Solved Undetectable redirect
- Thread starter greg0418
- Start date
- Status
Broni
Posts: 56,041 +516
You didn't answer:
=======================================================
The log, you attached is not from MBRCheck.
Please, redo.
======================================================
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
======================================================================
Note: If you have a previous version of TDSSKiller downloaded please delete it now and download a fresh copy using the links provided below
Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.
"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
When it is done, a log file should be created on your C: drive called TDSSKiller.txt please copy and paste the contents of that file here.
=======================================================
The log, you attached is not from MBRCheck.
Please, redo.
======================================================
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
- Double-click SystemLook.exe to run it.
- Vista users:: Right click on SystemLook.exe, click Run As Administrator
- Copy the content of the following box into the main textfield:
Code::filefind termsrv.dll - Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
======================================================================
Note: If you have a previous version of TDSSKiller downloaded please delete it now and download a fresh copy using the links provided below
Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.
"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
When it is done, a log file should be created on your C: drive called TDSSKiller.txt please copy and paste the contents of that file here.
In answer to your question it is Mozilla Firefox
I re-downloaded the link for mbr above and ran it again. it gave me the exact same log. I have attached it and the system look log.
Also when I try to run the command you have me I get an error:
"Valid command line perimeters:
-I <file name> (path to file log)
-qpath <folder_name> (path to quarantine folder)
-qall (copy all object to quarantine)
-qsus (copy all suspicious objects to quarantine)
-qmbr (copy all mbr to quarantine)
mbr log : Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
I re-downloaded the link for mbr above and ran it again. it gave me the exact same log. I have attached it and the system look log.
Also when I try to run the command you have me I get an error:
"Valid command line perimeters:
-I <file name> (path to file log)
-qpath <folder_name> (path to quarantine folder)
-qall (copy all object to quarantine)
-qsus (copy all suspicious objects to quarantine)
-qmbr (copy all mbr to quarantine)
mbr log : Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
tdss killer gives this error when I try to run the command as I explained in my last reply:
"Valid command line perimeters:
-I <file name> (path to file log)
-qpath <folder_name> (path to quarantine folder)
-qall (copy all object to quarantine)
-qsus (copy all suspicious objects to quarantine)
-qmbr (copy all mbr to quarantine)"
And yes, IE does the same thing. I'm not sure if its a redirect or a new feature of hotmail. It just looks "off" to me.
Thanks for your help.
"Valid command line perimeters:
-I <file name> (path to file log)
-qpath <folder_name> (path to quarantine folder)
-qall (copy all object to quarantine)
-qsus (copy all suspicious objects to quarantine)
-qmbr (copy all mbr to quarantine)"
And yes, IE does the same thing. I'm not sure if its a redirect or a new feature of hotmail. It just looks "off" to me.
Thanks for your help.
Broni
Posts: 56,041 +516
I see...
1. Please open Notepad
2. Now copy/paste the entire content of the codebox below into the Notepad window:
3. Save the above as CFScript.txt
4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.
5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
1. Please open Notepad
- Click Start , then Run
- Type notepad .exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
FCopy::
C:\WINDOWS\system32\dllcache\termsrv.dll | c:\windows\System32\termsrv.dll3. Save the above as CFScript.txt
4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.
5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
- Combofix.txt
ComboFix 10-07-29.04 - Administrator 07/30/2010 13:18:20.4.1 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.702.536 [GMT -4:00]
Running from: c:\documents and settings\Greg\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Greg\Desktop\CFScript.txt
AV: Sunbelt VIPRE *On-access scanning disabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}
FW: Sunbelt VIPRE *enabled* {FF1CD5B7-1553-4625-A258-1775385CED33}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
--------------- FCopy ---------------
c:\windows\system32\dllcache\termsrv.dll --> c:\windows\System32\termsrv.dll
.
((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-30 )))))))))))))))))))))))))))))))
.
