.EXE" [2012-02-29 249440]
"ltcmScheduler"="c:\program files\LTCM Client\ltcmScheduler.exe" [2011-04-07 99072]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ReminderApp"="c:\program files\Nova Development\Scrapbook Factory Deluxe 5.0\ReminderApp.exe" [2010-07-09 144672]
"OmniPage"="c:\program files\Caere\OmniPagePro90\opware32.exe" [1998-10-12 44032]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-04-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-09-10 421776]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-08-12 995176]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2013-02-19 295072]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2012-01-26 1058400]
"LTCM Client"="c:\program files\LTCM Client\ltcmClient.exe" [2011-04-07 2756864]
.
c:\documents and settings\Steve\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE %SystemRoot%\ERDNT\AutoBackup\#Date# /noconfirmdelete /noprogresswindow [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Steve\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
"c:\\Program Files\\EPSON Software\\Event Manager\\EEventManager.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
.
R1 lsnfd;lsnfd;c:\windows\system32\drivers\lsnfd.sys [10/2/2013 3:14 PM 52688]
R2 DefaultTabUpdate;DefaultTabUpdate;c:\documents and settings\Diane\Application Data\defaulttab\defaulttab\dtupdate.exe [10/31/2013 4:04 PM 107520]
R2 EpsonCustomerParticipation;EpsonCustomerParticipation;c:\program files\EPSON\EpsonCustomerParticipation\EPCP.exe [5/10/2012 1:00 PM 539744]
R2 EpsonScanSvc;Epson Scanner Service;c:\windows\system32\escsvc.exe [10/13/2013 9:47 AM 122000]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/23/2012 11:37 AM 13672]
R2 Level Quality Watcher;Level Quality Watcher;c:\windows\Installer\MSI82D.tmp run sourceguid=422332B5-F3A6-47F6-93EF-792299EF24DC --> c:\windows\Installer\MSI82D.tmp run sourceguid=422332B5-F3A6-47F6-93EF-792299EF24DC [?]
R2 lssvc;Linksicle Client Service;c:\program files\Linksicle\Service\lssvc.exe [10/2/2013 3:14 PM 272936]
R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe [11/29/2012 8:31 PM 38608]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2013-11-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-28 10:28]
.
2013-11-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 22:57]
.
2013-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 23:12]
.
2013-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 23:12]
.
2013-11-09 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-08-12 15:12]
.
2013-11-10 c:\windows\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-4030910126-953941055-2049199888-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 21:30]
.
2013-11-10 c:\windows\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-4030910126-953941055-2049199888-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 21:30]
.
2013-11-10 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4030910126-953941055-2049199888-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 21:30]
.
2011-12-15 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4030910126-953941055-2049199888-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 21:30]
.
2011-12-15 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4030910126-953941055-2049199888-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 21:30]
.
2011-12-15 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4030910126-953941055-2049199888-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 21:30]
.
2013-11-07 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4030910126-953941055-2049199888-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 21:30]
.
2011-12-15 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4030910126-953941055-2049199888-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 21:30]
.
2011-12-15 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4030910126-953941055-2049199888-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 21:30]
.
2011-12-15 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4030910126-953941055-2049199888-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 21:30]
.
2013-11-09 c:\windows\Tasks\User_Feed_Synchronization-{3EB8275D-CDB9-4E8E-A620-58841F53D45A}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://omaha.cox.net/cci/home
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12 192.168.1.1 68.105.28.11 68.105.29.11 68.105.28.12
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-07759347.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-11-09 19:27
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Level Quality Watcher]
"ImagePath"="c:\windows\Installer\MSI82D.tmp run sourceguid=422332B5-F3A6-47F6-93EF-792299EF24DC"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3976)
c:\windows\system32\WININET.dll
c:\program files\Caere\OmniPagePro90\ophook32.dll
c:\program files\Google\Drive\googledrivesync32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\windows\Installer\MSI82D.tmp
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2013-11-09  19:33:16 - machine was rebooted
ComboFix-quarantined-files.txt  2013-11-10 01:33
.
Pre-Run: 88,215,408,640 bytes free
Post-Run: 91,290,779,648 bytes free
.
- - End Of File - - 40921DF437B6282134784C96B4E36302
B16A2359F4962B0C622D81A1C1F4B703

I never gave anybody Hell, I just told the truth and they thought it was Hell.

