Windows XP Recovery, No DDS!

Status
Not open for further replies.
Hijack this!

Ken, I just have an icon for the RSIT, no Hijack This. Maybe I'm confused, long day. However, either send me a link or clue so we can attempt this process. Thanks again, T
 
Go into your Program Files; it should be there.

Or try here
C:\Program Files\trend micro\Tim.exe
 
Hijack this and TFC

I ran both of these applications as requested and did a reboot with the cable modem disconnected. Once back up and running, I attempted a search under a new tab and was redirected once again; scour was still present.
 
HJT log, doing the hitman now.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:49:41 PM, on 6/7/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\Tim.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.app.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [OutpostMonitor] "C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe" /tray /noservice
O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Security Suite Free\feedback.exe" /dump:os_startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon FiOS Installer.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1254591051484
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://onlinedesigner.hgtv.com/images/app/view22rte.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Agnitum Client Security Service (acssrv) - Unknown owner - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe (file missing)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IHA_MessageCenter - Unknown owner - C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O24 - Desktop Component 0: (no name) - http://photos.surfline.com/albums/hawaii/IMG_7941.thumb.jpg

--
End of file - 7461 bytes
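As an added example (not from this thread and not part of HijackThis itself), a small Python parser for lines in the HijackThis format above: it pulls out the referenced binary path and flags the things a helper looks at first, namely entries whose file is gone, O23 services with no publisher recorded, and start/search pages that point somewhere other than Microsoft's defaults. The sample lines are constructed from the log's shape, and the allowlist of default hosts is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample in the shape of a HijackThis v2 log (a subset of line types, not a real log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.app.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: Agnitum Client Security Service (acssrv) - Unknown owner - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe (file missing)
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

# Every HijackThis entry starts with a section code (R0, O2, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d{1,2}) - (?P<body>.+)$")
# First absolute Windows path ending in a binary extension; surrounding quotes are optional.
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|cpl|ocx))\b', re.IGNORECASE)
# Assumed allowlist: hosts that Microsoft's own default start/search entries point at.
DEFAULT_URL_HOSTS = {"go.microsoft.com", "www.msn.com"}


@dataclass
class Entry:
    kind: str
    body: str
    path: Optional[str]
    flags: List[str] = field(default_factory=list)


def extract_path(body: str) -> Optional[str]:
    """Return the first binary path referenced by the entry, or None."""
    m = PATH_RE.search(body)
    return m.group("path") if m else None


def flag_entry(kind: str, body: str) -> List[str]:
    """Heuristics a reviewer applies to each entry; returns human-readable flags."""
    flags: List[str] = []
    lower = body.lower()
    # Dangling entries: the registry still points at a file that no longer exists.
    if "(file missing)" in lower or "(no file)" in lower:
        flags.append("referenced file missing")
    # R0/R1 start, search and default-page URLs: compare the host with the defaults.
    key, _, value = body.partition(" = ")
    if kind in ("R0", "R1") and key.lower().endswith(("page", "_url")):
        host = urlparse(value.strip()).hostname or ""
        if host not in DEFAULT_URL_HOSTS:
            flags.append(f"non-default browser URL host: {host}")
    # O23 services whose binary carries no publisher name.
    if kind == "O23" and "unknown owner" in lower:
        flags.append("service has no recorded publisher")
    return flags


def parse_hjt(text: str) -> List[Entry]:
    """Parse every section entry; header, process list and footer lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        entries.append(Entry(kind, body, extract_path(body), flag_entry(kind, body)))
    return entries


def flagged(entries: List[Entry]) -> List[Entry]:
    """Only the entries that earned at least one flag."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in flagged(parse_hjt(SAMPLE_LOG)):
        print(e.kind, e.path or "-", "; ".join(e.flags))
```

A flag is a prompt to look, not a verdict: the Start Page entry above is flagged only because it is not a Microsoft default, and the dangling Agnitum service simply reflects an uninstalled product.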
 
Hitman

I ran the Hitman and then did a search under a new tab; once again I was redirected to scour. It's the devil!!!
 
I know this may be a project for you, but do you have access to another computer that you could borrow from a friend? A laptop would be ideal. Plug it into your cable modem and see if you get redirected on that one. We're thinking it may be the cable modem that is directing you; we have seen this before recently, not just with scour but other sites as well. If the borrowed computer gets redirected also, then you will need to have the cable company come out and reset the thing back to factory defaults.

In the meantime I will still be looking for an answer for this; there is one somewhere.


Let's try SuperAntiSpyware

Please download SuperAntiSpyware Free
Install the program
  • Run SuperAntiSpyware and click: Check for updates
  • Once the update is finished, on the main screen, click: Scan your computer
  • Check: Perform Complete Scan
  • Click Next to start the scan.
Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next <-- Important
Then, click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
  • Click: Preferences
  • Click the Statistics/Logs tab
  • Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)

Please provide the SuperAntiSpyware log in your next reply
 
When you get a chance check this file please

You need to enable Windows to show all files and folders; instructions here.

Go to VirusTotal and submit this file for analysis; just use the browse feature and then Send File. You will get a report back; post the report into this thread for me to see. If the site says this file has been checked before, have them check it again.

C:\Windows\System32\drivers\VolSnap.sys

If the site is busy you can try this one
http://virusscan.jotti.org/en
 
Finding Time!

Ken, busy with work, having difficulty finding time to catch up! I will be performing these tasks over the next couple of days. Thanks for all your help. T
 
SUPER AntiSpyware Log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/10/2011 at 12:21 PM

Application Version : 4.53.1000

Core Rules Database Version : 7245
Trace Rules Database Version: 5057

Scan type : Complete Scan
Total Scan Time : 01:16:41

Memory items scanned : 295
Memory threats detected : 0
Registry items scanned : 8648
Registry threats detected : 0
File items scanned : 27676
File threats detected : 28

Adware.Tracking Cookie
C:\Documents and Settings\Tim\Cookies\tim@casalemedia[1].txt
C:\Documents and Settings\Tim\Cookies\tim@imrworldwide[2].txt
C:\Documents and Settings\Tim\Cookies\tim@atdmt[1].txt
C:\Documents and Settings\Tim\Cookies\tim@dc.tremormedia[2].txt
C:\Documents and Settings\Tim\Cookies\tim@media6degrees[2].txt
C:\Documents and Settings\Tim\Cookies\tim@revsci[2].txt
C:\Documents and Settings\Tim\Cookies\tim@ad.yieldmanager[2].txt
C:\Documents and Settings\Tim\Cookies\tim@serving-sys[1].txt
C:\Documents and Settings\Tim\Cookies\tim@doubleclick[1].txt
C:\Documents and Settings\Tim\Cookies\tim@network.realmedia[1].txt
C:\Documents and Settings\Tim\Cookies\tim@yieldmanager[1].txt
C:\Documents and Settings\Tim\Cookies\tim@adbrite[1].txt
C:\Documents and Settings\Tim\Cookies\tim@pointroll[1].txt
C:\Documents and Settings\Tim\Cookies\tim@ads.pointroll[2].txt
C:\Documents and Settings\Tim\Cookies\tim@questionmarket[1].txt
C:\Documents and Settings\Tim\Cookies\tim@tribalfusion[1].txt
C:\Documents and Settings\Tim\Cookies\tim@2o7[2].txt
C:\Documents and Settings\Tim\Cookies\tim@ru4[1].txt
C:\Documents and Settings\Tim\Cookies\tim@realmedia[2].txt
C:\Documents and Settings\Tim\Cookies\tim@invitemedia[1].txt
C:\Documents and Settings\Tim\Cookies\tim@ad.wsod[2].txt
C:\Documents and Settings\Tim\Cookies\tim@ads.watchmygf[2].txt
C:\Documents and Settings\Tim\Cookies\tim@ads.basal[1].txt
C:\Documents and Settings\Tim\Cookies\tim@ads.bighealthtree[2].txt
C:\Documents and Settings\Tim\Cookies\tim@collective-media[2].txt
C:\Documents and Settings\Tim\Cookies\tim@revsci[1].txt
C:\Documents and Settings\Tim\Cookies\tim@sextube[1].txt
C:\Documents and Settings\Tim\Cookies\tim@www.sextube[2].txt
 
Virus Total

File already submitted: The file sent has already been analysed by VirusTotal in the past. This is same basic info regarding the sample itself and its last analysis:

MD5: 4c8fcb5cc53aab716d810740fe59d025
Date first seen: 2009-03-07 01:14:18 (UTC)
Date last seen: 2011-06-09 11:13:19 (UTC)
Detection ratio: 0/42
_________________________________________________________________

Antivirus Version Last update Result
AhnLab-V3 2011.06.12.00 2011.06.11 -
AntiVir 7.11.9.159 2011.06.11 -
Antiy-AVL 2.0.3.7 2011.06.11 -
Avast 4.8.1351.0 2011.06.11 -
Avast5 5.0.677.0 2011.06.11 -
AVG 10.0.0.1190 2011.06.11 -
BitDefender 7.2 2011.06.11 -
CAT-QuickHeal 11.00 2011.06.11 -
ClamAV 0.97.0.0 2011.06.10 -
Commtouch 5.3.2.6 2011.06.11 -
Comodo 9029 2011.06.11 -
DrWeb 5.0.2.03300 2011.06.11 -
eSafe 7.0.17.0 2011.06.09 -
eTrust-Vet 36.1.8380 2011.06.10 -
F-Prot 4.6.2.117 2011.06.10 -
F-Secure 9.0.16440.0 2011.06.11 -
Fortinet 4.2.257.0 2011.06.11 -
GData 22 2011.06.11 -
Ikarus T3.1.1.104.0 2011.06.11 -
Jiangmin 13.0.900 2011.06.11 -
K7AntiVirus 9.106.4798 2011.06.10 -
Kaspersky 9.0.0.837 2011.06.11 -
McAfee 5.400.0.1158 2011.06.11 -
McAfee-GW-Edition 2010.1D 2011.06.11 -
Microsoft 1.6903 2011.06.11 -
NOD32 6198 2011.06.11 -
Norman 6.07.10 2011.06.10 -
nProtect 2011-06-11.01 2011.06.11 -
Panda 10.0.3.5 2011.06.11 -
PCTools 7.0.3.5 2011.06.10 -
Prevx 3.0 2011.06.11 -
Rising 23.61.04.07 2011.06.10 -
Sophos 4.66.0 2011.06.11 -
SUPERAntiSpyware 4.40.0.1006 2011.06.11 -
Symantec 20111.1.0.186 2011.06.11 -
TheHacker 6.7.0.1.228 2011.06.11 -
TrendMicro 9.200.0.1012 2011.06.11 -
TrendMicro-HouseCall 9.200.0.1012 2011.06.11 -
VBA32 3.12.16.1 2011.06.10 -
VIPRE 9551 2011.06.11 -
ViRobot 2011.6.11.4507 2011.06.11 -
VirusBuster 14.0.76.0 2011.06.11 -
MD5: 4c8fcb5cc53aab716d810740fe59d025
SHA1: da4e0035c58c0edb422eace57b35c90027e15f59
SHA256: 010eac43dbed700b73e4fc908faaf9f6a0168ebbd5d86751e49bc33aaa18bfa4
File size: 52352 bytes
Scan date: 2011-06-11 15:38:21 (UTC)
 
Hello Tim.

I had you check that file because if it is corrupted or infected it will prevent TDSSKiller from running, but it looks like it's ok.

All SAS removed were tracking cookies.


The reason I wanted you to try to hook up another computer to your cable modem was to detect if it's infected, but I don't know if you did that yet.

Drag ComboFix to the trash, let's grab a fresh, updated copy, run it please, and post the log.
 
Combo Fix Log

ComboFix 11-06-11.01 - Tim 06/12/2011 12:51:19.7.1 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.150 [GMT -4:00]
Running from: C:\Documents and Settings\Tim\Desktop\ComboFix.exe
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Outpost Security Suite *Disabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}


((((((((((((((((((((((((( Files Created from 2011-05-12 to 2011-06-12 )))))))))))))))))))))))))))))))


2011-06-08 11:01:15 . 2011-06-08 11:01:15 -------- d-----w- C:\Documents and Settings\Tim\Application Data\SUPERAntiSpyware.com
2011-06-08 11:01:15 . 2011-06-08 11:01:15 -------- d-----w- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2011-06-08 11:00:41 . 2011-06-10 14:37:47 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2011-06-07 23:58:26 . 2011-06-07 23:58:26 17480 ----a-w- C:\WINDOWS\system32\drivers\hitmanpro35.sys
2011-06-07 23:57:07 . 2011-06-07 23:57:43 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Hitman Pro
2011-06-07 11:44:52 . 2011-06-07 11:45:39 -------- d-----w- C:\rsit
2011-06-06 16:39:19 . 2011-06-06 16:39:19 -------- d-----w- C:\_OTL
2011-06-03 19:06:40 . 2011-06-03 19:06:40 260 ----a-w- C:\WINDOWS\system32\cmdVBS.vbs
2011-06-03 19:06:40 . 2011-06-03 19:06:40 256 ----a-w- C:\WINDOWS\system32\MSIevent.bat
2011-06-03 18:58:20 . 2011-06-03 18:58:21 65536 ----a-r- C:\Documents and Settings\Tim\Application Data\Microsoft\Installer\{730EF0E8-8B8E-4054-B2CE-5D4BA3BCE510}\NewShortcut1_011BB310849E4442B8017718F2C57FE0.exe
2011-06-03 18:58:20 . 2011-06-03 18:58:20 65536 ----a-r- C:\Documents and Settings\Tim\Application Data\Microsoft\Installer\{730EF0E8-8B8E-4054-B2CE-5D4BA3BCE510}\NewShortcut1_9E64A938C044442B9C8C104AA62BD820.exe
2011-06-03 18:58:20 . 2011-06-03 18:58:20 65536 ----a-r- C:\Documents and Settings\Tim\Application Data\Microsoft\Installer\{730EF0E8-8B8E-4054-B2CE-5D4BA3BCE510}\ARPPRODUCTICON.exe
2011-06-03 18:57:22 . 2011-06-03 19:06:46 -------- d-----w- C:\Program Files\Verizon
2011-06-03 00:44:27 . 2011-06-03 00:44:27 -------- d-----w- C:\WINDOWS\system32\wbem\Repository
2011-06-02 22:48:58 . 2011-06-02 22:48:58 -------- d-----w- C:\Program Files\ESET
2011-05-29 15:35:27 . 2011-06-03 00:41:39 -------- d-----w- C:\Program Files\ERUNT
2011-05-14 17:01:39 . 2011-05-14 17:01:40 404640 ----a-w- C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-03-16 21:13:24 . 2011-01-03 21:44:08 137656 ----a-w- C:\WINDOWS\system32\drivers\avipbb.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Outpost]
@="{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"
[HKEY_CLASSES_ROOT\CLSID\{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}]
C:\Program Files\Agnitum\Outpost Security Suite Free\op_shell.dll [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 08:40:32 218032]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-05-23 15:00:06 2424192]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 13:39:54 281768]
"OutpostMonitor"="C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe" [BU]
"OutpostFeedBack"="C:\Program Files\Agnitum\Outpost Security Suite Free\feedback.exe" [BU]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2009-05-26 21:18:30 413696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 17:13:36 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21:41 548352 ----a-w- C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=C:\WINDOWS\pss\Desktop Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-10-07 15:10:04 932288 ----a-w- C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-24 09:15:10 40368 ----a-w- C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2009-07-06 18:30:16 195072 ----a-w- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12:16 15360 ----a-w- C:\WINDOWS\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-03-15 06:04:00 122933 ----a-w- C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-02-19 07:41:10 49152 ----a-w- C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-09-20 13:32:24 77824 ----a-w- C:\WINDOWS\SYSTEM32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-09-20 13:36:20 114688 ----a-w- C:\WINDOWS\SYSTEM32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-09-20 13:35:40 94208 ----a-w- C:\WINDOWS\SYSTEM32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
2003-09-04 01:12:44 221184 ----a-w- C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-07-13 18:03:10 292128 ----a-w- C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12:28 1695232 ----a-w- C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nikon Transfer Monitor]
2009-09-15 23:47:36 479232 ----a-w- C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
C:\Program Files\Dell\Media Experience\PCMService.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18:30 413696 ----a-w- C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2007-08-16 12:56:14 236016 ----a-w- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44:46 248552 ----a-w- C:\Program Files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2003-08-19 06:01:00 110592 ----a-w- C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Dell Computer\\Dell Picture Studio v2.0\\launch.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"=
"C:\\Program Files\\Roxio\\Digital Home 9\\RoxioUPnPRenderer9.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"50000:UDP"= 50000:UDP:IHA_MessageCenter

R1 SandBox;SandBox;C:\WINDOWS\system32\drivers\SandBox.sys [2010-11-26 15:52:28 710696]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 18:25:48 12872]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 18:41:30 67656]
R2 acssrv;Agnitum Client Security Service;C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe [x]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files\Avira\AntiVir Desktop\sched.exe [2011-04-27 12:25:27 136360]
R2 IHA_MessageCenter;IHA_MessageCenter;C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [2011-05-24 20:02:04 143360]
R2 mrtRate;mrtRate; [x]
R3 afw;Agnitum firewall driver;C:\WINDOWS\system32\DRIVERS\afw.sys [2010-04-20 20:05:16 34280]
R3 afwcore;afwcore;C:\WINDOWS\system32\drivers\afwcore.sys [2010-09-27 20:40:28 267624]
R3 ASWFilt;ASWFilt;C:\WINDOWS\system32\Filt\ASWFilt.dll [2010-11-26 15:51:16 72352]
R3 FlyUsb;FLY Fusion;C:\WINDOWS\system32\DRIVERS\FlyUsb.sys [2009-11-10 14:27:06 18560]
R3 nosGetPlusHelper;getPlus(R) Helper 3004;C:\WINDOWS\System32\svchost.exe [2008-04-14 00:12:36 14336]
R3 VBEngNT;VBEngNT;C:\WINDOWS\system32\drivers\VBEngNT.sys [2010-06-09 13:44:20 241088]
R3 VBFilt;VBFilt;C:\WINDOWS\system32\Filt\VBFilt.dll [2010-11-26 15:51:22 36288]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper


------- Supplementary Scan -------

uStart Page = hxxp://www.app.com/
mStart Page = hxxp://www.msn.com
uInternet Settings,ProxyOverride = localhost
TCP: DhcpNameServer = 192.168.1.1 71.250.0.12
 
Hello Tim,

Just wanted to let you know that I will be away and offline from this evening until the end of the month, but this thread will still be open; another helper will step in and help you.

CF log looks ok. Still being redirected to Scour?

It's most likely where we haven't looked; it may be in your Add/Remove Programs in the Control Panel.

ProgramFiles%\scourtoolbar\uninstall.exe<--
 
Hi. :)

I will be assisting your good self from this point onwards...

Please answer my colleague's last query (post #75) and we will go from there, thank you.
 
Due to the lack of feedback this Topic is closed.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh set of DDS logs and a link to your previous thread.

If it has been less than three days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.
 