PDA

View Full Version : Rloader Virus Help



savanna
2012-03-26, 03:46
I have some sort of virus that’s infected my machine that initially displayed a message about the computer needing a scan. I know I wasn’t supposed to, but out of desperation I ran Spybot, MalwareBytes, TDSSKiller, Eset, and finally Combo-Fix. I used Safe Mode whenever I could. Eset found something called “Virus.Win32.Rloader.a” and Malwarebytes found something called “Virus.Rloader” and three instances of “Heuristics.Reserved.Word.Exploit”. All were removed.

At least now the computer is usable, but I don’t think it’s fully fixed yet. My desktop has lost its original background setting and the TCIP/IP DNS Server settings keep reverting back to a specific value after I set it to automatic and then reboot.

I think it needs a good cleaning with the help of an expert.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_30
Run by Bob at 19:36:39 on 2012-03-25
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1296 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\My Lockbox\mylbx.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MiMedia LLC\MiMedia\MiMedia.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Program Files\Aquarius Soft\PC Alarm Clock Pro\alarm.exe
C:\Program Files\Expedia\Expedia Fare Alert 2.1\ExpediaFareAlert.exe
svchost.exe
C:\Program Files\Hotspot Shield\bin\hsswd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Sendori\SendoriSvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office\Winword.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uLocal Page = c:\program files\common files\microsoft shared\stationery\Blank.htm
uStart Page = hxxp://twitter.com/
uDefault_Search_URL = hxxp://search.searchcompletion.com/?si=10211&home=1
mLocal Page = c:\program files\common files\microsoft shared\stationery\Blank.htm
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10591&gct=&gc=1&q=%s
mURLSearchHooks: H - No File
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 7\SnagItBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 7\SnagItIEAddin.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
uRun: [DriverMax_RESTART] "c:\program files\innovative solutions\drivermax\devices.exe" -RESTART
uRun: [OpenDNS Updater] "c:\program files\opendns updater\OpenDNSUpdater.exe" /autostart
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVDtray.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [mylbx] c:\program files\my lockbox\mylbx.exe /a
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\bob\startm~1\programs\startup\aquari~1.lnk - c:\program files\aquarius soft\pc alarm clock pro\alarm.exe
StartupFolder: c:\docume~1\bob\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\bob\startm~1\programs\startup\expedi~1.lnk - c:\program files\expedia\expedia fare alert 2.1\ExpediaFareAlert.exe
StartupFolder: c:\docume~1\bob\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mimedia.lnk - c:\program files\mimedia llc\mimedia\MiMedia.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {FB858B22-55E2-413f-87F5-30ADC5552151}
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} - hxxps://secure.logmein.com/activex/RACtrl.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{1F50389D-8DEA-49E5-9593-FA09ACC3563A} : NameServer = 216.146.35.240,216.146.36.240,192.168.1.1
TCP: Interfaces\{1F50389D-8DEA-49E5-9593-FA09ACC3563A} : DhcpNameServer = 192.168.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\bob\application data\mozilla\firefox\profiles\vw9a9lod.default\
FF - prefs.js: browser.search.selectedEngine - Complitly
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\bob\application data\mozilla\firefox\profiles\vw9a9lod.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\netscape\navigator\program\plugins\NPDOC.DLL
FF - plugin: c:\program files\netscape\navigator\program\plugins\npdrmv2.dll
FF - plugin: c:\program files\netscape\navigator\program\plugins\npdsplay.dll
FF - plugin: c:\program files\netscape\navigator\program\plugins\NPJPI142_06.dll
FF - plugin: c:\program files\netscape\navigator\program\plugins\nppl3260.dll
FF - plugin: c:\program files\netscape\navigator\program\plugins\nprfxins.dll
FF - plugin: c:\program files\netscape\navigator\program\plugins\nprjplug.dll
FF - plugin: c:\program files\netscape\navigator\program\plugins\nprpjplug.dll
FF - plugin: c:\program files\netscape\navigator\program\plugins\npwmsdrm.dll