Harry S Truman

#4 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 10 November 2013 - 06:48 PM

We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

File::
c:\documents and settings\Diane\Application Data\defaulttab\defaulttab\dtupdate.exe

Driver::
DefaultTabUpdate

Save this as CFScript.txt, in the same location as ComboFix.exe


CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Still getting redirected?


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


#5 Mr 409

  • Topic Starter
  • Members
  • 53 posts
  • Gender:Male
  • Location:State of Confusion

Posted 10 November 2013 - 09:52 PM

Redirects seem to be better. Still get the stray one from certain actions.


ComboFix 13-11-10.02 - Steve 11/10/2013  20:01:19.8.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1022.419 [GMT -6:00]
Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Steve\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
FILE ::
"c:\documents and settings\Diane\Application Data\defaulttab\defaulttab\dtupdate.exe"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\Steve\LOCALS~1\Temp\_MEI31362\_ctypes.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI31362\_elementtree.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI31362\_hashlib.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI31362\_multiprocessing.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI31362\_socket.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI31362\_ssl.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI31362\msvcp100.dll
c:\docume~1\Steve\LOCALS~1\Temp\_MEI31362\msvcr100.dll
c:\docume~1\Steve\LOCALS~1\Temp\_MEI31362\pyexpat.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI31362\pysqlite2._sqlite.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI31362\python27.dll
c:\docume~1\Steve\LOCALS~1\Temp\_MEI31362\pythoncom27.dll
c:\docume~1\Steve\LOCALS~1\Temp\_MEI31362\PyWinTypes27.dll
c:\docume~1\Steve\LOCALS~1\Temp\_MEI31362\select.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI31362\unicodedata.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI31362\win32api.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI31362\win32com.shell.shell.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI31362\win32crypt.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI31362\win32event.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI31362\win32file.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI31362\win32inet.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI31362\win32pdh.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI31362\win32process.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI31362\win32profile.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI31362\win32security.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI31362\win32ts.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI31362\windows._cacheinvalidation.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI31362\wx._controls_.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI31362\wx._core_.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI31362\wx._gdi_.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI31362\wx._html2.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI31362\wx._misc_.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI31362\wx._windows_.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI31362\wx._wizard.pyd
c:\docume~1\Steve\LOCALS~1\Temp\_MEI31362\wxbase294u_net_vc90.dll
c:\docume~1\Steve\LOCALS~1\Temp\_MEI31362\wxbase294u_vc90.dll
c:\docume~1\Steve\LOCALS~1\Temp\_MEI31362\wxmsw294u_adv_vc90.dll
c:\docume~1\Steve\LOCALS~1\Temp\_MEI31362\wxmsw294u_core_vc90.dll
c:\docume~1\Steve\LOCALS~1\Temp\_MEI31362\wxmsw294u_html_vc90.dll
c:\docume~1\Steve\LOCALS~1\Temp\_MEI31362\wxmsw294u_webview_vc90.dll
