Attached Files
-
dds.txt 11.53KB
7 downloads
-
attach.txt 12.08KB
6 downloads
-
This topic is locked
13 replies to this topic
#1
musicb
-
- Members
-
- 6 posts
New Member
Posted 09 September 2012 - 01:39 PM
Hello, earlier today I noticed that my google search results were being redirected. This seems to happen randomly, and is sporadic. If I tried to search again, the site that was redirected would load fine sometimes. I ran a malwarebytes scan, and it said I was infected with trojan.happili. I removed and restarted, but my results are still being redirected. I did another malwarebytes scan and nothing came up. According to other threads I've read, it looks like I'm going to need some help. Thanks in advance.
#2
Maniac
-
- Experts
-
- 17,441 posts
Forum Deity
- Gender:Male
- Location:Bulgaria, EU
Posted 10 September 2012 - 06:12 AM
Hello musicb and 
! My name is Maniac and I will be glad to help you solve your malware problem.
Please note:
Step 1
Please uninstall the following applications:
Ask Toolbar
Ask Toolbar Updater
Step 2
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer,please do so immediately.
Step 3
Download aswMBR.exe to your desktop.
Double click the aswMBR.exe to run it
Click the "Scan" button to start scan
On completion of the scan click save log, save it to your desktop and post in your next reply
In your next reply, post the following log files:
! My name is Maniac and I will be glad to help you solve your malware problem.Please note:
- If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
- I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
- Make sure you read all of the instructions and fixes thoroughly before continuing with them.
- Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
- Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
Step 1
Please uninstall the following applications:
Ask Toolbar
Ask Toolbar Updater
Step 2
- Launch Malwarebytes' Anti-Malware
- Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
- Go to Scanner tab and select Perform Quick Scan, then click Scan.
- The scan may take some time to finish,so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy&Paste the entire report in your next reply.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer,please do so immediately.
Step 3
Download aswMBR.exe to your desktop.
Double click the aswMBR.exe to run it
Click the "Scan" button to start scan
On completion of the scan click save log, save it to your desktop and post in your next reply
In your next reply, post the following log files:
- Malwarebytes' Anti-Malware log
- aswMBR log
- a new fresh DDS log
My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here 
#3
musicb
-
- Members
-
- 6 posts
New Member
Posted 11 September 2012 - 02:47 PM
Hi Maniac,
Here are the logs you asked for. I also have the new attach log from the dds, so let me know if you need that as well.
Thanks!
Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org
Database version: v2012.09.11.08
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
Administrator :: TMB [administrator]
9/11/2012 3:27:28 PM
mbam-log-2012-09-11 (15-27-28).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 439212
Time elapsed: 7 minute(s), 23 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-09-11 15:36:13
-----------------------------
15:36:13.218 OS Version: Windows 5.1.2600 Service Pack 3
15:36:13.218 Number of processors: 2 586 0x170A
15:36:13.218 ComputerName: TMB UserName:
15:36:14.031 Initialize success
15:36:45.531 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
15:36:45.531 Disk 0 Vendor: ST325031 HP35 Size: 238475MB BusType: 3
15:36:45.546 Disk 0 MBR read successfully
15:36:45.546 Disk 0 MBR scan
15:36:45.546 Disk 0 Windows 7 default MBR code
15:36:45.546 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 238463 MB offset 2048
15:36:45.546 Disk 0 scanning sectors +488376000
15:36:45.625 Disk 0 scanning C:\WINDOWS\system32\drivers
15:36:51.859 Service scanning
15:37:06.406 Modules scanning
15:37:15.890 Disk 0 trace - called modules:
15:37:15.906
15:37:15.906 Scan finished successfully
15:41:53.296 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
15:41:53.296 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_31
Run by Administrator at 15:42:35 on 2012-09-11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3543.2463 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\DYMO\DYMO Label Software\DLSService.exe
C:\Program Files\DYMO File\DYMOFileMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\DYMO\DYMO Label Software\DymoQuickPrint.exe
C:\Documents and Settings\Administrator\Application Data\Spotify\Data\SpotifyWebHelper.exe
C:\Documents and Settings\Administrator\Application Data\Spotify\Spotify.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Intuit\QuickBooks 2011\QBW32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\aswMBR.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
mDefault_Page_URL = hxxp://intra1.nhsb.local/
uInternet Settings,ProxyOverride = *.local;192.168.*.*
