Page 1 of 3 123 LastLast
Results 1 to 10 of 27

Thread: Virus? XP Security, ping.exe, redirects

  1. #1
    Junior Member
    Join Date
    Dec 2011
    Posts
    15

    Default Virus? XP Security, ping.exe, redirects

    I had an XP Internet Security infection which I seem to have stopped by doing a System Restore (hope I didn't blow it there - but it made my computer inoperable by blocking any action I tried to do.) But I still have a problem when ping.exe uses up all my CPU. I go to Task Manager and close it. I'm also getting redirects from Google and pop-ups when I open other sites. I assume it's all related to one virus?
    Here is my dds. Thanks SO MUCH!
    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by OWNER at 9:10:06 on 2011-12-18
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.733 [GMT -8:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\stsystra.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Webroot\Washer\wwDisp.exe
    C:\Program Files\Common Files\SupportSoft\bin\bcont.exe
    svchost.exe
    C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\CDBurnerXP\NMSAccessU.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Webroot\Washer\WasherSvc.exe
    C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\iTunes\iTunes.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
    C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\System32\ping.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Window Washer] c:\program files\webroot\washer\wwDisp.exe
    uRun: [Desktop Software] "c:\program files\common files\supportsoft\bin\bcont.exe" /ini "c:\program files\comcastui\desktop software\uinstaller.ini" /fromrun /starthidden
    mRun: [ehTray] c:\windows\ehome\ehtray.exe
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [igfxtray] c:\windows\system32\igfxtray.exe
    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
    mRun: [igfxpers] c:\windows\system32\igfxpers.exe
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2
    mRun: [<NO NAME>]
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    LSP: mswsock.dll
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1307578475531
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    TCP: DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{3E94C2FB-09D7-48F4-A6A9-6547B6972D13} : DhcpNameServer = 192.168.0.1
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: igfxcui - igfxdev.dll
    Notify: SDWinLogon - SDWinLogon.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\f4q8cx6v.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.cruzio.com/
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\5.0.60401.0\npctrlui.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 ISODisk;ISODisk;c:\windows\system32\drivers\ISODisk.sys [2011-6-9 9600]
    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165648]
    R1 MpKsl7ed4871d;MpKsl7ed4871d;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d945d132-6628-4698-92ac-cce9dc5a7954}\MpKsl7ed4871d.sys [2011-12-16 29904]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-2-17 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2011-5-4 116608]
    R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    R2 wwEngineSvc;Window Washer Engine;c:\program files\webroot\washer\WasherSvc.exe [2011-6-30 618896]
    S1 MpKsl77954acb;MpKsl77954acb;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f4254461-b324-4aab-b754-c50cb017d1ae}\mpksl77954acb.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f4254461-b324-4aab-b754-c50cb017d1ae}\MpKsl77954acb.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-6-9 135664]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-6-9 135664]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2011-12-17 00:52:22 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d945d132-6628-4698-92ac-cce9dc5a7954}\MpKsl7ed4871d.sys
    2011-12-17 00:52:05 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d945d132-6628-4698-92ac-cce9dc5a7954}\offreg.dll
    2011-12-17 00:51:50 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d945d132-6628-4698-92ac-cce9dc5a7954}\mpengine.dll
    2011-12-15 00:56:07 -------- d-----w- c:\program files\MW123
    2011-12-13 17:12:39 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-12-13 17:12:39 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-11-25 17:24:15 -------- d-----w- c:\documents and settings\owner\local settings\application data\Identities
    2011-11-21 16:06:46 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
    2011-11-21 16:06:46 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
    2011-11-21 16:06:46 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
    2011-11-21 16:06:46 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
    2011-11-21 16:06:46 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
    2011-11-21 16:06:46 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
    2011-11-21 16:06:46 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
    2011-11-21 16:01:32 -------- d-----w- c:\program files\iPod
    .
    ==================== Find3M ====================
    .
    2011-12-01 03:55:32 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
    2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
    2011-11-04 19:20:51 43520 ------w- c:\windows\system32\licmgr10.dll
    2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-11-04 11:23:59 385024 ------w- c:\windows\system32\html.iec
    2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
    2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-10-24 22:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2011-10-24 22:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2011-10-15 01:38:00 456192 ----a-w- c:\windows\system32\encdec.dll
    2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32(2).dll
    2011-09-26 18:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 18:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 18:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-07-02 18:17:28 2400568 ----a-w- c:\program files\HousecallLauncher64.exe
    .
    ============= FINISH: 9:10:40.30 ===============
    Last edited by tashi; 2011-12-18 at 20:17. Reason: Copy pasted txt log into topic, "attach" missing. :-)