FF - plugin: c:\program files\netscape\navigator\program\plugins\npyacs.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 FSProFilter;FSPro File Filter;c:\windows\system32\drivers\FSPFltd.sys [2011-4-6 41912]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\hotspot shield\bin\hsswd.exe -product hss --> c:\program files\hotspot shield\bin\hsswd.exe -product HSS [?]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-10-5 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-1-27 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-7-13 47640]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-10-14 994360]
R2 Sendori;Sendori;c:\program files\sendori\SendoriSvc.exe [2011-8-5 98168]
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2004-8-4 5120]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [2009-5-10 127496]
S0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys --> c:\windows\system32\drivers\avgarkt.sys [?]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\avgarcln.sys --> c:\windows\system32\drivers\AvgArCln.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; [x]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-10-14 399416]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-1-31 158856]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\lavalys\everest home edition\kerneld.wnt [2005-8-18 7168]
S3 NLNdisMP;NLNdisMP;c:\windows\system32\drivers\nlndis.sys --> c:\windows\system32\drivers\nlndis.sys [?]
S3 NLNdisPT;NetLimiter Ndis Protocol Service;c:\windows\system32\drivers\nlndis.sys --> c:\windows\system32\drivers\nlndis.sys [?]
S3 SymSnapService;SymSnapService;c:\program files\norton ghost\shared\drivers\SymSnapService.exe [2007-12-20 1553896]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2012-03-25 20:47:55 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-25 20:40:25 -------- d-----w- C:\!! Ant-Virus Temp
2012-03-25 16:13:58 98816 ----a-w- c:\windows\sed.exe
2012-03-25 16:13:58 518144 ----a-w- c:\windows\SWREG.exe
2012-03-25 16:13:58 256000 ----a-w- c:\windows\PEV.exe
2012-03-25 16:13:58 208896 ----a-w- c:\windows\MBR.exe
2012-03-25 13:26:39 -------- d-----w- c:\documents and settings\bob\application data\Seh
2012-03-25 13:26:39 -------- d-----w- c:\documents and settings\bob\application data\Octy
2012-03-20 16:34:51 -------- d-----w- C:\TradeStation Brokerage
2012-03-19 17:09:18 -------- d-----w- c:\documents and settings\bob\local settings\application data\{4633C16E-71E6-11E1-826D-B8AC6F996F26}
2012-03-17 10:44:11 592824 ----a-w- c:\program files\mozilla firefox\gkmedias.dll
2012-03-17 10:44:11 44472 ----a-w- c:\program files\mozilla firefox\mozglue.dll
2012-03-12 17:11:18 -------- d-----w- c:\documents and settings\bob\application data\Openworld Learning
2012-03-12 17:07:58 -------- d-----w- C:\flashdigger
2012-03-10 12:09:05 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2012-03-10 12:09:05 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2012-03-10 12:09:04 818104 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2012-03-10 12:09:04 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2012-03-10 12:09:04 441272 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2012-03-10 12:09:04 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2012-03-10 12:09:04 1969080 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2012-03-10 12:09:04 16312 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2012-03-10 12:09:04 101304 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2012-03-10 12:09:03 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
2012-03-10 12:09:03 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2012-03-09 14:12:36 121208 -c--a-w- c:\windows\system32\drivers\AnyDVD.sys
2012-03-05 22:27:37 -------- d-----w- c:\documents and settings\bob\application data\SendBlaster2
.
==================== Find3M ====================
.
2012-03-25 20:49:07 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
2012-03-11 12:14:26 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-02-01 01:45:00 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-01 01:44:59 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-01-11 19:06:47 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20:25 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-12-28 23:38:47 428088 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-10-03 16:43:23 8410624 ----a-w- c:\program files\HTML Guardian 7.msi
.
============= FINISH: 19:38:05.73 ===============

shelf life
2012-03-31, 04:17
hi savanna,

Your post is a few days old. If you still need help simply reply back.

savanna
2012-03-31, 14:12
Yes, I do. Thank you very much.

shelf life
2012-03-31, 22:11
Take a look in your root drive C: for a combofix.txt file. Copy/paste the text file in your reply.


lost its original background setting
You should be able to change it back.