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - c:\program files\avg\avg2012\avgdtiex.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [DymoQuickPrint] "c:\program files\dymo\dymo label software\DymoQuickPrint.exe" /startup
uRun: [Spotify Web Helper] "c:\documents and settings\administrator\application data\spotify\data\SpotifyWebHelper.exe"
uRun: [Spotify] "c:\documents and settings\administrator\application data\spotify\Spotify.exe" /uri spotify:autostart
uRun: [Apple] rundll32.exe "c:\documents and settings\administrator\local settings\application data\apple computer\apple\tfohkvg.dll",DllRegisterServerW
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [DLSService] "c:\program files\dymo\dymo label software\DLSService.exe"
mRun: [DYMOFileMonitor] "c:\program files\dymo file\DYMOFileMonitor.exe"
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [Apple] rundll32.exe "c:\documents and settings\administrator\local settings\application data\apple computer\apple\tfohkvg.dll",DllRegisterServerW
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\intuit~1.lnk - c:\program files\common files\intuit\dataprotect\IntuitDataProtect.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~2.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\intuit\quickbooks 2011\QBW32.EXE
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\avg\avg2012\avgdtiex.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: adp.com\ipay
Trusted Zone: anthem.com\www
Trusted Zone: bai.org\www
Trusted Zone: benefits4us.com\www
Trusted Zone: betraining.com\www
Trusted Zone: bsiweb.com\www
Trusted Zone: conexis.org\www
Trusted Zone: ct.gov\www.concord.sots
Trusted Zone: harland.net\branchprod
Trusted Zone: healthnet.com\www
Trusted Zone: hostedeet.com\majnhs
Trusted Zone: iapprove01
Trusted Zone: learnbai.org
Trusted Zone: lifebalance.net\www
Trusted Zone: myappro.com\www
Trusted Zone: MyAppro.Com \CTX
Trusted Zone: newalliancehr.com\www
Trusted Zone: synweb
Trusted Zone: tecaccess.com\www
Trusted Zone: ups.com\www
Trusted Zone: userconnect.com
Trusted Zone: usicg.com\www
Trusted Zone: vms1
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1302367197153
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 10.1.10.1
TCP: Interfaces\{01DABF7F-049D-4E41-ACEE-8E9BE82C90B5} : DhcpNameServer = 10.1.10.1
Handler: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - c:\program files\intuit\quickbooks 2011\HelpAsyncPluggableProtocol.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\anqdakd8.default\
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=utf-8&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\musicnotes\npmusicn.dll
FF - plugin: c:\program files\musicnotes\NPSibelius.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_271.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-1-19 31952]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 237408]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 41040]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-2-10 301920]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2012-2-14 193288]
R2 QBVSS;QBIDPService;c:\program files\common files\intuit\dataprotect\QBIDPService.exe [2011-6-30 1248256]
R2 Shavlik Scheduler;Shavlik Remote Scheduler Service;c:\windows\propatches\scheduler\stSchedEx.exe [2010-10-6 1287520]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 139856]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [2011-12-23 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 17232]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2008-10-24 149600]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2010-3-5 44800]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-9-11 40776]
S?2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\avgidsagent.exe [2012-8-13 5167736]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-14 250056]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys --> c:\windows\system32\drivers\motfilt.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys --> c:\windows\system32\drivers\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys --> c:\windows\system32\drivers\motccgpfl.sys [?]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys --> c:\windows\system32\drivers\motodrv.sys [?]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\motousbnet.sys --> c:\windows\system32\drivers\Motousbnet.sys [?]
S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\drivers\motusbdevice.sys --> c:\windows\system32\drivers\motusbdevice.sys [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-2 114144]
S3 RDID1118;BR-80;c:\windows\system32\drivers\RDWM1118.sys [2012-2-14 141312]
S4 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2008-11-21 238736]
.
=============== Created Last 30 ================
.
2012-09-11 19:26:25 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-09-04 20:29:01 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Spotify
2012-09-04 20:29:00 -------- d-----w- c:\documents and settings\administrator\application data\Spotify
2012-08-30 23:18:45 73696 ----a-w- c:\program files\mozilla firefox\breakpadinjector.dll
.