  2. #2
    Emeritus
    Join Date
    Apr 2011
    Location
    USA
    Posts
    1,038

    Default

    Hi and Welcome!! My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:
    • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
    • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Watch Topic button to the right of your topic title and then choosing the notification method ( Recommended: Inmediate Notification)
    • The fixes are specific to your problem and should only be used for the issues on this machine.
    • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
    • It's often worth reading through these instructions and printing them for ease of reference.
    • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
    • Please reply to this thread. Do not start a new topic.


    IMPORTANT NOTE : Please do not delete anything unless instructed to.
    DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.
    Doing so could make your system inoperable and could require a full reinstall of your OS losing all your programs and data.


    Vista and Windows 7 users:
    These tools MUST be run from the executable (.exe) every time you run them
    with Admin Rights (Right click, choose "Run as Administrator")


    Stay with this topic until I give you the all clean post.
    ----------

    **WARNING**Unfortunately one or more of the infections I have identified are Backdoor Trojans, IRCBots or other Malware capable of stealing very important information. You need to stop using all Internet Banking sites, change passwords to all sites with sensitive information from a clean computer and phone your bank to inform them that you may be a victim of identify theft. More often than not, we advise users that a full reinstallation of their Operating System is the only way to ensure that their computer will ever be 100% clean again.

    Unfortunately I have found what is known as the ZeroAccess rootkit on your system. It is an especially nasty infection that can take quite some time to clean as well as may have damaged your system files itself. As a warning, during the cleaning (if you choose to do so) you may lose internet access with this computer and in the end we may need to reinstall the operating system anyway depending on the extent of the infection.

    If you would like to format and reinstall your Operating System please let me know and we can assist you with that.

    If you would like to continue with the cleaning, please continue with the following instructions and I will be more than happy to help.
    ----------

    Please download TDSSKiller.zip
    • Extract it to your desktop
    • Double click TDSSKiller.exe
    • Press Start Scan
      • Only if Malicious objects are found then ensure Cure is selected
      • Then click Continue > Reboot now
    • Copy and paste the log in your next reply
      • A copy of the log will be saved automatically to the root of the drive (typically C:\)

    ----------

    Please read through these instructions to familarize yourself with what to expect when this tool runs

    Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs
    • Double click on ComboFix.exe & follow the prompts.
    • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    Notes:

    1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ----------

    If you have chosen to attempt to clean, please post the logs created by TDSSKiller and ComboFix.

  3. #3
    Junior Member
    Join Date
    Dec 2011
    Posts
    15

    Default Reply

    What you say is unsettling, to say the least. I do want to try to clean my computer. Please advise me if you think I should just delete everything and start from scratch. I do have a backup hard drive.
    I ran the TDSSKiller; it didn't find anything.
    (Note: between my original post and now, I received a Windows update and told it to run. I don't know if that addressed my infection at all.

