Jump to content

hiendpawn

Members
  • Posts

    14
  • Joined

  • Last visited

Reputation

0 Neutral
  1. Redirect seems to be better now. Can't see any immediate issues still present. Will keep an eye on. ComboFix 11-05-29.01 - Chris 06/02/2011 14:16:12.6.1 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.638.380 [GMT -4:00] Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7} FW: AVG Firewall *Enabled* {8decf618-9569-4340-b34a-d78d28969b66} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\documents and settings\Chris\Application Data\Adobe\plugs c:\documents and settings\Chris\Application Data\Adobe\shed . ---- Previous Run ------- . c:\documents and settings\All Users\Application Data\defender.exe . Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected Restored copy from - Kitty had a snack . ((((((((((((((((((((((((( Files Created from 2011-05-02 to 2011-06-02 ))))))))))))))))))))))))))))))) . . 2011-05-31 00:11 . 2011-05-31 00:11 -------- d-----w- c:\documents and settings\Chris-User\Local Settings\Application Data\{1DD73503-B8BC-40CE-B614-EDFB14419C18} 2011-05-31 00:00 . 2011-05-31 00:00 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\{91B76EBD-4003-4885-A44C-721A9CD95550} 2011-05-30 17:14 . 2011-05-30 17:14 -------- d-----w- c:\windows\msdownld.tmp 2011-05-30 14:50 . 2011-05-30 14:50 -------- d-----w- c:\documents and settings\Chris\Application Data\tor 2011-05-30 14:48 . 2011-05-30 15:03 -------- d-----w- c:\documents and settings\Chris\Application Data\Vidalia 2011-05-30 13:54 . 2011-05-30 13:54 -------- d-----w- c:\documents and settings\Chris\Application Data\Avira 2011-05-30 13:10 . 2011-04-01 21:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2011-05-30 13:10 . 2011-04-01 21:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys 2011-05-30 13:10 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys 2011-05-30 13:10 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys 2011-05-30 13:10 . 2011-05-30 13:10 -------- d-----w- c:\program files\Avira 2011-05-30 13:10 . 2011-05-30 13:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira 2011-05-30 00:15 . 2011-05-31 01:32 -------- d-----w- c:\documents and settings\Guest 2011-05-30 00:14 . 2011-05-30 00:14 -------- d-----w- c:\windows\system32\wbem\Repository 2011-05-18 02:44 . 2011-05-18 02:45 -------- d-----w- c:\program files\7-Zip 2011-05-15 20:44 . 2011-05-15 20:44 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\Doubleclick_Industries 2011-05-15 20:43 . 2011-05-15 20:44 -------- d-----w- c:\documents and settings\Chris\Application Data\FileFactory Turbo 2011-05-15 20:43 . 2011-05-15 20:43 -------- d-----w- c:\program files\FileFactory Turbo . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-05-29 13:11 . 2011-02-20 01:44 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-03-07 05:33 . 2009-11-18 21:33 692736 ----a-w- c:\windows\system32\inetcomm.dll . . ((((((((((((((((((((((((((((( SnapShot_2011-05-30_01.18.17 ))))))))))))))))))))))))))))))))))))))))) . + 2011-06-02 18:14 . 2011-06-02 18:14 16384 c:\windows\temp\Perflib_Perfdata_6bc.dat + 2009-11-19 02:48 . 2009-01-07 22:21 26144 c:\windows\system32\spupdsvc.exe - 2009-11-19 02:48 . 2009-01-07 23:21 26144 c:\windows\system32\spupdsvc.exe + 2009-11-19 02:47 . 2009-01-07 22:20 16928 c:\windows\system32\spmsg.dll - 2009-11-19 02:47 . 2009-01-07 23:20 16928 c:\windows\system32\spmsg.dll + 2006-06-29 13:05 . 2009-01-07 22:20 23552 c:\windows\system32\normaliz.dll - 2006-06-29 13:05 . 2009-01-07 23:20 23552 c:\windows\system32\normaliz.dll + 2006-06-28 22:59 . 2009-01-07 22:20 24576 c:\windows\system32\nlsdl.dll - 2006-06-28 22:59 . 2009-01-07 23:20 24576 c:\windows\system32\nlsdl.dll + 2007-08-13 23:39 . 2009-03-08 08:32 36864 c:\windows\system32\ieudinit.exe - 2007-08-13 23:39 . 2009-03-08 09:32 36864 c:\windows\system32\ieudinit.exe - 2006-06-29 13:05 . 2009-01-07 23:20 26112 c:\windows\system32\idndl.dll + 2006-06-29 13:05 . 2009-01-07 22:20 26112 c:\windows\system32\idndl.dll + 2011-05-30 13:10 . 2010-06-17 19:27 28520 c:\windows\system32\drivers\ssmdrv.sys + 2004-08-04 12:00 . 