Spiderstave
asked on
XP Security Tool 2010/Browser Redirect Trojan
Hello,
I have become infected with the XP Security Tool 2010 trojan, as well as a browser/search results redirection trojan. I am able to remove the XP Security Tool 2010 trojan through Malwarebytes, but I have been unable to remove the browser redirect trojan.
Whenever I search on Google, the proper search results will display, but when I click on the link I am re-directed to web sites that re-infect my machine with XP Security Tool 2010 trojan. Occasionally the browser will redirect on its own, without clicking on any links.
The steps I have taken are:
1) Scan with Malwarebytes - this finds and removes the XP Security Tool 2010 Trojan.
2) Scan with AVG Anti-Virus
3) Run ATF-Cleaner
4) Uninstall and reinstall Firefox
5) Full system scan with SUPERAntiSpyware while in Safe Mode
6) Updated Java to most current version
Unfortunately even after multiple scans with all of these programs that browser redirect trojan is still present. This is my work computer and it has stopped me from working the last 2 days, and I'm getting desperate as I have a project deadline and I need to get back to work. Below is my HijackThis log. If anyone would please take a look and advise me on the next steps, I don't know what else to do. I'm also posting this from my laptop, because when I attempt to post from the infected machine the browser is saying "The Connection Was Reset".
Thanks!
HijackThis log:
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 11:57:58 AM, on 4/10/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\Adobe\Distillr\Acrotray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\M-Audio\MobilePre\Install\MPInst.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\Program Files\MozyHome\mozystat.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: ::1 localhost
O1 - Hosts: 17.250.248.77 idisk0.mac.com idisk1.mac.com idisk2.mac.com idisk3.mac.com idisk4.mac.com idisk5.mac.com idisk6.mac.com idisk7.mac.com idisk8.mac.com idisk9.mac.com idisk10.mac.com idisk11.mac.com idisk12.mac.com idisk13.mac.com idisk14.mac.com idisk15.mac.com idisk16.mac.com idisk17.mac.com idisk18.mac.com idisk19.mac.com idisk20.mac.com idisk21.mac.com idisk22.mac.com idisk23.mac.com idisk24.mac.com idisk25.mac.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BMUpdate] C:\WINDOWS\system32\BMUpdate.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Luke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
O4 - Global Startup: MozyHome Status.lnk = C:\Program Files\MozyHome\mozystat.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199134658864
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pc.mywebexpc.com/pc/mywebex/tool/syscheck/ieatgpc.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/html - {b19e43c3-ba34-45e4-8298-318f769797ad} - C:\WINDOWS\system32\mst122.dll
O20 - AppInit_DLLs: karna.dat kjkvbv.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: MobilePre Installer (MobilePreInstallerService) - M-Audio - C:\Program Files\M-Audio\MobilePre\Install\MPInst.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Mozy, Inc. - C:\Program Files\MozyHome\mozybackup.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 12888 bytes
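The triage script below is an added example, not code from the post or from HijackThis: it parses the R/O entry lines of a log in the format above and flags the four entry kinds present in this log that can hook or redirect browsing (a hosts mapping to a non-loopback address, a Run value named after one executable but launching another, a text/html filter hijack, and a populated AppInit_DLLs value). The sample log is constructed from a handful of the posted lines, and every flag is a prompt for manual review, not a verdict.

```python
"""Triage helper for HijackThis logs (added example, not part of HijackThis).

Heuristics only: every finding is something to review by hand, not a verdict.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample built from a few lines of the log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O1 - Hosts: ::1 localhost
O1 - Hosts: 17.250.248.77 idisk0.mac.com idisk1.mac.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O18 - Filter hijack: text/html - {b19e43c3-ba34-45e4-8298-318f769797ad} - C:\WINDOWS\system32\mst122.dll
O20 - AppInit_DLLs: karna.dat kjkvbv.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
""".strip()

LOOPBACK = {"127.0.0.1", "::1"}

# "O18 - Filter hijack: ..." -> code "O18", body "Filter hijack: ..."
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# "...\Run: [ValueName] command line" (Run entries only, not Global Startup)
RUN_RE = re.compile(r"Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")


@dataclass
class Finding:
    line_no: int
    entry: str    # HijackThis section code, e.g. "O18"
    reason: str
    detail: str


def _exe_basename(cmd: str) -> str:
    """Lower-cased file name of the program a Run command launches.

    Handles a quoted path with arguments ("C:\\x\\a.exe" /flag) and a bare
    name with trailing text (msiconf.exe (User 'SYSTEM')).
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        prog = cmd[1:end] if end > 0 else cmd[1:]
    else:
        prog = cmd.split(" ", 1)[0]
    return prog.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _check(code: str, body: str) -> Optional[Tuple[str, str]]:
    """Return (reason, detail) when an entry matches a heuristic, else None."""
    if code == "O1" and body.startswith("Hosts: "):
        fields = body[len("Hosts: "):].split()
        # A hosts line that sends names anywhere but loopback overrides DNS;
        # some are legitimate, so it is flagged for review, not removed.
        if fields and fields[0] not in LOOPBACK:
            return ("hosts entry maps names to a non-loopback address", body)
    elif code == "O4":
        m = RUN_RE.search(body)
        if m:
            name = m.group("name").lower()
            exe = _exe_basename(m.group("cmd"))
            # A value named after a system binary that starts a different
            # file is the pattern the asker's analyzer reported.
            if name.endswith(".exe") and name != exe:
                return ("Run value named after one executable launches another",
                        f"[{name}] -> {exe}")
    elif code == "O18" and body.startswith("Filter hijack:"):
        # A MIME filter DLL sees, and can rewrite, every document of that type.
        return ("MIME filter registered for browser content", body)
    elif code == "O20" and body.startswith("AppInit_DLLs:"):
        dlls = body[len("AppInit_DLLs:"):].split()
        # AppInit_DLLs are loaded into every process that loads user32.dll.
        if dlls:
            return ("AppInit_DLLs is populated", " ".join(dlls))
    return None


def triage(log_text: str) -> List[Finding]:
    """Parse a HijackThis log and return the entries worth a closer look."""
    findings: List[Finding] = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue            # process list, header and blank lines
        hit = _check(m.group("code"), m.group("body"))
        if hit:
            findings.append(Finding(n, m.group("code"), hit[0], hit[1]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:>3} {f.entry:<4} {f.reason}: {f.detail}")
```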
Have you tried running Malwarebytes in Safe Mode?
Also making sure it's up to date with the latest definitions of course.
Run ComboFix in Safe Mode with Networking so that it can update if necessary.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Then reset IE7/IE8.
ASKER
Tymetwister - Yes, I have run Malwarebytes in Safe Mode and the definitions are up to date.
stokerbritt - I checked my hosts file and there were a bunch of extra IP addresses in there. I removed all of them except 127.0.0.1 localhost. The browser redirect was still happening so I ran ComboFix. The browser redirect is still happening. My ComboFix log is below.
Also, I ran my HijackThis log through an automatic analyzer and it is reporting that these two registry entries are a known trojan:
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
And it is recommending that I run a program called SDfix:
http://www.bleepingcomputer.com/forums/topic131299.html
Do you think it would be a good idea to run this?
ComboFix Log:
ComboFix 10-04-10.01 - Luke 04/10/2010 12:43:23.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2493 [GMT -7:00]
Running from: c:\documents and settings\Luke\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Common
c:\windows\jestertb.dll
c:\windows\patchw32.dll
c:\windows\pw32a.dll
c:\windows\system32\lsprst7.dll
c:\windows\system32\msvcsv60.dll
c:\windows\system32\ssprs.dll
c:\windows\wiaservv.log
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_TDSSSERV.SYS
((((((((((((((((((((((((( Files Created from 2010-03-11 to 2010-04-11 )))))))))))))))))))))))))))))))
.
2010-04-10 17:53 . 2010-04-10 17:53 -------- d-----w- c:\program files\TrendMicro
2010-04-09 20:33 . 2010-04-09 20:33 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-09 20:33 . 2010-04-09 20:33 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-09 20:33 . 2010-04-09 20:33 -------- d-----w- c:\documents and settings\Luke\Application Data\SUPERAntiSpyware.com
2010-04-09 20:26 . 2010-04-09 19:55 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-04-09 19:55 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-04-09 19:55 . 2010-04-09 19:55 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-09 19:53 . 2010-04-09 19:53 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-09 19:53 . 2010-04-09 19:53 -------- d-----w- c:\program files\Lavasoft
2010-04-09 17:51 . 2010-04-09 17:51 183808 --sha-w- c:\documents and settings\Luke\Local Settings\Application Data\562387286.dll
2010-04-07 20:33 . 2010-04-09 20:36 918360 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-04-05 00:42 . 2010-04-05 00:43 -------- d-----w- C:\3b0ff290e7bcc873702f2a8f
2010-04-04 01:08 . 2010-04-04 01:08 -------- d-----w- c:\documents and settings\Luke\Local Settings\Application Data\IsolatedStorage
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-10 19:17 . 2008-04-27 06:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-10 17:51 . 2008-01-01 04:36 -------- d-----w- c:\program files\uTorrent
2010-04-10 17:45 . 2008-09-10 20:41 -------- d-----w- c:\program files\LogMeIn
2010-04-09 21:13 . 2008-04-23 01:20 -------- d-----w- c:\program files\Java
2010-04-09 21:13 . 2008-04-23 01:20 -------- d-----w- c:\program files\Common Files\Java
2010-04-09 20:33 . 2008-10-26 22:50 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-09 17:58 . 2010-04-09 17:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-09 17:56 . 2010-01-25 19:42 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-09 17:51 . 2008-10-26 23:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-09 16:33 . 2009-04-11 02:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-04-08 23:29 . 2008-01-03 23:38 64 ----a-w- c:\windows\msocreg32.dat
2010-04-07 20:32 . 2007-12-31 23:26 -------- d-----w- c:\program files\Trillian
2010-04-05 00:48 . 2008-03-25 23:57 -------- d-----w- c:\program files\TurboTax
2010-04-05 00:48 . 2007-12-31 21:23 155640 ----a-w- c:\documents and settings\Luke\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-04 01:35 . 2008-01-01 04:36 -------- d-----w- c:\documents and settings\Luke\Application Data\uTorrent
2010-04-01 13:06 . 2009-08-04 06:44 -------- d-----w- c:\program files\EarMaster Pro 5
2010-03-31 22:20 . 2008-02-15 05:31 -------- d-----w- c:\documents and settings\Luke\Application Data\mIRC
2010-03-31 22:19 . 2008-02-15 05:31 -------- d-----w- c:\program files\mIRC
2010-03-30 07:46 . 2008-10-26 23:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45 . 2008-10-26 23:21 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-10 21:45 . 2010-03-10 21:45 6 ----a-w- c:\windows\Fonts\wfonts.key
2010-02-15 22:27 . 2008-01-09 23:04 -------- d-----w- c:\program files\FLV Player
2010-02-13 19:27 . 2010-02-13 19:26 -------- d-----w- c:\program files\iTunes
2010-02-13 19:26 . 2010-02-13 19:26 -------- d-----w- c:\program files\iPod
2010-02-13 19:26 . 2008-01-01 21:52 -------- d-----w- c:\program files\Common Files\Apple
2010-02-13 19:23 . 2008-01-01 01:12 -------- d-----w- c:\program files\QuickTime
2010-02-12 19:35 . 2010-02-12 19:35 -------- d-----w- c:\documents and settings\Luke\Application Data\Add-in Express
2010-02-12 19:35 . 2010-02-12 19:35 -------- d-----w- c:\program files\Add-in Express
2010-02-10 21:40 . 2010-02-10 21:40 -------- d-----w- c:\documents and settings\Luke\Application Data\ieSpell
2010-02-10 21:40 . 2010-02-10 21:40 -------- d-----w- c:\program files\ieSpell
2010-02-01 18:46 . 2008-12-09 17:59 114156 ---ha-w- c:\windows\system32\mlfcache.dat
2008-10-26 21:07 . 2008-10-26 21:07 15071 ----a-w- c:\program files\Common Files\ejobemuje.reg
2008-10-26 21:07 . 2008-10-26 21:07 14314 ----a-w- c:\program files\Common Files\ides._sy
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2010-01-04 19:36 2848568 ----a-w- c:\program files\MozyHome\mozyshell.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2010-01-04 19:36 2848568 ----a-w- c:\program files\MozyHome\mozyshell.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-31 68856]
"Google Update"="c:\documents and settings\Luke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-10-31 135664]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 14854144]
"nwiz"="nwiz.exe" [2008-10-07 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"M-Audio Taskbar Icon"="c:\windows\System32\M-AudioTaskBarIcon.exe" [2005-11-09 91136]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-02-28 63048]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-31 2046816]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2009-06-10 904840]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-06-10 136472]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Distillr\Acrotray.exe" [2006-01-13 483328]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2010-1-4 2893624]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-19 16:35 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-10-01 22:15 87352 ----a-w- c:\windows\system32\LMIinit.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi"=KORGUMDD.DRV
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Luke^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Luke\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-04-09 02:43 1953792 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 19:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor]
2002-09-24 16:21 86016 ----a-w- c:\program files\Visioneer OneTouch\OneTouchMon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 07:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2009-09-25 03:27 1217784 ----a-w- c:\program files\Steam\Steam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2009-06-10 10:55 1326080 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"WMP300NSvc"=2 (0x2)
"wampmysqld"=3 (0x3)
"wampapache"=3 (0x3)
"SQLWriter"=3 (0x3)
"PnkBstrA"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Norton Ghost"=2 (0x2)
"MSSQL$SQLEXPRESS"=2 (0x2)
"MDM"=2 (0x2)
"iPod Service"=3 (0x3)
"IntuitUpdateService"=2 (0x2)
"idsvc"=3 (0x3)
"gusvc"=2 (0x2)
"gupdate1c9ba4b94b36c70"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"AcrSch2Svc"=2 (0x2)
"aawservice"=2 (0x2)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
cmdlreg REG_SZ c:\windows\system32\mqtgHost.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ipswitch\\WS_FTP Professional\\wsftpgui.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\FTP Commander\\Ftpcomm.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Charles\\Charles.exe"=
"c:\\Program Files\\Steam\\steamapps\\spiderstave\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Steam\\steamapps\\spiderstave\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\empire total war\\Empire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"g:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\wamp\\bin\\apache\\Apache2.2.11\\bin\\httpd.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/9/2010 12:55 PM 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/18/2008 8:58 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/18/2008 8:58 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [8/19/2009 9:35 AM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/19/2009 9:35 AM 297752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 8:52 AM 1265264]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2/28/2008 3:31 PM 12856]
R3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [1/3/2008 3:20 PM 23288]
R3 WMP300Nv1;Linksys Wireless-N PCI Adapter WMP300N Driver;c:\windows\system32\drivers\WMP300Nv1.sys [1/3/2009 2:57 PM 822400]
S3 ELECTRO;ELECTRO;c:\windows\system32\drivers\electro.sys [1/29/2010 8:15 PM 34260]
S3 KORGUMDS;KORG USB-MIDI Driver for Windows;c:\windows\system32\drivers\KORGUMDS.SYS [3/29/2007 1:11 AM 21984]
S3 MADFU804;MADFU804;c:\windows\system32\drivers\MADFU804.sys [1/2/2008 5:23 PM 14336]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S4 gupdate1c9ba4b94b36c70;Google Update Service (gupdate1c9ba4b94b36c70);c:\program files\Google\Update\GoogleUpdate.exe [4/10/2009 7:16 PM 133104]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]
S4 WMP300NSvc;WMP300NSvc;c:\program files\Linksys\WMP300N\WLService.exe [1/3/2009 2:57 PM 53307]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
2010-04-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 19:54]
2010-04-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]
2010-04-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-11 02:16]
2010-04-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-11 02:16]
2010-04-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-413027322-839522115-1003Core.job
- c:\documents and settings\Luke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-18 14:30]
2010-04-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-413027322-839522115-1003UA.job
- c:\documents and settings\Luke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-18 14:30]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\Luke\Application Data\Mozilla\Firefox\Profiles\n4up01kb.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Luke\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Adobe\Acrobat\browser\nppdf32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-BMUpdate - c:\windows\system32\BMUpdate.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
HKU-Default-Run-msiexec.exe - msiconf.exe
Notify-AtiExtEvent - (no file)
MSConfigStartUp-SkyTel - SkyTel.EXE
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_07\bin\jusched.exe
AddRemove-3D Shadow by Lokas Software - c:\windows\AWuninstall.exe Software\Lokas Ltd\3D Shadow
AddRemove-Arturia Moog Modular V2 v1.0 - g:\progra~1\Arturia\MOOGMO~1\UNWISE.EXE
AddRemove-Native Instruments - Kore 2 Controller - g:\program files\Native Instruments\Kore 2 Controller\uninst.exe Software\Native Instruments\Kore 2 Controller\Setup
AddRemove-REAPER - c:\program files\REAPER\Uninstall.exe
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\Luke\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-10 12:57
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-436374069-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B3AF4199-5D70-2237-8DE0-AEE4945063FE}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iaeafppahhfgcgdcbk"=hex:6a,61,68,66,6c,6a,6c,65,6b,6c,70,68,68,67,67,61,6d,6f,
 69,6f,00,06
"hakahegjljkhamag"=hex:6a,61,6a,66,6e,6c,6f,6d,69,6a,6e,70,66,6c,62,6a,6f,6b,
 65,6f,00,1c
[HKEY_LOCAL_MACHINE\software\Classes\.bcp\PersistentHandler]
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"
[HKEY_LOCAL_MACHINE\software\Classes\.cc\PersistentHandler]
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"
[HKEY_LOCAL_MACHINE\software\Classes\.cod\PersistentHandler]
@DACL=(02 0000)
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"
[HKEY_LOCAL_MACHINE\software\Classes\.dsp\PersistentHandler]
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"
[HKEY_LOCAL_MACHINE\software\Classes\.dsw\PersistentHandler]
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"
[HKEY_LOCAL_MACHINE\software\Classes\.i\PersistentHandler]
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"
[HKEY_LOCAL_MACHINE\software\Classes\.inl\PersistentHandler]
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"
[HKEY_LOCAL_MACHINE\software\Classes\.lst\PersistentHandler]
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"
[HKEY_LOCAL_MACHINE\software\Classes\.mak\PersistentHandler]
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"
[HKEY_LOCAL_MACHINE\software\Classes\.map\PersistentHandler]
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"
[HKEY_LOCAL_MACHINE\software\Classes\.mk\PersistentHandler]
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"
[HKEY_LOCAL_MACHINE\software\Classes\.odh\PersistentHandler]
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"
[HKEY_LOCAL_MACHINE\software\Classes\.odl\PersistentHandler]
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"
[HKEY_LOCAL_MACHINE\software\Classes\.pps\PersistentHandler]
@DACL=(02 0000)
@="{98de59a0-d175-11cd-a7bd-00006b827d94}"
[HKEY_LOCAL_MACHINE\software\Classes\.prc\PersistentHandler]
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"
[HKEY_LOCAL_MACHINE\software\Classes\.rc2\PersistentHandler]
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"
[HKEY_LOCAL_MACHINE\software\Classes\.rct\PersistentHandler]
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"
[HKEY_LOCAL_MACHINE\software\Classes\.rgs\PersistentHandler]
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"
[HKEY_LOCAL_MACHINE\software\Classes\.rtf\PersistentHandler]
@DACL=(02 0000)
@="{2e2294a9-50d7-4fe7-a09f-e6492e185884}"
[HKEY_LOCAL_MACHINE\software\Classes\.s\PersistentHandler]
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"
[HKEY_LOCAL_MACHINE\software\Classes\.tlh\PersistentHandler]
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"
[HKEY_LOCAL_MACHINE\software\Classes\.tli\PersistentHandler]
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"
[HKEY_LOCAL_MACHINE\software\Classes\.trg\PersistentHandler]
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"
[HKEY_LOCAL_MACHINE\software\Classes\.user\PersistentHandler]
@DACL=(02 0000)
@="{eec97550-47a9-11cf-b952-00aa0051fe20}"
[HKEY_LOCAL_MACHINE\software\Classes\.vcproj\PersistentHandler]
@DACL=(02 0000)
@="{eec97550-47a9-11cf-b952-00aa0051fe20}"
[HKEY_LOCAL_MACHINE\software\Classes\.vspscc\PersistentHandler]
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"
[HKEY_LOCAL_MACHINE\software\Classes\.vsscc\PersistentHandler]
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"
[HKEY_LOCAL_MACHINE\software\Classes\.vssscc\PersistentHandler]
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"
[HKEY_LOCAL_MACHINE\software\Classes\.xsd\PersistentHandler]
@DACL=(02 0000)
@="{7E9D8D44-6926-426F-AA2B-217A819A5CCE}"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{17DE1F14-B3E4-1035-F057BA15C83B1D27}\{8EADAA70-8C9A-100D-77D42F75FD081297}\{52159879-7142-2CA4-73B8A923B4C8F27A}*]
"SE4K5INHHR1EDZYY15BVZC6TKG1"=hex:01,00,01,00,00,00,00,00,7e,c3,c3,8e,86,b4,21,
 5e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{18D6E519-4C27-E4AD-074C5D1F171B40FB}\{8D7A772B-93EE-6905-4C751BA1B544AFC9}\{7029C73E-0020-BA9C-F3FADF03D99AF0E6}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,1b,ea,19,
 80,38,fc,84,be,90,ff,d5,d3,f6,56,78,2e,b7,9c,df,bf,2a,43,28,57,06,5c,80,5f,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{551E7168-6B6B-73F4-2358001EBB1BFA13}\{9EB39097-9AF5-4CC7-A66D04881D6D8211}\{B54D5FC9-25C8-0FB7-F96BD94B39BD18AF}*]
"SE4K5INHHR1EDZYY15BVZC6TKG1"=hex:01,00,01,00,00,00,00,00,7e,c3,c3,8e,86,b4,21,
 5e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{564572D7-BA6B-A81E-17332C14105A24EF}\{35AC4256-1B84-66D8-7C4583AC3B4AA35B}\{791C0703-8CF5-813B-67470F66B09458B3}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,1b,ea,19,
 80,38,fc,84,be,90,ff,d5,d3,f6,56,78,2e,b7,9c,df,bf,2a,43,28,57,06,5c,80,5f,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B3A3A58F-967E-A40A-C7DDFB524B0CDFB3}\{B28E8422-363F-1C4B-CC056478281B7FCE}\{569EFB20-10B3-C9F5-895B6A19B8852344}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,1b,ea,19,
 80,38,fc,84,be,90,ff,d5,d3,f6,56,78,2e,b7,9c,df,bf,2a,43,28,57,06,5c,80,5f,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FCCB8240-DCE2-E75D-AC14FD41A6B697E0}\{CCBBBFAF-D782-4243-9A223EC5C9E9D74B}\{381F6F0A-6948-72AB-150979187EC28E60}*]
"SE4K5INHHR1EDZYY15BVZC6TKG1"=hex:01,00,01,00,00,00,00,00,7e,c3,c3,8e,86,b4,21,
 5e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\mapi\Shell]
@DACL=(02 0000)
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(836)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\LMIinit.dll
- - - - - - - > 'lsass.exe'(896)
c:\windows\system32\relog_ap.dll
- - - - - - - > 'explorer.exe'(3996)
c:\program files\MozyHome\mozyshell.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\M-Audio\MobilePre\Install\MPInst.exe
c:\program files\MozyHome\mozybackup.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2010-04-11 00:16:52 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-11 07:16
Pre-Run: 854,233,620,480 bytes free
Post-Run: 854,191,910,912 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows 3GB DAW" /noexecute=optin /fastdetect /3GB /userva=3030
- - End Of File - - 7D6D08657109F0DF837DF61062BF989E
stokerbritt - I checked my hosts file and there were a bunch of extra IP addresses in there. I removed all of them except 127.0.0.1 localhost. The browser redirect was still happening, so I ran ComboFix. The browser redirect is still happening. My ComboFix log is below.
Also, I ran my HijackThis log through an automatic analyzer and it is reporting that these two registry entries are a known trojan:
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
And it is recommending that I run a program called SDfix:
http://www.bleepingcomputer.com/forums/topic131299.html
Do you think it would be a good idea to run this?
ComboFix Log:
ComboFix 10-04-10.01 - Luke 04/10/2010 12:43:23.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.
Running from: c:\documents and settings\Luke\Desktop\Comb
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-5
.
((((((((((((((((((((((((((
.
c:\program files\Common
c:\windows\jestertb.dll
c:\windows\patchw32.dll
c:\windows\pw32a.dll
c:\windows\system32\lsprst
c:\windows\system32\msvcsv
c:\windows\system32\ssprs.
c:\windows\wiaservv.log
.
((((((((((((((((((((((((((
.
-------\Legacy_TDSSSERV.SY
[HKEY_LOCAL_MACHINE\softwa
2009-10-01 22:15 87352 ----a-w- c:\windows\system32\LMIini
[HKEY_LOCAL_MACHINE\softwa
"midi"=KORGUMDD.DRV
[HKEY_LOCAL_MACHINE\SYSTEM
@="Service"
[HKLM\~\startupfolder\C:^D
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adob
backup=c:\windows\pss\Adob
[HKLM\~\startupfolder\C:^D
path=c:\documents and settings\Luke\Start Menu\Programs\Startup\Magi
backup=c:\windows\pss\Magi
[HKEY_LOCAL_MACHINE\softwa
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\softwa
2005-04-09 02:43 1953792 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe
[HKEY_LOCAL_MACHINE\softwa
2001-07-09 19:50 155648 ----a-w- c:\windows\system32\NeroCh
[HKEY_LOCAL_MACHINE\softwa
2002-09-24 16:21 86016 ----a-w- c:\program files\Visioneer OneTouch\OneTouchMon.exe
[HKEY_LOCAL_MACHINE\softwa
2009-11-11 07:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\softwa
2009-09-25 03:27 1217784 ----a-w- c:\program files\Steam\Steam.exe
[HKEY_LOCAL_MACHINE\softwa
2009-06-10 10:55 1326080 ----a-w- c:\program files\Acronis\TrueImageHom
[HKEY_LOCAL_MACHINE\softwa
"WMPNetworkSvc"=3 (0x3)
"WMP300NSvc"=2 (0x2)
"wampmysqld"=3 (0x3)
"wampapache"=3 (0x3)
"SQLWriter"=3 (0x3)
"PnkBstrA"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Norton Ghost"=2 (0x2)
"MSSQL$SQLEXPRESS"=2 (0x2)
"MDM"=2 (0x2)
"iPod Service"=3 (0x3)
"IntuitUpdateService"=2 (0x2)
"idsvc"=3 (0x3)
"gusvc"=2 (0x2)
"gupdate1c9ba4b94b36c70"=2
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"AcrSch2Svc"=2 (0x2)
"aawservice"=2 (0x2)
[HKEY_LOCAL_MACHINE\system
cmdlreg REG_SZ c:\windows\system32\mqtgHo
[HKEY_LOCAL_MACHINE\softwa
"AntiVirusOverride"=dword:
"FirewallOverride"=dword:0
[HKLM\~\services\sharedacc
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedacc
"%windir%\\system32\\sessm
"%windir%\\Network Diagnostic\\xpnetdiag.exe"
"c:\\Program Files\\Ipswitch\\WS_FTP Professional\\wsftpgui.exe
"c:\\Program Files\\Trillian\\trillian.
"c:\\Program Files\\FTP Commander\\Ftpcomm.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Charles\\Charles.ex
"c:\\Program Files\\Steam\\steamapps\\s
"c:\\Program Files\\AVG\\AVG8\\avgupd.e
"c:\\Program Files\\AVG\\AVG8\\avgemc.e
"c:\\Program Files\\Steam\\steamapps\\s
"c:\\Program Files\\Steam\\steamapps\\c
"c:\\Program Files\\Bonjour\\mDNSRespon
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\Pn
"c:\\WINDOWS\\system32\\Pn
"g:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.
"c:\\wamp\\bin\\apache\\Ap
"c:\\Program Files\\Skype\\Phone\\Skype
"c:\\Program Files\\VideoLAN\\VLC\\vlc.
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceMa
"c:\\Program Files\\iTunes\\iTunes.exe"
"c:\\Program Files\\Java\\jre6\\bin\\ja
[HKLM\~\services\sharedacc
"5353:TCP"= 5353:TCP:Adobe CSI CS4
[HKLM\~\services\sharedacc
"AllowInboundEchoRequest"=
R0 Lbd;Lbd;c:\windows\system3
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\dr
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\syst
R1 SASDIFSV;SASDIFSV;c:\progr
R1 SASKUTIL;SASKUTIL;c:\progr
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AV
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\A
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AA
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.s
R3 SynasUSB;SynasUSB;c:\windo
R3 WMP300Nv1;Linksys Wireless-N PCI Adapter WMP300N Driver;c:\windows\system32
S3 ELECTRO;ELECTRO;c:\windows
S3 KORGUMDS;KORG USB-MIDI Driver for Windows;c:\windows\system3
S3 MADFU804;MADFU804;c:\windo
S3 SASENUM;SASENUM;c:\program
S4 gupdate1c9ba4b94b36c70;Goo
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]
S4 WMP300NSvc;WMP300NSvc;c:\p
[HKEY_LOCAL_MACHINE\softwa
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
2010-04-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad
2010-04-08 c:\windows\Tasks\AppleSoft
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]
2010-04-10 c:\windows\Tasks\GoogleUpd
- c:\program files\Google\Update\Google
2010-04-10 c:\windows\Tasks\GoogleUpd
- c:\program files\Google\Update\Google
2010-04-08 c:\windows\Tasks\GoogleUpd
- c:\documents and settings\Luke\Local Settings\Application Data\Google\Update\GoogleU
2010-04-10 c:\windows\Tasks\GoogleUpd
- c:\documents and settings\Luke\Local Settings\Application Data\Google\Update\GoogleU
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIE
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat\AcroIE
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIE
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat\AcroIE
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIE
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat\AcroIE
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIE
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat\AcroIE
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Offic
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HT
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.h
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\Luke\Application Data\Mozilla\Firefox\Profi
FF - component: c:\program files\AVG\AVG8\Firefox\com
FF - plugin: c:\documents and settings\Luke\Local Settings\Application Data\Google\Update\1.2.183
FF - plugin: c:\program files\Adobe\Acrobat\browse
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dl
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCI
FF - plugin: c:\program files\Google\Update\1.2.18
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browse
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.m
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.m
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-g
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.e
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.deb
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.age
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.buc
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.max
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.tim
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bou
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.pre
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-
c:\program files\Mozilla Firefox\greprefs\security-
c:\program files\Mozilla Firefox\greprefs\security-
c:\program files\Mozilla Firefox\greprefs\security-
c:\program files\Mozilla Firefox\defaults\pref\fire
c:\program files\Mozilla Firefox\defaults\pref\fire
c:\program files\Mozilla Firefox\defaults\pref\fire
c:\program files\Mozilla Firefox\defaults\pref\fire
c:\program files\Mozilla Firefox\defaults\pref\fire
c:\program files\Mozilla Firefox\defaults\pref\fire
c:\program files\Mozilla Firefox\defaults\pref\fire
c:\program files\Mozilla Firefox\defaults\pref\fire
c:\program files\Mozilla Firefox\defaults\pref\fire
c:\program files\Mozilla Firefox\defaults\pref\fire
c:\program files\Mozilla Firefox\defaults\pref\fire
c:\program files\Mozilla Firefox\defaults\pref\fire
c:\program files\Mozilla Firefox\defaults\pref\fire
c:\program files\Mozilla Firefox\defaults\pref\fire
c:\program files\Mozilla Firefox\defaults\pref\fire
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-BMUpdate - c:\windows\system32\BMUpda
HKLM-Run-SunJavaUpdateSche
HKU-Default-Run-msiexec.ex
Notify-AtiExtEvent - (no file)
MSConfigStartUp-SkyTel - SkyTel.EXE
MSConfigStartUp-SunJavaUpd
AddRemove-3D Shadow by Lokas Software - c:\windows\AWuninstall.exe
AddRemove-Arturia Moog Modular V2 v1.0 - g:\progra~1\Arturia\MOOGMO
AddRemove-Native Instruments - Kore 2 Controller - g:\program files\Native Instruments\Kore 2 Controller\uninst.exe Software\Native Instruments\Kore 2 Controller\Setup
AddRemove-REAPER - c:\program files\REAPER\Uninstall.exe
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\Luke\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
**************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-10 12:57
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-43637
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iaeafppahhfgcgdcbk"=hex:6
69,6f,00,06
"hakahegjljkhamag"=hex:6a,
65,6f,00,1c
[HKEY_LOCAL_MACHINE\softwa
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b57
[HKEY_LOCAL_MACHINE\softwa
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b57
[HKEY_LOCAL_MACHINE\softwa
@DACL=(02 0000)
@="{098f2470-bae0-11cd-b57
[HKEY_LOCAL_MACHINE\softwa
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b57
[HKEY_LOCAL_MACHINE\softwa
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b57
[HKEY_LOCAL_MACHINE\softwa
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b57
[HKEY_LOCAL_MACHINE\softwa
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b57
[HKEY_LOCAL_MACHINE\softwa
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b57
[HKEY_LOCAL_MACHINE\softwa
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b57
[HKEY_LOCAL_MACHINE\softwa
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b57
[HKEY_LOCAL_MACHINE\softwa
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b57
[HKEY_LOCAL_MACHINE\softwa
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b57
[HKEY_LOCAL_MACHINE\softwa
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b57
[HKEY_LOCAL_MACHINE\softwa
@DACL=(02 0000)
@="{98de59a0-d175-11cd-a7b
[HKEY_LOCAL_MACHINE\softwa
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b57
[HKEY_LOCAL_MACHINE\softwa
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b57
[HKEY_LOCAL_MACHINE\softwa
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b57
[HKEY_LOCAL_MACHINE\softwa
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b57
[HKEY_LOCAL_MACHINE\softwa
@DACL=(02 0000)
@="{2e2294a9-50d7-4fe7-a09
[HKEY_LOCAL_MACHINE\softwa
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b57
[HKEY_LOCAL_MACHINE\softwa
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b57
[HKEY_LOCAL_MACHINE\softwa
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b57
[HKEY_LOCAL_MACHINE\softwa
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b57
[HKEY_LOCAL_MACHINE\softwa
@DACL=(02 0000)
@="{eec97550-47a9-11cf-b95
[HKEY_LOCAL_MACHINE\softwa
@DACL=(02 0000)
@="{eec97550-47a9-11cf-b95
[HKEY_LOCAL_MACHINE\softwa
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b57
[HKEY_LOCAL_MACHINE\softwa
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b57
[HKEY_LOCAL_MACHINE\softwa
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b57
[HKEY_LOCAL_MACHINE\softwa
@DACL=(02 0000)
@="{7E9D8D44-6926-426F-AA2
[HKEY_LOCAL_MACHINE\softwa
"SE4K5INHHR1EDZYY15BVZC6TK
5e,35,81,92,71,e8,29,5a,84
[HKEY_LOCAL_MACHINE\softwa
"{3EE4C831-B7E0-4ed1-B9FC-
80,38,fc,84,be,90,ff,d5,d3
[HKEY_LOCAL_MACHINE\softwa
"SE4K5INHHR1EDZYY15BVZC6TK
5e,35,81,92,71,e8,29,5a,84
[HKEY_LOCAL_MACHINE\softwa
"{3EE4C831-B7E0-4ed1-B9FC-
80,38,fc,84,be,90,ff,d5,d3
[HKEY_LOCAL_MACHINE\softwa
"{3EE4C831-B7E0-4ed1-B9FC-
80,38,fc,84,be,90,ff,d5,d3
[HKEY_LOCAL_MACHINE\softwa
"SE4K5INHHR1EDZYY15BVZC6TK
5e,35,81,92,71,e8,29,5a,84
[HKEY_LOCAL_MACHINE\softwa
@DACL=(02 0000)
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(836)
c:\program files\SUPERAntiSpyware\SAS
c:\windows\system32\LMIini
- - - - - - - > 'lsass.exe'(896)
c:\windows\system32\relog_
- - - - - - - > 'explorer.exe'(3996)
c:\program files\MozyHome\mozyshell.d
c:\windows\system32\iefram
c:\windows\system32\OneX.D
c:\windows\system32\eapppr
c:\windows\system32\webche
c:\windows\system32\WPDShS
c:\windows\system32\Portab
c:\windows\system32\Portab
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\system32\LMIRfs
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYS
c:\windows\System32\bcmwlt
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDev
c:\program files\Java\jre6\bin\jqs.ex
c:\program files\LogMeIn\x86\RaMaint.
c:\program files\LogMeIn\x86\LogMeIn.
c:\progra~1\AVG\AVG8\avgrs
c:\progra~1\AVG\AVG8\avgns
c:\program files\LogMeIn\x86\LMIGuard
c:\program files\M-Audio\MobilePre\In
c:\program files\MozyHome\mozybackup.
c:\windows\system32\nvsvc3
c:\windows\system32\Search
c:\program files\AVG\AVG8\avgcsrvx.ex
c:\windows\System32\wbem\u
c:\program files\Lavasoft\Ad-Aware\AA
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL
c:\program files\LogMeIn\x86\LMIGuard
c:\windows\system32\rundll
c:\windows\system32\taskmg
.
**************************
.
Completion time: 2010-04-11 00:16:52 - machine was rebooted
ComboFix-quarantined-files
Pre-Run: 854,233,620,480 bytes free
Post-Run: 854,191,910,912 bytes free
WindowsXP-KB310994-SP2-Pro
[boot loader]
timeout=2
default=multi(0)disk(0)rdi
[operating systems]
c:\cmdcons\BOOTSECT.DAT="M
multi(0)disk(0)rdisk(0)par
multi(0)disk(0)rdisk(0)par
- - End Of File - - 7D6D08657109F0DF837DF61062
Can you run a scan with HitmanPro and note what is detected?
http://www.surfright.nl/en/hitmanpro
Try running Internet Explorer without add-ons. Start then Run and enter iexplore -extoff
Go to google and test it. If it works as it should that means it's an add-on causing the problem. Go to Tools>Manage Add-ons and you should be able to find it then disable it.
Go ahead and run SDFix and follow the instructions. I'm pretty sure you run that in Safe Mode, and do it in plain Safe Mode, not Safe Mode with Networking; you don't want the virus downloading buddies.
You might also check your Downloaded Program Files and delete all of those; turn off System Restore (Control Panel > System > System Restore tab); run a Disk Cleanup and delete all temp files:
C:\Windows\Downloaded Program Files
Let me know.
I'd advise against turning off system restore for the moment.
Harmless unless restored to a recent date, but sometimes a restore is needed, and a follow-up cleanup :)
ASKER
Stokerbritt - I ran SDFix, it did find 1 trojan and deleted it, but unfortunately the browser redirect is still happening. I went through and removed all programs in C:\Windows\Downloaded Program Files. I was about to follow your other instructions, but wanted to make sure I was clear that I should disable system restore. I went to do it, but it warned me that I would be deleting all system restore points, which worried me. Is this safe to do? Just want to make sure I'm following your instructions properly.
If so, I would disable system restore, then run a disk cleanup and delete all temp files?
Also, pasting my SDFix log below just to have everything here.
SDFix Log:
[b]SDFix: Version 1.240 [/b]
Run by Luke on Sun 04/11/2010 at 12:47 AM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
[b]Checking Services [/b]:
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
[b]Checking Files [/b]:
Trojan Files Found:
C:\Program Files\Common Files\ides._sy - Deleted
Removing Temp Files
[b]ADS Check [/b]:
[b]Final Check [/b]:
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-11 01:00:38
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B3AF4199-5D70-2237-8DE0-AEE4945063FE}]
"iaeafppahhfgcgdcbk"=hex:6a,61,68,66,6c,6a,6c,65,6b,6c,70,68,68,67,67,61,6d,6f,69,6f,00,..
"hakahegjljkhamag"=hex:6a,61,6a,66,6e,6c,6f,6d,69,6a,6e,70,66,6c,62,6a,6f,6b,65,6f,00,..
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
[b]Remaining Services [/b]:
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Ipswitch\\WS_FTP Professional\\wsftpgui.exe"="C:\\Program Files\\Ipswitch\\WS_FTP Professional\\wsftpgui.exe:*:Enabled:WS_FTP Pro Application"
"C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
"C:\\Program Files\\FTP Commander\\Ftpcomm.exe"="C:\\Program Files\\FTP Commander\\Ftpcomm.exe:*:Enabled:Ftpcomm"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\Charles\\Charles.exe"="C:\\Program Files\\Charles\\Charles.exe:*:Enabled:Charles Web Debugging Proxy"
"C:\\Program Files\\Steam\\steamapps\\spiderstave\\team fortress 2\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\spiderstave\\team fortress 2\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Steam\\steamapps\\spiderstave\\counter-strike source\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\spiderstave\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Steam\\steamapps\\common\\empire total war\\Empire.exe"="C:\\Program Files\\Steam\\steamapps\\common\\empire total war\\Empire.exe:*:Enabled:Empire: Total War"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
"G:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="G:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe:*:Enabled:Call of Duty(R) 4 - Modern Warfare(TM)"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\wamp\\bin\\apache\\Apache2.2.11\\bin\\httpd.exe"="C:\\wamp\\bin\\apache\\Apache2.2.11\\bin\\httpd.exe:*:Enabled:Apache HTTP Server"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"="C:\\Program Files\\VideoLAN\\VLC\\vlc.exe:*:Enabled:VLC media player"
"C:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"="C:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Java\\jre6\\bin\\java.exe"="C:\\Program Files\\Java\\jre6\\bin\\java.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\\Program Files\\Common Files\\Intuit\\Update Service\\IntuitUpdateService.exe"="C:\\Program Files\\Common Files\\Intuit\\Update Service\\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
[b]Remaining Files [/b]:
File Backups: - C:\SDFix\backups\backups.zip
[b]Files with Hidden Attributes [/b]:
Thu 18 Sep 2008 77,312 ...H. --- "C:\Proposal&Contract\Bracelet.name\~WRL2688.tmp"
Thu 18 Sep 2008 78,336 ...H. --- "C:\Proposal&Contract\Bracelet.name\~WRL3275.tmp"
Tue 9 Sep 2008 80,896 ...H. --- "C:\Proposal&Contract\Bracelet.name\~WRL3422.tmp"
Tue 19 May 2009 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 9 Apr 2010 34,282 ...H. --- "C:\Program Files\Ipswitch\WS_FTP Professional\wsftpgui.exe-CommandBars"
Mon 9 Jun 2008 73,728 ...H. --- "C:\Proposal&Contract\Esparza Advertising\Estimates\~WRL1324.tmp"
Mon 9 Jun 2008 74,752 ...H. --- "C:\Proposal&Contract\Esparza Advertising\Estimates\~WRL1523.tmp"
Mon 9 Jun 2008 74,752 ...H. --- "C:\Proposal&Contract\Esparza Advertising\Estimates\~WRL1777.tmp"
Mon 9 Jun 2008 75,264 ...H. --- "C:\Proposal&Contract\Esparza Advertising\Estimates\~WRL3058.tmp"
Mon 9 Jun 2008 74,240 ...H. --- "C:\Proposal&Contract\Esparza Advertising\Estimates\~WRL3174.tmp"
Thu 9 Aug 2007 73,216 ...H. --- "C:\Proposal&Contract\Esparza Advertising\Estimates\~WRL3818.tmp"
Mon 9 Jun 2008 74,752 ...H. --- "C:\Proposal&Contract\Esparza Advertising\Estimates\~WRL3912.tmp"
Sun 21 Jul 2002 418,816 ...HR --- "C:\WINDOWS\system32\Tools\All.exe"
Thu 18 Jul 2002 390,144 ...HR --- "C:\WINDOWS\system32\Tools\Change.exe"
Fri 19 Jul 2002 574,464 ...HR --- "C:\WINDOWS\system32\Tools\CheckPath.exe"
Mon 19 Aug 2002 430,592 ...HR --- "C:\WINDOWS\system32\Tools\Counter.exe"
Mon 22 Jul 2002 390,656 ...HR --- "C:\WINDOWS\system32\Tools\DelFolders.exe"
Fri 22 Nov 2002 399,872 ...HR --- "C:\WINDOWS\system32\Tools\DirectSetup.exe"
Fri 19 Jul 2002 388,096 ...HR --- "C:\WINDOWS\system32\Tools\RegClean.exe"
Fri 19 Jul 2002 388,608 ...HR --- "C:\WINDOWS\system32\Tools\Regexe.exe"
Sun 1 Dec 2002 431,616 ...HR --- "C:\WINDOWS\system32\Tools\Restart.exe"
Fri 19 Jul 2002 388,096 ...HR --- "C:\WINDOWS\system32\Tools\RunRegexe.exe"
Mon 31 Dec 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri 9 Apr 2010 183,808 A.SH. --- "C:\Documents and Settings\Luke\Local Settings\Application Data\562387286.dll"
Tue 8 Sep 2009 30,748 ...H. --- "C:\Documents and Settings\Luke\My Documents\Ideal Boy\~WRL0003.tmp"
Sun 4 Oct 2009 30,176 ...H. --- "C:\Documents and Settings\Luke\My Documents\Ideal Boy\~WRL0004.tmp"
Thu 10 Jan 2008 120,832 ...H. --- "C:\Websites\Suicide Squeeze\EPKs\Minus The Bear\~WRL0171.tmp"
Fri 16 Nov 2007 114,176 ...H. --- "C:\Websites\Suicide Squeeze\EPKs\Minus The Bear\~WRL1149.tmp"
Thu 10 Jan 2008 121,344 ...H. --- "C:\Websites\Suicide Squeeze\EPKs\Minus The Bear\~WRL3003.tmp"
Thu 10 Jan 2008 121,344 ...H. --- "C:\Websites\Suicide Squeeze\EPKs\Minus The Bear\~WRL3738.tmp"
Thu 10 Jan 2008 121,344 ...H. --- "C:\Websites\Suicide Squeeze\EPKs\Minus The Bear\~WRL3858.tmp"
Fri 2 May 2008 3,493,888 A..H. --- "C:\Documents and Settings\Luke\Application Data\U3\temp\Launchpad Removal.exe"
[b]Finished![/b]
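The "Files with Hidden Attributes" section is the part of an SDFix log worth reading most closely. As an added example that is not part of this thread or of SDFix, the Python below parses that listing and flags what a defender would check first: hidden+system files in user-writable profile directories, files modified within a week of the scan, and executables under a profile. The attribute column layout ([A][?][S][H][R]) is inferred from the log lines rather than taken from SDFix documentation, and the sample lines are copied from the log above.

```python
"""Triage the 'Files with Hidden Attributes' section of an SDFix log.

Added example, not SDFix's own code. The attribute column is read as
[A][?][S][H][R] (archive, unknown, system, hidden, read-only); that layout
is inferred from the lines in the log, not taken from SDFix documentation.
"""
import re
from datetime import datetime, timedelta

# One SDFix line: <weekday> <day> <month> <year> <size> <attrs> --- "<path>"
LINE_RE = re.compile(
    r'^(?P<date>\w{3} \d{1,2} \w{3} \d{4})\s+'   # Fri 9 Apr 2010
    r'(?P<size>[\d,]+)\s+'                        # 183,808
    r'(?P<attrs>\S{5})\s+---\s+'                  # A.SH.
    r'"(?P<path>.+)"$'
)

# Profile sub-directories any user process can write to; a hidden+system
# file dropped here is far more suspicious than one under \WINDOWS.
USER_WRITABLE = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\application data\\",
    "\\templates\\",
)


def parse_hidden_files(text):
    """Return one dict per well-formed line; anything else is skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        attrs = m.group("attrs")
        entries.append({
            "date": datetime.strptime(m.group("date"), "%a %d %b %Y"),
            "size": int(m.group("size").replace(",", "")),
            "archive": attrs[0] == "A",
            "system": attrs[2] == "S",
            "hidden": attrs[3] == "H",
            "readonly": attrs[4] == "R",
            "path": m.group("path"),
        })
    return entries


def in_user_profile(path):
    """True when the path sits in a user-writable part of a profile."""
    low = path.lower()
    return "\\documents and settings\\" in low and any(d in low for d in USER_WRITABLE)


def triage(entries, scan_date, recent_days=7):
    """Map path -> list of reasons for every entry that deserves a look.

    user-writable-system-hidden : S and H set on a file in a profile data dir
    recent                      : modified within recent_days of the scan
    executable-in-profile       : .exe/.dll/.sys inside a profile data dir
    """
    findings = {}
    for e in entries:
        reasons = []
        profile = in_user_profile(e["path"])
        if profile and e["system"] and e["hidden"]:
            reasons.append("user-writable-system-hidden")
        if scan_date - e["date"] <= timedelta(days=recent_days):
            reasons.append("recent")
        if profile and e["path"].lower().endswith((".exe", ".dll", ".sys")):
            reasons.append("executable-in-profile")
        if reasons:
            findings[e["path"]] = reasons
    return findings


# Sample input: five lines copied from the SDFix log in this thread.
SAMPLE_LOG = r"""
Tue 19 May 2009 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 9 Apr 2010 34,282 ...H. --- "C:\Program Files\Ipswitch\WS_FTP Professional\wsftpgui.exe-CommandBars"
Sun 21 Jul 2002 418,816 ...HR --- "C:\WINDOWS\system32\Tools\All.exe"
Fri 9 Apr 2010 183,808 A.SH. --- "C:\Documents and Settings\Luke\Local Settings\Application Data\562387286.dll"
Fri 2 May 2008 3,493,888 A..H. --- "C:\Documents and Settings\Luke\Application Data\U3\temp\Launchpad Removal.exe"
"""
SCAN_DATE = datetime(2010, 4, 11)  # date of the SDFix run in this thread

if __name__ == "__main__":
    for path, reasons in triage(parse_hidden_files(SAMPLE_LOG), SCAN_DATE).items():
        print(path, "->", ", ".join(reasons))
```

Run against the sample, the freshly dropped `562387286.dll` is the only entry that trips all three checks, while the old DRM and Tools files produce nothing.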
ASKER
Optoma - Thanks for your post, I didn't see it when I asked stokerbritt if he was sure it was okay to disable it. If it won't cause any problems I'd feel safer leaving it enabled. Do you also think it's a good idea to run disk cleanup and delete all temp files?
Yes, it's safe to disable system restore; we do that because the virus/spyware hides in there also, and if you ever do a system restore after we clean it, it will come back.
Yes, please try to clear up any temp files.
Here is a list of files that are related to the virus you had; make sure they have been deleted.
Note: you may have to show hidden files or protected system files to see them.
Windows XP:
c:\Documents and Settings\All Users\Application Data\QJyrk5wvCU1
%UserProfile%\Local Settings\Application Data\av.exe
%UserProfile%\Local Settings\Application Data\ave.exe
%UserProfile%\Local Settings\Application Data\QJyrk5wvCU1
%UserProfile%\Local Settings\Application Data\WRblt8464P
%UserProfile%\Local Settings\Temp\QJyrk5wvCU1
%UserProfile%\Templates\QJyrk5wvCU1
ASKER
Stokerbritt - Okay, thanks for your help, I will disable system restore, run disk cleanup and delete all temp files.
Optoma - I downloaded HitmanPro and ran it, and it did find 2 files none of the other scans did, but it did not produce a log for me to post, and I couldn't find any option to produce a log.
ASKER
Stokerbritt - Okay, I ran a Disk Cleanup with system restore off, but there aren't really any temp files left. The list looks like this:
Downloaded Program Files - 0 KB
Temporary Internet Files - 127 KB
Old Chkdsk files - 25 KB
Recycle Bin - 0 KB
Setup Log Files - 2,654 KB
Temporary files - 0 KB
WebClient/Publisher Temporary Files - 32 KB
Compress old files - 48,193,05 KB
Catalog files for the Content Indexer - 0 KB
By default the only items checked are "Downloaded Program Files" and "Temporary Internet Files". Should I clear these? Are there any other items I should delete?
Hi again,
Try the Hitmanpro scan which I mentioned above.
Only takes a few minutes to run :)
Also do a search for "msiconf.exe"; that file is a known virus file. I saw it in your HijackThis logs. If you find it, look at its date created/modified; if it's within the past few days and it doesn't have a description, it may be part of the virus.
Sorry didn't refresh page :(
Open Hitmanpro, hit Settings and the History tab to view what was removed.
You can go ahead and dump the temp files; don't bother with the rest right now.
ASKER
optoma - HitManPro files removed:
SWFDecompiler.exe - C:\Program Files\SourceTec\Sothink SWF Decompiler\ - Deleted
562387286.dll - C:\Documents and settings\Luke\Local Settings\Application Data\ - Quarantined
stokerbritt - I'll do a search for msiconf.exe.
Any other ideas? This thing is a bugger!
Download this tool:
http://www.norman.com/support/support_tools/58732/
Run a full scan; it might take a bit. Also, did you run a full scan with Malwarebytes? Make sure all scanners are updated completely.
Other than the browser hijacker, are you getting any weird popups?
This is a little like a needle in a haystack, but hang in there and we will be able to get it.
ASKER
stokerbritt - Okay, I will download that tool and conduct a full scan.
I have not done a full scan with Malwarebytes, only a "Smart Scan". Should I do a full scan? Should it be in safe mode?
Also, I have 3 hard drives. When I run full scans, do I need to scan all 3 hard drives or only my OS hard drive? I ran a full system scan with SUPERAntiSpyware and it took almost 20 hours to scan all drives. The other 2 drives are almost exclusively storage, and don't really have any programs installed on them.
Thanks for your help!
ASKER
stokerbritt - I searched my C:\ drive for msiconf.exe and didn't find anything. There is 1 entry in my registry for "msiconf.exe". Should I consider removing that registry item?
Ok, thanks :)
Are the redirects happening in both Firefox and Internet Explorer?
Check the hosts file again for extra entries.
Show all files first:
http://www.bleepingcomputer.com/tutorials/tutorial62.html
Yes, definitely run the full scan with Malwarebytes, and the full scan with Norman Malware Cleaner,
then remove anything they find, then reboot.
ASKER
Showed all hidden files... checked hosts file and the only entry is:
127.0.0.1 localhost
Yes, re-direct is happening in both Internet Explorer and Firefox. When I perform a Google search the first time I click on a link it's fine, but the second time it always re-directs to a bad URL.
ASKER
stokerbritt - Okay, I will run full systems scans in safe mode on all 3 drives with both malwarebytes and Norman Malware Cleaner. Will post again with results as soon as they are done, will probably be awhile.
If you want to try this first, as it will only take a min or so:
Fix these entries in Hijackthis:
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
O18 - Filter hijack: text/html - {b19e43c3-ba34-45e4-8298-318f769797ad} - C:\WINDOWS\system32\mst122.dll
O20 - AppInit_DLLs: karna.dat kjkvbv.dll
Then run Tdsskiller
Reboot and test
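As an added example (not code from this thread or from HijackThis), here is a small triage script for the three kinds of entry the expert singled out: O4 Run values whose name mimics one executable but launches another, O18 text/html MIME filters, and O20 AppInit_DLLs. The sample log and the "ExampleTray" line are constructed, the first two lines are deliberately run together the way pasted logs often are, and the name/image mismatch check is my own heuristic rather than a HijackThis rule.

```python
"""Triage of HijackThis O4/O18/O20 lines of the kind flagged in this thread."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample log, not the asker's own. It holds the four entries the
# expert said to fix plus one harmless placeholder line. The first two lines
# are deliberately run together, as pasted logs often are.
SAMPLE_LOG = (
    "O4 - HKUS\\S-1-5-18\\..\\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')"
    "O4 - HKUS\\.DEFAULT\\..\\Run: [msiexec.exe] msiconf.exe (User 'Default user')\n"
    "O4 - HKLM\\..\\Run: [ExampleTray] C:\\Program Files\\Example\\example.exe\n"
    "O18 - Filter hijack: text/html - {b19e43c3-ba34-45e4-8298-318f769797ad}"
    " - C:\\WINDOWS\\system32\\mst122.dll\n"
    "O20 - AppInit_DLLs: karna.dat kjkvbv.dll\n"
)

O4_RE = re.compile(
    r"^O4 - (?P<key>.+?\\Run): \[(?P<name>[^\]]+)\] (?P<cmd>.+?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)
O18_RE = re.compile(
    r"^O18 - Filter(?: hijack)?: (?P<mime>\S+) - "
    r"\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$"
)
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")


@dataclass
class Finding:
    section: str            # "O4", "O18" or "O20"
    line: str               # the log line as written
    reason: str             # why a reviewer would look at it
    detail: Dict[str, str]  # parsed fields


def split_entries(text: str) -> List[str]:
    """Split a pasted log into entries, restoring line breaks lost in pasting.

    A new entry begins wherever 'Onn - ' directly follows a non-space
    character, which only happens when two lines were run together.
    """
    fixed = re.sub(r"(?<=\S)(O\d{1,2} - )", r"\n\1", text)
    return [ln.strip() for ln in fixed.splitlines() if ln.strip()]


def image_name(cmd: str) -> str:
    """Lower-cased file name of the executable an autorun command launches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe = cmd[1:].split('"', 1)[0]
    else:
        # Unquoted paths may contain spaces, so take everything up to .exe.
        m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
        exe = m.group(1) if m else cmd.split()[0]
    return exe.rsplit("\\", 1)[-1].lower()


def analyze(text: str) -> List[Finding]:
    """Return the entries worth a second look, in log order."""
    findings: List[Finding] = []
    for line in split_entries(text):
        if m := O4_RE.match(line):
            name, exe = m["name"].lower(), image_name(m["cmd"])
            # Heuristic (mine, not a HijackThis rule): a Run value named after
            # one Windows executable that launches a different file is the
            # masquerade seen above (msiexec.exe vs msiconf.exe).
            if name.endswith(".exe") and name != exe:
                findings.append(Finding(
                    "O4", line, f"value name {name!r} launches {exe!r}",
                    {"key": m["key"], "name": m["name"], "image": exe,
                     "user": m["user"] or ""}))
        elif m := O18_RE.match(line):
            # A MIME filter registered for text/html is handed every HTML
            # page the browser fetches and can rewrite it before rendering.
            findings.append(Finding(
                "O18", line, f"{m['mime']} content filter in {m['path']}",
                {"mime": m["mime"], "clsid": m["clsid"], "path": m["path"]}))
        elif m := O20_RE.match(line):
            # AppInit_DLLs are loaded into every process that loads
            # user32.dll, so any entry deserves a look.
            dlls = [d for d in re.split(r"[,\s]+", m["dlls"]) if d]
            findings.append(Finding(
                "O20", line, f"{len(dlls)} DLL(s) loaded into every GUI process",
                {"dlls": " ".join(dlls)}))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```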
ASKER
optoma - Thanks for the info! What do you mean by "fix these entries"? Just delete those files, or remove them from the registry or?
Thanks!
Re-run HijackThis, check the boxes relevant to the above entries and select "Fix checked".
ASKER
optoma - Ran HijackThis again and none of the files you listed were present any longer. I believe some of the scans I ran removed them.
Also, I ran TDSSKiller; it did find one infection, "nvata.sys", but I googled it and that is actually the driver for my video card, so I believe that was a false positive.
I guess all that is left is to run full system scans with Malwarebytes and Norman Malware Cleaner? If that doesn't work I guess I just have to reinstall my OS? This is so close to being fixed, it's just the browser redirect trojan that I can't find :(
Create a system restore point first.
Run Tdsskiller again and let it clean the driver.
Rootkits infect system drivers, and redirects can be a result.
ASKER
optoma - I ran TDSSKiller again, but it won't cure the file. It says this:
Scanning Kernel memory...
Driver "nvata" infected by TDSS rootkit!
File "C:\WINDOWS\system32\DRIVERS\nvata.sys" infected by TDSS rootkit ... cure failed
Completed
Results:
Memory objects infected / cured / cured on reboot: 1 / 0 / 0
Registry objects infected / cured / cured on reboot: 0 / 0 / 0
File objects infected / cured / cured on reboot: 1 / 0 / 0
Any ideas on what to do with this file?
It can't cure it as it can't find a non-infected replacement.
Do a system search, and check the option to search everywhere (i.e. system files etc.) for nvata.sys.
What make and model is the machine?
ASKER
Performed a search and only found 1 version at C:\WINDOWS\system32\drivers
The machine is a PC that I built myself. The MOBO is an nFORCE 570-SLIT-A, the video card is an NVIDIA GeForce 9600.
This may work.
>>>>>Create a system restore point again!
Boot into safe mode with networking and download the Nvidia motherboard package
and reinstall it, or download it on another machine and see if it installs in safe mode with networking.
It may overwrite the infected one.
If that completes, run Tdsskiller again.
ASKER
Two questions:
1) How do I manually create a new system restore point? I know how to turn on system restore so that it monitors the drives, but I'm not sure how to force it to create a restore point.
2) I have the nVIDIA motherboard disc. Can I just use that and/or could I just search the CD for nvata.sys?
Thanks again for your help!
Luke
ASKER
Just a heads up, I found the exact same file (nvata.sys) on the mobo disc. Same file size, same last modified date (4/24/2006 2:52 AM).
Start, Programs, Accessories, System Tools, System Restore
There should be an option to create a restore point.
Yeah, the CD may also work.
>If you find nvata.sys on the CD, copy and paste it into C:\WINDOWS\system32\dllcache
Then re-run Tdsskiller
>Otherwise run the setup
Ok copy it to dllcache and run Tdsskiller.
Post its logfile after!
ASKER
Replaced nvata.sys from the manufacturer's CD, re-ran TDSSKiller and it's still thinking that file is infected.
Did you place it in dllcache?
ASKER
oh, I'm sorry, I missed that. I replaced it in system32/drivers, and I placed it in system32/dllcache. Note that it was not in dllcache previously.
I re-ran TDSSKiller and it said the exact same thing as I posted above.
If you can reach VirusTotal, upload both files and note how many hits they get.
I haven't seen Tdsskiller detect a false positive before :(
http://www.virustotal.com/
I haven't checked the logs at all... as my connection is terribly bad - disconnected every few minutes.
If the problem still exists:
Can you please run Gmer again, but make sure that the "Sections" box is checked.
If it gives you a warning about rootkit activity and asks if you want to run a full scan... click on NO, then use the following settings for a more complete scan.
In the right panel, you will see several boxes that have been checked.
Ensure the following are UNCHECKED:
*IAT/EAT
*Drives/Partition other than Systemdrive (typically C:\)
*Show All (don't miss this one)
Then click the Scan button & wait for it to finish.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
Please copy and paste the report into your post.
Hi Rpg, the right person at the right time ;)
Hi optoma,
I'm on holiday with a REALLY bad connection.... sometimes it only lasts 45 seconds and I'm cut off.
I just want to check the Gmer log that I asked for, and if I find something then it's all over to you guys.
ASKER
rpggamergirl - Wow, thanks for helping out on your holiday. Much appreciated!
I ran Gmer per your specifications, and while it was running I left the room for about 30 minutes. When I returned my machine was at the XP logon screen; apparently the system had rebooted. I opened Gmer again, but there was no option to view a log and it doesn't appear that one was created.
Is it expected for the machine to reboot? Should I try to run another scan?
Thanks!
No problem, :)
Try another scan please.
You need to save the log; make sure no other programs are running during the scan.
If Gmer hangs, alternatively you can use this tool, though I prefer to analyze a Gmer log:
http://bamajim.com/Tools/FileLister.zip
- Save it to your Desktop
- Click ->> Extract all ->> and extract it to your Desktop
- Open the File Lister folder.
- Note: Leave the FileLister.vbe file in the folder and run it from there.
- Right-click FileLister.vbe ->> select Open. Then Open to confirm.
- When the program is finished it will produce a log for you: C:\Files.txt
Copy and paste the contents of that log in your reply.
@Rpg
Would running Gmer in safe mode produce accurate results?
Nice to see you helping out, even though you're on Hol's with a bad connection..
Helpful dedication! ;)
"Would running Gmer in safe mode produce accurate results"?
Not really because rootkits that are not active in safe mode will not be detected.
"Nice to see you helping out, even though you're on Hol's with a bad connection.".
I guess EE is too addictive lol.... and it's a pleasure IF I can be of some help, :)
Ah, I thought that once a .sys file is modified, it wouldn't matter.
I'd be the same with EE on Hols, although would probably get an ear bashing for doing so!
Anyway, have a nice break!
ASKER
Just an update: running another full scan of Gmer. Was having problems last night; for some reason my CPU kept spiking. Ran Malwarebytes again and it removed 1 infection, and the system is running better now. Re-running the scan, it's just taking forever to scan my hard drive :P Too many files.
All you can do is let it roll!
When it completes, can you post Mbam's logfile as well?
If Gmer hangs or has problems scanning, you can uncheck one of the options - uncheck the "Files" box and it usually fixes scan issues.
ASKER
rpggamergirl - Thanks for letting me know! I'd been trying to run Gmer scans all day yesterday, but it kept locking up half way through the "Files" scan. Below is my Gmer log with "Files" unchecked, as well as the other parameters you listed.
Gmer Log:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-13 09:53:50
Windows 5.1.2600 Service Pack 3
Running: 9eqd9ogk.exe; Driver: C:\DOCUME~1\Luke\LOCALS~1\Temp\ufldapoc.sys
---- Kernel code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB76CC360, 0x32E00D, 0xE8000020]
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\Explorer.EXE[772] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[772] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 00C0000A
.text C:\WINDOWS\Explorer.EXE[772] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 00B5000C
.text C:\WINDOWS\System32\svchost.exe[1168] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 0099000A
.text C:\WINDOWS\System32\svchost.exe[1168] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1168] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 0098000C
.text C:\WINDOWS\system32\SearchIndexer.exe[3444] kernel32.dll!WriteFile 7C810E17 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\system32\wuauclt.exe[3484] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 0099000A
.text C:\WINDOWS\system32\wuauclt.exe[3484] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 009A000A
.text C:\WINDOWS\system32\wuauclt.exe[3484] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 0098000C
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \FileSystem\Ntfs \Ntfs mozy.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SOFTWARE\Classes\.bcp\PersistentHandler@ {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg HKLM\SOFTWARE\Classes\.cc\PersistentHandler@ {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg HKLM\SOFTWARE\Classes\.cod\PersistentHandler@ {098f2470-bae0-11cd-b579-08002b30bfeb}
Reg HKLM\SOFTWARE\Classes\.dsp\PersistentHandler@ {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg HKLM\SOFTWARE\Classes\.dsw\PersistentHandler@ {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg HKLM\SOFTWARE\Classes\.i\PersistentHandler@ {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg HKLM\SOFTWARE\Classes\.inl\PersistentHandler@ {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg HKLM\SOFTWARE\Classes\.lst\PersistentHandler@ {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg HKLM\SOFTWARE\Classes\.mak\PersistentHandler@ {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg HKLM\SOFTWARE\Classes\.map\PersistentHandler@ {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg HKLM\SOFTWARE\Classes\.mk\PersistentHandler@ {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg HKLM\SOFTWARE\Classes\.odh\PersistentHandler@ {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg HKLM\SOFTWARE\Classes\.odl\PersistentHandler@ {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg HKLM\SOFTWARE\Classes\.pps\PersistentHandler@ {98de59a0-d175-11cd-a7bd-00006b827d94}
Reg HKLM\SOFTWARE\Classes\.prc\PersistentHandler@ {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg HKLM\SOFTWARE\Classes\.rc2\PersistentHandler@ {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg HKLM\SOFTWARE\Classes\.rct\PersistentHandler@ {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg HKLM\SOFTWARE\Classes\.rgs\PersistentHandler@ {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg HKLM\SOFTWARE\Classes\.rtf\PersistentHandler@ {2e2294a9-50d7-4fe7-a09f-e6492e185884}
Reg HKLM\SOFTWARE\Classes\.s\PersistentHandler@ {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg HKLM\SOFTWARE\Classes\.tlh\PersistentHandler@ {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg HKLM\SOFTWARE\Classes\.tli\PersistentHandler@ {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg HKLM\SOFTWARE\Classes\.trg\PersistentHandler@ {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg HKLM\SOFTWARE\Classes\.user\PersistentHandler@ {eec97550-47a9-11cf-b952-00aa0051fe20}
Reg HKLM\SOFTWARE\Classes\.vcproj\PersistentHandler@ {eec97550-47a9-11cf-b952-00aa0051fe20}
Reg HKLM\SOFTWARE\Classes\.vspscc\PersistentHandler@ {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg HKLM\SOFTWARE\Classes\.vsscc\PersistentHandler@ {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg HKLM\SOFTWARE\Classes\.vssscc\PersistentHandler@ {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg HKLM\SOFTWARE\Classes\.xsd\PersistentHandler@ {7E9D8D44-6926-426F-AA2B-217A819A5CCE}
Reg HKLM\SOFTWARE\Classes\CLSID\{17DE1F14-B3E4-1035-F057BA15C83B1D27}\{8EADAA70-8C9A-100D-77D42F75FD081297}\{52159879-7142-2CA4-73B8A923B4C8F27A}
Reg HKLM\SOFTWARE\Classes\CLSID\{17DE1F14-B3E4-1035-F057BA15C83B1D27}\{8EADAA70-8C9A-100D-77D42F75FD081297}\{52159879-7142-2CA4-73B8A923B4C8F27A}@SE4K5INHHR1EDZYY15BVZC6TKG1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{18D6E519-4C27-E4AD-074C5D1F171B40FB}\{8D7A772B-93EE-6905-4C751BA1B544AFC9}\{7029C73E-0020-BA9C-F3FADF03D99AF0E6}
Reg HKLM\SOFTWARE\Classes\CLSID\{18D6E519-4C27-E4AD-074C5D1F171B40FB}\{8D7A772B-93EE-6905-4C751BA1B544AFC9}\{7029C73E-0020-BA9C-F3FADF03D99AF0E6}@{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{551E7168-6B6B-73F4-2358001EBB1BFA13}\{9EB39097-9AF5-4CC7-A66D04881D6D8211}\{B54D5FC9-25C8-0FB7-F96BD94B39BD18AF}
Reg HKLM\SOFTWARE\Classes\CLSID\{551E7168-6B6B-73F4-2358001EBB1BFA13}\{9EB39097-9AF5-4CC7-A66D04881D6D8211}\{B54D5FC9-25C8-0FB7-F96BD94B39BD18AF}@SE4K5INHHR1EDZYY15BVZC6TKG1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{564572D7-BA6B-A81E-17332C14105A24EF}\{35AC4256-1B84-66D8-7C4583AC3B4AA35B}\{791C0703-8CF5-813B-67470F66B09458B3}
Reg HKLM\SOFTWARE\Classes\CLSID\{564572D7-BA6B-A81E-17332C14105A24EF}\{35AC4256-1B84-66D8-7C4583AC3B4AA35B}\{791C0703-8CF5-813B-67470F66B09458B3}@{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{B3A3A58F-967E-A40A-C7DDFB524B0CDFB3}\{B28E8422-363F-1C4B-CC056478281B7FCE}\{569EFB20-10B3-C9F5-895B6A19B8852344}
Reg HKLM\SOFTWARE\Classes\CLSID\{B3A3A58F-967E-A40A-C7DDFB524B0CDFB3}\{B28E8422-363F-1C4B-CC056478281B7FCE}\{569EFB20-10B3-C9F5-895B6A19B8852344}@{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FCCB8240-DCE2-E75D-AC14FD41A6B697E0}\{CCBBBFAF-D782-4243-9A223EC5C9E9D74B}\{381F6F0A-6948-72AB-150979187EC28E60}
Reg HKLM\SOFTWARE\Classes\CLSID\{FCCB8240-DCE2-E75D-AC14FD41A6B697E0}\{CCBBBFAF-D782-4243-9A223EC5C9E9D74B}\{381F6F0A-6948-72AB-150979187EC28E60}@SE4K5INHHR1EDZYY15BVZC6TKG1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\mapi\Shell@
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B3AF4199-5D70-2237-8DE0-AEE4945063FE}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B3AF4199-5D70-2237-8DE0-AEE4945063FE}@iaeafppahhfgcgdcbk 0x6A 0x61 0x68 0x66 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B3AF4199-5D70-2237-8DE0-AEE4945063FE}@hakahegjljkhamag 0x6A 0x61 0x6A 0x66 ...
---- EOF - GMER 1.0.15 ----
ASKER CERTIFIED SOLUTION
ASKER
Oh, and one other question, or I can create a new question if that's better. If my old XP drive is mounted as a slave drive to my Windows 7 install, do I have to worry about the rootkit trojan infecting Windows 7?
SOLUTION
SOLUTION
the only entry after the #'s is
127.0.0.1 localhost
If you see any weird IPs in there, delete them and save it, then try the internet again. If that doesn't work,
try this; it cleans out rootkits:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Download and run ComboFix.