    Here is the log from combofix. Thanks for the help!:

    ComboFix 11-12-23.01 - OWNER 12/23/2011 17:34:59.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.1072 [GMT -8:00]
    Running from: c:\documents and settings\OWNER\My Documents\Downloads\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\NetworkService\Application Data\Adobe\sp.Dll
    c:\windows\$NtUninstallKB46948$
    c:\windows\$NtUninstallKB46948$\1815599955\@
    c:\windows\$NtUninstallKB46948$\1815599955\bckfg.tmp
    c:\windows\$NtUninstallKB46948$\1815599955\cfg.ini
    c:\windows\$NtUninstallKB46948$\1815599955\Desktop.ini
    c:\windows\$NtUninstallKB46948$\1815599955\keywords
    c:\windows\$NtUninstallKB46948$\1815599955\kwrd.dll
    c:\windows\$NtUninstallKB46948$\1815599955\L\ivohefmz
    c:\windows\$NtUninstallKB46948$\1815599955\lsflt7.ver
    c:\windows\$NtUninstallKB46948$\1815599955\U\00000001.@
    c:\windows\$NtUninstallKB46948$\1815599955\U\00000002.@
    c:\windows\$NtUninstallKB46948$\1815599955\U\00000004.@
    c:\windows\$NtUninstallKB46948$\1815599955\U\80000000.@
    c:\windows\$NtUninstallKB46948$\1815599955\U\80000004.@
    c:\windows\$NtUninstallKB46948$\1815599955\U\80000032.@
    c:\windows\$NtUninstallKB46948$\2450200787
    c:\windows\system32\oobe\isperror
    c:\windows\system32\oobe\isperror\ispcnerr.htm
    c:\windows\system32\oobe\isperror\ispdtone.htm
    c:\windows\system32\oobe\isperror\isphdshk.htm
    c:\windows\system32\oobe\isperror\ispins.htm
    c:\windows\system32\oobe\isperror\ispnoanw.htm
    c:\windows\system32\oobe\isperror\isppberr.htm
    c:\windows\system32\oobe\isperror\ispphbsy.htm
    c:\windows\system32\oobe\isperror\ispsbusy.htm
    c:\windows\system32\SET12B.tmp
    c:\windows\system32\SET137.tmp
    F:\Autorun.inf
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_.afd
    -------\Service_SPService
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-24 to 2011-12-24 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-24 01:48 . 2011-12-24 01:48 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1678539C-AEF4-4082-ADC2-4CD62E0AAA5B}\offreg.dll
    2011-12-24 01:25 . 2011-11-21 10:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1678539C-AEF4-4082-ADC2-4CD62E0AAA5B}\mpengine.dll
    2011-12-19 00:35 . 2011-12-19 00:35 -------- d-----w- c:\program files\Seagate
    2011-12-19 00:35 . 2011-12-19 00:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate
    2011-12-15 04:12 . 2011-12-15 04:12 -------- d-----w- c:\program files\ERUNT
    2011-12-15 00:56 . 2011-12-15 00:56 -------- d-----w- c:\program files\MW123
    2011-12-13 17:12 . 2011-12-13 17:12 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-11-25 17:24 . 2011-11-25 17:24 -------- d-----w- c:\documents and settings\OWNER\Local Settings\Application Data\Identities
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-01 03:55 . 2011-06-09 20:45 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-23 13:25 . 2004-08-10 11:00 1859584 ----a-w- c:\windows\system32\win32k.sys
    2011-11-21 10:47 . 2011-06-11 15:25 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-11-04 19:20 . 2006-03-04 03:33 916992 ----a-w- c:\windows\system32\wininet.dll
    2011-11-04 19:20 . 2004-08-10 11:00 43520 ------w- c:\windows\system32\licmgr10.dll
    2011-11-04 19:20 . 2004-08-10 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-11-04 11:23 . 2004-08-10 11:00 385024 ------w- c:\windows\system32\html.iec
    2011-11-01 16:07 . 2004-08-10 11:00 1288704 ----a-w- c:\windows\system32\ole32.dll
    2011-10-28 05:31 . 2004-08-10 11:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2011-10-25 13:37 . 2005-03-30 01:21 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-10-25 12:52 . 2005-03-30 01:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-10-24 22:29 . 2011-10-24 22:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2011-10-24 22:29 . 2011-10-24 22:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2011-10-15 01:38 . 2004-08-10 11:00 456192 ----a-w- c:\windows\system32\encdec.dll
    2011-10-10 14:22 . 2011-06-08 22:42 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06 . 2004-08-10 11:00 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-28 07:06 . 2004-08-10 11:00 599040 ----a-w- c:\windows\system32\crypt32(2).dll
