Unsolved
Search Result Redirect/Hijacked Browser
Hello,
I noticed this morning that many of my search results were leading me to pages with no association to what I had searched for. After a few confusing minutes, I realized I had something wrong and began researching (as best as one can with constant redirects) about the problem. Thus far I've spent the greater part of the day downloading spy/malware scanning and removal applications. So far, I've used Kaspersky anti-virus, Malwarebytes, SUPERAntiSpyware, Hitman and CleanMyPCRegistry. They all seemed to find something new and get rid of it; however, I'm still having trouble about 30% of the time with redirects to one site. I'm currently running XP Professional SP3.
The main things all the scans found were: TDSS.rootkit (removed with rootkiller), Trojan.Win32.Obfuscated.alwf, Backdoor.Win32.Gbot.mgw, Trojan-Downloader.NSIS.Murlo.f, Trojan.Clicker.AS. I believe they are all removed, as subsequent scans have not revealed them.
My browser/internet is being routed through a proxy, so for now a work-around is to turn that off; however, it resets to the "bad" settings when I open my browser (Firefox 5).
My last scan with SuperAntiSpyware came up with two registry keys that were possibly infected. They are
HKU\.Default\Software\.....\WINLOGON#SHELL
HKU\S-1-5-18\Software\.....\WINLOGON#SHELL
That's as much as I know and have been able to figure out. Here's my HijackThis log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:18:46 PM, on 7/17/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\ievkbd.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\klwtbbho.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ConnectionCenter] "C:\Program Files\Citrix\ICA Client\concentr.exe" /startup
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe"
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: &Virtual Keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\klwtbbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\klwtbbho.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Leidich.local
O17 - HKLM\Software\..\Telephony: DomainName = Leidich.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Leidich.local
O18 - Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter hijack: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus Service (AVP) - Kaspersky Lab ZAO - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 11542 bytes
Thanks Much, hope this is easy to resolve!
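The log above is easier to triage mechanically than by eye. The script below is an added example (not from the original post, and not part of HijackThis or any of the tools named in the thread) that reads HJT lines and flags the entry types that matter for a redirect problem: R0/R1 pages that are not the stock Microsoft fwlink, orphaned R3/O2 registrations marked `(no file)`, O4 run entries that launch from user-writable folders or by bare file name, and the O17/O18/O20 entries a practitioner checks by hand. The rules are my own heuristics, not HJT's. The sample log mixes lines copied from the posted log with two constructed ones (the redirected start page and the Temp-folder run entry) so each check fires at least once.

```python
"""Triage a HijackThis (HJT) log for the entry types a browser hijacker
typically leaves behind.  Added example for this thread; it is not part
of the original post and the rules are my own heuristics, not HJT's."""
import re
from typing import List, Tuple

# Sample input: most lines are copied from the HJT log posted above; the
# R0 start-page line and the O4 Temp-folder entry are constructed to show
# what a hijacked setting looks like.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search-redirect.example/
R3 - URLSearchHook: (no name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Ryan\Local Settings\Temp\svchost.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Leidich.local
O18 - Filter hijack: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
"""

DEFAULT_PAGE_HOSTS = {"go.microsoft.com"}   # IE8 fwlink defaults on a clean install
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\local settings\\", "\\recycler\\")
EXEC_EXT = re.compile(r"(.+?\.(?:exe|dll|scr|com|bat|cmd|vbs|js))(?=\s|$)", re.I)

Finding = Tuple[str, str, str]  # (severity, reason, log line)


def _run_target(rest: str) -> str:
    """Extract the launched file from the text after the [name] of an O4 line."""
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]          # quoted path, arguments follow
    m = EXEC_EXT.match(rest)
    return m.group(1) if m else rest.split()[0]   # unquoted path, may contain spaces


def triage_hjt_log(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if " - " not in line:
            continue
        kind = line.split(" - ", 1)[0]
        low = line.lower()
        if kind in ("R0", "R1"):
            # Start/search page URLs: anything but the stock fwlink is suspect.
            m = re.search(r"=\s*(\S+)\s*$", line)
            host = re.sub(r"^https?://", "", m.group(1)).split("/")[0].lower() if m else ""
            if host and host not in DEFAULT_PAGE_HOSTS:
                findings.append(("high", f"IE page/search URL changed to {host}", line))
        elif kind in ("R3", "O2", "O3") and ("(no file)" in low or "(no name)" in low):
            # Orphaned hooks/BHOs/toolbars: the DLL is gone, the registration remains.
            findings.append(("medium", f"{kind} registration with no name or missing file (orphan, safe to remove)", line))
        elif kind == "O4" and "] " in line:
            target = _run_target(line.split("] ", 1)[1])
            if "\\" not in target:
                findings.append(("low", "Run entry uses a bare file name, resolved via the search path", line))
            elif any(p in target.lower() for p in USER_WRITABLE):
                findings.append(("high", "Run entry launches from a user-writable temp/profile folder", line))
        elif kind == "O17":
            findings.append(("info", "DNS domain/name-server setting; confirm it is your own network's", line))
        elif kind == "O18" and "filter hijack" in low:
            findings.append(("info", "HJT calls every non-default MIME filter a 'hijack'; check the DLL vendor", line))
        elif kind == "O20":
            findings.append(("info", "Winlogon Notify DLL loads into winlogon.exe at logon; confirm the vendor", line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage_hjt_log(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Applied to the posted log, the two `(no file)` entries (the unnamed URLSearchHook and BHO) are leftovers of something already removed, the O18 "Filter hijack" line is the Citrix ICA client and is benign, and the O20 entry is SUPERAntiSpyware's own DLL. The `WINLOGON#SHELL` hits SUPERAntiSpyware reported are a different persistence point, the Winlogon `Shell` value (normally `Explorer.exe`), which HJT lists under F2 only when it is non-default.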
kevinf80_1d0ac6
July 18th, 2011 04:00
Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
Please print or save to Notepad all instructions and follow them carefully. If there's something you don't understand or that will not work, please let me know and we will go through it together.
Malware is often buggy and can be very unstable, with that in mind it is advisable to backup any important data before we begin.
If you do not reply within 72 hours the thread will be closed; if you need more time, let me know. Likewise, if I do not respond within 48 hours, feel free to PM me.
* If you are using any cracked software, please remove it. In addition to being illegal, when you install cracked software, you are running executable files from dubious, unknown sources. You are giving these sources access to information on your hard disk, and potential control over operation of your computer. Definition of cracked software HERE
** If you are using any P2P (file sharing) programs, please remove them before we clean your computer. The nature of such software and the high incidence of malware in files downloaded with them is counter productive to restoring your PC to a healthy state. That includes BitTorrent and similar programs. There is a partial list HERE
Please proceed as follows :-
Step 1
Check for proxy server settings in your browser; the following are the most commonly used.
Internet Explorer:
Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "Use a proxy server" and check "Automatically detect settings". OK, Apply (only if applicable), OK.
Firefox:
Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection. "No Proxy" should be selected, unless you have one set up yourself.
Chrome:
Select -> Tools menu -> then "Options", then go to "Change Proxy Settings", then "LAN Settings" , then take out the check mark for "Use a proxy server for your LAN" if set, unless you set this up yourself.
Safari
Step 2
Delete any versions of Combofix that you may have on your Desktop and download a fresh copy from either of the following links :-
Link 1
Link 2
Before saving Combofix to the Desktop re-name to Gotcha.exe as below:
**** Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall or freeze ****
Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read Here why disabling autoruns is recommended.
*EXTRA NOTES*
Post the log in next reply please...
Kevin
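Step 1 above checks the proxy settings through each browser's dialog. As an added example (not Kevin's instructions, and not code from ComboFix or any tool in the thread), the script below makes the same check from two text artifacts you can collect instead of clicking through: a `reg export` of the per-user WinINET key that IE and Chrome both use (`HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings`, values `ProxyEnable`, `ProxyServer`, `AutoConfigURL`) and Firefox's `prefs.js` (`network.proxy.type` and related prefs, which is also where the `FF - prefs.js: network.proxy.type - 0` line in a ComboFix log comes from). The value and pref names are real; both sample inputs are constructed, and the loopback proxy they show is the pattern a local hijacker typically leaves.

```python
"""Audit browser proxy settings offline from exported artifacts.  Added
example for this thread, not code from the original post.  The registry
value names and Firefox pref names are the real ones; the sample contents
below are constructed."""
import re
from typing import Dict, List

# Constructed: output of
#   reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" ie.reg
IE_REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:8080"
"ProxyOverride"="<local>"
"AutoConfigURL"=""
'''

# Constructed prefs.js.  network.proxy.type: 0 = no proxy, 1 = manual,
# 2 = PAC script, 4 = auto-detect (WPAD), 5 = use system settings (Firefox default).
FF_PREFS_SAMPLE = '''user_pref("browser.startup.homepage", "www.google.com");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 8080);
'''

LOOPBACK = ("127.", "localhost", "::1")


def parse_reg_export(text: str) -> Dict[str, str]:
    """Return name -> value for dword and string values in a .reg export
    (dwords decoded to decimal strings, doubled backslashes un-escaped)."""
    values: Dict[str, str] = {}
    pattern = r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")\s*$'
    for name, dword, string in re.findall(pattern, text, re.M):
        values[name] = str(int(dword, 16)) if dword else string.replace("\\\\", "\\")
    return values


def parse_prefs_js(text: str) -> Dict[str, str]:
    """Return pref name -> value (as a string) from Firefox prefs.js."""
    prefs: Dict[str, str] = {}
    for name, string, other in re.findall(r'user_pref\("([^"]+)",\s*(?:"([^"]*)"|([^)]+))\);', text):
        prefs[name] = string if string else other.strip()
    return prefs


def _host_of(proxy: str) -> str:
    """'http=127.0.0.1:8080;https=...' or 'host:port' -> host of the first entry."""
    first = proxy.split(";")[0].split("=", 1)[-1]
    return first.rsplit(":", 1)[0].strip()


def _describe(where: str, host: str) -> str:
    if host.startswith(LOOPBACK):
        return (f"{where}: proxy is {host} (loopback); a process on this machine "
                "sits in the path of all browser traffic")
    return f"{where}: proxy is {host}; verify you configured it"


def audit_proxy(ie: Dict[str, str], ff: Dict[str, str]) -> List[str]:
    findings: List[str] = []
    # ProxyEnable=0 with a stale ProxyServer is harmless; both must be set.
    if ie.get("ProxyEnable") == "1" and ie.get("ProxyServer"):
        findings.append(_describe("IE/WinINET", _host_of(ie["ProxyServer"])))
    if ie.get("AutoConfigURL"):
        findings.append(f"IE/WinINET: PAC script {ie['AutoConfigURL']}; a PAC can route any URL it likes")
    ptype = ff.get("network.proxy.type", "5")
    if ptype == "1":
        host = ff.get("network.proxy.http") or ff.get("network.proxy.socks", "")
        if host:
            findings.append(_describe("Firefox", host))
    elif ptype == "2" and ff.get("network.proxy.autoconfig_url"):
        findings.append(f"Firefox: PAC script {ff['network.proxy.autoconfig_url']}")
    elif ptype == "5" and any(f.startswith("IE/WinINET") for f in findings):
        findings.append("Firefox: inherits the WinINET settings above")
    return findings


if __name__ == "__main__":
    for finding in audit_proxy(parse_reg_export(IE_REG_SAMPLE), parse_prefs_js(FF_PREFS_SAMPLE)):
        print(finding)
```

Collect the inputs as the affected user (the key is under HKCU, so it is per user) and copy `prefs.js` from the profile folder a ComboFix log names under `FF - ProfilePath`. This only tells you what is set now; a proxy that comes back after you clear it, as in the first post, means something still running re-writes these values, and that is what the later steps in this thread go after.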
LiquidCowBoy
July 18th, 2011 08:00
Hi Kevin
Thanks so much for taking the time to help, it's much appreciated!!
Here's the ComboFix log.
ComboFix 11-07-18.01 - ryan 07/18/2011 7:47.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3574.3091 [GMT -6:00]
Running from: c:\documents and settings\Ryan\Desktop\Gotcha.exe
AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\Ryan\LOCALS~1\Temp\Adobelm_Cleanup.0001.dir.0000\~de7b92.tmp
c:\docume~1\Ryan\LOCALS~1\Temp\Adobelm_Cleanup.0001.dir.0000\~df394b.tmp
c:\docume~1\Ryan\LOCALS~1\Temp\Adobelm_Cleanup.0001.dir.0001\~df394b.tmp
c:\documents and settings\Ryan\Local Settings\Temp\Adobelm_Cleanup.0001.dir.0000\~de7b92.tmp
c:\documents and settings\Ryan\Local Settings\Temp\Adobelm_Cleanup.0001.dir.0000\~df394b.tmp
c:\documents and settings\Ryan\Local Settings\Temp\Adobelm_Cleanup.0001.dir.0001\~df394b.tmp
C:\Microsoft
.
.
((((((((((((((((((((((((( Files Created from 2011-06-18 to 2011-07-18 )))))))))))))))))))))))))))))))
.
.
2011-07-18 13:32 . 2011-07-18 13:33 -------- d-----w- C:\Gotcha
2011-07-18 06:12 . 2011-07-18 06:12 -------- d-----w- c:\program files\CONEXANT
2011-07-18 06:12 . 2007-07-24 21:08 217088 ----a-r- c:\windows\system32\UCI32M21.dll
2011-07-18 06:12 . 2007-08-02 23:35 989952 ----a-r- c:\windows\system32\drivers\HSF_DPV.sys
2011-07-18 06:12 . 2007-08-02 23:34 211200 ----a-r- c:\windows\system32\drivers\HSFHWAZL.sys
2011-07-18 06:12 . 2007-08-02 23:34 731136 ----a-r- c:\windows\system32\drivers\HSF_CNXT.sys
2011-07-18 05:06 . 2011-07-18 05:06 388096 ----a-r- c:\documents and settings\Ryan\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-18 04:55 . 2011-07-18 04:55 -------- d-----w- c:\documents and settings\Ryan\Application Data\SUPERAntiSpyware.com
2011-07-18 04:55 . 2011-07-18 04:55 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-07-18 04:55 . 2011-07-18 04:55 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-07-17 20:36 . 2011-07-17 20:36 -------- d-----w- c:\program files\CleanMyPC
2011-07-17 20:34 . 2011-07-17 20:34 -------- d-sh--w- c:\documents and settings\Ryan\IECompatCache
2011-07-17 20:24 . 2011-07-17 20:29 21064 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-07-17 20:23 . 2011-07-17 20:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-07-17 16:57 . 2011-07-17 16:57 -------- d-----w- c:\documents and settings\Ryan\Application Data\Malwarebytes
2011-07-17 16:57 . 2011-07-17 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-07-17 16:57 . 2011-07-07 01:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-17 16:57 . 2011-07-17 16:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-17 16:57 . 2011-07-07 01:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-17 04:50 . 2011-07-17 05:48 97859 ----a-w- c:\windows\system32\drivers\klick.dat
2011-07-17 04:50 . 2011-07-17 05:48 115369 ----a-w- c:\windows\system32\drivers\klin.dat
2011-07-17 04:48 . 2011-07-18 13:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2011-07-17 04:48 . 2011-07-17 04:48 -------- d-----w- c:\program files\Kaspersky Lab
2011-07-17 04:47 . 2011-07-17 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2011-07-17 03:27 . 2011-07-17 03:27 -------- d-----w- c:\program files\Trend Micro
2011-07-17 03:18 . 2011-07-17 03:18 -------- d-----w- c:\windows\system32\wbem\Repository
2011-07-17 03:14 . 2011-07-17 03:16 -------- d-----w- c:\windows\system32\NtmsData
2011-07-15 14:58 . 2011-07-15 14:58 -------- d-----w- c:\documents and settings\Ryan\Application Data\GARMIN
2011-07-14 22:33 . 2011-07-14 22:33 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2011-07-14 22:01 . 2011-07-14 22:01 182272 ----a-w- c:\program files\Windows NT\dwm.exe
2011-07-14 22:00 . 2011-07-14 22:00 64000 --sha-r- c:\windows\system32\sti_cim.dll
2011-07-12 23:32 . 2008-04-13 17:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2011-07-12 23:32 . 2008-04-13 17:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-07-12 23:32 . 2001-08-18 04:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-07-12 23:32 . 2008-04-13 23:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-07-10 05:03 . 2011-07-10 05:03 -------- d-----w- c:\documents and settings\Ryan\Application Data\vlc
2011-07-10 04:59 . 2011-07-10 04:59 -------- d-----w- c:\program files\VideoLAN
2011-07-05 16:02 . 2011-07-05 16:02 -------- d-----w- c:\documents and settings\Ryan\Application Data\AdobeUM
2011-07-05 16:00 . 2011-07-05 16:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
2011-07-05 16:00 . 2011-07-05 16:00 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2011-07-05 13:07 . 2007-03-08 22:18 8320 ----a-w- c:\windows\system32\drivers\grmnusb.sys
2011-07-05 13:07 . 2007-03-08 22:18 18432 ----a-w- c:\windows\system32\drivers\grmngen.sys
2011-07-05 12:53 . 2011-07-17 03:18 -------- d-----w- C:\Garmin
2011-07-01 13:19 . 2011-07-01 13:19 -------- d-----w- c:\program files\Caminova
2011-06-29 16:47 . 2011-06-29 16:47 -------- d-----w- c:\documents and settings\Ryan\Application Data\deskPDF
2011-06-29 16:42 . 2009-01-12 19:45 20886 ----a-w- c:\windows\system32\ddmon.dll
2011-06-29 16:42 . 2011-06-29 16:48 -------- d-----w- c:\program files\Docudesk
2011-06-29 16:34 . 2011-06-29 16:34 -------- d-----w- c:\documents and settings\Ryan\Application Data\Smart PDF Converter
2011-06-29 16:34 . 2011-06-29 16:39 -------- d-----w- c:\program files\Smart PDF Converter
2011-06-29 14:06 . 2011-07-05 15:15 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\CutePDF Writer
2011-06-29 14:05 . 2011-06-29 14:05 -------- d-----w- c:\program files\GPLGS
2011-06-29 14:04 . 2009-11-05 14:39 87552 ----a-w- c:\windows\system32\cpwmon2k.dll
2011-06-29 14:04 . 2011-06-29 14:04 -------- d-----w- c:\program files\Acro Software
2011-06-28 18:20 . 2011-06-28 18:20 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\Apple
2011-06-28 18:20 . 2011-06-29 13:06 -------- d-----w- c:\windows\SxsCaPendDel
2011-06-28 16:23 . 2001-08-17 19:53 6784 -c--a-w- c:\windows\system32\dllcache\serscan.sys
2011-06-28 16:23 . 2001-08-17 19:53 6784 ----a-w- c:\windows\system32\drivers\serscan.sys
2011-06-28 16:23 . 2011-06-28 16:23 -------- d-----w- c:\documents and settings\Ryan\Application Data\HpUpdate
2011-06-28 16:22 . 2010-11-17 03:10 527208 ------w- c:\windows\system32\HPDiscoPM5312.dll
2011-06-28 16:22 . 2010-11-17 00:01 1792872 ----a-w- c:\windows\system32\HPScanMiniDrv_OJ8500_A910.dll
2011-06-28 16:22 . 2010-11-17 00:01 267112 ----a-w- c:\windows\system32\hpinksts5312LM.dll
2011-06-28 16:22 . 2010-11-17 00:01 232296 ----a-w- c:\windows\system32\hpinksts5312.dll
2011-06-28 16:22 . 2010-11-17 00:01 213864 ----a-w- c:\windows\system32\hpinkcoi5312.dll
2011-06-28 16:20 . 2011-06-28 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2011-06-28 16:20 . 2011-06-28 16:23 -------- d-----w- c:\program files\HP
2011-06-28 16:19 . 2011-06-28 16:24 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\HP
2011-06-27 22:06 . 2011-06-27 22:06 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\Mozilla
2011-06-27 21:18 . 2011-06-27 21:18 -------- d-----w- c:\windows\SchCache
2011-06-23 22:37 . 2011-06-23 22:37 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\Google
2011-06-23 20:15 . 2011-06-23 20:15 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\Help
2011-06-23 20:05 . 2011-06-30 13:37 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2011-06-23 20:04 . 2011-06-23 20:04 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\MapInfo
2011-06-23 20:04 . 2011-06-23 20:04 -------- d-----w- c:\documents and settings\Ryan\Application Data\MapInfo
2011-06-23 20:01 . 2011-06-23 19:57 4218880 ----a-w- c:\windows\system32\cdintf400.dll
2011-06-23 20:01 . 2011-06-23 20:01 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2011-06-23 19:59 . 2011-06-23 19:59 -------- d-----w- c:\windows\Crystal
2011-06-23 19:59 . 2011-06-23 19:59 -------- d-----w- c:\program files\Seagate Software
2011-06-23 19:59 . 2011-06-23 19:59 -------- d-----w- c:\program files\MapInfo
2011-06-23 19:59 . 2011-06-23 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\MapInfo
2011-06-23 19:30 . 2011-06-23 19:30 -------- d-----w- c:\windows\system32\XPSViewer
2011-06-23 19:30 . 2011-06-23 19:30 -------- d-----w- c:\program files\MSBuild
2011-06-23 19:30 . 2011-06-23 19:30 -------- d-----w- c:\program files\Reference Assemblies
2011-06-23 19:29 . 2011-07-01 14:59 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\Adobe
2011-06-23 19:29 . 2011-06-23 19:29 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\Temp
2011-06-23 19:29 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-06-23 19:29 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-06-23 19:29 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-06-23 19:29 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-06-23 19:29 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2011-06-23 19:29 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-06-23 19:29 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2011-06-23 19:29 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-06-23 19:29 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-06-23 19:29 . 2011-06-23 19:29 -------- d-----w- C:\bf9bf6b5da93fd5a3a720340155e79e9
2011-06-23 18:08 . 2011-07-15 00:13 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\RockWare
2011-06-21 14:29 . 2008-04-13 23:11 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2011-06-18 23:56 . 2011-06-23 19:25 -------- d-----w- c:\program files\MSECache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-11 02:02 . 2011-06-07 21:10 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02 . 2004-08-04 10:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-02 15:31 . 2010-06-11 20:34 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2004-08-04 10:00 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2004-08-04 10:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-26 11:07 . 2004-08-04 10:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-04-26 11:07 . 2004-08-04 10:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-04-25 16:11 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2004-08-04 10:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2004-08-04 10:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-07-08 07:16 . 2011-07-17 20:20 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-16 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-16 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-16 138008]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-10-12 304568]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe" [2010-11-03 365336]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-11 2150400]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 18:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 13:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2010-06-10 02:55 49208 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 23:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Registry Cleaner Scheduler]
2008-10-22 04:18 471650 ----a-w- c:\program files\CleanMyPC\Registry Cleaner\RCHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-06-30 13:50 2424192 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
.
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [7/14/2010 12:51 PM 65584]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [6/9/2010 4:43 PM 11352]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/12/2011 3:55 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 3:55 PM 67664]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [5/7/2010 11:06 AM 32856]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [11/2/2009 7:27 PM 19472]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/16/2011 11:07 AM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/16/2011 11:07 AM 136176]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-16 17:07]
.
2011-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-16 17:07]
.
.
------- Supplementary Scan -------
.
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 206.123.202.145
FF - ProfilePath - c:\documents and settings\Ryan\Application Data\Mozilla\Firefox\Profiles\9h1uw1cf.default\
FF - prefs.js: browser.startup.homepage - www.google.com|www.gmail.com
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-18 07:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1416)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\documents and settings\Ryan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\documents and settings\Ryan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
c:\documents and settings\Ryan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
c:\documents and settings\Ryan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10007.dll
.
- - - - - - - > 'explorer.exe'(2996)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\system32\rundll32.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\SigmaTel\C-Major Audio\WDM\StacSV.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\stsystra.exe
c:\program files\Citrix\ICA Client\wfcrun32.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
.
**************************************************************************
.
Completion time: 2011-07-18 08:02:36 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-18 14:02
.
Pre-Run: 93,832,441,856 bytes free
Post-Run: 94,923,776,000 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 6E9DE812F2D430B95FE8319DF1ECB08A
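Added example, not from the thread or from any of the tools named in it: a small Python triage pass over lines in the ComboFix/DDS format pasted above. It pulls out what a responder checks first on a search-redirect case: a browser proxy (above all one pointing at 127.0.0.1), a resolver that is not the expected one, security products or the firewall switched off, a Windows binary name sitting in a non-standard directory, and files dropped within minutes of it. SAMPLE_LOG is constructed from lines in this thread plus one constructed IE ProxyServer line (the post says the browser was being forced through a proxy, but the pasted logs were taken after it was switched off, so no such line appears in them); EXPECTED_DIR, the kind names and the severities are this example's own assumptions.

```python
"""Triage of ComboFix/DDS-style log lines for a search-redirect case."""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample: lines in the format of the logs above, plus one
# constructed IE ProxyServer line (the pasted logs do not contain one).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
uInternet Settings,ProxyServer = http=127.0.0.1:50370
TCP: NameServer = 206.123.202.145
FF - prefs.js: network.proxy.type - 0
2011-07-14 22:01:30 182272 ----a-w- c:\program files\windows nt\dwm.exe
2011-07-14 22:00:16 64000 --sha-r- c:\windows\system32\sti_cim.dll
2011-07-18 13:34:27 98816 ----a-w- c:\windows\sed.exe
"""

# Assumption for this example: where a default install keeps these binaries.
EXPECTED_DIR = {
    "dwm.exe": r"c:\windows\system32", "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32", "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32", "explorer.exe": r"c:\windows",
}
# "Created Last 60" entries: timestamp, size (or dashes), 8-char attrs, path
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?:\d+|-+)\s+([-a-z]{8})\s+(.+)$")
NEAR_WINDOW = timedelta(minutes=5)


def _split_path(path):
    directory, _, name = path.lower().rpartition("\\")
    return directory, name


def triage(log_text):
    """Return findings as (severity, kind, detail); severity is high or review."""
    findings, section, created = [], "", []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("[") and line.endswith("]"):   # registry key header
            section = line[1:-1]
            continue
        m = re.match(r'"DisableMonitoring"=dword:([0-9a-fA-F]+)', line)
        if m and int(m.group(1), 16):
            # Third-party AV often sets this itself, so it is a review item.
            findings.append(("review", "secctr_disabled",
                             "Security Center not monitoring " + section.rsplit("\\", 1)[-1]))
        elif re.match(r'"EnableFirewall"=\s*0\b', line):
            findings.append(("review", "firewall_off", "firewall off in " + section))
        elif (m := re.match(r"AV:\s*(.+?)\s*\*([^*]+)\*", line)) and "disabled" in m.group(2).lower():
            findings.append(("high", "av_disabled", f"{m.group(1)} is {m.group(2)}"))
        elif m := re.search(r"ProxyServer\s*=\s*(\S+)", line):
            # A proxy on the loopback address is the classic redirect hook.
            local = "127.0.0.1" in m.group(1) or "localhost" in m.group(1)
            findings.append(("high" if local else "review", "proxy", "IE proxy " + m.group(1)))
        elif (m := re.search(r"network\.proxy\.type\s*-\s*(\d+)", line)) and int(m.group(1)):
            findings.append(("high", "proxy", "Firefox proxy type " + m.group(1)))
        elif m := re.search(r"NameServer\s*=\s*([\d.]+)", line):
            ip = ipaddress.ip_address(m.group(1).rstrip("."))
            if not (ip.is_private or ip.is_loopback):
                findings.append(("review", "public_dns",
                                 f"resolver {ip} is public; confirm it is the expected one"))
        elif m := CREATED_RE.match(line):
            created.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                            m.group(2), m.group(3)))

    suspects = []
    for ts, attrs, path in created:
        directory, name = _split_path(path)
        expected = EXPECTED_DIR.get(name)
        if expected and directory != expected:
            findings.append(("high", "misplaced_binary", f"{name} in {directory}, expected {expected}"))
            suspects.append((ts, path))
        elif "s" in attrs and "h" in attrs and directory == r"c:\windows\system32":
            findings.append(("review", "hidden_system_file", "system+hidden file in system32: " + path))
    # Files created within minutes of a misplaced binary were likely dropped
    # by the same installer; list them for review rather than judging them.
    for sts, spath in suspects:
        for ts, _, path in created:
            if path != spath and abs(ts - sts) <= NEAR_WINDOW:
                findings.append(("review", "created_near", f"{path} created {abs(ts - sts)} from {spath}"))
    return findings


if __name__ == "__main__":
    for sev, kind, detail in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {kind}: {detail}")
```

Two caveats the severities encode: a third-party AV product commonly sets Security Center's DisableMonitoring flag on its own, and a public resolver handed out by DHCP is normal for an ISP connection, so both are "review" items to compare against what the machine is supposed to have rather than findings on their own. A proxy on 127.0.0.1, a disabled AV, and a system-binary name under a directory like "Program Files\Windows NT" are the ones worth acting on first.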
kevinf80_1d0ac6
1.1K Posts
0
July 18th, 2011 13:00
Can you uninstall the following via Start > Control Panel > Add/Remove Programs :-
Step 1
SUPERAntiSpyware
Hitman
CleanMyPCRegistry
Step 2
Run ESET Online Scan
You can refer to this animation by neomage if needed.
Frequently asked questions available Here. Please read them before running the scan.
Also be aware this scan can take between one and several hours to complete depending on the size of your system.
ESET log can be found here "C:\Program Files\ESET\EsetOnlineScanner\log.txt".
Step 3
We need to see some additional information about what is happening in your machine.
Please perform the following scan:
2. Attach.txt
Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE
What I'd like in your reply :-
Kevin
LiquidCowBoy
8 Posts
0
July 18th, 2011 21:00
Hi Kevin,
Here are the logs as requested. The ESET found 2 or 3 trojans the other programs missed.
ESET LOG:
C:\Program Files\Windows NT\dwm.exe a variant of Win32/Kryptik.QJC trojan
C:\System Volume Information\_restore{CDFB9338-CDE6-4BDE-AB73-0D25B01B60CB}\RP4\A0000089.exe Win32/Cycbot.AH.Gen trojan
C:\System Volume Information\_restore{CDFB9338-CDE6-4BDE-AB73-0D25B01B60CB}\RP4\A0000102.exe a variant of Win32/Kryptik.QJC trojan
DDS.txt
DDS (Ver_2011-07-14.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by ryan at 21:49:56 on 2011-07-18
#Option Extended Search is enabled.
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3574.2419 [GMT -6:00]
.
AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
============== Running Processes ================
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} -
BHO: AcroIEHlprObj Class: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\ievkbd.dll
BHO: AcroIEToolbarHelper Class: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: FilterBHO Class: {E33CF602-D945-461A-83F0-819F76A199F8} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2011\avp.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 206.123.202.145
TCP: Interfaces\{6B5E5841-1BE7-4215-80AE-54B17D1392C5} : DHCPNameServer = 206.123.202.145
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Handler: ipp -
Handler: msdaipp -
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\program files\outlook express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
mASetup: {7790769C-0471-11d2-AF11-00C04FA35D02} - "c:\program files\outlook express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
IFEO: Your Image File Name Here without a path - ntsd -d
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\ryan\application data\mozilla\firefox\profiles\9h1uw1cf.default\
FF - prefs.js: browser.startup.homepage - www.google.com|www.gmail.com
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll
.
============= SERVICES / DRIVERS ===============
.
R0 KL1;kl1;c:\windows\system32\drivers\kl1.sys [2010-6-9 132184]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2010-7-14 65584]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2010-6-9 11352]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2011-7-16 475736]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2010-5-7 32856]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-11-2 19472]
S2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky anti-virus 2011\avp.exe [2010-11-2 365336]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-6-16 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-6-16 136176]
.
=============== Created Last 60 ================
.
2011-07-18 19:18:50 -------- d-----w- c:\program files\ESET
2011-07-18 13:42:34 -------- d-sha-r- C:\cmdcons
2011-07-18 13:34:27 98816 ----a-w- c:\windows\sed.exe
2011-07-18 13:34:27 208896 ----a-w- c:\windows\MBR.exe
2011-07-18 13:32:40 -------- d-----w- C:\Gotcha
2011-07-18 06:12:54 217088 ----a-r- c:\windows\system32\UCI32M21.dll
2011-07-18 06:12:54 -------- d-----w- c:\program files\CONEXANT
2011-07-18 06:12:53 989952 ----a-r- c:\windows\system32\drivers\HSF_DPV.sys
2011-07-18 06:12:53 731136 ----a-r- c:\windows\system32\drivers\HSF_CNXT.sys
2011-07-18 06:12:53 211200 ----a-r- c:\windows\system32\drivers\HSFHWAZL.sys
2011-07-18 05:06:43 388096 ----a-r- c:\documents and settings\ryan\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-07-18 04:55:23 -------- d-----w- c:\documents and settings\ryan\application data\SUPERAntiSpyware.com
2011-07-18 04:55:23 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-07-17 20:36:43 -------- d-----w- c:\program files\CleanMyPC
2011-07-17 20:34:45 -------- d-sh--w- c:\documents and settings\ryan\IECompatCache
2011-07-17 20:23:44 -------- d-----w- c:\documents and settings\all users\application data\Hitman Pro
2011-07-17 16:57:49 -------- d-----w- c:\documents and settings\ryan\application data\Malwarebytes
2011-07-17 16:57:41 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-17 16:57:41 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-07-17 16:57:37 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-17 16:57:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-17 04:50:33 150200 ----a-w- c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru_bak\components\kavlinkfilter.dll
2011-07-17 04:50:15 97859 ----a-w- c:\windows\system32\drivers\klick.dat
2011-07-17 04:50:15 115369 ----a-w- c:\windows\system32\drivers\klin.dat
2011-07-17 04:48:41 -------- d-----w- c:\program files\Kaspersky Lab
2011-07-17 04:48:41 -------- d-----w- c:\documents and settings\all users\application data\Kaspersky Lab
2011-07-17 04:47:06 -------- d-----w- c:\documents and settings\all users\application data\Kaspersky Lab Setup Files
2011-07-17 03:27:23 -------- d-----w- c:\program files\Trend Micro
2011-07-17 03:18:24 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-07-17 03:18:24 -------- d-----w- c:\windows\system32\wbem\Repository
2011-07-17 03:14:57 -------- d-----w- c:\windows\system32\NtmsData
2011-07-15 14:58:54 -------- d-----w- c:\documents and settings\ryan\application data\GARMIN
2011-07-14 22:01:30 182272 ----a-w- c:\program files\windows nt\dwm.exe
2011-07-14 22:00:16 64000 --sha-r- c:\windows\system32\sti_cim.dll
2011-07-12 23:32:08 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-07-12 23:32:08 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2011-07-12 23:32:08 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-07-12 23:32:07 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-07-10 04:59:45 -------- d-----w- c:\program files\VideoLAN
2011-07-05 16:00:32 -------- d-----w- c:\program files\common files\Adobe Systems Shared
2011-07-05 13:07:13 9344 ----a-w- c:\windows\system32\drivers\grmnusb.sys
2011-07-05 13:07:13 18304 ----a-w- c:\windows\system32\drivers\grmngen.sys
2011-07-05 12:53:56 -------- d-----w- C:\Garmin
2011-07-01 13:19:32 1680272 ----a-w- c:\program files\mozilla firefox\plugins\npdjvu.dll
2011-07-01 13:19:31 -------- d-----w- c:\program files\Caminova
2011-06-29 16:47:38 -------- d-----w- c:\documents and settings\ryan\application data\deskPDF
2011-06-29 16:42:25 20886 ----a-w- c:\windows\system32\ddmon.dll
2011-06-29 16:42:03 -------- d-----w- c:\program files\Docudesk
2011-06-29 16:34:53 -------- d-----w- c:\documents and settings\ryan\application data\Smart PDF Converter
2011-06-29 16:34:44 -------- d-----w- c:\program files\Smart PDF Converter
2011-06-29 14:06:10 -------- d-----w- c:\documents and settings\ryan\local settings\application data\CutePDF Writer
2011-06-29 14:05:09 -------- d-----w- c:\program files\GPLGS
2011-06-29 14:04:51 87552 ----a-w- c:\windows\system32\cpwmon2k.dll
2011-06-29 14:04:43 -------- d-----w- c:\program files\Acro Software
2011-06-28 18:20:58 -------- d-----w- c:\documents and settings\ryan\local settings\application data\Apple
2011-06-28 18:20:41 -------- d-----w- c:\windows\system32\appmgmt
2011-06-28 18:20:40 -------- d-----w- c:\windows\SxsCaPendDel
2011-06-28 18:17:50 -------- d-----w- c:\windows\pss
2011-06-28 16:23:28 6784 -c--a-w- c:\windows\system32\dllcache\serscan.sys
2011-06-28 16:23:28 6784 ----a-w- c:\windows\system32\drivers\serscan.sys
2011-06-28 16:23:02 -------- d-----w- c:\documents and settings\ryan\application data\HpUpdate
2011-06-28 16:22:25 527208 ------w- c:\windows\system32\HPDiscoPM5312.dll
2011-06-28 16:22:21 1792872 ----a-w- c:\windows\system32\HPScanMiniDrv_OJ8500_A910.dll
2011-06-28 16:22:19 267112 ----a-w- c:\windows\system32\hpinksts5312LM.dll
2011-06-28 16:22:19 232296 ----a-w- c:\windows\system32\hpinksts5312.dll
2011-06-28 16:22:19 213864 ----a-w- c:\windows\system32\hpinkcoi5312.dll
2011-06-28 16:20:14 -------- d-----w- c:\program files\HP
2011-06-28 16:19:21 -------- d-----w- c:\documents and settings\ryan\local settings\application data\HP
2011-06-27 22:06:55 -------- d-----w- c:\documents and settings\ryan\local settings\application data\Mozilla
2011-06-27 21:18:15 -------- d-----w- c:\windows\SchCache
2011-06-23 22:37:09 -------- d-----w- c:\documents and settings\ryan\local settings\application data\Google
2011-06-23 20:15:14 -------- d-----w- c:\documents and settings\ryan\local settings\application data\Help
2011-06-23 20:04:48 -------- d-----w- c:\documents and settings\ryan\local settings\application data\MapInfo
2011-06-23 20:04:48 -------- d-----w- c:\documents and settings\ryan\application data\MapInfo
2011-06-23 20:01:23 4218880 ----a-w- c:\windows\system32\cdintf400.dll
2011-06-23 20:01:11 -------- d-----w- c:\program files\common files\Macrovision Shared
2011-06-23 19:59:46 -------- d-----w- c:\windows\Crystal
2011-06-23 19:59:46 -------- d-----w- c:\program files\Seagate Software
2011-06-23 19:59:46 -------- d-----w- c:\program files\MapInfo
2011-06-23 19:59:46 -------- d-----w- c:\documents and settings\all users\application data\MapInfo
2011-06-23 19:30:22 -------- d-----w- c:\windows\system32\XPSViewer
2011-06-23 19:29:56 -------- d-----w- c:\documents and settings\ryan\local settings\application data\Temp
2011-06-23 19:29:56 -------- d-----w- c:\documents and settings\ryan\local settings\application data\Adobe
2011-06-23 19:29:47 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-06-23 19:29:27 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-06-23 19:29:27 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-06-23 19:29:27 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-06-23 19:29:27 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-06-23 19:29:27 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-06-23 19:29:27 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2011-06-23 19:29:27 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-06-23 19:29:27 117760 ------w- c:\windows\system32\prntvpt.dll
2011-06-23 19:29:26 -------- d-----w- C:\bf9bf6b5da93fd5a3a720340155e79e9
2011-06-23 18:08:12 -------- d-----w- c:\documents and settings\ryan\local settings\application data\RockWare
2011-06-21 14:29:29 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2011-06-18 23:56:23 -------- d-----w- c:\program files\MSECache
2011-06-17 15:38:01 -------- d-----w- c:\program files\RockWare
2011-06-17 13:08:18 -------- d-sh--w- c:\documents and settings\ryan\PrivacIE
2011-06-17 13:07:06 -------- d-----w- c:\documents and settings\ryan\application data\ICAClient
2011-06-17 13:07:01 -------- d-----w- c:\documents and settings\ryan\local settings\application data\Citrix
2011-06-17 13:07:01 -------- d-----w- c:\documents and settings\ryan\local settings\application data\Apple Computer
2011-06-17 13:07:00 -------- d-----w- c:\documents and settings\ryan\local settings\application data\Toshiba
2011-06-16 17:06:40 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2011-06-16 17:06:40 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2011-06-16 17:06:38 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2011-06-16 17:06:38 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-06-16 17:06:35 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2011-06-16 17:06:35 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2011-06-16 17:06:29 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2011-06-16 17:06:29 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2011-06-16 17:06:24 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2011-06-16 17:06:24 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-06-16 13:38:39 -------- d-----w- c:\documents and settings\all users\application data\Citrix
2011-06-16 13:38:13 -------- d-----w- c:\program files\Citrix
2011-06-15 07:59:24 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-06-14 20:08:50 -------- d-----w- c:\program files\Yahoo!
2011-06-14 20:01:19 28552 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\mdippr.dll
2011-06-14 20:01:19 28040 ----a-w- c:\windows\system32\mdimon.dll
2011-06-14 20:00:38 -------- d-----w- c:\program files\Microsoft ActiveSync
2011-06-14 19:59:29 -------- d-----w- c:\windows\SHELLNEW
2011-06-07 21:10:53 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-06 18:55:30 183696 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find6M ====================
.
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-26 11:07:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-04-26 11:07:50 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11:11 43520 ------w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-04-06 22:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 22:20:16 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 22:20:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 22:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-02-17 13:18:03 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-16 13:22:48 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
============= FINISH: 21:50:08.73 ===============
ATTACH.TXT
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-07-14.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 6/11/2010 2:40:24 PM
System Uptime: 7/18/2011 8:40:59 PM (1 hours ago)
.
Motherboard: Dell Inc. | | 0HN341
Processor: Intel(R) Core(TM)2 Duo CPU T7100 @ 1.80GHz | Microprocessor | 1795/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 112 GiB total, 88.422 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Biometric Coprocessor
Device ID: USB\VID_0483&PID_2016\5&1F158A8D&0&2
Manufacturer:
Name: Biometric Coprocessor
PNP Device ID: USB\VID_0483&PID_2016\5&1F158A8D&0&2
Service:
.
==== System Restore Points ===================
.
RP1: 7/15/2011 7:49:14 AM - System Checkpoint
RP2: 7/15/2011 9:18:32 AM - Unsigned driver install
RP3: 7/16/2011 8:47:58 PM - System Checkpoint
RP4: 7/16/2011 9:17:36 PM - Restore Operation
RP5: 7/16/2011 9:27:20 PM - Installed HiJackThis
RP6: 7/16/2011 10:01:04 PM - Removed HiJackThis
RP7: 7/16/2011 10:48:25 PM - Installed Kaspersky Anti-Virus 2011.
RP8: 7/17/2011 11:06:38 PM - Installed HiJackThis
.
==== Installed Programs ======================
.
Adobe Acrobat 7.0 Professional
Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Drive CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Linguistics CS4
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Photoshop Lightroom 3.2
Adobe Reader X (10.1.0)
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Bluetooth Stack for Windows by Toshiba
Bonjour
Broadcom Gigabit Integrated Controller
Citrix online plug-in - web
Citrix online plug-in (DV)
Citrix online plug-in (HDX)
Citrix online plug-in (USB)
Citrix online plug-in (Web)
Compatibility Pack for the 2007 Office system
Conexant HDA D330 MDC V.92 Modem
Connect
CutePDF Writer 2.8
Dell Resource CD
Document Express DjVu Plug-in
ESET Online Scanner v3
Garmin TOPO U.S. 2008
Google Earth
Google Update Helper
High Definition Audio Driver Package - KB835221
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB981793)
HP Officejet Pro 8500 A910 Basic Device Software
HP Officejet Pro 8500 A910 Help
HP Update
Intel(R) Graphics Media Accelerator Driver
Intel(R) PROSet/Wireless Software
Kaspersky Anti-Virus 2011
kuler
Malwarebytes' Anti-Malware version 1.51.1.1800
MapInfo Professional 10.5
mCore
mDriver
mDrWiFi
mHlpDell
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office Access database engine 2007 (English)
Microsoft Office File Validation Add-In
Microsoft Office Professional Edition 2003
Microsoft Silverlight
mIWA
mLogView
mMHouse
Mozilla Firefox 5.0.1 (x86 en-US)
mPfMgr
mPfWiz
mProSafe
mSCfg
mSSO
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
mWlsSafe
mWMI
mZConfig
OZ776 SCR Driver V1.1.3.9
PDF Settings CS4
Photoshop Camera Raw
PowerDVD
QuickTime
RockWorks 15
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982381)
Security Update for Windows XP (KB982665)
SigmaTel Audio
Suite Shared Configuration CS4
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VLC media player 1.1.1
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 8
Windows XP Service Pack 3
WinRAR archiver
.
==== Event Viewer Messages From Past Week ========
.
7/18/2011 8:41:38 PM, error: Dhcp [1002] - The IP address lease 192.168.1.101 for the Network Card with network address 0019B9890BA3 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
7/17/2011 2:35:22 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
7/17/2011 12:36:08 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
7/17/2011 12:34:53 AM, error: DCOM [10000] - Unable to start a DCOM Server: {1F87137D-0E7C-44D5-8C73-4EFFB68962F2}. The error: "%193" Happened while starting this command: C:\WINDOWS\system32\wbem\wmiprvse.exe -secured -Embedding
7/17/2011 1:53:11 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
7/17/2011 1:32:27 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ctxusbm Fips intelppm KLIF Tosrfcom
7/17/2011 1:31:16 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
7/12/2011 4:53:33 PM, error: Dhcp [1002] - The IP address lease 192.168.1.102 for the Network Card with network address 0019B9890BA3 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
7/12/2011 2:41:00 PM, error: NETLOGON [5719] - No Domain Controller is available for domain LEIDICH due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
.
==== End Of File ===========================
Again this morning pages were still being redirected to one site (earthonlyone - or something like that). It never loads and most of the time if I try the links again a few times it will eventually go to the correct site. Otherwise, I've noticed no other oddities.
cheers~
ryan
kevinf80_1d0ac6
1.1K Posts
0
July 19th, 2011 00:00
Hiya Ryan,
Continue as follows please :-
Step 1
Upload a File to Virustotal
Please visit Virustotal
Step 2
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
-------------------------------------------------------------------------------
:dir
C:\Program Files\Windows NT /s
-------------------------------------------------------------------------------
Note: The log can also be found on your Desktop entitled SystemLook.txt
Let me see the results from VirusTotal and the log from System Look...
Thanks,
Kevin
LiquidCowBoy
8 Posts
0
July 19th, 2011 07:00
G'day Kevin,
Here are the results from the VirusTotal scan of dwm.exe. It didn't look so good, lots of red and 'trojan' :/
File name:
dwm.exe
Submission date:
2011-07-19 13:28:05 (UTC)
Current status:
finished
Result:
26/43 (60.5%)
Antivirus Version Last Update Result
AhnLab-V3 2011.07.19.02 2011.07.19 Backdoor/Win32.Gbot
AntiVir 7.11.11.228 2011.07.19 TR/Crypt.EPACK.Gen2
Antiy-AVL 2.0.3.7 2011.07.15 -
Avast 4.8.1351.0 2011.07.19 -
Avast5 5.0.677.0 2011.07.19 Win32:Cycbot-HJ [Trj]
AVG 10.0.0.1190 2011.07.19 BackDoor.Generic14.JBR
BitDefender 7.2 2011.07.19 Gen:Variant.Kazy.30967
CAT-QuickHeal 11.00 2011.07.19 (Suspicious) - DNAScan
ClamAV 0.97.0.0 2011.07.19 -
Commtouch 5.3.2.6 2011.07.19 -
Comodo 9436 2011.07.19 -
DrWeb 5.0.2.03300 2011.07.19 Trojan.DownLoader4.12898
Emsisoft 5.1.0.8 2011.07.19 Trojan.Win32.Menti.hdsi!A2
eSafe 7.0.17.0 2011.07.19 -
eTrust-Vet 36.1.8452 2011.07.19 Win32/FakeAlert.J!generic
F-Prot 4.6.2.117 2011.07.19 -
F-Secure 9.0.16440.0 2011.07.19 Gen:Variant.Kazy.30967
Fortinet 4.2.257.0 2011.07.19 W32/Kryptik.POT!tr
GData 22 2011.07.19 Gen:Variant.Kazy.30967
Ikarus T3.1.1.104.0 2011.07.19 -
Jiangmin 13.0.900 2011.07.18 Trojan/Menti.dmq
K7AntiVirus 9.108.4919 2011.07.18 -
Kaspersky 9.0.0.837 2011.07.19 HEUR:Trojan.Win32.Generic
McAfee 5.400.0.1158 2011.07.19 BackDoor-EXI.gen.k
McAfee-GW-Edition 2010.1D 2011.07.19 BackDoor-EXI.gen.k
Microsoft 1.7000 2011.07.19 Backdoor:Win32/Cycbot.B
NOD32 6307 2011.07.19 a variant of Win32/Kryptik.QJC
Norman 6.07.10 2011.07.18 -
nProtect 2011-07-19.01 2011.07.19 Gen:Variant.Kazy.30967
Panda 10.0.3.5 2011.07.19 Suspicious file
PCTools 8.0.0.5 2011.07.13 -
Prevx 3.0 2011.07.19 -
Rising 23.67.01.05 2011.07.19 -
Sophos 4.67.0 2011.07.19 Troj/FakeAV-EFL
SUPERAntiSpyware 4.40.0.1006 2011.07.19 Trojan.Agent/Gen-Backdoor
Symantec 20111.1.0.186 2011.07.19 Trojan.Gen.2
TheHacker 6.7.0.1.257 2011.07.18 -
TrendMicro 9.200.0.1012 2011.07.19 BKDR_CYCBOT.SME3
TrendMicro-HouseCall 9.200.0.101 2011.07.19 BKDR_CYCBOT.SME3
VBA32 3.12.16.4 2011.07.19 -
VIPRE 9902 2011.07.19 Trojan.Win32.Generic!BT
ViRobot 2011.7.19.4577 2011.07.19 -
VirusBuster 14.0.129.0 2011.07.18 -
Additional information
MD5 : 49d3eedb5421352e895ad43b24df23cd
SHA1 : 58870855aaff44297463683c4bfc3cf83009b17b
SHA256: c136596178ed53f8dd8c7c72ca280c964b95965fda7c1265950ca95fef9a59f2
As for the SystemLook, I downloaded it and hit run and was stopped by an error message "Script Required" thus no results. I tried both mirror sites and ended up with the same result.
Thanks =D
ryan
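An added example, not part of the original thread and not code from either poster or from VirusTotal: when you are working from a report someone else submitted, the first thing to confirm is that the file on disk is the same sample, so the script below hashes a file with MD5/SHA-1/SHA-256 and compares all three against the hashes printed in the report, then parses rows in the report's "Antivirus Version Last Update Result" layout to reproduce the detection ratio and list which vendors put a given family name on the file. SAMPLE_BYTES is a constructed stand-in for dwm.exe and VT_ROWS is a constructed excerpt (a handful of vendors copied in the report's layout, so its ratio is not 26/43); REPORT_HASHES are the three hashes shown in the report above.

```python
"""Verify a suspect file against a VirusTotal report and reproduce the
detection ratio from a pasted result table.

Added example for this thread; not code from the original posts or from
VirusTotal.  SAMPLE_BYTES is a constructed stand-in for the submitted
dwm.exe, VT_ROWS is a constructed excerpt in the report's row layout, and
REPORT_HASHES are the three hashes printed in the report.
"""
import hashlib
import re
from dataclasses import dataclass

REPORT_HASHES = {
    "md5": "49d3eedb5421352e895ad43b24df23cd",
    "sha1": "58870855aaff44297463683c4bfc3cf83009b17b",
    "sha256": "c136596178ed53f8dd8c7c72ca280c964b95965fda7c1265950ca95fef9a59f2",
}

# Constructed stand-in; a real check reads the file from disk instead:
#   data = open(r"C:\Program Files\Windows NT\dwm.exe", "rb").read()
SAMPLE_BYTES = b"MZ" + b"\x00" * 62 + b"constructed stand-in, not the real sample"

# Constructed excerpt in the "Antivirus Version Last-Update Result" layout;
# a lone "-" in the result column means the vendor reported nothing.
VT_ROWS = """\
AhnLab-V3 2011.07.19.02 2011.07.19 Backdoor/Win32.Gbot
Antiy-AVL 2.0.3.7 2011.07.15 -
Avast5 5.0.677.0 2011.07.19 Win32:Cycbot-HJ [Trj]
ClamAV 0.97.0.0 2011.07.19 -
Microsoft 1.7000 2011.07.19 Backdoor:Win32/Cycbot.B
NOD32 6307 2011.07.19 a variant of Win32/Kryptik.QJC
TrendMicro 9.200.0.1012 2011.07.19 BKDR_CYCBOT.SME3
"""

# vendor, engine version, signature date (YYYY.MM.DD), then free-text result
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+)$")


@dataclass
class Detection:
    vendor: str
    version: str
    updated: str
    result: str  # "" when the vendor reported no detection

    @property
    def hit(self) -> bool:
        return self.result != ""


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of the bytes as lower-case hex, like the report."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_report(data: bytes, report: dict) -> bool:
    """True only if every hash in the report agrees with the local file.

    Checking all three guards against reading a report for a different
    file (or a later variant with the same name and path).
    """
    local = file_hashes(data)
    return all(local[algo] == digest.lower() for algo, digest in report.items())


def parse_vt_rows(text: str) -> list:
    """Turn pasted report rows into Detection records; skip anything else."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header, blank line, or a row in another format
        vendor, version, updated, result = m.groups()
        result = "" if result.strip() == "-" else result.strip()
        rows.append(Detection(vendor, version, updated, result))
    return rows


def detection_ratio(rows: list) -> tuple:
    """(hits, total, percent) in the shape of the report's summary line."""
    hits = sum(1 for r in rows if r.hit)
    percent = round(100.0 * hits / len(rows), 1) if rows else 0.0
    return hits, len(rows), percent


def vendors_naming(rows: list, keyword: str) -> list:
    """Vendors whose result string mentions the keyword (case-insensitive)."""
    k = keyword.lower()
    return sorted(r.vendor for r in rows if k in r.result.lower())


if __name__ == "__main__":
    rows = parse_vt_rows(VT_ROWS)
    hits, total, pct = detection_ratio(rows)
    print(f"detections: {hits}/{total} ({pct}%)")
    print("vendors naming Cycbot:", vendors_naming(rows, "cycbot"))
    print("local file matches report:", matches_report(SAMPLE_BYTES, REPORT_HASHES))
```

Pasting the full 43-row table from the post into VT_ROWS reproduces the 26/43 (60.5%) summary line; the hash check is deliberately strict (all three must agree) because a file at the same path after a reboot can be a freshly dropped variant rather than the one that was submitted.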
kevinf80_1d0ac6
1.1K Posts
0
July 19th, 2011 14:00
Continue as follows :-
Step 1
Please download OTM by OldTimer.
Alternative Mirror 1
Alternative Mirror 2
Save it to your desktop.
Double click OTM.exe to start the tool. Vista or Windows 7 users right click and select Run as Administrator
-------------------------------------------------------------------
:Services
:Files
ipconfig /flushdns /c
C:\Program Files\Windows NT\dwm.exe
:Commands
[EmptyFlash]
[EmptyTemp]
[ResetHosts]
[ClearAllRestorePoints]
---------------------------------------------------------------------
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
If the machine reboots, the Results log can be found here:
c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log
Where mmddyyyy_hhmmss is the date of the tool run.
Step 2
Please download Malwarebytes Anti-Malware and save it to your desktop.
Alternative D/L mirror
Alternative D/L mirror
Double Click mbam-setup.exe to install the application.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Let me see the logs from OTM and Malwarebytes, also give update on issues/concerns...
Kevin
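An added example, not part of the original thread and not code from Kevin, Ryan or the OTM tool: the [ResetHosts] command in the script above replaces the hosts file wholesale, which fixes the problem but throws away the evidence of what the infection had pinned. The Python script below audits a hosts file first, separating the stock localhost mappings from custom entries and flagging names on a watch-list that are sinkholed to a loopback or 0.0.0.0 address (security vendors' update hosts blocked) or pointed at some other address (redirected). SAMPLE_HOSTS is constructed for the demonstration, and WATCHED_SUFFIXES is a hypothetical watch-list, not a list from any vendor.

```python
"""Audit a Windows hosts file for hijack entries before it is reset.

Added example for this thread; not code from the original posts or from
OTM.  SAMPLE_HOSTS is constructed for the demonstration and
WATCHED_SUFFIXES is a hypothetical watch-list.
"""
import ipaddress
from dataclasses import dataclass

# The only mappings a stock hosts file needs (comment lines aside).
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Hypothetical watch-list: update and download hosts that malware pins to a
# bogus address so security tools cannot update or reach their vendors.
WATCHED_SUFFIXES = (
    "kaspersky.com",
    "malwarebytes.org",
    "microsoft.com",
    "virustotal.com",
)

# Constructed sample; a real run reads
#   C:\WINDOWS\System32\drivers\etc\hosts
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       www.kaspersky.com
127.0.0.1       malwarebytes.org        # added by malware
192.168.1.10    printer.local
0.0.0.0         update.microsoft.com
203.0.113.7     www.virustotal.com
"""


@dataclass
class Finding:
    line_no: int
    address: str
    hostname: str
    verdict: str  # "default" | "custom" | "blocked" | "redirected" | "malformed"

    @property
    def suspicious(self) -> bool:
        return self.verdict in ("blocked", "redirected")


def _watched(hostname: str) -> bool:
    """True if the name is a watch-listed domain or a host beneath one."""
    h = hostname.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in WATCHED_SUFFIXES)


def _is_sinkhole(addr) -> bool:
    # 127.0.0.0/8, ::1 and 0.0.0.0 all make the name unreachable.
    return addr.is_loopback or addr.is_unspecified


def audit_hosts(text: str) -> list:
    """Classify every address/hostname pair in a hosts file."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append(Finding(line_no, fields[0], " ".join(fields[1:]), "malformed"))
            continue
        for host in fields[1:]:  # one address may carry several names
            if (str(addr), host.lower()) in DEFAULT_ENTRIES:
                verdict = "default"
            elif _watched(host):
                verdict = "blocked" if _is_sinkhole(addr) else "redirected"
            else:
                verdict = "custom"  # legitimate overrides land here; review by hand
            findings.append(Finding(line_no, str(addr), host, verdict))
    return findings


def suspicious_entries(text: str) -> list:
    """Only the findings a cleanup should remove (or investigate)."""
    return [f for f in audit_hosts(text) if f.suspicious]


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.address:<15} {f.hostname:<25} {f.verdict}")
```

A "redirected" verdict is the more serious one: a watch-listed name mapped to a routable address means any update or download from that vendor could be served by whoever controls that address, whereas a "blocked" entry only stops the tool from updating. Either way, record the entries before running a reset so the log shows what the infection had changed.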
LiquidCowBoy
8 Posts
0
July 20th, 2011 00:00
Howdy Kevin.
Just got in from work, a looong day out in the field. Anyways, the logs are attached. It seems the Kaspersky AV found a trojan in the dwm.exe file and deleted it... not sure if that's a problem or not, however from the looks of a previous scan you had me do, it showed quite a few nasty things in it.
Rerunning Malwarebytes (had previously run it before searching for help) found Trojan.Agent.GGE as shown by the log.
I've been working late and have been away from my computer, so I'm not sure how the hijacked search results are faring, however, I'd imagine it's still happening since we have been scanning for problems and not removing anything yet. I'll keep you posted in that regard.
OTM LOG
All processes killed
========== SERVICES/DRIVERS ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Ryan\My Documents\Downloads\cmd.bat deleted successfully.
C:\Documents and Settings\Ryan\My Documents\Downloads\cmd.txt deleted successfully.
File/Folder C:\Program Files\Windows NT\dwm.exe not found.
========== COMMANDS ==========
[EMPTYTEMP]
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: All Users
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56468 bytes
User: LocalService
->Temp folder emptied: 16384 bytes
->Temporary Internet Files folder emptied: 32902 bytes
User: Mike
->Temp folder emptied: 5430185 bytes
->Temporary Internet Files folder emptied: 1647328154 bytes
->Flash cache emptied: 3129051 bytes
User: Mike.LEIDICH
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 294871 bytes
->Flash cache emptied: 700 bytes
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 9093254 bytes
->Flash cache emptied: 14003 bytes
User: Ryan
->Temp folder emptied: 35135 bytes
->Temporary Internet Files folder emptied: 1005629 bytes
->FireFox cache emptied: 50200153 bytes
->Flash cache emptied: 57079 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2195181 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 106013 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 3376782 bytes
RecycleBin emptied: 27166719 bytes
Total Files Cleaned = 1,668.00 mb
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore points cleared and new OTM Restore Point set!
OTM by OldTimer - Version 3.1.18.0 log created on 07192011_233418
Files moved on Reboot...
File C:\WINDOWS\temp\klsBEDA.tmp not found!
Registry entries deleted on Reboot...
MalwareBytes LOG
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org
Database version: 7208
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
7/20/2011 12:06:09 AM
mbam-log-2011-07-20 (00-06-09).txt
Scan type: Quick scan
Objects scanned: 192037
Time elapsed: 3 minute(s), 35 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\WINDOWS\system32\sti_cim.dll (Trojan.Agent.GGE) -> Quarantined and deleted successfully.
thanks mate~
kevinf80_1d0ac6
1.1K Posts
0
July 20th, 2011 02:00
Hiya Ryan,
Do a full system scan with your security program (Kaspersky) let me know if it finds anything. If the log comes back clean and you have no remaining issues we can clean up the tools we`ve used.....
Kevin
LiquidCowBoy
8 Posts
0
July 21st, 2011 10:00
Hola Kevin,
I completed a scan with no threats/objects found. WOO. Everything seems well and good now. Thanks a million!
I've uninstalled HijackThis and MalwareBytes via add/remove programs. I know there are some CMD's to remove combofix and possibly others, so awaiting instructions.
Also, are there any programs and/or settings you'd recommend to help prevent infection? I'm somewhat lost as to how so many trojans etc. got on this system, as it's my travel/work computer.
ryan
kevinf80_1d0ac6
1.1K Posts
0
July 21st, 2011 15:00
Hiya Ryan,
Continue as follows :-
Step 1
Remove Combofix now that we're done with it
The above procedure will delete the following:
It is very important that you get a successful uninstall because of the extra functions done at the same time; let me know if this does not happen.
Step 2
Step 3
1. Click Start, click Run, type control appwiz.cpl in the Open box, and then press ENTER.
2. Click to select ESET Online Scanner from the application list, and then click Remove. Only re-boot if prompted
Step 4
Download and scan with CCleaner
1. Use either one of the two free links below the Premium version. If you are offered any Toolbars etc such as Yahoo just decline the offer.
2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 24 hours"
3. Then select the items you wish to clean up.
In the Windows Tab:
In the Applications Tab:
4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.
CCleaner is an excellent utility and well worth keeping. In the bottom left-hand corner of the main interface is a link, "Online Help"; use that link to get the full instructions for this very handy application.
Let me know if the above steps complete OK, also any remaining issues/concerns.
Kevin
LiquidCowBoy
8 Posts
0
July 21st, 2011 16:00
KEVIN!
All seems to be super duper and running better than ever! Thanks so much for taking the time to help me! It's VERY appreciated. I'm pretty sure everything is resolved =D
Have a great rest of the year!
ryan
kevinf80_1d0ac6
1.1K Posts
0
July 22nd, 2011 04:00
Hiya Ryan,
Your latest logs are clean and you say that your system is running well; it would be an excellent idea to keep it that way. The following advice will go a long way to keeping you secure so that you can enjoy safe and happy surfing.
Here are some tips to reduce the potential for malware infection in the future:
Make proper use of your antivirus and firewall
Antivirus and firewall programs are integral to your computer security. However, just having them installed isn't enough. The definitions of these programs are frequently updated to detect the latest malware; if you don't keep up with these updates, then you'll be vulnerable to infection. Many antivirus and firewall programs have automatic update features; make use of those if you can. If your program doesn't, then get in the habit of routinely performing manual updates, because it's important.
You should keep your antivirus and firewall guard enabled at all times; NEVER turn them off unless there's a specific reason to do so. Also, regularly performing a full system scan with your antivirus program is a good idea to make sure your system remains clean. Once a week should be adequate. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.
Install and use WinPatrol This will inform you of any attempted unauthorized changes to your system.
WinPatrol features explained Here
You will have several programs installed; these may be outdated and vulnerable to exploits as well. To be certain, please run the free online scan by Secunia, available Here. Before clicking the Start scan button, please check the box for the option Enable thorough system inspection. Just below the "Scan Options:" section, you'll see the status of what's currently processing....
...when the scan completes, the message "Detection completed successfully" will appear in the Programs/Result section. For each problem detected, Secunia will offer a "Solution" option. Please follow those instructions to download updated versions of the programs as recommended by Secunia.
Use a safer web browser
Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a few good free alternatives:
Firefox,
Opera, and
Chrome.
All of these are excellent, faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial HERE which will help you to make IE MUCH safer.
These browser add-ons will help to make your browser safer:
Web of Trust (available for Firefox and Internet Explorer) warns you about risky websites that try to scam visitors, deliver malware or send spam. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous ones:
Green to go,
Yellow for caution, and
Red to stop.
NoScript (available for Firefox only) helps to block malicious scripts and in general gives you much better control over what types of things webpages can do to your computer while you're browsing.
These are just a couple of the most popular add-ons, if you're interested in more, take a look at THIS article.
Here are a couple of links by two security experts that will give some excellent tips and advice.
So how did I get infected in the first place by Tony Klein
How to prevent Malware by Miekiemoes
Finally, this link HERE will give a comprehensive, up-to-date list of free security programs, including antivirus, antispyware, firewall, antimalware, online scanners and rescue CDs.
Don't forget, the best form of defense is common sense. If you don't recognize it, don't open it. If something looks too good to be true, then it ain't.
Post back and let me know if you're happy to close this one out,
Take care,
Kevin
LiquidCowBoy
8 Posts
0
July 22nd, 2011 07:00
Kevin, Mate,
Im content and ready to close this out. All seems to be well and great. Muchas Gracias amigo!
ryan
kevinf80_1d0ac6
1.1K Posts
0
July 22nd, 2011 08:00
Since this issue appears to be resolved the topic has been closed. Glad we could help.
If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.
Everyone else please begin a New Topic.
The fixes and advice in this thread are for this System only. Do not apply the instructions from this thread to your own System. Please start a new thread describing your issue and someone will be along to assist you.