2010-07-30 17:18 . 2008-04-14 10:42 295424 ----a-w- c:\windows\system32\termsrv.dll
2010-07-28 07:40 . 2010-07-28 07:40 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-27 16:31 . 2008-04-14 05:10 36352 -c--a-w- c:\windows\system32\dllcache\disk.sys
2010-07-27 16:31 . 2008-04-14 05:10 36352 ----a-w- c:\windows\system32\drivers\disk.sys
2010-07-27 05:13 . 2010-07-27 05:13 388096 ----a-r- c:\documents and settings\Greg\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-27 04:48 . 2010-07-27 04:48 -------- d-sh--w- c:\documents and settings\Greg\IECompatCache
2010-07-27 04:33 . 2010-07-27 04:33 -------- d-----w- c:\documents and settings\Greg\Application Data\JAM Software
2010-07-27 04:32 . 2010-07-27 04:32 -------- d-----w- c:\program files\JAM Software
2010-07-27 02:47 . 2010-07-28 05:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-26 16:39 . 2010-07-26 16:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-26 09:27 . 2010-07-26 09:27 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-07-26 09:00 . 2010-05-21 18:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-07-26 08:27 . 2010-07-28 05:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-26 03:20 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-26 03:20 . 2010-07-26 03:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-26 03:20 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-25 03:14 . 2010-01-04 10:29 69720 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2010-07-25 03:14 . 2010-01-04 10:29 13400 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2010-07-25 03:08 . 2010-07-25 03:08 -------- d-----w- c:\documents and settings\Greg\Application Data\Sunbelt
2010-07-25 03:08 . 2010-07-25 03:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
2010-07-25 03:06 . 2010-04-28 19:12 86232 ----a-w- c:\windows\system32\drivers\sbhips.sys
2010-07-25 03:06 . 2010-04-28 19:12 204632 ----a-w- c:\windows\system32\drivers\sbtis.sys
2010-07-25 03:05 . 2010-01-14 09:42 67800 ----a-w- c:\windows\system32\drivers\SbFwIm.sys
2010-07-25 03:05 . 2010-04-28 19:12 322904 ----a-w- c:\windows\system32\drivers\SbFw.sys
2010-07-23 08:12 . 2010-07-23 08:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sunbelt
2010-07-23 06:01 . 2010-07-23 06:01 -------- d-----w- c:\program files\Sunbelt Software
2010-07-23 05:19 . 2010-07-23 05:19 -------- d-----w- c:\documents and settings\Administrator\PrivacIE
2010-07-23 05:18 . 2010-07-23 05:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-07-23 05:16 . 2010-07-23 05:56 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-07-08 09:30 . 2010-07-08 09:30 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2010-07-08 09:10 . 2010-07-08 09:10 -------- dc----w- c:\windows\system32\DRVSTORE
2010-07-07 03:45 . 2010-07-07 03:45 -------- d-----w- c:\documents and settings\Greg\Local Settings\Application Data\TheWeatherNetwork
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-30 16:40 . 2010-02-10 23:34 -------- d-----w- c:\documents and settings\Greg\Application Data\uTorrent
2010-07-23 05:53 . 2010-07-23 05:53 37760 ----a-w- c:\windows\system32\drivers\amdk7.sys5B84D6EB
2010-07-20 05:20 . 2010-03-22 06:05 -------- d-----w- c:\documents and settings\Greg\Application Data\FileZilla
2010-07-15 02:49 . 2010-02-11 16:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-11 20:28 . 2010-02-26 06:16 -------- d-----w- c:\documents and settings\Greg\Application Data\vlc
2010-06-26 00:37 . 2010-03-26 15:27 -------- d-----w- c:\program files\CCP
2010-06-26 00:35 . 2010-02-15 02:08 -------- d-----w- c:\program files\DivX
2010-06-25 05:59 . 2010-02-12 22:56 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-24 00:11 . 2010-03-27 13:18 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-24 00:07 . 2010-06-24 00:07 -------- d-----w- c:\program files\NOS
2010-06-14 14:31 . 2010-02-10 13:45 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-10 04:56 . 2010-02-13 01:25 737280 ----a-w- c:\windows\iun6002.exe
2010-06-10 04:53 . 2010-03-17 04:28 69584 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-10 04:47 . 2010-06-10 04:47 -------- d-----w- c:\program files\Phyxion.net
2010-06-10 04:38 . 2010-02-12 22:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-10 03:23 . 2010-06-10 03:23 -------- d-----w- c:\program files\Radeon Omega Drivers
2010-06-10 02:53 . 2010-03-08 17:22 -------- d-----w- c:\program files\MagicISO
2010-06-10 02:53 . 2010-02-15 02:08 -------- d-----w- c:\program files\Google
2010-06-05 23:26 . 2010-02-11 15:57 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-03 20:03 . 2010-02-11 00:53 -------- d-----w- c:\program files\TeamSpeak 3 Client
2010-05-06 10:41 . 2008-04-14 04:42 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2008-04-14 00:00 1851264 ----a-w- c:\windows\system32\win32k.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2010-04-30 1291600]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^D-Link AirPlus G Configuration Utility.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^Greg^Start Menu^Programs^Startup^MagicDisc.lnk]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