    2011-09-26 18:41 . 2008-07-30 02:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 18:41 . 2004-08-10 11:00 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 18:41 . 2004-08-10 11:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-07-02 18:17 . 2011-07-02 18:17 2400568 ----a-w- c:\program files\HousecallLauncher64.exe
    2011-11-05 06:53 . 2011-06-09 21:34 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2011-04-20 1633680]
    "Desktop Software"="c:\program files\Common Files\SupportSoft\bin\bcont.exe" [2009-04-24 1025320]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
    "SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-24 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
    "ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
    "basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-10 169328]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-10-17 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Amazon Unbox.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Amazon Unbox.lnk
    backup=c:\windows\pss\Amazon Unbox.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2005-05-12 06:12 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
    2005-06-01 16:35 49152 ----a-w- c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KeePass 2 PreLoad]
    2011-04-10 17:18 1733120 ----a-w- c:\program files\KeePass Password Safe 2\KeePass.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 12:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
    2011-05-11 05:27 5607080 ----a-w- c:\program files\Spybot - Search & Destroy 2\SDTray.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
    "c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R1 ISODisk;ISODisk;c:\windows\system32\drivers\ISODisk.sys [6/9/2011 1:31 PM 9600]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 10:25 AM 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 10:41 AM 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [5/4/2011 9:54 AM 116608]
    R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [6/30/2011 3:49 PM 618896]
    S1 MpKsl77954acb;MpKsl77954acb;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F4254461-B324-4AAB-B754-C50CB017D1AE}\MpKsl77954acb.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F4254461-B324-4AAB-B754-C50CB017D1AE}\MpKsl77954acb.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/9/2011 1:21 PM 135664]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/9/2011 1:21 PM 135664]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-12-19 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
    .
    2011-12-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc427b1e60cf5e.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-06-09 21:21]
    .
    2011-12-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA1cc427b1e9a082e.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-06-09 21:21]
    .
    2011-12-24 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 22:39]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    TCP: DhcpNameServer = 192.168.0.1
    FF - ProfilePath - c:\documents and settings\OWNER\Application Data\Mozilla\Firefox\Profiles\f4q8cx6v.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.cruzio.com/
    .
    - - - - ORPHANS REMOVED - - - -
    .
    ShellIconOverlayIdentifiers-{96AFBE69-C3B0-4b00-8578-D933D2896EE2} - (no file)
    Notify-SDWinLogon - SDWinLogon.dll
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-12-23 17:48
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(672)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    .
    - - - - - - - > 'explorer.exe'(2112)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Seagate\Basics\Service\SyncServicesBasics.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\eHome\ehRecvr.exe
    c:\windows\eHome\ehSched.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\CDBurnerXP\NMSAccessU.exe
    c:\windows\system32\HPZipm12.exe
    c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
    c:\program files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\windows\stsystra.exe
    c:\windows\system32\dllhost.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\windows\eHome\ehmsas.exe
    .
    **************************************************************************
    .
    Completion time: 2011-12-23 17:52:34 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-12-24 01:52
    .
    Pre-Run: 252,923,031,552 bytes free
    Post-Run: 253,468,565,504 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
    .
    - - End Of File - - 9E50C984C2042BE423BFF61C331E07DB