2008-04-13 18:41 52352 c:\windows\system32\dllcache\volsnap.sys - 2010-08-17 13:17 . 2010-08-17 13:17 58880 c:\windows\system32\dllcache\spoolsv.exe + 2004-08-04 12:00 . 2010-08-17 13:17 58880 c:\windows\system32\dllcache\spoolsv.exe - 2011-04-23 21:20 . 2010-07-05 13:15 26488 c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\update\spcustom.dll - 2011-04-23 21:20 . 2010-07-05 13:15 17272 c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\spmsg.dll - 2011-04-23 21:20 . 2011-02-22 23:27 12800 c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\SP3QFE\xpshims.dll - 2011-04-23 21:20 . 2011-02-22 23:27 66560 c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\SP3QFE\mshtmled.dll - 2011-04-23 21:20 . 2011-02-22 23:27 55296 c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\SP3QFE\msfeedsbs.dll - 2011-04-23 21:20 . 2011-02-22 23:27 43520 c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\SP3QFE\licmgr10.dll - 2011-04-23 21:20 . 2011-02-22 23:27 25600 c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\SP3QFE\jsproxy.dll - 2011-04-23 21:20 . 2011-02-22 23:06 12800 c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\SP3GDR\xpshims.dll - 2011-04-23 21:20 . 2011-02-22 23:06 66560 c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\SP3GDR\mshtmled.dll - 2011-04-23 21:20 . 2011-02-22 23:06 55296 c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\SP3GDR\msfeedsbs.dll - 2011-04-23 21:20 . 2011-02-22 23:06 43520 c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\SP3GDR\licmgr10.dll - 2011-04-23 21:20 . 2011-02-22 23:06 25600 c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\SP3GDR\jsproxy.dll + 2011-05-30 17:14 . 2009-12-11 08:38 69120 c:\windows\ie8updates\KB2447568-IE8\iecompat.dll + 2010-02-06 16:35 . 2010-10-18 11:10 7680 c:\windows\system32\dllcache\iecompat.dll + 2009-11-19 02:47 . 2009-01-07 22:21 121856 c:\windows\system32\xmllite.dll - 2009-11-19 02:47 . 2008-04-14 00:12 121856 c:\windows\system32\xmllite.dll + 2009-01-07 23:20 . 2009-01-07 22:20 265720 c:\windows\system32\msdbg2.dll - 2009-01-07 23:20 . 2009-01-07 23:20 265720 c:\windows\system32\msdbg2.dll + 2011-05-29 05:56 . 2011-06-02 18:14 224226 c:\windows\system32\inetsrv\MetaBase.bin - 2011-04-23 21:20 . 2010-07-05 13:16 382840 c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\update\updspapi.dll - 2011-04-23 21:20 . 2010-07-05 13:15 755576 c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\update\update.exe - 2011-04-23 21:20 . 2010-07-05 13:15 231288 c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\spuninst.exe - 2011-04-23 21:20 . 2011-02-22 23:27 919552 c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\SP3QFE\wininet.dll - 2011-04-23 21:20 . 2011-02-22 23:27 206848 c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\SP3QFE\occache.dll - 2011-04-23 21:20 . 2011-02-22 23:27 611840 c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\SP3QFE\mstime.dll - 2011-04-23 21:20 . 2011-02-22 23:27 602112 c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\SP3QFE\msfeeds.dll - 2011-04-23 21:20 . 2011-02-22 23:27 247808 c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\SP3QFE\ieproxy.dll - 2011-04-23 21:20 . 2011-02-22 23:27 184320 c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\SP3QFE\iepeers.dll - 2011-04-23 21:20 . 2011-02-22 23:27 743424 c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\SP3QFE\iedvtool.dll - 2011-04-23 21:20 . 2011-02-22 23:27 387584 c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\SP3QFE\iedkcs32.dll - 2011-04-23 21:20 . 2011-02-22 12:08 173568 c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\SP3QFE\ie4uinit.exe - 2011-04-23 21:20 . 2011-02-22 23:06 916480 c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\SP3GDR\wininet.dll - 2011-04-23 21:20 . 2011-02-22 23:06 206848 c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\SP3GDR\occache.dll - 2011-04-23 21:20 . 2011-02-22 23:06 611840 c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\SP3GDR\mstime.dll - 2011-04-23 21:20 . 2011-02-22 23:06 602112 c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\SP3GDR\msfeeds.dll - 2011-04-23 21:20 . 2011-02-22 23:06 247808 c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\SP3GDR\ieproxy.dll - 2011-04-23 21:20 . 2011-02-22 23:06 184320 c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\SP3GDR\iepeers.dll - 2011-04-23 21:20 . 2011-02-22 23:06 743424 c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\SP3GDR\iedvtool.dll - 2011-04-23 21:20 . 2011-02-22 23:06 387584 c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\SP3GDR\iedkcs32.dll - 2011-04-23 21:20 . 2011-02-18 11:49 173568 c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\SP3GDR\ie4uinit.exe + 2011-05-30 17:14 . 2010-02-22 14:23 382840 c:\windows\ie8updates\KB2447568-IE8\spuninst\updspapi.dll + 2011-05-30 17:14 . 2010-02-22 14:23 231288 c:\windows\ie8updates\KB2447568-IE8\spuninst\spuninst.exe + 2009-01-07 22:20 . 2009-01-07 22:20 1497088 c:\windows\system32\dllcache\shdocvw.dll + 2009-01-07 22:20 . 2009-01-07 22:20 1022976 c:\windows\system32\dllcache\browseui.dll - 2011-04-23 21:20 . 2011-02-22 23:27 1212928 c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\SP3QFE\urlmon.dll - 2011-04-23 21:20 . 2011-02-22 23:27 5964800 c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\SP3QFE\mshtml.dll - 2011-04-23 21:20 . 2011-02-22 23:27 1992192 c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\SP3QFE\iertutil.dll - 2011-04-23 21:20 . 2011-02-22 23:06 1210880 c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\SP3GDR\urlmon.dll - 2011-04-23 21:20 . 2011-02-22 23:06 5962240 c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\SP3GDR\mshtml.dll - 2011-04-23 21:20 . 2011-02-22 23:06 1991680 c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\SP3GDR\iertutil.dll + 2010-02-06 16:28 . 2011-04-29 15:29 42829768 c:\windows\system32\MRT.exe - 2011-04-23 21:20 . 2011-02-22 23:06 11080704 c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\SP3GDR\ieframe.dll . -- Snapshot reset to current date -- . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-10 155648] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784] "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2009-12-17 149224] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360] . [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) "DisableNotifications"= 1 (0x1) . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\uTorrent\\uTorrent.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 . R1 6bd6aafb-ce29-4dbb-ad25-c59a3e0c7415;6bd6aafb-ce29-4dbb-ad25-c59a3e0c7415;c:\windows\iprot\6bd6aafb-ce29-4dbb-ad25-c59a3e0c7415\PhysMem.sys [11/21/2009 11:53 PM 3584] R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/30/2011 9:10 AM 136360] S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2/19/2011 9:44 PM 39984] . Contents of the 'Scheduled Tasks' folder . 2011-05-27 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50] . 2011-06-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-329068152-261903793-682003330-1003Core.job - c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-08 00:35] . 2011-06-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-329068152-261903793-682003330-1003UA.job - c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-08 00:35] . . ------- Supplementary Scan ------- . uInternet Settings,ProxyOverride = <local> IE: Download with &FileFactory Turbo - c:\program files\FileFactory Turbo\Plugins\IE\FileFactoryIE.html TCP: DhcpNameServer = 192.168.15.1 FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\b7c30e1u.default\ FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-06-02 14:22 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . Completion time: 2011-06-02 14:24:58 ComboFix-quarantined-files.txt 2011-06-02 18:24 ComboFix2.txt 2011-04-23 19:01 . Pre-Run: 21,883,912,192 bytes free Post-Run: 21,955,731,456 bytes free . - - End Of File - - B96D1D8C2B5023AD7ABE0FC8E2CC23BE
  2. Everything seems to be OK...except I am still getting redirects.
  3. Yes, I have it; I have not run it yet. Should I?
  4. I did delete those 2 files; have not run ComboFix until instructed to do so. Still getting redirect in IE/Google, Bing, etc.
  5. I have NOT run ComboFix yet; should I? I'm going to delete those 2 files and check back for further instruction.
  6. Here's the dds.txt. Do you need the attach.txt as well? . DDS (Ver_2011-06-01.06) - NTFSx86 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18 Run by Chris at 9:32:24 on 2011-06-02 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.638.276 [GMT -4:00] . AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7} FW: AVG Firewall *Enabled* . ============== Running Processes =============== . C:\WINDOWS\system32\svchost.exe -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir Desktop\sched.exe svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\hkcmd.exe C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe C:\Program Files\Avira\AntiVir Desktop\avgnt.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Avira\AntiVir Desktop\avguard.exe C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\system32\inetsrv\inetinfo.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Avira\AntiVir Desktop\avshadow.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe . ============== Pseudo HJT Report =============== . uWindow Title = Windows Internet Explorer provided by MSN & Bing uInternet Settings,ProxyOverride = <local> BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background mRun: [igfxTray] c:\windows\system32\igfxtray.exe mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe" mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe" mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe" mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE IE: Download with &FileFactory Turbo - c:\program files\filefactory turbo\plugins\ie\FileFactoryIE.html IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1258599316859 DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl-esd.sun.com/update/1.6.0/jinstall-6-windows-i586.cab DPF: {B80CD4E6-5B02-4B6C-99BE-68F1511E9549} - hxxp://plugin.slingbox.com/downloads/pc/1.4.0.90/WebSlingPlayer.cab DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100 TCP: DhcpNameServer = 192.168.15.1 TCP: Interfaces\{4ABF98BF-7BBF-4FDC-A50E-BE9B5C1E308D} : DhcpNameServer = 192.168.15.1 Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL Notify: igfxcui - igfxsrvc.dll . ================= FIREFOX =================== . FF - ProfilePath - c:\documents and settings\chris\application data\mozilla\firefox\profiles\b7c30e1u.default\ FF - plugin: c:\documents and settings\chris\local settings\application data\google\update\1.3.21.53\npGoogleUpdate3.dll FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} . ============= SERVICES / DRIVERS =============== . R1 6bd6aafb-ce29-4dbb-ad25-c59a3e0c7415;6bd6aafb-ce29-4dbb-ad25-c59a3e0c7415;c:\windows\iprot\6bd6aafb-ce29-4dbb-ad25-c59a3e0c7415\PhysMem.sys [2009-11-21 3584] R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-5-30 11608] R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-5-30 136360] R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-5-30 269480] R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-5-30 61960] S2 PEVSystemStart;PEVSystemStart;c:\combofix\pev.cfxxe [2010-4-26 256512] S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-2-19 39984] . =============== Created Last 30 ================ . 2011-05-31 00:29:13 302592 ----a-w- C:\zljbi7ue.exe 2011-05-31 00:00:23 0 ----a-w- c:\windows\Otoho.bin 2011-05-31 00:00:22 -------- d-----w- c:\documents and settings\chris\local settings\application data\{91B76EBD-4003-4885-A44C-721A9CD95550} 2011-05-30 17:14:34 -------- d-----w- c:\windows\msdownld.tmp 2011-05-30 14:50:45 -------- d-----w- c:\documents and settings\chris\application data\tor 2011-05-30 13:54:10 -------- d-----w- c:\documents and settings\chris\application data\Avira 2011-05-30 13:10:19 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2011-05-30 13:10:18 -------- d-----w- c:\program files\Avira 2011-05-30 13:10:18 -------- d-----w- c:\documents and settings\all users\application data\Avira 2011-05-30 01:12:22 -------- d-----w- C:\ComboFix 2011-05-30 00:14:52 -------- d-----w- c:\windows\system32\wbem\repository\FS 2011-05-30 00:14:52 -------- d-----w- c:\windows\system32\wbem\Repository 2011-05-15 20:44:18 -------- d-----w- c:\documents and settings\chris\local settings\application data\Doubleclick_Industries 2011-05-15 20:43:51 -------- d-----w- c:\documents and settings\chris\application data\FileFactory Turbo 2011-05-15 20:43:39 -------- d-----w- c:\program files\FileFactory Turbo . ==================== Find3M ==================== . 2011-05-29 13:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll . ============= FINISH: 9:33:07.23 ===============
  7. LT, I hope it's OK...I went ahead a bit. First, I was able to run a full mbam scan and it returned good. Second, I was able to go back and run the unhide.exe without incident...and all my icons, shortcuts, etc appear to be back (out of order in some cases, but I can do some housekeeping). Also, I am now able to get into Java, and I deleted the temp files as instructed. Should I just keep on the look-out for abnormalities and post?
