July 17th, 2011 23:00

Search Result Redirect/Hijacked Browser

Hello,

I noticed this morning that many of my search results were leading me to pages with no association to what I had searched for. After a few confusing minutes, I realized I had something wrong and began researching (as best as one can with constant redirects) about the problem. Thus far I've spent the greater part of the day downloading spy/malware scanning and removal applications. So far, I've used Kaspersky anti-virus, Malwarebytes, SUPERAntiSpyware, Hitman and CleanMyPCRegistry. They all seemed to find something new and get rid of it; however, I'm still having trouble about 30% of the time with redirects to one site. I'm currently running XP Professional SP3.

The main things all the scans found were: TDSS.rootkit (removed with rootkiller), Trojan.Win32.Obfuscated.alwf, Backdoor.Win32.Gbot.mgw, Trojan-Downloader.NSIS.Murlo.f, Trojan.Clicker.AS. I believe they are all removed, as subsequent scans have not revealed them.

My browser/internet is being routed through a proxy, so for now a work-around is to turn that off; however, it resets to the default "bad" settings when I open my browser (Firefox 5).

My last scan with SUPERAntiSpyware came up with two registry keys that were possibly infected. They are:

HKU\.Default\Software\.....\WINLOGON#SHELL

HKU\S-1-5-18\Software\.....\WINLOGON#SHELL

That's as much as I know and have been able to figure out. Here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:18:46 PM, on 7/17/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\ievkbd.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\klwtbbho.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ConnectionCenter] "C:\Program Files\Citrix\ICA Client\concentr.exe" /startup
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe"
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: &Virtual Keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\klwtbbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\klwtbbho.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Leidich.local
O17 - HKLM\Software\..\Telephony: DomainName = Leidich.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Leidich.local
O18 - Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter hijack: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus Service (AVP) - Kaspersky Lab ZAO - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11542 bytes

Thanks Much, hope this is easy to resolve!
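As an added example that is not part of the original post or of HijackThis itself: a small PowerShell triage pass over log lines like the ones above. The sample lines are copied from the log posted here, plus one constructed non-default start-page line (marked in the code); the flagging rules and the Get-HjtFindings function are the editor's own heuristics for what a reviewer looks at first (orphaned "(no file)" entries, changed start/search pages, Run entries with no full path, O17 domain settings, filter and Winlogon hooks), not HijackThis logic.

```powershell
# Added example, not from the thread: triage heuristics over HijackThis log lines.
# Sample input: lines copied from the posted log, plus one constructed R0 line.
$sampleLog = @'
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://example.invalid/search
R3 - URLSearchHook: (no name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Leidich.local
O18 - Filter hijack: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
'@ -split "`r?`n"
# (the R0 line pointing at example.invalid is constructed; the log above shows the IE default)

function Get-HjtFindings {
    # Hypothetical helper: returns one object per line that deserves a second look.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Every HijackThis entry is "<section code> - <body>"; skip headers and process lists.
        if ($line -notmatch '^(?<code>[A-Z]\d{1,2}) - (?<body>.+)$') { continue }
        $code = $Matches['code']
        $body = $Matches['body']
        $why  = $null
        if ($body -match '\(no file\)') {
            # Registered component whose file is gone: leftover of removed malware or a broken add-on.
            $why = 'Orphan: component is registered but no file exists on disk'
        } elseif ($code -match '^R[01]$' -and $body -match '= (?<url>\S+)$' -and
                  $Matches['url'] -notlike 'http://go.microsoft.com/*') {
            # R0/R1 are the IE start and search pages; anything but the default needs confirming.
            $why = 'Start/search page is not the IE default; verify it is one you set'
        } elseif ($code -eq 'O4' -and $body -match '\] [^"\\]+$') {
            # A Run value with a bare file name is resolved by search order at logon, not a fixed path.
            $why = 'Run entry has no full path; confirm which file actually starts'
        } elseif ($code -eq 'O17') {
            $why = 'Domain/DNS setting; confirm it matches the real network'
        } elseif ($body -match '^Filter hijack:' -or $body -match '^Winlogon Notify:') {
            $why = 'Hooks the shell or logon path; confirm the owning product is installed'
        }
        if ($why) {
            New-Object PSObject -Property @{ Code = $code; Why = $why; Entry = $body }
        }
    }
}

# Expected on the sample: the constructed R0 line, both "(no file)" lines, the bare
# stsystra.exe Run entry, the O17 line, and the O18/O20 hooks are reported; the
# Adobe BHO, the IE-default R1 line and the full-path IgfxTray entry are not.
Get-HjtFindings -Lines $sampleLog | Format-Table Code, Why, Entry -AutoSize -Wrap
```

The rules deliberately report "confirm" items rather than verdicts: the Citrix filter and the SUPERAntiSpyware Winlogon DLL in the posted log are legitimate for software the poster installed, and the point of the pass is to shorten the list a human reads, not to replace that reading.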

July 18th, 2011 04:00

I'm kevinf80 and I will be helping with any issues you may have. Please be aware that some of the logs I may ask for can be very complex and can take a long time to decipher. I am a volunteer here with a job and family so I ask that you be patient when waiting for replies.
Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
Please Print or Save to Notepad all instructions and please follow them carefully and if there's something you don't understand or that will not work please let me know and we will go through it together.
Malware is often buggy and can be very unstable, with that in mind it is advisable to backup any important data before we begin.
If you do not reply within 72 hours the thread will be closed, if you need more time let me know. Likewise if I do not respond within 48 hours feel free to PM me.

* If you are using any cracked software, please remove it. In addition to being illegal, when you install cracked software, you are running executable files from dubious, unknown sources. You are giving these sources access to information on your hard disk, and potential control over operation of your computer. Definition of cracked software HERE

** If you are using any P2P (file sharing) programs, please remove them before we clean your computer. The nature of such software and the high incidence of malware in files downloaded with them is counter productive to restoring your PC to a healthy state. That includes BitTorrent and similar programs. There is a partial list HERE

Please proceed as follows :-

Step 1

Check for proxy server settings in your browser, the following are the most common used.

Internet Explorer:
Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "use a proxy server" and check "Automatically detect settings". OK, Apply (only if applicable), OK.

Firefox:
Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection. "No Proxy" should be selected, unless you have one set up yourself.

Chrome:
Select -> Tools menu -> then "Options", then go to "Change Proxy Settings", then "LAN Settings" , then take out the check mark for "Use a proxy server for your LAN" if set, unless you set this up yourself.

Safari:
  • Launch Safari
  • Go to general settings menu
  • Then in Preferences/ Advanced
  • Then on line click Proxies change settings ...
  • Click Internet Options, then click the Connections tab, click Network Settings.
  • Disable option (uncheck) for the use of proxy server ...


Step 2

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from either of the following links :-

Link 1
Link 2

  • Ensure that Combofix is saved directly to the Desktop <--- Very important
    Before saving Combofix to the Desktop re-name it to Gotcha.exe as below:

    [image: the ComboFix download renamed to Gotcha.exe]

  • Disable all security programs as they will have a negative effect on Combofix, instructions available Here if required. Be aware the list may not have all programs listed, if you need more help please ask.
  • Close any open browsers and any other programs you might have running
  • Double click the renamed Combofix (Gotcha.exe) icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
  • Instructions for running Combofix available Here if required.
  • If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review


**** Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read Here why disabling autoruns is recommended.

*EXTRA NOTES*
  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot; you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).


Post the log in next reply please...

Kevin
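An added example, not part of kevinf80's instructions and not something he asked the poster to run: a read-only PowerShell audit of the two places this thread is about, the system (WinINET) proxy that Step 1 clears and the Winlogon "Shell" values under HKU\.DEFAULT and HKU\S-1-5-18 that SUPERAntiSpyware flagged in the first post. The function names Get-WinlogonShell, Get-ProxyState and Get-FirefoxProxyPrefs are the editor's own; the registry paths and the Firefox network.proxy.type meanings are standard. It only reports, it changes nothing.

```powershell
# Added example, not from the thread: report-only audit of proxy and Winlogon Shell settings.

function Get-WinlogonShell {
    # Hypothetical helper. The Shell value names the program Winlogon starts for a user
    # session; only explorer.exe is expected. Most hives have no Shell value at all and
    # inherit the HKLM default, so a value present under .DEFAULT or S-1-5-18 stands out.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        # HKEY_USERS is not mapped as a drive by default; map it to read the two hives from the post.
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $suffix = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    foreach ($hive in @('HKLM:', 'HKCU:', 'HKU:\.DEFAULT', 'HKU:\S-1-5-18')) {
        $key = Join-Path $hive $suffix
        if (-not (Test-Path $key)) { continue }
        $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
        if ($null -eq $shell) {
            $status = 'not set (HKLM default applies)'
        } elseif ($shell -ieq 'explorer.exe') {
            $status = 'expected'
        } else {
            $status = 'UNEXPECTED: something other than explorer.exe starts at logon'
        }
        New-Object PSObject -Property @{ Key = $key; Shell = $shell; Status = $status }
    }
}

function Get-ProxyState {
    # Hypothetical helper. These per-user values are what the IE "LAN Settings" dialog in
    # Step 1 edits, and what Firefox follows when it is set to use the system proxy.
    $inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $inet
    New-Object PSObject -Property @{
        ProxyEnable   = $p.ProxyEnable      # 1 = traffic goes through ProxyServer
        ProxyServer   = $p.ProxyServer
        AutoConfigURL = $p.AutoConfigURL    # a PAC script can steer traffic just like a proxy
    }
}

function Get-FirefoxProxyPrefs {
    # Hypothetical helper. Firefox stores its own choice in prefs.js:
    # network.proxy.type 0 = none, 1 = manual, 2 = PAC URL, 4 = auto-detect, 5 = system.
    # If no network.proxy.type line exists the default applies, which on Windows is
    # the system proxy, so the browser dialog mirrors whatever Get-ProxyState shows.
    $profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (-not (Test-Path $profiles)) { return }
    Get-ChildItem -Path $profiles -Filter prefs.js -Recurse |
        Select-String -Pattern 'user_pref\("network\.proxy\.' |
        ForEach-Object { New-Object PSObject -Property @{ File = $_.Path; Pref = $_.Line.Trim() } }
}

Get-WinlogonShell      | Format-Table Key, Shell, Status -AutoSize -Wrap
Get-ProxyState         | Format-List
Get-FirefoxProxyPrefs  | Format-Table File, Pref -AutoSize -Wrap
```

Run it from an administrator PowerShell prompt so the HKU hives are readable, and paste the output rather than acting on it: a proxy that comes back after being cleared, as described in the first post, points at something re-writing these values, and that something is what the cleanup tools need to find.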

July 18th, 2011 08:00

Hi Kevin

Thanks so much for taking the time to help, it's much appreciated!!

Here's the ComboFix log.

ComboFix 11-07-18.01 - ryan 07/18/2011   7:47.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3574.3091 [GMT -6:00]
Running from: c:\documents and settings\Ryan\Desktop\Gotcha.exe
AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\Ryan\LOCALS~1\Temp\Adobelm_Cleanup.0001.dir.0000\~de7b92.tmp
c:\docume~1\Ryan\LOCALS~1\Temp\Adobelm_Cleanup.0001.dir.0000\~df394b.tmp
c:\docume~1\Ryan\LOCALS~1\Temp\Adobelm_Cleanup.0001.dir.0001\~df394b.tmp
c:\documents and settings\Ryan\Local Settings\Temp\Adobelm_Cleanup.0001.dir.0000\~de7b92.tmp
c:\documents and settings\Ryan\Local Settings\Temp\Adobelm_Cleanup.0001.dir.0000\~df394b.tmp
c:\documents and settings\Ryan\Local Settings\Temp\Adobelm_Cleanup.0001.dir.0001\~df394b.tmp
C:\Microsoft
.
.
(((((((((((((((((((((((((   Files Created from 2011-06-18 to 2011-07-18  )))))))))))))))))))))))))))))))
.
.
2011-07-18 13:32 . 2011-07-18 13:33 -------- d-----w- C:\Gotcha
2011-07-18 06:12 . 2011-07-18 06:12 -------- d-----w- c:\program files\CONEXANT
2011-07-18 06:12 . 2007-07-24 21:08 217088 ----a-r- c:\windows\system32\UCI32M21.dll
2011-07-18 06:12 . 2007-08-02 23:35 989952 ----a-r- c:\windows\system32\drivers\HSF_DPV.sys
2011-07-18 06:12 . 2007-08-02 23:34 211200 ----a-r- c:\windows\system32\drivers\HSFHWAZL.sys
2011-07-18 06:12 . 2007-08-02 23:34 731136 ----a-r- c:\windows\system32\drivers\HSF_CNXT.sys
2011-07-18 05:06 . 2011-07-18 05:06 388096 ----a-r- c:\documents and settings\Ryan\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-18 04:55 . 2011-07-18 04:55 -------- d-----w- c:\documents and settings\Ryan\Application Data\SUPERAntiSpyware.com
2011-07-18 04:55 . 2011-07-18 04:55 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-07-18 04:55 . 2011-07-18 04:55 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-07-17 20:36 . 2011-07-17 20:36 -------- d-----w- c:\program files\CleanMyPC
2011-07-17 20:34 . 2011-07-17 20:34 -------- d-sh--w- c:\documents and settings\Ryan\IECompatCache
2011-07-17 20:24 . 2011-07-17 20:29 21064 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-07-17 20:23 . 2011-07-17 20:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-07-17 16:57 . 2011-07-17 16:57 -------- d-----w- c:\documents and settings\Ryan\Application Data\Malwarebytes
2011-07-17 16:57 . 2011-07-17 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-07-17 16:57 . 2011-07-07 01:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-17 16:57 . 2011-07-17 16:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-17 16:57 . 2011-07-07 01:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-17 04:50 . 2011-07-17 05:48 97859 ----a-w- c:\windows\system32\drivers\klick.dat
2011-07-17 04:50 . 2011-07-17 05:48 115369 ----a-w- c:\windows\system32\drivers\klin.dat
2011-07-17 04:48 . 2011-07-18 13:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2011-07-17 04:48 . 2011-07-17 04:48 -------- d-----w- c:\program files\Kaspersky Lab
2011-07-17 04:47 . 2011-07-17 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2011-07-17 03:27 . 2011-07-17 03:27 -------- d-----w- c:\program files\Trend Micro
2011-07-17 03:18 . 2011-07-17 03:18 -------- d-----w- c:\windows\system32\wbem\Repository
2011-07-17 03:14 . 2011-07-17 03:16 -------- d-----w- c:\windows\system32\NtmsData
2011-07-15 14:58 . 2011-07-15 14:58 -------- d-----w- c:\documents and settings\Ryan\Application Data\GARMIN
2011-07-14 22:33 . 2011-07-14 22:33 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2011-07-14 22:01 . 2011-07-14 22:01 182272 ----a-w- c:\program files\Windows NT\dwm.exe
2011-07-14 22:00 . 2011-07-14 22:00 64000 --sha-r- c:\windows\system32\sti_cim.dll
2011-07-12 23:32 . 2008-04-13 17:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2011-07-12 23:32 . 2008-04-13 17:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-07-12 23:32 . 2001-08-18 04:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-07-12 23:32 . 2008-04-13 23:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-07-10 05:03 . 2011-07-10 05:03 -------- d-----w- c:\documents and settings\Ryan\Application Data\vlc
2011-07-10 04:59 . 2011-07-10 04:59 -------- d-----w- c:\program files\VideoLAN
2011-07-05 16:02 . 2011-07-05 16:02 -------- d-----w- c:\documents and settings\Ryan\Application Data\AdobeUM
2011-07-05 16:00 . 2011-07-05 16:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
2011-07-05 16:00 . 2011-07-05 16:00 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2011-07-05 13:07 . 2007-03-08 22:18 8320 ----a-w- c:\windows\system32\drivers\grmnusb.sys
2011-07-05 13:07 . 2007-03-08 22:18 18432 ----a-w- c:\windows\system32\drivers\grmngen.sys
2011-07-05 12:53 . 2011-07-17 03:18 -------- d-----w- C:\Garmin
2011-07-01 13:19 . 2011-07-01 13:19 -------- d-----w- c:\program files\Caminova
2011-06-29 16:47 . 2011-06-29 16:47 -------- d-----w- c:\documents and settings\Ryan\Application Data\deskPDF
2011-06-29 16:42 . 2009-01-12 19:45 20886 ----a-w- c:\windows\system32\ddmon.dll
2011-06-29 16:42 . 2011-06-29 16:48 -------- d-----w- c:\program files\Docudesk
2011-06-29 16:34 . 2011-06-29 16:34 -------- d-----w- c:\documents and settings\Ryan\Application Data\Smart PDF Converter
2011-06-29 16:34 . 2011-06-29 16:39 -------- d-----w- c:\program files\Smart PDF Converter
2011-06-29 14:06 . 2011-07-05 15:15 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\CutePDF Writer
2011-06-29 14:05 . 2011-06-29 14:05 -------- d-----w- c:\program files\GPLGS
2011-06-29 14:04 . 2009-11-05 14:39 87552 ----a-w- c:\windows\system32\cpwmon2k.dll
2011-06-29 14:04 . 2011-06-29 14:04 -------- d-----w- c:\program files\Acro Software
2011-06-28 18:20 . 2011-06-28 18:20 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\Apple
2011-06-28 18:20 . 2011-06-29 13:06 -------- d-----w- c:\windows\SxsCaPendDel
2011-06-28 16:23 . 2001-08-17 19:53 6784 -c--a-w- c:\windows\system32\dllcache\serscan.sys
2011-06-28 16:23 . 2001-08-17 19:53 6784 ----a-w- c:\windows\system32\drivers\serscan.sys
2011-06-28 16:23 . 2011-06-28 16:23 -------- d-----w- c:\documents and settings\Ryan\Application Data\HpUpdate
2011-06-28 16:22 . 2010-11-17 03:10 527208 ------w- c:\windows\system32\HPDiscoPM5312.dll
2011-06-28 16:22 . 2010-11-17 00:01 1792872 ----a-w- c:\windows\system32\HPScanMiniDrv_OJ8500_A910.dll
2011-06-28 16:22 . 2010-11-17 00:01 267112 ----a-w- c:\windows\system32\hpinksts5312LM.dll
2011-06-28 16:22 . 2010-11-17 00:01 232296 ----a-w- c:\windows\system32\hpinksts5312.dll
2011-06-28 16:22 . 2010-11-17 00:01 213864 ----a-w- c:\windows\system32\hpinkcoi5312.dll
2011-06-28 16:20 . 2011-06-28 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2011-06-28 16:20 . 2011-06-28 16:23 -------- d-----w- c:\program files\HP
2011-06-28 16:19 . 2011-06-28 16:24 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\HP
2011-06-27 22:06 . 2011-06-27 22:06 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\Mozilla
2011-06-27 21:18 . 2011-06-27 21:18 -------- d-----w- c:\windows\SchCache
2011-06-23 22:37 . 2011-06-23 22:37 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\Google
2011-06-23 20:15 . 2011-06-23 20:15 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\Help
2011-06-23 20:05 . 2011-06-30 13:37 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2011-06-23 20:04 . 2011-06-23 20:04 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\MapInfo
2011-06-23 20:04 . 2011-06-23 20:04 -------- d-----w- c:\documents and settings\Ryan\Application Data\MapInfo
2011-06-23 20:01 . 2011-06-23 19:57 4218880 ----a-w- c:\windows\system32\cdintf400.dll
2011-06-23 20:01 . 2011-06-23 20:01 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2011-06-23 19:59 . 2011-06-23 19:59 -------- d-----w- c:\windows\Crystal
2011-06-23 19:59 . 2011-06-23 19:59 -------- d-----w- c:\program files\Seagate Software
2011-06-23 19:59 . 2011-06-23 19:59 -------- d-----w- c:\program files\MapInfo
2011-06-23 19:59 . 2011-06-23 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\MapInfo
2011-06-23 19:30 . 2011-06-23 19:30 -------- d-----w- c:\windows\system32\XPSViewer
2011-06-23 19:30 . 2011-06-23 19:30 -------- d-----w- c:\program files\MSBuild
2011-06-23 19:30 . 2011-06-23 19:30 -------- d-----w- c:\program files\Reference Assemblies
2011-06-23 19:29 . 2011-07-01 14:59 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\Adobe
2011-06-23 19:29 . 2011-06-23 19:29 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\Temp
2011-06-23 19:29 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-06-23 19:29 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-06-23 19:29 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-06-23 19:29 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-06-23 19:29 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2011-06-23 19:29 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-06-23 19:29 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2011-06-23 19:29 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-06-23 19:29 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-06-23 19:29 . 2011-06-23 19:29 -------- d-----w- C:\bf9bf6b5da93fd5a3a720340155e79e9
2011-06-23 18:08 . 2011-07-15 00:13 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\RockWare
2011-06-21 14:29 . 2008-04-13 23:11 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2011-06-18 23:56 . 2011-06-23 19:25 -------- d-----w- c:\program files\MSECache
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-11 02:02 . 2011-06-07 21:10 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02 . 2004-08-04 10:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-02 15:31 . 2010-06-11 20:34 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2004-08-04 10:00 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2004-08-04 10:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-26 11:07 . 2004-08-04 10:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-04-26 11:07 . 2004-08-04 10:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-04-25 16:11 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2004-08-04 10:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2004-08-04 10:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-07-08 07:16 . 2011-07-17 20:20 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-16 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-16 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-16 138008]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-10-12 304568]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe" [2010-11-03 365336]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-11 2150400]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 18:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 13:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2010-06-10 02:55 49208 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 23:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Registry Cleaner Scheduler]
2008-10-22 04:18 471650 ----a-w- c:\program files\CleanMyPC\Registry Cleaner\RCHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-06-30 13:50 2424192 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
.
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [7/14/2010 12:51 PM 65584]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [6/9/2010 4:43 PM 11352]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/12/2011 3:55 PM 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 3:55 PM 67664]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [5/7/2010 11:06 AM 32856]

R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [11/2/2009 7:27 PM 19472]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/16/2011 11:07 AM 136176]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/16/2011 11:07 AM 136176]

.

Contents of the 'Scheduled Tasks' folder

.

2011-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-16 17:07]

.

2011-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-16 17:07]

.

.

------- Supplementary Scan -------

.

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

TCP: DhcpNameServer = 206.123.202.145

FF - ProfilePath - c:\documents and settings\Ryan\Application Data\Mozilla\Firefox\Profiles\9h1uw1cf.default\

FF - prefs.js: browser.startup.homepage - www.google.com|www.gmail.com

FF - prefs.js: network.proxy.type - 0

.

- - - - ORPHANS REMOVED - - - -

.

URLSearchHooks-{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)

MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-07-18 07:57

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...  

.

scanning hidden autostart entries ...

.

scanning hidden files ...  

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1416)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\documents and settings\Ryan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

c:\documents and settings\Ryan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

c:\documents and settings\Ryan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

c:\documents and settings\Ryan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10007.dll

.

- - - - - - - > 'explorer.exe'(2996)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Intel\Wireless\Bin\WLKeeper.exe

c:\windows\system32\rundll32.exe

c:\windows\System32\SCardSvr.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\program files\SigmaTel\C-Major Audio\WDM\StacSV.exe

c:\windows\system32\igfxsrvc.exe

c:\windows\stsystra.exe

c:\program files\Citrix\ICA Client\wfcrun32.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe

.

**************************************************************************

.

Completion time: 2011-07-18  08:02:36 - machine was rebooted

ComboFix-quarantined-files.txt  2011-07-18 14:02

.

Pre-Run: 93,832,441,856 bytes free

Post-Run: 94,923,776,000 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - 6E9DE812F2D430B95FE8319DF1ECB08A


July 18th, 2011 13:00

Can you uninstall the following via Start > Control Panel > Add/Remove Programs :-

Step 1

SUPERAntiSpyware
Hitman
CleanMyPCRegistry


Step 2

Run ESET Online Scan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window: ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

  • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the [image] icon on your desktop.

  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Leave the tick out of remove found threats
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]


You can refer to this animation by neomage if needed.
Frequently asked questions are available Here. Please read them before running the scan.

Also be aware this scan can take between one and several hours to complete depending on the size of your system.

The ESET log can be found at "C:\Program Files\ESET\EsetOnlineScanner\log.txt".

Step 3

We need to see some additional information about what is happening in your machine.
Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.
  • When done, DDS will open two (2) logs: 1. DDS.txt, 2. Attach.txt
  • Save both reports to your desktop.
  • The instructions here ask you to attach the Attach.txt. [image]
  • Instead of attaching, please copy/paste both logs into your next reply.
  • Close the program window, and delete the program from your desktop.


Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE

What I'd like in your reply :-

  • Log from ESET
  • DDS.txt
  • Attach.txt
  • Update on current issues/concerns



Kevin

July 18th, 2011 21:00

Hi Kevin,

Here are the logs as requested. ESET found 2 or 3 trojans the other programs missed.

ESET LOG:

C:\Program Files\Windows NT\dwm.exe a variant of Win32/Kryptik.QJC trojan

C:\System Volume Information\_restore{CDFB9338-CDE6-4BDE-AB73-0D25B01B60CB}\RP4\A0000089.exe Win32/Cycbot.AH.Gen trojan

C:\System Volume Information\_restore{CDFB9338-CDE6-4BDE-AB73-0D25B01B60CB}\RP4\A0000102.exe a variant of Win32/Kryptik.QJC trojan

DDS.txt

DDS (Ver_2011-07-14.01) - NTFS_x86

Internet Explorer: 8.0.6001.18702

Run by ryan at 21:49:56 on 2011-07-18

#Option Extended Search is enabled.

Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3574.2419 [GMT -6:00]

.

AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

.

============== Running Processes ================

.

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\SCardSvr.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Citrix\ICA Client\concentr.exe

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\Citrix\ICA Client\wfcrun32.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

C:\WINDOWS\system32\svchost.exe -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

.

============== Pseudo HJT Report ===============

.

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} -

BHO: AcroIEHlprObj Class: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: IEVkbdBHO Class: {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\ievkbd.dll

BHO: AcroIEToolbarHelper Class: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

BHO: FilterBHO Class: {E33CF602-D945-461A-83F0-819F76A199F8} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll

TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"

mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

mRun: [IgfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"

mRun: [SigmatelSysTrayApp] stsystra.exe

mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup

mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"

mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2011\avp.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe

uPolicies-Explorer: NoDriveTypeAutoRun = dword:323

uPolicies-Explorer: NoDriveAutoRun = dword:67108863

uPolicies-Explorer: NoDrives = dword:0

mPolicies-Explorer: NoDriveAutoRun = dword:67108863

mPolicies-Explorer: NoDriveTypeAutoRun = dword:323

mPolicies-Explorer: NoDrives = dword:0

mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1

mPolicies-Explorer: NoDriveTypeAutoRun = dword:323

mPolicies-Explorer: NoDriveAutoRun = dword:67108863

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000

IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: NameServer = 206.123.202.145

TCP: Interfaces\{6B5E5841-1BE7-4215-80AE-54B17D1392C5} : DHCPNameServer = 206.123.202.145

Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Handler: ipp -

Handler: msdaipp -

Notify: igfxcui - igfxdev.dll

Notify: klogon - c:\windows\system32\klogon.dll

mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\program files\outlook express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

mASetup: {7790769C-0471-11d2-AF11-00C04FA35D02} - "c:\program files\outlook express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

IFEO: Your Image File Name Here without a path - ntsd -d

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\ryan\application data\mozilla\firefox\profiles\9h1uw1cf.default\

FF - prefs.js: browser.startup.homepage - www.google.com|www.gmail.com

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll

.

============= SERVICES / DRIVERS ===============

.

R0 KL1;kl1;c:\windows\system32\drivers\kl1.sys [2010-6-9 132184]

R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2010-7-14 65584]

R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2010-6-9 11352]

R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2011-7-16 475736]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2010-5-7 32856]

R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-11-2 19472]

S2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky anti-virus 2011\avp.exe [2010-11-2 365336]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-6-16 136176]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-6-16 136176]

.

=============== Created Last 60 ================

.

2011-07-18 19:18:50 -------- d-----w- c:\program files\ESET

2011-07-18 13:42:34 -------- d-sha-r- C:\cmdcons

2011-07-18 13:34:27 98816 ----a-w- c:\windows\sed.exe

2011-07-18 13:34:27 208896 ----a-w- c:\windows\MBR.exe

2011-07-18 13:32:40 -------- d-----w- C:\Gotcha

2011-07-18 06:12:54 217088 ----a-r- c:\windows\system32\UCI32M21.dll

2011-07-18 06:12:54 -------- d-----w- c:\program files\CONEXANT

2011-07-18 06:12:53 989952 ----a-r- c:\windows\system32\drivers\HSF_DPV.sys

2011-07-18 06:12:53 731136 ----a-r- c:\windows\system32\drivers\HSF_CNXT.sys

2011-07-18 06:12:53 211200 ----a-r- c:\windows\system32\drivers\HSFHWAZL.sys

2011-07-18 05:06:43 388096 ----a-r- c:\documents and settings\ryan\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-07-18 04:55:23 -------- d-----w- c:\documents and settings\ryan\application data\SUPERAntiSpyware.com

2011-07-18 04:55:23 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com

2011-07-17 20:36:43 -------- d-----w- c:\program files\CleanMyPC

2011-07-17 20:34:45 -------- d-sh--w- c:\documents and settings\ryan\IECompatCache

2011-07-17 20:23:44 -------- d-----w- c:\documents and settings\all users\application data\Hitman Pro

2011-07-17 16:57:49 -------- d-----w- c:\documents and settings\ryan\application data\Malwarebytes

2011-07-17 16:57:41 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-17 16:57:41 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-07-17 16:57:37 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-17 16:57:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-07-17 04:50:33 150200 ----a-w- c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru_bak\components\kavlinkfilter.dll

2011-07-17 04:50:15 97859 ----a-w- c:\windows\system32\drivers\klick.dat

2011-07-17 04:50:15 115369 ----a-w- c:\windows\system32\drivers\klin.dat

2011-07-17 04:48:41 -------- d-----w- c:\program files\Kaspersky Lab

2011-07-17 04:48:41 -------- d-----w- c:\documents and settings\all users\application data\Kaspersky Lab

2011-07-17 04:47:06 -------- d-----w- c:\documents and settings\all users\application data\Kaspersky Lab Setup Files

2011-07-17 03:27:23 -------- d-----w- c:\program files\Trend Micro

2011-07-17 03:18:24 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-07-17 03:18:24 -------- d-----w- c:\windows\system32\wbem\Repository

2011-07-17 03:14:57 -------- d-----w- c:\windows\system32\NtmsData

2011-07-15 14:58:54 -------- d-----w- c:\documents and settings\ryan\application data\GARMIN

2011-07-14 22:01:30 182272 ----a-w- c:\program files\windows nt\dwm.exe

2011-07-14 22:00:16 64000 --sha-r- c:\windows\system32\sti_cim.dll

2011-07-12 23:32:08 5632 ----a-w- c:\windows\system32\ptpusb.dll

2011-07-12 23:32:08 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys

2011-07-12 23:32:08 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

2011-07-12 23:32:07 159232 ----a-w- c:\windows\system32\ptpusd.dll

2011-07-10 04:59:45 -------- d-----w- c:\program files\VideoLAN

2011-07-05 16:00:32 -------- d-----w- c:\program files\common files\Adobe Systems Shared

2011-07-05 13:07:13 9344 ----a-w- c:\windows\system32\drivers\grmnusb.sys

2011-07-05 13:07:13 18304 ----a-w- c:\windows\system32\drivers\grmngen.sys

2011-07-05 12:53:56 -------- d-----w- C:\Garmin

2011-07-01 13:19:32 1680272 ----a-w- c:\program files\mozilla firefox\plugins\npdjvu.dll

2011-07-01 13:19:31 -------- d-----w- c:\program files\Caminova

2011-06-29 16:47:38 -------- d-----w- c:\documents and settings\ryan\application data\deskPDF

2011-06-29 16:42:25 20886 ----a-w- c:\windows\system32\ddmon.dll

2011-06-29 16:42:03 -------- d-----w- c:\program files\Docudesk

2011-06-29 16:34:53 -------- d-----w- c:\documents and settings\ryan\application data\Smart PDF Converter

2011-06-29 16:34:44 -------- d-----w- c:\program files\Smart PDF Converter

2011-06-29 14:06:10 -------- d-----w- c:\documents and settings\ryan\local settings\application data\CutePDF Writer

2011-06-29 14:05:09 -------- d-----w- c:\program files\GPLGS

2011-06-29 14:04:51 87552 ----a-w- c:\windows\system32\cpwmon2k.dll

2011-06-29 14:04:43 -------- d-----w- c:\program files\Acro Software

2011-06-28 18:20:58 -------- d-----w- c:\documents and settings\ryan\local settings\application data\Apple

2011-06-28 18:20:41 -------- d-----w- c:\windows\system32\appmgmt

2011-06-28 18:20:40 -------- d-----w- c:\windows\SxsCaPendDel

2011-06-28 18:17:50 -------- d-----w- c:\windows\pss

2011-06-28 16:23:28 6784 -c--a-w- c:\windows\system32\dllcache\serscan.sys

2011-06-28 16:23:28 6784 ----a-w- c:\windows\system32\drivers\serscan.sys

2011-06-28 16:23:02 -------- d-----w- c:\documents and settings\ryan\application data\HpUpdate

2011-06-28 16:22:25 527208 ------w- c:\windows\system32\HPDiscoPM5312.dll

2011-06-28 16:22:21 1792872 ----a-w- c:\windows\system32\HPScanMiniDrv_OJ8500_A910.dll

2011-06-28 16:22:19 267112 ----a-w- c:\windows\system32\hpinksts5312LM.dll

2011-06-28 16:22:19 232296 ----a-w- c:\windows\system32\hpinksts5312.dll

2011-06-28 16:22:19 213864 ----a-w- c:\windows\system32\hpinkcoi5312.dll

2011-06-28 16:20:14 -------- d-----w- c:\program files\HP

2011-06-28 16:19:21 -------- d-----w- c:\documents and settings\ryan\local settings\application data\HP

2011-06-27 22:06:55 -------- d-----w- c:\documents and settings\ryan\local settings\application data\Mozilla

2011-06-27 21:18:15 -------- d-----w- c:\windows\SchCache

2011-06-23 22:37:09 -------- d-----w- c:\documents and settings\ryan\local settings\application data\Google

2011-06-23 20:15:14 -------- d-----w- c:\documents and settings\ryan\local settings\application data\Help

2011-06-23 20:04:48 -------- d-----w- c:\documents and settings\ryan\local settings\application data\MapInfo

2011-06-23 20:04:48 -------- d-----w- c:\documents and settings\ryan\application data\MapInfo

2011-06-23 20:01:23 4218880 ----a-w- c:\windows\system32\cdintf400.dll

2011-06-23 20:01:11 -------- d-----w- c:\program files\common files\Macrovision Shared

2011-06-23 19:59:46 -------- d-----w- c:\windows\Crystal

2011-06-23 19:59:46 -------- d-----w- c:\program files\Seagate Software

2011-06-23 19:59:46 -------- d-----w- c:\program files\MapInfo

2011-06-23 19:59:46 -------- d-----w- c:\documents and settings\all users\application data\MapInfo

2011-06-23 19:30:22 -------- d-----w- c:\windows\system32\XPSViewer

2011-06-23 19:29:56 -------- d-----w- c:\documents and settings\ryan\local settings\application data\Temp

2011-06-23 19:29:56 -------- d-----w- c:\documents and settings\ryan\local settings\application data\Adobe

2011-06-23 19:29:47 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll

2011-06-23 19:29:27 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2011-06-23 19:29:27 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2011-06-23 19:29:27 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

2011-06-23 19:29:27 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2011-06-23 19:29:27 575488 ------w- c:\windows\system32\xpsshhdr.dll

2011-06-23 19:29:27 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2011-06-23 19:29:27 1676288 ------w- c:\windows\system32\xpssvcs.dll

2011-06-23 19:29:27 117760 ------w- c:\windows\system32\prntvpt.dll

2011-06-23 19:29:26 -------- d-----w- C:\bf9bf6b5da93fd5a3a720340155e79e9

2011-06-23 18:08:12 -------- d-----w- c:\documents and settings\ryan\local settings\application data\RockWare

2011-06-21 14:29:29 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll

2011-06-18 23:56:23 -------- d-----w- c:\program files\MSECache

2011-06-17 15:38:01 -------- d-----w- c:\program files\RockWare

2011-06-17 13:08:18 -------- d-sh--w- c:\documents and settings\ryan\PrivacIE

2011-06-17 13:07:06 -------- d-----w- c:\documents and settings\ryan\application data\ICAClient

2011-06-17 13:07:01 -------- d-----w- c:\documents and settings\ryan\local settings\application data\Citrix

2011-06-17 13:07:01 -------- d-----w- c:\documents and settings\ryan\local settings\application data\Apple Computer

2011-06-17 13:07:00 -------- d-----w- c:\documents and settings\ryan\local settings\application data\Toshiba

2011-06-16 17:06:40 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys

2011-06-16 17:06:40 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2011-06-16 17:06:38 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll

2011-06-16 17:06:38 21504 ----a-w- c:\windows\system32\hidserv.dll

2011-06-16 17:06:35 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys

2011-06-16 17:06:35 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2011-06-16 17:06:29 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys

2011-06-16 17:06:29 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys

2011-06-16 17:06:24 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys

2011-06-16 17:06:24 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2011-06-16 13:38:39 -------- d-----w- c:\documents and settings\all users\application data\Citrix

2011-06-16 13:38:13 -------- d-----w- c:\program files\Citrix

2011-06-15 07:59:24 105472 -c----w- c:\windows\system32\dllcache\mup.sys

2011-06-14 20:08:50 -------- d-----w- c:\program files\Yahoo!

2011-06-14 20:01:19 28552 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\mdippr.dll

2011-06-14 20:01:19 28040 ----a-w- c:\windows\system32\mdimon.dll

2011-06-14 20:00:38 -------- d-----w- c:\program files\Microsoft ActiveSync

2011-06-14 19:59:29 -------- d-----w- c:\windows\SHELLNEW

2011-06-07 21:10:53 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-06 18:55:30 183696 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll

.

==================== Find6M  ====================

.

2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll

2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-26 11:07:50 33280 ----a-w- c:\windows\system32\csrsrv.dll

2011-04-26 11:07:50 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll

2011-04-25 16:11:11 43520 ------w- c:\windows\system32\licmgr10.dll

2011-04-25 16:11:11 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec

2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys

2011-04-06 22:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll

2011-04-06 22:20:16 75040 ----a-w- c:\windows\system32\jdns_sd.dll

2011-04-06 22:20:16 197920 ----a-w- c:\windows\system32\dnssdX.dll

2011-04-06 22:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe

2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll

2011-02-17 13:18:03 357888 ----a-w- c:\windows\system32\drivers\srv.sys

2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2011-02-16 13:22:48 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll

2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll

2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll

2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll

.

============= FINISH: 21:50:08.73 ===============

ATTACH.TXT

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-07-14.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume2

Install Date: 6/11/2010 2:40:24 PM

System Uptime: 7/18/2011 8:40:59 PM (1 hours ago)

.

Motherboard: Dell Inc. |  | 0HN341

Processor: Intel(R) Core(TM)2 Duo CPU     T7100  @ 1.80GHz | Microprocessor | 1795/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 112 GiB total, 88.422 GiB free.

D: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}

Description: Biometric Coprocessor

Device ID: USB\VID_0483&PID_2016\5&1F158A8D&0&2

Manufacturer:

Name: Biometric Coprocessor

PNP Device ID: USB\VID_0483&PID_2016\5&1F158A8D&0&2

Service:

.

==== System Restore Points ===================

.

RP1: 7/15/2011 7:49:14 AM - System Checkpoint

RP2: 7/15/2011 9:18:32 AM - Unsigned driver install

RP3: 7/16/2011 8:47:58 PM - System Checkpoint

RP4: 7/16/2011 9:17:36 PM - Restore Operation

RP5: 7/16/2011 9:27:20 PM - Installed HiJackThis

RP6: 7/16/2011 10:01:04 PM - Removed HiJackThis

RP7: 7/16/2011 10:48:25 PM - Installed Kaspersky Anti-Virus 2011.

RP8: 7/17/2011 11:06:38 PM - Installed HiJackThis

.

==== Installed Programs ======================

.

Adobe Acrobat 7.0 Professional

Adobe AIR

Adobe Anchor Service CS4

Adobe Bridge CS4

Adobe CMaps CS4

Adobe Color - Photoshop Specific CS4

Adobe Color EU Extra Settings CS4

Adobe Color JA Extra Settings CS4

Adobe Color NA Recommended Settings CS4

Adobe Color Video Profiles CS CS4

Adobe CSI CS4

Adobe Default Language CS4

Adobe Drive CS4

Adobe ExtendScript Toolkit CS4

Adobe Extension Manager CS4

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Fonts All

Adobe Linguistics CS4

Adobe Output Module

Adobe PDF Library Files CS4

Adobe Photoshop CS4

Adobe Photoshop CS4 Support

Adobe Photoshop Lightroom 3.2

Adobe Reader X (10.1.0)

Adobe Search for Help

Adobe Service Manager Extension

Adobe Setup

Adobe Type Support CS4

Adobe Update Manager CS4

Adobe WinSoft Linguistics Plugin

Adobe XMP Panels CS4

AdobeColorCommonSetCMYK

AdobeColorCommonSetRGB

Bluetooth Stack for Windows by Toshiba

Bonjour

Broadcom Gigabit Integrated Controller

Citrix online plug-in - web

Citrix online plug-in (DV)

Citrix online plug-in (HDX)

Citrix online plug-in (USB)

Citrix online plug-in (Web)

Compatibility Pack for the 2007 Office system

Conexant HDA D330 MDC V.92 Modem

Connect

CutePDF Writer 2.8

Dell Resource CD

Document Express DjVu Plug-in

ESET Online Scanner v3

Garmin TOPO U.S. 2008

Google Earth

Google Update Helper

High Definition Audio Driver Package - KB835221

HiJackThis

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Windows XP (KB2158563)

Hotfix for Windows XP (KB2443685)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB981793)

HP Officejet Pro 8500 A910 Basic Device Software

HP Officejet Pro 8500 A910 Help

HP Update

Intel(R) Graphics Media Accelerator Driver

Intel(R) PROSet/Wireless Software

Kaspersky Anti-Virus 2011

kuler

Malwarebytes' Anti-Malware version 1.51.1.1800

MapInfo Professional 10.5

mCore

mDriver

mDrWiFi

mHlpDell

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Kernel-Mode Driver Framework Feature Pack 1.5

Microsoft Office Access database engine 2007 (English)

Microsoft Office File Validation Add-In

Microsoft Office Professional Edition 2003

Microsoft Silverlight

mIWA

mLogView

mMHouse

Mozilla Firefox 5.0.1 (x86 en-US)

mPfMgr

mPfWiz

mProSafe

mSCfg

mSSO

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 6 Service Pack 2 (KB973686)

mWlsSafe

mWMI

mZConfig

OZ776 SCR Driver V1.1.3.9

PDF Settings CS4

Photoshop Camera Raw

PowerDVD

QuickTime

RockWorks 15

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)

Security Update for Windows Internet Explorer 8 (KB2360131)

Security Update for Windows Internet Explorer 8 (KB2416400)

Security Update for Windows Internet Explorer 8 (KB2482017)

Security Update for Windows Internet Explorer 8 (KB2497640)

Security Update for Windows Internet Explorer 8 (KB2510531)

Security Update for Windows Internet Explorer 8 (KB2530548)

Security Update for Windows Internet Explorer 8 (KB2544521)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB981332)

Security Update for Windows Internet Explorer 8 (KB982381)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player (KB979402)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2259922)

Security Update for Windows XP (KB2279986)

Security Update for Windows XP (KB2286198)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2296199)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2436673)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB2476490)

Security Update for Windows XP (KB2476687)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479628)

Security Update for Windows XP (KB2479943)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2485376)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2503658)

Security Update for Windows XP (KB2503665)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2506223)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2507938)

Security Update for Windows XP (KB2508272)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2511455)

Security Update for Windows XP (KB2524375)

Security Update for Windows XP (KB2535512)

Security Update for Windows XP (KB2536276)

Security Update for Windows XP (KB2544893)

Security Update for Windows XP (KB2555917)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923789)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981852)

Security Update for Windows XP (KB981957)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982214)

Security Update for Windows XP (KB982381)

Security Update for Windows XP (KB982665)

SigmaTel Audio

Suite Shared Configuration CS4

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows Internet Explorer 8 (KB2447568)

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows XP (KB2141007)

Update for Windows XP (KB2345886)

Update for Windows XP (KB2467659)

Update for Windows XP (KB2541763)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971029)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

VLC media player 1.1.1

WebFldrs XP

Windows Genuine Advantage Notifications (KB905474)

Windows Internet Explorer 8

Windows XP Service Pack 3

WinRAR archiver

.

==== Event Viewer Messages From Past Week ========

.

7/18/2011 8:41:38 PM, error: Dhcp [1002]  - The IP address lease 192.168.1.101 for the Network Card with network address 0019B9890BA3 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

7/17/2011 2:35:22 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

7/17/2011 12:36:08 AM, error: sr [1]  - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'.  It has stopped monitoring the volume.

7/17/2011 12:34:53 AM, error: DCOM [10000]  - Unable to start a DCOM Server: {1F87137D-0E7C-44D5-8C73-4EFFB68962F2}. The error: "%193" Happened while starting this command: C:\WINDOWS\system32\wbem\wmiprvse.exe -secured -Embedding

7/17/2011 1:53:11 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

7/17/2011 1:32:27 PM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  ctxusbm Fips intelppm KLIF Tosrfcom

7/17/2011 1:31:16 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

7/12/2011 4:53:33 PM, error: Dhcp [1002]  - The IP address lease 192.168.1.102 for the Network Card with network address 0019B9890BA3 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

7/12/2011 2:41:00 PM, error: NETLOGON [5719]  - No Domain Controller is available for domain LEIDICH due to the following:  There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.

.

==== End Of File ===========================

Again this morning pages were still being redirected to one site (earthonlyone - or something like that). It never loads and most of the time if I try the links again a few times it will eventually go to the correct site. Otherwise, I've noticed no other oddities.

cheers~

ryan
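
A small timeline builder, added here as an example; it is not part of the thread and not one of the tools Kevin prescribes. It parses lines in the shape of the DDS "System Restore Points" and "Event Viewer Messages" sections above (a constructed subset of those lines is embedded) and merges them into one chronological list, flagging the entries worth lining up against the symptoms: RP2 "Unsigned driver install" on 7/15, two days before the redirects were noticed, and the System Restore filter error and boot-start driver load failure on 7/17. Which descriptions and event IDs count as suspicious is this example's assumption; whether RP2 is connected to the TDSS finding cannot be decided from the log alone.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the DDS "System Restore Points" and
# "Event Viewer Messages" lines pasted above, in the same layout.
SAMPLE_RESTORE_POINTS = """\
RP1: 7/15/2011 7:49:14 AM - System Checkpoint
RP2: 7/15/2011 9:18:32 AM - Unsigned driver install
RP3: 7/16/2011 8:47:58 PM - System Checkpoint
RP4: 7/16/2011 9:17:36 PM - Restore Operation
RP5: 7/16/2011 9:27:20 PM - Installed HiJackThis
"""

SAMPLE_EVENTS = """\
7/17/2011 1:32:27 PM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  ctxusbm Fips intelppm KLIF Tosrfcom
7/17/2011 12:36:08 AM, error: sr [1]  - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'.  It has stopped monitoring the volume.
7/12/2011 4:53:33 PM, error: Dhcp [1002]  - The IP address lease 192.168.1.102 for the Network Card with network address 0019B9890BA3 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
"""

TS = r"\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M"
TS_FMT = "%m/%d/%Y %I:%M:%S %p"
RP_RE = re.compile(rf"^RP(\d+):\s+({TS}) - (.*)$")
EV_RE = re.compile(rf"^({TS}), (\w+): (.+?) \[(\d+)\]\s+- (.*)$")

# What to flag is this example's assumption: a restore point created by an
# unsigned driver install, System Restore's filter giving up on the volume,
# and boot-start drivers that failed to load.
SUSPICIOUS_RP = {"unsigned driver install"}
SUSPICIOUS_EVENTS = {("Service Control Manager", 7026), ("sr", 1)}

def parse_restore_points(text):
    """(timestamp, kind, label, flagged) for each 'RPn: date - description' line."""
    out = []
    for line in text.splitlines():
        m = RP_RE.match(line.strip())
        if not m:
            continue
        desc = m.group(3).strip()
        out.append((datetime.strptime(m.group(2), TS_FMT), "restore-point",
                    f"RP{m.group(1)}: {desc}", desc.lower() in SUSPICIOUS_RP))
    return out

def parse_event_log(text):
    """Same tuple shape for 'date, level: Source [id]  - message' lines."""
    out = []
    for line in text.splitlines():
        m = EV_RE.match(line.strip())
        if not m:
            continue
        level, source, event_id, msg = m.group(2), m.group(3), int(m.group(4)), m.group(5)
        out.append((datetime.strptime(m.group(1), TS_FMT), f"eventlog/{level}",
                    f"{source} [{event_id}]: {msg}", (source, event_id) in SUSPICIOUS_EVENTS))
    return out

def build_timeline(rp_text, ev_text):
    """Merge both sources, oldest first, so the sequence of events reads naturally."""
    return sorted(parse_restore_points(rp_text) + parse_event_log(ev_text), key=lambda e: e[0])

def flagged(timeline):
    """Only the entries marked suspicious, in chronological order."""
    return [e for e in timeline if e[3]]

if __name__ == "__main__":
    for ts, kind, label, flag in build_timeline(SAMPLE_RESTORE_POINTS, SAMPLE_EVENTS):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {'!' if flag else ' '}  {kind:<14} {label[:70]}")
```

Feed it the two DDS sections verbatim (the event lines are long, so copy whole lines) and read the flagged rows together with the malware names the scanners reported; the timeline orders the evidence, it does not explain it.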

July 19th, 2011 00:00

Hiya Ryan,

Continue as follows please :-

Step 1

Upload a File to Virustotal
Please visit Virustotal

  • Click the Browse... button
  • Navigate to the file C:\Program Files\Windows NT\dwm.exe
  • Click the Open button
  • Click the Send button
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Copy and paste the results back here please.



Step 2

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content from between the dotted lines into the main textfield:
    -------------------------------------------------------------------------------
    :dir
    C:\Program Files\Windows NT /s
    -------------------------------------------------------------------------------

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Let me see the results from VirusTotal and the log from System Look...

Thanks,

Kevin

July 19th, 2011 07:00

G'day Kevin,

    Here are the results from the VirusTotal scan of dwm.exe. It didn't look so good, lots of red and 'trojan' :/

File name: dwm.exe

Submission date: 2011-07-19 13:28:05 (UTC)

Current status: finished

Result: 26/43 (60.5%)

Antivirus             Version          Last Update   Result
AhnLab-V3             2011.07.19.02    2011.07.19    Backdoor/Win32.Gbot
AntiVir               7.11.11.228      2011.07.19    TR/Crypt.EPACK.Gen2
Antiy-AVL             2.0.3.7          2011.07.15    -
Avast                 4.8.1351.0       2011.07.19    -
Avast5                5.0.677.0        2011.07.19    Win32:Cycbot-HJ [Trj]
AVG                   10.0.0.1190      2011.07.19    BackDoor.Generic14.JBR
BitDefender           7.2              2011.07.19    Gen:Variant.Kazy.30967
CAT-QuickHeal         11.00            2011.07.19    (Suspicious) - DNAScan
ClamAV                0.97.0.0         2011.07.19    -
Commtouch             5.3.2.6          2011.07.19    -
Comodo                9436             2011.07.19    -
DrWeb                 5.0.2.03300      2011.07.19    Trojan.DownLoader4.12898
Emsisoft              5.1.0.8          2011.07.19    Trojan.Win32.Menti.hdsi!A2
eSafe                 7.0.17.0         2011.07.19    -
eTrust-Vet            36.1.8452        2011.07.19    Win32/FakeAlert.J!generic
F-Prot                4.6.2.117        2011.07.19    -
F-Secure              9.0.16440.0      2011.07.19    Gen:Variant.Kazy.30967
Fortinet              4.2.257.0        2011.07.19    W32/Kryptik.POT!tr
GData                 22               2011.07.19    Gen:Variant.Kazy.30967
Ikarus                T3.1.1.104.0     2011.07.19    -
Jiangmin              13.0.900         2011.07.18    Trojan/Menti.dmq
K7AntiVirus           9.108.4919       2011.07.18    -
Kaspersky             9.0.0.837        2011.07.19    HEUR:Trojan.Win32.Generic
McAfee                5.400.0.1158     2011.07.19    BackDoor-EXI.gen.k
McAfee-GW-Edition     2010.1D          2011.07.19    BackDoor-EXI.gen.k
Microsoft             1.7000           2011.07.19    Backdoor:Win32/Cycbot.B
NOD32                 6307             2011.07.19    a variant of Win32/Kryptik.QJC
Norman                6.07.10          2011.07.18    -
nProtect              2011-07-19.01    2011.07.19    Gen:Variant.Kazy.30967
Panda                 10.0.3.5         2011.07.19    Suspicious file
PCTools               8.0.0.5          2011.07.13    -
Prevx                 3.0              2011.07.19    -
Rising                23.67.01.05      2011.07.19    -
Sophos                4.67.0           2011.07.19    Troj/FakeAV-EFL
SUPERAntiSpyware      4.40.0.1006      2011.07.19    Trojan.Agent/Gen-Backdoor
Symantec              20111.1.0.186    2011.07.19    Trojan.Gen.2
TheHacker             6.7.0.1.257      2011.07.18    -
TrendMicro            9.200.0.1012     2011.07.19    BKDR_CYCBOT.SME3
TrendMicro-HouseCall  9.200.0.101      2011.07.19    BKDR_CYCBOT.SME3
VBA32                 3.12.16.4        2011.07.19    -
VIPRE                 9902             2011.07.19    Trojan.Win32.Generic!BT
ViRobot               2011.7.19.4577   2011.07.19    -
VirusBuster           14.0.129.0       2011.07.18    -

Additional information

MD5:    49d3eedb5421352e895ad43b24df23cd
SHA1:   58870855aaff44297463683c4bfc3cf83009b17b
SHA256: c136596178ed53f8dd8c7c72ca280c964b95965fda7c1265950ca95fef9a59f2

As for the SystemLook, I downloaded it and hit run and was stopped by an error message "Script Required" thus no results. I tried both mirror sites and ended up with the same result.

Thanks =D

ryan
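
Two checks that go with the VirusTotal step, added here as an example (not the thread's own code and not one of the tools used in it). First, compute the MD5/SHA-1/SHA-256 of a suspect file locally: VirusTotal can be searched by hash, so a file that is already known can be identified without uploading it, and the digests reported above serve as a small blocklist to match against. Second, parse a pasted VirusTotal result table (a constructed subset of the rows above is embedded) to get the detection count, the 26/43 figure. The blocklist layout and the file handling are this example's assumptions. One caveat on the sample itself: Desktop Window Manager (dwm.exe) shipped with Vista and lives in System32; Windows XP has no dwm.exe, so one under C:\Program Files\Windows NT is suspicious on its location alone, whatever the scanners say.

```python
import hashlib

# Hashes VirusTotal reported for the dwm.exe sample in the post above; the
# blocklist shape (one set per algorithm) is this example's own convention.
KNOWN_BAD = {
    "md5": {"49d3eedb5421352e895ad43b24df23cd"},
    "sha1": {"58870855aaff44297463683c4bfc3cf83009b17b"},
    "sha256": {"c136596178ed53f8dd8c7c72ca280c964b95965fda7c1265950ca95fef9a59f2"},
}
ALGOS = ("md5", "sha1", "sha256")

# Constructed subset of the VirusTotal rows pasted above, in the same layout.
SAMPLE_REPORT = """\
Antivirus Version         Last Update                Result
AhnLab-V3 2011.07.19.02 2011.07.19          Backdoor/Win32.Gbot
Antiy-AVL 2.0.3.7 2011.07.15 -
Avast        4.8.1351.0 2011.07.19 -
CAT-QuickHeal 11.00 2011.07.19                 (Suspicious) - DNAScan
ClamAV        0.97.0.0 2011.07.19 -
NOD32        6307 2011.07.19                        a variant of Win32/Kryptik.QJC
"""

def hash_bytes(data):
    """MD5/SHA-1/SHA-256 of an in-memory buffer (the digests VirusTotal lists)."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGOS}

def hash_file(path, chunk=1 << 20):
    """Same digests for a file on disk, streamed so large binaries are fine."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def matches_known_bad(hashes, known=KNOWN_BAD):
    """True if any digest is on the list. MD5 and SHA-1 are kept only because
    older reports quote them; SHA-256 is the one to rely on for identity."""
    return any(digest in known.get(name, ()) for name, digest in hashes.items())

def parse_vt_report(text):
    """Rows look like 'Vendor Version LastUpdate Result...'; the result may contain
    spaces, and a bare '-' means the engine did not flag the file."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4 or not parts[2].startswith("20"):
            continue  # header, blank, or something that is not a scan row
        vendor, _version, _updated, result = parts
        rows.append((vendor, result.strip()))
    return rows

def detection_ratio(rows):
    """(engines flagging, engines total), the '26/43' figure in the report."""
    return sum(1 for _, r in rows if r != "-"), len(rows)

if __name__ == "__main__":
    rows = parse_vt_report(SAMPLE_REPORT)
    print("detections: %d/%d" % detection_ratio(rows))
    print("empty buffer on blocklist:", matches_known_bad(hash_bytes(b"")))
```

Hash the copy you still have (Kaspersky's quarantine, or the file before any tool moves it) with hash_file() and search VirusTotal for the SHA-256 first; upload only when the hash is unknown, since an upload shares the file with every vendor on the list.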

July 19th, 2011 14:00

Hiya Ryan,

Continue as follows :-

Step 1


Please download OTM by OldTimer.
Alternative Mirror 1
Alternative Mirror 2
Save it to your desktop.
Double click OTM.exe to start the tool. Vista or Windows 7 users right click and select Run as Administrator
  • Copy the text between the dotted lines below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    -------------------------------------------------------------------

    :Services
    :Files
    ipconfig /flushdns /c
    C:\Program Files\Windows NT\dwm.exe
    :Commands
    [EmptyFlash]
    [EmptyTemp]
    [ResetHosts]
    [ClearAllRestorePoints]

    ---------------------------------------------------------------------

  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

Step 2

Please download Malwarebytes Anti-Malware and save it to your desktop.
Alternative D/L mirror
Alternative D/L mirror

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.


Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Let me see the logs from OTM and Malwarebytes, also give update on issues/concerns...

Kevin
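
Kevin's OTM script resets the hosts file and flushes the DNS cache. The audit below is an added example, not the thread's own code and not part of OTM: it parses hosts-file content (a constructed sample is embedded), skips the stock "127.0.0.1 localhost" line, and reports every other mapping, split into sinkholed hosts (loopback or 0.0.0.0, the trick used to block security-vendor sites and updates) and hosts redirected to some other address. The sample entries and the two reason labels are this example's assumptions. A clean hosts file does not rule out the redirect: the proxy setting Ryan mentioned and the resolver's DNS server settings are separate places to check.

```python
import ipaddress

# Constructed sample hosts file (not from the thread): the stock Windows XP
# loopback line followed by the kind of entries a redirect infection leaves behind.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
0.0.0.0         www.malwarebytes.org
127.0.0.1       www.kaspersky.com      # vendor/update sites sinkholed
203.0.113.45    www.google.com
203.0.113.45    search.yahoo.com  www.bing.com
"""

# The only mapping a stock XP hosts file carries.
STOCK_ENTRIES = {("127.0.0.1", "localhost")}

def parse_hosts(text):
    """Return (ip, hostname) pairs for every active mapping. Comments (everything
    after '#'), blank lines and lines without a parsable address are skipped; one
    line may list several hostnames for the same address."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address; leave malformed lines for a human
        for host in parts[1:]:
            entries.append((str(ip), host.lower()))
    return entries

def audit_hosts(text):
    """Flag every mapping that is not the stock loopback line, with a reason.
    A loopback/unspecified address sinkholes the host (used to block AV vendor
    sites and updates); anything else sends the host where the attacker chose,
    which is what a search redirect looks like from inside this file."""
    findings = []
    for ip, host in parse_hosts(text):
        if (ip, host) in STOCK_ENTRIES:
            continue
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            findings.append((ip, host, "sinkholed"))
        else:
            findings.append((ip, host, "redirected"))
    return findings

if __name__ == "__main__":
    for ip, host, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{reason:<10} {host:<24} -> {ip}")
```

On XP the file to read is C:\WINDOWS\System32\drivers\etc\hosts, the path OTM's log below shows being moved; run the audit before the reset so you keep a record of what the infection had written.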

July 20th, 2011 00:00

Howdy Kevin.

     Just got in from work, a looong day out in the field. Anyways, the logs are attached. It seems the Kaspersky AV found a trojan in the dwm.exe file and deleted it... not sure if that's a problem or not, however from the looks of a previous scan you had me do, it showed quite a few nasty things in it.

Rerunning Malwarebytes (had previously run it before searching for help) found Trojan.Agent.GGE as shown by the log.

I've been working late and have been away from my computer, so I'm not sure how the hijacked search results are faring, however, I'd imagine it's still happening since we have been scanning for problems and not removing anything yet. I'll keep you posted in that regard.

OTM LOG

All processes killed

========== SERVICES/DRIVERS ==========

========== FILES ==========

< ipconfig /flushdns /c >

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C:\Documents and Settings\Ryan\My Documents\Downloads\cmd.bat deleted successfully.

C:\Documents and Settings\Ryan\My Documents\Downloads\cmd.txt deleted successfully.

File/Folder C:\Program Files\Windows NT\dwm.exe not found.

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

->Flash cache emptied: 56468 bytes

User: LocalService

->Temp folder emptied: 16384 bytes

->Temporary Internet Files folder emptied: 32902 bytes

User: Mike

->Temp folder emptied: 5430185 bytes

->Temporary Internet Files folder emptied: 1647328154 bytes

->Flash cache emptied: 3129051 bytes

User: Mike.LEIDICH

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 294871 bytes

->Flash cache emptied: 700 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 9093254 bytes

->Flash cache emptied: 14003 bytes

User: Ryan

->Temp folder emptied: 35135 bytes

->Temporary Internet Files folder emptied: 1005629 bytes

->FireFox cache emptied: 50200153 bytes

->Flash cache emptied: 57079 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 2195181 bytes

%systemroot%\System32 .tmp files removed: 2577 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 106013 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 3376782 bytes

RecycleBin emptied: 27166719 bytes

Total Files Cleaned = 1,668.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.

HOSTS file reset successfully

Restore points cleared and new OTM Restore Point set!

OTM by OldTimer - Version 3.1.18.0 log created on 07192011_233418

Files moved on Reboot...

File C:\WINDOWS\temp\klsBEDA.tmp not found!

Registry entries deleted on Reboot...

MalwareBytes LOG

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7208

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

7/20/2011 12:06:09 AM

mbam-log-2011-07-20 (00-06-09).txt

Scan type: Quick scan

Objects scanned: 192037

Time elapsed: 3 minute(s), 35 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\sti_cim.dll (Trojan.Agent.GGE) -> Quarantined and deleted successfully.

thanks mate~

July 20th, 2011 02:00

Hiya Ryan,

Do a full system scan with your security program (Kaspersky), let me know if it finds anything. If the log comes back clean and you have no remaining issues we can clean up the tools we've used.....

Kevin

July 21st, 2011 10:00

Hello Kevin,

     I completed a scan with no threats/objects found. WOO. Everything seems well and good now. Thanks a million!

I've uninstalled HijackThis and MalwareBytes via Add/Remove Programs. I know there are some CMDs to remove ComboFix and possibly others, so I'm awaiting instructions.

Also, are there any programs and/or settings you'd recommend to help prevent infection? I'm somewhat lost as to how so many trojans etc. got on this system, as it's my travel/work computer.

ryan

July 21st, 2011 15:00

Hiya Ryan,

Continue as follows :-

Step 1

Remove Combofix now that we're done with it

  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

The above procedure will delete the following:

  • ComboFix and its associated files and folders.
  • VundoFix backups, if present
  • The C:\_OTMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

It is very important that you get a successful uninstall because of the extra functions done at the same time, let me know if this does not happen.

Step 2

  • Download OTC by OldTimer and save it to your desktop. Alternative mirror
  • Double click the OTC icon to start the program. If you are using Vista or Windows 7, please right-click and choose run as administrator
  • Then click the big CleanUp! button.
  • You will get a prompt saying "Beginning Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
  • This will remove tools we have used and itself. Any tools/logs remaining on the Desktop can be deleted.

Step 3

1. Click Start, click Run, type control appwiz.cpl in the Open box, and then press ENTER.
2. Click to select ESET Online Scanner from the application list, and then click Remove. Only re-boot if prompted

Step 4

Download and scan with CCleaner

1. Use either one of the two free links below the Premium version. If you are offered any Toolbars etc. such as Yahoo just decline the offer.
2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 24 hours"
3. Then select the items you wish to clean up.

In the Windows Tab:

  • Clean all entries in the "Internet Explorer" section except Cookies if you want to keep those.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.
  • Make sure "Wipe free space" is unticked, this will dramatically increase scan time if selected.

In the Applications Tab:

  • Clean all except cookies in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

CCleaner is an excellent Utility and well worth keeping, bottom left hand corner of main interface is link "Online Help" use that link to get the full instructions for this very handy application.

Let me know if the above steps complete OK, also any remaining issues/concerns.

Kevin

July 21st, 2011 16:00

KEVIN!

All seems to be super duper and running better than ever! Thanks so much for taking the time to help me! It's VERY appreciated. I'm pretty sure everything is resolved =D

Have a great rest of the year!

ryan

July 22nd, 2011 04:00

Hiya Ryan,

Your latest logs are clean and you say that your system is running well, it would be an excellent idea to keep it that way. The following advice will go a long way to keeping you secure so that you can enjoy safe and happy surfing.

Here are some tips to reduce the potential for malware infection in the future:

Make proper use of your antivirus and firewall

Antivirus and Firewall programs are integral to your computer security. However, just having them installed isn't enough. The definitions of these programs are frequently updated to detect the latest malware, if you don't keep up with these updates then you'll be vulnerable to infection. Many antivirus and firewall programs have automatic update features, make use of those if you can. If your program doesn't, then get in the habit of routinely performing manual updates, because it's important.

You should keep your antivirus and firewall guard enabled at all times, NEVER turn them off unless there's a specific reason to do so. Also, regularly performing a full system scan with your antivirus program is a good idea to make sure your system remains clean. Once a week should be adequate. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

Install and use WinPatrol This will inform you of any attempted unauthorized changes to your system.

WinPatrol features explained Here

You will have several programs installed, these may be outdated and vulnerable to exploits also. To be certain, please run the free online scan by Secunia, available Here. Before clicking the Start scan button, please check the box for the option Enable thorough system inspection. Just below the "Scan Options:" section, you'll see the status of what's currently processing. When the scan completes, the message "Detection completed successfully" will appear in the Programs/Result section. For each problem detected, Secunia will offer a "Solution" option. Please follow those instructions to download updated versions of the programs as recommended by Secunia.

Use a safer web browser

Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a few good free alternatives:

Firefox,

Opera, and

Chrome.

All of these are excellent faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial HERE which will help you to make IE MUCH safer.

These browser add-ons will help to make your browser safer:

Web of Trust warns you about risky websites that try to scam visitors, deliver malware or send spam. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous ones: green to go, yellow for caution, and red to stop. Available for Firefox and Internet Explorer.

NoScript helps to block malicious scripts and in general gives you much better control over what types of things webpages can do to your computer while you're browsing. Available for Firefox only.

These are just a couple of the most popular add-ons, if you're interested in more, take a look at THIS article.

Here are a couple of links by two security experts that will give some excellent tips and advice.

So how did I get infected in the first place by Tony Klein

How to prevent Malware by Miekiemoes

Finally this link HERE will give a comprehensive up-to-date list of free Security programs. To include - Antivirus, Antispyware, Firewall, Antimalware, Online scanners and rescue CDs.

Don't forget, the best form of defense is common sense. If you don't recognize it, don't open it. If something looks too good to be true, then it ain't.

Post back and let me know if you're happy to close this one out,

Take care,

Kevin

July 22nd, 2011 07:00

Kevin, Mate,

   I'm content and ready to close this out. All seems to be well and great. Many thanks, friend!

ryan

July 22nd, 2011 08:00

Since this issue appears to be resolved the topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

The fixes and advice in this thread are for this System only. Do not apply the instructions from this thread to your own System. Please start a new thread describing your issue and someone will be along to assist you.
