web browser hijack and all files hidden

Hi,

Rename ComboFix.exe file -> whatever.exe and see if it makes any difference when run.
 
Hi,
I signed on as administrator and downloaded ComboFix to the desktop, changed its name, and it still froze. I switched on my computer this morning pressing F8 for safe mode and got the Microsoft Recovery Console option. It was not there yesterday! Should I select that operating system to start? Thanks, Ste.
 
Hi,

Please do a quick test to see if that option works.

1. Restart your computer
2. Before Windows loads, you will be prompted to choose which Operating System to start
3. Use the up and down arrow key to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press enter.
5. At the C:\Windows prompt, type exit and press ENTER to reboot back into normal mode.

Let me know if you had success in going through those steps.
 
Hi,
I selected Windows Recovery Console and all I got was a black screen with a flashing cursor. I tried to type "1"; nothing happened, no keys worked. I had to switch off using the power button, same as when DDS stalls.
 
Hi,

1. Download TDSSKiller and extract its contents into a folder in the desired location (e.g. c:\tdsskiller).
2. Execute the file TDSSKiller.exe.
3. Click Start Scan. If threats are found, select cure and click Continue (tool may prompt for a reboot).
4. Post back contents of log file in c: drive root (name should be in UtilityName.Version_Date_Time_log.txt format)
 
Hi,
TDSSKiller will not start. It downloaded OK and extracted. I double-clicked the K icon and nothing happened; tried in safe mode, nothing again. TDSSKiller does not freeze like the other programmes, it just won't run. Hope this helps. Ste
 
Hi,

1. Move the renamed ComboFix file (I assume here that the file is whatever.exe) from your desktop to the root of the C: drive (C:\). That way we can access it from every account.

2. Try running ComboFix in safe mode with command prompt. Here are the steps to follow (print/save these since you won't be able to access them while in safe mode):
Press F8 before Windows' loading screen and select the "Safe Mode with Command Prompt" option.
Then type the following commands (I assume you moved whatever.exe to the C: root):
  • cd\
  • whatever.exe /nombr

When ComboFix reboots, select safe mode with command prompt again so that ComboFix will finish there.
 
Hi,
I keep getting this message: "whatever.exe /nombr is not recognized as an internal or external command, operable program, or batch file."
 
Hi, I started again and got it to work. Here is the result.

ComboFix 11-06-25.05 - Administrator 26/06/2011 11:58:01.1.1 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.958.711 [GMT 1:00]
Running from: C:\whatever.exe.exe
Command switches used :: /nombr
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Steven\My Documents\Start Menu\Programs\Windows XP Restore
c:\documents and settings\Steven\My Documents\Start Menu\Programs\Windows XP Restore\Uninstall Windows XP Restore.lnk
c:\documents and settings\Steven\My Documents\Start Menu\Programs\Windows XP Restore\Windows XP Restore.lnk
<snip>
.
.
((((((((((((((((((((((((( Files Created from 2011-05-26 to 2011-06-26 )))))))))))))))))))))))))))))))
.
.
2011-06-24 22:05 . 2011-06-24 22:05 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-24 21:05 . 2011-06-24 21:29 -------- d-----w- C:\tdsskiller
2011-06-23 21:44 . 2011-06-23 21:47 -------- d-----w- C:\whatever
2011-06-23 20:56 . 2011-06-23 20:59 -------- d-----w- C:\fliedaway.exe5322f
2011-06-22 10:27 . 2011-06-25 15:11 -------- d-----w- C:\## aswSnx private storage
2011-06-18 19:00 . 2011-06-18 19:00 -------- d-----w- c:\documents and settings\Steven\Application Data\DriverCure
2011-06-18 19:00 . 2011-06-18 19:00 -------- d-----w- c:\documents and settings\Steven\Application Data\ParetoLogic
2011-06-18 18:59 . 2011-06-18 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2011-06-07 10:42 . 2011-06-07 11:13 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2011-06-07 10:37 . 2011-06-07 10:37 -------- d-----w- c:\documents and settings\All Users\Application Data\WinMaximizer
2011-06-07 09:41 . 2011-06-07 09:41 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-24 21:04 . 2011-06-24 21:04 1309375 ----a-w- C:\tdsskiller.zip
2011-05-02 15:31 . 2010-10-30 10:12 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 16:19 . 2008-04-14 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2008-04-14 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2008-04-14 12:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_17\bin\jusched.exe" [2008-11-10 75264]
"RTHDCPL"="RTHDCPL.EXE" [2010-10-05 19580520]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-05-27 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-29 937920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [20/11/2010 18:35 136176]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [30/10/2010 11:45 1691480]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [20/11/2010 18:35 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 SaiH0464;SaiH0464;c:\windows\system32\drivers\SaiH0464.sys [04/04/2011 12:09 48128]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
2011-06-26 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-11-20 11:19]
.
2011-06-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-20 17:35]
.
2011-06-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-20 17:35]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
Notify-TPSvc - TPSvc.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-26 12:10
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-484763869-1078145449-1177238915-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bd,c6,5f,f0,a4,37,4c,41,ae,87,a2,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bd,c6,5f,f0,a4,37,4c,41,ae,87,a2,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(220)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-06-26 12:13:45
ComboFix-quarantined-files.txt 2011-06-26 11:13
.
Pre-Run: 23,109,255,168 bytes free
Post-Run: 23,473,377,280 bytes free
.
- - End Of File - - C81867D70A9DAF6F18EC4A946DD3533C
 
Hi,

Are symptoms still remaining?

Please see if you able to run DDS now (try in safe mode if normal mode fails).
 
Hi,

Please download and run this. In settings, uncheck mbr check option and leave other settings as they are by default. See if you're able to run the tool. Post back the logs it produces if successful.
 
Hi, that worked. Here is the result. Thanks, Ste.

DDS (Ver_2011-06-22.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.5.0_17
Run by Steven at 8:42:07 on 2011-06-27
#Option MBR scan is disabled.
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.958.563 [GMT 1:00]
.
.
============== Running Processes ================
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Java\jre1.5.0_17\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.aol.co.uk/
uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe"
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.5.0_17\bin\ssv.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [wyfydDIpXfRmt] c:\documents and settings\all users\application data\wyfydDIpXfRmt.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_17\bin\jusched.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0017-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_17\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl-esd.sun.com/update/1.5.0/jinstall-1_5-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{3E940F49-D259-410C-BB9D-8B8330BF452B} : DHCPNameServer = 192.168.1.1
Handler: ipp - <Clsid value has no data>
Handler: msdaipp - <Clsid value has no data>
Notify: AtiExtEvent - Ati2evxx.dll
mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\program files\outlook express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
mASetup: {7790769C-0471-11d2-AF11-00C04FA35D02} - "c:\program files\outlook express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
IFEO: Your Image File Name Here without a path - ntsd -d
.
============= SERVICES / DRIVERS ===============
.
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-20 136176]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-10-30 1691480]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-11-20 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 SaiH0464;SaiH0464;c:\windows\system32\drivers\SaiH0464.sys [2011-4-4 48128]
.
=============== Created Last 30 ================
.
2011-06-27 07:37:56 489786 ------r- C:\dds.exe
2011-06-26 10:45:37 4137147 ------r- C:\whatever.exe.exe
2011-06-24 22:05:22 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-24 21:05:12 -------- d-----w- C:\tdsskiller
2011-06-23 21:46:06 -------- d-sha-r- C:\cmdcons
2011-06-23 21:44:53 -------- d-----w- C:\whatever
2011-06-23 20:56:58 -------- d-----w- C:\fliedaway.exe5322f
2011-06-22 10:27:56 -------- d-----w- C:\## aswSnx private storage
2011-06-22 08:45:52 98816 ----a-w- c:\windows\sed.exe
2011-06-22 08:45:52 256512 ----a-w- c:\windows\PEV.exe
2011-06-22 08:45:52 208896 ----a-w- c:\windows\MBR.exe
2011-06-22 08:36:51 -------- d-----w- c:\windows\pss
2011-06-18 19:00:38 -------- d-----w- c:\documents and settings\steven\application data\DriverCure
2011-06-18 19:00:36 -------- d-----w- c:\documents and settings\steven\application data\ParetoLogic
2011-06-18 18:59:42 -------- d-----w- c:\documents and settings\all users\application data\ParetoLogic
2011-06-16 14:21:10 -------- d-----w- c:\windows\SxsCaPendDel
2011-06-16 14:20:50 -------- d-----w- C:\New Folder
2011-06-09 12:13:47 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-06-09 12:13:47 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2011-06-09 11:16:51 -------- d-----w- c:\windows\system32\LogFiles
2011-06-09 10:14:43 -------- d-----w- c:\documents and settings\steven\application data\Malwarebytes
2011-06-09 10:14:36 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-06-07 11:22:15 -------- d-----w- c:\documents and settings\all users\application data\Alwil Software
2011-06-07 10:42:44 -------- d-----w- c:\documents and settings\all users\application data\STOPzilla!
2011-06-07 10:37:50 -------- d-----w- c:\documents and settings\all users\application data\WinMaximizer
.
==================== Find3M ====================
.
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
============= FINISH: 8:42:37.82 ===============
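The DDS report above lists every Run-key autostart (uRun = HKCU, mRun = HKLM, dRun = HKEY_USERS\.DEFAULT, matching the Reg Loading Points section of the ComboFix log). The Python below is an added triage script, not part of this thread and not code from DDS or ComboFix: it parses the Run lines copied from the DDS report and flags an entry when the executable lives in a user-writable profile directory or when the value name looks machine-generated. The heuristics, thresholds and the user-writable directory list are my own assumptions, not anything DDS computes.

```python
"""Triage autostart ("Run") entries from a DDS / HijackThis-style log.

Added example. Two cheap heuristics that catch the pattern visible in the
DDS log above: an autostart launching out of a user-writable profile
directory, and an autostart whose value name looks machine-generated.
"""
import re

# Sample lines copied from the DDS "Pseudo HJT Report" posted above.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [wyfydDIpXfRmt] c:\documents and settings\all users\application data\wyfydDIpXfRmt.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_17\bin\jusched.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
"""

# uRun / mRun / dRun -> HKCU / HKLM / HKU\.DEFAULT in DDS notation.
RUN_RE = re.compile(r"^(?P<scope>[umd])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

# Directories an unprivileged user (or malware running as that user) can
# write to. Assumed list, matched as substrings of the lower-cased path.
USER_WRITABLE = (
    "\\documents and settings\\",
    "\\application data\\",
    "\\local settings\\",
    "\\temp\\",
    "\\users\\",
)


def exe_path(cmd: str) -> str:
    """Pull the executable path out of a Run value (quoted or bare, with args)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def looks_generated(name: str) -> bool:
    """Value names like 'wyfydDIpXfRmt': long, mixed-case, almost no vowels.

    Thresholds are assumptions tuned so the vendor names in the sample pass.
    """
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 8:
        return False
    vowels = sum(c.lower() in "aeiou" for c in letters)
    case_flips = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    return vowels / len(letters) < 0.15 and case_flips >= 3


def triage(log_text: str) -> list:
    """Return one finding (dict) per Run entry that trips a heuristic."""
    findings = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        name, path = m["name"], exe_path(m["cmd"])
        reasons = []
        if any(d in path.lower() for d in USER_WRITABLE):
            reasons.append("launches from user-writable directory")
        if looks_generated(name):
            reasons.append("machine-generated value name")
        if reasons:
            findings.append({"scope": m["scope"], "name": name, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for fd in triage(SAMPLE_LOG):
        print(f"{fd['scope']}Run [{fd['name']}] {fd['path']}")
        print("    -> " + "; ".join(fd["reasons"]))
```

Run against the sample, the only entry reported is the wyfydDIpXfRmt.exe autostart under All Users\Application Data, on both counts; the vendor entries under Program Files and System32 pass. The same `triage()` works on a full DDS report pasted in whole, since non-Run lines are skipped.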
 
Hi Blade,
I tried the earlier steps; it did not work. I don't have the Windows XP disk, just a Toshiba product recovery disk. Thanks, Ste.
 