  8. Also, my Avira detected java/dldr.scuds.a
  9. Sorry; I did run mbam under my account. When I said I've been using my Guest account, I meant just to post this stuff.
  10. Lt, it appeared to be working. I could see my favorites bar URLs restored, so I assume the desktop and stuff was doing its thing behind the scenes. But then I got an error "services and controller app had an error" and system was set to shut down in 60 seconds. C:\windows\system32\services.exe with a status code 1073740972. I saw this once before as well. Oh, and I am still getting redirected from Google. Thanks again.
  11. Is it safe to go back? I've been corresponding off my Guest account. Looks like all my desktops files and programs are hidden (transparent icon)...and I get the occasional program not working error. No program icons on my taskbar, and I haven't tried to Google search; it was redirect ALL my searches.
  12. Thanks LT. Here's what I was able to do, of what I consider the 3 steps you advised me on: 1. I set my computer to show all hidden files. 2. I was not able to access Java in control panel; it was saying I did not have sufficient priviledge, even though AFAIK I have admin priviledge. 3. I was able to run a quick scan; 24 objects found, here is the log Malwarebytes' Anti-Malware 1.50.1.1100 www.malwarebytes.org Database version: 6697 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 6/1/2011 7:46:42 PM mbam-log-2011-06-01 (19-46-42).txt Scan type: Quick scan Objects scanned: 180865 Time elapsed: 14 minute(s), 18 second(s) Memory Processes Infected: 2 Memory Modules Infected: 2 Registry Keys Infected: 0 Registry Values Infected: 4 Registry Data Items Infected: 9 Folders Infected: 0 Files Infected: 7 Memory Processes Infected: c:\documents and settings\all users\application data\reanowdtdeg.exe (Trojan.FakeMS) -> 512 -> Unloaded process successfully. c:\documents and settings\all users\application data\18341668.exe (Trojan.Agent) -> 4040 -> Unloaded process successfully. Memory Modules Infected: c:\WINDOWS\imstexpi.dll (Trojan.Hiloti) -> Delete on reboot. c:\WINDOWS\otibiveba.dll (IPH.Trojan.Hiloti.B) -> Delete on reboot. Registry Keys Infected: (No malicious items detected) Registry Values Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Njelivafe (Trojan.Hiloti) -> Value: Njelivafe -> Delete on reboot. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rEAnOwDTDeg (Trojan.FakeMS) -> Value: rEAnOwDTDeg -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rkawehusuca (IPH.Trojan.Hiloti.B) -> Value: Rkawehusuca -> Delete on reboot. HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Chris\Local Settings\Application Data\ssk.exe" -a "firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Chris\Local Settings\Application Data\ssk.exe" -a "firefox.exe") Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Chris\Local Settings\Application Data\ssk.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: c:\WINDOWS\imstexpi.dll (Trojan.Hiloti) -> Delete on reboot. c:\documents and settings\all users\application data\reanowdtdeg.exe (Trojan.FakeMS) -> Quarantined and deleted successfully. c:\WINDOWS\otibiveba.dll (IPH.Trojan.Hiloti.B) -> Delete on reboot. c:\documents and settings\Chris\local settings\temporary internet files\Content.IE5\X7O963A1\windows-update-sp4-kb66481-setup[1].exe (Trojan.Hiloti) -> Quarantined and deleted successfully. c:\documents and settings\Chris\application data\Adobe\plugs\mmc207.exe (Trojan.Agent) -> Quarantined and deleted successfully. c:\documents and settings\Chris\application data\Adobe\plugs\mmc213.exe (Trojan.Agent) -> Quarantined and deleted successfully. c:\documents and settings\all users\application data\18341668.exe (Trojan.Agent) -> Quarantined and deleted successfully. Thanks.
  13. I've had some viruses or malwares...whatever...in the past; but nothing like this. Started by telling me my hard drive was going bad. Then it started launching XP recovery steps. Pop-ups galore, and then all my desktop icons and some programs started disappearing and/or malfunctioning. I also get redirects, whenever I try to search for help...and this happens on all my accounts, even those with limited priviledges...and safe mode isn't much better. I'm not sure where to go at this point, other than to re-load XP and risk losing anything I can't retrieve from the hard drive. This is my first post here; can anyone offer another solution? Thanks
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.