2008-02-22 11:30 217544 ----a-w- c:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 04:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
2004-08-22 22:05 81920 ----a-w- c:\program files\D-Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-03-25 15:06 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-10-09 18:11 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 20:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2005-02-02 15:41 692316 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2005-02-02 15:42 102492 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-05-27 05:50 322352 ----a-w- c:\program files\uTorrent\uTorrent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX6000]
2010-01-29 05:04 764784 ----a-w- c:\windows\vVX6000.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [3/9/2010 12:53 AM 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [3/9/2010 12:53 AM 5248]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [10/13/2009 9:02 AM 95024]
R2 SBAMSvc;VIPRE Antivirus Premium;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [4/30/2010 12:31 PM 2730120]
R2 SBPIMSvc;SB Recovery Service;c:\program files\Sunbelt Software\VIPRE\SBPIMSvc.exe [4/30/2010 12:30 PM 181584]
S1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [7/24/2010 11:14 PM 13400]
S1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [7/24/2010 11:05 PM 322904]
S1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [7/24/2010 11:06 PM 204632]
S2 .vipre_reset;Vipre Trial Reset;c:\program files\Vipre_Reset.exe --> c:\program files\Vipre_Reset.exe [?]
S2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [7/24/2010 11:14 PM 69720]
S3 CALIAUD;Conexant AMC 3D Environmental Audio;c:\windows\system32\drivers\caliaud.sys [2/17/2004 9:28 AM 292352]
S3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys [2/17/2004 9:29 AM 273536]
S3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\DP83815.sys [7/15/2004 9:01 AM 18432]
S3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [7/24/2010 11:05 PM 67800]
S3 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys [7/24/2010 11:06 PM 86232]
S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [1/29/2010 1:04 AM 2074480]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/11/2010 8:51 PM 716272]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9a18gyat.default\
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-30 13:26
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x83600AB0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf80e7f28
\Driver\ACPI -> ACPI.sys @ 0xf8034cb8
\Driver\atapi -> 0x83600ab0
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(180)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-07-30 13:30:26
ComboFix-quarantined-files.txt 2010-07-30 17:30
ComboFix2.txt 2010-07-27 16:59
Pre-Run: 11,696,455,680 bytes free
Post-Run: 11,685,265,408 bytes free
- - End Of File - - 48CFF07B22EC5365B2348C552EB62D40
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.702.536 [GMT -4:00]
Running from: c:\documents and settings\Greg\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Greg\Desktop\CFScript.txt
AV: Sunbelt VIPRE *On-access scanning disabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}
FW: Sunbelt VIPRE *enabled* {FF1CD5B7-1553-4625-A258-1775385CED33}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
--------------- FCopy ---------------
c:\windows\system32\dllcache\termsrv.dll --> c:\windows\System32\termsrv.dll
.
((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-30 )))))))))))))))))))))))))))))))
.
2010-07-30 17:18 . 2008-04-14 10:42 295424 ----a-w- c:\windows\system32\termsrv.dll
2010-07-28 07:40 . 2010-07-28 07:40 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-27 16:31 . 2008-04-14 05:10 36352 -c--a-w- c:\windows\system32\dllcache\disk.sys
2010-07-27 16:31 . 2008-04-14 05:10 36352 ----a-w- c:\windows\system32\drivers\disk.sys
2010-07-27 05:13 . 2010-07-27 05:13 388096 ----a-r- c:\documents and settings\Greg\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-27 04:48 . 2010-07-27 04:48 -------- d-sh--w- c:\documents and settings\Greg\IECompatCache
2010-07-27 04:33 . 2010-07-27 04:33 -------- d-----w- c:\documents and settings\Greg\Application Data\JAM Software
2010-07-27 04:32 . 2010-07-27 04:32 -------- d-----w- c:\program files\JAM Software
2010-07-27 02:47 . 2010-07-28 05:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-26 16:39 . 2010-07-26 16:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-26 09:27 . 2010-07-26 09:27 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-07-26 09:00 . 2010-05-21 18:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-07-26 08:27 . 2010-07-28 05:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-26 03:20 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-26 03:20 . 2010-07-26 03:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-26 03:20 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-25 03:14 . 2010-01-04 10:29 69720 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2010-07-25 03:14 . 2010-01-04 10:29 13400 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2010-07-25 03:08 . 2010-07-25 03:08 -------- d-----w- c:\documents and settings\Greg\Application Data\Sunbelt