TCIP/IP DNS Server settings keep reverting back
Do they revert back to this IP: 208.67.222.XYZ

savanna
2012-04-03, 14:45
Combofix.txt info is below.

TCIP/IP DNS Server settings keep reverting back to 216.146.35.240 and 216.146.36.240. I have the modem set to use OpendDNS settings, so I want the computer to find DNS dynamically.

Thank you very much.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ComboFix 12-03-22.01 - Bob 03/25/2012 11:17:45.20.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1422 [GMT -5:00]
Running from: F:\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Bob\Application Data\Seh\papuyw.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-02-25 to 2012-03-25 )))))))))))))))))))))))))))))))
.
.
2012-03-25 13:26 . 2012-03-25 16:30 -------- d-----w- c:\documents and settings\Bob\Application Data\Seh
2012-03-25 13:26 . 2012-03-25 16:00 -------- d-----w- c:\documents and settings\Bob\Application Data\Octy
2012-03-20 16:34 . 2012-03-20 21:00 -------- d-----w- C:\TradeStation Brokerage
2012-03-19 17:09 . 2012-03-19 17:09 -------- d-----w- c:\documents and settings\Bob\Local Settings\Application Data\{4633C16E-71E6-11E1-826D-B8AC6F996F26}
2012-03-10 12:09 . 2012-03-10 12:09 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-03-10 12:09 . 2012-03-10 12:09 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2012-03-10 12:09 . 2012-03-10 12:09 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-03-10 12:09 . 2012-03-10 12:09 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-03-09 14:12 . 2012-03-09 14:12 121208 -c--a-w- c:\windows\system32\drivers\AnyDVD.sys
2012-03-07 12:35 . 2012-03-07 12:35 -------- d-----w- c:\documents and settings\World Cup
2012-03-05 22:27 . 2012-03-05 22:30 -------- d-----w- c:\documents and settings\Bob\Application Data\SendBlaster2
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-11 12:14 . 2011-11-18 22:31 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:22 . 2004-08-04 10:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-02-01 01:45 . 2012-01-31 01:33 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-01 01:44 . 2011-04-29 12:01 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-01-11 19:06 . 2012-02-16 16:24 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2008-01-13 03:19 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-12-28 23:38 . 2008-01-17 17:50 428088 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-10-03 16:43 . 2009-10-03 16:43 8410624 ----a-w- c:\program files\HTML Guardian 7.msi
2011-05-19 20:22 . 2009-08-20 23:58 113976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2011-07-21 20:16 . 2009-08-20 23:58 550712 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-08-20 23:58 . 2009-08-20 23:58 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2012-03-17 10:44 . 2012-03-10 12:09 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-25_15.54.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-03-25 16:08 . 2012-03-25 16:08 16384 c:\windows\temp\Perflib_Perfdata_8b8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_MiMediaFiles_MonitoredFolder]
@="{C00213B1-77A8-4F0E-B740-0B36FBF7FAE7}"
[HKEY_CLASSES_ROOT\CLSID\{C00213B1-77A8-4F0E-B740-0B36FBF7FAE7}]
2011-09-22 21:20 930704 ----a-w- c:\program files\MiMedia LLC\MiMedia\MiMedia_ShellExtensions.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_MiMediaFiles_SynchronizationPending]
@="{FAD5EA38-2D1D-485D-9B07-D35EB72B922E}"
[HKEY_CLASSES_ROOT\CLSID\{FAD5EA38-2D1D-485D-9B07-D35EB72B922E}]
2011-09-22 21:20 930704 ----a-w- c:\program files\MiMedia LLC\MiMedia\MiMedia_ShellExtensions.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_MiMediaFiles_Synchronized]
@="{69DE75F6-60E6-4E55-B416-171941A5C73E}"
[HKEY_CLASSES_ROOT\CLSID\{69DE75F6-60E6-4E55-B416-171941A5C73E}]
2011-09-22 21:20 930704 ----a-w- c:\program files\MiMedia LLC\MiMedia\MiMedia_ShellExtensions.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DriverMax_RESTART"="c:\program files\Innovative Solutions\DriverMax\devices.exe" [2011-07-07 9245096]
"OpenDNS Updater"="c:\program files\OpenDNS Updater\OpenDNSUpdater.exe" [2010-06-16 839680]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2012-03-09 5934712]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-05 16859648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-05-21 13895272]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-16 221184]
"mylbx"="c:\program files\My Lockbox\mylbx.exe" [2011-12-07 2136384]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]
.
c:\documents and settings\Bob\Start Menu\Programs\Startup\
Aquarius Soft PC Alarm Clock Pro.lnk - c:\program files\Aquarius Soft\PC Alarm Clock Pro\alarm.exe [2011-9-10 937984]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Expedia Fare Alert 2.1.lnk - c:\program files\Expedia\Expedia Fare Alert 2.1\ExpediaFareAlert.exe [2009-4-23 1466368]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-17 111376]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
MiMedia.lnk - c:\program files\MiMedia LLC\MiMedia\MiMedia.exe [2011-9-22 55696]
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-10-14 291896]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2011-10-05 20:06 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave"=DrvTrNTm.dll
"mixer"=DrvTrNTm.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Omega Research Task Scheduler.lnk]
backup=c:\windows\pss\Omega Research Task Scheduler.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalTalk.lnk]
backup=c:\windows\pss\PalTalk.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Bob^Start Menu^Programs^Startup^Office Startup.lnk]
backup=c:\windows\pss\Office Startup.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
2012-03-09 17:15 5934712 ----a-w- c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
2009-01-29 22:20 57344 ----a-w- c:\program files\SlySoft\CloneCD\CloneCDTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 11:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-12-19 17:08 159744 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-12-19 17:08 135168 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-02-16 22:15 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2010-01-27 17:22 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 14.0]
2008-01-20 01:01 2245984 ----a-w- c:\program files\Norton Ghost\Agent\VProTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2011-05-21 11:01 111208 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpenDNS Updater]
2010-06-16 21:42 839680 ----a-w- c:\program files\OpenDNS Updater\OpenDNSUpdater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2012-01-31 21:14 17147528 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\1stWORKS\\hotCommCL\\BIN\\HotComm.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\hkcmd.exe"=
"c:\\Program Files\\NinjaTrader 7\\bin\\NinjaTrader.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2799:UDP"= 2799:UDP:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:Altova License Metering Port (TCP)
"5910:TCP"= 5910:TCP:vnc5910
.
R0 FSProFilter;FSPro File Filter;c:\windows\system32\drivers\FSPFltd.sys [4/6/2011 2:37 PM 41912]
R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [10/5/2010 7:39 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [1/27/2010 12:22 PM 12856]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [10/14/2011 1:01 AM 994360]
R2 Sendori;Sendori;c:\program files\Sendori\SendoriSvc.exe [8/5/2011 2:37 PM 98168]
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [8/4/2004 5:00 AM 5120]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 3:30 AM 15544]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [5/10/2009 4:26 PM 127496]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS --> c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; [x]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [10/14/2011 1:01 AM 399416]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [1/31/2012 4:09 PM 158856]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 11:58 AM 11336]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\Lavalys\EVEREST Home Edition\kerneld.wnt [8/18/2005 1:00 AM 7168]
S3 NLNdisMP;NLNdisMP;c:\windows\system32\DRIVERS\nlndis.sys --> c:\windows\system32\DRIVERS\nlndis.sys [?]
S3 NLNdisPT;NetLimiter Ndis Protocol Service;c:\windows\system32\DRIVERS\nlndis.sys --> c:\windows\system32\DRIVERS\nlndis.sys [?]
S3 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [12/20/2007 5:13 PM 1553896]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-25 c:\windows\Tasks\User_Feed_Synchronization-{1FF685FF-AF79-4E0B-A492-555956BF9C7C}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\program files\Common Files\Microsoft Shared\Stationery\Blank.htm
uStart Page = hxxp://twitter.com/
uDefault_Search_URL = hxxp://search.searchcompletion.com/?si=10211&home=1
mLocal Page = c:\program files\Common Files\Microsoft Shared\Stationery\Blank.htm
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10591&gct=&gc=1&q=%s
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{1F50389D-8DEA-49E5-9593-FA09ACC3563A}: NameServer = 216.146.35.240,216.146.36.240,192.168.1.1
FF - ProfilePath - c:\documents and settings\Bob\Application Data\Mozilla\Firefox\Profiles\vw9a9lod.default\
FF - prefs.js: browser.search.selectedEngine - Complitly
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-{CD3B82B8-AFDD-810A-42B6-C5090CD5BF42} - c:\documents and settings\Bob\Application Data\Seh\papuyw.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-25 11:32
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet006\Services\EverestDriver]
"ImagePath"="\??\c:\program files\Lavalys\EVEREST Home Edition\kerneld.wnt"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(848)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2012-03-25 11:37:45
ComboFix-quarantined-files.txt 2012-03-25 16:37
ComboFix2.txt 2012-03-25 15:55
ComboFix3.txt 2012-01-31 22:10
ComboFix4.txt 2011-12-16 03:19
ComboFix5.txt 2012-03-25 16:14
.
Pre-Run: 19,337,666,560 bytes free
Post-Run: 19,391,246,336 bytes free
.
- - End Of File - - E68BF11BDC2B14A555332B26A2CB93FF

shelf life
2012-04-04, 01:51
hi,

Not much there to be concerned about.

It looks like your using two DNS providers?

http://www.opendns.com/support/dynamic_ip_downloads/
you have there updater software:
c:\program files\OpenDNS Updater\OpenDNSUpdater.exe

Then this ip (216.146.36.240) resolves to:
http://dyn.com/

savanna
2012-04-08, 16:28
After doing a C drive search for "Dyn" I was able to find a folder called Sendori within the Program Files directory. Googleing Sendori revealed that it "will update your computer's DNS settings to protect you from the latest threats". After activating the uninstall.exe file in that directory my DNS settings are no longer being held hostage. It is fixed!

Thank you very much for your help.

shelf life
2012-04-08, 23:03
ok, your welcome. You can remove combofix like this:
start>run and type in combofix /uninstall
click ok or hit enter.
Note the space after the x and before the /

You can also delete the tdsskiller icon from your desktop.

For your reference:

10 Tips for Prevention and Avoidance of Malware:
There is no reason why your computer can not stay malware free.

No software can think for you. Help yourself. In no special order:

1) It is essential to keep your operating system (Windows) browser (IE, FireFox, Chrome, Opera) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update (http://www.update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us) frequently or use the Windows auto-update feature. (http://www.microsoft.com/windows/downloads/windowsupdate/automaticupdate.mspx) Staying updated is also essential for other web based applications like Java, Adobe Flash/Reader, iTunes etc. More and more third party applications are being targeted. Use the auto-update features available in most software. Not sure if you are using the latest version of software? Check their version status and get the updates here. (http://secunia.com/vulnerability_scanning/online/)

2) Know what you are installing to your computer. Alot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software is installing useless toolbars if not unchecked first. Do not install any files from ads, popups or random links. Do not fall for fake warnings about virus and trojans being found on your computer and you are then prompted to install software to remedy this. See also the signs (http://www.malwarevault.com/signs.html)that you may have malware on your computer.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently find malware then its time to *review your computer habits*.

4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. See also E-mail phishing Tricks (http://www.fraud.org/tips/internet/phishing.htm).

5) Do not click on ads/pop ups or offers from websites requesting that you need to install software to your computer--*for any reason*. Use the Alt+F4 keys to close the window.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?

7) Consider the use of limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing and lessen its potential impact.* This is exactly what user account control (UAC) in Windows Vista, Windows 7 and Windows 8 attempts to address.

8) Install and understand the *limitations* of a software firewall.

9) Your browser risks: The why and how (http://www.cert.org/tech_tips/securing_browser/) to secure your browser for safer surfing.

10) Warez, cracks, keygens etc are very popular for carrying malware payloads. If you look for these you will encounter malware. If you download/install files via p2p networks you will also encounter malware. Do you really trust the source of the file?

More info/tips with pictures, links below

Happy Safe Surfing.