c:\documents and settings\Steve\Local Settings\temp\_MEI31362\_ctypes.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI31362\_elementtree.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI31362\_hashlib.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI31362\_multiprocessing.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI31362\_socket.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI31362\_ssl.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI31362\msvcp100.dll
c:\documents and settings\Steve\Local Settings\temp\_MEI31362\msvcr100.dll
c:\documents and settings\Steve\Local Settings\temp\_MEI31362\pyexpat.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI31362\pysqlite2._sqlite.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI31362\python27.dll
c:\documents and settings\Steve\Local Settings\temp\_MEI31362\pythoncom27.dll
c:\documents and settings\Steve\Local Settings\temp\_MEI31362\PyWinTypes27.dll
c:\documents and settings\Steve\Local Settings\temp\_MEI31362\select.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI31362\unicodedata.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI31362\win32api.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI31362\win32com.shell.shell.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI31362\win32crypt.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI31362\win32event.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI31362\win32file.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI31362\win32inet.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI31362\win32pdh.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI31362\win32process.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI31362\win32profile.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI31362\win32security.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI31362\win32ts.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI31362\windows._cacheinvalidation.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI31362\wx._controls_.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI31362\wx._core_.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI31362\wx._gdi_.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI31362\wx._html2.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI31362\wx._misc_.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI31362\wx._windows_.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI31362\wx._wizard.pyd
c:\documents and settings\Steve\Local Settings\temp\_MEI31362\wxbase294u_net_vc90.dll
c:\documents and settings\Steve\Local Settings\temp\_MEI31362\wxbase294u_vc90.dll
c:\documents and settings\Steve\Local Settings\temp\_MEI31362\wxmsw294u_adv_vc90.dll
c:\documents and settings\Steve\Local Settings\temp\_MEI31362\wxmsw294u_core_vc90.dll
c:\documents and settings\Steve\Local Settings\temp\_MEI31362\wxmsw294u_html_vc90.dll
c:\documents and settings\Steve\Local Settings\temp\_MEI31362\wxmsw294u_webview_vc90.dll
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_DEFAULTTABUPDATE
-------\Service_DefaultTabUpdate
.
.
(((((((((((((((((((((((((   Files Created from 2013-10-11 to 2013-11-11  )))))))))))))))))))))))))))))))
.
.
2013-11-10 20:43 . 2013-10-14 06:39 7796464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CD4CD9CE-5A72-4291-B53F-B575DFB55D01}\mpengine.dll
2013-11-09 23:59 . 2013-10-14 06:39 7796464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-11-01 01:41 . 2013-11-01 01:41 -------- d-----w- c:\program files\Microsoft
2013-11-01 01:41 . 2013-11-01 01:41 -------- d-----w- c:\program files\Windows Live SkyDrive
2013-11-01 01:40 . 2013-11-01 01:41 -------- d-----w- c:\program files\Windows Live
2013-11-01 01:40 . 2006-11-29 18:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2013-11-01 01:40 . 2013-11-01 01:40 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2013-11-01 01:26 . 2013-11-01 01:26 -------- d-----w- c:\program files\Common Files\Windows Live
2013-10-31 22:11 . 2006-10-31 05:10 51360 ----a-w- c:\windows\system32\EpPicPrt.dll
2013-10-31 22:11 . 2006-10-31 05:10 51360 ----a-w- c:\windows\system32\EpPicMgr.dll
2013-10-31 22:11 . 2006-10-20 05:10 80024 ----a-w- c:\windows\system32\PICSDK.dll
2013-10-31 22:11 . 2006-10-20 05:10 501912 ----a-w- c:\windows\system32\PICSDK2.dll
2013-10-31 22:11 . 2006-10-20 05:10 108704 ----a-w- c:\windows\system32\PICEntry.dll
2013-10-31 22:11 . 2013-10-31 22:11 -------- d-----w- C:\epson
2013-10-31 22:04 . 2013-10-31 22:04 -------- d--h--w- c:\windows\system32\GroupPolicy
2013-10-31 22:04 . 2013-10-31 22:04 -------- d-----w- c:\program files\Linksicle
2013-10-31 22:02 . 2013-10-31 22:02 -------- d-----w- c:\program files\Level Quality Watcher
2013-10-29 13:04 . 2013-10-29 13:04 -------- d-----w- c:\documents and settings\Diane\New Folder
2013-10-14 00:18 . 2013-10-14 00:18 -------- d-----w- c:\documents and settings\Steve\Application Data\Acer
2013-10-14 00:04 . 2013-10-14 00:04 -------- d-----w- c:\documents and settings\Steve\Application Data\Leader Technologies
2013-10-14 00:04 . 2013-10-14 00:04 -------- d-----w- c:\documents and settings\Steve\Application Data\Epson
2013-10-13 15:45 . 2013-11-01 00:26 -------- d-----w- c:\program files\EPSON Software
2013-10-13 15:44 . 2007-04-10 01:06 8192 ----a-w- c:\windows\system32\E_DCINST.DLL
2013-10-13 15:44 . 2011-04-20 03:03 95232 ----a-w- c:\windows\system32\E_FLBJCE.DLL
2013-10-13 15:44 . 2011-03-15 03:03 81408 ----a-w- c:\windows\system32\E_FD4BJCE.DLL
2013-10-13 15:43 . 2013-11-01 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\EPSON
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-10-09 10:28 . 2012-04-28 01:19 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-10-09 10:28 . 2011-09-01 20:47 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-10-02 21:14 . 2013-10-02 21:14 52688 ----a-w- c:\windows\system32\drivers\lsnfd.sys
2013-09-23 18:33 . 2004-08-19 20:49 920064 ----a-w- c:\windows\system32\wininet.dll
2013-09-23 18:33 . 2004-08-19 20:49 43520 ------w- c:\windows\system32\licmgr10.dll
2013-09-23 18:33 . 2004-08-19 20:49 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-09-23 18:33 . 2004-08-19 20:49 18944 ----a-w- c:\windows\system32\corpol.dll
2013-09-23 18:06 . 2004-08-19 20:49 385024 ----a-w- c:\windows\system32\html.iec
2013-08-29 01:31 . 2004-08-19 20:49 1878656 ----a-w- c:\windows\system32\win32k.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2013-09-25 22:37 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2013-09-25 22:37 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2013-09-25 22:37 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedViewOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2013-09-25 22:37 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2013-09-25 22:37 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2013-09-25 22:37 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-29 68856]
"GoogleDriveSync"="c:\program files\Google\Drive\googledrivesync.exe" [2013-09-25 20133824]
"EPLTarget\P0000000000000000"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIJCE.EXE" [2012-02-29 249440]
"ltcmScheduler"="c:\program files\LTCM Client\ltcmScheduler.exe" [2011-04-07 99072]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ReminderApp"="c:\program files\Nova Development\Scrapbook Factory Deluxe 5.0\ReminderApp.exe" [2010-07-09 144672]
"OmniPage"="c:\program files\Caere\OmniPagePro90\opware32.exe" [1998-10-12 44032]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-04-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-09-10 421776]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-08-12 995176]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2013-02-19 295072]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2012-01-26 1058400]
"LTCM Client"="c:\program files\LTCM Client\ltcmClient.exe" [2011-04-07 2756864]
.
c:\documents and settings\Steve\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE %SystemRoot%\ERDNT\AutoBackup\#Date# /noconfirmdelete /noprogresswindow [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Steve\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
"c:\\Program Files\\EPSON Software\\Event Manager\\EEventManager.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
.
R1 lsnfd;lsnfd;c:\windows\system32\drivers\lsnfd.sys [10/2/2013 3:14 PM 52688]
R2 EpsonCustomerParticipation;EpsonCustomerParticipation;c:\program files\EPSON\EpsonCustomerParticipation\EPCP.exe [5/10/2012 1:00 PM 539744]
R2 EpsonScanSvc;Epson Scanner Service;c:\windows\system32\escsvc.exe [10/13/2013 9:47 AM 122000]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/23/2012 11:37 AM 13672]
R2 Level Quality Watcher;Level Quality Watcher;c:\windows\Installer\MSI82D.tmp run sourceguid=422332B5-F3A6-47F6-93EF-792299EF24DC --> c:\windows\Installer\MSI82D.tmp run sourceguid=422332B5-F3A6-47F6-93EF-792299EF24DC [?]
R2 lssvc;Linksicle Client Service;c:\program files\Linksicle\Service\lssvc.exe [10/2/2013 3:14 PM 272936]
R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe [11/29/2012 8:31 PM 38608]
.
Contents of the 'Scheduled Tasks' folder
.
2013-11-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-28 10:28]
.
2013-11-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 22:57]
.
2013-11-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 23:12]
.
2013-11-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 23:12]
.
2013-11-10 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-08-12 15:12]
.
2013-11-11 c:\windows\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-4030910126-953941055-2049199888-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 21:30]
.
2013-11-11 c:\windows\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-4030910126-953941055-2049199888-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 21:30]
.
2013-11-11 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4030910126-953941055-2049199888-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 21:30]
.
2011-12-15 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4030910126-953941055-2049199888-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 21:30]
.
2011-12-15 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4030910126-953941055-2049199888-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 21:30]
.
2011-12-15 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4030910126-953941055-2049199888-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 21:30]
.
2013-11-07 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4030910126-953941055-2049199888-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 21:30]
.
2011-12-15 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4030910126-953941055-2049199888-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 21:30]
.
2011-12-15 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4030910126-953941055-2049199888-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 21:30]
.
2011-12-15 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4030910126-953941055-2049199888-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 21:30]
.
2013-11-11 c:\windows\Tasks\User_Feed_Synchronization-{3EB8275D-CDB9-4E8E-A620-58841F53D45A}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://omaha.cox.net/cci/home
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12 192.168.1.1 68.105.28.11 68.105.29.11 68.105.28.12
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-11-10 20:21
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Level Quality Watcher]
"ImagePath"="c:\windows\Installer\MSI82D.tmp run sourceguid=422332B5-F3A6-47F6-93EF-792299EF24DC"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(180)
c:\windows\system32\WININET.dll
c:\program files\Caere\OmniPagePro90\ophook32.dll
c:\program files\Google\Drive\googledrivesync32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\windows\Installer\MSI82D.tmp
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2013-11-10  20:27:56 - machine was rebooted
ComboFix-quarantined-files.txt  2013-11-11 02:27
ComboFix2.txt  2013-11-10 01:33
.
Pre-Run: 91,121,889,280 bytes free
Post-Run: 91,127,169,024 bytes free
.
- - End Of File - - 5EE5A51D06F6FC62292A1575F9C77356
B16A2359F4962B0C622D81A1C1F4B703


I never gave anybody Hell, I just told the truth and they thought it was Hell.

Harry S Truman

#6 fireman4it (Bleepin' Fireman, Malware Response Team, 13,512 posts, Greenup, Ill USA)

Posted 11 November 2013 - 02:40 PM

  • Download Malwarebytes Anti-Rootkit from HERE
  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#7 Mr 409 (Topic Starter, Members, 53 posts, State of Confusion)

Posted 11 November 2013 - 08:08 PM

Unable to get to the internet on the infected computer.

#8 Mr 409 (Topic Starter, Members, 53 posts, State of Confusion)

Posted 11 November 2013 - 09:08 PM

Logs requested below:


Malwarebytes Anti-Rootkit BETA 1.07.0.1007
www.malwarebytes.org

Database version: v2013.11.12.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Steve :: OFFICE [administrator]

11/11/2013 7:21:32 PM
mbar-log-2013-11-11 (19-21-32).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 331127
Time elapsed: 44 minute(s), 13 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

System log below:


---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1007

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.992000 GHz
Memory total: 1071722496, free: 97570816

Downloaded database version: v2013.11.12.01
Downloaded database version: v2013.10.11.02
Initializing...
======================
------------ Kernel report ------------
     11/11/2013 19:20:59
------------ Loaded modules -----------
\WINDOWS\system32\ntkrnlpa.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
pciide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
MountMgr.sys
ftdisk.sys
dmload.sys
dmio.sys
PartMgr.sys
VolSnap.sys
atapi.sys
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
fltmgr.sys
sr.sys
MpFilter.sys
PxHelp20.sys
drvmcdb.sys
KSecDD.sys
Ntfs.sys
NDIS.sys
Mup.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\ati2mtag.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\IntelC53.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\IntelC51.sys
\SystemRoot\system32\DRIVERS\IntelC52.sys
\SystemRoot\system32\DRIVERS\mohfilt.sys
\SystemRoot\System32\Drivers\Modem.SYS
\SystemRoot\system32\drivers\sscdbhk5.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\redbook.sys
\SystemRoot\System32\Drivers\GEARAspiWDM.sys
\SystemRoot\system32\DRIVERS\imapi.sys
\SystemRoot\system32\DRIVERS\audstub.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\rdpdr.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\system32\DRIVERS\omci.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\sthda.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\MODEMCSA.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\System32\Drivers\i2omgmt.SYS
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\system32\drivers\ssrtln.sys
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\system32\drivers\lsnfd.sys
\SystemRoot\system32\DRIVERS\ipnat.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\System32\drivers\ws2ifsl.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\system32\DRIVERS\usbscan.sys
\SystemRoot\system32\DRIVERS\usbprint.sys
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\ati2dvag.dll
\SystemRoot\System32\ati2cqag.dll
\SystemRoot\System32\atikvmag.dll
\SystemRoot\System32\ati3duag.dll
\SystemRoot\System32\ativvaxx.dll
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\drivers\drvnddm.sys
\SystemRoot\system32\dla\tfsndres.sys
\SystemRoot\system32\dla\tfsnifs.sys
\SystemRoot\system32\dla\tfsnopio.sys
\SystemRoot\system32\dla\tfsnpool.sys
\SystemRoot\system32\dla\tfsnboio.sys
\SystemRoot\system32\dla\tfsncofs.sys
\SystemRoot\system32\dla\tfsndrct.sys
\SystemRoot\system32\dla\tfsnudf.sys
\SystemRoot\system32\dla\tfsnudfa.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\dsunidrv.sys
\SystemRoot\system32\DRIVERS\srv.sys
\SystemRoot\System32\Drivers\MASPINT.SYS
\??\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DDF436AC-7392-4671-9194-9D8B5100022F}\MpKslb3881226.sys
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\System32\Drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\e100b325.sys
\SystemRoot\system32\drivers\kmixer.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk2\DR5
Upper Device Object: 0xffffffff86e2a338
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000068\
Lower Device Object: 0xffffffff86d62a78
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR4
Upper Device Object: 0xffffffff86e139b8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000067\
Lower Device Object: 0xffffffff86d42ea0
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff86fcdab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP1T0L0-17\
Lower Device Object: 0xffffffff86f8bd98
Lower Device Driver Name: \Driver\atapi\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff86fcdab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff86fd0930, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff86fcdab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff86f8bd98, DeviceName: \Device\Ide\IdeDeviceP1T0L0-17\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: EB275B50

Partition information:

    Partition 0 type is Other (0xde)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63  Numsec = 112392

    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 112455  Numsec = 302632470
    Partition file system is NTFS
    Partition is bootable

    Partition 2 type is Other (0xdb)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 302760990  Numsec = 9735390

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 160000000000 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-312480000-312500000)...
Done!
Physical Sector Size: 0
Drive: 1, DevicePointer: 0xffffffff86e139b8, DeviceName: \Device\Harddisk1\DR4\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff86ee1e08, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff86e139b8, DeviceName: \Device\Harddisk1\DR4\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff86cc15c0, DeviceName: Unknown, DriverName: \Driver\drvmcdb\
DevicePointer: 0xffffffff86d42ea0, DeviceName: \Device\00000067\, DriverName: \Driver\USBSTOR\
------------ End ----------
Physical Sector Size: 0
Drive: 2, DevicePointer: 0xffffffff86e2a338, DeviceName: \Device\Harddisk2\DR5\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff86ec2580, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff86e2a338, DeviceName: \Device\Harddisk2\DR5\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff86eb5ed0, DeviceName: Unknown, DriverName: \Driver\drvmcdb\
DevicePointer: 0xffffffff86d62a78, DeviceName: \Device\00000068\, DriverName: \Driver\USBSTOR\
------------ End ----------
Read File: File "C:\WINDOWS\system32\config\Internet.evt" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\LocalService\IETldCache\index.dat" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\Steve\IECompatCache\index.dat" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\Steve\IETldCache\index.dat" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\Steve\PrivacIE\index.dat" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\Steve\Local Settings\History\History.IE5\index.dat" is compressed (flags = 1)
Scan finished
=======================================

Removal queue found; removal started
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR_0_i.mbam...
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\Bootstrap_0_1_112455_i.mbam...
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR_0_r.mbam...
Removal finished



#9 fireman4it (Bleepin' Fireman, Malware Response Team, 13,512 posts, Greenup, Ill USA)

Posted 12 November 2013 - 10:21 AM

How is the computer running now?



#10 Mr 409 (Topic Starter, Members, 53 posts, State of Confusion)

Posted 12 November 2013 - 12:07 PM

Still having redirects. Web searches will have certain words hyperlinked to other sites.

#11 fireman4it (Bleepin' Fireman, Malware Response Team, 13,512 posts, Greenup, Ill USA)

Posted 12 November 2013 - 12:46 PM

Which browser are you using?

  • Download RogueKiller on the desktop
  • Close all the running processes
  • Under Vista/Seven, right click -> Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • When prompted, Click Scan
  • A report should open, give its content to your helper. (RKreport could also be found next to the executable)
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again



#12 Mr 409 (Topic Starter, Members, 53 posts, State of Confusion)

Posted 12 November 2013 - 03:24 PM

Windows XP. IE, don't know which version.

Edited by Mr 409, 12 November 2013 - 03:26 PM.


#13 fireman4it (Bleepin' Fireman, Malware Response Team, 13,512 posts, Greenup, Ill USA)

Posted 12 November 2013 - 03:46 PM

Please download and run Roguekiller as requested in my previous post.



#14 Mr 409 (Topic Starter, Members, 53 posts, State of Confusion)

Posted 12 November 2013 - 06:22 PM

Works OK until I search, then it's back to the same. Logs requested are below:


RogueKiller V8.7.7 [Nov 11 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Steve [Admin rights]
Mode : Remove -- Date : 11/12/2013 17:19:28
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 3 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1       localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) Maxtor 6Y160M0 +++++
--- User ---
[MBR] 4940516cf1ec4ded60f822509918334f
[BSP] 9e8cc5107820818e58b975ed41c3fcaf : MBR Code unknown
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 112455 | Size: 147769 Mo
2 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 302760990 | Size: 4753 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_D_11122013_171928.txt >>
RKreport[0]_D_11122013_170625.txt;RKreport[0]_S_11122013_170549.txt;RKreport[0]_S_11122013_171857.txt


#15 fireman4it (Bleepin' Fireman, Malware Response Team, 13,512 posts, Greenup, Ill USA)

Posted 12 November 2013 - 07:53 PM

1. Download the yorkyt.exe disinfection tool (1,31 MB).

  • Save the file to your hard disk; to the Windows Desktop, for example.
  • Double click the yorkyt.exe file.
  • A reboot will be requested to install a driver.
  • Another reboot will be requested to complete the disinfection.
  • When the disinfection is completed, accept the message that will be displayed.
  • In order to ensure a full cleanup, run a scan of your PC with the antivirus installed.

2. I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
