
Google Redirect Virus


a50a50


My computer, which uses Windows XP, has a Google Redirect Virus. I'm guessing you know how annoying it is. As requested, I am attaching the two files generated from running dds.com. I sure would appreciate your help in removing this virus. I did run Malwarebytes' Anti-Malware program. One trojan came up and I "quarantined" it, but that didn't take care of the problem.

If we are able to remove this virus, I sure would like to know how I got it and how I can prevent it from happening again.

Thank you.

attach.txt

dds.txt


At the top of this forum are several pinned topics. THIS ONE plainly details which user groups are authorized to post advice in the threads found in this forum. The member, Devjit1992 is not authorized. Please forgive this intrusion and kindly wait for one of our trained members who will be along to help as time permits. Thanks for your patience.


Hello a50a50! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend that you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

Step 1

Please uninstall this application: Vuze

Step 2

  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Step 3

Download aswMBR.exe to your desktop.

Double-click aswMBR.exe to run it.

Click the "Scan" button to start the scan.

On completion of the scan, click "Save log", save it to your desktop and post it in your next reply.

In your next reply, post the following log files:

  • Malwarebytes' Anti-Malware log
  • aswMBR log
  • a new fresh DDS log


Hello, Maniac.

Glad to have your assistance. I had a Google Redirect Virus earlier in the summer (it was more severe than what I have now). The Expert who helped me didn't ask me to remove Vuze and we were able to get rid of the virus. Is it absolutely necessary to remove Vuze?


Thanks for your reply. From what I understand, Vuze is Peer 2 Peer software (like uTorrent). So, I disabled it (as instructed in the link you provided) by renaming the suffixes of the executable files. Let me know if that is not sufficient.

In the meantime, I have followed your other directions.

MBAM detected nothing:

Malwarebytes Anti-Malware 1.65.0.1400

www.malwarebytes.org

Database version: v2012.09.21.09

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Steve :: MONARCHCOMPUTER [administrator]

9/21/2012 6:27:41 PM

mbam-log-2012-09-21 (18-27-41).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 275592

Time elapsed: 18 minute(s), 40 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

Here is the aswMBR report:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software

Run date: 2012-09-21 19:01:41

-----------------------------

19:01:41.687 OS Version: Windows 5.1.2600 Service Pack 3

19:01:41.687 Number of processors: 2 586 0x602

19:01:41.687 ComputerName: MONARCHCOMPUTER UserName: Steve

19:01:45.140 Initialize success

19:02:37.187 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-f

19:02:37.187 Disk 0 Vendor: WDC_WD2500KS-00MJB0 02.01C03 Size: 238475MB BusType: 3

19:02:37.203 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T1L0-17

19:02:37.203 Disk 1 Vendor: WDC_WD10EACS-00D6B0 01.01A01 Size: 953869MB BusType: 3

19:02:37.203 Disk 2 \Device\Harddisk2\DR2 -> \Device\Ide\IdeDeviceP3T0L0-22

19:02:37.203 Disk 2 Vendor: WDC_WD1001FALS-00J7B0 05.00K05 Size: 953869MB BusType: 3

19:02:37.250 Disk 0 MBR read successfully

19:02:37.250 Disk 0 MBR scan

19:02:37.250 Disk 0 Windows XP default MBR code

19:02:37.265 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 238464 MB offset 63

19:02:37.281 Disk 0 scanning sectors +488376000

19:02:37.359 Disk 0 scanning C:\WINDOWS\system32\drivers

19:02:46.671 Service scanning

19:02:53.156 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32

19:02:55.484 Modules scanning

19:03:03.187 Disk 0 trace - called modules:

19:03:03.203 ntoskrnl.exe CLASSPNP.SYS disk.sys SahdIa32.sys atapi.sys sptd.sys hal.dll >>UNKNOWN [0x8a7ba8ac]<<

19:03:03.203 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a6c3ab8]

19:03:03.203 3 CLASSPNP.SYS[f7667fd7] -> nt!IofCallDriver -> [0x8a700bb0]

19:03:03.203 5 SahdIa32.sys[f7698939] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-f[0x8a718b00]

19:03:03.203 Scan finished successfully

19:03:39.531 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Steve\Desktop\MBR.dat"

19:03:39.531 The log file has been saved successfully to "C:\Documents and Settings\Steve\Desktop\aswMBR.txt"

And here is the new DDS log:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.5.1

Run by Steve at 19:08:54 on 2012-09-21

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.438 [GMT -4:00]

.

AV: AVG Internet Security *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\AVG9\avgchsvx.exe

C:\Program Files\AVG9\avgrsx.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe

C:\Program Files\AVG9\avgwdsvc.exe

C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE

C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\AVG9\avgam.exe

C:\Program Files\AVG9\avgnsx.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\AVG9\avgemc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\system32\RUNDLL32.EXE

K:\Program Files\Roxio 2010\Roxio Burn\RoxioBurnLauncher.exe

C:\PROGRA~1\AVG9\avgtray.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\VxBlockServer.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\AVG9\avgcsrvx.exe

C:\Program Files\AVG9\avgcsrvx.exe

C:\Program Files\AVG9\avgcsrvx.exe

C:\Program Files\WinAce\WinAce.exe

C:\Program Files\Internet Explorer\iexplore.exe

K:\heroselect\HeroSelect.exe

C:\Program Files\Marvel Ultimate Alliance\Game.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Java\jre7\bin\java.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Steve\Desktop\aswMBR.exe

C:\WINDOWS\system32\NOTEPAD.EXE

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg9\avgssie.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [bdnlmskra] rundll32.exe "c:\documents and settings\steve\local settings\application data\esentcatlang\bdnlmskra\biuhb.dll",winampGetInModule2W

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\12.0\sharedcom\RoxWatchTray12.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [Desktop Disc Tool] "k:\program files\roxio 2010\roxio burn\RoxioBurnLauncher.exe"

mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin

mRun: [AVG9_TRAY] c:\progra~1\avg9\avgtray.exe

dRun: [bdnlmskra] rundll32.exe "c:\documents and settings\steve\local settings\application data\esentcatlang\bdnlmskra\biuhb.dll",winampGetInModule2W

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: roxio.com

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

TCP: DhcpNameServer = 192.168.200.1

TCP: Interfaces\{2A4CA2F3-CFB0-43A6-87D3-6F9E3E0C54E0} : DhcpNameServer = 192.168.200.1

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg9\avgpp.dll

Notify: avgrsstarter - avgrsstx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\steve\application data\mozilla\firefox\profiles\q7of971q.default\

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\documents and settings\steve\local settings\application data\unity\webplayer\loader\npUnity3D32.dll

FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll

FF - plugin: c:\windows\system32\npDeployJava1.dll

FF - plugin: c:\windows\system32\npptools.dll

FF - plugin: c:\windows\system32\npwmsdrm.dll

FF - plugin: k:\program files\mozilla firefox\plugins\npCouponPrinter.dll

FF - plugin: k:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll

.

============= SERVICES / DRIVERS ===============

.

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-10-23 52872]

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-7-23 64288]

R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [2010-6-30 21488]

R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [2010-6-30 15856]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-4 216400]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-5-13 29712]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-4 243152]

R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [2008-4-27 244736]

R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [2010-6-30 25584]

R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\roxio\backontrack\disaster recovery\SaibSVC.exe [2009-6-2 457200]

R2 acedrv11;acedrv11;c:\windows\system32\drivers\ACEDRV11.sys [2008-1-23 501560]

R2 avg9emc;AVG E-mail Scanner;c:\program files\avg9\avgemc.exe [2010-6-21 921952]

R2 avg9wd;AVG WatchDog;c:\program files\avg9\avgwdsvc.exe [2010-6-21 308136]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-9-21 40776]

S0 oqovp;oqovp; [x]

S0 Winda43;Winda43;c:\windows\system32\drivers\winda43.sys --> c:\windows\system32\drivers\Winda43.sys [?]

S1 MpKsla8ba781a;MpKsla8ba781a;\??\c:\program files\windows live safety center\mpksla8ba781a.sys --> c:\program files\windows live safety center\MpKsla8ba781a.sys [?]

S1 MpKslbe4c5fe5;MpKslbe4c5fe5;\??\c:\program files\windows live safety center\mpkslbe4c5fe5.sys --> c:\program files\windows live safety center\MpKslbe4c5fe5.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\common files\roxio shared\10.0\sharedcom\roxliveshare10.exe" --> c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [?]

S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\common files\roxio shared\12.0\sharedcom\RoxWatch12.exe [2009-7-24 219632]

S2 SessionLauncher;SessionLauncher;c:\docume~1\steve\locals~1\temp\dx9\sessionlauncher.exe --> c:\docume~1\steve\locals~1\temp\dx9\SessionLauncher.exe [?]

S3 RoxMediaDB12;RoxMediaDB12;c:\program files\common files\roxio shared\12.0\sharedcom\RoxMediaDB12.exe [2009-7-24 1116656]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S4 CinemaNow Service;CinemaNow Service;c:\program files\cinemanow\cinemanow media manager\CinemaNowSvc.exe [2009-6-23 127352]

.

=============== Created Last 30 ================

.

2012-09-21 22:26:06 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

.

==================== Find3M ====================

.

2012-09-07 21:04:46 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-07-06 13:58:51 78336 ----a-w- c:\windows\system32\browser.dll

2012-07-04 14:05:18 139784 ------w- c:\windows\system32\drivers\rdpwd.sys

2012-07-03 13:40:15 1866112 ------w- c:\windows\system32\win32k.sys

2012-07-02 17:49:33 916992 ----a-w- c:\windows\system32\wininet.dll

2012-07-02 17:49:32 43520 ------w- c:\windows\system32\licmgr10.dll

2012-07-02 17:49:32 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-07-02 12:05:43 385024 ------w- c:\windows\system32\html.iec

2012-06-28 23:25:15 1409 ----a-w- c:\windows\QTFont.for

.

============= FINISH: 19:10:14.51 ===============


Note: Please do not run this tool without special supervision and instruction of someone authorized to do so. Otherwise, you could end up with serious problems. For more details, read this article: ComboFix usage, Questions, Help? - Look here

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please post the C:\ComboFix.txt in your next reply for further review.

Note: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.


Here is the result from running ComboFix:

ComboFix 12-09-22.02 - Steve 09/22/2012 9:58.3.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1602 [GMT -4:00]

Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe

AV: AVG Internet Security *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\TEMP

c:\windows\system32\URTTemp

c:\windows\system32\URTTemp\regtlib.exe

.

.

((((((((((((((((((((((((( Files Created from 2012-08-22 to 2012-09-22 )))))))))))))))))))))))))))))))

.

.

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-09-07 21:04 . 2010-02-06 14:06 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-07-06 13:58 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\browser.dll

2012-07-04 14:05 . 2007-04-15 17:14 139784 ------w- c:\windows\system32\drivers\rdpwd.sys

2012-07-03 13:40 . 2004-08-04 12:00 1866112 ------w- c:\windows\system32\win32k.sys

2012-07-02 17:49 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll

2012-07-02 17:49 . 2010-03-02 00:23 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-07-02 17:49 . 2004-08-04 12:00 43520 ------w- c:\windows\system32\licmgr10.dll

2012-07-02 12:05 . 2004-08-04 12:00 385024 ------w- c:\windows\system32\html.iec

2012-06-28 23:25 . 2011-05-13 03:26 1409 ----a-w- c:\windows\QTFont.for

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]

"RTHDCPL"="RTHDCPL.EXE" [2005-05-25 14477312]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatchTray12.exe" [2009-07-24 240112]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-05-24 282624]

"nwiz"="nwiz.exe" [2008-10-07 1630208]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]

"Desktop Disc Tool"="k:\program files\Roxio 2010\Roxio Burn\RoxioBurnLauncher.exe" [2009-06-23 494064]

"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2009-06-08 611712]

"AVG9_TRAY"="c:\progra~1\AVG9\avgtray.exe" [2012-01-26 2077536]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-06-21 16:58 12536 ------w- c:\windows\system32\avgrsstx.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winda43.sys]

@="Driver"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk

backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Planner Reminder 2009.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Event Planner Reminder 2009.lnk

backup=c:\windows\pss\Event Planner Reminder 2009.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Planner Reminder.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Event Planner Reminder.lnk

backup=c:\windows\pss\Event Planner Reminder.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"RoxWatch10"=2 (0x2)

"RoxMediaDB10"=3 (0x3)

"Roxio Upnp Server 10"=2 (0x2)

"Roxio UPnP Renderer 10"=3 (0x3)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Marvel Ultimate Alliance\\game.exe"=

"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Common Files\\PocketSoft\\RTPatch\\AutoRTP\\artpschd.exe"=

"c:\\Program Files\\Common Files\\Microsoft Shared\\Windows Live\\WLLoginProxy.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"k:\\Program Files\\Street Fighter IV\\StreetFighterIV.exe"=

"k:\\Program Files\\Pinnacle\\Studio 12\\Programs\\RM.exe"=

"k:\\Program Files\\Pinnacle\\Studio 12\\Programs\\Studio.exe"=

"k:\\Program Files\\Pinnacle\\Studio 12\\Programs\\umi.exe"=

"c:\\Program Files\\AVG9\\avgam.exe"=

"c:\\Program Files\\AVG9\\avgdiagex.exe"=

"c:\\Program Files\\AVG9\\avgemc.exe"=

"c:\\Program Files\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG9\\avgnsx.exe"=

"k:\\Program Files\\Roxio 2010\\Venue\\Venue.exe"=

"c:\\Program Files\\CinemaNow\\CinemaNow Media Manager\\CinemaNowShell.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"n:\\Program Files\\Activision\\Spider-Man - Web of Shadows\\image\\pc\\Spider-Man Web of Shadows.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"n:\\Program Files\\ANNO 1404\\Anno4.exe"=

"n:\\Program Files\\ANNO 1404\\tools\\Anno4Web.exe"=

"m:\\Program Files\\Rise of Nations\\thrones.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:TCP"= 5353:TCP:Adobe CSI CS4

.

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [10/23/2009 11:09 PM 52872]

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/23/2010 10:58 AM 64288]

R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [6/30/2010 8:16 AM 21488]

R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [6/30/2010 8:16 AM 15856]

R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/4/2009 8:37 PM 216400]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/4/2009 8:37 PM 243152]

R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [4/27/2008 3:21 PM 244736]

R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [6/30/2010 8:16 AM 25584]

R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [6/2/2009 7:05 PM 457200]

R2 acedrv11;acedrv11;c:\windows\system32\drivers\ACEDRV11.sys [1/23/2008 4:19 AM 501560]

R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG9\avgemc.exe [6/21/2010 12:57 PM 921952]

R2 avg9wd;AVG WatchDog;c:\program files\AVG9\avgwdsvc.exe [6/21/2010 12:58 PM 308136]

S0 oqovp;oqovp; [x]

S0 Winda43;Winda43;c:\windows\system32\Drivers\Winda43.sys --> c:\windows\system32\Drivers\Winda43.sys [?]

S1 MpKsla8ba781a;MpKsla8ba781a;\??\c:\program files\Windows Live Safety Center\MpKsla8ba781a.sys --> c:\program files\Windows Live Safety Center\MpKsla8ba781a.sys [?]

S1 MpKslbe4c5fe5;MpKslbe4c5fe5;\??\c:\program files\Windows Live Safety Center\MpKslbe4c5fe5.sys --> c:\program files\Windows Live Safety Center\MpKslbe4c5fe5.sys [?]

S2 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe" --> c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [?]

S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatch12.exe [7/24/2009 8:33 AM 219632]

S2 SessionLauncher;SessionLauncher;c:\docume~1\Steve\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\Steve\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]

S3 RoxMediaDB12;RoxMediaDB12;c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxMediaDB12.exe [7/24/2009 8:33 AM 1116656]

S4 CinemaNow Service;CinemaNow Service;c:\program files\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe [6/23/2009 5:40 PM 127352]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - ASWMBR

*Deregistered* - aswMBR

.

Contents of the 'Scheduled Tasks' folder

.

2012-09-22 c:\windows\Tasks\Clean System Memory.job

- c:\windows\system32\CleanMem.exe [2011-07-12 19:56]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

Trusted Zone: roxio.com

TCP: DhcpNameServer = 192.168.200.1

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\q7of971q.default\

FF - prefs.js: network.proxy.type - 0

.

- - - - ORPHANS REMOVED - - - -

.

HKCU-Run-bdnlmskra - c:\documents and settings\Steve\Local Settings\Application Data\esentcatLang\bdnlmskra\biuhb.dll

HKU-Default-Run-bdnlmskra - c:\documents and settings\Steve\Local Settings\Application Data\esentcatLang\bdnlmskra\biuhb.dll

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-09-22 10:16

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-796845957-839522115-496803368-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:11,94,13,93,b6,c2,d2,8f,4c,e7,82,81,b4,1a,63,8e,9d,07,ef,23,c9,58,e3,

2d,dd,df,eb,15,1d,19,49,81,38,af,f6,8b,ab,6f,74,82,81,90,99,78,bb,99,f7,b4,\

"??"=hex:44,cc,6c,d5,ec,22,ba,36,2c,7b,a8,c5,ae,a8,4d,94

.

[HKEY_USERS\S-1-5-21-796845957-839522115-496803368-1004\Software\SecuROM\License information*]

"datasecu"=hex:51,ae,4a,08,0b,af,c2,7c,60,b9,3e,2f,0a,21,49,97,24,be,af,ee,db,

45,86,dd,fd,46,e0,a5,e0,af,fa,c4,00,56,f9,72,f6,8e,99,bb,98,76,d2,f4,f0,11,\

"rkeysecu"=hex:65,fb,9a,c9,8b,04,4a,94,d4,6c,90,8c,d0,0c,2f,76

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]

"Version"=hex:f3,a8,ce,09,05,0e,96,73,f4,ed,7f,4b,51,12,39,14,ca,43,6e,85,9b,

c7,a4,c9,dd,cc,ca,49,7e,95,0a,0a,bb,50,83,eb,e1,36,dc,7a,7c,66,7b,d1,79,c7,\

.

[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]

"value"="?\0a\01\03\015\1e?"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•A~*]

"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"

.

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]

"Version"=hex:f3,a8,ce,09,05,0e,96,73,f4,ed,7f,4b,51,12,39,14,ca,43,6e,85,9b,

c7,a4,c9,dd,cc,ca,49,7e,95,0a,0a,bb,50,83,eb,e1,36,dc,7a,7c,66,7b,d1,79,c7,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(964)

c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

.

Completion time: 2012-09-22 10:20:22

ComboFix-quarantined-files.txt 2012-09-22 14:20

.

Pre-Run: 5,861,597,184 bytes free

Post-Run: 6,891,016,192 bytes free

.

- - End Of File - - 605303FB1D2EC4734D271542610ED114


1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Folder::
c:\documents and settings\Steve\Local Settings\Application Data\esentcatLang

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Here is the latest ComboFix report as requested.

ComboFix 12-09-23.03 - Steve 09/23/2012 22:45:36.4.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1408 [GMT -4:00]

Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Steve\Desktop\CFScript.txt

AV: AVG Internet Security *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Steve\Local Settings\Application Data\esentcatLang

.

.

((((((((((((((((((((((((( Files Created from 2012-08-24 to 2012-09-24 )))))))))))))))))))))))))))))))

.

.

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-09-07 21:04 . 2010-02-06 14:06 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-07-06 13:58 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\browser.dll

2012-07-04 14:05 . 2007-04-15 17:14 139784 ------w- c:\windows\system32\drivers\rdpwd.sys

2012-07-03 13:40 . 2004-08-04 12:00 1866112 ------w- c:\windows\system32\win32k.sys

2012-07-02 17:49 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll

2012-07-02 17:49 . 2010-03-02 00:23 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-07-02 17:49 . 2004-08-04 12:00 43520 ------w- c:\windows\system32\licmgr10.dll

2012-07-02 12:05 . 2004-08-04 12:00 385024 ------w- c:\windows\system32\html.iec

2012-06-28 23:25 . 2011-05-13 03:26 1409 ----a-w- c:\windows\QTFont.for

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]

"RTHDCPL"="RTHDCPL.EXE" [2005-05-25 14477312]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatchTray12.exe" [2009-07-24 240112]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-05-24 282624]

"nwiz"="nwiz.exe" [2008-10-07 1630208]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]

"Desktop Disc Tool"="k:\program files\Roxio 2010\Roxio Burn\RoxioBurnLauncher.exe" [2009-06-23 494064]

"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2009-06-08 611712]

"AVG9_TRAY"="c:\progra~1\AVG9\avgtray.exe" [2012-01-26 2077536]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-06-21 16:58 12536 ------w- c:\windows\system32\avgrsstx.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winda43.sys]

@="Driver"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk

backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Planner Reminder 2009.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Event Planner Reminder 2009.lnk

backup=c:\windows\pss\Event Planner Reminder 2009.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Planner Reminder.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Event Planner Reminder.lnk

backup=c:\windows\pss\Event Planner Reminder.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"RoxWatch10"=2 (0x2)

"RoxMediaDB10"=3 (0x3)

"Roxio Upnp Server 10"=2 (0x2)

"Roxio UPnP Renderer 10"=3 (0x3)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Marvel Ultimate Alliance\\game.exe"=

"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Common Files\\PocketSoft\\RTPatch\\AutoRTP\\artpschd.exe"=

"c:\\Program Files\\Common Files\\Microsoft Shared\\Windows Live\\WLLoginProxy.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"k:\\Program Files\\Street Fighter IV\\StreetFighterIV.exe"=

"k:\\Program Files\\Pinnacle\\Studio 12\\Programs\\RM.exe"=

"k:\\Program Files\\Pinnacle\\Studio 12\\Programs\\Studio.exe"=

"k:\\Program Files\\Pinnacle\\Studio 12\\Programs\\umi.exe"=

"c:\\Program Files\\AVG9\\avgam.exe"=

"c:\\Program Files\\AVG9\\avgdiagex.exe"=

"c:\\Program Files\\AVG9\\avgemc.exe"=

"c:\\Program Files\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG9\\avgnsx.exe"=

"k:\\Program Files\\Roxio 2010\\Venue\\Venue.exe"=

"c:\\Program Files\\CinemaNow\\CinemaNow Media Manager\\CinemaNowShell.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"n:\\Program Files\\Activision\\Spider-Man - Web of Shadows\\image\\pc\\Spider-Man Web of Shadows.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"n:\\Program Files\\ANNO 1404\\Anno4.exe"=

"n:\\Program Files\\ANNO 1404\\tools\\Anno4Web.exe"=

"m:\\Program Files\\Rise of Nations\\thrones.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:TCP"= 5353:TCP:Adobe CSI CS4

.

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [10/23/2009 11:09 PM 52872]

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/23/2010 10:58 AM 64288]

R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [6/30/2010 8:16 AM 21488]

R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [6/30/2010 8:16 AM 15856]

R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/4/2009 8:37 PM 216400]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/4/2009 8:37 PM 243152]

R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [4/27/2008 3:21 PM 244736]

R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [6/30/2010 8:16 AM 25584]

R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [6/2/2009 7:05 PM 457200]

R2 acedrv11;acedrv11;c:\windows\system32\drivers\ACEDRV11.sys [1/23/2008 4:19 AM 501560]

R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG9\avgemc.exe [6/21/2010 12:57 PM 921952]

R2 avg9wd;AVG WatchDog;c:\program files\AVG9\avgwdsvc.exe [6/21/2010 12:58 PM 308136]

S0 oqovp;oqovp; [x]

S0 Winda43;Winda43;c:\windows\system32\Drivers\Winda43.sys --> c:\windows\system32\Drivers\Winda43.sys [?]

S1 MpKsla8ba781a;MpKsla8ba781a;\??\c:\program files\Windows Live Safety Center\MpKsla8ba781a.sys --> c:\program files\Windows Live Safety Center\MpKsla8ba781a.sys [?]

S1 MpKslbe4c5fe5;MpKslbe4c5fe5;\??\c:\program files\Windows Live Safety Center\MpKslbe4c5fe5.sys --> c:\program files\Windows Live Safety Center\MpKslbe4c5fe5.sys [?]

S2 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe" --> c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [?]

S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatch12.exe [7/24/2009 8:33 AM 219632]

S2 SessionLauncher;SessionLauncher;c:\docume~1\Steve\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\Steve\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]

S3 RoxMediaDB12;RoxMediaDB12;c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxMediaDB12.exe [7/24/2009 8:33 AM 1116656]

S4 CinemaNow Service;CinemaNow Service;c:\program files\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe [6/23/2009 5:40 PM 127352]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - ASWMBR

*Deregistered* - aswMBR

.

Contents of the 'Scheduled Tasks' folder

.

2012-09-24 c:\windows\Tasks\Clean System Memory.job

- c:\windows\system32\CleanMem.exe [2011-07-12 19:56]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

Trusted Zone: roxio.com

TCP: DhcpNameServer = 192.168.200.1

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\q7of971q.default\

FF - prefs.js: network.proxy.type - 0

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-09-23 23:00

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-796845957-839522115-496803368-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:11,94,13,93,b6,c2,d2,8f,4c,e7,82,81,b4,1a,63,8e,9d,07,ef,23,c9,58,e3,

2d,dd,df,eb,15,1d,19,49,81,38,af,f6,8b,ab,6f,74,82,81,90,99,78,bb,99,f7,b4,\

"??"=hex:44,cc,6c,d5,ec,22,ba,36,2c,7b,a8,c5,ae,a8,4d,94

.

[HKEY_USERS\S-1-5-21-796845957-839522115-496803368-1004\Software\SecuROM\License information*]

"datasecu"=hex:51,ae,4a,08,0b,af,c2,7c,60,b9,3e,2f,0a,21,49,97,24,be,af,ee,db,

45,86,dd,fd,46,e0,a5,e0,af,fa,c4,00,56,f9,72,f6,8e,99,bb,98,76,d2,f4,f0,11,\

"rkeysecu"=hex:65,fb,9a,c9,8b,04,4a,94,d4,6c,90,8c,d0,0c,2f,76

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]

"Version"=hex:f3,a8,ce,09,05,0e,96,73,f4,ed,7f,4b,51,12,39,14,ca,43,6e,85,9b,

c7,a4,c9,dd,cc,ca,49,7e,95,0a,0a,bb,50,83,eb,e1,36,dc,7a,7c,66,7b,d1,79,c7,\

.

[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]

"value"="?\0a\01\03\015\1e?"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•A~*]

"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"

.

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]

"Version"=hex:f3,a8,ce,09,05,0e,96,73,f4,ed,7f,4b,51,12,39,14,ca,43,6e,85,9b,

c7,a4,c9,dd,cc,ca,49,7e,95,0a,0a,bb,50,83,eb,e1,36,dc,7a,7c,66,7b,d1,79,c7,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(964)

c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

.

- - - - - - - > 'explorer.exe'(3876)

c:\windows\system32\WININET.dll

c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2012-09-23 23:03:26

ComboFix-quarantined-files.txt 2012-09-24 03:03

ComboFix2.txt 2012-09-22 14:20

.

Pre-Run: 6,865,907,712 bytes free

Post-Run: 6,885,699,584 bytes free

.

- - End Of File - - 9E911A4199C62ED71F5AC23FCB3C097D


Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\ESET\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic


Here's the log:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6583

# api_version=3.0.2

# EOSSerial=f2c7c2ba55fc1f4f9ccb3b2096030309

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2012-09-24 03:12:12

# local_time=2012-09-24 11:12:12 (-0500, Eastern Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1029 16777189 100 100 0 91206748 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=883659

# found=9

# cleaned=9

# scan_time=17398

C:\Program Files\Azureus\.install4j\i4j_extf_27_5p83tu.dll a variant of Win32/Bunndle application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{268DADB2-30C5-4B8A-9833-E5B5C8A5E1B1}\RP2\A0000162.dll a variant of Win32/Kryptik.ALZT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{268DADB2-30C5-4B8A-9833-E5B5C8A5E1B1}\RP3\A0000429.dll a variant of Win32/Bunndle application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

K:\scriptvox-studio-2.0.4.exe a variant of Win32/Agent.QHQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

L:\Easy MP3 Downloader 4.2.4.2 Software + Patch\Easy MP3 Downloader 4.2.4.2 Software\patch\easy.mp3.downloader.4.2.2.2-patch.exe Win32/HackTool.Patcher.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

L:\Exe Files\cnet2_RamBooster20_exe.exe a variant of Win32/InstallCore.D application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

L:\Exe Files\frostwire-5.3.2.windows.exe Win32/OpenCandy application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

L:\Exe Files\SoftonicDownloader_for_hjsplit.exe a variant of Win32/SoftonicDownloader.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

L:\Exe Files\Easy MP3 Downloader 4.2.4.2 Software\patch\easy.mp3.downloader.4.2.2.2-patch.exe Win32/HackTool.Patcher.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


Glad I could help! :)

  • Download OTC to your desktop and run it
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Next, uninstall ESET Online Scanner.

Some malware prevention tips:

users.telenet.be/bluepatchy/miekiemoes/prevention.html

Safe surfing! :)


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
