IObit Forum

HijackThis Analysis Report Help



Can you kindly help with my Hijack Analysis Report? My big problem is that after doing a Google search, I click on an intended link and I get REDIRECTED somewhere else. Thanks for the help!

 

This is my log:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:24:16 PM, on 7/10/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17055)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\RunDLL32.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\Program Files\Brownie\BrstsWnd.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\IObit\IObit Security 360\is360.exe

C:\Program Files\IObit\IObit Security 360\IS360tray.exe

C:\Program Files\IObit\IObit Security 360\IS360srv.exe

C:\WINDOWS\system32\freecell.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5577

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll

O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe

O4 - HKLM\..\Run: [brStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [iObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231468720899

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe

O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe

O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsAuxs.exe (file missing)

O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsSvc.exe (file missing)

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

 

--

End of file - 5876 bytes


Hi there bluedog and welcome :-)

 

Those symptoms sound all too familiar. If it's the infection I think it is, then HijackScan can't see it, just like most tools out there. The rootkit hides very well, even from most rootkit detectors. Not that hard to get with the proper equipment though.

 

Sit tight. A moderator will need to move your topic to the malware removal section of the forum and then help will come.

 

===


Yes, Superdave, I still would appreciate the help. Again, the problem is that after I do a Google search and click on the link I get redirected somewhere else. Also, another symptom is that sometimes a new browser/tab pops up by itself without me clicking on anything. Thanks for the aid!


Hello and welcome to IObit Forums. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists on this forum, so it may take a bit longer to process your logs.

 

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.

2. The fixes are specific to your problem and should only be used for this issue on this machine.

3. If you don't know or understand something, please don't hesitate to ask.

4. Please DO NOT run any other tools or scans while I am helping you.

5. It is important that you reply to this thread. Do not start a new topic.

6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

7. Absence of symptoms does not mean that everything is clear.

=============================================

 

SUPERAntiSpyware

 

If you already have SUPERAntiSpyware be sure to check for updates before scanning!

 

Download SuperAntispyware Free Edition (SAS)

* Double-click the icon on your desktop to run the installer.

* When asked to Update the program definitions, click Yes

* If you encounter any problems while downloading the updates, manually download and unzip them from here

* Next click the Preferences button.

 

• Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts

* Click the Scanning Control tab.

* Under Scanner Options make sure only the following are checked:

 

• Close browsers before scanning

• Scan for tracking cookies

• Terminate memory threats before quarantining

Please leave the others unchecked

 

• Click the Close button to leave the control center screen.

 

* On the main screen click Scan your computer

* On the left check the box for the drive you are scanning.

* On the right choose Perform Complete Scan

* Click Next to start the scan. Please be patient while it scans your computer.

* After the scan is complete a summary box will appear. Click OK

* Make sure everything in the white box has a check next to it, then click Next

* It will quarantine what it found and if it asks if you want to reboot, click Yes

 

• To retrieve the removal information please do the following:

• After reboot, double-click the SUPERAntiSpyware icon on your desktop.

• Click Preferences. Click the Statistics/Logs tab.

• Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

• It will open in your default text editor (preferably Notepad).

• Save the Notepad file to your desktop by clicking (in Notepad) File > Save As...

 

* Save the log somewhere you can easily find it. (normally the desktop)

* Click close and close again to exit the program.

* Copy and paste the log in your post.

 

=====================================

 

Malwarebytes' Anti-Malware (MBAM)

 

If you already have Malwarebytes be sure to check for updates before scanning!

 

Download Malwarebytes Anti-Malware and save it to your desktop. Alternate download link

 

• Double-click mbam-setup.exe and follow the prompts to install the program.

• Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

• If an update is found, it will download and install the latest version.

• Once the program has loaded, select Perform Quick Scan, then click Scan.

• When the scan is complete, click OK, then Show Results to view the results.

• Be sure that everything is checked, and click Remove Selected.

• When completed, a log will open in Notepad. Save it to a convenient location like the Desktop.

• The log is also automatically saved and can be viewed later by clicking the Logs tab in MBAM.

Copy and paste the contents of the report in your reply.

• Exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

 

==================================

 

Please download HijackThis to your Desktop.

  • Double Click the HijackThis icon, located on your Desktop.
  • By Default, it will install to: C:\Program Files\Trend Micro\HijackThis
  • Accept the license agreement.
  • Click the Open the Misc Tools section button.
  • Place a checkmark beside Calculate MD5 of files if possible. Then, click Back.
  • Click Do a System Scan and Save a Logfile. Or, if you see a white screen, click Scan.
  • Please post the log in your next reply.


3 logs

 

SuperDave,

 

Thanks again for the help! Here are the 3 logs as instructed:

 

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

 

Generated 07/30/2010 at 10:55 PM

 

Application Version : 4.41.1000

 

Core Rules Database Version : 5294

Trace Rules Database Version: 3106

 

Scan type : Complete Scan

Total Scan Time : 00:42:08

 

Memory items scanned : 419

Memory threats detected : 0

Registry items scanned : 5537

Registry threats detected : 0

File items scanned : 64841

File threats detected : 41

 

Adware.Tracking Cookie


 

 

Malwarebytes' Anti-Malware 1.46

http://www.malwarebytes.org

 

Database version: 4373

 

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

 

7/30/2010 11:21:59 PM

mbam-log-2010-07-30 (23-21-59).txt

 

Scan type: Quick scan

Objects scanned: 174135

Time elapsed: 12 minute(s), 33 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

(No malicious items detected)

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

(No malicious items detected)

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:27:02 PM, on 7/30/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17055)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RunDLL32.exe

C:\Program Files\Brownie\BrstsWnd.exe

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5577

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (filesize 75128 bytes, MD5 E96C752BBA0E22330A43258FC800200E)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (filesize 41760 bytes, MD5 C9EDE29F223A27873E187D9FB6045EA6)

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (filesize 73728 bytes, MD5 DEE8F03D1EACE0C8F914A2C76568EA32)

O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" (filesize 34672 bytes, MD5 69B16C7B7746BA5C642FC05B3561FC73)

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit (filesize 33280 bytes, MD5 037B1E7798960E0420003D05BB577EE6)

O4 - HKLM\..\Run: [brStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun (filesize 3618104 bytes, MD5 BFD94352F5998675481FA4F8F9844A0D)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (filesize 33280 bytes, MD5 037B1E7798960E0420003D05BB577EE6)

O4 - HKLM\..\Run: [iObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart (filesize 1280344 bytes, MD5 4126904E21735EF4C7FFFE01ED795872)

O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeC:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (filesize 65588 bytes, MD5 57CB86B1CDD77EB5138BA05D1F193463)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (filesize 558080 bytes, MD5 AAC1D4EE39DF138C5D30AC5883E3B59F)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (filesize 558080 bytes, MD5 AAC1D4EE39DF138C5D30AC5883E3B59F)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1695232 bytes, MD5 3E930C641079443D4DE036167A69CAA2)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1695232 bytes, MD5 3E930C641079443D4DE036167A69CAA2)

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231468720899

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLLC:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exeC:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exeC:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exeC:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exeC:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe

O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exeC:\Program Files\IObit\IObit Security 360\IS360srv.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsAuxs.exe (file missing)

O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsSvc.exe (file missing)

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXEC:\WINDOWS\System32\WLTRYSVC.EXE

 

--

End of file - 6690 bytes


Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

 

Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

 

Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

 

Exit out of MessengerDisable then delete the two files that were put on the desktop.

 

===============================

 

Open HijackThis and select Do a system scan only

 

Place a check mark next to the following entries: (if there)

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5577

O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1695232 bytes, MD5 3E930C641079443D4DE036167A69CAA2)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1695232 bytes, MD5 3E930C641079443D4DE036167A69CAA2)

 

Important: Close all open windows except for HijackThis and then click Fix checked.

 

Once completed, exit HijackThis.

 

==========================================

 

Download Security Check by screen317 from one of the following links and save it to your desktop.

 

Link 1

Link 2

 

* Unzip SecurityCheck.zip and a folder named Security Check should appear.

* Open the Security Check folder and double-click Security Check.bat

* Follow the on-screen instructions inside of the black box.

* A Notepad document should open automatically called checkup.txt

* Post the contents of that document in your next reply.

 

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

 

=========================================

 

Download ComboFix by sUBs from one of the below links.

 

Important! You MUST save ComboFix to your desktop

 

link # 1

Link # 2

 

Temporarily disable your Anti-virus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

 

Double click on ComboFix.exe & follow the prompts.

 

Vista users: right-click ComboFix.exe and select Run as administrator (you will receive a UAC prompt; please allow it).

Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

 

When the scan completes it will open a text window.

 

Post the contents of that log in your next reply.

 

Remember to re-enable your Anti-virus and Antispyware protection when ComboFix is complete.
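As an added example (not the helper's method and not HijackThis's own code), the script below applies the reasoning behind the fix list above to entry lines taken from this thread's logs: a ProxyServer pointing at a loopback address, an O3 toolbar marked "(no file)", and O23 services whose executable is missing. The check functions, reason codes and the Finding class are my own naming; the sample log is constructed from lines posted earlier in the thread.

```python
"""Triage heuristics for HijackThis-style log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass

# Constructed sample: entry lines copied from the HijackThis logs posted in this
# thread, plus two benign lines (a default search URL and a healthy service).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5577
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsAuxs.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}

# Every HijackThis entry starts with a section code (R0..R3, O1..O24) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")
# ProxyServer values are "host:port" or "scheme=host:port;scheme=host:port".
PROXY_RE = re.compile(r"(?:(?P<scheme>\w+)=)?(?P<host>[^:;=\s]+):(?P<port>\d{1,5})")


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code, e.g. "R1" or "O23"
    reason: str    # short code naming the heuristic that fired (my naming)
    detail: str    # human-readable explanation
    line: str      # the log line that triggered it


def parse_proxy(value):
    """Split a ProxyServer value into (scheme or None, host, port) tuples."""
    return [(m.group("scheme"), m.group("host"), int(m.group("port")))
            for m in PROXY_RE.finditer(value)]


def check_local_proxy(section, body, line):
    """Flag a browser proxy that points back at this machine: a local listener
    sitting between the browser and the network can rewrite search results,
    which matches the redirect symptom described in this thread."""
    if "ProxyServer" not in body:
        return None
    _, _, value = body.partition("=")
    for scheme, host, port in parse_proxy(value.strip()):
        if host in LOOPBACK_HOSTS:
            return Finding(section, "local-proxy",
                           f"browser traffic is routed through {host}:{port} "
                           f"for {scheme or 'all'} requests", line)
    return None


def check_orphan(section, body, line):
    """Flag entries whose target binary is gone: harmless by themselves, but
    they are leftovers of the kind the fix list in this thread clears out."""
    if body.endswith("(no file)"):
        return Finding(section, "orphaned-entry",
                       "registry entry references a file that no longer exists", line)
    if body.endswith("(file missing)"):
        return Finding(section, "missing-service-file",
                       "service is registered but its executable is absent", line)
    return None


CHECKS = (check_local_proxy, check_orphan)


def triage(log_text):
    """Run every check over each entry line; headers and the process list are skipped."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if not match:
            continue
        for check in CHECKS:
            finding = check(match.group("section"), match.group("body"), line)
            if finding:
                findings.append(finding)
                break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.detail}\n    {f.line}")
```

Run against a full HijackThis log the same way; only R/O entry lines are examined, so the process list and header are ignored.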


Found Something

 

Looks like something was found. Here are the 2 logs:

 

Results of screen317's Security Check version 0.99.4

Windows XP Service Pack 3

Internet Explorer 7 Out of date!

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

Avira AntiVir Personal - Free Antivirus

Avira successfully updated!

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

HijackThis 2.0.2

CCleaner

Java 6 Update 17

Out of date Java installed!

Adobe Flash Player 10.0.32.18

Adobe Reader 9

Out of date Adobe Reader installed!

Mozilla Firefox (3.6.8)

````````````````````````````````

Process Check:

objlist.exe by Laurent

Avira Antivir avgnt.exe

Avira Antivir avguard.exe

Alwil Software Avast5 AvastSvc.exe

````````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

 

``````````End of Log````````````

 

 

ComboFix 10-07-31.02 - Van 07/31/2010 19:18:22.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1659 [GMT -7:00]

Running from: c:\documents and settings\Van\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\system32\service


 

.

MBR is infected with the Whistler Bootkit !!

 

((((((((((((((((((((((((( Files Created from 2010-07-01 to 2010-08-01 )))))))))))))))))))))))))))))))

.

 

2010-08-01 01:46 . 2010-08-01 01:47 -------- d-----w- c:\windows\system32\NtmsData

2010-08-01 01:46 . 2010-08-01 01:46 -------- d-----w- c:\documents and settings\Van\Application Data\Avira

2010-08-01 01:45 . 2010-07-26 23:01 66112 ----a-w- c:\documents and settings\Van\Application Data\Mozilla\Firefox\Profiles\v9k074u2.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlus_Helper_3004.dll

2010-08-01 01:45 . 2010-07-26 23:01 37184 ----a-w- c:\documents and settings\Van\Application Data\Mozilla\Firefox\Profiles\v9k074u2.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll

2010-08-01 01:45 . 2010-07-26 23:01 328080 ----a-w- c:\documents and settings\Van\Application Data\Mozilla\Firefox\Profiles\v9k074u2.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe.exe

2010-08-01 01:45 . 2010-07-26 23:01 32032 ----a-w- c:\documents and settings\Van\Application Data\Mozilla\Firefox\Profiles\v9k074u2.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe

2010-08-01 01:33 . 2010-03-01 17:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-08-01 01:33 . 2010-02-16 21:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-08-01 01:33 . 2009-05-11 19:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2010-08-01 01:33 . 2009-05-11 19:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2010-08-01 01:33 . 2010-08-01 01:33 -------- d-----w- c:\program files\Avira

2010-08-01 01:33 . 2010-08-01 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-07-30 03:44 . 2010-07-31 15:44 63488 ----a-w- c:\documents and settings\Van\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-07-30 03:44 . 2010-07-30 03:44 52224 ----a-w- c:\documents and settings\Van\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-07-30 03:44 . 2010-07-31 15:44 117760 ----a-w- c:\documents and settings\Van\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-07-30 03:42 . 2010-07-30 03:42 -------- d-----w- c:\documents and settings\Van\Application Data\SUPERAntiSpyware.com

2010-07-30 03:42 . 2010-07-30 03:42 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-07-30 03:42 . 2010-07-30 03:43 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-07-15 05:03 . 2010-07-15 05:03 -------- d-----w- c:\program files\Alwil Software

2010-07-15 05:03 . 2010-07-15 05:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

2010-07-11 00:11 . 2010-07-11 00:11 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit

2010-07-11 00:11 . 2010-07-11 00:11 -------- d-----w- c:\program files\IObit

2010-07-03 19:38 . 2010-07-03 19:38 -------- d-----w- c:\documents and settings\Venus\Application Data\Malwarebytes

2010-07-03 16:37 . 2010-07-03 17:17 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\bnonwkbsm

2010-07-03 16:37 . 2010-07-03 16:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-07-02 04:49 . 2010-07-02 04:49 -------- d-----w- c:\windows\system32\wbem\Repository

2010-07-02 04:43 . 2010-07-02 04:45 -------- d-----w- c:\documents and settings\Administrator.MCVE\Local Settings\Application Data\Microsoft

2010-07-02 04:43 . 2010-07-02 04:45 -------- d-s---w- c:\documents and settings\Administrator.MCVE

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-01 02:16 . 2010-07-01 01:35 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-08-01 01:56 . 2010-03-30 02:47 -------- d-----w- c:\program files\CCleaner

2010-08-01 01:50 . 2010-04-16 15:46 -------- d-----w- c:\program files\WinUtilities

2010-07-31 07:40 . 2010-04-23 16:03 -------- d-----w- c:\program files\NJStar Communicator

2010-07-03 16:46 . 2010-07-03 16:46 -------- d-----w- c:\documents and settings\Administrator.MCVE.000\Application Data\Malwarebytes

2010-07-03 16:37 . 2009-01-08 05:37 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2010-07-03 01:54 . 2010-07-01 01:35 -------- d-----w- c:\program files\Spyware Doctor

2010-07-03 01:52 . 2010-07-01 01:35 -------- d-----w- c:\program files\Common Files\PC Tools

2010-07-01 02:45 . 2010-06-23 04:37 -------- d-----w- c:\documents and settings\All Users\Application Data\{0B2B6CE1-83F3-4BD2-9CF7-F8688A75BA47}

2010-07-01 01:37 . 2010-07-01 01:37 -------- d-----w- c:\program files\Trend Micro

2010-06-30 13:10 . 2010-06-28 02:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-28 13:32 . 2010-06-26 20:14 -------- d-----w- c:\documents and settings\Van\Application Data\FinalMediaPlayer

2010-06-28 13:31 . 2010-06-28 04:21 -------- d-----w- c:\documents and settings\Van\Application Data\Mozilla(2)

2010-06-28 02:55 . 2010-06-28 02:55 -------- d-----w- c:\documents and settings\Van\Application Data\Malwarebytes

2010-06-28 02:55 . 2010-06-28 02:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-06-26 20:13 . 2010-06-26 20:13 -------- d-----w- c:\program files\Freeze.com

2010-06-23 04:37 . 2010-06-23 04:37 -------- d-----w- c:\program files\Sports Mogul

2010-06-07 00:13 . 2010-06-07 00:13 503808 ----a-w- c:\documents and settings\Venus\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-7743bd3b-n\msvcp71.dll

2010-06-07 00:13 . 2010-06-07 00:13 499712 ----a-w- c:\documents and settings\Venus\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-7743bd3b-n\jmc.dll

2010-06-07 00:13 . 2010-06-07 00:13 348160 ----a-w- c:\documents and settings\Venus\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-7743bd3b-n\msvcr71.dll

2010-06-04 13:17 . 2009-10-31 16:11 -------- d-----w- c:\program files\Microsoft Silverlight

2010-06-01 13:36 . 2009-01-08 20:34 55206 ----a-w- c:\windows\system32\nvModes.dat

2010-05-04 17:20 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll

2010-05-04 17:20 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-04 17:20 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"NvMediaCenter"="NvMCTray.dll" [2007-05-12 81920]

"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2009-06-11 3618104]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-12 8429568]

"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2010-06-12 1280344]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ImageMixer 3 SE Camera Monitor Ver.5.lnk]

backup=c:\windows\pss\ImageMixer 3 SE Camera Monitor Ver.5.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]

2007-03-17 02:10 1392640 ----a-w- c:\windows\system32\WLTRAY.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KADxMain]

2006-11-02 22:05 282624 ----a-w- c:\windows\system32\KADxMain.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

2007-05-12 06:57 8429568 ----a-w- c:\windows\system32\nvcpl.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]

2007-05-12 06:57 67584 ----a-w- c:\windows\system32\nvhotkey.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

2007-05-12 06:57 81920 ----a-w- c:\windows\system32\nvmctray.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

2007-05-12 06:57 1626112 ----a-w- c:\windows\system32\nwiz.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]

2007-04-17 00:10 184320 ------w- c:\program files\Dell\MediaDirect\PCMService.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]

2007-05-07 01:10 405504 ----a-w- c:\windows\stsystra.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-10-11 12:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

 

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [6/30/2010 6:35 PM 207280]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/31/2010 6:33 PM 135336]

R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [7/10/2010 5:11 PM 312152]

S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [6/30/2010 6:35 PM 112592]

S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe --> c:\program files\Spyware Doctor\pctsAuxs.exe [?]

 

--- Other Services/Drivers In Memory ---

 

*NewlyCreated* - SSMDRV

.

Contents of the 'Scheduled Tasks' folder

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/webhp?hl=en&tab=nw

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = <local>

LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

Trusted Zone: mvwd.org\mail

FF - ProfilePath - c:\documents and settings\Van\Application Data\Mozilla\Firefox\Profiles\v9k074u2.default\

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 5577

FF - prefs.js: network.proxy.type - 0

 

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

 

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\Van\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\octoshape\octoshape.exe

 

 

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-31 19:28

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

 

device: opened successfully

user: error reading MBR

called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys PCTCore.sys >>UNKNOWN [0x89BD2EC5]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28

\Driver\ACPI -> ACPI.sys @ 0xb9f5fcb8

\Driver\atapi -> atapi.sys @ 0xb9f17852

IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> NDIS.sys @ 0xb9df4bb0

PacketIndicateHandler -> NDIS.sys @ 0xb9de3a0d

SendHandler -> NDIS.sys @ 0xb9df7b40

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(868)

c:\windows\system32\WININET.dll

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\System32\BCMLogon.dll

 

- - - - - - - > 'lsass.exe'(928)

c:\windows\system32\WININET.dll

c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

.

Completion time: 2010-07-31 19:32:12

ComboFix-quarantined-files.txt 2010-08-01 02:32

 

Pre-Run: 182,872,453,120 bytes free

Post-Run: 184,095,776,768 bytes free

 

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

 

- - End Of File - - 6CD220F84840848E75EDDF8753B89835


I am required to give this speech when rootkits are found. Just so you will know.

 

It appears your system is infected with a rootkit. A rootkit is a powerful piece of malware that allows hackers full control over your computer for the purpose of sending attacks over the Internet, or using your computer to generate revenue.

 

Malware experts have recommended that we make it clear that with the system under control of a hacker, your computer might become impossible to clean 100%.

 

Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your antivirus and security tools to prevent detection and removal. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

 

What danger is presented by rootkits?

Rootkits and how to combat them

r00tkit Analysis: What Is A Rootkit

 

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Do NOT change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information. (If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.) Banking and credit card institutions should be notified to apprise them of your situation (possible security breach). To protect your information that may have been compromised, I recommend reading these references:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

What Should I Do If I've Become A Victim Of Identity Theft?

Identity Theft Victims Guide - What to do

It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired, so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with such a piece of malware, the best course of action would be a reformat and clean reinstall of the OS. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully:

When should I re-format? How should I reinstall?

Help: I Got Hacked. Now What Do I Do?

Help: I Got Hacked. Now What Do I Do? Part II

Where to draw the line? When to recommend a format and reinstall?

 

Guides for format and reinstall:

 

how-to-reformat-and-reinstall-your-operating-system-the-easy-way

 

However, if you do not have the resources to reinstall your computer's OS and would like me to attempt to clean it, I will be happy to do so. But please consider carefully before deciding against a reformat.

If you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful.

 

Please let me know what you have decided to do in your next post. Should you have any questions, please feel free to ask.

 

=====================================

Re-running ComboFix to remove infections:

 

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

    KillAll::
     
    Dirlook::
    c:\windows\system32\NtmsData
     
    DDS::
    Trusted Zone: mvwd.org\mail
     
  • Save this as CFScript.txt, in the same location as ComboFix.exe
     
    http://img19.imageshack.us/img19/5660/cfscriptb4.gif
     
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.

 

=================================

 

Download the MBR Rootkit Detector to your desktop.

 

* Double-click mbr.exe and follow the prompts.

* A black DOS window will quickly appear then disappear.

* When mbr.exe is finished it will create a log on your desktop.

* Copy and paste contents of that log file to your next reply.


MBR and ComboFix

 

Thanks. Here is what the logs came up with:

 

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

 

device: opened successfully

user: error reading MBR

kernel: MBR read successfully

 

 

ComboFix 10-07-31.02 - Van 08/01/2010 22:10:59.2.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1690 [GMT -7:00]

Running from: c:\documents and settings\Van\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Van\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

 

((((((((((((((((((((((((( Files Created from 2010-07-02 to 2010-08-02 )))))))))))))))))))))))))))))))

.

 

2010-08-01 01:46 . 2010-08-01 03:11 -------- d-----w- c:\windows\system32\NtmsData

2010-08-01 01:46 . 2010-08-01 01:46 -------- d-----w- c:\documents and settings\Van\Application Data\Avira

2010-08-01 01:45 . 2010-07-26 23:01 66112 ----a-w- c:\documents and settings\Van\Application Data\Mozilla\Firefox\Profiles\v9k074u2.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlus_Helper_3004.dll

2010-08-01 01:45 . 2010-07-26 23:01 37184 ----a-w- c:\documents and settings\Van\Application Data\Mozilla\Firefox\Profiles\v9k074u2.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll

2010-08-01 01:45 . 2010-07-26 23:01 328080 ----a-w- c:\documents and settings\Van\Application Data\Mozilla\Firefox\Profiles\v9k074u2.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe.exe

2010-08-01 01:45 . 2010-07-26 23:01 32032 ----a-w- c:\documents and settings\Van\Application Data\Mozilla\Firefox\Profiles\v9k074u2.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe

2010-08-01 01:33 . 2010-03-01 17:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-08-01 01:33 . 2010-02-16 21:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-08-01 01:33 . 2009-05-11 19:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2010-08-01 01:33 . 2009-05-11 19:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2010-08-01 01:33 . 2010-08-01 01:33 -------- d-----w- c:\program files\Avira

2010-08-01 01:33 . 2010-08-01 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-07-30 03:44 . 2010-07-31 15:44 63488 ----a-w- c:\documents and settings\Van\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-07-30 03:44 . 2010-07-30 03:44 52224 ----a-w- c:\documents and settings\Van\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-07-30 03:44 . 2010-07-31 15:44 117760 ----a-w- c:\documents and settings\Van\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-07-30 03:42 . 2010-07-30 03:42 -------- d-----w- c:\documents and settings\Van\Application Data\SUPERAntiSpyware.com

2010-07-30 03:42 . 2010-07-30 03:42 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-07-30 03:42 . 2010-07-30 03:43 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-07-15 05:03 . 2010-07-15 05:03 -------- d-----w- c:\program files\Alwil Software

2010-07-15 05:03 . 2010-07-15 05:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

2010-07-11 00:11 . 2010-07-11 00:11 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit

2010-07-11 00:11 . 2010-07-11 00:11 -------- d-----w- c:\program files\IObit

2010-07-03 19:38 . 2010-07-03 19:38 -------- d-----w- c:\documents and settings\Venus\Application Data\Malwarebytes

2010-07-03 16:37 . 2010-07-03 17:17 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\bnonwkbsm

2010-07-03 16:37 . 2010-07-03 16:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-02 05:16 . 2010-07-01 01:35 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-08-01 01:56 . 2010-03-30 02:47 -------- d-----w- c:\program files\CCleaner

2010-08-01 01:50 . 2010-04-16 15:46 -------- d-----w- c:\program files\WinUtilities

2010-07-31 07:40 . 2010-04-23 16:03 -------- d-----w- c:\program files\NJStar Communicator

2010-07-03 16:46 . 2010-07-03 16:46 -------- d-----w- c:\documents and settings\Administrator.MCVE.000\Application Data\Malwarebytes

2010-07-03 16:37 . 2009-01-08 05:37 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2010-07-03 01:54 . 2010-07-01 01:35 -------- d-----w- c:\program files\Spyware Doctor

2010-07-03 01:52 . 2010-07-01 01:35 -------- d-----w- c:\program files\Common Files\PC Tools

2010-07-01 02:45 . 2010-06-23 04:37 -------- d-----w- c:\documents and settings\All Users\Application Data\{0B2B6CE1-83F3-4BD2-9CF7-F8688A75BA47}

2010-07-01 01:37 . 2010-07-01 01:37 -------- d-----w- c:\program files\Trend Micro

2010-06-30 13:10 . 2010-06-28 02:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-28 13:32 . 2010-06-26 20:14 -------- d-----w- c:\documents and settings\Van\Application Data\FinalMediaPlayer

2010-06-28 13:31 . 2010-06-28 04:21 -------- d-----w- c:\documents and settings\Van\Application Data\Mozilla(2)

2010-06-28 02:55 . 2010-06-28 02:55 -------- d-----w- c:\documents and settings\Van\Application Data\Malwarebytes

2010-06-28 02:55 . 2010-06-28 02:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-06-26 20:13 . 2010-06-26 20:13 -------- d-----w- c:\program files\Freeze.com

2010-06-23 04:37 . 2010-06-23 04:37 -------- d-----w- c:\program files\Sports Mogul

2010-06-07 00:13 . 2010-06-07 00:13 503808 ----a-w- c:\documents and settings\Venus\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-7743bd3b-n\msvcp71.dll

2010-06-07 00:13 . 2010-06-07 00:13 499712 ----a-w- c:\documents and settings\Venus\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-7743bd3b-n\jmc.dll

2010-06-07 00:13 . 2010-06-07 00:13 348160 ----a-w- c:\documents and settings\Venus\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-7743bd3b-n\msvcr71.dll

2010-06-04 13:17 . 2009-10-31 16:11 -------- d-----w- c:\program files\Microsoft Silverlight

2010-06-01 13:36 . 2009-01-08 20:34 55206 ----a-w- c:\windows\system32\nvModes.dat

2010-05-04 17:20 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll

2010-05-04 17:20 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-04 17:20 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll

.

 

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Directory of c:\windows\system32\NtmsData ----

 

2010-08-01 01:46 . 2010-08-01 01:46 816 ----a-w- c:\windows\system32\NtmsData\NTMSREG

2010-08-01 01:46 . 2010-08-01 03:11 87656 ----a-w- c:\windows\system32\NtmsData\NTMSIDX

2010-08-01 01:46 . 2010-08-01 03:11 110592 ----a-w- c:\windows\system32\NtmsData\NTMSDATA

2010-08-01 01:46 . 2010-08-01 03:11 110592 ----a-w- c:\windows\system32\NtmsData\NTMSDATA.BAK

 

 

((((((((((((((((((((((((((((( SnapShot@2010-08-01_02.29.08 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-08-02 05:16 . 2010-08-02 05:16 16384 c:\windows\temp\Perflib_Perfdata_69c.dat

+ 2004-08-04 10:00 . 2010-08-02 05:03 40394 c:\windows\system32\perfc009.dat

- 2004-08-04 10:00 . 2010-08-01 02:21 40394 c:\windows\system32\perfc009.dat

+ 2009-01-08 05:30 . 2010-08-02 05:16 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2009-01-08 05:30 . 2010-08-01 02:17 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-01-08 05:30 . 2010-08-02 05:16 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-01-08 05:30 . 2010-08-01 02:17 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-01-08 05:30 . 2010-08-01 02:17 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-01-08 05:30 . 2010-08-02 05:16 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2004-08-04 10:00 . 2010-08-02 05:03 312172 c:\windows\system32\perfh009.dat

- 2004-08-04 10:00 . 2010-08-01 02:21 312172 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"NvMediaCenter"="NvMCTray.dll" [2007-05-12 81920]

"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2009-06-11 3618104]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-12 8429568]

"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2010-06-12 1280344]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ImageMixer 3 SE Camera Monitor Ver.5.lnk]

backup=c:\windows\pss\ImageMixer 3 SE Camera Monitor Ver.5.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]

2007-03-17 02:10 1392640 ----a-w- c:\windows\system32\WLTRAY.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KADxMain]

2006-11-02 22:05 282624 ----a-w- c:\windows\system32\KADxMain.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

2007-05-12 06:57 8429568 ----a-w- c:\windows\system32\nvcpl.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]

2007-05-12 06:57 67584 ----a-w- c:\windows\system32\nvhotkey.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

2007-05-12 06:57 81920 ----a-w- c:\windows\system32\nvmctray.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

2007-05-12 06:57 1626112 ----a-w- c:\windows\system32\nwiz.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]

2007-04-17 00:10 184320 ------w- c:\program files\Dell\MediaDirect\PCMService.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]

2007-05-07 01:10 405504 ----a-w- c:\windows\stsystra.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-10-11 12:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

 

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [6/30/2010 6:35 PM 207280]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/31/2010 6:33 PM 135336]

R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [7/10/2010 5:11 PM 312152]

S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [6/30/2010 6:35 PM 112592]

S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe --> c:\program files\Spyware Doctor\pctsAuxs.exe [?]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/webhp?hl=en&tab=nw

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = <local>

LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

FF - ProfilePath - c:\documents and settings\Van\Application Data\Mozilla\Firefox\Profiles\v9k074u2.default\

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 5577

FF - prefs.js: network.proxy.type - 0

 

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-01 22:16

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(708)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\windows\System32\BCMLogon.dll

 

- - - - - - - > 'lsass.exe'(764)

c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

 

- - - - - - - > 'explorer.exe'(2956)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\WLTRYSVC.EXE

c:\windows\System32\bcmwltry.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Avira\AntiVir Desktop\avshadow.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\RunDLL32.exe

.

**************************************************************************

.

Completion time: 2010-08-01 22:19:35 - machine was rebooted

ComboFix-quarantined-files.txt 2010-08-02 05:19

ComboFix2.txt 2010-08-01 02:32

 

Pre-Run: 184,035,966,976 bytes free

Post-Run: 184,052,482,048 bytes free

 

- - End Of File - - 6CC5FC160C55AEA44FD040B8E481EE9E
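A helper triages a report like the one above by eye. As an added example that is not part of this thread or of any tool mentioned in it, the Python below pulls out the entries worth a first look in a ComboFix-style report: boot-start (R0) drivers, services whose binary ComboFix marks as missing (the `--> ... [?]` form), Winsock LSP entries (they sit in the network path of every process, which matters in a redirect case), and the Firefox proxy prefs, reporting whether a configured proxy is actually active (network.proxy.type 1) or dormant, as the 127.0.0.1:5577 entry above is with type 0. The sample input is a handful of lines copied from the log above; the regular expressions are my own approximation of ComboFix's line layout, not a documented format.

```python
import re
from typing import Dict, List

# Constructed sample: lines copied from the ComboFix report in the thread,
# trimmed to the sections the triage below looks at.
SAMPLE_LOG = r"""R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [6/30/2010 6:35 PM 207280]
R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [7/10/2010 5:11 PM 312152]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe --> c:\program files\Spyware Doctor\pctsAuxs.exe [?]
uStart Page = hxxp://www.google.com/webhp?hl=en&tab=nw
uInternet Settings,ProxyOverride = <local>
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 5577
FF - prefs.js: network.proxy.type - 0
"""

# Approximations of ComboFix's line layout (assumed, not a documented format).
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*)$")
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (\S+) - (.*)$")
IE_SETTING_RE = re.compile(r"^uInternet Settings,(\w+) = (.*)$")

# Firefox's documented meaning of network.proxy.type.
PROXY_TYPE_NAMES = {"0": "no proxy", "1": "manual proxy", "2": "PAC script",
                    "4": "auto-detect", "5": "system proxy"}


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return triage findings (kind, detail) from ComboFix-style report lines."""
    findings: List[Dict[str, str]] = []
    ff_prefs: Dict[str, str] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            status, name, _display, rest = m.groups()
            # ComboFix appends "--> <path> [?]" when the registered binary is
            # missing from disk: a leftover or a hidden file, either way worth a look.
            if rest.endswith("[?]"):
                findings.append({"kind": "service-missing-binary",
                                 "detail": f"{status} {name}: {rest.split(' --> ')[0]}"})
            elif status == "R0":
                # R0 = boot-start driver; these load before most defences do.
                findings.append({"kind": "boot-start-driver",
                                 "detail": f"{name}: {rest.rsplit(' [', 1)[0]}"})
            continue
        if line.startswith("LSP: "):
            # Winsock LSPs see every socket call of every process.
            findings.append({"kind": "winsock-lsp", "detail": line[5:]})
            continue
        m = IE_SETTING_RE.match(line)
        if m and m.group(1) == "ProxyServer":
            findings.append({"kind": "ie-proxy", "detail": m.group(2)})
            continue
        m = FF_PREF_RE.match(line)
        if m:
            ff_prefs[m.group(1)] = m.group(2)

    # Firefox: a proxy entry only matters if network.proxy.type selects it (1 = manual).
    host = ff_prefs.get("network.proxy.http")
    if host is not None:
        port = ff_prefs.get("network.proxy.http_port", "?")
        ptype = ff_prefs.get("network.proxy.type", "?")
        active = ptype == "1"
        where = "loopback" if host.startswith("127.") or host == "localhost" else "remote"
        findings.append({"kind": "firefox-proxy",
                         "detail": f"{host}:{port} ({where}), type {ptype} = "
                                   f"{PROXY_TYPE_NAMES.get(ptype, 'unknown')}, "
                                   f"{'ACTIVE' if active else 'not active'}"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:24} {f['detail']}")
```

Run against the sample it reports the PCTCore boot driver, the sdAuxService entry with no binary on disk, the PC Tools LSP, and the dormant loopback proxy in the Firefox profile; the R2 IS360service line, a normal running service with its file present, produces nothing.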


SysProt Antirootkit

 

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items.
    • Process << Selected
    • Kernel Modules << Selected
    • SSDT << Selected
    • Kernel Hooks << Selected
    • IRP Hooks << NOT Selected
    • Ports << NOT Selected
    • Hidden Files << Selected
  • At the bottom of the page:
    • Hidden Objects Only << Selected
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.


Blue Screen

 

SuperDave,

 

I can't seem to run SysProt. When I get to hitting the Create Log action, the screen turns blue and a whole bunch of words in white pop up. The first sentence says something like: A problem has been detected and Windows is shutting down to prevent damage to your computer.

 

That doesn't sound too good! What do we do next??

 

Thanks.


Ok. Please try this one.

 

* Download the following tool: RootRepeal - Rootkit Detector

* Direct download link is here: RootRepeal.zip

 

* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.

* Click this link to see a list of such programs and how to disable them.

 

* Extract the program file to a new folder such as C:\RootRepeal

* Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.

* Select ALL of the checkboxes and then click OK and it will start scanning your system.

* If you have multiple drives you only need to check the C: drive or the one Windows is installed on.

* When done, click on Save Report

* Save it to the same location where you ran it from, such as C:\RootRepeal

* Save it as rootrepeal.txt

* Then open that log and select all and copy/paste it back on your next reply please.

* Close RootRepeal.


Thanks!

 

SuperDave - I truly appreciate all the help. Frankly, my frustration level reached a level where I felt it was best to just reformat the hard drive and reinstall everything. Hopefully that is the end of that! Thanks again!