  4. #4
    Emeritus
    Join Date
    Apr 2011
    Location
    USA
    Posts
    1,038

    Default

    Hi,

    Well, it looks like ComboFix has already neutralized the worst infection on the system so we may not need a restore.
    ----------

    GMER

    Download GMER Rootkit Scanner from here or here.
    • Extract the contents of the zipped file to desktop.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.


      Click the image to enlarge it
    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
    • Save it where you can easily find it, such as your desktop, and attach it in your reply.


    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
    .
    ----------

  5. #5
    Junior Member
    Join Date
    Dec 2011
    Posts
    15

    Default Reply

    Here is the log from Gmer. I have my fingers crossed. My computer has been acting normal recently. No ping.exe issues or redirects from Google. I do worry something could be working in the background that is stealing my information. How does one know for sure?
    Thanks again for the help. I, and I hope others reading this, will (should) send in a contribution.


    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-12-25 06:53:03
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e ST3500630NS_Q rev.3.BTJ
    Running: gmer.exe; Driver: C:\DOCUME~1\OWNER\LOCALS~1\Temp\kfwdrpog.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    ? Combo-Fix.sys The system cannot find the file specified. !
    ? C:\ComboFix\catchme.sys The system cannot find the path specified. !
    ? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Mozilla Firefox\firefox.exe[1880] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 01262EC0 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Program Files\Webroot\Washer\WasherSvc.exe[2056] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 0008EE55 C:\Program Files\Webroot\Washer\WasherSvc.exe (Window Washer Engine/Webroot Software, Inc.)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3332] USER32.dll!SetWindowLongA 7E42C29D 5 Bytes JMP 106AC350 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3332] USER32.dll!SetWindowLongW 7E42C2BB 5 Bytes JMP 106AC2E2 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3332] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 1045E363 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3332] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 1045E91C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

    ---- EOF - GMER 1.0.15 ----

  6. #6
    Emeritus
    Join Date
    Apr 2011
    Location
    USA
    Posts
    1,038

    Default

    Hi irving,

    Please download Malwarebytes' Anti-Malware to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform quick scan, then click Scan as shown below.


    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.



    The log can also be found here:
    C:\Documents and Settings\<User name>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    ----------

    ESET Online Scanner
    I'd like us to scan your machine with ESET Online Scan

    Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



    1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    2. Click the button.
    3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      1. Click on to download the ESET Smart Installer. Save it to your desktop.
      2. Double click on the icon on your desktop.
    4. Check
    5. Click the Start button.
    6. Accept any security warnings from your browser.
    7. Check
    8. Make sure that the option "Remove found threats" is Unchecked
    9. Push the Start button.
    10. ESET will then download updates for itself, install itself, and begin
      scanning your computer. Please be patient as this can take some time.
    11. When the scan completes, push
    12. Push , and save the file to your desktop using a unique name, such as
      ESETScan. Include the contents of this report in your next reply.
    13. Push the Back button.
    14. Push Finish

    http://www.eset.com/onlinescan/
    ----------

    In your next reply please post the logs created by Malwarebytes and ESET online scanner.

  7. #7
    Junior Member
    Join Date
    Dec 2011
    Posts
    15

    Default Reply

    Here are the results of the scans. Because of the additional steps of downloading the Eset scan in Mozilla, I ran it from IE. Does that matter? I usually use Mozilla. If it makes a difference, I could run it again in Mozilla.
    Thanks again.

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 911122602

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    12/26/2011 7:10:31 AM
    mbam-log-2011-12-26 (07-10-31).txt

    Scan type: Quick scan
    Objects scanned: 178209
    Time elapsed: 5 minute(s), 3 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\sp (TrojanProxy.Agent) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    C:\BACKUP\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudInternetSecurity7.zip Win32/Bagle.gen.zip worm
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\34\6924d4a2-35c6558f Java/Agent.DY trojan
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\38\1b6211a6-2aae5079 Java/Exploit.CVE-2011-3544.F trojan
    C:\Documents and Settings\OWNER\Application Data\Sun\Java\Deployment\cache\6.0\13\b6e408d-3ee52776 a variant of Java/Exploit.Blacole.AF trojan
    C:\Documents and Settings\OWNER\Application Data\Sun\Java\Deployment\cache\6.0\34\6924d4a2-742f8441 Java/Agent.DY trojan
    C:\Documents and Settings\OWNER\Application Data\Sun\Java\Deployment\cache\6.0\38\1b6211a6-1f5819a4 Java/Exploit.CVE-2011-3544.F trojan

  8. #8
    Junior Member
    Join Date
    Dec 2011
    Posts
    15

    Default Reply

    Maybe you know this, but the last section (the C:\ section) is from the Eset scan.

