Redirects etc...

Post by Dom Lightweight on 4th May 2011, 10:36 pm

I've been having redirects for quite a while but have been having extensive problems the last few days...the computer has been shutting down on its own, windows have been freezing, the internet has stopped and started working etc... Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:32:16 PM, on 5/4/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\HP_Administrator\Application Data\dwm.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Documents and Settings\HP_Administrator\Application Data\Microsoft\conhost.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\csrss.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdateMgr.exe
C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\DivX\DivX Plus Web Player\DDmService.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\DISC\DiscGui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\eHome\ehRec.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\HP_Administrator\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\rarliw32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:54283
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: load=C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\csrss.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Increase performance and video formats for your HTML5

Dom Lightweight
Intermediate

Posts : 59
Joined : 2010-01-15
OS : Windows XP
Points : 26033
# Likes : 0

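The log above shows three things a helper looks for by eye: a browser proxy forced through 127.0.0.1, a win.ini load= autostart, and executables that carry core Windows process names (csrss.exe, dwm.exe, conhost.exe) but run from Temp or Application Data. As an added example, not part of this thread and not HijackThis' own code, here is a small Python triage script that applies those same checks to log lines. The process-name set and the user-writable path markers are my own heuristic choices, and the sample input is a constructed mix of lines taken from the log in the post with benign entries for contrast.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread)."""
import re
from typing import NamedTuple, Optional


class Finding(NamedTuple):
    severity: str   # "high" or "medium"
    reason: str
    line: str


# Core Windows processes that on XP live only under %SystemRoot%\system32.
# Malware often borrows these names so an entry looks normal at a glance;
# the path, not the name, gives it away. (Assumed list, chosen for this example.)
SYSTEM_PROCESS_NAMES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "conhost.exe", "dwm.exe",
}

# Lower-case path fragments (8.3 short forms included) marking locations a
# plain user can write to; any executable launched from there gets a look.
USER_WRITABLE_MARKERS = (
    "\\application data\\", "\\local settings\\", "\\locals~1\\",
    "\\temp\\", "\\startup\\",
)

# IE-style proxy setting pointing at the local machine (HJT R1 lines and
# ComboFix "uInternet Settings,ProxyServer" lines share this shape).
LOOPBACK_PROXY = re.compile(
    r"ProxyServer\s*=\s*(?:http=)?(127\.0\.0\.1|localhost):(\d+)", re.IGNORECASE)
# Legacy win.ini load= autostart, reported by HJT as an F3 line.
WININI_LOAD = re.compile(r"REG:win\.ini:\s*load=(.+)", re.IGNORECASE)
# First drive-letter path ending in .exe on the line (spaces allowed).
EXE_PATH = re.compile(r"([a-z]:\\.+?\.exe)(?!\w)", re.IGNORECASE)


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing stands out."""
    line = line.strip()
    if not line:
        return None
    m = LOOPBACK_PROXY.search(line)
    if m:
        return Finding("high", f"browser proxy forced through loopback port {m.group(2)}", line)
    if WININI_LOAD.search(line):
        return Finding("high", "win.ini load= autostart entry", line)
    m = EXE_PATH.search(line)
    if m:
        path = m.group(1).lower()
        name = path.rsplit("\\", 1)[-1]
        if name in SYSTEM_PROCESS_NAMES and "\\system32\\" not in path:
            return Finding("high", f"{name} running outside system32", line)
        if any(marker in path for marker in USER_WRITABLE_MARKERS):
            return Finding("medium", "executable in user-writable location", line)
    return None


def triage(lines):
    """Run check_line over every line and keep the findings, in log order."""
    return [f for f in map(check_line, lines) if f is not None]


# Constructed sample: lines copied from the log in the post above, mixed with
# benign entries so the filter has something to ignore.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\csrss.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Documents and Settings\HP_Administrator\Application Data\dwm.exe
C:\Documents and Settings\HP_Administrator\Application Data\Microsoft\conhost.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\csrss.exe
C:\Documents and Settings\HP_Administrator\Application Data\Dropbox\bin\Dropbox.exe
C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\rarliw32.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:54283
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: load=C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\csrss.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity:6}] {f.reason}: {f.line}")
```

The "medium" findings are deliberately broad: Dropbox.exe legitimately runs from Application Data, so a path marker alone is a prompt to check the file, while a system process name outside system32 or a loopback proxy is reported as "high" because neither has a normal explanation on an XP desktop.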

Re: Redirects etc...

Post by Pancake on 4th May 2011, 11:06 pm

Hi. Welcome to the forum. This should fix the problem.


Please run all these programs..


Download the [You must be registered and logged in to see this link.] and extract to your Desktop.


Execute TDSSKiller.exe by double-clicking on it. You may be prompted to restart your machine. Type Y at the prompt.

Once complete, a log will be produced at root. It will be named

UtilityName.Version_Date_Time_log.txt.

for example, C:\TDSSKiller.2.2.0_27.1.2010_15.31.43_log.txt.


Attach that log here please.



====================================================


Please download Malwarebytes' Anti-Malware from one of these places:

[You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.]


Double-click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.

* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. Do so.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and paste the entire report in your next reply.



===============================================



Download Combofix from [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.] and place it on your Desktop

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. ComboFix may be slow to start and appear to be doing nothing before it starts scanning. Just leave it; it will start.

You can get help on disabling your protection programs here : [You must be registered and logged in to see this link.]

Please include the C:\ComboFix.txt in your next reply for further review.


Caution.....
Never use this program to remove files. Only use it with help from an experienced user. Wrongful use can damage your computer. This tool is not a toy and not for everyday use. ComboFix SHOULD NOT be used unless requested by a qualified helper.


Pancake
Senior

Posts : 222
Joined : 2010-03-06
Gender : Male
OS : Windows 7
Points : 28208
# Likes : 0


Re: Redirects etc...

Post by Dom Lightweight on 5th May 2011, 4:10 am

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

5/4/2011 11:09:25 PM
mbam-log-2011-05-04 (22-46-14).txt

Scan type: Quick Scan
Objects scanned: 158837
Time elapsed: 25 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\HP_Administrator\Local Settings\temp\csrss.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\HP_Administrator\Application Data\avdrn.dat (Malware.Trace) -> No action taken.


Re: Redirects etc...

Post by Dom Lightweight on 5th May 2011, 4:10 am

ComboFix 11-05-04.02 - HP_Administrator 05/04/2011 23:37:33.7.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1407 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\e6d571031he03p0h7blm0cx
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\HP_Administrator\Application Data\avdrn.dat
c:\documents and settings\HP_Administrator\Application Data\dwm.exe
c:\documents and settings\HP_Administrator\Application Data\Microsoft\conhost.exe
c:\documents and settings\HP_Administrator\Application Data\OfferBox
c:\documents and settings\HP_Administrator\Application Data\OfferBox\config.dat
c:\documents and settings\HP_Administrator\Application Data\OfferBox\config.xml
c:\documents and settings\HP_Administrator\Local Settings\Application Data\{62782400-020B-45A1-B172-379CD74D936B}
c:\documents and settings\HP_Administrator\Local Settings\Application Data\{62782400-020B-45A1-B172-379CD74D936B}\chrome.manifest
c:\documents and settings\HP_Administrator\Local Settings\Application Data\{62782400-020B-45A1-B172-379CD74D936B}\chrome\content\_cfg.js
c:\documents and settings\HP_Administrator\Local Settings\Application Data\{62782400-020B-45A1-B172-379CD74D936B}\chrome\content\overlay.xul
c:\documents and settings\HP_Administrator\Local Settings\Application Data\{62782400-020B-45A1-B172-379CD74D936B}\install.rdf
c:\documents and settings\HP_Administrator\Local Settings\Application Data\lsh.exe
c:\documents and settings\HP_Administrator\Local Settings\Application Data\yjd.exe
c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\rarliw32.exe
c:\documents and settings\HP_Administrator\WINDOWS
C:\Microsoft
c:\program files\OfferBox
c:\program files\OfferBox\offerboxffx@offerbox.com\components\OfferBoxXpCom.dll
C:\Recycle.Bin
c:\recycle.bin\Recycle.Bin.exe
c:\windows\idijeleh.dll
c:\windows\system32\54178.dll
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\svrwsc.exe
c:\windows\Wagdil6.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_SVRWSC
-------\Service_SvrWsc
.
.
((((((((((((((((((((((((( Files Created from 2011-04-05 to 2011-05-05 )))))))))))))))))))))))))))))))
.
.
2011-05-04 21:33 . 2011-04-14 16:26 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-05-04 21:33 . 2011-04-14 16:25 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-05-04 21:33 . 2011-04-14 16:25 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-05-04 21:33 . 2011-04-14 16:25 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-05-04 21:33 . 2011-04-14 16:25 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-05-04 21:33 . 2011-04-14 16:25 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-05-04 21:33 . 2010-01-01 08:00 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-05-04 21:33 . 2010-01-01 08:00 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-05-01 19:03 . 2011-05-02 15:11 179712 ----a-w- c:\program files\Windows NT\dwm.exe
2011-05-01 19:03 . 2011-05-02 20:54 -------- d-----w- c:\documents and settings\All Users\Application Data\lJ28601CbNcC28601
2011-05-01 19:03 . 2011-05-01 19:03 170496 ----a-w- c:\program files\Internet Explorer\conhost.exe
2011-04-29 00:24 . 2011-04-29 00:24 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-04-29 00:24 . 2011-04-29 00:24 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-04 18:57 . 2010-10-22 01:40 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-03-17 05:31 . 2010-10-17 16:01 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-02-04 22:48 . 2004-08-10 04:00 456192 ------w- c:\windows\system32\encdec.dll
2011-02-04 22:48 . 2004-08-10 04:00 291840 ----a-w- c:\windows\system32\sbe.dll
2011-04-14 16:26 . 2011-05-04 21:33 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2011-01-11 395640]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-13 68856]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"DISCover"="c:\program files\DISC\DISCover.exe" [2005-11-12 1064960]
"DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-11-12 61440]
"DMAScheduler"="c:\program files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe" [2005-11-01 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-10 249856]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
"Linksys Wireless Manager"="c:\program files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" [2009-02-16 1358384]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-03 281768]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2011-03-06 6449984]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-12-08 1226608]
"DivX Download Manager"="c:\program files\DivX\DivX Plus Web Player\DDmService.exe" [2010-12-08 63360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
.
c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\HP_Administrator\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe.vir [2006-3-2 36903]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-3-2 27136]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-09-28 23:34 87352 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\HP_Administrator\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/17/2010 12:01 PM 136360]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41 PM 12856]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\HP_ADM~1\LOCALS~1\Temp\SuperAntiSpyware\SASDIFSV.SYS --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\SuperAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\HP_ADM~1\LOCALS~1\Temp\SuperAntiSpyware\SASKUTIL.SYS --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\SuperAntiSpyware\SASKUTIL.SYS [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/18/2010 7:54 PM 135664]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [12/3/2010 5:04 PM 16512]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [2/18/2010 9:29 PM 23456]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/18/2010 7:54 PM 135664]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [10/21/2010 9:40 PM 16968]
S3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\drivers\WUSB54GCv3.sys [9/2/2009 7:57 AM 627072]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/8/2010 5:22 PM 691696]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WUAUSERV
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
2011-05-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-18 23:54]
.
2011-05-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-18 23:54]
.
2011-05-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1423768027-2586421752-2192907715-1008Core.job
- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-03 19:30]
.
2011-05-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1423768027-2586421752-2192907715-1008UA.job
- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-03 19:30]
.
2011-05-03 c:\windows\Tasks\Norton Security Scan for HP_Administrator.job
- c:\progra~1\NORTON~2\Engine\301~1.8\Nss.exe [2011-01-19 07:23]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
mDefault_Search_URL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:54283
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
mSearchAssistant = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
Trusted Zone: trymedia.com
TCP: {4DC2EB99-A323-4564-AD7D-5D29046CCD1C} = 213.109.64.5,213.109.72.21
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\jadnwcli.default\
FF - prefs.js: browser.startup.homepage - gmail.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 54283
FF - prefs.js: network.proxy.type - 1
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Dyuvumamumuset - c:\windows\Wagdil6.dll
HKCU-Run-SvrWsc - (no file)
HKLM-Run-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe
HKLM-Run-Ozubetalajoq - c:\windows\idijeleh.dll
HKLM-Run-conhost - c:\documents and settings\HP_Administrator\Application Data\Microsoft\conhost.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2011-05-04 23:50
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\uttC.tmp 0 bytes
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(3620)
c:\documents and settings\HP_Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ARPWRMSG.EXE
c:\windows\eHome\ehmsas.exe
c:\program files\DISC\DiscGui.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\rundll32.exe
c:\program files\DISC\DiscStreamHub.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-05-04 23:59:25 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-05 03:59
.
Pre-Run: 373,841,920 bytes free
Post-Run: 1,447,030,784 bytes free
.
- - End Of File - - AD16C4F1DFB25409BDA72FAD9E6B552B


Re: Redirects etc...

Post by Dom Lightweight on 5th May 2011, 4:11 am

Ran TDSSKiller before the other two, but the computer froze and it didn't produce a log. The computer also froze while MalwareBytes was trying to quarantine the files.


Re: Redirects etc...

Post by Pancake on 5th May 2011, 4:38 am

Ok. Looking good. Just this to do and we are done.


WARNING these fixes are designed for this user only and may cause damage if run on any other machine.


Please download the [You must be registered and logged in to see this link.]

Save it to your Desktop.
Please double-click OTM.exe to run it.
Copy the commands with file paths below to the clipboard by highlighting ALL of the green text and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


Code:

:Processes
explorer.exe
:otl
:files
:reg
:services
:Commands
ipconfig /flushdns /c
c:\recycler\
f:\recycler\
g:\recycler\
[clearallrestorepoints]
[createrestorepoint]
[purity]
[resethosts]
[emptytemp]
[start explorer]
[Reboot]

Return to OTM.exe, right click in the "Paste Instructions for Items to be Moved" window (under the light yellow bar) and choose Paste.
Click the red Moveit! button.
A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTM.exe

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Re: Redirects etc...

Post by Dom Lightweight on 5th May 2011, 6:52 am

All processes killed
Error: Unable to interpret ~[Filtered]~ in the current context!
========== PROCESSES ==========
No active process named explorer.exe was found!
Error: Unable to interpret <:otl> in the current context!
========== FILES ==========
========== REGISTRY ==========
========== SERVICES/DRIVERS ==========
========== COMMANDS ==========

Restore points cleared and new OTM Restore Point set!
Error starting restore point: System Restore is disabled.
Error closing restore point: System Restore is disabled.
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 31285 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: HP_Administrator
->Temp folder emptied: 1258234 bytes
->Temporary Internet Files folder emptied: 4765063 bytes
->Java cache emptied: 958118 bytes
->FireFox cache emptied: 139903653 bytes
->Google Chrome cache emptied: 225073626 bytes
->Flash cache emptied: 167424 bytes

User: LocalService
->Temp folder emptied: 65536 bytes
->Temporary Internet Files folder emptied: 32835 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 13732 bytes
->Flash cache emptied: 3425 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16384 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 236678 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 355.00 mb


OTM by OldTimer - Version 3.1.17.2 log created on 05052011_024408

Files moved on Reboot...
C:\WINDOWS\temp\Perflib_Perfdata_8f4.dat moved successfully.

Registry entries deleted on Reboot...

Dom Lightweight (Intermediate)
Posts: 59 | Joined: 2010-01-15 | OS: Windows XP | Points: 26033 | Likes: 0

Re: Redirects etc...

Post by Pancake on 5th May 2011, 10:50 am

Ok. All done. I see no more malware. Log looks good! All those detections are either in quarantine or system restore, both of which we'll be cleaning out in just a minute. Congratulations, well done.


Go to Start > Run, then copy and paste the following highlighted (blue) text into the box and click OK.

ComboFix /uninstall

Over the course of the fix you've used a variety of special tools to help with the cleaning process - none of these are of any use to you now that you're clean, and it's best not to have them hanging around on your computer. OTC is a small program that removes all the leftover tools and logs from cleanup of malware.


Please download OTC to your desktop.


Double-click OTC to run it. (Vista users, please right click on OTC and select "Run as an Administrator")

Click on the CleanUp! button and follow the prompts.

You will be asked to reboot the machine to finish the Cleanup process, choose Yes.

After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.


Here are some tips to reduce the potential for malware infection in the future; I strongly suggest that you read them and take them to heart so that you don't have to endure the process of cleaning your computer again.


Pancake (Senior)
Posts: 222 | Joined: 2010-03-06 | Gender: Male | OS: Windows 7 | Points: 28208 | Likes: 0

Re: Redirects etc...

Post by Dom Lightweight on 14th May 2011, 2:29 pm

Maybe this is not fault for not cleaning everything up at the end, but I got infected again. My computer went into "XP Recovery mode" and my desktop went black and everything on the desktop and task bar was hidden. I managed to temporarily get rid of the fake antivirus software. Right now, everything in the taskbar is still hidden, but I managed to unhide the stuff on my desktop even though the background is still black.

Here is a quick Malwarebytes' scan I just did:


Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

5/14/2011 10:20:36 AM
mbam-log-2011-05-14 (10-20-36).txt

Scan type: Quick Scan
Objects scanned: 125532
Time elapsed: 13 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\HP_Administrator\Local Settings\temp\0.09649997064303062.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

And here is the OTL scan:

OTL logfile created on: 5/14/2011 10:23:38 AM - Run 1
OTL by OldTimer - Version 3.2.6.0 Folder = C:\Documents and Settings\HP_Administrator\My Documents\Downloads
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 56.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 270.99 Gb Total Space | 0.86 Gb Free Space | 0.32% Space Free | Partition Type: NTFS
Drive D: | 8.45 Gb Total Space | 0.46 Gb Free Space | 5.43% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
Drive F: | 261.24 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: EVAN
Current User Name: HP_Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2011/04/27 17:05:33 | 000,136,360 | -H-- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2011/04/14 12:25:55 | 000,016,856 | -H-- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\plugin-container.exe
PRC - [2011/04/14 12:25:41 | 000,924,632 | -H-- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/03/17 01:31:15 | 000,269,480 | -H-- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2011/02/18 16:37:16 | 000,037,664 | -H-- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2011/01/10 22:46:07 | 000,395,640 | -H-- | M] (BitTorrent, Inc.) -- C:\Program Files\uTorrent\uTorrent.exe
PRC - [2010/12/08 17:15:44 | 000,063,360 | -H-- | M] (DivX, LLC) -- C:\Program Files\DivX\DivX Plus Web Player\DDMService.exe
PRC - [2010/12/08 15:17:46 | 001,226,608 | -H-- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
PRC - [2010/11/03 15:24:45 | 000,281,768 | -H-- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/06/13 23:11:24 | 000,572,416 | -H-- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\My Documents\Downloads\OTL.exe
PRC - [2010/01/14 22:11:00 | 000,076,968 | -H-- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2010/01/07 17:07:10 | 001,394,000 | -H-- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
PRC - [2009/10/12 21:20:22 | 000,068,856 | -H-- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2009/09/28 19:34:22 | 000,116,032 | -H-- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\ramaint.exe
PRC - [2009/09/28 19:34:16 | 000,378,176 | -H-- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LMIGuardian.exe
PRC - [2009/02/16 05:44:55 | 001,358,384 | RH-- | M] (Linksys, LLC) -- C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe
PRC - [2008/12/12 18:06:40 | 000,642,856 | -H-- | M] (Cisco Systems, Inc.) -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
PRC - [2008/12/12 18:06:40 | 000,642,856 | -H-- | M] (Cisco Systems, Inc.) -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
PRC - [2008/08/11 12:41:00 | 000,063,040 | -H-- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | -H-- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/04/16 16:28:22 | 000,577,536 | -H-- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\soundman.exe
PRC - [2007/01/08 16:08:10 | 000,094,208 | -H-- | M] () -- C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
PRC - [2005/11/12 00:11:12 | 000,237,568 | -H-- | M] (Digital Interactive Systems Corporation, Inc.) -- C:\Program Files\DISC\DiscGui.exe
PRC - [2005/11/12 00:11:04 | 001,064,960 | -H-- | M] (Digital Interactive Systems Corporation) -- C:\Program Files\DISC\DISCover.exe
PRC - [2005/11/12 00:10:00 | 000,061,440 | -H-- | M] (Digital Interactive Systems Corporation, Inc.) -- C:\Program Files\DISC\DISCUpdateMgr.exe
PRC - [2005/11/12 00:10:00 | 000,049,152 | -H-- | M] (Digital Interactive Systems Corporation, Inc.) -- C:\Program Files\DISC\DiscStreamHub.exe
PRC - [2005/11/09 20:29:16 | 000,249,856 | -H-- | M] (Hewlett-Packard Company) -- C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
PRC - [2005/11/01 13:01:00 | 000,090,112 | -H-- | M] (Sonic Solutions) -- C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
PRC - [2005/08/11 15:30:30 | 000,081,920 | -H-- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PRC - [2005/08/03 03:19:16 | 000,077,312 | -H-- | M] (Microsoft) -- C:\WINDOWS\arpwrmsg.exe
PRC - [2005/08/03 03:19:16 | 000,058,880 | -H-- | M] (Microsoft) -- C:\WINDOWS\arservice.exe


========== Modules (SafeList) ==========

MOD - [2010/08/23 12:12:02 | 001,054,208 | -H-- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2010/06/13 23:11:24 | 000,572,416 | -H-- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\My Documents\Downloads\OTL.exe
MOD - [2008/04/13 20:12:08 | 000,118,784 | -H-- | M] () -- C:\WINDOWS\Wagdil6.dll
MOD - [2008/04/13 20:10:20 | 000,110,592 | -H-- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2011/04/27 17:05:33 | 000,136,360 | -H-- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2011/03/17 01:31:15 | 000,269,480 | -H-- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011/02/18 16:37:16 | 000,037,664 | -H-- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/09/28 19:34:22 | 000,116,032 | -H-- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\RaMaint.exe -- (LMIMaint)
SRV - [2008/12/12 18:06:40 | 000,642,856 | -H-- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe -- (nmservice)
SRV - [2008/08/11 12:41:00 | 000,063,040 | -H-- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
SRV - [2007/01/08 16:08:10 | 000,094,208 | -H-- | M] () [Auto | Running] -- C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe -- (MA_CMIDI_InstallerService)
SRV - [2005/08/03 03:19:16 | 000,058,880 | -H-- | M] (Microsoft) [Auto | Running] -- C:\WINDOWS\arservice.exe -- (ARSVC)
SRV - [2004/09/29 23:14:36 | 000,069,632 | -H-- | M] (HP) [Boot | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - [2011/05/04 14:57:06 | 000,016,968 | -H-- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hitmanpro35.sys -- (hitmanpro35)
DRV - [2011/03/17 01:31:16 | 000,137,656 | -H-- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2010/11/22 21:53:05 | 000,061,960 | -H-- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010/09/08 17:22:56 | 000,691,696 | -H-- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd)
DRV - [2010/01/07 17:07:14 | 000,038,224 | -H-- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2009/12/17 12:35:44 | 000,023,456 | -H-- | M] (Phoenix Technologies) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\DrvAgent32.sys -- (DrvAgent32)
DRV - [2009/09/28 19:34:48 | 000,083,288 | -H-- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\system32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2009/05/11 12:49:19 | 000,011,608 | -H-- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2009/05/11 10:12:49 | 000,028,520 | -H-- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2008/12/12 18:05:20 | 000,025,264 | -H-- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\purendis.sys -- (purendis)
DRV - [2008/12/12 18:05:18 | 000,023,984 | -H-- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\pnarp.sys -- (pnarp)
DRV - [2008/12/04 09:17:15 | 000,627,072 | RH-- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WUSB54GCv3.sys -- (WUSB54GCv3)
DRV - [2008/09/24 11:40:22 | 004,122,368 | RH-- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\alcxwdm.sys -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2008/08/11 12:41:00 | 000,047,640 | -H-- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2008/08/11 12:41:00 | 000,012,856 | -H-- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
DRV - [2008/04/13 14:45:34 | 000,046,592 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\irbus.sys -- (IrBus)
DRV - [2008/04/13 14:45:12 | 000,060,032 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2006/08/16 09:23:46 | 000,021,888 | -H-- | M] (M-Audio) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ma_cmidi.sys -- (MA_CMIDI)
DRV - [2005/12/12 19:27:00 | 000,019,072 | -H-- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\PS2.sys -- (Ps2)
DRV - [2005/10/20 19:01:56 | 001,095,009 | -H-- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2005/09/30 14:11:42 | 000,078,720 | -H-- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2005/08/14 00:35:00 | 001,313,792 | -H-- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/07/28 21:07:58 | 000,156,800 | -H-- | M] (Hauppauge Computer Works, Inc.) [23|25|26]xxx) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hcwPP2.sys -- (hcwPP2)
DRV - [2005/06/29 20:03:18 | 000,175,104 | -H-- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ftsata2.sys -- (ftsata2)
DRV - [2005/06/17 09:33:40 | 000,872,064 | -H-- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\iaStor.sys -- (iaStor)
DRV - [2005/03/09 16:53:00 | 000,036,352 | -H-- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2004/08/03 17:31:34 | 000,020,992 | -H-- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2003/11/05 10:45:12 | 000,017,408 | -H-- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\bb-run.sys -- (bb-run)
DRV - [2002/07/17 10:05:10 | 000,016,512 | -H-- | M] (Adaptec) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ASPI32.SYS -- (ASPI)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = [You must be registered and logged in to see this link.]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:54283

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "gmail.com"
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.1.2.0185
FF - prefs.js..extensions.enabledItems: {6904342A-8307-11DF-A508-4AE2DFD72085}:2.1.0.900
FF - prefs.js..extensions.enabledItems: {23fcfd51-4958-4f00-80a3-ae97e717ed8b}:2.1.0.900
FF - prefs.js..extensions.enabledItems: {F8CC37C3-CBEB-4A00-8CBF-26A88693F0C5}:2.2010.1.5
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:7
FF - prefs.js..extensions.enabledItems: vshare@toolbar:1.0.0
FF - prefs.js..extensions.enabledItems: {a95d8332-e4b4-6e7f-98ac-20b733364387}:0.5
FF - prefs.js..extensions.enabledItems: {62782400-020B-45A1-B172-379CD74D936B}:1.9.1
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.6
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 54283
FF - prefs.js..network.proxy.type: 0

FF - HKLM\software\mozilla\Firefox\extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\html5video [2010/12/14 00:55:08 | 000,000,000 | -H-D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{6904342A-8307-11DF-A508-4AE2DFD72085}: C:\Program Files\DivX\DivX Plus Web Player\firefox\wpa [2010/12/14 00:55:09 | 000,000,000 | -H-D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{9F72BFEA-BB26-45AE-ABA8-792038F5CED1}: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\{9F72BFEA-BB26-45AE-ABA8-792038F5CED1} [2011/05/14 00:05:42 | 000,000,000 | -H-D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/04 17:33:36 | 000,000,000 | -H-D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/04 17:33:35 | 000,000,000 | -H-D | M]
FF - HKLM\software\mozilla\Netscape Browser 8.0.3.4\Extensions\\Components: C:\Program Files\Netscape\Netscape Browser\Components [2011/03/16 01:07:29 | 000,000,000 | -H-D | M]
FF - HKLM\software\mozilla\Netscape Browser 8.0.3.4\Extensions\\Plugins: C:\Program Files\Netscape\Netscape Browser\Plugins [2011/03/16 01:07:28 | 000,000,000 | -H-D | M]
FF - HKLM\software\mozilla\Netscape Browser 8.0.3.4 \Extensions\\Components: C:\PROGRA~1\NETSCAPE\NETSCA~1\Components [2011/03/16 01:07:29 | 000,000,000 | -H-D | M]
FF - HKLM\software\mozilla\Netscape Browser 8.0.3.4 \Extensions\\Plugins: C:\PROGRA~1\NETSCAPE\NETSCA~1\Plugins [2011/03/16 01:07:28 | 000,000,000 | -H-D | M]

[2009/09/02 00:03:34 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Extensions
[2011/05/14 10:08:27 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\jadnwcli.default\extensions
[2010/02/18 21:29:24 | 000,000,000 | -H-D | M] (DriverAgent Plugin for Firefox and Opera) -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\jadnwcli.default\extensions\{F8CC37C3-CBEB-4A00-8CBF-26A88693F0C5}
[2011/05/10 08:15:20 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\jadnwcli.default\extensions\DTToolbar@toolbarnet.com
[2010/10/24 13:07:24 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\jadnwcli.default\extensions\vshare@toolbar
[2011/05/04 17:33:36 | 000,000,000 | -H-D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/12/28 19:14:18 | 000,000,000 | -H-D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011/04/14 12:26:02 | 000,142,296 | -H-- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2010/12/28 19:14:05 | 000,472,808 | -H-- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/01/01 04:00:00 | 000,002,252 | -H-- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/05/05 02:44:16 | 000,000,098 | -H-- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (DivX Plus Web Player HTML5

Dom Lightweight (Intermediate)
Posts: 59 | Joined: 2010-01-15 | OS: Windows XP | Points: 26033 | Likes: 0

Re: Redirects etc...

Post by Belahzur on 14th May 2011, 3:35 pm

Hello.
Pancake is away so I will take over from here. We need to use Combofix again.


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    File::
    c:\program files\Windows NT\dwm.exe
    c:\program files\Internet Explorer\conhost.exe

    Folder::
    c:\documents and settings\All Users\Application Data\lJ28601CbNcC28601

    DDS::
    uInternet Settings,ProxyOverride = *.local
    uInternet Settings,ProxyServer = http=127.0.0.1:54283

    Firefox::
    FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\jadnwcli.default\
    FF - prefs.js: browser.startup.homepage - gmail.com
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 54283
    FF - prefs.js: network.proxy.type - 1
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


Please PM me if I fail to respond within 24hrs.


Belahzur (Administrator)
Posts: 34918 | Joined: 2008-08-03 | Gender: Male | OS: 7 Home Premium x64 | Points: 245121 | Likes: 1
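As an added example (not part of this thread, and not one of the tools it uses), here is a small Python triage script that scans OTL- and ComboFix-style log lines for the three indicators the CFScript above targets: a browser proxy pointed at 127.0.0.1, a core Windows binary name running from outside C:\WINDOWS, and a Run value that launches a DLL directly. The sample lines are constructed from the log formats seen in this thread; all function and variable names are my own.

```python
"""Triage helper for the browser-redirect infection discussed in this thread.

Scans OTL / ComboFix style log lines for three indicators (added example,
not a tool from the thread):
  1. a browser proxy pointed at the loopback address (IE registry or prefs.js),
  2. a core Windows binary name (dwm.exe, conhost.exe, ...) running from
     outside C:\\WINDOWS, i.e. a look-alike file,
  3. a Run autostart value whose target is a DLL rather than an executable.
"""
import re
from typing import Dict, List

# Names malware borrows from legitimate Windows components. The genuine files
# live under C:\WINDOWS (system32 for most of them, the root for explorer.exe).
SYSTEM_BINARY_NAMES = {
    "dwm.exe", "conhost.exe", "csrss.exe", "svchost.exe",
    "lsass.exe", "winlogon.exe", "explorer.exe", "smss.exe",
}
WINDOWS_DIR = "c:\\windows\\"
LOOPBACK = ("127.0.0.1", "localhost", "::1")

# Proxy settings in the two log formats seen in the thread:
#   ... "ProxyServer" = http=127.0.0.1:54283              (OTL, IE registry)
#   uInternet Settings,ProxyServer = http=127.0.0.1:54283 (ComboFix DDS::)
#   FF - prefs.js..network.proxy.http: "127.0.0.1"        (OTL, Firefox)
#   FF - prefs.js: network.proxy.http - 127.0.0.1         (ComboFix, Firefox)
RE_IE_PROXY = re.compile(r'ProxyServer"?\s*=\s*(\S+)', re.I)
RE_FF_PROXY = re.compile(r'network\.proxy\.http(?!_)\W+([\w.]+)', re.I)
RE_FF_PORT = re.compile(r'network\.proxy\.http_port\W+(\d+)', re.I)
# A drive-letter path ending in .exe; paths contain spaces, so stop only at
# characters that never occur inside one in these logs (quote, bracket, pipe).
RE_EXE_PATH = re.compile(r'([A-Za-z]:\\[^"\[\]|]+?\.exe)(?![\w.])', re.I)
# ComboFix Run-key value line:  "Name"="C:\path\file.ext" [date size] / [BU]
RE_RUN_VALUE = re.compile(r'^"([^"]+)"="([^"]+)"')


def is_loopback(value: str) -> bool:
    """True if a proxy value such as http=127.0.0.1:54283 points at this machine."""
    host = value.split("=", 1)[-1].split(":", 1)[0].strip('"')
    return host.lower() in LOOPBACK


def scan_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per suspicious line as {"line", "kind", "detail"}."""
    findings: List[Dict[str, object]] = []

    def note(n: int, kind: str, detail: str) -> None:
        findings.append({"line": n, "kind": kind, "detail": detail})

    for n, line in enumerate(lines, 1):
        # 1. Loopback proxy. Flagged even when ProxyEnable / proxy.type is 0:
        #    the leftover value is still evidence of the hijack.
        m = RE_IE_PROXY.search(line)
        if m and is_loopback(m.group(1)):
            note(n, "loopback-proxy", "IE ProxyServer = " + m.group(1))
        m = RE_FF_PROXY.search(line)
        if m and is_loopback(m.group(1)):
            note(n, "loopback-proxy", "Firefox network.proxy.http = " + m.group(1))
        m = RE_FF_PORT.search(line)
        if m:
            note(n, "proxy-port", "Firefox network.proxy.http_port = " + m.group(1))

        # 3. Autostart value that names a DLL directly (no host executable).
        m = RE_RUN_VALUE.match(line.strip())
        if m and m.group(2).lower().endswith(".dll"):
            note(n, "dll-autostart", f'Run value "{m.group(1)}" -> {m.group(2)}')

        # 2. Look-alike of a core Windows binary outside the Windows directory.
        for path in RE_EXE_PATH.findall(line):
            name = path.rsplit("\\", 1)[-1].lower()
            if name in SYSTEM_BINARY_NAMES and not path.lower().startswith(WINDOWS_DIR):
                note(n, "masquerade", f"{name} running from {path}")
    return findings


# Constructed sample modelled on the OTL and ComboFix lines posted in this thread.
SAMPLE_LOG = [
    r'PRC - [2008/04/13 20:12:19 | 001,033,728 | -H-- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe',
    r'C:\Documents and Settings\HP_Administrator\Application Data\dwm.exe',
    r'C:\Documents and Settings\HP_Administrator\Application Data\Microsoft\conhost.exe',
    r'IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0',
    r'IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:54283',
    r'FF - prefs.js..network.proxy.http: "127.0.0.1"',
    r'FF - prefs.js..network.proxy.http_port: 54283',
    r'FF - prefs.js..network.proxy.type: 0',
    r'"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [2011-01-11 02:46:07 395640]',
    r'"Dyuvumamumuset"="C:\WINDOWS\Wagdil6.dll" [BU]',
    r'"Ozubetalajoq"="C:\WINDOWS\eniqegepazo.dll" [BU]',
]


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f"line {f['line']:>2}  {f['kind']:<15} {f['detail']}")
```

Run it against a saved OTL.txt or ComboFix.txt by passing the file's lines to scan_lines; the genuine explorer.exe and uTorrent entries in the sample produce no finding, the seven hijack indicators do.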

Re: Redirects etc...

Post by Dom Lightweight on 14th May 2011, 4:05 pm

ComboFix 11-05-13.03 - HP_Administrator 05/14/2011 11:44:20.8.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1340 [GMT -4:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

FILE ::
"c:\program files\Internet Explorer\conhost.exe"
"c:\program files\Windows NT\dwm.exe"


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\All Users\Application Data\15064868.exe
c:\documents and settings\All Users\Application Data\lJ28601CbNcC28601
c:\documents and settings\All Users\Application Data\lJ28601CbNcC28601\lJ28601CbNcC28601
C:\Documents and Settings\All Users\Application Data\vKLuVrOIsaEYCN.exe
C:\Documents and Settings\HP_Administrator\Application Data\Adobe\plugs
C:\Documents and Settings\HP_Administrator\Application Data\Adobe\plugs\mmc141.exe
C:\Documents and Settings\HP_Administrator\Application Data\Adobe\plugs\mmc254797890.txt
C:\Documents and Settings\HP_Administrator\Application Data\Adobe\plugs\mmc50.exe
C:\Documents and Settings\HP_Administrator\Application Data\Adobe\shed
C:\Documents and Settings\HP_Administrator\Application Data\Adobe\shed\thr1.chm
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\{9F72BFEA-BB26-45AE-ABA8-792038F5CED1}
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\{9F72BFEA-BB26-45AE-ABA8-792038F5CED1}\chrome.manifest
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\{9F72BFEA-BB26-45AE-ABA8-792038F5CED1}\chrome\content\_cfg.js
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\{9F72BFEA-BB26-45AE-ABA8-792038F5CED1}\chrome\content\overlay.xul
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\{9F72BFEA-BB26-45AE-ABA8-792038F5CED1}\install.rdf
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\e6d571031he03p0h7blm0cx
c:\program files\Windows NT\dwm.exe
C:\WINDOWS\eniqegepazo.dll
C:\WINDOWS\Wagdil6.dll


((((((((((((((((((((((((( Files Created from 2011-04-14 to 2011-05-14 )))))))))))))))))))))))))))))))


2011-05-05 06:44:08 . 2011-05-05 06:44:08 -------- d-----w- C:\_OTM
2011-05-04 21:33:36 . 2011-04-14 16:26:02 142296 ---ha-w- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
2011-05-04 21:33:35 . 2011-04-14 16:25:48 781272 ---ha-w- C:\Program Files\Mozilla Firefox\mozsqlite3.dll
2011-05-04 21:33:35 . 2011-04-14 16:25:47 1874904 ---ha-w- C:\Program Files\Mozilla Firefox\mozjs.dll
2011-05-04 21:33:35 . 2011-04-14 16:25:45 15832 ---ha-w- C:\Program Files\Mozilla Firefox\mozalloc.dll
2011-05-04 21:33:35 . 2011-04-14 16:25:44 465880 ---ha-w- C:\Program Files\Mozilla Firefox\libGLESv2.dll
2011-05-04 21:33:35 . 2011-04-14 16:25:43 89048 ---ha-w- C:\Program Files\Mozilla Firefox\libEGL.dll
2011-05-04 21:33:35 . 2010-01-01 08:00:00 1974616 ---ha-w- C:\Program Files\Mozilla Firefox\D3DCompiler_42.dll
2011-05-04 21:33:35 . 2010-01-01 08:00:00 1892184 ---ha-w- C:\Program Files\Mozilla Firefox\d3dx9_42.dll
2011-04-29 00:24:06 . 2011-04-29 00:24:06 -------- d--h--w- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2011-04-29 00:24:03 . 2011-04-29 00:24:03 -------- d--h--w- C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-05-04 18:57:06 . 2010-10-22 01:40:52 16968 ---ha-w- C:\WINDOWS\system32\drivers\hitmanpro35.sys
2011-03-17 05:31:16 . 2010-10-17 16:01:38 137656 ---ha-w- C:\WINDOWS\system32\drivers\avipbb.sys
2011-03-07 05:33:50 . 2004-08-10 04:00:00 692736 ---h--w- C:\WINDOWS\system32\inetcomm.dll
2011-03-04 06:45:07 . 2004-08-10 04:00:00 434176 ---h--w- C:\WINDOWS\system32\vbscript.dll
2011-03-03 13:21:11 . 2004-08-10 04:00:00 1857920 ---ha-w- C:\WINDOWS\system32\win32k.sys
2011-02-17 13:51:57 . 2004-08-10 04:00:00 81920 ---h--w- C:\WINDOWS\system32\ieencode.dll
2011-02-17 13:51:57 . 2004-08-10 04:00:00 667136 ---ha-w- C:\WINDOWS\system32\wininet.dll
2011-02-17 13:51:57 . 2004-08-10 04:00:00 61952 ---h--w- C:\WINDOWS\system32\tdc.ocx
2011-02-17 13:18:24 . 2004-08-10 04:00:00 455936 ---ha-w- C:\WINDOWS\system32\drivers\mrxsmb.sys
2011-02-17 13:18:03 . 2004-08-10 04:00:00 357888 ---h--w- C:\WINDOWS\system32\drivers\srv.sys
2011-02-17 12:37:38 . 2004-08-10 04:00:00 369664 ---h--w- C:\WINDOWS\system32\html.iec
2011-02-17 12:32:12 . 2009-09-02 04:46:59 5120 ---ha-w- C:\WINDOWS\system32\xpsp4res.dll
2011-02-15 12:56:39 . 2004-08-10 04:00:00 290432 ---ha-w- C:\WINDOWS\system32\atmfd.dll
2011-04-14 16:26:02 . 2011-05-04 21:33:36 142296 ---ha-w- C:\Program Files\mozilla firefox\components\browsercomps.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19:44 94208 ---ha-w- C:\Documents and Settings\HP_Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19:44 94208 ---ha-w- C:\Documents and Settings\HP_Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19:44 94208 ---ha-w- C:\Documents and Settings\HP_Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [2011-01-11 02:46:07 395640]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-13 01:20:22 68856]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 09:16:20 357696]
"Dyuvumamumuset"="C:\WINDOWS\Wagdil6.dll" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 04:56:34 64512]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 07:19:16 77312]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 06:35:56 49152]
"DISCover"="C:\Program Files\DISC\DISCover.exe" [2005-11-12 04:11:04 1064960]
"DiscUpdateManager"="C:\Program Files\DISC\DiscUpdateMgr.exe" [2005-11-12 04:10:00 61440]
"DMAScheduler"="c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe" [2005-11-01 17:01:00 90112]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-23 06:14:00 237568]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-10 00:29:16 249856]
"Reminder"="C:\Windows\Creator\Remind_XP.exe" [2004-12-14 10:23:44 663552]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 14:12:54 49152]
"nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 22:06:40 642856]
"Linksys Wireless Manager"="C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" [2009-02-16 09:44:55 1358384]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 16:41:00 63048]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 15:44:34 31072]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 19:30:30 249856]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 20:47:52 57344]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 20:28:22 577536]
"avgnt"="C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-03 19:24:45 281768]
"HitmanPro35"="C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" [2011-03-06 22:23:03 6449984]
"DivXUpdate"="C:\Program Files\DivX\DivX Update\DivXUpdate.exe" [2010-12-08 19:17:46 1226608]
"DivX Download Manager"="C:\Program Files\DivX\DivX Plus Web Player\DDmService.exe" [2010-12-08 21:15:44 63360]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 17:49:36 35736]
"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 17:49:34 932288]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2010-11-29 21:38:18 421888]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2011-03-07 19:33:40 421160]
"Ozubetalajoq"="C:\WINDOWS\eniqegepazo.dll" [BU]

C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\
Dropbox.lnk - C:\Documents and Settings\HP_Administrator\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
Updates From HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe.vir [2006-3-2 36903]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-09-28 23:34:30 87352 ---ha-w- C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\DISC\\DISCover.exe"=
"C:\\Program Files\\DISC\\DiscStreamHub.exe"=
"C:\\Program Files\\DISC\\myFTP.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Documents and Settings\\HP_Administrator\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files\Avira\AntiVir Desktop\sched.exe [10/17/2010 12:01:41 PM 136360]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41:00 PM 12856]
R3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;C:\WINDOWS\system32\drivers\WUSB54GCv3.sys [9/2/2009 7:57:03 AM 627072]
S1 SASDIFSV;SASDIFSV;\??\C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\SuperAntiSpyware\SASDIFSV.SYS --> C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\SuperAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\SuperAntiSpyware\SASKUTIL.SYS --> C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\SuperAntiSpyware\SASKUTIL.SYS [?]
S2 gupdate;Google Update Service (gupdate);C:\Program Files\Google\Update\GoogleUpdate.exe [1/18/2010 7:54:47 PM 135664]
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\system32\drivers\ASPI32.SYS [12/3/2010 5:04:13 PM 16512]
S3 DrvAgent32;DrvAgent32;C:\WINDOWS\system32\drivers\DrvAgent32.sys [2/18/2010 9:29:55 PM 23456]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files\Google\Update\GoogleUpdate.exe [1/18/2010 7:54:47 PM 135664]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;C:\WINDOWS\system32\drivers\hitmanpro35.sys [10/21/2010 9:40:52 PM 16968]
S4 sptd;sptd;C:\WINDOWS\system32\drivers\sptd.sys [9/8/2010 5:22:56 PM 691696]

Contents of the 'Scheduled Tasks' folder

2011-05-07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50:20 . 2009-10-22 15:50:20]

2011-05-14 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2010-01-18 23:54:47 . 2010-01-18 23:54:41]

2011-05-14 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2010-01-18 23:54:47 . 2010-01-18 23:54:41]

2011-05-13 C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1423768027-2586421752-2192907715-1008Core.job
- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-03 19:30:42 . 2009-10-03 19:30:38]

2011-05-14 C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1423768027-2586421752-2192907715-1008UA.job
- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-03 19:30:42 . 2009-10-03 19:30:38]

2011-05-14 C:\WINDOWS\Tasks\Norton Security Scan for HP_Administrator.job
- C:\PROGRA~1\NORTON~2\Engine\301~1.8\Nss.exe [2011-01-19 20:59:52 . 2011-04-01 07:23:58]


------- Supplementary Scan -------

uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
mDefault_Search_URL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
mSearchAssistant = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
Trusted Zone: trymedia.com
TCP: {4DC2EB99-A323-4564-AD7D-5D29046CCD1C} = 213.109.64.5,213.109.72.21
FF - ProfilePath - C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\jadnwcli.default\

Dom Lightweight
Intermediate

Re: Redirects etc...

Post by Belahzur on 14th May 2011, 5:26 pm

Hello.
The malware tried to reinstall itself, so a few leftovers got left behind; we need to get them now.


  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    KILLALL::

    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Dyuvumamumuset"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Ozubetalajoq"=-
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
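As an added example for this thread (it is not ComboFix's own code and not part of Belahzur's instructions), the following Python script re-reads the Run-key section of a ComboFix "Reg Loading Points" dump like the ones pasted above and flags the kind of autorun entries the CFScript removes, then renders them in the `"name"=-` Registry:: syntax used in the post. The sample log is a constructed excerpt shaped like the thread's logs; the three heuristics (no timestamp/size metadata after the target, a DLL as the Run target, a file sitting directly in the Windows directory) are my assumptions for illustration, not rules ComboFix itself applies.

```python
"""Triage the Run-key section of a ComboFix "Reg Loading Points" dump.

Added example for this thread: not ComboFix's own code and not part of
Belahzur's instructions. It reads the kind of log pasted above, flags
autorun entries that look like the leftovers the CFScript removes, and
renders them in the CFScript Registry:: syntax used in the post.
The heuristics are assumptions for illustration, not ComboFix's own rules.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed excerpt shaped like the Run-key sections in the logs above.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [2011-01-11 02:46:07 395640]
"Dyuvumamumuset"="C:\WINDOWS\Wagdil6.dll" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 04:56:34 64512]
"avgnt"="C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-03 19:24:45 281768]
"Ozubetalajoq"="C:\WINDOWS\eniqegepazo.dll" [BU]
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
# "name"="target" [metadata]   -- metadata is normally "date time size"
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[([^\]]*)\]\s*$')
META_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \d+$")
# File placed directly in the Windows directory rather than a subfolder (assumption).
WINDIR_ROOT_RE = re.compile(r"^c:\\windows\\[^\\]+$", re.IGNORECASE)


@dataclass
class RunEntry:
    hive_key: str   # full registry key the value lives under
    name: str       # value name, e.g. "uTorrent"
    target: str     # path ComboFix reports as the launched file
    meta: str       # bracketed text after the target

    def reasons(self) -> List[str]:
        """Why this entry deserves a second look (empty list = looks ordinary)."""
        found = []
        if not META_RE.match(self.meta):
            found.append(f"no timestamp/size metadata, only '[{self.meta}]'")
        if self.target.lower().endswith(".dll"):
            found.append("Run value launches a DLL instead of an executable")
        if WINDIR_ROOT_RE.match(self.target):
            found.append("file sits directly in the Windows directory")
        return found


def parse_run_entries(text: str) -> List[RunEntry]:
    """Collect the values listed under every ...\\Run key in the dump."""
    entries: List[RunEntry] = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        if current_key is None or not current_key.lower().endswith("\\run"):
            continue
        value_match = VALUE_RE.match(line)
        if value_match:
            entries.append(RunEntry(current_key, *value_match.groups()))
    return entries


def suspicious_entries(text: str) -> List[Tuple[RunEntry, List[str]]]:
    """Entries that trip at least one heuristic, paired with the reasons."""
    flagged = []
    for entry in parse_run_entries(text):
        why = entry.reasons()
        if why:
            flagged.append((entry, why))
    return flagged


def cfscript_registry_block(text: str) -> str:
    """Render flagged values as a CFScript Registry:: section ("name"=- deletes the value)."""
    by_key: Dict[str, List[str]] = {}
    for entry, _ in suspicious_entries(text):
        by_key.setdefault(entry.hive_key, []).append(entry.name)
    lines = ["Registry::"]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=-' for name in names)
    return "\n".join(lines)


if __name__ == "__main__":
    for entry, why in suspicious_entries(SAMPLE_LOG):
        print(f"{entry.name!r} -> {entry.target}")
        for reason in why:
            print(f"    - {reason}")
    print()
    print(cfscript_registry_block(SAMPLE_LOG))
```

Run against the excerpt it flags only the two randomly named entries and reproduces the same Registry:: block Belahzur posted; the ordinary entries, which carry a real timestamp and size and launch an .exe from a proper program folder, pass untouched. Treat the output as a review aid, not an automatic removal list.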

Re: Redirects etc...

Post by Dom Lightweight on 14th May 2011, 6:06 pm

ComboFix 11-05-13.03 - HP_Administrator 05/14/2011 13:46:09.9.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1420 [GMT -4:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


---- Previous Run -------

C:\Documents and Settings\All Users\Application Data\15064868.exe
c:\documents and settings\All Users\Application Data\lJ28601CbNcC28601\lJ28601CbNcC28601
C:\Documents and Settings\All Users\Application Data\vKLuVrOIsaEYCN.exe
C:\Documents and Settings\HP_Administrator\Application Data\Adobe\plugs\mmc141.exe
C:\Documents and Settings\HP_Administrator\Application Data\Adobe\plugs\mmc254797890.txt
C:\Documents and Settings\HP_Administrator\Application Data\Adobe\plugs\mmc50.exe
C:\Documents and Settings\HP_Administrator\Application Data\Adobe\shed\thr1.chm
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\{9F72BFEA-BB26-45AE-ABA8-792038F5CED1}\chrome.manifest
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\{9F72BFEA-BB26-45AE-ABA8-792038F5CED1}\chrome\content\_cfg.js
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\{9F72BFEA-BB26-45AE-ABA8-792038F5CED1}\chrome\content\overlay.xul
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\{9F72BFEA-BB26-45AE-ABA8-792038F5CED1}\install.rdf
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\e6d571031he03p0h7blm0cx
c:\program files\Windows NT\dwm.exe
C:\WINDOWS\eniqegepazo.dll
C:\WINDOWS\Wagdil6.dll


((((((((((((((((((((((((( Files Created from 2011-04-14 to 2011-05-14 )))))))))))))))))))))))))))))))


2011-05-05 06:44:08 . 2011-05-05 06:44:08 -------- d-----w- C:\_OTM
2011-05-04 21:33:36 . 2011-04-14 16:26:02 142296 ---ha-w- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
2011-05-04 21:33:35 . 2011-04-14 16:25:48 781272 ---ha-w- C:\Program Files\Mozilla Firefox\mozsqlite3.dll
2011-05-04 21:33:35 . 2011-04-14 16:25:47 1874904 ---ha-w- C:\Program Files\Mozilla Firefox\mozjs.dll
2011-05-04 21:33:35 . 2011-04-14 16:25:45 15832 ---ha-w- C:\Program Files\Mozilla Firefox\mozalloc.dll
2011-05-04 21:33:35 . 2011-04-14 16:25:44 465880 ---ha-w- C:\Program Files\Mozilla Firefox\libGLESv2.dll
2011-05-04 21:33:35 . 2011-04-14 16:25:43 89048 ---ha-w- C:\Program Files\Mozilla Firefox\libEGL.dll
2011-05-04 21:33:35 . 2010-01-01 08:00:00 1974616 ---ha-w- C:\Program Files\Mozilla Firefox\D3DCompiler_42.dll
2011-05-04 21:33:35 . 2010-01-01 08:00:00 1892184 ---ha-w- C:\Program Files\Mozilla Firefox\d3dx9_42.dll
2011-04-29 00:24:06 . 2011-04-29 00:24:06 -------- d--h--w- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2011-04-29 00:24:03 . 2011-04-29 00:24:03 -------- d--h--w- C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-05-04 18:57:06 . 2010-10-22 01:40:52 16968 ---ha-w- C:\WINDOWS\system32\drivers\hitmanpro35.sys
2011-03-17 05:31:16 . 2010-10-17 16:01:38 137656 ---ha-w- C:\WINDOWS\system32\drivers\avipbb.sys
2011-03-07 05:33:50 . 2004-08-10 04:00:00 692736 ---h--w- C:\WINDOWS\system32\inetcomm.dll
2011-03-04 06:45:07 . 2004-08-10 04:00:00 434176 ---h--w- C:\WINDOWS\system32\vbscript.dll
2011-03-03 13:21:11 . 2004-08-10 04:00:00 1857920 ---ha-w- C:\WINDOWS\system32\win32k.sys
2011-02-17 13:51:57 . 2004-08-10 04:00:00 81920 ---h--w- C:\WINDOWS\system32\ieencode.dll
2011-02-17 13:51:57 . 2004-08-10 04:00:00 667136 ----a-w- C:\WINDOWS\system32\wininet.dll
2011-02-17 13:51:57 . 2004-08-10 04:00:00 61952 ---h--w- C:\WINDOWS\system32\tdc.ocx
2011-02-17 13:18:24 . 2004-08-10 04:00:00 455936 ---ha-w- C:\WINDOWS\system32\drivers\mrxsmb.sys
2011-02-17 13:18:03 . 2004-08-10 04:00:00 357888 ---h--w- C:\WINDOWS\system32\drivers\srv.sys
2011-02-17 12:37:38 . 2004-08-10 04:00:00 369664 ---h--w- C:\WINDOWS\system32\html.iec
2011-02-17 12:32:12 . 2009-09-02 04:46:59 5120 ---ha-w- C:\WINDOWS\system32\xpsp4res.dll
2011-02-15 12:56:39 . 2004-08-10 04:00:00 290432 ---ha-w- C:\WINDOWS\system32\atmfd.dll
2011-04-14 16:26:02 . 2011-05-04 21:33:36 142296 ---ha-w- C:\Program Files\mozilla firefox\components\browsercomps.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19:44 94208 ---ha-w- C:\Documents and Settings\HP_Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19:44 94208 ---ha-w- C:\Documents and Settings\HP_Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19:44 94208 ---ha-w- C:\Documents and Settings\HP_Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [2011-01-11 02:46:07 395640]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-13 01:20:22 68856]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 09:16:20 357696]
"vKLuVrOIsaEYCN"="C:\Documents and Settings\All Users\Application Data\vKLuVrOIsaEYCN.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 04:56:34 64512]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 07:19:16 77312]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 06:35:56 49152]
"DISCover"="C:\Program Files\DISC\DISCover.exe" [2005-11-12 04:11:04 1064960]
"DiscUpdateManager"="C:\Program Files\DISC\DiscUpdateMgr.exe" [2005-11-12 04:10:00 61440]
"DMAScheduler"="c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe" [2005-11-01 17:01:00 90112]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-23 06:14:00 237568]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-10 00:29:16 249856]
"Reminder"="C:\Windows\Creator\Remind_XP.exe" [2004-12-14 10:23:44 663552]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 14:12:54 49152]
"nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 22:06:40 642856]
"Linksys Wireless Manager"="C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" [2009-02-16 09:44:55 1358384]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 16:41:00 63048]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 15:44:34 31072]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 19:30:30 249856]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 20:47:52 57344]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 20:28:22 577536]
"avgnt"="C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-03 19:24:45 281768]
"HitmanPro35"="C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" [2011-03-06 22:23:03 6449984]
"DivXUpdate"="C:\Program Files\DivX\DivX Update\DivXUpdate.exe" [2010-12-08 19:17:46 1226608]
"DivX Download Manager"="C:\Program Files\DivX\DivX Plus Web Player\DDmService.exe" [2010-12-08 21:15:44 63360]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 17:49:36 35736]
"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 17:49:34 932288]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2010-11-29 21:38:18 421888]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2011-03-07 19:33:40 421160]

C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\
Dropbox.lnk - C:\Documents and Settings\HP_Administrator\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
Updates From HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe.vir [2006-3-2 36903]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-09-28 23:34:30 87352 ---ha-w- C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\DISC\\DISCover.exe"=
"C:\\Program Files\\DISC\\DiscStreamHub.exe"=
"C:\\Program Files\\DISC\\myFTP.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Documents and Settings\\HP_Administrator\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files\Avira\AntiVir Desktop\sched.exe [10/17/2010 12:01:41 PM 136360]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41:00 PM 12856]
R3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;C:\WINDOWS\system32\drivers\WUSB54GCv3.sys [9/2/2009 7:57:03 AM 627072]
S1 SASDIFSV;SASDIFSV;\??\C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\SuperAntiSpyware\SASDIFSV.SYS --> C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\SuperAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\SuperAntiSpyware\SASKUTIL.SYS --> C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\SuperAntiSpyware\SASKUTIL.SYS [?]
S2 gupdate;Google Update Service (gupdate);C:\Program Files\Google\Update\GoogleUpdate.exe [1/18/2010 7:54:47 PM 135664]
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\system32\drivers\ASPI32.SYS [12/3/2010 5:04:13 PM 16512]
S3 DrvAgent32;DrvAgent32;C:\WINDOWS\system32\drivers\DrvAgent32.sys [2/18/2010 9:29:55 PM 23456]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files\Google\Update\GoogleUpdate.exe [1/18/2010 7:54:47 PM 135664]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;C:\WINDOWS\system32\drivers\hitmanpro35.sys [10/21/2010 9:40:52 PM 16968]
S4 sptd;sptd;C:\WINDOWS\system32\drivers\sptd.sys [9/8/2010 5:22:56 PM 691696]

Contents of the 'Scheduled Tasks' folder

2011-05-14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50:20 . 2009-10-22 15:50:20]

2011-05-14 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2010-01-18 23:54:47 . 2010-01-18 23:54:41]

2011-05-14 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2010-01-18 23:54:47 . 2010-01-18 23:54:41]

2011-05-13 C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1423768027-2586421752-2192907715-1008Core.job
- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-03 19:30:42 . 2009-10-03 19:30:38]

2011-05-14 C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1423768027-2586421752-2192907715-1008UA.job
- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-03 19:30:42 . 2009-10-03 19:30:38]

2011-05-14 C:\WINDOWS\Tasks\Norton Security Scan for HP_Administrator.job
- C:\PROGRA~1\NORTON~2\Engine\301~1.8\Nss.exe [2011-01-19 20:59:52 . 2011-04-01 07:23:58]


------- Supplementary Scan -------

uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
mDefault_Search_URL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
mSearchAssistant = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
Trusted Zone: trymedia.com
TCP: {4DC2EB99-A323-4564-AD7D-5D29046CCD1C} = 213.109.64.5,213.109.72.21
FF - ProfilePath - C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\jadnwcli.default\


Dom Lightweight
Intermediate

Re: Redirects etc...

Post by Belahzur on 14th May 2011, 6:10 pm

Run ESET Online Scan
Please do an online scan with [You must be registered and logged in to see this link.]. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.




Belahzur
Administrator

Re: Redirects etc...

Post by Dom Lightweight on 14th May 2011, 6:34 pm

I'm having problems starting the scanner... I open it and can read the license & agreement. I can check the box that says Yes, I accept the Terms of Use, but the Start button remains gray and unclickable even if I scroll down on the contract.

Dom Lightweight
Intermediate

Re: Redirects etc...

Post by Belahzur on 14th May 2011, 6:43 pm

Hmm.
Skip the online scan for now.

Please re-enable Avira protection.

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement; press Accept and HijackThis will run.
  • When HijackThis opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.




Belahzur
Administrator

Re: Redirects etc...

Post by Dom Lightweight on 14th May 2011, 6:46 pm

µTorrent
4Musics FLAC to MP3 Converter 4.0
5 Card Slingo from HP Media Center (remove only)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader X
Agere Systems PCI-SV92PP Soft Modem
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ASIO4ALL
AstroPop Deluxe from HP Media Center (remove only)
ATI Control Panel
ATI Display Driver
Audacity 1.2.6
Avira AntiVir Personal - Free Antivirus
Barnyard Invasion from HP Media Center (remove only)
Bejeweled 2 Deluxe from HP Media Center (remove only)
Blackhawk Striker 2 from HP Media Center (remove only)
Blasterball 2 from HP Media Center (remove only)
Blasterball 2 Remix from HP Media Center (remove only)
Boggle Supreme from HP Media Center (remove only)
Bonjour
Bookworm Deluxe from HP Media Center (remove only)
Bounce Symphony from HP Media Center (remove only)
Chuzzle Deluxe from HP Media Center (remove only)
Collab
Crystal Maze from HP Media Center (remove only)
Customer Experience Enhancement
DAEMON Tools Toolbar
dBpoweramp Music Converter
DISCover
DivX Setup
DriverAgent Plugin for Netscape by eSupport.com
Easy Internet Sign-up
Easy Mail Merge for Outlook
Enigma
ESET Online Scanner v3
Family Feud
FATE from HP Media Center (remove only)
FL Studio 8
GemMaster Mystic
GoldWave v5.55
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Update Helper
GTK+ Runtime 2.14.7 rev a (remove only)
High Definition Audio Driver Package - KB888111
HiJackThis
Hitman Pro 3.5
Hotfix for Windows Media Player 10 (KB910393)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Boot Optimizer
HP Deskjet Printer Preload
HP DigitalMedia Archive
HP Document Viewer 5.3
HP DVD Play 1.0
HP Game Console and games
HP Imaging Device Functions 6.0
HP Multimedia Keyboard Software
HP Photosmart 330,380,420,470,7800,8000,8200 Series
HP Photosmart Cameras 5.0
HP Photosmart for Media Center PC
HP Photosmart Premier Software 6.0
HP PSC & OfficeJet 5.3.A
HP PSC & OfficeJet 5.3.B
HP Rhapsody
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
HP Web Helper
IL Download Manager
Insaniquarium Deluxe from HP Media Center (remove only)
ITCH
iTunes
Java(TM) 6 Update 23
KRISTAL Audio Engine
Lemonade Tycoon 2 from HP Media Center (remove only)
Lexibox Deluxe from HP Media Center (remove only)
Linksys Wireless Manager
LogMeIn
Magic FLAC to MP3 Converter 3.72
Mah Jong Quest from HP Media Center (remove only)
Malwarebytes' Anti-Malware
M-Audio Series II MIDI
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft Money 2006
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF Add-in for 2007 Microsoft Office programs
Microsoft Silverlight
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
Mozilla Firefox 4.0.1 (x86 en-US)
MP3 to AIFF 1.0
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
muvee autoProducer 4.5
muvee autoProducer unPlugged 1.2
Netscape Browser (remove only)
Norton Security Scan
Otto
PC-Doctor 5 for Windows
Pidgin
Pidgin-Musictracker plugin (remove only)
PoiZone
Polar Bowler from HP Media Center (remove only)
Polar Golfer from HP Media Center (remove only)
PS2
Puzzle Express from HP Media Center (remove only)
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
Quicken 2006
QuickTime
RealPlayer
Realtek AC'97 Audio
Remove IntelliMover Demo
Ricochet Lost Worlds from HP Media Center (remove only)
SCRABBLE from HP Media Center (remove only)
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2466156)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2464583)
Security Update for Microsoft Office Groove 2007 (KB2494047)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2183461)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360131)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2416400)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2482017)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2497640)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982381)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Shooting Stars Pool from HP Media Center (remove only)
Shrek 2 Ogre Bowler from HP Media Center (remove only)
SimCity 2000® Special Edition
Slingo Deluxe from HP Media Center (remove only)
Snowboard SuperJam from HP Media Center (remove only)
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Super Granny from HP Media Center (remove only)
Toxic Biohazard
Tradewinds from HP Media Center (remove only)
Unreal Tournament
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office Outlook 2007 (KB2509470)
Update for Outlook 2007 Junk Email Filter (KB2536413)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951978)
Update for Windows XP (KB953356)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
Update for Windows XP (KB980182)
Updates from HP (remove only)
VC80CRTRedist - 8.0.50727.4053
VLC media player 1.1.5
Windows Media Format Runtime
Windows XP Media Center Edition 2005 KB2502898
Windows XP Media Center Edition 2005 KB908250
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WinRAR archiver
Zuma Deluxe from HP Media Center (remove only)


Dom Lightweight
Intermediate

Posts : 59
Joined : 2010-01-15
OS : Windows XP
Points : 26033
# Likes : 0


Re: Redirects etc...

Post by Belahzur on 14th May 2011, 6:51 pm

Hello.
Let's secure the updates for now.

I see that you are running µTorrent.
P2P (peer-to-peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    µTorrent
    Java(TM) 6 Update 23

Updating Java:

  • Download the latest version of [You must be registered and logged in to see this link.].
  • Click the "Download JRE" button to the right.
  • In the Window that opens, select your platform, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6u25-windows-i586.exe that you downloaded to install the newest version.

I see you have VLC player installed. It's an old version and needs updating.

Download and install [You must be registered and logged in to see this link.]
When installing, it will ask if you want to uninstall the old version first before it can install the new version, so please select yes and allow it to install.

How is the machine running now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245121
# Likes : 1


Re: Redirects etc...

Post by Dom Lightweight on 14th May 2011, 6:58 pm

I'm going to make those changes and get back to you tomorrow so I can fully assess. Thanks for the help.

Dom Lightweight
Intermediate

Posts : 59
Joined : 2010-01-15
OS : Windows XP
Points : 26033
# Likes : 0


Re: Redirects etc...

Post by Belahzur on 15th May 2011, 3:17 pm

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

AntiSpyware

  • [You must be registered and logged in to see this link.]
    SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found [You must be registered and logged in to see this link.].
  • [You must be registered and logged in to see this link.].
    Spybot - Search & Destroy is a spyware and adware removal program. It also has real-time protection, TeaTimer, to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot).

NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
[You must be registered and logged in to see this link.]

Securing your computer

  • [You must be registered and logged in to see this link.] - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • [You must be registered and logged in to see this link.] replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.

Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:
Thank you for choosing GeekPolice. [You must be registered and logged in to see this link.]




Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245121
# Likes : 1

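The HOSTS-file blocking mechanism described in the post above, as an added example written for this page (it is not code from the thread or from the linked HOSTS-file tool; the entries and the .test hostnames are constructed):

```python
"""Worked illustration of HOSTS-file blocking (added example for this page).

Windows consults %SystemRoot%\\System32\\drivers\\etc\\hosts before it asks DNS,
so a line such as "127.0.0.1 ads.example.test" makes that name resolve to the
loopback address and the browser never reaches the real site. The helpers below
parse a file in that format, resolve names through it, and audit it: a listed
name that maps to anything other than a sink address is a redirect, not a block.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Addresses a blocking HOSTS file legitimately points names at: loopback, or the
# unspecified address 0.0.0.0 that some lists prefer because it fails faster.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample, not a real blocklist.
# Format: "<address> <name> [alias ...] [# comment]".
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.test            # constructed ad server
127.0.0.1       tracker.example.test www.tracker.example.test
   # indented comment line
not-an-address  junk.example.test           # malformed, ignored by the resolver
203.0.113.9     antivirus-vendor.test       # constructed hijack: points elsewhere
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each listed hostname (lower-cased) to its address string.

    Comments and blank or malformed lines are skipped. When a name appears
    more than once the first entry is kept (the resolver uses the first match).
    """
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # first field is not an IP address: not a valid entry
        for name in parts[1:]:
            table.setdefault(name.lower(), addr)
    return table


def resolve(name: str, table: Dict[str, str]) -> Optional[str]:
    """Return the HOSTS address for a name, or None when DNS would be consulted."""
    return table.get(name.lower())


def is_blocked(name: str, table: Dict[str, str]) -> bool:
    """True when the HOSTS file sinks this name, so no connection leaves the machine."""
    addr = resolve(name, table)
    return addr is not None and addr in SINK_ADDRESSES


def audit_hosts(table: Dict[str, str]) -> List[Tuple[str, str]]:
    """List entries that send a name to a real address instead of sinking it.

    In a blocking HOSTS file every entry should map to a sink address; anything
    else silently redirects that site and deserves a closer look.
    """
    return sorted(
        (name, addr) for name, addr in table.items() if addr not in SINK_ADDRESSES
    )


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for host in ("ads.example.test", "news.example.test", "antivirus-vendor.test"):
        print(f"{host}: blocked={is_blocked(host, hosts)} -> {resolve(host, hosts)}")
    print("suspicious entries:", audit_hosts(hosts))
```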

Re: Redirects etc...

Post by Dom Lightweight on 15th May 2011, 7:56 pm

So after 24 hours I now have another, different virus. I was on a website in Mozilla when the page got redirected, the browser closed and the XP Security window popped up. The virus also changed my Firefox settings to use a proxy (which I never use) and changed my default internet from Firefox to Internet Explorer. I used rkill and it deleted biu.exe.

I've had several viruses over the last few months and I have a feeling that they're all tied to some kind of root virus...thoughts? Another thing that I've always found odd is that I'll sometimes get Internet Explorer pop-up ads while using Firefox, even if I don't have an "active virus" at the time.

Dom Lightweight
Intermediate

Posts : 59
Joined : 2010-01-15
OS : Windows XP
Points : 26033
# Likes : 0


Re: Redirects etc...

Post by Dom Lightweight on 15th May 2011, 7:56 pm

Oh, and I've also had Avira enabled for the past several months while this has happened and it hasn't been too effective - I'll absolutely look into the alternative you provided.

Dom Lightweight
Intermediate

Posts : 59
Joined : 2010-01-15
OS : Windows XP
Points : 26033
# Likes : 0


Re: Redirects etc...

Post by Belahzur on 15th May 2011, 9:20 pm

Okay please download a new version of Combofix and run it, see if you can get a log.




Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245121
# Likes : 1


Re: Redirects etc...

Post by Dom Lightweight on 19th May 2011, 12:24 am

ComboFix 11-05-17.03 - HP_Administrator 05/18/2011 19:39:59.11.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1398 [GMT -4:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\HP_Administrator\2gweorjqjutp92vjy9gake
C:\Documents and Settings\HP_Administrator\Application Data\Oghac\roon.exe

---- Previous Run -------

C:\Documents and Settings\HP_Administrator\Application Data\Oghac
C:\Documents and Settings\HP_Administrator\Application Data\Oghac\roon.exe
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\biu.exe


((((((((((((((((((((((((( Files Created from 2011-04-18 to 2011-05-18 )))))))))))))))))))))))))))))))


2011-05-15 19:36:52 . 2011-05-15 21:55:45 -------- d-----w- C:\Documents and Settings\HP_Administrator\Application Data\Voxe
2011-05-14 18:45:03 . 2011-05-14 18:45:03 388096 ----a-r- C:\Documents and Settings\HP_Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-05-14 18:45:03 . 2011-05-14 18:45:03 -------- d-----w- C:\Program Files\Trend Micro
2011-05-05 06:44:08 . 2011-05-05 06:44:08 -------- d-----w- C:\_OTM
2011-05-04 21:33:36 . 2011-04-14 16:26:02 142296 ---ha-w- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
2011-05-04 21:33:35 . 2011-04-14 16:25:48 781272 ---ha-w- C:\Program Files\Mozilla Firefox\mozsqlite3.dll
2011-05-04 21:33:35 . 2011-04-14 16:25:47 1874904 ---ha-w- C:\Program Files\Mozilla Firefox\mozjs.dll
2011-05-04 21:33:35 . 2011-04-14 16:25:45 15832 ---ha-w- C:\Program Files\Mozilla Firefox\mozalloc.dll
2011-05-04 21:33:35 . 2011-04-14 16:25:44 465880 ---ha-w- C:\Program Files\Mozilla Firefox\libGLESv2.dll
2011-05-04 21:33:35 . 2011-04-14 16:25:43 89048 ---ha-w- C:\Program Files\Mozilla Firefox\libEGL.dll
2011-05-04 21:33:35 . 2010-01-01 08:00:00 1974616 ---ha-w- C:\Program Files\Mozilla Firefox\D3DCompiler_42.dll
2011-05-04 21:33:35 . 2010-01-01 08:00:00 1892184 ---ha-w- C:\Program Files\Mozilla Firefox\d3dx9_42.dll
2011-04-29 00:24:06 . 2011-04-29 00:24:06 -------- d--h--w- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2011-04-29 00:24:03 . 2011-04-29 00:24:03 -------- d--h--w- C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-05-04 18:57:06 . 2010-10-22 01:40:52 16968 ---ha-w- C:\WINDOWS\system32\drivers\hitmanpro35.sys
2011-03-17 05:31:16 . 2010-10-17 16:01:38 137656 ---ha-w- C:\WINDOWS\system32\drivers\avipbb.sys
2011-03-07 05:33:50 . 2004-08-10 04:00:00 692736 ---h--w- C:\WINDOWS\system32\inetcomm.dll
2011-03-04 06:45:07 . 2004-08-10 04:00:00 434176 ---h--w- C:\WINDOWS\system32\vbscript.dll
2011-03-03 13:21:11 . 2004-08-10 04:00:00 1857920 ---ha-w- C:\WINDOWS\system32\win32k.sys
2011-04-14 16:26:02 . 2011-05-04 21:33:36 142296 ---ha-w- C:\Program Files\mozilla firefox\components\browsercomps.dll


((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))

+ 2011-05-15 22:18:05 . 2011-05-15 22:18:05 16384 C:\WINDOWS\temp\Perflib_Perfdata_494.dat

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19:44 94208 ---ha-w- C:\Documents and Settings\HP_Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19:44 94208 ---ha-w- C:\Documents and Settings\HP_Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19:44 94208 ---ha-w- C:\Documents and Settings\HP_Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [2011-01-11 02:46:07 395640]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-13 01:20:22 68856]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 09:16:20 357696]
"vKLuVrOIsaEYCN"="C:\Documents and Settings\All Users\Application Data\vKLuVrOIsaEYCN.exe" [BU]
"{0C53291D-D069-B392-C3DD-6C64F6FFE8D8}"="C:\Documents and Settings\HP_Administrator\Application Data\Oghac\roon.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 04:56:34 64512]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 07:19:16 77312]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 06:35:56 49152]
"DISCover"="C:\Program Files\DISC\DISCover.exe" [2005-11-12 04:11:04 1064960]
"DiscUpdateManager"="C:\Program Files\DISC\DiscUpdateMgr.exe" [2005-11-12 04:10:00 61440]
"DMAScheduler"="c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe" [2005-11-01 17:01:00 90112]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-23 06:14:00 237568]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-10 00:29:16 249856]
"Reminder"="C:\Windows\Creator\Remind_XP.exe" [2004-12-14 10:23:44 663552]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 14:12:54 49152]
"nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 22:06:40 642856]
"Linksys Wireless Manager"="C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" [2009-02-16 09:44:55 1358384]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 16:41:00 63048]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 15:44:34 31072]
"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 19:30:30 249856]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 20:47:52 57344]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 20:28:22 577536]
"avgnt"="C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-03 19:24:45 281768]
"HitmanPro35"="C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" [2011-03-06 22:23:03 6449984]
"DivXUpdate"="C:\Program Files\DivX\DivX Update\DivXUpdate.exe" [2010-12-08 19:17:46 1226608]
"DivX Download Manager"="C:\Program Files\DivX\DivX Plus Web Player\DDmService.exe" [2010-12-08 21:15:44 63360]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 17:49:36 35736]
"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 17:49:34 932288]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2010-11-29 21:38:18 421888]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2011-03-07 19:33:40 421160]

C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\
Dropbox.lnk - C:\Documents and Settings\HP_Administrator\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
Updates From HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe.vir [2006-3-2 36903]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-09-28 23:34:30 87352 ---ha-w- C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\DISC\\DISCover.exe"=
"C:\\Program Files\\DISC\\DiscStreamHub.exe"=
"C:\\Program Files\\DISC\\myFTP.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Documents and Settings\\HP_Administrator\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files\Avira\AntiVir Desktop\sched.exe [10/17/2010 12:01:41 PM 136360]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41:00 PM 12856]
R3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;C:\WINDOWS\system32\drivers\WUSB54GCv3.sys [9/2/2009 7:57:03 AM 627072]
S1 SASDIFSV;SASDIFSV;\??\C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\SuperAntiSpyware\SASDIFSV.SYS --> C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\SuperAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\SuperAntiSpyware\SASKUTIL.SYS --> C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\SuperAntiSpyware\SASKUTIL.SYS [?]
S2 gupdate;Google Update Service (gupdate);C:\Program Files\Google\Update\GoogleUpdate.exe [1/18/2010 7:54:47 PM 135664]
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\system32\drivers\ASPI32.SYS [12/3/2010 5:04:13 PM 16512]
S3 DrvAgent32;DrvAgent32;C:\WINDOWS\system32\drivers\DrvAgent32.sys [2/18/2010 9:29:55 PM 23456]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files\Google\Update\GoogleUpdate.exe [1/18/2010 7:54:47 PM 135664]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;C:\WINDOWS\system32\drivers\hitmanpro35.sys [10/21/2010 9:40:52 PM 16968]
S4 sptd;sptd;C:\WINDOWS\system32\drivers\sptd.sys [9/8/2010 5:22:56 PM 691696]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - WUAUSERV

Contents of the 'Scheduled Tasks' folder

2011-05-14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50:20 . 2009-10-22 15:50:20]

2011-05-18 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2010-01-18 23:54:47 . 2010-01-18 23:54:41]

2011-05-18 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2010-01-18 23:54:47 . 2010-01-18 23:54:41]

2011-05-18 C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1423768027-2586421752-2192907715-1008Core.job
- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-03 19:30:42 . 2009-10-03 19:30:38]

2011-05-18 C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1423768027-2586421752-2192907715-1008UA.job
- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-03 19:30:42 . 2009-10-03 19:30:38]

2011-05-18 C:\WINDOWS\Tasks\Norton Security Scan for HP_Administrator.job
- C:\PROGRA~1\NORTON~2\Engine\301~1.8\Nss.exe [2011-01-19 20:59:52 . 2011-04-01 07:23:58]


------- Supplementary Scan -------

uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
Trusted Zone: trymedia.com
TCP: {4DC2EB99-A323-4564-AD7D-5D29046CCD1C} = 213.109.64.5,213.109.72.21
FF - ProfilePath - C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\jadnwcli.default\
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false


Dom Lightweight
Intermediate

Posts : 59
Joined : 2010-01-15
OS : Windows XP
Points : 26033
# Likes : 0

Re: Redirects etc...

Post by Belahzur on 30th May 2011, 8:25 pm

Run ESET Online Scan
Please do an online scan with [You must be registered and logged in to see this link.]. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245121
# Likes : 1

Re: Redirects etc...

Post by Dom Lightweight on 8th June 2011, 9:07 pm

OK so now things are in bad shape. There is a "rogue" antivirus program making everything unusable. In the past, the program affected the computer the same way but usually I was able to run programs in the 30 seconds or so after starting up - now anything I open will be shut down automatically. The only program I can essentially run on the computer is Firefox (though Adobe, Flash, etc... won't work in Firefox). I tried to do the ESET Scanner on Internet Explorer but IE isn't working ("visiting this website may harm my computer") and when I try to turn off the proxy, it simply reinstates itself once I close the window. I tried doing the ESET Scanner on Firefox, but I had to download an installer to do that and have been unable to open the installer.

I tried running in safe mode, but the virus is also active there. I tried removing the viruses through Hiren's Boot CD using SuperAntiSpyware - it removed several viruses and advised me to restart the computer, which I did, with the main problem still present. I'm unable to open any programs at this point. Please advise and thanks as always for your help.


Re: Redirects etc...

Post by Dom Lightweight on 9th June 2011, 1:12 am

Things seem to be in a bit better shape...here is a scan from HijackThis:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:11:14 PM, on 6/8/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:47392
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Increase performance and video formats for your HTML5

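Two entries in the logs posted above are worth pulling out for the reader: the HijackThis line setting the IE ProxyServer to 127.0.0.1:47392 (a proxy on the infected machine itself, which is what makes IE report every site as harmful), and, in the earlier supplementary scan, the user.js lines that turn off Firefox's mixed-content and insecure-submit warnings plus the TCP interface entry with fixed DNS servers. The following Python script is an added example, not code from this thread, from HijackThis or from ComboFix: it reads log lines in that format and flags those entry types for review. The category and severity labels are my own choice, and the sample lines are copied from the logs above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    category: str   # short label for the kind of entry (labels are my own)
    severity: str   # "high" = almost certainly attacker-set, "review" = check by hand
    line: str       # the log line that triggered the finding


# Constructed sample: lines copied from the HijackThis and supplementary-scan
# logs posted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:47392
FF - prefs.js: network.proxy.type - 0
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_submit_insecure - false
TCP: {4DC2EB99-A323-4564-AD7D-5D29046CCD1C} = 213.109.64.5,213.109.72.21
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
"""

# HijackThis R1 line carrying the IE proxy setting
_PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>.+)$")
# Firefox user.js override of a security.* preference
_FF_PREF_RE = re.compile(r"^FF - user\.js: (?P<pref>security\.[\w.]+) - (?P<val>\w+)$")
# Per-interface DNS servers as ComboFix prints them
_DNS_RE = re.compile(r"^TCP: \{[0-9A-Fa-f-]+\} = (?P<servers>[\d.,]+)$")


def _is_loopback_proxy(value: str) -> bool:
    """IE stores per-protocol proxies as 'http=host:port;https=host:port'.
    A proxy on the machine itself is the signature of a local intercepting
    process rather than any corporate or ISP proxy."""
    for part in value.split(";"):
        host_port = part.split("=", 1)[-1].strip()
        host = host_port.rsplit(":", 1)[0]
        if host in ("127.0.0.1", "localhost"):
            return True
    return False


def parse_findings(log_text: str) -> list[Finding]:
    """Scan log lines and return the entries a helper would want to look at."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = _PROXY_RE.search(line)
        if m:
            if _is_loopback_proxy(m.group("value")):
                findings.append(Finding("loopback-proxy", "high", line))
            else:
                findings.append(Finding("proxy-set", "review", line))
            continue

        m = _FF_PREF_RE.match(line)
        if m and m.group("pref").startswith("security.warn") and m.group("val").lower() == "false":
            # Warnings switched off in user.js persist across restarts and
            # hide exactly the prompts a user would otherwise notice.
            findings.append(Finding("ff-warning-disabled", "review", line))
            continue

        m = _DNS_RE.match(line)
        if m:
            # Not malicious on its own; confirm the servers are the ISP's or
            # the router's before clearing them.
            findings.append(Finding("static-dns", "review", line))

    return findings


if __name__ == "__main__":
    for f in parse_findings(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.category:20} {f.line}")
```

Running it over the sample prints the loopback proxy as the one high-severity entry and the three Firefox and DNS lines as items to review; feeding it a saved log instead (`parse_findings(open(path).read())`) gives the same triage for a full scan.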

Re: Redirects etc...

Post by Belahzur on 9th June 2011, 2:45 pm

We need to use the RKill Tool by Grinler

[You must be registered and logged in to see this link.]

  • Please Download Rkill.com. Save it to your Desktop.
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this [You must be registered and logged in to see this link.] if you are not sure how.

  • NOTE: If you are unable to connect to the site to download rkill, then you should download it to a clean computer and copy it to the infected one via a USB flash drive or CDROM.

  • Once it is downloaded, double-click on rkill.com in order to automatically attempt to stop any processes associated with Rogue programs.
  • Please be patient while the program looks for various malware programs and ends them.
  • When it has finished, the black window will automatically close and you can continue with the next step.
NOTE: If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by the rogue program when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate the rogue program. So, please try running Rkill until the malware is no longer running. You will then be able to proceed with the rest of the steps.

If you continue having problems running rkill.com, you can download:
[You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.]
which are renamed copies of rkill.com, and try them instead.

Try Combofix again.




