Old 05-09-2009, 01:09 PM   #1 (permalink)
Registered User
 
Join Date: May 2009
Posts: 7
OS: winxp


malware and redirects

Last week, a fake internet warning box kept popping up. I kept declining it, but then my internet started running slow. In my processes, there is a process called dl32.exe. It constantly crashes, and it is associated with the internet. When it crashes, I lose internet access. I have to manually click new task to open it up for internet again. This process was not there before. I have tried running virus scans, but none fix the problem. Also, whenever I visit a search engine: if I click a link, it redirects me to a random page. The only way to get to the page I want is to right click and open in new tab. Just looking for some help to fix this problem =].

Thanks!

Here is the DDS

DDS (Ver_09-03-16.01) - NTFSx86
Run by Nick at 12:28:49.84 on Sat 05/09/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.548 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Nicholas Laidlaw\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Nicholas Laidlaw\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Nicholas Laidlaw\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\dl32.exe
C:\Documents and Settings\Nicholas Laidlaw\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Nicholas Laidlaw\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
TB: {57F02779-3D88-4958-8AD3-83C12D86ADC7} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DL32] DL32
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Google Update] "c:\documents and settings\nicholas laidlaw\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
IE: {57F02779-3D88-4958-8AD3-83C12D86ADC7} - {57F02779-3D88-4958-8AD3-83C12D86ADC7}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1121798764390
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586-jc.cab
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v5.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: jkhhe - jkhhe.dll
AppInit_DLLs: c:\windows\system32\potibubi.dll c:\windows\system32\gizehure.dll c:\windows\system32\rawuyona.dll c:\windows\system32\nagomone.dll,c:\windows\system32\wukaripa.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli c:\windows\system32\potibubi.dll c:\windows\system32\wukaripa.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nichol~1\applic~1\mozilla\firefox\profiles\l7493hpz.default\
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\documents and settings\nicholas laidlaw\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPOJI610.dll
FF - HiddenExtension: XUL Cache: {8F505A93-C9D2-41D8-913E-25ACE2208559} - c:\documents and settings\nicholas laidlaw\local settings\application data\{8F505A93-C9D2-41D8-913E-25ACE2208559}
FF - HiddenExtension: XUL Cache: {5BF1DE73-0A14-4B68-AFB1-1ABE1CB6E07C} - c:\windows\system32\config\systemprofile\local settings\application data\{5bf1de73-0a14-4b68-afb1-1abe1cb6e07c}\

============= SERVICES / DRIVERS ===============

R1 sasdifsv;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\memeo\autobackup\MemeoBackgroundService.exe [2008-11-7 25824]
R2 ZDCNDIS5;ZDCNDIS5 NDIS Protocol Driver;c:\windows\system32\ZDCndis5.sys [2008-6-25 19072]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S2 IerusO;IerusO;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 xjsjcevf;Disk Support;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [2006-9-3 20608]
S3 xbreader;ActionReplay XBox Driver (xbreader.sys);c:\windows\system32\drivers\xbreader.sys [2005-4-9 19677]
S4 Windows Action Script;Windows Action Script; [x]

=============== Created Last 30 ================

2009-05-07 20:37 14,848 a------- c:\windows\system32\DL32.EXE
2009-04-30 16:03 <DIR> --d----- c:\docume~1\nichol~1\applic~1\poydodkg
2009-04-30 15:55 0 a------- c:\windows\mqcd.dbt
2009-04-30 15:50 7,680 a------- C:\celkadaa.exe
2009-04-30 15:50 577,536 a------- c:\windows\system32\sfjjysilyf
2009-04-29 17:20 28,672 a------- c:\windows\system32\inqby.sr
2009-04-29 17:20 32,768 a------- c:\windows\system32\ferryl.cbv
2009-04-29 17:20 32,768 a------- c:\windows\system32\fairy.an
2009-04-29 17:20 79,360 a------- c:\windows\system32\ashl.nq
2009-04-29 17:20 28,672 a------- c:\windows\system32\dolman.zt
2009-04-29 17:17 <DIR> --d----- c:\windows\system32\796525
2009-04-29 17:16 205,824 a------- C:\pdtivk.exe
2009-04-29 17:16 2 a------- C:\-1473622793
2009-04-28 21:15 1,434,891 ---sh--- c:\windows\system32\odinayey.ini
2009-04-28 09:15 1,434,904 ---sh--- c:\windows\system32\olagiboy.ini
2009-04-27 21:15 1,428,359 ---sh--- c:\windows\system32\adahozum.ini
2009-04-27 09:15 1,428,359 ---sh--- c:\windows\system32\uhahimim.ini
2009-04-26 21:15 1,407,582 ---sh--- c:\windows\system32\iyawamik.ini
2009-04-26 09:15 1,407,582 ---sh--- c:\windows\system32\uhebejir.ini
2009-04-25 21:15 1,407,582 ---sh--- c:\windows\system32\igebijot.ini
2009-04-25 09:16 2,713 ---sh--- c:\windows\system32\leyiwuni.dll
2009-04-25 09:15 2,713 ---sh--- c:\windows\system32\hililomi.dll
2009-04-25 09:15 47,616 a--sh--- c:\windows\system32\yugafuga.exe
2009-04-24 21:15 1,407,582 ---sh--- c:\windows\system32\ehavewiv.ini
2009-04-24 09:14 1,407,302 ---sh--- c:\windows\system32\owokapos.ini
2009-04-23 21:14 1,407,212 ---sh--- c:\windows\system32\usozoven.ini
2009-04-16 16:34 0 a------- c:\windows\Hyiviwup.bin
2009-04-16 15:55 157,696 a------- c:\windows\obugizoyowohow.dll
2009-04-14 22:27 <DIR> --dsh--- C:\found.001
2009-04-14 22:06 1,407,757 ---sh--- c:\windows\system32\iheluboh.ini
2009-04-10 19:00 <DIR> --d----- C:\My Videos
2009-04-10 16:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\MemeoCommon
2009-04-10 16:38 <DIR> --d----- c:\docume~1\nichol~1\applic~1\Memeo
2009-04-10 16:32 <DIR> --d----- c:\program files\Picasa2
2009-04-10 16:31 <DIR> --d----- c:\program files\Western Digital
2009-04-10 16:30 <DIR> --d----- c:\program files\common files\eSellerate
2009-04-10 16:30 <DIR> --d----- c:\program files\Memeo
2009-04-10 16:29 <DIR> --d----- c:\program files\Western Digital Corporation

==================== Find3M ====================

2009-05-05 23:26 2,522 a------- c:\docume~1\nichol~1\applic~1\wklnhst.dat
2009-04-30 15:50 14,336 a------- c:\windows\system32\SVCHOST.EXE
2009-04-30 15:49 47,104 a--sh--- c:\windows\system32\fidofepu.exe
2009-04-29 17:16 577,536 a------- c:\windows\system32\user32.DLL
2009-04-29 17:16 577,536 a------- c:\windows\system32\dllcache\user32.dll
2009-04-27 09:15 46,592 a--sh--- c:\windows\system32\pokeyupa.exe
2009-04-26 21:15 46,592 a--sh--- c:\windows\system32\tazinege.exe
2009-04-26 09:15 46,592 a--sh--- c:\windows\system32\teyanaze.exe
2009-04-25 21:15 46,592 a--sh--- c:\windows\system32\suyariye.exe
2009-04-24 21:14 47,616 a--sh--- c:\windows\system32\gilagapa.exe
2009-04-24 09:14 46,592 a--sh--- c:\windows\system32\tupopazo.exe
2009-04-23 21:14 46,080 a--sh--- c:\windows\system32\fayabopi.exe
2009-04-19 18:58 47,104 a--sh--- c:\windows\system32\nusoyeta.exe
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-05 23:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-02-09 06:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-02-09 06:19 1,846,272 a------- c:\windows\system32\dllcache\win32k.sys
2008-10-18 12:55 30 a------- c:\documents and settings\nicholas laidlaw\jagex_runescape_preferences.dat
2008-05-06 16:39 143,072 a------- c:\docume~1\nichol~1\applic~1\GDIPFONTCACHEV1.DAT
2006-11-05 19:25 164 a---h--- c:\documents and settings\all users\hpothb07.dat
2006-11-05 19:25 0 a---h--- c:\documents and settings\nicholas laidlaw\hpothb07.dat
2005-11-26 16:01 32 a--sh--- c:\windows\{7A9B4061-1BD3-4EB1-AB70-DF0377A29313}.dat
2005-09-15 15:10 408,121 a--sh--- c:\windows\security\logs\elosii.bak1
2006-01-16 18:09 439,662 a--sh--- c:\windows\security\logs\elosii.bak2
2006-01-07 22:28 453,919 a--sh--- c:\windows\security\logs\elosii.ini2
2005-11-26 16:01 32 a--sh--- c:\windows\system32\{CDF7DBB0-9EE7-417A-9AF9-DAC0464C51D8}.dat

============= FINISH: 12:29:29.29 ===============
Attached Files
File Type: zip Attach.zip (5.7 KB, 3 views)
nickster137 is offline  
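The DDS output in this post already shows the mechanism behind the search-engine redirects: both Internet Explorer (ProxyServer = http=localhost:7171) and Firefox (network.proxy.http = localhost with network.proxy.type = 1) are configured to send web traffic through a proxy on the machine itself, the startup value DL32 is a bare name with no path, registry tools and folder options are switched off by policy, and the same randomly named DLLs appear in both AppInit_DLLs and the LSA Notification Packages. The Python script below is added here as an illustration; it is not part of the thread, of DDS, or of any removal tool. It walks the pseudo-HJT and Firefox lines and reports each indicator class, then cross-references which DLL basenames are hooked into more than one load point. The sample input is copied from the log above, and the indicator names are my own labels.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: lines copied from the DDS "Pseudo HJT Report" and
# FIREFOX sections posted above, so the checks run offline against the
# real indicators in this thread.
SAMPLE_DDS = r"""
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [DL32] DL32
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: jkhhe - jkhhe.dll
AppInit_DLLs: c:\windows\system32\potibubi.dll c:\windows\system32\gizehure.dll c:\windows\system32\rawuyona.dll c:\windows\system32\nagomone.dll,c:\windows\system32\wukaripa.dll
LSA: Notification Packages = scecli c:\windows\system32\potibubi.dll c:\windows\system32\wukaripa.dll
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1
"""

# Hosts that mean "route my browser traffic through a process on this machine".
LOCAL_HOST = re.compile(r"\b(localhost|127\.0\.0\.1)\b", re.IGNORECASE)
FF_PROXY = re.compile(r"FF - prefs\.js: network\.proxy\.(\w+) - (.+)")
NOTIFY = re.compile(r"Notify: (\S+) - (.+)")
RUN = re.compile(r"[umd]Run: \[(.+?)\] (.+)")
POLICY = re.compile(r"[umd]Policies-\w+: (DisableRegistryTools|NoFolderOptions|DisableTaskMgr) = 1\b")

Finding = Tuple[str, str]  # (indicator class, evidence)


def triage_dds(text: str) -> List[Finding]:
    """Walk a DDS pseudo-HJT dump and return (indicator, evidence) pairs."""
    findings: List[Finding] = []
    ff: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # IE proxy pointing at the local machine: every HTTP request is handed
        # to a local process before it reaches the network, which is where a
        # search-result redirector can sit.
        if line.startswith("uInternet Settings,ProxyServer") and LOCAL_HOST.search(line):
            findings.append(("ie-local-proxy", line))
        # Firefox stores the proxy as separate prefs; collect them and judge at the end.
        m = FF_PROXY.match(line)
        if m:
            ff[m.group(1)] = m.group(2)
        # AppInit_DLLs are loaded into every process that links user32.dll,
        # so each entry gets its own finding.
        if line.startswith("AppInit_DLLs:"):
            for dll in re.split(r"[ ,]+", line.split(":", 1)[1].strip()):
                findings.append(("appinit-dll", dll))
        # LSA notification packages run inside lsass at logon; only scecli is
        # expected on a stock XP box.
        if line.startswith("LSA: Notification Packages"):
            for pkg in line.split("=", 1)[1].split():
                if pkg.lower() != "scecli":
                    findings.append(("lsa-notification-package", pkg))
        # Winlogon Notify DLLs given without a directory: some vendors do this
        # too (Ati2evxx.dll in this very log), so this is a review item, not a verdict.
        m = NOTIFY.match(line)
        if m and "\\" not in m.group(2):
            findings.append(("winlogon-notify-review", line))
        # Run value whose command is a bare name resolved through the search path.
        m = RUN.match(line)
        if m and "\\" not in m.group(2):
            findings.append(("run-entry-no-path", line))
        # Policies that lock the user out of regedit, folder options or task manager.
        if POLICY.match(line):
            findings.append(("restrictive-policy", line))
    if ff.get("type") == "1" and LOCAL_HOST.search(ff.get("http", "")):
        findings.append(("firefox-local-proxy",
                         f"network.proxy.http={ff['http']}:{ff.get('http_port', '?')}"))
    return findings


def shared_dlls(findings: List[Finding]) -> Set[str]:
    """DLL basenames hooked into more than one load point (AppInit and LSA here)."""
    seen: Dict[str, Set[str]] = {}
    for kind, evidence in findings:
        if kind in ("appinit-dll", "lsa-notification-package"):
            name = evidence.rsplit("\\", 1)[-1].lower()
            seen.setdefault(name, set()).add(kind)
    return {name for name, kinds in seen.items() if len(kinds) > 1}


if __name__ == "__main__":
    results = triage_dds(SAMPLE_DDS)
    for kind, evidence in results:
        print(f"{kind:26} {evidence}")
    print("hooked into multiple load points:", sorted(shared_dlls(results)))
```

Running it on the sample prints one line per indicator and then the two DLLs (potibubi.dll and wukaripa.dll) that are registered both as AppInit DLLs and as LSA notification packages, which is the kind of overlap that tells an analyst the entries belong to one infection rather than to several unrelated products. The Winlogon Notify check deliberately reports every bare DLL name, legitimate or not, because the log alone cannot tell them apart.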
Old 05-10-2009, 02:09 AM   #2 (permalink)
Analyst, Security Team
 
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,293
OS: Windows 7 Premium x64


Re: malware and redirects

Howdy there and welcome to TSF Forums.

I'm Steve and I will be helping you throughout this fix.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step. Please perform everything in the correct order/sequence.

Vista users, please make sure you run all commands with administrator rights (right-click the icon - Run as administrator).

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days from this initial posting then the thread will be closed.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
sjb007 is offline  
Old 05-10-2009, 10:24 AM   #3 (permalink)
Registered User
 
Join Date: May 2009
Posts: 7
OS: winxp


Re: malware and redirects

Thank you so much for the fast reply! I ran ComboFix and my computer is already working 10x better!!! Here is my log:

ComboFix 09-05-09.05 - Nicholas Laidlaw 05/10/2009 12:03.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.603 [GMT -4:00]
Running from: c:\documents and settings\Nicholas Laidlaw\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\setup.exe
c:\windows\INF\tacvrd.tmp2
c:\windows\mainms.vpi
c:\windows\megavid.cdt
c:\windows\mqcd.dbt
c:\windows\muotr.so
c:\windows\SECURITY\LOGS\elosii.bak1
c:\windows\SECURITY\LOGS\elosii.bak2
c:\windows\SECURITY\LOGS\elosii.ini
c:\windows\SECURITY\LOGS\elosii.ini2
c:\windows\system32\adahozum.ini
c:\windows\system32\ashl.nq
c:\windows\system32\dl32.exe
c:\windows\system32\dolman.zt
c:\windows\system32\ehavewiv.ini
c:\windows\system32\fairy.an
c:\windows\system32\ferryl.cbv
c:\windows\system32\fidofepu.exe
c:\windows\system32\hililomi.dll
c:\windows\system32\hljwugsf.bin
c:\windows\system32\igebijot.ini
c:\windows\system32\iheluboh.ini
c:\windows\system32\inqby.sr
c:\windows\system32\iyawamik.ini
c:\windows\system32\leyiwuni.dll
c:\windows\system32\odinayey.ini
c:\windows\system32\olagiboy.ini
c:\windows\system32\owokapos.ini
c:\windows\system32\pokeyupa.exe
c:\windows\system32\suyariye.exe
c:\windows\system32\tazinege.exe
c:\windows\system32\teyanaze.exe
c:\windows\system32\uhahimim.ini
c:\windows\system32\uhebejir.ini
c:\windows\system32\usozoven.ini
c:\windows\wintst32.tmp
F:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://83.149.105.228
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER
-------\Legacy_fci
-------\Legacy_MSSECURITY1.209.4


((((((((((((((((((((((((( Files Created from 2009-04-10 to 2009-05-10 )))))))))))))))))))))))))))))))
.

2009-05-10 15:08 . 2009-05-10 15:09 -------- d---a-w C:\Music
2009-05-10 15:08 . 2009-05-10 15:08 -------- d---a-w C:\autorun
2009-05-10 15:08 . 2009-05-10 15:08 -------- d---a-w C:\Documentation
2009-05-10 15:08 . 2009-05-10 15:08 -------- d---a-w C:\wd_mac_tools
2009-05-10 15:04 . 2009-05-10 15:05 -------- d---a-w C:\wd_windows_tools
2009-05-10 15:04 . 2009-05-10 15:04 -------- d--h--w C:\_Memeo
2009-04-30 20:03 . 2009-04-30 20:03 -------- d-----w c:\documents and settings\Nicholas Laidlaw\Application Data\poydodkg
2009-04-30 20:03 . 2009-04-30 20:03 -------- d-----w c:\documents and settings\Nicholas Laidlaw\Local Settings\Application Data\poydodkg
2009-04-30 19:50 . 2009-04-30 19:50 7680 ----a-w C:\celkadaa.exe
2009-04-29 21:17 . 2009-04-30 21:32 -------- d-----w c:\windows\system32\796525
2009-04-29 21:16 . 2009-04-30 19:50 205824 ----a-w C:\pdtivk.exe
2009-04-25 13:15 . 2009-04-25 13:15 47616 --sha-w c:\windows\system32\yugafuga.exe
2009-04-20 03:01 . 2009-04-20 03:01 -------- d-----w c:\documents and settings\Nicholas Laidlaw\Local Settings\Application Data\{8F505A93-C9D2-41D8-913E-25ACE2208559}
2009-04-16 20:34 . 2009-04-16 20:34 0 ----a-w c:\windows\Hyiviwup.bin
2009-04-16 19:55 . 2009-04-16 19:55 157696 ----a-w c:\windows\obugizoyowohow.dll
2009-04-15 02:27 . 2009-04-15 02:27 -------- d-sh--w C:\found.001
2009-04-10 23:00 . 2009-04-10 23:02 -------- d-----w C:\My Videos
2009-04-10 20:39 . 2009-05-10 15:04 -------- d-----w c:\documents and settings\All Users\Application Data\MemeoCommon
2009-04-10 20:38 . 2009-04-12 02:50 -------- d-----w c:\documents and settings\Nicholas Laidlaw\Application Data\Memeo
2009-04-10 20:32 . 2009-04-10 20:32 -------- d-----w c:\program files\Picasa2
2009-04-10 20:31 . 2009-04-24 01:15 -------- d-----w c:\program files\Google
2009-04-10 20:31 . 2009-04-10 20:31 -------- d-----w c:\program files\Western Digital
2009-04-10 20:30 . 2009-04-10 20:30 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\ServiceTest
2009-04-10 20:30 . 2009-04-10 20:30 -------- d-----w c:\documents and settings\Nicholas Laidlaw\Local Settings\Application Data\temp
2009-04-10 20:30 . 2009-04-10 20:31 -------- d-----w c:\program files\Common Files\eSellerate
2009-04-10 20:30 . 2009-04-10 20:31 -------- d-----w c:\program files\Memeo
2009-04-10 20:29 . 2009-04-10 20:29 -------- d-----w c:\program files\Western Digital Corporation

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-10 16:05 . 2004-08-04 11:00 577536 ----a-w c:\windows\system32\user32.dll
2009-05-06 03:26 . 2005-08-01 16:08 2522 ----a-w c:\documents and settings\Nicholas Laidlaw\Application Data\wklnhst.dat
2009-04-30 19:50 . 2009-01-10 06:25 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-30 19:50 . 2004-08-04 11:00 14336 ----a-w c:\windows\system32\SVCHOST.EXE
2009-04-25 01:14 . 2009-01-25 01:14 47616 --sha-w c:\windows\system32\gilagapa.exe
2009-04-24 13:14 . 2009-01-24 13:14 46592 --sha-w c:\windows\system32\tupopazo.exe
2009-04-24 01:14 . 2009-01-24 01:14 46080 --sha-w c:\windows\system32\fayabopi.exe
2009-04-20 03:22 . 2009-01-10 06:29 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-19 22:58 . 2009-01-19 22:58 47104 --sha-w c:\windows\system32\nusoyeta.exe
2009-04-08 20:33 . 2009-04-08 20:33 -------- d-----w c:\program files\iTunes
2009-04-08 20:33 . 2005-07-18 23:06 -------- d-----w c:\program files\iPod
2009-04-07 23:21 . 2005-11-27 21:58 1100 ----a-w c:\documents and settings\Nicholas Laidlaw\Local Settings\Application Data\d3d8caps.dat
2009-04-07 23:21 . 2005-08-07 11:35 1324 ----a-w c:\documents and settings\Nicholas Laidlaw\Local Settings\Application Data\d3d9caps.dat
2009-04-06 19:32 . 2009-03-07 04:25 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2009-03-07 04:25 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-03 18:34 . 2008-12-07 19:11 -------- d-----w c:\program files\Common Files\Apple
2009-04-03 18:18 . 2009-03-20 20:12 -------- d-----w c:\program files\QuickTime
2009-04-03 16:11 . 2009-04-03 16:11 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-03 16:10 . 2007-11-15 20:37 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-01 19:50 . 2009-04-01 19:49 128 ----a-w c:\documents and settings\Guest Account\Application Data\wklnhst.dat
2009-03-19 20:32 . 2008-12-07 21:24 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-18 20:54 . 2009-03-11 20:51 143856 ----a-w c:\documents and settings\Guest Account\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-06 03:59 . 2009-04-03 18:35 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-06 03:59 . 2009-04-03 18:35 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-02-20 03:16 . 2005-07-16 06:46 143856 ----a-w c:\documents and settings\Nicholas Laidlaw\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2005-11-26 20:01 . 2005-11-26 20:01 32 --sha-w c:\windows\{7A9B4061-1BD3-4EB1-AB70-DF0377A29313}.dat
2009-01-19 22:58 . 2009-01-19 22:58 50176 --sha-w c:\windows\SYSTEM32\bidubiti.dll.tmp
2009-01-24 01:14 . 2009-01-24 01:14 50688 --sha-w c:\windows\SYSTEM32\borazufu.dll.tmp
2009-01-19 22:58 . 2009-01-19 22:58 50176 --sha-w c:\windows\SYSTEM32\gesiwoha.dll.tmp
2009-01-24 01:14 . 2009-01-24 01:14 50688 --sha-w c:\windows\SYSTEM32\rafomife.dll.tmp
2009-01-19 22:58 . 2009-01-19 22:58 50176 --sha-w c:\windows\SYSTEM32\yaguwune.dll.tmp
2009-01-24 01:14 . 2009-01-24 01:14 50688 --sha-w c:\windows\SYSTEM32\zitovovi.dll.tmp
2005-11-26 20:01 . 2005-11-26 20:01 32 --sha-w c:\windows\SYSTEM32\{CDF7DBB0-9EE7-417A-9AF9-DAC0464C51D8}.dat
.
Infected c:\windows\system32\user32.dll hex repaired


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DL32"="DL32" [X]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-04-30 1830128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-24 39408]
"Google Update"="c:\documents and settings\Nicholas Laidlaw\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-13 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPZRCV01.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HPZRCV01.LNK
backup=c:\windows\pss\HPZRCV01.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ZDWLan Utility.lnk]
backup=c:\windows\pss\ZDWLan Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jeffrey Laidlaw^Start Menu^Programs^Startup^PowerReg Scheduler.exe]

[HKLM\~\startupfolder\C:^Documents and Settings^Nicholas Laidlaw^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Nicholas Laidlaw\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WUSB54GCSVC"=2 (0x2)
"Windows Action Script"=2 (0x2)
"ScsiAccess"=2 (0x2)
"PnkBstrB"=3 (0x3)
"PnkBstrA"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"MsSecurity1.209.4"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"KodakCCS"=2 (0x2)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"IAANTMon"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"DSBrokerService"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)
"bgsvcgen"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"fci"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Activision\\Rome - Total War\\RomeTW.exe"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Guild Wars\\Gw.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Compact Wireless-G USB Adapter Wireless Network Monitor\\InvokeSvc2.exe"=
"c:\\Program Files\\ZyDAS Technology Corporation\\ZyDAS_802.11g_Utility\\ZDWlan.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Nicholas Laidlaw\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=

R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [3/23/2009 2:07 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [3/23/2009 2:07 PM 72944]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\Memeo\AutoBackup\MemeoBackgroundService.exe [11/7/2008 3:38 PM 25824]
R2 ZDCNDIS5;ZDCNDIS5 NDIS Protocol Driver;c:\windows\SYSTEM32\ZDCndis5.sys [6/25/2008 3:09 PM 19072]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [3/23/2009 2:07 PM 7408]
S2 IerusO;IerusO;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
S2 xjsjcevf;Disk Support;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\SYSTEM32\DRIVERS\BRGSp50.sys [9/3/2006 3:01 PM 20608]
S3 xbreader;ActionReplay XBox Driver (xbreader.sys);c:\windows\SYSTEM32\DRIVERS\xbreader.sys [4/9/2005 10:46 PM 19677]
S4 Windows Action Script;Windows Action Script; [x]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
xjsjcevf
IerusO

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11b9fcdb-b1c2-11dd-8b37-00038a000015}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-05-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-05-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-626145550-3952361536-1041508808-1008.job
- c:\documents and settings\Nicholas Laidlaw\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-13 22:13]

2009-05-10 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-04-21 21:21]

2009-01-01 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-04-21 21:21]
.
- - - - ORPHANS REMOVED - - - -

Notify-iisole - (no file)
Notify-jkhhe - jkhhe.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v5.cab
FF - ProfilePath - c:\documents and settings\Nicholas Laidlaw\Application Data\Mozilla\Firefox\Profiles\l7493hpz.default\
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\documents and settings\Nicholas Laidlaw\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-10 12:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3316)
c:\windows\system32\hnetcfg.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\windows\SYSTEM32\MsPMSPSv.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-05-10 12:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-10 16:19

Pre-Run: 13,180,989,440 bytes free
Post-Run: 13,112,070,144 bytes free

330 --- E O F --- 2009-03-16 03:45
Old 05-10-2009, 12:51 PM   #4 (permalink)
Analyst, Security Team
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,293
OS: Windows 7 Premium x64


Re: malware and redirects

Hi there Nicholas

Combofix has done a good job. However, still a bit of work to do yet...

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote:
File::
C:\celkadaa.exe
C:\pdtivk.exe
c:\windows\system32\yugafuga.exe
c:\windows\Hyiviwup.bin
c:\windows\system32\gilagapa.exe
c:\windows\system32\tupopazo.exe
c:\windows\system32\fayabopi.exe
c:\windows\system32\nusoyeta.exe
c:\windows\SYSTEM32\bidubiti.dll.tmp
c:\windows\SYSTEM32\borazufu.dll.tmp
c:\windows\SYSTEM32\gesiwoha.dll.tmp
c:\windows\SYSTEM32\rafomife.dll.tmp
c:\windows\SYSTEM32\yaguwune.dll.tmp
c:\windows\SYSTEM32\zitovovi.dll.tmp
c:\windows\obugizoyowohow.dll
c:\windows\system32\potibubi.dll
c:\windows\system32\gizehure.dll
c:\windows\system32\rawuyona.dll
c:\windows\system32\nagomone.dll
c:\windows\system32\wukaripa.dll

Dirlook::
C:\_Memeo

Driver::
Windows Action Script

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DL32"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"=""

NetSvc::
xjsjcevf
IerusO

RegLock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

=====================================

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

=====================================

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner.

**Vista users - right click IE/Firefox icon and run as administrator

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

This animation will guide you through the process:


**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan. You may disconnect from the internet once you begin the scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.

=====================================

Please post back with:
The new combofix log
The log from Kaspersky
Update me on how things are running now...
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
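The fix script above targets the indicators visible in the posted logs: the browser proxy pointed at a listener on localhost:7171 (which produces the search-engine redirects), two randomly named services registered into the netsvcs svchost group, a service ("Windows Action Script") with no file on disk, and a Winlogon Notify DLL. The script below is an added example, not part of this thread and not code from ComboFix or DDS: it parses log lines in the shape those tools print and flags exactly those indicator classes, so a reader can see the checks an analyst applies by eye. The sample log is constructed from lines in this thread, and NETSVCS_BASELINE is an illustrative allowlist (a real one is taken from a known-clean reference build of the same Windows version).

```python
"""Flag persistence and proxy indicators in DDS/ComboFix-style log lines.

Added example for this thread; not ComboFix or DDS code. The baseline
allowlist and sample log are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed allowlist of services normally hosted in the netsvcs group.
# A production baseline comes from a clean reference machine, not this list.
NETSVCS_BASELINE = {
    "AudioSrv", "BITS", "Browser", "Dhcp", "Dnscache", "lanmanserver",
    "lanmanworkstation", "Schedule", "seclogon", "Themes", "wuauserv",
}

# Constructed sample: lines copied in shape from the logs posted above.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=localhost:7171
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [3/23/2009 2:07 PM 9968]
S2 IerusO;IerusO;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
S2 xjsjcevf;Disk Support;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
S4 Windows Action Script;Windows Action Script; [x]
Notify-jkhhe - jkhhe.dll
"""

SERVICE_RE = re.compile(r"^([RS])(\d)\s+(.*)$")          # "R1 name;display;path [detail]"
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(.+)$")        # IE/WinINet proxy line
FF_PROXY_RE = re.compile(r"network\.proxy\.http\s*-\s*(\S+)")  # Firefox prefs.js host
NOTIFY_RE = re.compile(r"^Notify-(\S+)\s*-\s*(.+)$")     # Winlogon Notify entries
LOCAL_HOSTS = ("localhost", "127.0.0.1")


@dataclass
class Finding:
    indicator: str
    line: str


def parse_service(line):
    """Split a service/driver line into its fields; None if not a service line."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    state, start, rest = m.groups()
    parts = rest.split(";", 2)
    if len(parts) != 3:
        return None
    name, display, tail = parts
    tail = tail.strip()
    path, detail = tail, ""
    bm = re.match(r"^(.*?)\s*\[(.*)\]$", tail)   # trailing "[date size]" or "[x]"
    if bm:
        path, detail = bm.group(1).strip(), bm.group(2)
    return {"state": state, "start": int(start), "name": name,
            "display": display, "path": path, "detail": detail}


def analyze(log_text):
    """Return one Finding per line that matches a reviewed indicator class."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        pm = PROXY_RE.search(line)
        if pm and any(h in pm.group(1).lower() for h in LOCAL_HOSTS):
            findings.append(Finding("system proxy points at a local listener", line))
            continue
        fm = FF_PROXY_RE.search(line)
        if fm and fm.group(1).lower() in LOCAL_HOSTS:
            findings.append(Finding("Firefox proxy points at a local listener", line))
            continue
        if NOTIFY_RE.match(line):
            findings.append(Finding("Winlogon Notify DLL entry (verify publisher)", line))
            continue
        svc = parse_service(line)
        if svc is None:
            continue
        if svc["detail"] == "x":
            findings.append(Finding("service registered with no file on disk", line))
        elif ("svchost.exe -k netsvcs" in svc["path"].lower()
              and svc["name"] not in NETSVCS_BASELINE):
            findings.append(Finding("unknown service hosted in the netsvcs svchost group", line))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.indicator:55s} <- {f.line}")
```

Each flagged line maps to one section of the CFScript: proxy lines to the browser settings that get reset, the two netsvcs names to NetSvc::, the file-less service to Driver::, and the Notify entry to the orphan cleanup. A service that is not in the baseline is only a lead, not a verdict; the analyst still checks the binary's publisher and the file's existence before scripting its removal.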
Old 05-10-2009, 09:50 PM   #5 (permalink)
Registered User
 
Join Date: May 2009
Posts: 7
OS: winxp


Re: malware and redirects

Thanks for the reply. I ran the two scans. When on search engines, I am no longer redirected to other sites. I now have internet access, and it no longer loses connection. The dl32.exe is gone, and things seem to be running much more smoothly.

Here is the combofix log:

ComboFix 09-05-09.05 - Nicholas Laidlaw 05/10/2009 15:06.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.659 [GMT -4:00]
Running from: c:\documents and settings\Nicholas Laidlaw\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Nicholas Laidlaw\Desktop\CFScript.txt

FILE ::
C:\celkadaa.exe
C:\pdtivk.exe
c:\windows\Hyiviwup.bin
c:\windows\obugizoyowohow.dll
c:\windows\SYSTEM32\bidubiti.dll.tmp
c:\windows\SYSTEM32\borazufu.dll.tmp
c:\windows\system32\fayabopi.exe
c:\windows\SYSTEM32\gesiwoha.dll.tmp
c:\windows\system32\gilagapa.exe
c:\windows\system32\gizehure.dll
c:\windows\system32\nagomone.dll
c:\windows\system32\nusoyeta.exe
c:\windows\system32\potibubi.dll
c:\windows\SYSTEM32\rafomife.dll.tmp
c:\windows\system32\rawuyona.dll
c:\windows\system32\tupopazo.exe
c:\windows\system32\wukaripa.dll
c:\windows\SYSTEM32\yaguwune.dll.tmp
c:\windows\system32\yugafuga.exe
c:\windows\SYSTEM32\zitovovi.dll.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\celkadaa.exe
C:\pdtivk.exe
c:\windows\Hyiviwup.bin
c:\windows\obugizoyowohow.dll
c:\windows\SYSTEM32\bidubiti.dll.tmp
c:\windows\SYSTEM32\borazufu.dll.tmp
c:\windows\system32\fayabopi.exe
c:\windows\SYSTEM32\gesiwoha.dll.tmp
c:\windows\system32\gilagapa.exe
c:\windows\system32\nusoyeta.exe
c:\windows\SYSTEM32\rafomife.dll.tmp
c:\windows\system32\tupopazo.exe
c:\windows\SYSTEM32\yaguwune.dll.tmp
c:\windows\system32\yugafuga.exe
c:\windows\SYSTEM32\zitovovi.dll.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINDOWS_ACTION_SCRIPT
-------\Service_Windows Action Script


((((((((((((((((((((((((( Files Created from 2009-04-10 to 2009-05-10 )))))))))))))))))))))))))))))))
.

2009-05-10 15:08 . 2009-05-10 15:09 -------- d---a-w C:\Music
2009-05-10 15:08 . 2009-05-10 15:08 -------- d---a-w C:\autorun
2009-05-10 15:08 . 2009-05-10 15:08 -------- d---a-w C:\Documentation
2009-05-10 15:08 . 2009-05-10 15:08 -------- d---a-w C:\wd_mac_tools
2009-04-10 20:38 . 2009-04-12 02:50 -------- d-----w c:\documents and settings\Nicholas Laidlaw\Application Data\Memeo
2009-04-10 20:32 . 2009-04-10 20:32 -------- d-----w c:\program files\Picasa2
2009-04-10 20:31 . 2009-04-24 01:15 -------- d-----w c:\program files\Google
2009-04-10 20:31 . 2009-04-10 20:31 -------- d-----w c:\program files\Western Digital
2009-04-10 20:30 . 2009-04-10 20:30 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\ServiceTest
2009-04-10 20:30 . 2009-04-10 20:30 -------- d-----w c:\documents and settings\Nicholas Laidlaw\Local Settings\Application Data\temp
2009-04-10 20:30 . 2009-04-10 20:31 -------- d-----w c:\program files\Common Files\eSellerate
2009-04-10 20:30 . 2009-04-10 20:31 -------- d-----w c:\program files\Memeo
2009-04-10 20:29 . 2009-04-10 20:29 -------- d-----w c:\program files\Western Digital Corporation

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-10 16:05 . 2004-08-04 11:00 577536 ----a-w c:\windows\system32\user32.dll
2009-05-06 03:26 . 2005-08-01 16:08 2522 ----a-w c:\documents and settings\Nicholas Laidlaw\Application Data\wklnhst.dat
2009-04-30 19:50 . 2009-01-10 06:25 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-30 19:50 . 2004-08-04 11:00 14336 ----a-w c:\windows\system32\SVCHOST.EXE
2009-04-20 03:22 . 2009-01-10 06:29 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-08 20:33 . 2009-04-08 20:33 -------- d-----w c:\program files\iTunes
2009-04-08 20:33 . 2005-07-18 23:06 -------- d-----w c:\program files\iPod
2009-04-07 23:21 . 2005-11-27 21:58 1100 ----a-w c:\documents and settings\Nicholas Laidlaw\Local Settings\Application Data\d3d8caps.dat
2009-04-07 23:21 . 2005-08-07 11:35 1324 ----a-w c:\documents and settings\Nicholas Laidlaw\Local Settings\Application Data\d3d9caps.dat
2009-04-06 19:32 . 2009-03-07 04:25 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2009-03-07 04:25 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-03 18:34 . 2008-12-07 19:11 -------- d-----w c:\program files\Common Files\Apple
2009-04-03 18:18 . 2009-03-20 20:12 -------- d-----w c:\program files\QuickTime
2009-04-03 16:11 . 2009-04-03 16:11 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-03 16:10 . 2007-11-15 20:37 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-01 19:50 . 2009-04-01 19:49 128 ----a-w c:\documents and settings\Guest Account\Application Data\wklnhst.dat
2009-03-19 20:32 . 2008-12-07 21:24 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-18 20:54 . 2009-03-11 20:51 143856 ----a-w c:\documents and settings\Guest Account\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-06 03:59 . 2009-04-03 18:35 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-06 03:59 . 2009-04-03 18:35 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-02-20 03:16 . 2005-07-16 06:46 143856 ----a-w c:\documents and settings\Nicholas Laidlaw\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2005-11-26 20:01 . 2005-11-26 20:01 32 --sha-w c:\windows\{7A9B4061-1BD3-4EB1-AB70-DF0377A29313}.dat
2005-11-26 20:01 . 2005-11-26 20:01 32 --sha-w c:\windows\SYSTEM32\{CDF7DBB0-9EE7-417A-9AF9-DAC0464C51D8}.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\_Memeo ----

2009-05-10 15:04 . 2009-05-10 15:04 177 ----a-w c:\_memeo\AutoSync\C8766E4D-48F3-4E5A-866F-248BF1A8C30B.jim


((((((((((((((((((((((((((((( SnapShot@2009-05-10_16.08.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-11-20 04:53 . 2009-05-10 14:56 65044 c:\windows\SYSTEM32\PERFC009.DAT
+ 2004-11-20 04:53 . 2009-05-10 16:12 65044 c:\windows\SYSTEM32\PERFC009.DAT
+ 2004-11-20 04:53 . 2009-05-10 16:12 410574 c:\windows\SYSTEM32\PERFH009.DAT
- 2004-11-20 04:53 . 2009-05-10 14:56 410574 c:\windows\SYSTEM32\PERFH009.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-04-30 1830128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-24 39408]
"Google Update"="c:\documents and settings\Nicholas Laidlaw\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-13 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPZRCV01.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HPZRCV01.LNK
backup=c:\windows\pss\HPZRCV01.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ZDWLan Utility.lnk]
backup=c:\windows\pss\ZDWLan Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jeffrey Laidlaw^Start Menu^Programs^Startup^PowerReg Scheduler.exe]

[HKLM\~\startupfolder\C:^Documents and Settings^Nicholas Laidlaw^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Nicholas Laidlaw\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WUSB54GCSVC"=2 (0x2)
"Windows Action Script"=2 (0x2)
"ScsiAccess"=2 (0x2)
"PnkBstrB"=3 (0x3)
"PnkBstrA"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"MsSecurity1.209.4"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"KodakCCS"=2 (0x2)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"IAANTMon"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"DSBrokerService"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)
"bgsvcgen"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"fci"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Activision\\Rome - Total War\\RomeTW.exe"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Guild Wars\\Gw.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Compact Wireless-G USB Adapter Wireless Network Monitor\\InvokeSvc2.exe"=
"c:\\Program Files\\ZyDAS Technology Corporation\\ZyDAS_802.11g_Utility\\ZDWlan.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Nicholas Laidlaw\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=

R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [3/23/2009 2:07 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [3/23/2009 2:07 PM 72944]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\Memeo\AutoBackup\MemeoBackgroundService.exe [11/7/2008 3:38 PM 25824]
R2 ZDCNDIS5;ZDCNDIS5 NDIS Protocol Driver;c:\windows\SYSTEM32\ZDCndis5.sys [6/25/2008 3:09 PM 19072]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [3/23/2009 2:07 PM 7408]
S2 IerusO;IerusO;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
S2 xjsjcevf;Disk Support;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\SYSTEM32\DRIVERS\BRGSp50.sys [9/3/2006 3:01 PM 20608]
S3 xbreader;ActionReplay XBox Driver (xbreader.sys);c:\windows\SYSTEM32\DRIVERS\xbreader.sys [4/9/2005 10:46 PM 19677]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11b9fcdb-b1c2-11dd-8b37-00038a000015}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-05-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-05-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-626145550-3952361536-1041508808-1008.job
- c:\documents and settings\Nicholas Laidlaw\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-13 22:13]

2009-05-10 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-04-21 21:21]

2009-01-01 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-04-21 21:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v5.cab
FF - ProfilePath - c:\documents and settings\Nicholas Laidlaw\Application Data\Mozilla\Firefox\Profiles\l7493hpz.default\
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-10 15:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3768)
c:\windows\system32\hnetcfg.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\windows\SYSTEM32\MsPMSPSv.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-05-10 15:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-10 19:18
ComboFix2.txt 2009-05-10 16:19

Pre-Run: 12,990,959,616 bytes free
Post-Run: 12,968,787,968 bytes free

284 --- E O F --- 2009-03-16 03:45


Here is the log from kaspersky:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, May 10, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, May 11, 2009 02:19:31
Records in database: 2156939
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 190605
Threat name: 13
Infected objects: 41
Suspicious objects: 0
Duration of the scan: 03:18:52


File name / Threat name / Threats count
C:\My Music\More Music\foxboro hotboros.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\My Music\More Music\greece national anthem.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\My Music\More Music\june spirit new jersey.wm Infected: Trojan-Downloader.WMA.Wimad.m 1
C:\My Music\More Music\red hot chili peppers bicycle.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\My Music\More Music\the summer set.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DL32.EXE.vir Infected: Trojan.Win32.Agent2.iwh 1
C:\Qoobox\Quarantine\[4]-SUBMIT_2009-05-10_15.05.12.ZIP Infected: Trojan.Win32.Agent2.hoc 1
C:\Qoobox\Quarantine\[4]-SUBMIT_2009-05-10_15.05.12.ZIP Infected: Trojan-Downloader.Win32.Agent.bqxc 6
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP7\A0003483.EXE Infected: Trojan.Win32.Agent2.iwh 1
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\HSMPKAL6\ddsuper2[1].htm Infected: Trojan-Dropper.Win32.Agent.ansc 1
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\HSMPKAL6\hnwtu[1].htm Infected: Trojan.Win32.Agent2.hoc 1
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\HSMPKAL6\iolvvift[1].htm Infected: Trojan.Win32.Agent.cdbs 1
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\MV7E8NU7\bqwkgherb[1].htm Infected: Trojan.Win32.Agent2.hoc 1
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\MV7E8NU7\ddsuper0[1].htm Infected: Trojan-Downloader.Win32.Boltolog.bfw 1
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\MV7E8NU7\ddsuper3[1].htm Infected: Net-Worm.Win32.Koobface.hn 1
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\NVCRJ9Z5\djspmz[1].htm Infected: Worm.Win32.Pinit.dp 1
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\PBHB3FZR\ahurebocmi[1].htm Infected: Trojan.Win32.Tdss.absk 1
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\PBHB3FZR\ddsuper1[1].htm Infected: Trojan-Dropper.Win32.Agent.aofv 1
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\PBHB3FZR\pifccpdnab[1].htm Infected: Trojan.Win32.Agent2.hoc 1
C:\WINDOWS\Windows Update Setup Files\include.EXE Infected: not-a-virus:AdWare.Win32.Mostofate.jx 1
F:\Music\foxboro hotboros.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
F:\Music\greece national anthem.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
F:\Music\june spirit new jersey.wm Infected: Trojan-Downloader.WMA.Wimad.m 1
F:\Music\red hot chili peppers bicycle.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
F:\Music\the summer set.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
F:\Nicholas Laidlaw_Backup_HD3\Memeo\Nicholas Laidlaw_Backup_HD3\C_\My Music\More Music\foxboro hotboros.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
F:\Nicholas Laidlaw_Backup_HD3\Memeo\Nicholas Laidlaw_Backup_HD3\C_\My Music\More Music\greece national anthem.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
F:\Nicholas Laidlaw_Backup_HD3\Memeo\Nicholas Laidlaw_Backup_HD3\C_\My Music\More Music\june spirit new jersey.wm Infected: Trojan-Downloader.WMA.Wimad.m 1
F:\Nicholas Laidlaw_Backup_HD3\Memeo\Nicholas Laidlaw_Backup_HD3\C_\My Music\More Music\red hot chili peppers bicycle.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
F:\Nicholas Laidlaw_Backup_HD3\Memeo\Nicholas Laidlaw_Backup_HD3\C_\My Music\More Music\the summer set.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
F:\pdtivk.exe Infected: Trojan.Win32.Agent2.hoc 1
F:\C Drive\My Music\More Music\foxboro hotboros.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
F:\C Drive\My Music\More Music\greece national anthem.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
F:\C Drive\My Music\More Music\june spirit new jersey.wm Infected: Trojan-Downloader.WMA.Wimad.m 1
F:\C Drive\My Music\More Music\red hot chili peppers bicycle.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
F:\C Drive\My Music\More Music\the summer set.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1

The selected area was scanned.
nickster137 is offline  
Old 05-11-2009, 01:10 AM   #6 (permalink)
Analyst, Security Team
 
sjb007's Avatar
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,293
OS: Windows 7 Premium x64


Re: malware and redirects

Hi there

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote:
File::
C:\My Music\More Music\foxboro hotboros.mp3
C:\My Music\More Music\greece national anthem.mp3
C:\My Music\More Music\june spirit new jersey.wm
C:\My Music\More Music\red hot chili peppers bicycle.mp3
C:\My Music\More Music\the summer set.mp3
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\HSMPKAL6\ddsuper2[1].htm
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\HSMPKAL6\hnwtu[1].htm
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\HSMPKAL6\iolvvift[1].htm
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\MV7E8NU7\bqwkgherb[1].htm
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\MV7E8NU7\ddsuper0[1].htm
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\MV7E8NU7\ddsuper3[1].htm
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\NVCRJ9Z5\djspmz[1].htm
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\PBHB3FZR\ahurebocmi[1].htm
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\PBHB3FZR\ddsuper1[1].htm
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\PBHB3FZR\pifccpdnab[1].htm
C:\WINDOWS\Windows Update Setup Files\include.EXE
F:\Music\foxboro hotboros.mp3
F:\Music\greece national anthem.mp3
F:\Music\june spirit new jersey.wm
F:\Music\red hot chili peppers bicycle.mp3
F:\Music\the summer set.mp3
F:\Nicholas Laidlaw_Backup_HD3\Memeo\Nicholas Laidlaw_Backup_HD3\C_\My Music\More Music\foxboro hotboros.mp3
F:\Nicholas Laidlaw_Backup_HD3\Memeo\Nicholas Laidlaw_Backup_HD3\C_\My Music\More Music\greece national anthem.mp3
F:\Nicholas Laidlaw_Backup_HD3\Memeo\Nicholas Laidlaw_Backup_HD3\C_\My Music\More Music\june spirit new jersey.wm
F:\Nicholas Laidlaw_Backup_HD3\Memeo\Nicholas Laidlaw_Backup_HD3\C_\My Music\More Music\red hot chili peppers bicycle.mp3
F:\Nicholas Laidlaw_Backup_HD3\Memeo\Nicholas Laidlaw_Backup_HD3\C_\My Music\More Music\the summer set.mp3
F:\pdtivk.exe
F:\C Drive\My Music\More Music\foxboro hotboros.mp3
F:\C Drive\My Music\More Music\greece national anthem.mp3
F:\C Drive\My Music\More Music\june spirit new jersey.wm
F:\C Drive\My Music\More Music\red hot chili peppers bicycle.mp3
F:\C Drive\My Music\More Music\the summer set.mp3

Driver::
IerusO
xjsjcevf
Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
sjb007 is offline  
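The analyst's CFScript above was assembled by hand from the scan results and the ComboFix service entries. As an added example (not code from the thread, the analyst or ComboFix), this Python helper parses scan-result lines in the format posted earlier (`<path> Infected: <detection> <count>`) and ComboFix-style `-------\Service_<name>` lines, de-duplicates them, and renders the `File::` / `Driver::` sections in the layout the analyst used; the sample input lines and service names are constructed for the example.

```python
import re

# Scan-result line in the format posted in the thread:
#   <drive>:\<path> Infected: <detection name> <count>
SCAN_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) Infected: (?P<name>\S+) (?P<count>\d+)$"
)

# ComboFix "Drivers/Services" entry for a service (constructed sample below):
#   -------\Service_<name>
SERVICE_LINE = re.compile(r"^-+\\Service_(?P<name>\S+)$")


def dedupe_preserving_order(items):
    """Drop repeats, comparing case-insensitively (Windows paths are case-insensitive)."""
    seen = set()
    out = []
    for item in items:
        key = item.lower()
        if key not in seen:
            seen.add(key)
            out.append(item)
    return out


def parse_scan_results(lines):
    """Return unique (path, detection) pairs; lines that are not results are skipped."""
    hits = []
    seen = set()
    for raw in lines:
        m = SCAN_LINE.match(raw.strip())
        if m and m.group("path").lower() not in seen:
            seen.add(m.group("path").lower())
            hits.append((m.group("path"), m.group("name")))
    return hits


def parse_services(lines):
    """Return service names from ComboFix Drivers/Services lines (Legacy_ entries ignored)."""
    matches = (SERVICE_LINE.match(l.strip()) for l in lines)
    return dedupe_preserving_order(m.group("name") for m in matches if m)


def build_cfscript(scan_lines, service_lines):
    """Render a CFScript body with File:: and Driver:: sections, one entry per line."""
    files = [path for path, _ in parse_scan_results(scan_lines)]
    drivers = parse_services(service_lines)
    sections = []
    if files:
        sections.append("File::\n" + "\n".join(files))
    if drivers:
        sections.append("Driver::\n" + "\n".join(drivers))
    return "\n\n".join(sections) + "\n"


def summarize_by_family(scan_lines):
    """Count unique hits per detection family, dropping the variant suffix (.c, .hoc, ...)."""
    counts = {}
    for _, name in parse_scan_results(scan_lines):
        family = name.rsplit(".", 1)[0]
        counts[family] = counts.get(family, 0) + 1
    return counts


# Constructed sample input in the style of the scan output posted in the thread.
SAMPLE_SCAN = """\
F:\\Music\\song one.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
F:\\Music\\song one.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
F:\\dropper.exe Infected: Trojan.Win32.Agent2.hoc 1
C:\\WINDOWS\\Temp\\cache[1].htm Infected: Trojan.Win32.Tdss.absk 1
The selected area was scanned.
""".splitlines()

# Constructed sample in the style of ComboFix's Drivers/Services section.
SAMPLE_SERVICES = """\
-------\\Legacy_svcone
-------\\Service_svcone
-------\\Service_svctwo
""".splitlines()

if __name__ == "__main__":
    print(build_cfscript(SAMPLE_SCAN, SAMPLE_SERVICES))
    print(summarize_by_family(SAMPLE_SCAN))
```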
Old 05-11-2009, 01:59 PM   #7 (permalink)
Registered User
 
Join Date: May 2009
Posts: 7
OS: winxp


Re: malware and redirects

Thanks. Here is the log from ComboFix:

ComboFix 09-05-09.05 - Nicholas Laidlaw 05/11/2009 15:44.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.651 [GMT -4:00]
Running from: c:\documents and settings\Nicholas Laidlaw\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Nicholas Laidlaw\Desktop\CFScript.txt

FILE ::
c:\my music\More Music\foxboro hotboros.mp3
c:\my music\More Music\greece national anthem.mp3
c:\my music\More Music\june spirit new jersey.wm
c:\my music\More Music\red hot chili peppers bicycle.mp3
c:\my music\More Music\the summer set.mp3
c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\HSMPKAL6\ddsuper2[1].htm
c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\HSMPKAL6\hnwtu[1].htm
c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\HSMPKAL6\iolvvift[1].htm
c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\MV7E8NU7\bqwkgherb[1].htm
c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\MV7E8NU7\ddsuper0[1].htm
c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\MV7E8NU7\ddsuper3[1].htm
c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\NVCRJ9Z5\djspmz[1].htm
c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\PBHB3FZR\ahurebocmi[1].htm
c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\PBHB3FZR\ddsuper1[1].htm
c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\PBHB3FZR\pifccpdnab[1].htm
c:\windows\Windows Update Setup Files\include.EXE
f:\c drive\My Music\More Music\foxboro hotboros.mp3
f:\c drive\My Music\More Music\greece national anthem.mp3
f:\c drive\My Music\More Music\june spirit new jersey.wm
f:\c drive\My Music\More Music\red hot chili peppers bicycle.mp3
f:\c drive\My Music\More Music\the summer set.mp3
f:\music\foxboro hotboros.mp3
f:\music\greece national anthem.mp3
f:\music\june spirit new jersey.wm
f:\music\red hot chili peppers bicycle.mp3
f:\music\the summer set.mp3
f:\nicholas laidlaw_backup_hd3\Memeo\Nicholas Laidlaw_Backup_HD3\C_\My Music\More Music\foxboro hotboros.mp3
f:\nicholas laidlaw_backup_hd3\Memeo\Nicholas Laidlaw_Backup_HD3\C_\My Music\More Music\greece national anthem.mp3
f:\nicholas laidlaw_backup_hd3\Memeo\Nicholas Laidlaw_Backup_HD3\C_\My Music\More Music\june spirit new jersey.wm
f:\nicholas laidlaw_backup_hd3\Memeo\Nicholas Laidlaw_Backup_HD3\C_\My Music\More Music\red hot chili peppers bicycle.mp3
f:\nicholas laidlaw_backup_hd3\Memeo\Nicholas Laidlaw_Backup_HD3\C_\My Music\More Music\the summer set.mp3
F:\pdtivk.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\my music\More Music\foxboro hotboros.mp3
c:\my music\More Music\greece national anthem.mp3
c:\my music\More Music\june spirit new jersey.wm
c:\my music\More Music\red hot chili peppers bicycle.mp3
c:\my music\More Music\the summer set.mp3
c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\HSMPKAL6\ddsuper2[1].htm
c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\HSMPKAL6\hnwtu[1].htm
c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\HSMPKAL6\iolvvift[1].htm
c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\MV7E8NU7\bqwkgherb[1].htm
c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\MV7E8NU7\ddsuper0[1].htm
c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\MV7E8NU7\ddsuper3[1].htm
c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\NVCRJ9Z5\djspmz[1].htm
c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\PBHB3FZR\ahurebocmi[1].htm
c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\PBHB3FZR\ddsuper1[1].htm
c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\PBHB3FZR\pifccpdnab[1].htm
c:\windows\Windows Update Setup Files\include.EXE
f:\c drive\My Music\More Music\foxboro hotboros.mp3
f:\c drive\My Music\More Music\greece national anthem.mp3
f:\c drive\My Music\More Music\june spirit new jersey.wm
f:\c drive\My Music\More Music\red hot chili peppers bicycle.mp3
f:\c drive\My Music\More Music\the summer set.mp3
f:\music\foxboro hotboros.mp3
f:\music\greece national anthem.mp3
f:\music\june spirit new jersey.wm
f:\music\red hot chili peppers bicycle.mp3
f:\music\the summer set.mp3
f:\nicholas laidlaw_backup_hd3\Memeo\Nicholas Laidlaw_Backup_HD3\C_\My Music\More Music\foxboro hotboros.mp3
f:\nicholas laidlaw_backup_hd3\Memeo\Nicholas Laidlaw_Backup_HD3\C_\My Music\More Music\greece national anthem.mp3
f:\nicholas laidlaw_backup_hd3\Memeo\Nicholas Laidlaw_Backup_HD3\C_\My Music\More Music\june spirit new jersey.wm
f:\nicholas laidlaw_backup_hd3\Memeo\Nicholas Laidlaw_Backup_HD3\C_\My Music\More Music\red hot chili peppers bicycle.mp3
f:\nicholas laidlaw_backup_hd3\Memeo\Nicholas Laidlaw_Backup_HD3\C_\My Music\More Music\the summer set.mp3
F:\pdtivk.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ieruso
-------\Legacy_xjsjcevf
-------\Service_IerusO
-------\Service_xjsjcevf


((((((((((((((((((((((((( Files Created from 2009-04-11 to 2009-05-11 )))))))))))))))))))))))))))))))
.

2009-05-10 16:19 . 2009-03-06 14:44 283648 ------w c:\windows\system32\dllcache\pdh.dll
2009-05-10 16:19 . 2009-02-06 16:54 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-05-10 16:19 . 2009-02-09 10:20 473088 ------w c:\windows\system32\dllcache\fastprox.dll
2009-05-10 16:19 . 2008-04-21 10:02 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-05-10 15:08 . 2009-05-10 15:09 -------- d---a-w C:\Music
2009-05-10 15:08 . 2009-05-10 15:08 -------- d---a-w C:\autorun
2009-05-10 15:08 . 2009-05-10 15:08 -------- d---a-w C:\Documentation
2009-05-10 15:08 . 2009-05-10 15:08 -------- d---a-w C:\wd_mac_tools
2009-05-10 15:04 . 2009-05-10 15:05 -------- d---a-w C:\wd_windows_tools
2009-05-10 15:04 . 2009-05-10 15:04 -------- d--h--w C:\_Memeo
2009-04-30 20:03 . 2009-04-30 20:03 -------- d-----w c:\documents and settings\Nicholas Laidlaw\Application Data\poydodkg
2009-04-30 20:03 . 2009-04-30 20:03 -------- d-----w c:\documents and settings\Nicholas Laidlaw\Local Settings\Application Data\poydodkg
2009-04-29 21:17 . 2009-04-30 21:32 -------- d-----w c:\windows\system32\796525
2009-04-20 03:01 . 2009-04-20 03:01 -------- d-----w c:\documents and settings\Nicholas Laidlaw\Local Settings\Application Data\{8F505A93-C9D2-41D8-913E-25ACE2208559}
2009-04-15 02:27 . 2009-04-15 02:27 -------- d-sh--w C:\found.001

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-10 16:05 . 2004-08-04 11:00 577536 ----a-w c:\windows\system32\user32.dll
2009-05-06 03:26 . 2005-08-01 16:08 2522 ----a-w c:\documents and settings\Nicholas Laidlaw\Application Data\wklnhst.dat
2009-04-30 19:50 . 2009-01-10 06:25 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-30 19:50 . 2004-08-04 11:00 14336 ----a-w c:\windows\system32\SVCHOST.EXE
2009-04-24 01:15 . 2009-04-10 20:31 -------- d-----w c:\program files\Google
2009-04-20 03:22 . 2009-01-10 06:29 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-10 20:32 . 2009-04-10 20:32 -------- d-----w c:\program files\Picasa2
2009-04-10 20:31 . 2009-04-10 20:31 -------- d-----w c:\program files\Western Digital
2009-04-10 20:31 . 2009-04-10 20:30 -------- d-----w c:\program files\Common Files\eSellerate
2009-04-10 20:31 . 2009-04-10 20:30 -------- d-----w c:\program files\Memeo
2009-04-10 20:29 . 2009-04-10 20:29 -------- d-----w c:\program files\Western Digital Corporation
2009-04-08 20:33 . 2009-04-08 20:33 -------- d-----w c:\program files\iTunes
2009-04-08 20:33 . 2005-07-18 23:06 -------- d-----w c:\program files\iPod
2009-04-07 23:21 . 2005-11-27 21:58 1100 ----a-w c:\documents and settings\Nicholas Laidlaw\Local Settings\Application Data\d3d8caps.dat
2009-04-07 23:21 . 2005-08-07 11:35 1324 ----a-w c:\documents and settings\Nicholas Laidlaw\Local Settings\Application Data\d3d9caps.dat
2009-04-06 19:32 . 2009-03-07 04:25 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2009-03-07 04:25 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-03 18:34 . 2008-12-07 19:11 -------- d-----w c:\program files\Common Files\Apple
2009-04-03 18:18 . 2009-03-20 20:12 -------- d-----w c:\program files\QuickTime
2009-04-03 16:11 . 2009-04-03 16:11 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-03 16:10 . 2007-11-15 20:37 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-01 19:50 . 2009-04-01 19:49 128 ----a-w c:\documents and settings\Guest Account\Application Data\wklnhst.dat
2009-03-19 20:32 . 2008-12-07 21:24 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-18 20:54 . 2009-03-11 20:51 143856 ----a-w c:\documents and settings\Guest Account\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-06 14:44 . 2004-08-04 11:00 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-06 03:59 . 2009-04-03 18:35 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-06 03:59 . 2009-04-03 18:35 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-03 00:18 . 2004-08-04 11:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 11:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-20 03:16 . 2005-07-16 06:46 143856 ----a-w c:\documents and settings\Nicholas Laidlaw\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2005-11-26 20:01 . 2005-11-26 20:01 32 --sha-w c:\windows\{7A9B4061-1BD3-4EB1-AB70-DF0377A29313}.dat
2005-11-26 20:01 . 2005-11-26 20:01 32 --sha-w c:\windows\SYSTEM32\{CDF7DBB0-9EE7-417A-9AF9-DAC0464C51D8}.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-05-10_16.08.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-06-16 10:03 . 2008-07-09 07:38 26488 c:\windows\SYSTEM32\spupdsvc.exe
- 2004-11-20 05:01 . 2007-11-30 11:18 17272 c:\windows\SYSTEM32\spmsg.dll
+ 2004-11-20 05:01 . 2007-11-30 12:39 17272 c:\windows\SYSTEM32\spmsg.dll
+ 2004-08-04 11:00 . 2009-02-03 20:08 55808 c:\windows\SYSTEM32\secur32.dll
- 2004-08-04 11:00 . 2004-08-04 11:00 55808 c:\windows\SYSTEM32\SECUR32.DLL
+ 2004-08-04 11:00 . 2009-02-06 16:54 35328 c:\windows\SYSTEM32\sc.exe
- 2004-08-04 11:00 . 2008-12-20 23:15 44544 c:\windows\SYSTEM32\pngfilt.dll
+ 2004-08-04 11:00 . 2009-02-20 18:09 44544 c:\windows\SYSTEM32\pngfilt.dll
+ 2004-11-20 04:53 . 2009-05-11 19:42 65044 c:\windows\SYSTEM32\PERFC009.DAT
- 2004-11-20 04:53 . 2009-05-10 14:56 65044 c:\windows\SYSTEM32\PERFC009.DAT
+ 2004-08-04 11:00 . 2008-06-12 14:16 91648 c:\windows\SYSTEM32\mtxoci.dll
- 2004-08-04 11:00 . 2006-03-01 19:42 66560 c:\windows\SYSTEM32\mtxclu.dll
+ 2004-08-04 11:00 . 2008-06-12 14:16 66560 c:\windows\SYSTEM32\mtxclu.dll
+ 2007-08-13 23:54 . 2009-02-20 18:09 52224 c:\windows\SYSTEM32\msfeedsbs.dll
- 2007-08-13 23:54 . 2008-12-20 23:15 52224 c:\windows\SYSTEM32\msfeedsbs.dll
- 2004-08-04 11:00 . 2004-08-04 11:00 58880 c:\windows\SYSTEM32\MSDTCLOG.DLL
+ 2004-08-04 11:00 . 2008-06-12 14:16 58880 c:\windows\SYSTEM32\msdtclog.dll
+ 2004-08-04 11:00 . 2009-02-20 18:09 27648 c:\windows\SYSTEM32\jsproxy.dll
- 2004-08-04 11:00 . 2008-12-20 23:15 27648 c:\windows\SYSTEM32\jsproxy.dll
+ 2007-08-13 23:39 . 2009-02-20 10:20 13824 c:\windows\SYSTEM32\ieudinit.exe
- 2007-08-13 23:39 . 2008-12-19 09:10 13824 c:\windows\SYSTEM32\ieudinit.exe
+ 2004-08-04 11:00 . 2009-02-20 18:09 44544 c:\windows\SYSTEM32\iernonce.dll
- 2004-08-04 11:00 . 2008-12-20 23:15 44544 c:\windows\SYSTEM32\iernonce.dll
- 2004-08-04 11:00 . 2008-12-19 09:10 70656 c:\windows\SYSTEM32\ie4uinit.exe
+ 2004-08-04 11:00 . 2009-02-20 10:20 70656 c:\windows\SYSTEM32\ie4uinit.exe
+ 2007-08-13 23:36 . 2009-02-20 18:09 63488 c:\windows\SYSTEM32\icardie.dll
- 2007-08-13 23:36 . 2008-12-20 23:15 63488 c:\windows\SYSTEM32\icardie.dll
+ 2004-08-04 11:00 . 2009-02-03 20:08 55808 c:\windows\SYSTEM32\DLLCACHE\secur32.dll
- 2004-08-04 11:00 . 2004-08-04 11:00 55808 c:\windows\SYSTEM32\DLLCACHE\secur32.dll
+ 2006-05-10 05:25 . 2009-02-20 18:09 44544 c:\windows\SYSTEM32\DLLCACHE\pngfilt.dll
- 2006-05-10 05:25 . 2008-12-20 23:15 44544 c:\windows\SYSTEM32\DLLCACHE\pngfilt.dll
+ 2008-06-12 14:16 . 2008-06-12 14:16 91648 c:\windows\SYSTEM32\DLLCACHE\mtxoci.dll
+ 2008-06-12 14:16 . 2008-06-12 14:16 66560 c:\windows\SYSTEM32\DLLCACHE\mtxclu.dll
+ 2007-11-29 03:07 . 2009-02-20 18:09 52224 c:\windows\SYSTEM32\DLLCACHE\msfeedsbs.dll
- 2007-11-29 03:07 . 2008-12-20 23:15 52224 c:\windows\SYSTEM32\DLLCACHE\msfeedsbs.dll
+ 2008-06-12 14:16 . 2008-06-12 14:16 58880 c:\windows\SYSTEM32\DLLCACHE\msdtclog.dll
- 2006-05-10 05:25 . 2008-12-20 23:15 27648 c:\windows\SYSTEM32\DLLCACHE\jsproxy.dll
+ 2006-05-10 05:25 . 2009-02-20 18:09 27648 c:\windows\SYSTEM32\DLLCACHE\jsproxy.dll
+ 2007-11-29 03:07 . 2009-02-20 10:20 13824 c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe
- 2007-11-29 03:07 . 2008-12-19 09:10 13824 c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe
- 2007-08-13 23:39 . 2008-12-20 23:15 44544 c:\windows\SYSTEM32\DLLCACHE\iernonce.dll
+ 2007-08-13 23:39 . 2009-02-20 18:09 44544 c:\windows\SYSTEM32\DLLCACHE\iernonce.dll
- 2007-08-13 23:45 . 2007-08-13 23:45 78336 c:\windows\SYSTEM32\DLLCACHE\ieencode.dll
+ 2007-08-13 23:45 . 2009-02-20 18:09 78336 c:\windows\SYSTEM32\DLLCACHE\ieencode.dll
- 2007-08-13 23:39 . 2008-12-19 09:10 70656 c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
+ 2007-08-13 23:39 . 2009-02-20 10:20 70656 c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
+ 2007-11-29 03:07 . 2009-02-20 18:09 63488 c:\windows\SYSTEM32\DLLCACHE\icardie.dll
- 2007-11-29 03:07 . 2008-12-20 23:15 63488 c:\windows\SYSTEM32\DLLCACHE\icardie.dll
+ 2004-11-20 05:07 . 2009-05-11 04:37 45056 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2004-11-20 05:07 . 2009-02-04 01:47 45056 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2004-11-20 05:07 . 2009-05-11 04:37 22528 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
- 2004-11-20 05:07 . 2009-02-04 01:47 22528 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2004-11-20 05:07 . 2009-05-11 04:37 16384 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2004-11-20 05:07 . 2009-02-04 01:47 16384 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2004-11-20 05:07 . 2009-05-11 04:37 34304 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2004-11-20 05:07 . 2009-02-04 01:47 34304 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2008-02-09 00:21 . 2009-05-11 04:38 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-02-09 00:21 . 2009-03-12 03:03 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-02-09 00:21 . 2009-03-12 03:03 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-02-09 00:21 . 2009-05-11 04:38 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-02-09 00:21 . 2009-05-11 04:38 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-02-09 00:21 . 2009-03-12 03:03 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2007-12-06 20:32 . 2009-05-11 04:37 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2007-12-06 20:32 . 2009-03-12 03:04 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2007-12-06 20:32 . 2009-05-11 04:37 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2007-12-06 20:32 . 2009-03-12 03:04 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2007-12-06 20:32 . 2009-05-11 04:37 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2007-12-06 20:32 . 2009-03-12 03:04 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2007-12-06 20:32 . 2009-03-12 03:04 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2007-12-06 20:32 . 2009-05-11 04:37 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2007-12-06 20:32 . 2009-05-11 04:37 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2007-12-06 20:32 . 2009-03-12 03:04 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2007-12-06 20:32 . 2009-03-12 03:04 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2007-12-06 20:32 . 2009-05-11 04:37 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2009-05-11 04:41 . 2008-12-20 23:15 44544 c:\windows\ie7updates\KB963027-IE7\pngfilt.dll
+ 2009-05-11 04:41 . 2008-12-20 23:15 52224 c:\windows\ie7updates\KB963027-IE7\msfeedsbs.dll
+ 2009-05-11 04:41 . 2008-12-20 23:15 27648 c:\windows\ie7updates\KB963027-IE7\jsproxy.dll
+ 2009-05-11 04:41 . 2008-12-19 09:10 13824 c:\windows\ie7updates\KB963027-IE7\ieudinit.exe
+ 2009-05-11 04:41 . 2008-12-20 23:15 44544 c:\windows\ie7updates\KB963027-IE7\iernonce.dll
+ 2009-05-11 04:41 . 2007-08-13 23:45 78336 c:\windows\ie7updates\KB963027-IE7\ieencode.dll
+ 2009-05-11 04:41 . 2008-12-19 09:10 70656 c:\windows\ie7updates\KB963027-IE7\ie4uinit.exe
+ 2009-05-11 04:41 . 2008-12-20 23:15 63488 c:\windows\ie7updates\KB963027-IE7\icardie.dll
+ 2004-11-20 05:07 . 2009-05-11 04:37 3584 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2004-11-20 05:07 . 2009-02-04 01:47 3584 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2004-11-20 05:07 . 2009-02-04 01:47 8192 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2004-11-20 05:07 . 2009-05-11 04:37 8192 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2004-11-20 05:07 . 2009-05-11 04:37 2560 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
- 2004-11-20 05:07 . 2009-02-04 01:47 2560 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2007-12-06 20:32 . 2009-05-11 04:37 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2007-12-06 20:32 . 2009-03-12 03:04 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2004-08-04 11:00 . 2008-12-16 12:47 351232 c:\windows\SYSTEM32\winhttp.dll
- 2004-08-04 11:00 . 2004-08-04 11:00 351232 c:\windows\SYSTEM32\WINHTTP.DLL
+ 2004-08-04 11:00 . 2009-02-20 18:09 233472 c:\windows\SYSTEM32\webcheck.dll
- 2004-08-04 11:00 . 2008-12-20 23:15 233472 c:\windows\SYSTEM32\webcheck.dll
+ 2004-08-04 11:00 . 2009-02-06 16:39 227840 c:\windows\SYSTEM32\WBEM\wmiprvse.exe
+ 2004-08-04 11:00 . 2009-02-09 10:20 453120 c:\windows\SYSTEM32\WBEM\wmiprvsd.dll
+ 2004-08-04 11:00 . 2009-02-09 10:20 473088 c:\windows\SYSTEM32\WBEM\fastprox.dll
+ 2004-08-04 11:00 . 2009-02-20 18:09 105984 c:\windows\SYSTEM32\url.dll
- 2004-08-04 11:00 . 2008-12-20 23:15 105984 c:\windows\SYSTEM32\url.dll
+ 2004-08-04 11:00 . 2009-02-06 17:14 110592 c:\windows\SYSTEM32\services.exe
+ 2004-08-04 11:00 . 2009-02-09 10:20 399360 c:\windows\SYSTEM32\rpcss.dll
- 2004-11-20 04:53 . 2009-05-10 14:56 410574 c:\windows\SYSTEM32\PERFH009.DAT
+ 2004-11-20 04:53 . 2009-05-11 19:42 410574 c:\windows\SYSTEM32\PERFH009.DAT
+ 2004-08-04 11:00 . 2009-02-20 18:09 102912 c:\windows\SYSTEM32\occache.dll
- 2004-08-04 11:00 . 2008-12-20 23:15 102912 c:\windows\SYSTEM32\occache.dll
+ 2004-08-04 11:00 . 2009-02-09 10:20 714752 c:\windows\SYSTEM32\ntdll.dll
- 2004-08-04 11:00 . 2008-12-20 23:15 671232 c:\windows\SYSTEM32\mstime.dll
+ 2004-08-04 11:00 . 2009-02-20 18:09 671232 c:\windows\SYSTEM32\mstime.dll
- 2004-08-04 11:00 . 2008-12-20 23:15 193024 c:\windows\SYSTEM32\msrating.dll
+ 2004-08-04 11:00 . 2009-02-20 18:09 193024 c:\windows\SYSTEM32\msrating.dll
+ 2004-08-04 11:00 . 2009-02-20 18:09 477696 c:\windows\SYSTEM32\mshtmled.dll
- 2004-08-04 11:00 . 2008-12-20 23:15 477696 c:\windows\SYSTEM32\mshtmled.dll
- 2007-08-13 23:54 . 2008-12-20 23:15 459264 c:\windows\SYSTEM32\msfeeds.dll
+ 2007-08-13 23:54 . 2009-02-20 18:09 459264 c:\windows\SYSTEM32\msfeeds.dll
+ 2004-08-04 11:00 . 2008-06-12 14:16 161792 c:\windows\SYSTEM32\msdtcuiu.dll
+ 2004-08-04 11:00 . 2008-06-12 14:16 956928 c:\windows\SYSTEM32\msdtctm.dll
+ 2004-08-04 11:00 . 2008-06-12 14:16 428032 c:\windows\SYSTEM32\msdtcprx.dll
+ 2004-08-04 11:00 . 2009-02-09 10:20 723456 c:\windows\SYSTEM32\lsasrv.dll
+ 2004-08-04 11:00 . 2009-03-21 14:18 986112 c:\windows\SYSTEM32\kernel32.dll
+ 2007-08-13 23:34 . 2009-02-20 18:09 268288 c:\windows\SYSTEM32\iertutil.dll
+ 2004-08-04 11:00 . 2009-02-20 18:09 385024 c:\windows\SYSTEM32\iedkcs32.dll
- 2007-07-11 17:27 . 2008-12-20 23:15 383488 c:\windows\SYSTEM32\ieapfltr.dll
+ 2007-07-11 17:27 . 2009-02-20 18:09 383488 c:\windows\SYSTEM32\ieapfltr.dll
- 2004-08-04 11:00 . 2008-12-19 05:23 161792 c:\windows\SYSTEM32\ieakui.dll
+ 2004-08-04 11:00 . 2009-02-20 05:14 161792 c:\windows\SYSTEM32\ieakui.dll
+ 2004-08-04 11:00 . 2009-02-20 18:09 230400 c:\windows\SYSTEM32\ieaksie.dll
- 2004-08-04 11:00 . 2008-12-20 23:15 230400 c:\windows\SYSTEM32\ieaksie.dll
+ 2004-08-04 11:00 . 2009-02-20 18:09 153088 c:\windows\SYSTEM32\ieakeng.dll
- 2004-08-04 11:00 . 2008-12-20 23:15 153088 c:\windows\SYSTEM32\ieakeng.dll
- 2004-08-04 11:00 . 2008-12-20 23:15 133120 c:\windows\SYSTEM32\extmgr.dll
+ 2004-08-04 11:00 . 2009-02-20 18:09 133120 c:\windows\SYSTEM32\extmgr.dll
+ 2004-08-04 11:00 . 2009-02-20 18:09 214528 c:\windows\SYSTEM32\dxtrans.dll
- 2004-08-04 11:00 . 2008-12-20 23:15 214528 c:\windows\SYSTEM32\dxtrans.dll
- 2004-08-04 11:00 . 2008-12-20 23:15 347136 c:\windows\SYSTEM32\dxtmsft.dll
+ 2004-08-04 11:00 . 2009-02-20 18:09 347136 c:\windows\SYSTEM32\dxtmsft.dll
+ 2004-08-04 11:00 . 2009-02-06 16:39 227840 c:\windows\SYSTEM32\DLLCACHE\wmiprvse.exe
+ 2004-08-04 11:00 . 2009-02-09 10:20 453120 c:\windows\SYSTEM32\DLLCACHE\wmiprvsd.dll
- 2004-08-04 11:00 . 2008-12-20 23:15 826368 c:\windows\SYSTEM32\DLLCACHE\wininet.dll
+ 2004-08-04 11:00 . 2009-03-03 00:18 826368 c:\windows\SYSTEM32\DLLCACHE\wininet.dll
- 2004-08-04 11:00 . 2004-08-04 11:00 351232 c:\windows\SYSTEM32\DLLCACHE\winhttp.dll
+ 2004-08-04 11:00 . 2008-12-16 12:47 351232 c:\windows\SYSTEM32\DLLCACHE\winhttp.dll
- 2004-08-04 11:00 . 2008-12-20 23:15 233472 c:\windows\SYSTEM32\DLLCACHE\webcheck.dll
+ 2004-08-04 11:00 . 2009-02-20 18:09 233472 c:\windows\SYSTEM32\DLLCACHE\webcheck.dll
+ 2004-08-04 11:00 . 2009-02-20 18:09 105984 c:\windows\SYSTEM32\DLLCACHE\url.dll
- 2004-08-04 11:00 . 2008-12-20 23:15 105984 c:\windows\SYSTEM32\DLLCACHE\url.dll
+ 2004-08-04 11:00 . 2009-02-06 17:14 110592 c:\windows\SYSTEM32\DLLCACHE\services.exe
+ 2004-08-04 11:00 . 2009-02-09 10:20 399360 c:\windows\SYSTEM32\DLLCACHE\rpcss.dll
- 2007-08-13 23:44 . 2008-12-20 23:15 102912 c:\windows\SYSTEM32\DLLCACHE\occache.dll
+ 2007-08-13 23:44 . 2009-02-20 18:09 102912 c:\windows\SYSTEM32\DLLCACHE\occache.dll
+ 2004-08-04 11:00 . 2009-02-09 10:20 714752 c:\windows\SYSTEM32\DLLCACHE\ntdll.dll
- 2006-05-10 05:25 . 2008-12-20 23:15 671232 c:\windows\SYSTEM32\DLLCACHE\mstime.dll
+ 2006-05-10 05:25 . 2009-02-20 18:09 671232 c:\windows\SYSTEM32\DLLCACHE\mstime.dll
+ 2006-05-10 05:25 . 2009-02-20 18:09 193024 c:\windows\SYSTEM32\DLLCACHE\msrating.dll
- 2006-05-10 05:25 . 2008-12-20 23:15 193024 c:\windows\SYSTEM32\DLLCACHE\msrating.dll
- 2004-08-04 11:00 . 2008-12-20 23:15 477696 c:\windows\SYSTEM32\DLLCACHE\mshtmled.dll
+ 2004-08-04 11:00 . 2009-02-20 18:09 477696 c:\windows\SYSTEM32\DLLCACHE\mshtmled.dll
- 2007-11-29 03:07 . 2008-12-20 23:15 459264 c:\windows\SYSTEM32\DLLCACHE\msfeeds.dll
+ 2007-11-29 03:07 . 2009-02-20 18:09 459264 c:\windows\SYSTEM32\DLLCACHE\msfeeds.dll
+ 2008-06-12 14:16 . 2008-06-12 14:16 161792 c:\windows\SYSTEM32\DLLCACHE\msdtcuiu.dll
+ 2008-06-12 14:16 . 2008-06-12 14:16 956928 c:\windows\SYSTEM32\DLLCACHE\msdtctm.dll
+ 2008-06-12 14:16 . 2008-06-12 14:16 428032 c:\windows\SYSTEM32\DLLCACHE\msdtcprx.dll
+ 2004-08-04 11:00 . 2009-02-09 10:20 723456 c:\windows\SYSTEM32\DLLCACHE\lsasrv.dll
+ 2004-08-04 11:00 . 2009-03-21 14:18 986112 c:\windows\SYSTEM32\DLLCACHE\kernel32.dll
+ 2004-08-04 11:00 . 2009-02-28 04:54 636072 c:\windows\SYSTEM32\DLLCACHE\iexplore.exe
+ 2007-11-29 03:07 . 2009-02-20 18:09 268288 c:\windows\SYSTEM32\DLLCACHE\iertutil.dll
+ 2007-08-13 23:39 . 2009-02-20 18:09 385024 c:\windows\SYSTEM32\DLLCACHE\iedkcs32.dll
+ 2007-11-29 03:07 . 2009-02-20 18:09 383488 c:\windows\SYSTEM32\DLLCACHE\ieapfltr.dll
- 2007-11-29 03:07 . 2008-12-20 23:15 383488 c:\windows\SYSTEM32\DLLCACHE\ieapfltr.dll
+ 2007-08-13 22:56 . 2009-02-20 05:14 161792 c:\windows\SYSTEM32\DLLCACHE\ieakui.dll
- 2007-08-13 22:56 . 2008-12-19 05:23 161792 c:\windows\SYSTEM32\DLLCACHE\ieakui.dll
+ 2007-08-13 23:39 . 2009-02-20 18:09 230400 c:\windows\SYSTEM32\DLLCACHE\ieaksie.dll
- 2007-08-13 23:39 . 2008-12-20 23:15 230400 c:\windows\SYSTEM32\DLLCACHE\ieaksie.dll
- 2007-08-13 23:39 . 2008-12-20 23:15 153088 c:\windows\SYSTEM32\DLLCACHE\ieakeng.dll
+ 2007-08-13 23:39 . 2009-02-20 18:09 153088 c:\windows\SYSTEM32\DLLCACHE\ieakeng.dll
+ 2006-05-10 05:25 . 2009-02-20 18:09 133120 c:\windows\SYSTEM32\DLLCACHE\extmgr.dll
- 2006-05-10 05:25 . 2008-12-20 23:15 133120 c:\windows\SYSTEM32\DLLCACHE\extmgr.dll
+ 2004-08-04 11:00 . 2009-02-20 18:09 214528 c:\windows\SYSTEM32\DLLCACHE\dxtrans.dll
- 2004-08-04 11:00 . 2008-12-20 23:15 214528 c:\windows\SYSTEM32\DLLCACHE\dxtrans.dll
+ 2006-05-10 05:25 . 2009-02-20 18:09 347136 c:\windows\SYSTEM32\DLLCACHE\dxtmsft.dll
- 2006-05-10 05:25 . 2008-12-20 23:15 347136 c:\windows\SYSTEM32\DLLCACHE\dxtmsft.dll
+ 2004-08-04 11:00 . 2009-02-20 18:09 124928 c:\windows\SYSTEM32\DLLCACHE\advpack.dll
- 2004-08-04 11:00 . 2008-12-20 23:15 124928 c:\windows\SYSTEM32\DLLCACHE\advpack.dll
- 2004-08-04 11:00 . 2004-08-04 11:00 616960 c:\windows\SYSTEM32\DLLCACHE\advapi32.dll
+ 2004-08-04 11:00 . 2009-02-09 10:20 616960 c:\windows\SYSTEM32\DLLCACHE\advapi32.dll
- 2004-08-04 11:00 . 2008-12-20 23:15 124928 c:\windows\SYSTEM32\advpack.dll
+ 2004-08-04 11:00 . 2009-02-20 18:09 124928 c:\windows\SYSTEM32\advpack.dll
+ 2004-08-04 11:00 . 2009-02-09 10:20 616960 c:\windows\SYSTEM32\advapi32.dll
- 2004-08-04 11:00 . 2004-08-04 11:00 616960 c:\windows\SYSTEM32\ADVAPI32.DLL
- 2008-02-09 00:21 . 2009-03-12 03:03 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-02-09 00:21 . 2009-05-11 04:38 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-02-09 00:21 . 2009-05-11 04:38 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2008-02-09 00:21 . 2009-03-12 03:03 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2008-02-09 00:21 . 2009-05-11 04:38 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2008-02-09 00:21 . 2009-03-12 03:03 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-02-09 00:21 . 2009-05-11 04:38 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2008-02-09 00:21 . 2009-03-12 03:03 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2008-02-09 00:21 . 2009-03-12 03:03 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2008-02-09 00:21 . 2009-05-11 04:38 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2008-02-09 00:21 . 2009-03-12 03:03 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2008-02-09 00:21 . 2009-05-11 04:38 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2008-02-09 00:21 . 2009-05-11 04:38 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2008-02-09 00:21 . 2009-03-12 03:03 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2007-12-06 20:32 . 2009-03-12 03:04 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2007-12-06 20:32 . 2009-05-11 04:37 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2007-12-06 20:32 . 2009-05-11 04:37 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2007-12-06 20:32 . 2009-03-12 03:04 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2007-12-06 20:32 . 2009-03-12 03:04 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2007-12-06 20:32 . 2009-05-11 04:37 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2007-12-06 20:32 . 2009-03-12 03:04 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2007-12-06 20:32 . 2009-05-11 04:37 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2007-12-06 20:32 . 2009-05-11 04:37 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2007-12-06 20:32 . 2009-03-12 03:04 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2007-12-06 20:32 . 2009-05-11 04:37 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2007-12-06 20:32 . 2009-03-12 03:04 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2009-05-11 04:41 . 2008-12-20 23:15 826368 c:\windows\ie7updates\KB963027-IE7\wininet.dll
+ 2009-05-11 04:41 . 2008-12-20 23:15 233472 c:\windows\ie7updates\KB963027-IE7\webcheck.dll
+ 2009-05-11 04:41 . 2008-12-20 23:15 105984 c:\windows\ie7updates\KB963027-IE7\url.dll
+ 2009-05-11 04:41 . 2008-07-09 07:38 382840 c:\windows\ie7updates\KB963027-IE7\spuninst\updspapi.dll
+ 2009-05-11 04:41 . 2008-07-08 13:02 231288 c:\windows\ie7updates\KB963027-IE7\spuninst\spuninst.exe
+ 2009-05-11 04:41 . 2008-12-20 23:15 102912 c:\windows\ie7updates\KB963027-IE7\occache.dll
+ 2009-05-11 04:41 . 2008-12-20 23:15 671232 c:\windows\ie7updates\KB963027-IE7\mstime.dll
+ 2009-05-11 04:41 . 2008-12-20 23:15 193024 c:\windows\ie7updates\KB963027-IE7\msrating.dll
+ 2009-05-11 04:41 . 2008-12-20 23:15 477696 c:\windows\ie7updates\KB963027-IE7\mshtmled.dll
+ 2009-05-11 04:41 . 2008-12-20 23:15 459264 c:\windows\ie7updates\KB963027-IE7\msfeeds.dll
+ 2009-05-11 04:41 . 2008-12-19 05:25 634024 c:\windows\ie7updates\KB963027-IE7\iexplore.exe
+ 2009-05-11 04:41 . 2008-12-20 23:15 267776 c:\windows\ie7updates\KB963027-IE7\iertutil.dll
+ 2009-05-11 04:41 . 2008-12-20 23:15 384512 c:\windows\ie7updates\KB963027-IE7\iedkcs32.dll
+ 2009-05-11 04:41 . 2008-12-20 23:15 383488 c:\windows\ie7updates\KB963027-IE7\ieapfltr.dll
+ 2009-05-11 04:41 . 2008-12-19 05:23 161792 c:\windows\ie7updates\KB963027-IE7\ieakui.dll
+ 2009-05-11 04:41 . 2008-12-20 23:15 230400 c:\windows\ie7updates\KB963027-IE7\ieaksie.dll
+ 2009-05-11 04:41 . 2008-12-20 23:15 153088 c:\windows\ie7updates\KB963027-IE7\ieakeng.dll
+ 2009-05-11 04:41 . 2008-12-20 23:15 133120 c:\windows\ie7updates\KB963027-IE7\extmgr.dll
+ 2009-05-11 04:41 . 2008-12-20 23:15 214528 c:\windows\ie7updates\KB963027-IE7\dxtrans.dll
+ 2009-05-11 04:41 . 2008-12-20 23:15 347136 c:\windows\ie7updates\KB963027-IE7\dxtmsft.dll
+ 2009-05-11 04:41 . 2008-12-20 23:15 124928 c:\windows\ie7updates\KB963027-IE7\advpack.dll
- 2004-08-04 11:00 . 2008-12-20 23:15 1160192 c:\windows\SYSTEM32\urlmon.dll
+ 2004-08-04 11:00 . 2009-02-20 18:09 1160192 c:\windows\SYSTEM32\urlmon.dll
- 2004-08-04 11:00 . 2008-05-07 05:18 1287680 c:\windows\SYSTEM32\quartz.dll
+ 2004-08-04 11:00 . 2008-12-20 22:43 1287680 c:\windows\SYSTEM32\quartz.dll
- 1980-01-01 06:00 . 2008-08-14 09:58 2136064 c:\windows\SYSTEM32\ntoskrnl.exe
+ 1980-01-01 06:00 . 2009-02-06 17:22 2136064 c:\windows\SYSTEM32\ntoskrnl.exe
- 1980-01-01 06:00 . 2008-08-14 09:22 2015744 c:\windows\SYSTEM32\ntkrnlpa.exe
+ 1980-01-01 06:00 . 2009-02-06 16:49 2015744 c:\windows\SYSTEM32\ntkrnlpa.exe
+ 2004-08-04 11:00 . 2009-02-20 18:09 3595264 c:\windows\SYSTEM32\mshtml.dll
+ 2007-08-13 23:54 . 2009-02-20 18:09 6066176 c:\windows\SYSTEM32\ieframe.dll
+ 2007-02-12 21:10 . 2008-07-09 14:25 2455488 c:\windows\SYSTEM32\ieapfltr.dat
- 2007-02-12 21:10 . 2007-04-17 09:32 2455488 c:\windows\SYSTEM32\ieapfltr.dat
- 2004-08-04 11:00 . 2008-12-20 23:15 1160192 c:\windows\SYSTEM32\DLLCACHE\urlmon.dll
+ 2004-08-04 11:00 . 2009-02-20 18:09 1160192 c:\windows\SYSTEM32\DLLCACHE\urlmon.dll
+ 2007-10-29 22:43 . 2008-12-20 22:43 1287680 c:\windows\SYSTEM32\DLLCACHE\quartz.dll
- 2007-10-29 22:43 . 2008-05-07 05:18 1287680 c:\windows\SYSTEM32\DLLCACHE\quartz.dll
+ 2006-12-19 14:17 . 2009-02-06 17:24 2180480 c:\windows\SYSTEM32\DLLCACHE\ntoskrnl.exe
- 2006-12-19 12:55 . 2008-08-14 09:22 2015744 c:\windows\SYSTEM32\DLLCACHE\ntkrpamp.exe
+ 2006-12-19 12:55 . 2009-02-06 16:49 2015744 c:\windows\SYSTEM32\DLLCACHE\ntkrpamp.exe
- 2006-12-19 12:55 . 2008-08-14 09:22 2057728 c:\windows\SYSTEM32\DLLCACHE\ntkrnlpa.exe
+ 2006-12-19 12:55 . 2009-02-06 16:49 2057728 c:\windows\SYSTEM32\DLLCACHE\ntkrnlpa.exe
- 2006-12-19 14:15 . 2008-08-14 09:58 2136064 c:\windows\SYSTEM32\DLLCACHE\ntkrnlmp.exe
+ 2006-12-19 14:15 . 2009-02-06 17:22 2136064 c:\windows\SYSTEM32\DLLCACHE\ntkrnlmp.exe
+ 2004-08-04 11:00 . 2009-02-20 18:09 3595264 c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
+ 2007-11-29 03:07 . 2009-02-20 18:09 6066176 c:\windows\SYSTEM32\DLLCACHE\ieframe.dll
- 2007-11-29 03:07 . 2007-04-17 09:32 2455488 c:\windows\SYSTEM32\DLLCACHE\ieapfltr.dat
+ 2007-11-29 03:07 . 2008-07-09 14:25 2455488 c:\windows\SYSTEM32\DLLCACHE\ieapfltr.dat
- 2008-02-09 00:21 . 2009-03-12 03:03 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-02-09 00:21 . 2009-05-11 04:38 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-02-09 00:21 . 2009-05-11 04:38 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
- 2008-02-09 00:21 . 2009-03-12 03:03 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-05-11 04:41 . 2008-12-20 23:15 1160192 c:\windows\ie7updates\KB963027-IE7\urlmon.dll
+ 2009-05-11 04:41 . 2009-01-17 02:35 3594752 c:\windows\ie7updates\KB963027-IE7\mshtml.dll
+ 2009-05-11 04:41 . 2008-12-20 23:15 6066688 c:\windows\ie7updates\KB963027-IE7\ieframe.dll
+ 2009-05-11 04:41 . 2007-04-17 09:32 2455488 c:\windows\ie7updates\KB963027-IE7\ieapfltr.dat
+ 2005-03-02 00:59 . 2009-02-06 17:24 2180480 c:\windows\Driver Cache\I386\ntoskrnl.exe
+ 2005-03-02 00:34 . 2009-02-06 16:49 2015744 c:\windows\Driver Cache\I386\ntkrpamp.exe
- 2005-03-02 00:34 . 2008-08-14 09:22 2015744 c:\windows\Driver Cache\I386\ntkrpamp.exe
- 2005-03-02 00:34 . 2008-08-14 09:22 2057728 c:\windows\Driver Cache\I386\ntkrnlpa.exe
+ 2005-03-02 00:34 . 2009-02-06 16:49 2057728 c:\windows\Driver Cache\I386\ntkrnlpa.exe
- 2005-03-02 00:57 . 2008-08-14 09:58 2136064 c:\windows\Driver Cache\I386\ntkrnlmp.exe
+ 2005-03-02 00:57 . 2009-02-06 17:22 2136064 c:\windows\Driver Cache\I386\ntkrnlmp.exe
+ 2009-05-11 04:39 . 2009-04-06 11:57 24921544 c:\windows\SYSTEM32\MRT.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-04-30 1830128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-24 39408]
"Google Update"="c:\documents and settings\Nicholas Laidlaw\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-13 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPZRCV01.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HPZRCV01.LNK
backup=c:\windows\pss\HPZRCV01.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ZDWLan Utility.lnk]
backup=c:\windows\pss\ZDWLan Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jeffrey Laidlaw^Start Menu^Programs^Startup^PowerReg Scheduler.exe]

[HKLM\~\startupfolder\C:^Documents and Settings^Nicholas Laidlaw^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Nicholas Laidlaw\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WUSB54GCSVC"=2 (0x2)
"Windows Action Script"=2 (0x2)
"ScsiAccess"=2 (0x2)
"PnkBstrB"=3 (0x3)
"PnkBstrA"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"MsSecurity1.209.4"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"KodakCCS"=2 (0x2)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"IAANTMon"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"DSBrokerService"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)
"bgsvcgen"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"fci"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Activision\\Rome - Total War\\RomeTW.exe"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Guild Wars\\Gw.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Compact Wireless-G USB Adapter Wireless Network Monitor\\InvokeSvc2.exe"=
"c:\\Program Files\\ZyDAS Technology Corporation\\ZyDAS_802.11g_Utility\\ZDWlan.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Nicholas Laidlaw\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=

R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [3/23/2009 2:07 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [3/23/2009 2:07 PM 72944]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\Memeo\AutoBackup\MemeoBackgroundService.exe [11/7/2008 3:38 PM 25824]
R2 ZDCNDIS5;ZDCNDIS5 NDIS Protocol Driver;c:\windows\SYSTEM32\ZDCndis5.sys [6/25/2008 3:09 PM 19072]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [3/23/2009 2:07 PM 7408]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\SYSTEM32\DRIVERS\BRGSp50.sys [9/3/2006 3:01 PM 20608]
S3 xbreader;ActionReplay XBox Driver (xbreader.sys);c:\windows\SYSTEM32\DRIVERS\xbreader.sys [4/9/2005 10:46 PM 19677]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11b9fcdb-b1c2-11dd-8b37-00038a000015}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-05-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-626145550-3952361536-1041508808-1008.job
- c:\documents and settings\Nicholas Laidlaw\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-13 22:13]

2009-05-11 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-04-21 21:21]

2009-01-01 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-04-21 21:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v5.cab
FF - ProfilePath - c:\documents and settings\Nicholas Laidlaw\Application Data\Mozilla\Firefox\Profiles\l7493hpz.default\
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-11 15:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2568)
c:\windows\system32\hnetcfg.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\windows\SYSTEM32\MsPMSPSv.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-05-11 15:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-11 19:58
ComboFix2.txt 2009-05-10 19:18
ComboFix3.txt 2009-05-10 16:19

Pre-Run: 12,585,824,256 bytes free
Post-Run: 12,634,411,008 bytes free

597 --- E O F --- 2009-05-11 04:41
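As an added example (not part of the thread and not a ComboFix or forum tool), the script below reads a log in the format posted above and flags the settings that account for the redirect symptoms: the IE and Firefox proxy pointed at localhost:7171, the Security Center override values, the disabled firewall and the AutoRun command on the removable drive. The sample log is constructed from the shape of the lines above, and every function name is this example's own.

```python
"""Triage helper for a ComboFix-style log (constructed example): flags the
'Reg Loading Points' and 'Supplementary Scan' settings behind the redirects."""
import re

# Constructed sample in the shape of the log lines posted above.
SAMPLE_LOG = """\
REGEDIT4
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\F]
\\Shell\\AutoRun\\command - F:\\LaunchU3.exe -a
------- Supplementary Scan -------
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1
"""

# A browser proxy pointed at one of these means every request first passes
# through a process on this same machine, which is how clicks get rewritten.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1", "0.0.0.0"}


def reg_int(value):
    """Parse 'dword:00000001' or '0 (0x0)' style values; None if not numeric."""
    m = re.match(r"dword:([0-9a-fA-F]+)", value)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)", value)
    return int(m.group(1)) if m else None


def parse_reg_sections(lines):
    """Return {section name (lowercased): {key: value}} for the REGEDIT4 part.
    Keeps '"Name"=value' rows and bare '\\Shell\\AutoRun\\command - ...' rows."""
    sections, current = {}, None
    for line in lines:
        line = line.rstrip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        if current is None or not line or line == ".":
            continue
        if line.startswith("\\") and " - " in line:
            key, cmd = line.split(" - ", 1)
            sections[current][key] = cmd.strip()
            continue
        m = re.match(r'^"([^"]+)"\s*=\s*(.*)$', line)
        if m:
            sections[current][m.group(1)] = m.group(2).strip()
    return sections


def proxy_findings(lines):
    """IE and Firefox proxy settings that route traffic through a local port."""
    out, ff = [], {}
    for line in lines:
        m = re.match(r"^uInternet Settings,ProxyServer\s*=\s*(.+)$", line)
        if m:
            for entry in m.group(1).split(";"):
                hostport = entry.split("=", 1)[-1].strip()
                if hostport.rsplit(":", 1)[0].lower() in LOCAL_HOSTS:
                    out.append(("proxy", f"IE proxy routed to local listener {hostport}"))
        m = re.match(r"^FF - prefs\.js: network\.proxy\.(http|http_port|type) - (.+)$", line)
        if m:
            ff[m.group(1)] = m.group(2).strip()
    # network.proxy.type 1 = manual proxy configuration in Firefox
    if ff.get("type") == "1" and ff.get("http", "").lower() in LOCAL_HOSTS:
        out.append(("proxy", f"Firefox proxy routed to {ff['http']}:{ff.get('http_port', '?')}"))
    return out


def security_findings(sections):
    """Security Center overrides, disabled firewall and removable-media AutoRun."""
    out = []
    sc = sections.get("hkey_local_machine\\software\\microsoft\\security center", {})
    for key in ("AntiVirusOverride", "FirewallOverride"):
        if reg_int(sc.get(key, "")) == 1:
            out.append(("security-center", f"{key}=1: Security Center warnings suppressed"))
    for name, values in sections.items():
        if name.endswith("firewallpolicy\\standardprofile") and reg_int(values.get("EnableFirewall", "")) == 0:
            out.append(("firewall", "Windows Firewall disabled (EnableFirewall=0)"))
        if "\\mountpoints2\\" in name:
            for key, cmd in values.items():
                if "autorun" in key.lower():
                    out.append(("autorun", f"AutoRun command on mount point: {cmd}"))
    return out


def triage(log_text):
    """Run every check over one log; returns a list of (category, detail)."""
    lines = log_text.splitlines()
    return proxy_findings(lines) + security_findings(parse_reg_sections(lines))


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```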
Old 05-11-2009, 04:39 PM   #8 (permalink)
Analyst, Security Team
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,293
OS: Windows 7 Premium x64

Re: malware and redirects

Hi there

Good work, so far so good. Things are looking much better. Just one folder I am curious about and I want to look deeper.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote:
Skipfix::

DirLook::
c:\documents and settings\Nicholas Laidlaw\Application Data\poydodkg
c:\documents and settings\Nicholas Laidlaw\Local Settings\Application Data\poydodkg
Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply

Post this log back to me, also update me on how things are running now.
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
Old 05-11-2009, 05:11 PM   #9 (permalink)
Registered User
 
Join Date: May 2009
Posts: 7
OS: winxp


Re: malware and redirects

Thanks. Things seem to be running as they were previous to the problem. My internet is experiencing no problems, and is running fast. Here is the log from combofix:

ComboFix 09-05-09.05 - Nicholas Laidlaw 05/11/2009 19:01.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.669 [GMT -4:00]
Running from: c:\documents and settings\Nicholas Laidlaw\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Nicholas Laidlaw\Desktop\CFScript.txt
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2009-04-11 to 2009-05-11 )))))))))))))))))))))))))))))))
.

2009-05-10 16:19 . 2009-03-06 14:44 283648 ------w c:\windows\system32\dllcache\pdh.dll
2009-05-10 16:19 . 2009-02-06 16:54 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-05-10 16:19 . 2009-02-09 10:20 473088 ------w c:\windows\system32\dllcache\fastprox.dll
2009-05-10 16:19 . 2008-04-21 10:02 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-05-10 15:08 . 2009-05-10 15:09 -------- d---a-w C:\Music
2009-05-10 15:08 . 2009-05-10 15:08 -------- d---a-w C:\autorun
2009-05-10 15:08 . 2009-05-10 15:08 -------- d---a-w C:\Documentation
2009-05-10 15:08 . 2009-05-10 15:08 -------- d---a-w C:\wd_mac_tools
2009-05-10 15:04 . 2009-05-10 15:05 -------- d---a-w C:\wd_windows_tools
2009-05-10 15:04 . 2009-05-10 15:04 -------- d--h--w C:\_Memeo
2009-04-30 20:03 . 2009-04-30 20:03 -------- d-----w c:\documents and settings\Nicholas Laidlaw\Application Data\poydodkg
2009-04-30 20:03 . 2009-04-30 20:03 -------- d-----w c:\documents and settings\Nicholas Laidlaw\Local Settings\Application Data\poydodkg
2009-04-29 21:17 . 2009-04-30 21:32 -------- d-----w c:\windows\system32\796525
2009-04-20 03:01 . 2009-04-20 03:01 -------- d-----w c:\documents and settings\Nicholas Laidlaw\Local Settings\Application Data\{8F505A93-C9D2-41D8-913E-25ACE2208559}
2009-04-15 02:27 . 2009-04-15 02:27 -------- d-sh--w C:\found.001

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-10 16:05 . 2004-08-04 11:00 577536 ----a-w c:\windows\system32\user32.dll
2009-05-06 03:26 . 2005-08-01 16:08 2522 ----a-w c:\documents and settings\Nicholas Laidlaw\Application Data\wklnhst.dat
2009-04-30 19:50 . 2009-01-10 06:25 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-30 19:50 . 2004-08-04 11:00 14336 ----a-w c:\windows\system32\SVCHOST.EXE
2009-04-24 01:15 . 2009-04-10 20:31 -------- d-----w c:\program files\Google
2009-04-20 03:22 . 2009-01-10 06:29 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-10 20:32 . 2009-04-10 20:32 -------- d-----w c:\program files\Picasa2
2009-04-10 20:31 . 2009-04-10 20:31 -------- d-----w c:\program files\Western Digital
2009-04-10 20:31 . 2009-04-10 20:30 -------- d-----w c:\program files\Common Files\eSellerate
2009-04-10 20:31 . 2009-04-10 20:30 -------- d-----w c:\program files\Memeo
2009-04-10 20:29 . 2009-04-10 20:29 -------- d-----w c:\program files\Western Digital Corporation
2009-04-08 20:33 . 2009-04-08 20:33 -------- d-----w c:\program files\iTunes
2009-04-08 20:33 . 2005-07-18 23:06 -------- d-----w c:\program files\iPod
2009-04-07 23:21 . 2005-11-27 21:58 1100 ----a-w c:\documents and settings\Nicholas Laidlaw\Local Settings\Application Data\d3d8caps.dat
2009-04-07 23:21 . 2005-08-07 11:35 1324 ----a-w c:\documents and settings\Nicholas Laidlaw\Local Settings\Application Data\d3d9caps.dat
2009-04-06 19:32 . 2009-03-07 04:25 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2009-03-07 04:25 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-03 18:34 . 2008-12-07 19:11 -------- d-----w c:\program files\Common Files\Apple
2009-04-03 18:18 . 2009-03-20 20:12 -------- d-----w c:\program files\QuickTime
2009-04-03 16:11 . 2009-04-03 16:11 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-03 16:10 . 2007-11-15 20:37 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-01 19:50 . 2009-04-01 19:49 128 ----a-w c:\documents and settings\Guest Account\Application Data\wklnhst.dat
2009-03-19 20:32 . 2008-12-07 21:24 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-18 20:54 . 2009-03-11 20:51 143856 ----a-w c:\documents and settings\Guest Account\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-06 14:44 . 2004-08-04 11:00 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-06 03:59 . 2009-04-03 18:35 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-06 03:59 . 2009-04-03 18:35 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-03 00:18 . 2004-08-04 11:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 11:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-20 03:16 . 2005-07-16 06:46 143856 ----a-w c:\documents and settings\Nicholas Laidlaw\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2005-11-26 20:01 . 2005-11-26 20:01 32 --sha-w c:\windows\{7A9B4061-1BD3-4EB1-AB70-DF0377A29313}.dat
2005-11-26 20:01 . 2005-11-26 20:01 32 --sha-w c:\windows\SYSTEM32\{CDF7DBB0-9EE7-417A-9AF9-DAC0464C51D8}.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\documents and settings\Nicholas Laidlaw\Application Data\poydodkg ----

2009-04-30 20:03 . 2009-04-30 20:03 569 ----a-w c:\documents and settings\Nicholas Laidlaw\Application Data\poydodkg\Profiles\rqfy9vu4.default\localstore.rdf
2009-04-30 20:03 . 2009-04-30 20:03 10383 ----a-w c:\documents and settings\Nicholas Laidlaw\Application Data\poydodkg\Profiles\rqfy9vu4.default\pluginreg.dat
2009-04-30 20:03 . 2009-04-30 20:03 2048 ----a-w c:\documents and settings\Nicholas Laidlaw\Application Data\poydodkg\Profiles\rqfy9vu4.default\webappsstore.sqlite
2009-04-30 20:03 . 2009-04-30 20:03 4096 ----a-w c:\documents and settings\Nicholas Laidlaw\Application Data\poydodkg\Profiles\rqfy9vu4.default\formhistory.sqlite
2009-04-30 20:03 . 2009-04-30 20:03 131072 ----a-w c:\documents and settings\Nicholas Laidlaw\Application Data\poydodkg\Profiles\rqfy9vu4.default\places.sqlite
2009-04-30 20:03 . 2009-04-30 20:03 0 ----a-w c:\documents and settings\Nicholas Laidlaw\Application Data\poydodkg\Profiles\rqfy9vu4.default\places.sqlite-journal
2009-04-30 20:03 . 2009-04-30 20:03 16384 ----a-w c:\documents and settings\Nicholas Laidlaw\Application Data\poydodkg\Profiles\rqfy9vu4.default\key3.db
2009-04-30 20:03 . 2009-04-30 20:04 65536 ----a-w c:\documents and settings\Nicholas Laidlaw\Application Data\poydodkg\Profiles\rqfy9vu4.default\cert8.db
2009-04-30 20:03 . 2009-04-30 20:03 16384 ----a-w c:\documents and settings\Nicholas Laidlaw\Application Data\poydodkg\Profiles\rqfy9vu4.default\secmod.db
2009-04-30 20:03 . 2009-04-30 20:04 2048 ----a-w c:\documents and settings\Nicholas Laidlaw\Application Data\poydodkg\Profiles\rqfy9vu4.default\cookies.sqlite
2009-04-30 20:03 . 2009-04-30 20:03 2048 ----a-w c:\documents and settings\Nicholas Laidlaw\Application Data\poydodkg\Profiles\rqfy9vu4.default\permissions.sqlite
2009-04-30 20:03 . 2009-04-30 20:03 367 ----a-w c:\documents and settings\Nicholas Laidlaw\Application Data\poydodkg\Profiles\rqfy9vu4.default\prefs.js
2009-04-30 20:03 . 2009-04-30 20:03 127820 ----a-w c:\documents and settings\Nicholas Laidlaw\Application Data\poydodkg\Profiles\rqfy9vu4.default\compreg.dat
2009-04-30 20:03 . 2009-04-30 20:03 96173 ----a-w c:\documents and settings\Nicholas Laidlaw\Application Data\poydodkg\Profiles\rqfy9vu4.default\xpti.dat
2009-04-30 20:03 . 2009-04-30 20:03 207 ----a-w c:\documents and settings\Nicholas Laidlaw\Application Data\poydodkg\Profiles\rqfy9vu4.default\compatibility.ini
2009-04-30 20:03 . 2009-04-30 20:03 111 ----a-w c:\documents and settings\Nicholas Laidlaw\Application Data\poydodkg\profiles.ini

---- Directory of c:\documents and settings\Nicholas Laidlaw\Local Settings\Application Data\poydodkg ----

2009-04-30 20:03 . 2009-04-30 20:04 32768 ----a-w c:\documents and settings\Nicholas Laidlaw\Local Settings\Application Data\poydodkg\Profiles\rqfy9vu4.default\urlclassifier3.sqlite
2009-04-30 20:03 . 2009-04-30 20:03 438116 ----a-w c:\documents and settings\Nicholas Laidlaw\Local Settings\Application Data\poydodkg\Profiles\rqfy9vu4.default\XPC.mfl


((((((((((((((((((((((((((((( SnapShot_2009-05-11_19.51.21 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-11-20 04:53 . 2009-05-11 19:42 65044 c:\windows\SYSTEM32\PERFC009.DAT
+ 2004-11-20 04:53 . 2009-05-11 19:55 65044 c:\windows\SYSTEM32\PERFC009.DAT
+ 2004-11-20 04:53 . 2009-05-11 19:55 410574 c:\windows\SYSTEM32\PERFH009.DAT
- 2004-11-20 04:53 . 2009-05-11 19:42 410574 c:\windows\SYSTEM32\PERFH009.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-04-30 1830128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-24 39408]
"Google Update"="c:\documents and settings\Nicholas Laidlaw\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-13 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPZRCV01.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HPZRCV01.LNK
backup=c:\windows\pss\HPZRCV01.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ZDWLan Utility.lnk]
backup=c:\windows\pss\ZDWLan Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jeffrey Laidlaw^Start Menu^Programs^Startup^PowerReg Scheduler.exe]

[HKLM\~\startupfolder\C:^Documents and Settings^Nicholas Laidlaw^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Nicholas Laidlaw\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WUSB54GCSVC"=2 (0x2)
"Windows Action Script"=2 (0x2)
"ScsiAccess"=2 (0x2)
"PnkBstrB"=3 (0x3)
"PnkBstrA"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"MsSecurity1.209.4"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"KodakCCS"=2 (0x2)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"IAANTMon"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"DSBrokerService"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)
"bgsvcgen"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"fci"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Activision\\Rome - Total War\\RomeTW.exe"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Guild Wars\\Gw.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Compact Wireless-G USB Adapter Wireless Network Monitor\\InvokeSvc2.exe"=
"c:\\Program Files\\ZyDAS Technology Corporation\\ZyDAS_802.11g_Utility\\ZDWlan.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Nicholas Laidlaw\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=

R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [3/23/2009 2:07 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [3/23/2009 2:07 PM 72944]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\Memeo\AutoBackup\MemeoBackgroundService.exe [11/7/2008 3:38 PM 25824]
R2 ZDCNDIS5;ZDCNDIS5 NDIS Protocol Driver;c:\windows\SYSTEM32\ZDCndis5.sys [6/25/2008 3:09 PM 19072]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [3/23/2009 2:07 PM 7408]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\SYSTEM32\DRIVERS\BRGSp50.sys [9/3/2006 3:01 PM 20608]
S3 xbreader;ActionReplay XBox Driver (xbreader.sys);c:\windows\SYSTEM32\DRIVERS\xbreader.sys [4/9/2005 10:46 PM 19677]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11b9fcdb-b1c2-11dd-8b37-00038a000015}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-05-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-626145550-3952361536-1041508808-1008.job
- c:\documents and settings\Nicholas Laidlaw\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-13 22:13]

2009-05-11 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-04-21 21:21]

2009-01-01 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-04-21 21:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v5.cab
FF - ProfilePath - c:\documents and settings\Nicholas Laidlaw\Application Data\Mozilla\Firefox\Profiles\l7493hpz.default\
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-11 19:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(4040)
c:\windows\system32\hnetcfg.dll
.
Completion time: 2009-05-11 19:07
ComboFix-quarantined-files.txt 2009-05-11 23:05
ComboFix2.txt 2009-05-11 19:58
ComboFix3.txt 2009-05-10 19:18
ComboFix4.txt 2009-05-10 16:19

Pre-Run: 12,682,072,064 bytes free
Post-Run: 12,661,161,984 bytes free

258 --- E O F --- 2009-05-11 04:41
nickster137 is offline  
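An added triage script for logs like the one posted above (written for this page, not part of the thread or of ComboFix): it reads a saved ComboFix log and flags the entries that matter for a redirect-style infection, namely the Security Center overrides, the disabled firewall, the AutoRun handler on a removable drive, and the IE and Firefox proxy settings pointing at localhost:7171. The sample log is a constructed excerpt of the one above; the function and host list are this example's own.

```python
import re

# Constructed excerpt modelled on the ComboFix log posted above (a hypothetical
# sample for this example, not the complete log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
uInternet Settings,ProxyServer = http=localhost:7171
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1
"""

LOCAL_HOSTS = {"localhost", "127.0.0.1"}   # a browser proxy on the box itself is suspicious

def triage_combofix(text):
    """Return (severity, message) findings for settings a redirect-style
    infection commonly leaves behind. Pure text matching over a saved log;
    nothing on the machine is touched."""
    findings = []
    section = ""    # lower-cased header of the current [registry key] block
    ff_proxy = {}   # Firefox network.proxy.* prefs collected across lines
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):            # a new [registry key] block begins
            section = line.lower()
            continue
        if "security center" in section:
            m = re.match(r'"(AntiVirusOverride|FirewallOverride|DisableMonitoring)"=dword:0*1$', line)
            if m:
                findings.append(("high", f"Security Center warning suppressed: {m.group(1)}=1"))
        elif "firewallpolicy" in section and re.match(r'"EnableFirewall"=\s*0\b', line):
            profile = section.rsplit("\\", 1)[-1].rstrip("]")
            findings.append(("high", f"Windows Firewall disabled for profile '{profile}'"))
        elif "mountpoints2" in section and "autorun" in line.lower():
            findings.append(("info", "AutoRun handler on removable drive: " + line.split(" - ", 1)[-1]))
        # Supplementary-scan lines: IE (uInternet Settings) and Firefox (prefs.js) proxies
        m = re.match(r"uInternet Settings,ProxyServer = (?:http=)?([^:;]+):(\d+)", line)
        if m and m.group(1).lower() in LOCAL_HOSTS:
            findings.append(("high", f"IE routes HTTP through local proxy {m.group(1)}:{m.group(2)}"))
        m = re.match(r"FF - prefs\.js: network\.proxy\.(\w+) - (.+)", line)
        if m:
            ff_proxy[m.group(1)] = m.group(2).strip()
    # network.proxy.type 1 is "manual proxy configuration" in Firefox
    if ff_proxy.get("type") == "1" and ff_proxy.get("http", "").lower() in LOCAL_HOSTS:
        port = ff_proxy.get("http_port", "?")
        findings.append(("high", f"Firefox routes HTTP through local proxy {ff_proxy['http']}:{port}"))
    return findings
```

Call `triage_combofix(open(path).read())` on a saved log; on the sample above it returns six findings, five of them high.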
Old 05-11-2009, 05:22 PM   #10 (permalink)
Analyst, Security Team
 
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,293
OS: Windows 7 Premium x64


Re: malware and redirects

Howdy there Nicholas

All appears to be good. Just a spot of updating to do....

Your Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system.
There is a newer version of Adobe Acrobat Reader available.
  • Please go to this link Adobe Acrobat Reader Download Link
  • Click Download
  • On the right Untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
  • Click the Continue button
  • Click Run, and click Run again
  • Next click the Install Now button and follow the on screen prompts

When the installation is complete go to Add/Remove Programs and uninstall all previous versions.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "JRE 6 Update 13."
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove the following versions of Java.

    J2SE Runtime Environment 5.0 Update 11
    Java 2 Runtime Environment, SE v1.4.2_03


    Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

I also notice that you have RegCure installed. Registry cleaners tend to present more problems than they solve. The positive effects of registry cleaners are barely noticeable, if any. I recommend that you uninstall the product to minimise any risk to your system. I have placed a couple of links for you to read below in your own time.

Information from Bill Castner (MS-MVP) on why you should NOT use one here - http://aumha.net/viewtopic.php?t=28099
Information from miekiemoes (MS-MVP) on why you should NOT use one here - http://miekiemoes.blogspot.com/2008/...eaking_13.html

IMPORTANT
Let's tidy up after ourselves

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

Now that you appear to be free from malware, let's help you stay that way!

Update windows on a regular basis - If you do not have automatic updates enabled then

Visit Microsoft's Update Page and update your computer from there
Update your virus checker on a regular basis - It is no use having a virus checker with out of date definitions.
Keep an eye on your firewall. Check what it wants to allow; do not simply allow everything. If there are any processes that you are unsure of then don't be afraid to ask for advice. For more information on firewalls read this article here

Make your Internet Explorer more secure - This can be done by following these simple instructions:

Open Internet Explorer, click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

Safer Browsing
Use software such as Trendprotect or Sitehound to help you stay away from unsuspecting sites that have malicious purposes.
Use Spywareblaster to help prevent the installation of unwanted BHO's (Browser Helper Objects)

Use an alternative browser
Other browsers tend to be more secure than IE as they do not make use of ActiveX objects; ActiveX objects can be used by spyware as an infection point on your computer. Safer non-ActiveX browsers include Opera browser and, more recently, Firefox browser.

Computer Maintenance
Malware can breed in temporary locations. Use a program such as ccleaner slim to clear out temporary files on your computer on a regular basis.

Scan your computer regularly for malware
Scan on a regular basis to keep your computer clean; free software such as Spybot's Search & Destroy and Adaware 2007 Free by Lavasoft can help you keep clear. These products are scan-on-demand and do not have active background scanning. These two products can be installed together without any complications.

Other alternative software that runs under licence and monitors your computer continuously in the background for malware is Malwarebytes Anti-Malware (MBAM) - Please note that this product can also be run for free without a licence but the background protection will not be active.

Secure your router
Change your router's default username and password; do not leave it at the factory preset, as doing so makes it easy for unauthorised access.

Encrypt your network. Set your wireless network encryption to a minimum level of WPA-PSK [TKIP]. This will help prevent any unauthorised users "piggybacking" onto your network and stealing your bandwidth which you have rightly paid for.

I have included some security related articles that I advise you read through in your own time. These articles will give you tips and advice on preventing malware, and how to stay safe whilst browsing the internet.

-> So How Did I Get Infected In First Place - By TonyKlein
-> How to prevent Malware - By miekiemoes
-> I'm not pulling your leg, honest - By Sandi Hardmeier

**Kindly respond one more time and let me know if we may consider this thread resolved.
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007

Last edited by sjb007; 05-11-2009 at 05:23 PM.
sjb007 is offline  
Old 05-11-2009, 06:15 PM   #11 (permalink)
Registered User
 
Join Date: May 2009
Posts: 7
OS: winxp


Re: malware and redirects

Thank you sooooo much for all your help and step by step procedures! You have restored my computer to perfect working condition!
nickster137 is offline  
Old 05-11-2009, 06:18 PM   #12 (permalink)
Analyst, Security Team
 
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,293
OS: Windows 7 Premium x64


Re: malware and redirects

Not a problem, only too glad to lend a hand

As this issue is now resolved I will now discontinue monitoring this thread for replies. Should you require any further assistance please start a new topic in the relevant section of the forums

Good luck and happy safe surfing!
sjb007 is offline  
All times are GMT -7. The time now is 11:59 PM.



Copyright 2001 - 2009, Tech Support Forum