  9. #9
    Emeritus
    Join Date
    Apr 2011
    Location
    USA
    Posts
    1,038

    Default

    Hi irving52,

    I ran it from IE. Does that matter?
    No you did everything just fine.
    -------------

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
      Code:
      File::
      C:\BACKUP\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudInternetSecurity7.zip	
      C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\34\6924d4a2-35c6558f	
      C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\38\1b6211a6-2aae5079	
      C:\Documents and Settings\OWNER\Application Data\Sun\Java\Deployment\cache\6.0\13\b6e408d-3ee52776	
      C:\Documents and Settings\OWNER\Application Data\Sun\Java\Deployment\cache\6.0\34\6924d4a2-742f8441	
      C:\Documents and Settings\OWNER\Application Data\Sun\Java\Deployment\cache\6.0\38\1b6211a6-1f5819a4
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    ----------

    How is your system running now?

  10. #10
    Junior Member
    Join Date
    Dec 2011
    Posts
    15

    Default

    ComboFix 11-12-26.02 - OWNER 12/26/2011 12:27:11.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.917 [GMT -8:00]
    Running from: c:\documents and settings\OWNER\My Documents\Downloads\ComboFix.exe
    Command switches used :: c:\documents and settings\OWNER\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    FILE ::
    "c:\backup\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudInternetSecurity7.zip"
    "c:\documents and settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\34\6924d4a2-35c6558f"
    "c:\documents and settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\38\1b6211a6-2aae5079"
    "c:\documents and settings\OWNER\Application Data\Sun\Java\Deployment\cache\6.0\13\b6e408d-3ee52776"
    "c:\documents and settings\OWNER\Application Data\Sun\Java\Deployment\cache\6.0\34\6924d4a2-742f8441"
    "c:\documents and settings\OWNER\Application Data\Sun\Java\Deployment\cache\6.0\38\1b6211a6-1f5819a4"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\backup\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudInternetSecurity7.zip
    c:\documents and settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\34\6924d4a2-35c6558f
    c:\documents and settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\38\1b6211a6-2aae5079
    c:\documents and settings\OWNER\Application Data\Sun\Java\Deployment\cache\6.0\13\b6e408d-3ee52776
    c:\documents and settings\OWNER\Application Data\Sun\Java\Deployment\cache\6.0\34\6924d4a2-742f8441
    c:\documents and settings\OWNER\Application Data\Sun\Java\Deployment\cache\6.0\38\1b6211a6-1f5819a4
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-26 to 2011-12-26 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-26 18:16 . 2011-12-26 18:16 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{659E631D-38DC-472E-B85E-330DD65E90F8}\MpKsl9215cbf2.sys
    2011-12-26 18:16 . 2011-12-26 18:16 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{659E631D-38DC-472E-B85E-330DD65E90F8}\offreg.dll
    2011-12-26 18:15 . 2011-11-21 10:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{659E631D-38DC-472E-B85E-330DD65E90F8}\mpengine.dll
    2011-12-26 15:19 . 2011-12-26 15:19 -------- d-----w- c:\program files\ESET
    2011-12-19 00:35 . 2011-12-19 00:35 -------- d-----w- c:\program files\Seagate
    2011-12-19 00:35 . 2011-12-19 00:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate
    2011-12-15 04:12 . 2011-12-15 04:12 -------- d-----w- c:\program files\ERUNT
    2011-12-15 00:56 . 2011-12-15 00:56 -------- d-----w- c:\program files\MW123
    2011-12-13 17:12 . 2011-12-13 17:12 -------- d-----w- c:\windows\system32\wbem\Repository
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-01 03:55 . 2011-06-09 20:45 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-23 13:25 . 2004-08-10 11:00 1859584 ----a-w- c:\windows\system32\win32k.sys
    2011-11-21 10:47 . 2011-06-11 15:25 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-11-04 19:20 . 2006-03-04 03:33 916992 ----a-w- c:\windows\system32\wininet.dll
    2011-11-04 19:20 . 2004-08-10 11:00 43520 ------w- c:\windows\system32\licmgr10.dll
    2011-11-04 19:20 . 2004-08-10 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-11-04 11:23 . 2004-08-10 11:00 385024 ------w- c:\windows\system32\html.iec
    2011-11-01 16:07 . 2004-08-10 11:00 1288704 ----a-w- c:\windows\system32\ole32.dll