==================== Find3M ====================
.
2012-09-07 21:04:46 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-24 19:43:18 301920 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2012-08-15 01:19:05 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-15 01:19:05 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-26 07:21:30 237408 ----a-w- c:\windows\system32\drivers\avgldx86.sys
.
============= FINISH: 15:42:44.68 ===============
Here are the logs you asked for. I also have the new attach log from the dds, so let me know if you need that as well.
Thanks!
Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org
Database version: v2012.09.11.08
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
Administrator :: TMB [administrator]
9/11/2012 3:27:28 PM
mbam-log-2012-09-11 (15-27-28).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 439212
Time elapsed: 7 minute(s), 23 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-09-11 15:36:13
-----------------------------
15:36:13.218 OS Version: Windows 5.1.2600 Service Pack 3
15:36:13.218 Number of processors: 2 586 0x170A
15:36:13.218 ComputerName: TMB UserName:
15:36:14.031 Initialize success
15:36:45.531 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
15:36:45.531 Disk 0 Vendor: ST325031 HP35 Size: 238475MB BusType: 3
15:36:45.546 Disk 0 MBR read successfully
15:36:45.546 Disk 0 MBR scan
15:36:45.546 Disk 0 Windows 7 default MBR code
15:36:45.546 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 238463 MB offset 2048
15:36:45.546 Disk 0 scanning sectors +488376000
15:36:45.625 Disk 0 scanning C:\WINDOWS\system32\drivers
15:36:51.859 Service scanning
15:37:06.406 Modules scanning
15:37:15.890 Disk 0 trace - called modules:
15:37:15.906
15:37:15.906 Scan finished successfully
15:41:53.296 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
15:41:53.296 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_31
Run by Administrator at 15:42:35 on 2012-09-11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3543.2463 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\DYMO\DYMO Label Software\DLSService.exe
C:\Program Files\DYMO File\DYMOFileMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\DYMO\DYMO Label Software\DymoQuickPrint.exe
C:\Documents and Settings\Administrator\Application Data\Spotify\Data\SpotifyWebHelper.exe
C:\Documents and Settings\Administrator\Application Data\Spotify\Spotify.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Intuit\QuickBooks 2011\QBW32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\aswMBR.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
mDefault_Page_URL = hxxp://intra1.nhsb.local/
uInternet Settings,ProxyOverride = *.local;192.168.*.*
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - c:\program files\avg\avg2012\avgdtiex.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [DymoQuickPrint] "c:\program files\dymo\dymo label software\DymoQuickPrint.exe" /startup
uRun: [Spotify Web Helper] "c:\documents and settings\administrator\application data\spotify\data\SpotifyWebHelper.exe"
uRun: [Spotify] "c:\documents and settings\administrator\application data\spotify\Spotify.exe" /uri spotify:autostart
uRun: [Apple] rundll32.exe "c:\documents and settings\administrator\local settings\application data\apple computer\apple\tfohkvg.dll",DllRegisterServerW
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [DLSService] "c:\program files\dymo\dymo label software\DLSService.exe"
mRun: [DYMOFileMonitor] "c:\program files\dymo file\DYMOFileMonitor.exe"
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [Apple] rundll32.exe "c:\documents and settings\administrator\local settings\application data\apple computer\apple\tfohkvg.dll",DllRegisterServerW
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\intuit~1.lnk - c:\program files\common files\intuit\dataprotect\IntuitDataProtect.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~2.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\intuit\quickbooks 2011\QBW32.EXE
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\avg\avg2012\avgdtiex.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: adp.com\ipay
Trusted Zone: anthem.com\www
Trusted Zone: bai.org\www
Trusted Zone: benefits4us.com\www
Trusted Zone: betraining.com\www
Trusted Zone: bsiweb.com\www
Trusted Zone: conexis.org\www
Trusted Zone: ct.gov\www.concord.sots
Trusted Zone: harland.net\branchprod
Trusted Zone: healthnet.com\www
Trusted Zone: hostedeet.com\majnhs
Trusted Zone: iapprove01
Trusted Zone: learnbai.org
Trusted Zone: lifebalance.net\www
Trusted Zone: myappro.com\www
Trusted Zone: MyAppro.Com \CTX
Trusted Zone: newalliancehr.com\www
Trusted Zone: synweb
Trusted Zone: tecaccess.com\www
Trusted Zone: ups.com\www
Trusted Zone: userconnect.com
Trusted Zone: usicg.com\www
Trusted Zone: vms1
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1302367197153
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 10.1.10.1
TCP: Interfaces\{01DABF7F-049D-4E41-ACEE-8E9BE82C90B5} : DhcpNameServer = 10.1.10.1
Handler: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - c:\program files\intuit\quickbooks 2011\HelpAsyncPluggableProtocol.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\anqdakd8.default\
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=utf-8&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\musicnotes\npmusicn.dll
FF - plugin: c:\program files\musicnotes\NPSibelius.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_271.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-1-19 31952]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 237408]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 41040]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-2-10 301920]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2012-2-14 193288]
R2 QBVSS;QBIDPService;c:\program files\common files\intuit\dataprotect\QBIDPService.exe [2011-6-30 1248256]
R2 Shavlik Scheduler;Shavlik Remote Scheduler Service;c:\windows\propatches\scheduler\stSchedEx.exe [2010-10-6 1287520]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 139856]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [2011-12-23 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 17232]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2008-10-24 149600]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2010-3-5 44800]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-9-11 40776]
S?2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\avgidsagent.exe [2012-8-13 5167736]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-14 250056]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys --> c:\windows\system32\drivers\motfilt.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys --> c:\windows\system32\drivers\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys --> c:\windows\system32\drivers\motccgpfl.sys [?]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys --> c:\windows\system32\drivers\motodrv.sys [?]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\motousbnet.sys --> c:\windows\system32\drivers\Motousbnet.sys [?]
S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\drivers\motusbdevice.sys --> c:\windows\system32\drivers\motusbdevice.sys [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-2 114144]
S3 RDID1118;BR-80;c:\windows\system32\drivers\RDWM1118.sys [2012-2-14 141312]
S4 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2008-11-21 238736]
.
=============== Created Last 30 ================
.
2012-09-11 19:26:25 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-09-04 20:29:01 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Spotify
2012-09-04 20:29:00 -------- d-----w- c:\documents and settings\administrator\application data\Spotify
2012-08-30 23:18:45 73696 ----a-w- c:\program files\mozilla firefox\breakpadinjector.dll
.
==================== Find3M ====================
.
2012-09-07 21:04:46 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-24 19:43:18 301920 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2012-08-15 01:19:05 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-15 01:19:05 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-26 07:21:30 237408 ----a-w- c:\windows\system32\drivers\avgldx86.sys
.
============= FINISH: 15:42:44.68 ===============
#4
Maniac
-
- Experts
-
- 17,441 posts
Forum Deity
- Gender:Male
- Location:Bulgaria, EU
Posted 11 September 2012 - 05:29 PM
Thanks!
Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingc...to-use-combofix
* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Please post the C:\ComboFix.txt in your next reply for further review.
Note: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingc...to-use-combofix
* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Please post the C:\ComboFix.txt in your next reply for further review.
Note: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here
#5
musicb
-
- Members
-
- 6 posts
New Member
Posted 11 September 2012 - 06:04 PM
Hi, here's the combofix log.
ComboFix 12-09-11.02 - Administrator 09/11/2012 18:48:20.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3543.2855 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer\Apple\tfohkvg.dll
c:\documents and settings\Administrator\My Documents\~WRL3007.tmp
c:\documents and settings\All Users\Application Data\313055a4m715j113g838v8avg1e3
c:\windows\null
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-08-11 to 2012-09-11 )))))))))))))))))))))))))))))))
.
.
2012-09-04 20:29 . 2012-09-11 14:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Spotify
2012-09-04 20:29 . 2012-09-11 15:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\Spotify
2012-08-30 23:18 . 2012-09-07 21:25 73696 ----a-w- c:\program files\Mozilla Firefox\breakpadinjector.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-07 21:04 . 2012-01-28 15:19 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-24 19:43 . 2011-02-10 11:54 301920 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2012-08-15 01:19 . 2012-04-14 16:45 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-15 01:19 . 2011-12-10 21:46 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-26 07:21 . 2011-01-07 10:41 237408 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2012-09-07 21:25 . 2011-04-07 18:22 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-07-06 . B175B44DE1C18935F5F1D61BADCFE164 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DymoQuickPrint"="c:\program files\DYMO\DYMO Label Software\DymoQuickPrint.exe" [2009-10-29 1885944]
"Spotify Web Helper"="c:\documents and settings\Administrator\Application Data\Spotify\Data\SpotifyWebHelper.exe" [2012-09-04 1193176]
"Spotify"="c:\documents and settings\Administrator\Application Data\Spotify\Spotify.exe" [2012-09-04 5576408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-08-27 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-08-27 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-08-27 142872]
"RTHDCPL"="RTHDCPL.EXE" [2009-07-03 18665472]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-07-31 2596984]
"DLSService"="c:\program files\DYMO\DYMO Label Software\DLSService.exe" [2009-10-28 55808]
"DYMOFileMonitor"="c:\program files\DYMO File\DYMOFileMonitor.exe" [2009-05-30 196608]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2011-06-14 1527128]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2008-04-14 99840]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Intuit Data Protect.lnk - c:\program files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe [2011-6-30 5832536]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2011-7-6 1156968]
QuickBooks_Standard_21.lnk - c:\program files\Intuit\QuickBooks 2011\QBW32.EXE [2011-7-6 1178984]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1220945662-220523388-682003330-126107\Scripts\Logon\0\0]
"Script"=VipSales.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1220945662-220523388-682003330-50617\Scripts\Logon\0\0]
"Script"=VipSales.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1220945662-220523388-682003330-53443\Scripts\Logon\0\0]
"Script"=VipSales.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1220945662-220523388-682003330-81624\Scripts\Logon\0\0]
"Script"=VipSales.vbs
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2011\\QBDBMgrN.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [4/19/2012 4:50 AM 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [1/19/2011 4:32 AM 31952]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [1/7/2011 6:41 AM 237408]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2/10/2011 7:54 AM 301920]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [2/14/2012 4:53 AM 193288]
R2 QBVSS;QBIDPService;c:\program files\Common Files\Intuit\DataProtect\QBIDPService.exe [6/30/2011 1:25 PM 1248256]
R2 Shavlik Scheduler;Shavlik Remote Scheduler Service;c:\windows\ProPatches\Scheduler\stSchedEx.exe [10/6/2010 11:28 AM 1287520]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [12/23/2011 1:32 PM 139856]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [12/23/2011 1:32 PM 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [12/23/2011 1:32 PM 17232]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [10/24/2008 3:02 AM 149600]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [3/5/2010 3:02 PM 44800]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\avgidsagent.exe [8/13/2012 3:24 AM 5167736]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/14/2012 12:45 PM 250056]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\DRIVERS\motfilt.sys --> c:\windows\system32\DRIVERS\motfilt.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys --> c:\windows\system32\DRIVERS\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys --> c:\windows\system32\DRIVERS\motccgpfl.sys [?]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys --> c:\windows\system32\DRIVERS\motodrv.sys [?]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\DRIVERS\Motousbnet.sys --> c:\windows\system32\DRIVERS\Motousbnet.sys [?]
S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\DRIVERS\motusbdevice.sys --> c:\windows\system32\DRIVERS\motusbdevice.sys [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/2/2012 3:17 PM 114144]
S3 RDID1118;BR-80;c:\windows\system32\drivers\RDWM1118.sys [2/14/2012 12:49 PM 141312]
S4 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [11/21/2008 2:27 AM 238736]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
*NewlyCreated* - WUAUSERV
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-14 01:19]
.
2012-09-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local;192.168.*.*
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: adp.com\ipay
Trusted Zone: anthem.com\www
Trusted Zone: bai.org\www
Trusted Zone: benefits4us.com\www
Trusted Zone: betraining.com\www
Trusted Zone: bsiweb.com\www
Trusted Zone: conexis.org\www
Trusted Zone: ct.gov\www.concord.sots
Trusted Zone: harland.net\branchprod
Trusted Zone: healthnet.com\www
Trusted Zone: hostedeet.com\majnhs
Trusted Zone: iapprove01
Trusted Zone: learnbai.org
Trusted Zone: lifebalance.net\www
Trusted Zone: myappro.com\www
Trusted Zone: MyAppro.Com \CTX
Trusted Zone: newalliancehr.com\www
Trusted Zone: synweb
Trusted Zone: tecaccess.com\www
Trusted Zone: ups.com\www
Trusted Zone: userconnect.com
Trusted Zone: usicg.com\www
Trusted Zone: vms1
TCP: DhcpNameServer = 10.1.10.1
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\anqdakd8.default\
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=utf-8&q=
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-Apple - c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer\Apple\tfohkvg.dll
HKU-Default-Run-Apple - c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer\Apple\tfohkvg.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-09-11 18:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\system32\wuauclt.exe.wusetup.136062.bak 53472 bytes executable
c:\windows\system32\wuaueng.dll.wusetup.137828.bak 1929952 bytes executable
.
scan completed successfully
hidden files: 2
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.EXE'(2128)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-09-11 18:56:26 - machine was rebooted
ComboFix-quarantined-files.txt 2012-09-11 22:56
.
Pre-Run: 218,915,336,192 bytes free
Post-Run: 221,464,977,408 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 835DCFE83E99B76245BA84583846CDEB
ComboFix 12-09-11.02 - Administrator 09/11/2012 18:48:20.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3543.2855 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer\Apple\tfohkvg.dll
c:\documents and settings\Administrator\My Documents\~WRL3007.tmp
c:\documents and settings\All Users\Application Data\313055a4m715j113g838v8avg1e3
c:\windows\null
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-08-11 to 2012-09-11 )))))))))))))))))))))))))))))))
.
.
2012-09-04 20:29 . 2012-09-11 14:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Spotify
2012-09-04 20:29 . 2012-09-11 15:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\Spotify
2012-08-30 23:18 . 2012-09-07 21:25 73696 ----a-w- c:\program files\Mozilla Firefox\breakpadinjector.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-07 21:04 . 2012-01-28 15:19 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-24 19:43 . 2011-02-10 11:54 301920 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2012-08-15 01:19 . 2012-04-14 16:45 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-15 01:19 . 2011-12-10 21:46 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-26 07:21 . 2011-01-07 10:41 237408 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2012-09-07 21:25 . 2011-04-07 18:22 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-07-06 . B175B44DE1C18935F5F1D61BADCFE164 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DymoQuickPrint"="c:\program files\DYMO\DYMO Label Software\DymoQuickPrint.exe" [2009-10-29 1885944]
"Spotify Web Helper"="c:\documents and settings\Administrator\Application Data\Spotify\Data\SpotifyWebHelper.exe" [2012-09-04 1193176]
"Spotify"="c:\documents and settings\Administrator\Application Data\Spotify\Spotify.exe" [2012-09-04 5576408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-08-27 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-08-27 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-08-27 142872]
"RTHDCPL"="RTHDCPL.EXE" [2009-07-03 18665472]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-07-31 2596984]
"DLSService"="c:\program files\DYMO\DYMO Label Software\DLSService.exe" [2009-10-28 55808]
"DYMOFileMonitor"="c:\program files\DYMO File\DYMOFileMonitor.exe" [2009-05-30 196608]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2011-06-14 1527128]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2008-04-14 99840]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Intuit Data Protect.lnk - c:\program files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe [2011-6-30 5832536]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2011-7-6 1156968]
QuickBooks_Standard_21.lnk - c:\program files\Intuit\QuickBooks 2011\QBW32.EXE [2011-7-6 1178984]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1220945662-220523388-682003330-126107\Scripts\Logon\0\0]
"Script"=VipSales.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1220945662-220523388-682003330-50617\Scripts\Logon\0\0]
"Script"=VipSales.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1220945662-220523388-682003330-53443\Scripts\Logon\0\0]
"Script"=VipSales.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1220945662-220523388-682003330-81624\Scripts\Logon\0\0]
"Script"=VipSales.vbs
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2011\\QBDBMgrN.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [4/19/2012 4:50 AM 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [1/19/2011 4:32 AM 31952]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [1/7/2011 6:41 AM 237408]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2/10/2011 7:54 AM 301920]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [2/14/2012 4:53 AM 193288]
R2 QBVSS;QBIDPService;c:\program files\Common Files\Intuit\DataProtect\QBIDPService.exe [6/30/2011 1:25 PM 1248256]
R2 Shavlik Scheduler;Shavlik Remote Scheduler Service;c:\windows\ProPatches\Scheduler\stSchedEx.exe [10/6/2010 11:28 AM 1287520]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [12/23/2011 1:32 PM 139856]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [12/23/2011 1:32 PM 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [12/23/2011 1:32 PM 17232]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [10/24/2008 3:02 AM 149600]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [3/5/2010 3:02 PM 44800]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\avgidsagent.exe [8/13/2012 3:24 AM 5167736]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/14/2012 12:45 PM 250056]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\DRIVERS\motfilt.sys --> c:\windows\system32\DRIVERS\motfilt.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys --> c:\windows\system32\DRIVERS\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys --> c:\windows\system32\DRIVERS\motccgpfl.sys [?]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys --> c:\windows\system32\DRIVERS\motodrv.sys [?]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\DRIVERS\Motousbnet.sys --> c:\windows\system32\DRIVERS\Motousbnet.sys [?]
S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\DRIVERS\motusbdevice.sys --> c:\windows\system32\DRIVERS\motusbdevice.sys [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/2/2012 3:17 PM 114144]
S3 RDID1118;BR-80;c:\windows\system32\drivers\RDWM1118.sys [2/14/2012 12:49 PM 141312]
S4 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [11/21/2008 2:27 AM 238736]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
*NewlyCreated* - WUAUSERV
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-14 01:19]
.
2012-09-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local;192.168.*.*
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: adp.com\ipay
Trusted Zone: anthem.com\www
Trusted Zone: bai.org\www
Trusted Zone: benefits4us.com\www
Trusted Zone: betraining.com\www
Trusted Zone: bsiweb.com\www
Trusted Zone: conexis.org\www
Trusted Zone: ct.gov\www.concord.sots
Trusted Zone: harland.net\branchprod
Trusted Zone: healthnet.com\www
Trusted Zone: hostedeet.com\majnhs
Trusted Zone: iapprove01
Trusted Zone: learnbai.org
Trusted Zone: lifebalance.net\www
Trusted Zone: myappro.com\www
Trusted Zone: MyAppro.Com \CTX
Trusted Zone: newalliancehr.com\www
Trusted Zone: synweb
Trusted Zone: tecaccess.com\www
Trusted Zone: ups.com\www
Trusted Zone: userconnect.com
Trusted Zone: usicg.com\www
Trusted Zone: vms1
TCP: DhcpNameServer = 10.1.10.1
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\anqdakd8.default\
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=utf-8&q=
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-Apple - c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer\Apple\tfohkvg.dll
HKU-Default-Run-Apple - c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer\Apple\tfohkvg.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-09-11 18:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\system32\wuauclt.exe.wusetup.136062.bak 53472 bytes executable
c:\windows\system32\wuaueng.dll.wusetup.137828.bak 1929952 bytes executable
.
scan completed successfully
hidden files: 2
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.EXE'(2128)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-09-11 18:56:26 - machine was rebooted
ComboFix-quarantined-files.txt 2012-09-11 22:56
.
Pre-Run: 218,915,336,192 bytes free
Post-Run: 221,464,977,408 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 835DCFE83E99B76245BA84583846CDEB
#6
Maniac
-
- Experts
-
- 17,441 posts
Forum Deity
- Gender:Male
- Location:Bulgaria, EU
Posted 11 September 2012 - 06:07 PM
Please open www.virustotal.com and upload the following file:
c:\windows\system32\sfcfiles.dll
Wait until scan finished and then copy/paste the URL in your next reply here.
c:\windows\system32\sfcfiles.dll
Wait until scan finished and then copy/paste the URL in your next reply here.
My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here
#7
musicb
-
- Members
-
- 6 posts
New Member
#8
Maniac
-
- Experts
-
- 17,441 posts
Forum Deity
- Gender:Male
- Location:Bulgaria, EU
Posted 11 September 2012 - 06:37 PM
Could you please compress for me the following folder: C:\Qoobox\Quarantine and to upload it somewhere, for example in www.rapidshare.com . Next, please send me a download link via PM.
http://support.microsoft.com/kb/307987
Thanks in advance!
http://support.microsoft.com/kb/307987
Thanks in advance!
My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here
#9
Maniac
-
- Experts
-
- 17,441 posts
Forum Deity
- Gender:Male
- Location:Bulgaria, EU
Posted 11 September 2012 - 07:10 PM
Thanks!
Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
- Tick the box next to YES, I accept the Terms of Use
- Click Start
- When asked, allow the ActiveX control to install
- Click Start
- Make sure that the options Remove found threats and the option Scan unwanted applications is checked
- Click Scan (This scan can take several hours, so please be patient)
- Once the scan is completed, you may close the window
- Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
- Copy and paste that log as a reply to this topic
My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here
#10
musicb
-
- Members
-
- 6 posts
New Member
Posted 13 September 2012 - 02:52 PM
Hi, here is the log from the ESET Scanner.
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=6.00.2900.5512 (xpsp.080413-2105)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=c2541a363079394c8f3b79ab3f13a2e2
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-09-13 07:49:20
# local_time=2012-09-13 03:49:20 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777215 100 0 28559083 28559083 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=79897
# found=5
# cleaned=5
# scan_time=2609
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\anqdakd8.default\extensions\yvlwuxymdm@yvlwuxymdm.org.xpi JS/Redirector.NCA trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Administrator\My Documents\Downloads\musicnotesSuite.exe Win32/OpenCandy application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Administrator\My Documents\Downloads\SetupImgBurn_2.5.6.0.exe Win32/Bundled.Toolbar.Ask application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine.zip Win32/BHO.OEI trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Local Settings\Application Data\Apple Computer\Apple\tfohkvg.dll.vir Win32/BHO.OEI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=6.00.2900.5512 (xpsp.080413-2105)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=c2541a363079394c8f3b79ab3f13a2e2
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-09-13 07:49:20
# local_time=2012-09-13 03:49:20 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777215 100 0 28559083 28559083 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=79897
# found=5
# cleaned=5
# scan_time=2609
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\anqdakd8.default\extensions\yvlwuxymdm@yvlwuxymdm.org.xpi JS/Redirector.NCA trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Administrator\My Documents\Downloads\musicnotesSuite.exe Win32/OpenCandy application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Administrator\My Documents\Downloads\SetupImgBurn_2.5.6.0.exe Win32/Bundled.Toolbar.Ask application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine.zip Win32/BHO.OEI trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Local Settings\Application Data\Apple Computer\Apple\tfohkvg.dll.vir Win32/BHO.OEI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
#11
Maniac
-
- Experts
-
- 17,441 posts
Forum Deity
- Gender:Male
- Location:Bulgaria, EU
Posted 13 September 2012 - 05:59 PM
How are things now?
My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here
#12
musicb
-
- Members
-
- 6 posts
New Member
Posted 13 September 2012 - 06:04 PM
I've clicked through about 30 different google results and everything's loaded and functioned properly. It looks like everything should be good? Thanks for your help once again!
#13
Maniac
-
- Experts
-
- 17,441 posts
Forum Deity
- Gender:Male
- Location:Bulgaria, EU
Posted 13 September 2012 - 06:05 PM
Glad I could help!
Please uninstall ComboFix:
http://www.bleepingc...bofix#uninstall
Next, uninstall ESET Online Scanner and then manually delete DDS and aswMBR.
Some malware prevention tips:
www.users.telenet.be/bluepatchy/miekiemoes/prevention.html
Safe surfing!
Please uninstall ComboFix:
http://www.bleepingc...bofix#uninstall
Next, uninstall ESET Online Scanner and then manually delete DDS and aswMBR.
Some malware prevention tips:
www.users.telenet.be/bluepatchy/miekiemoes/prevention.html
Safe surfing!
My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here
#14
Maurice Naggar
-
- Moderators
-
- 13,598 posts
Eradicator de logiciels malveillants
- Gender:Male
- Location:USA
- Interests:Security, Windows, Windows Update, malware prevention
Posted 14 September 2012 - 06:43 AM
Glad we could help.
If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.
Other members who need assistance please start your own topic in a new thread. Thanks!
If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.
Other members who need assistance please start your own topic in a new thread. Thanks!
Maurice Naggar
Consumer Support Specialist
Follow us: Twitter, Become a fan: Facebook
I close my threads if there is 5 days without a response.
Consumer Support Specialist
Follow us: Twitter, Become a fan: Facebook
I close my threads if there is 5 days without a response.
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