2010-07-25 03:08 . 2010-07-25 03:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
2010-07-25 03:06 . 2010-04-28 19:12 86232 ----a-w- c:\windows\system32\drivers\sbhips.sys
2010-07-25 03:06 . 2010-04-28 19:12 204632 ----a-w- c:\windows\system32\drivers\sbtis.sys
2010-07-25 03:05 . 2010-01-14 09:42 67800 ----a-w- c:\windows\system32\drivers\SbFwIm.sys
2010-07-25 03:05 . 2010-04-28 19:12 322904 ----a-w- c:\windows\system32\drivers\SbFw.sys
2010-07-23 08:12 . 2010-07-23 08:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sunbelt
2010-07-23 06:01 . 2010-07-23 06:01 -------- d-----w- c:\program files\Sunbelt Software
2010-07-23 05:19 . 2010-07-23 05:19 -------- d-----w- c:\documents and settings\Administrator\PrivacIE
2010-07-23 05:18 . 2010-07-23 05:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-07-23 05:16 . 2010-07-23 05:56 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-07-08 09:30 . 2010-07-08 09:30 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2010-07-08 09:10 . 2010-07-08 09:10 -------- dc----w- c:\windows\system32\DRVSTORE
2010-07-07 03:45 . 2010-07-07 03:45 -------- d-----w- c:\documents and settings\Greg\Local Settings\Application Data\TheWeatherNetwork
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-30 16:40 . 2010-02-10 23:34 -------- d-----w- c:\documents and settings\Greg\Application Data\uTorrent
2010-07-23 05:53 . 2010-07-23 05:53 37760 ----a-w- c:\windows\system32\drivers\amdk7.sys5B84D6EB
2010-07-20 05:20 . 2010-03-22 06:05 -------- d-----w- c:\documents and settings\Greg\Application Data\FileZilla
2010-07-15 02:49 . 2010-02-11 16:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-11 20:28 . 2010-02-26 06:16 -------- d-----w- c:\documents and settings\Greg\Application Data\vlc
2010-06-26 00:37 . 2010-03-26 15:27 -------- d-----w- c:\program files\CCP
2010-06-26 00:35 . 2010-02-15 02:08 -------- d-----w- c:\program files\DivX
2010-06-25 05:59 . 2010-02-12 22:56 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-24 00:11 . 2010-03-27 13:18 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-24 00:07 . 2010-06-24 00:07 -------- d-----w- c:\program files\NOS
2010-06-14 14:31 . 2010-02-10 13:45 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-10 04:56 . 2010-02-13 01:25 737280 ----a-w- c:\windows\iun6002.exe
2010-06-10 04:53 . 2010-03-17 04:28 69584 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-10 04:47 . 2010-06-10 04:47 -------- d-----w- c:\program files\Phyxion.net
2010-06-10 04:38 . 2010-02-12 22:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-10 03:23 . 2010-06-10 03:23 -------- d-----w- c:\program files\Radeon Omega Drivers
2010-06-10 02:53 . 2010-03-08 17:22 -------- d-----w- c:\program files\MagicISO
2010-06-10 02:53 . 2010-02-15 02:08 -------- d-----w- c:\program files\Google
2010-06-05 23:26 . 2010-02-11 15:57 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-03 20:03 . 2010-02-11 00:53 -------- d-----w- c:\program files\TeamSpeak 3 Client
2010-05-06 10:41 . 2008-04-14 04:42 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2008-04-14 00:00 1851264 ----a-w- c:\windows\system32\win32k.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2010-04-30 1291600]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^D-Link AirPlus G Configuration Utility.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^Greg^Start Menu^Programs^Startup^MagicDisc.lnk]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
2008-02-22 11:30 217544 ----a-w- c:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 04:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
2004-08-22 22:05 81920 ----a-w- c:\program files\D-Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-03-25 15:06 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-10-09 18:11 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 20:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2005-02-02 15:41 692316 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2005-02-02 15:42 102492 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-05-27 05:50 322352 ----a-w- c:\program files\uTorrent\uTorrent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX6000]
2010-01-29 05:04 764784 ----a-w- c:\windows\vVX6000.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [3/9/2010 12:53 AM 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [3/9/2010 12:53 AM 5248]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [10/13/2009 9:02 AM 95024]
R2 SBAMSvc;VIPRE Antivirus Premium;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [4/30/2010 12:31 PM 2730120]
R2 SBPIMSvc;SB Recovery Service;c:\program files\Sunbelt Software\VIPRE\SBPIMSvc.exe [4/30/2010 12:30 PM 181584]
S1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [7/24/2010 11:14 PM 13400]
S1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [7/24/2010 11:05 PM 322904]
S1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [7/24/2010 11:06 PM 204632]
S2 .vipre_reset;Vipre Trial Reset;c:\program files\Vipre_Reset.exe --> c:\program files\Vipre_Reset.exe [?]
S2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [7/24/2010 11:14 PM 69720]
S3 CALIAUD;Conexant AMC 3D Environmental Audio;c:\windows\system32\drivers\caliaud.sys [2/17/2004 9:28 AM 292352]
S3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys [2/17/2004 9:29 AM 273536]
S3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\DP83815.sys [7/15/2004 9:01 AM 18432]
S3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [7/24/2010 11:05 PM 67800]
S3 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys [7/24/2010 11:06 PM 86232]
S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [1/29/2010 1:04 AM 2074480]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/11/2010 8:51 PM 716272]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9a18gyat.default\
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-30 13:26
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x83600AB0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf80e7f28
\Driver\ACPI -> ACPI.sys @ 0xf8034cb8
\Driver\atapi -> 0x83600ab0
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(180)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-07-30 13:30:26
ComboFix-quarantined-files.txt 2010-07-30 17:30
ComboFix2.txt 2010-07-27 16:59
Pre-Run: 11,696,455,680 bytes free
Post-Run: 11,685,265,408 bytes free
- - End Of File - - 48CFF07B22EC5365B2348C552EB62D40
Broni
Posts: 56,041 +516
OK. So far everything looks clean...
What are the current issues.
Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.
===============================================================
Download OTL to your Desktop.
* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:
netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\*. /mp /s
/md5start
/md5stop
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
What are the current issues.
Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.
===============================================================
Download OTL to your Desktop.
* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:
netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\*. /mp /s
/md5start
/md5stop
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
Great. I don't think I'm having any more problems other than the Windows Validation issue that occurred after the first combofix scan.
I think the Hotmail issue was just the implementation of some new features.
I have attached the OTL logs. If you can provide assistance with the windows validation issue I would appreciate it.
Thanks for your help.
I think the Hotmail issue was just the implementation of some new features.
I have attached the OTL logs. If you can provide assistance with the windows validation issue I would appreciate it.
Thanks for your help.
Broni
Posts: 56,041 +516
Let's finish cleaning process and then we'll worry about validation.
=======================================================================
Update your Java version here: http://www.java.com/en/download/installed.jsp
Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.
Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.
Now, we need to remove old Java version and its remnants...
Download JavaRa to your desktop and unzip it to its own folder
======================================================================
Run OTL
=======================================================================
Update your Java version here: http://www.java.com/en/download/installed.jsp
Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.
Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.
Now, we need to remove old Java version and its remnants...
Download JavaRa to your desktop and unzip it to its own folder
- Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
- Accept any prompts.
======================================================================
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
Code::OTL O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found. O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Reg Error: Key error.) O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - File not found [2010/07/23 01:16:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller [2010/07/24 22:22:11 | 000,001,250 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100727-002135.backup :Services :Reg :Files :Commands [purity] [emptytemp] [emptyflash] [Reboot] - Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- You will get a log that shows the results of the fix. Please post it.
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
Broni
Posts: 56,041 +516
Good 
Last scans...
1. Download Security Check from HERE, and save it to your Desktop.
2. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.
3. Go to Kaspersky website and perform an online antivirus scan.
1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
Last scans...
1. Download Security Check from HERE, and save it to your Desktop.
- Double-click SecurityCheck.exe
- Follow the onscreen instructions inside of the black box.
- A Notepad document should open automatically called checkup.txt; please post the contents of that document.
2. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.
3. Go to Kaspersky website and perform an online antivirus scan.
1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- Spyware, Adware, Dialers, and other potentially dangerous programs
[*] Archives
[*] Mail databases
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
Attached is the log from security check. I also did TFC.
But I get the following error when attempting the Kaspersky scan:
"Launch of the Java application is interrupted! Please establish an uninterrupted Internet connection for work with this program."
Results of screen317's Security Check version 0.99.4
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
VIPRE Antivirus Premium
Antivirus up to date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
CCleaner
Java(TM) 6 Update 21
Out of date Java installed!
Adobe Flash Player 10.1.53.64
Adobe Reader 9.3.3
Mozilla Firefox (3.6.8)
Mozilla Thunderbird (3.1.1) Thunderbird Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent
````````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)
``````````End of Log````````````
But I get the following error when attempting the Kaspersky scan:
"Launch of the Java application is interrupted! Please establish an uninterrupted Internet connection for work with this program."
Results of screen317's Security Check version 0.99.4
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
VIPRE Antivirus Premium
Antivirus up to date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
CCleaner
Java(TM) 6 Update 21
Out of date Java installed!
Adobe Flash Player 10.1.53.64
Adobe Reader 9.3.3
Mozilla Firefox (3.6.8)
Mozilla Thunderbird (3.1.1) Thunderbird Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent
````````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)
``````````End of Log````````````
Broni
Posts: 56,041 +516
Instead of Kaspersky....
Please run a free online scan with the ESET Online Scanner
Please run a free online scan with the ESET Online Scanner
- Disable your antivirus program
- Tick the box next to YES, I accept the Terms of Use
- IMPORTANT! UN-check Remove found threats
- Click Start
- Accept any security warnings from your browser.
- Check Scan archives
- Click Start
- ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
- When the scan completes, push List of found threats
- Push Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Here are the found threats
C:\System Volume Information\_restore{CA336B29-2A69-408B-B0EC-03391545751E}\RP79\A0118116.dll a variant of Win32/Cimag.CK trojan
C:\System Volume Information\_restore{CA336B29-2A69-408B-B0EC-03391545751E}\RP80\A0118270.sys Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{CA336B29-2A69-408B-B0EC-03391545751E}\RP80\A0120296.dll a variant of Win32/Cimag.CY trojan
C:\System Volume Information\_restore{CA336B29-2A69-408B-B0EC-03391545751E}\RP84\A0121593.sys Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{CA336B29-2A69-408B-B0EC-03391545751E}\RP89\A0123897.sys Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{CA336B29-2A69-408B-B0EC-03391545751E}\RP79\A0118116.dll a variant of Win32/Cimag.CK trojan
C:\System Volume Information\_restore{CA336B29-2A69-408B-B0EC-03391545751E}\RP80\A0118270.sys Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{CA336B29-2A69-408B-B0EC-03391545751E}\RP80\A0120296.dll a variant of Win32/Cimag.CY trojan
C:\System Volume Information\_restore{CA336B29-2A69-408B-B0EC-03391545751E}\RP84\A0121593.sys Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{CA336B29-2A69-408B-B0EC-03391545751E}\RP89\A0123897.sys Win32/Olmarik.ZC trojan
Broni
Posts: 56,041 +516
That's fine. All those files are in restore point, which we'll reset in a moment.
OTL Clean-Up
Clean up with OTL:
* Double-click OTL.exe to start the program.
* Close all other programs apart from OTL as this step will require a reboot
* On the OTL main screen, press the CLEANUP button
* Say Yes to the prompt and then allow the program to reboot your computer.
If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.
======================================================================
Your computer is clean
1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point.
Turn off System Restore:
- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK
2. Restart computer.
3. Turn System Restore on.
4. Make sure, Windows Updates are current.
5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!
6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.
7. Run defrag at your convenience.
8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
9. Please, let me know, how is your computer doing.
OTL Clean-Up
Clean up with OTL:
* Double-click OTL.exe to start the program.
* Close all other programs apart from OTL as this step will require a reboot
* On the OTL main screen, press the CLEANUP button
* Say Yes to the prompt and then allow the program to reboot your computer.
If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.
======================================================================
Your computer is clean
1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point.
Turn off System Restore:
- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK
2. Restart computer.
3. Turn System Restore on.
4. Make sure, Windows Updates are current.
5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!
6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.
7. Run defrag at your convenience.
8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
9. Please, let me know, how is your computer doing.
Broni
Posts: 56,041 +516
Go http://www.microsoft.com/genuine/default.aspx?displaylang=en
* Click on Validate Windows
* Click on Validate Now button and save the file to your desktop.
* Double click on that file you just downloaded and install it.
* Now go back to the webpage where you downloaded the file and click on the Refresh button. Then click on Continue.
* It should take a few seconds. Tell me what you see on the next page.
* Click on Validate Windows
* Click on Validate Now button and save the file to your desktop.
* Double click on that file you just downloaded and install it.
* Now go back to the webpage where you downloaded the file and click on the Refresh button. Then click on Continue.
* It should take a few seconds. Tell me what you see on the next page.
- Status