    2011-10-28 05:31 . 2004-08-10 11:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2011-10-25 13:37 . 2005-03-30 01:21 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-10-25 12:52 . 2005-03-30 01:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-10-24 22:29 . 2011-10-24 22:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2011-10-24 22:29 . 2011-10-24 22:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2011-10-15 01:38 . 2004-08-10 11:00 456192 ----a-w- c:\windows\system32\encdec.dll
    2011-10-10 14:22 . 2011-06-08 22:42 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06 . 2004-08-10 11:00 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-28 07:06 . 2004-08-10 11:00 599040 ----a-w- c:\windows\system32\crypt32(2).dll
    2011-07-02 18:17 . 2011-07-02 18:17 2400568 ----a-w- c:\program files\HousecallLauncher64.exe
    2011-11-05 06:53 . 2011-06-09 21:34 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-12-24_01.49.09 )))))))))))))))))))))))))))))))))))))))))
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2011-04-20 1633680]
    "Desktop Software"="c:\program files\Common Files\SupportSoft\bin\bcont.exe" [2009-04-24 1025320]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
    "SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-24 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
    "ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
    "basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-10 169328]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-10-17 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Amazon Unbox.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Amazon Unbox.lnk
    backup=c:\windows\pss\Amazon Unbox.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2005-05-12 06:12 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
    2005-06-01 16:35 49152 ----a-w- c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KeePass 2 PreLoad]
    2011-04-10 17:18 1733120 ----a-w- c:\program files\KeePass Password Safe 2\KeePass.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 12:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
    2011-05-11 05:27 5607080 ----a-w- c:\program files\Spybot - Search & Destroy 2\SDTray.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
    "c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R1 ISODisk;ISODisk;c:\windows\system32\drivers\ISODisk.sys [6/9/2011 1:31 PM 9600]
    R1 MpKsl9215cbf2;MpKsl9215cbf2;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{659E631D-38DC-472E-B85E-330DD65E90F8}\MpKsl9215cbf2.sys [12/26/2011 10:16 AM 29904]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 10:25 AM 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 10:41 AM 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [5/4/2011 9:54 AM 116608]
    R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [6/30/2011 3:49 PM 618896]
    S1 MpKsl77954acb;MpKsl77954acb;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F4254461-B324-4AAB-B754-C50CB017D1AE}\MpKsl77954acb.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F4254461-B324-4AAB-B754-C50CB017D1AE}\MpKsl77954acb.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/9/2011 1:21 PM 135664]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/9/2011 1:21 PM 135664]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - KFWDRPOG
    *NewlyCreated* - MBAMSWISSARMY
    *NewlyCreated* - MPKSL765770AC
    *NewlyCreated* - MPKSL9215CBF2
    *Deregistered* - kfwdrpog
    *Deregistered* - MpKsl765770ac
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-12-26 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
    .
    2011-12-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc427b1e60cf5e.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-06-09 21:21]
    .
    2011-12-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA1cc427b1e9a082e.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-06-09 21:21]
    .
    2011-12-26 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 22:39]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    TCP: DhcpNameServer = 192.168.0.1
    FF - ProfilePath - c:\documents and settings\OWNER\Application Data\Mozilla\Firefox\Profiles\f4q8cx6v.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.cruzio.com/
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-12-26 12:34
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(672)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    .
    Completion time: 2011-12-26 12:36:28
    ComboFix-quarantined-files.txt 2011-12-26 20:36
    ComboFix2.txt 2011-12-24 01:52
    .
    Pre-Run: 254,832,340,992 bytes free
    Post-Run: 254,827,065,344 bytes free
    .
    - - End Of File - - 171FA40C0604B944693FB6E98018A6F7

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •