vjmure
Members-
Posts
19 -
Joined
-
Last visited
Reputation
0 Neutral-
Rootkit infection (google redirect)
vjmure replied to vjmure's topic in Resolved Malware Removal Logs
Final question; the defogger did not ask me to reboot (it didn't when i disabled either). Should i reboot? Any concerns there? -
Rootkit infection (google redirect)
vjmure replied to vjmure's topic in Resolved Malware Removal Logs
Thank you very much! A couple questions; did i have a TDL3 rootkit? My understanding is it usually attaches to atapi.sys or print spool; i don't recall touching those (or did the combo fix go after that). Also, one of the combo fix script commands had what looked like files related to CA Antivirus; should i be concerned there? Again, thanks a ton. I'd like to make a donation, but i don't have paypal; any other methods? Thanks V -
Rootkit infection (google redirect)
vjmure replied to vjmure's topic in Resolved Malware Removal Logs
ESET Log.... ESETSmartInstaller@High as CAB hook log: OnlineScanner.ocx - registred OK # version=7 # IEXPLORE.EXE=7.00.6000.17023 (vista_gdr.100222-0012) # OnlineScanner.ocx=1.0.0.6211 # api_version=3.0.2 # EOSSerial=9ca1ae75e3c8bd47b978bc711879a4f6 # end=finished # remove_checked=true # archives_checked=true # unwanted_checked=true # unsafe_checked=true # antistealth_checked=true # utc_time=2010-05-15 04:33:32 # local_time=2010-05-15 12:33:32 (-0500, Eastern Daylight Time) # country="United States" # lang=1033 # osver=5.1.2600 NT Service Pack 3 # compatibility_mode=512 16777215 100 0 0 0 0 0 # compatibility_mode=4866 16775141 100 100 0 76229105 0 0 # compatibility_mode=6143 16777215 0 0 0 0 0 0 # compatibility_mode=8192 67108863 100 0 0 0 0 0 # scanned=135028 # found=0 # cleaned=0 # scan_time=10853 -
Rootkit infection (google redirect)
vjmure replied to vjmure's topic in Resolved Malware Removal Logs
Other than the ip thing; they seem OK..... But i'm not doing much. Should i try other things? Does it look clean? Are we actually good? -
Rootkit infection (google redirect)
vjmure replied to vjmure's topic in Resolved Malware Removal Logs
Something odd that i noticed; maybe nothing..... I launched IE, my home page is now "bing" (instead of the google). IE hung a moment and i saw at the bottome; waiting for connection 96.6.44.50. Did a search for that IP address and found nothing. Did a tracert from CMD, after a few bounces it landed on: akamaitechnologies.com..... Not sure why ie would try to connect to it; seems like a legit company. Maybe there is some sort of subdomain of the bing .com page... Not sure; just figured i'd point that out. -
Rootkit infection (google redirect)
vjmure replied to vjmure's topic in Resolved Malware Removal Logs
Thanks again. I ran combo fix. I did disable the Spyware Doctor for 30 min, but it wasn't enough time (my bad). It came up during the combo fix run. There were a couple popup errors, but it seemed to continue and run its course. Hopefully not a problem (?). Errors Were: - Pev.exe application error, Instruction at "0x0050005c" referenced memory at "0x0050005c" which could not be read. - C:\Combo-fix\catchme.cfxxe is not a valid win32 application - After reboot, ATTRIB {something} ; this one went away while i was trying to write it down. But it did finish..... ComboFix 10-05-14.06 - vjmure 05/15/2010 6:44.5.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.441 [GMT -4:00] Running from: c:\documents and settings\vjmure\Desktop\Combo-Fix.exe Command switches used :: c:\documents and settings\vjmure\Desktop\CFScript.txt AV: CA Anti-Virus *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93} . ((((((((((((((((((((((((( Files Created from 2010-04-15 to 2010-05-15 ))))))))))))))))))))))))))))))) . 2010-05-14 10:53 . 2010-05-14 10:53 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Threat Expert 2010-05-09 04:05 . 2010-05-09 04:05 -------- d-----w- c:\program files\Trend Micro 2010-05-09 02:17 . 2010-05-14 21:40 -------- d-----w- C:\RotInHell 2010-05-08 13:57 . 2010-05-10 13:04 -------- d-----w- c:\program files\ESET 2010-05-08 13:54 . 2010-05-08 13:54 -------- d-----w- c:\program files\Common Files\Java 2010-05-08 13:54 . 2010-05-08 13:54 503808 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-75de4ac1-n\msvcp71.dll 2010-05-08 13:54 . 2010-05-08 13:54 499712 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-75de4ac1-n\jmc.dll 2010-05-08 13:54 . 2010-05-08 13:54 348160 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-75de4ac1-n\msvcr71.dll 2010-05-08 13:54 . 2010-05-08 13:54 61440 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-51c1f113-n\decora-sse.dll 2010-05-08 13:54 . 2010-05-08 13:54 12800 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-51c1f113-n\decora-d3d.dll 2010-05-08 13:53 . 2010-05-08 13:53 411368 ----a-w- c:\windows\system32\deployJava1.dll 2010-05-08 13:04 . 2008-04-14 05:27 14336 -c--a-w- c:\windows\system32\dllcache\asyncmac.sys 2010-05-08 13:04 . 2008-04-14 05:27 14336 ----a-w- c:\windows\system32\drivers\asyncmac.sys 2010-05-08 02:10 . 2010-05-08 02:10 -------- d-----w- c:\documents and settings\Test\Application Data\Malwarebytes 2010-05-06 01:18 . 2010-05-06 01:18 -------- d-----w- c:\documents and settings\vjmure\Local Settings\Application Data\Downloaded Installations 2010-04-29 01:17 . 2010-04-29 01:17 -------- d-----w- c:\documents and settings\vjmure\Local Settings\Application Data\Threat Expert 2010-04-29 00:54 . 2010-04-29 00:54 -------- d-----w- c:\documents and settings\Test\Local Settings\Application Data\Threat Expert 2010-04-29 00:45 . 2010-01-22 13:55 767952 ----a-w- c:\windows\BDTSupport.dll 2010-04-29 00:45 . 2010-01-22 13:56 149456 ----a-w- c:\windows\SGDetectionTool.dll 2010-04-29 00:45 . 2009-10-28 05:36 1152444 ----a-w- c:\windows\UDB.zip 2010-04-29 00:45 . 2008-11-26 16:08 131 ----a-w- c:\windows\IDB.zip 2010-04-29 00:45 . 2010-01-22 13:56 165840 ----a-w- c:\windows\PCTBDRes.dll 2010-04-29 00:45 . 2010-01-22 13:56 1652688 ----a-w- c:\windows\PCTBDCore.dll 2010-04-29 00:43 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys 2010-04-29 00:42 . 2010-03-29 14:06 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys 2010-04-29 00:42 . 2009-11-23 17:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys 2010-04-29 00:42 . 2010-04-08 18:29 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys 2010-04-29 00:42 . 2010-04-29 00:45 -------- d-----w- c:\program files\Common Files\PC Tools 2010-04-29 00:42 . 2010-05-15 11:02 -------- d-----w- c:\program files\Spyware Doctor 2010-04-29 00:42 . 2010-04-29 00:42 -------- d-----w- c:\documents and settings\Test\Application Data\PC Tools 2010-04-29 00:42 . 2010-04-29 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools 2010-04-28 00:45 . 2010-04-28 00:45 -------- d-----w- c:\documents and settings\user\Application Data\Lavasoft 2010-04-27 10:49 . 2008-04-14 04:10 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys 2010-04-27 10:49 . 2008-04-14 04:10 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys 2010-04-27 10:49 . 2008-04-14 04:11 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys 2010-04-27 10:49 . 2008-04-14 04:11 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys 2010-04-27 10:48 . 2008-04-14 04:11 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys 2010-04-27 10:48 . 2008-04-14 04:11 8192 ----a-w- c:\windows\system32\drivers\changer.sys 2010-04-27 10:46 . 2008-04-14 05:21 59904 -c--a-w- c:\windows\system32\dllcache\atmarpc.sys 2010-04-27 10:46 . 2008-04-14 05:21 59904 ----a-w- c:\windows\system32\drivers\atmarpc.sys 2010-04-27 10:43 . 2010-04-27 10:43 93184 --sha-r- c:\windows\system32\oledlga.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-05-15 11:04 . 2007-02-14 16:38 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP 2010-05-15 10:44 . 2006-12-31 18:01 -------- d-----w- c:\program files\Windows Defender 2010-05-15 10:44 . 2009-12-25 01:31 -------- d-----w- c:\program files\Microsoft LifeCam 2010-05-15 10:44 . 2009-09-09 21:08 -------- d-----w- c:\program files\QuickTime 2010-05-11 10:10 . 2005-10-03 18:39 -------- d-----w- c:\program files\MSN Games 2010-05-11 10:09 . 2005-05-24 03:47 -------- d-----w- c:\program files\iWin.com 2010-05-08 13:53 . 2006-08-25 01:49 -------- d-----w- c:\program files\Java 2010-05-08 12:21 . 2009-12-25 01:42 -------- d-----w- c:\documents and settings\vjmure\Application Data\Skype 2010-05-08 12:16 . 2004-10-06 12:01 96512 ----a-w- c:\windows\system32\drivers\atapi.sys 2010-05-08 12:01 . 2009-12-25 01:44 -------- d-----w- c:\documents and settings\vjmure\Application Data\skypePM 2010-05-06 14:36 . 2009-10-03 06:24 221568 ------w- c:\windows\system32\MpSigStub.exe 2010-05-06 01:53 . 2008-11-09 22:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-05-06 01:41 . 2009-09-16 02:10 -------- d-----w- c:\documents and settings\vjmure\Application Data\Move Networks 2010-04-29 19:39 . 2008-11-09 22:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-04-29 19:39 . 2008-11-09 22:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-04-29 01:01 . 2005-06-26 17:27 -------- d-----w- c:\documents and settings\vjmure\Application Data\Lavasoft 2010-04-28 01:00 . 2007-04-12 14:17 66368 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2010-04-21 15:59 . 2009-04-06 23:35 204 ----a-w- c:\windows\popcinfot.dat 2010-03-29 19:59 . 2010-03-28 14:45 -------- d-----w- c:\documents and settings\vjmure\Application Data\PopCapv1006 2010-03-26 13:28 . 2010-03-26 13:28 -------- d-----w- c:\documents and settings\vjmure\Application Data\PopCapv1003 2010-03-11 12:38 . 2004-10-06 12:01 832512 ----a-w- c:\windows\system32\wininet.dll 2010-03-11 12:38 . 2004-10-06 12:01 78336 ----a-w- c:\windows\system32\ieencode.dll 2010-03-11 12:38 . 2004-10-06 12:01 17408 ----a-w- c:\windows\system32\corpol.dll 2010-03-09 11:09 . 2004-10-06 12:01 430080 ----a-w- c:\windows\system32\vbscript.dll 2010-02-24 13:11 . 2004-10-06 12:01 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2010-02-16 14:08 . 2004-10-06 12:01 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe 2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe 2005-06-07 23:47 . 2005-06-07 23:47 774144 ----a-w- c:\program files\RngInterstitial.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CAVRID"="c:\program files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe" [2009-11-28 271600] "cctray"="c:\program files\CA\CA Internet Security Suite\casc.exe" [2009-11-11 374000] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-29 8466432] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-29 81920] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Spyware Doctor.lnk - c:\program files\Spyware Doctor\pctsGui.exe [2010-4-28 3101648] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW] 2009-03-27 20:27 79368 ----a-w- c:\windows\system32\UmxWNP.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"= "c:\\WINDOWS\\system32\\dpnsvr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"= "c:\\WINDOWS\\system32\\sessmgr.exe"= "c:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"= "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"= "c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"= "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iWin Games\\iWinGames.exe"= "c:\\Program Files\\iWin Games\\WebUpdater.exe"= "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [6/8/2009 11:02 AM 108024] R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [4/28/2010 8:42 PM 218592] R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [4/1/2009 10:45 AM 73720] R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [4/28/2010 8:45 PM 112592] R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\CA\CA Internet Security Suite\ccschedulersvc.exe [9/11/2009 7:49 PM 128240] R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [4/1/2009 10:45 AM 875000] R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [6/15/2009 11:32 AM 760664] R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [4/1/2009 10:45 AM 207352] R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592] R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [4/1/2009 10:45 AM 205304] S2 KillTheHooker;KillTheHooker;\??\c:\docume~1\vjmure\LOCALS~1\Temp\Temporary Directory 1 for TDL3%20Razor[1].zip\TDL3 Razor\TizerBruteForceEx.sys --> c:\docume~1\vjmure\LOCALS~1\Temp\Temporary Directory 1 for TDL3%20Razor[1].zip\TDL3 Razor\TizerBruteForceEx.sys [?] S3 3dfxvs;3dfxvs;c:\windows\system32\drivers\3dfxvsm.sys [7/20/2008 11:32 AM 148352] S3 memchek;memchek;\??\c:\windows\system32\memchek.sys --> c:\windows\system32\memchek.sys [?] S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [4/28/2010 8:42 PM 366840] S4 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [6/4/2009 12:11 PM 78104] --- Other Services/Drivers In Memory --- *Deregistered* - PCTSDInjDriver32 [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc . Contents of the 'Scheduled Tasks' folder 2010-05-15 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.bing.com/ mStart Page = hxxp://www.google.com uInternet Connection Wizard,ShellNext = iexplore IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 LSP: c:\windows\system32\VetRedir.dll Trusted Zone: aetna.com\xtranet Trusted Zone: aetna.com\xtranet6 Trusted Zone: aetna.com\xtranetx Trusted Zone: ameritrade.com\research Trusted Zone: ameritrade.com\wwws Trusted Zone: cnn.com\politicalticker.blogs Trusted Zone: cnn.com\sportsillustrated Trusted Zone: cnn.com\www Trusted Zone: equifax.com\www.econsumer Trusted Zone: facebook.com\apps Trusted Zone: facebook.com\www Trusted Zone: fannation.com\www Trusted Zone: garmin.com\www8 Trusted Zone: nawsrc.org\www Trusted Zone: tdameritrade.com\www Trusted Zone: toysrus.com\www Trusted Zone: usana.com\www Trusted Zone: weather.com\www Trusted Zone: youtube.com\www DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-05-15 07:03 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** "ImagePath"="\??\c:\docume~1\vjmure\LOCALS~1\Temp\Temporary Directory 1 for TDL3%20Razor [1].zip\TDL3 Razor\TizerBruteForceEx.sys" [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\KillTheHooker] "ImagePath"="\??\c:\docume~1\vjmure\LOCALS~1\Temp\Temporary Directory 1 for TDL3%20Razor . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(1628) c:\windows\system32\UmxWnp.Dll - - - - - - - > 'lsass.exe'(1832) c:\windows\system32\VetRedir.dll c:\windows\system32\ISafeIf.dll - - - - - - - > 'explorer.exe'(3948) c:\windows\system32\WININET.dll c:\program files\Spyware Doctor\pctgmhk.dll c:\windows\system32\ieframe.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\program files\Microsoft LifeCam\MSCamS32.exe c:\windows\system32\nvsvc32.exe c:\program files\Analog Devices\SoundMAX\SMAgent.exe c:\program files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe c:\windows\system32\RUNDLL32.EXE c:\program files\CA\CA Internet Security Suite\ccprovsp.exe . ************************************************************************** . Completion time: 2010-05-15 07:10:30 - machine was rebooted ComboFix-quarantined-files.txt 2010-05-15 11:10 ComboFix2.txt 2010-05-14 21:35 ComboFix3.txt 2010-05-13 10:25 ComboFix4.txt 2010-05-08 13:39 Pre-Run: 44,429,148,160 bytes free Post-Run: 44,577,538,048 bytes free - - End Of File - - 694E78CE25B4148CE8DFC3A9A17571A2 -
Rootkit infection (google redirect)
vjmure replied to vjmure's topic in Resolved Malware Removal Logs
Thanks again! Does that mean i am clean? V -
Rootkit infection (google redirect)
vjmure replied to vjmure's topic in Resolved Malware Removal Logs
OK, i am trying to C/P the results, but it keeps coming back with a 501 error. So i took screen shots (attached). I hope that works..... -
Rootkit infection (google redirect)
vjmure replied to vjmure's topic in Resolved Malware Removal Logs
You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished. Email: Antivirus Version Last Update Result a-squared 4.5.0.50 2010.05.10 - AhnLab-V3 2010.05.15.00 2010.05.14 - AntiVir 8.2.1.242 2010.05.14 - Antiy-AVL 2.0.3.7 2010.05.14 - Authentium 5.2.0.5 2010.05.14 - Avast 4.8.1351.0 2010.05.14 - Avast5 5.0.332.0 2010.05.14 - AVG 9.0.0.787 2010.05.14 - BitDefender 7.2 2010.05.14 - CAT-QuickHeal 10.00 2010.05.14 - ClamAV 0.96.0.3-git 2010.05.14 - Comodo 4841 2010.05.14 - DrWeb 5.0.2.03300 2010.05.14 - eSafe 7.0.17.0 2010.05.13 - eTrust-Vet 35.2.7488 2010.05.14 - F-Prot 4.5.1.85 2010.05.14 - F-Secure 9.0.15370.0 2010.05.14 - Fortinet 4.1.133.0 2010.05.14 - GData 21 2010.05.14 - Ikarus T3.1.1.84.0 2010.05.14 - Jiangmin 13.0.900 2010.05.14 - Kaspersky 7.0.0.125 2010.05.14 - McAfee 5.400.0.1158 2010.05.14 - McAfee-GW-Edition 2010.1 2010.05.14 - Microsoft 1.5703 2010.05.14 - NOD32 5115 2010.05.14 - Norman 6.04.12 2010.05.14 - nProtect 2010-05-14.01 2010.05.14 - Panda 10.0.2.7 2010.05.14 - PCTools 7.0.3.5 2010.05.14 Application.NirCmd Prevx 3.0 2010.05.14 - Rising 22.47.04.03 2010.05.14 - Sophos 4.53.0 2010.05.14 - Sunbelt 6303 2010.05.14 - Symantec 20101.1.0.89 2010.05.14 - TheHacker 6.5.2.0.280 2010.05.14 - TrendMicro 9.120.0.1004 2010.05.14 - TrendMicro-HouseCall 9.120.0.1004 2010.05.14 - VBA32 3.12.12.5 2010.05.14 - ViRobot 2010.5.14.2316 2010.05.14 - VirusBuster 5.0.27.0 2010.05.14 - -
Rootkit infection (google redirect)
vjmure replied to vjmure's topic in Resolved Malware Removal Logs
Test -
Rootkit infection (google redirect)
vjmure replied to vjmure's topic in Resolved Malware Removal Logs
Script results below. Also, i did have PC Tools "fix" its findings as it has since found an .exe. Screenshot attached. ComboFix 10-05-14.06 - vjmure 05/14/2010 17:16:32.4.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.442 [GMT -4:00] Running from: c:\documents and settings\vjmure\Desktop\Combo-Fix.exe Command switches used :: c:\documents and settings\vjmure\Desktop\CFScript.txt AV: CA Anti-Virus *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93} file zipped: c:\windows\system32\oledlga.dll . ((((((((((((((((((((((((( Files Created from 2010-04-14 to 2010-05-14 ))))))))))))))))))))))))))))))) . 2010-05-14 10:53 . 2010-05-14 10:53 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Threat Expert 2010-05-09 04:05 . 2010-05-09 04:05 -------- d-----w- c:\program files\Trend Micro 2010-05-09 02:17 . 2010-05-09 02:17 -------- d-----w- C:\RotInHell 2010-05-08 13:57 . 2010-05-10 13:04 -------- d-----w- c:\program files\ESET 2010-05-08 13:54 . 2010-05-08 13:54 -------- d-----w- c:\program files\Common Files\Java 2010-05-08 13:53 . 2010-05-08 13:53 411368 ----a-w- c:\windows\system32\deployJava1.dll 2010-05-08 13:04 . 2008-04-14 05:27 14336 -c--a-w- c:\windows\system32\dllcache\asyncmac.sys 2010-05-08 13:04 . 2008-04-14 05:27 14336 ----a-w- c:\windows\system32\drivers\asyncmac.sys 2010-05-08 02:10 . 2010-05-08 02:10 -------- d-----w- c:\documents and settings\Test\Application Data\Malwarebytes 2010-05-06 01:18 . 2010-05-06 01:18 -------- d-----w- c:\documents and settings\vjmure\Local Settings\Application Data\Downloaded Installations 2010-04-29 01:17 . 2010-04-29 01:17 -------- d-----w- c:\documents and settings\vjmure\Local Settings\Application Data\Threat Expert 2010-04-29 00:54 . 2010-04-29 00:54 -------- d-----w- c:\documents and settings\Test\Local Settings\Application Data\Threat Expert 2010-04-29 00:45 . 2010-01-22 13:55 767952 ----a-w- c:\windows\BDTSupport.dll 2010-04-29 00:45 . 2010-01-22 13:56 149456 ----a-w- c:\windows\SGDetectionTool.dll 2010-04-29 00:45 . 2009-10-28 05:36 1152444 ----a-w- c:\windows\UDB.zip 2010-04-29 00:45 . 2008-11-26 16:08 131 ----a-w- c:\windows\IDB.zip 2010-04-29 00:45 . 2010-01-22 13:56 165840 ----a-w- c:\windows\PCTBDRes.dll 2010-04-29 00:45 . 2010-01-22 13:56 1652688 ----a-w- c:\windows\PCTBDCore.dll 2010-04-29 00:43 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys 2010-04-29 00:42 . 2010-03-29 14:06 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys 2010-04-29 00:42 . 2009-11-23 17:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys 2010-04-29 00:42 . 2010-04-08 18:29 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys 2010-04-29 00:42 . 2010-04-29 00:45 -------- d-----w- c:\program files\Common Files\PC Tools 2010-04-29 00:42 . 2010-05-14 21:08 -------- d-----w- c:\program files\Spyware Doctor 2010-04-29 00:42 . 2010-04-29 00:42 -------- d-----w- c:\documents and settings\Test\Application Data\PC Tools 2010-04-29 00:42 . 2010-04-29 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools 2010-04-28 00:45 . 2010-04-28 00:45 -------- d-----w- c:\documents and settings\user\Application Data\Lavasoft 2010-04-27 10:49 . 2008-04-14 04:10 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys 2010-04-27 10:49 . 2008-04-14 04:10 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys 2010-04-27 10:49 . 2008-04-14 04:11 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys 2010-04-27 10:49 . 2008-04-14 04:11 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys 2010-04-27 10:48 . 2008-04-14 04:11 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys 2010-04-27 10:48 . 2008-04-14 04:11 8192 ----a-w- c:\windows\system32\drivers\changer.sys 2010-04-27 10:46 . 2008-04-14 05:21 59904 -c--a-w- c:\windows\system32\dllcache\atmarpc.sys 2010-04-27 10:46 . 2008-04-14 05:21 59904 ----a-w- c:\windows\system32\drivers\atmarpc.sys 2010-04-27 10:43 . 2010-04-27 10:43 93184 --sha-r- c:\windows\system32\oledlga.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-05-14 21:12 . 2007-02-14 16:38 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP 2010-05-11 10:10 . 2005-10-03 18:39 -------- d-----w- c:\program files\MSN Games 2010-05-11 10:09 . 2005-05-24 03:47 -------- d-----w- c:\program files\iWin.com 2010-05-08 13:54 . 2010-05-08 13:54 503808 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-75de4ac1-n\msvcp71.dll 2010-05-08 13:54 . 2010-05-08 13:54 499712 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-75de4ac1-n\jmc.dll 2010-05-08 13:54 . 2010-05-08 13:54 348160 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-75de4ac1-n\msvcr71.dll 2010-05-08 13:54 . 2010-05-08 13:54 61440 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-51c1f113-n\decora-sse.dll 2010-05-08 13:54 . 2010-05-08 13:54 12800 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-51c1f113-n\decora-d3d.dll 2010-05-08 13:53 . 2006-08-25 01:49 -------- d-----w- c:\program files\Java 2010-05-08 12:21 . 2009-12-25 01:42 -------- d-----w- c:\documents and settings\vjmure\Application Data\Skype 2010-05-08 12:16 . 2004-10-06 12:01 96512 ----a-w- c:\windows\system32\drivers\atapi.sys 2010-05-08 12:01 . 2009-12-25 01:44 -------- d-----w- c:\documents and settings\vjmure\Application Data\skypePM 2010-05-06 14:36 . 2009-10-03 06:24 221568 ------w- c:\windows\system32\MpSigStub.exe 2010-05-06 01:53 . 2008-11-09 22:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-05-06 01:41 . 2009-09-16 02:10 -------- d-----w- c:\documents and settings\vjmure\Application Data\Move Networks 2010-04-29 19:39 . 2008-11-09 22:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-04-29 19:39 . 2008-11-09 22:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-04-29 03:04 . 2009-09-09 21:08 -------- d-----w- c:\program files\QuickTime 2010-04-29 01:01 . 2005-06-26 17:27 -------- d-----w- c:\documents and settings\vjmure\Application Data\Lavasoft 2010-04-29 00:33 . 2009-12-25 01:31 -------- d-----w- c:\program files\Microsoft LifeCam 2010-04-29 00:32 . 2006-12-31 18:01 -------- d-----w- c:\program files\Windows Defender 2010-04-28 01:00 . 2007-04-12 14:17 66368 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2010-04-21 15:59 . 2009-04-06 23:35 204 ----a-w- c:\windows\popcinfot.dat 2010-03-29 19:59 . 2010-03-28 14:45 -------- d-----w- c:\documents and settings\vjmure\Application Data\PopCapv1006 2010-03-26 13:28 . 2010-03-26 13:28 -------- d-----w- c:\documents and settings\vjmure\Application Data\PopCapv1003 2010-03-11 12:38 . 2004-10-06 12:01 832512 ----a-w- c:\windows\system32\wininet.dll 2010-03-11 12:38 . 2004-10-06 12:01 78336 ----a-w- c:\windows\system32\ieencode.dll 2010-03-11 12:38 . 2004-10-06 12:01 17408 ----a-w- c:\windows\system32\corpol.dll 2010-03-09 11:09 . 2004-10-06 12:01 430080 ----a-w- c:\windows\system32\vbscript.dll 2010-02-24 13:11 . 2004-10-06 12:01 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2010-02-16 14:08 . 2004-10-06 12:01 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe 2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe 2005-06-07 23:47 . 2005-06-07 23:47 774144 ----a-w- c:\program files\RngInterstitial.dll . <pre> c:\program files\Analog Devices\SoundMAX\smax4 .exe c:\program files\Analog Devices\SoundMAX\smax4pnp .exe c:\program files\CA\CA Internet Security Suite\casc .exe c:\program files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\cavrid .exe c:\program files\IC\Card Reader Driver v1.9e\disk_monitor .exe c:\program files\Microsoft LifeCam\lifeexp .exe c:\program files\QuickTime\qttask .exe c:\program files\Windows Defender\msascui .exe </pre> ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CAVRID"="c:\program files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe" [N/A] "cctray"="c:\program files\CA\CA Internet Security Suite\casc.exe" [2010-04-28 374000] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-29 8466432] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-29 81920] "ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-03-09 1286608] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Spyware Doctor.lnk - c:\program files\Spyware Doctor\pctsGui.exe [2010-4-28 3101648] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW] 2009-03-27 20:27 79368 ----a-w- c:\windows\system32\UmxWNP.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"= "c:\\WINDOWS\\system32\\dpnsvr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"= "c:\\WINDOWS\\system32\\sessmgr.exe"= "c:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"= "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"= "c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"= "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iWin Games\\iWinGames.exe"= "c:\\Program Files\\iWin Games\\WebUpdater.exe"= "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [6/8/2009 11:02 AM 108024] R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [4/28/2010 8:42 PM 218592] R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [4/1/2009 10:45 AM 73720] R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [4/28/2010 8:45 PM 112592] R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\CA\CA Internet Security Suite\ccschedulersvc.exe [9/11/2009 7:49 PM 128240] R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [4/28/2010 8:42 PM 366840] R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [4/1/2009 10:45 AM 875000] R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [6/15/2009 11:32 AM 760664] R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [4/1/2009 10:45 AM 207352] R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592] R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [4/1/2009 10:45 AM 205304] S2 KillTheHooker;KillTheHooker;\??\c:\docume~1\vjmure\LOCALS~1\Temp\Temporary Directory 1 for TDL3%20Razor[1].zip\TDL3 Razor\TizerBruteForceEx.sys --> c:\docume~1\vjmure\LOCALS~1\Temp\Temporary Directory 1 for TDL3%20Razor[1].zip\TDL3 Razor\TizerBruteForceEx.sys [?] S3 3dfxvs;3dfxvs;c:\windows\system32\drivers\3dfxvsm.sys [7/20/2008 11:32 AM 148352] S3 memchek;memchek;\??\c:\windows\system32\memchek.sys --> c:\windows\system32\memchek.sys [?] S4 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [6/4/2009 12:11 PM 78104] --- Other Services/Drivers In Memory --- *Deregistered* - PCTSDInjDriver32 [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc . Contents of the 'Scheduled Tasks' folder 2010-05-14 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.bing.com/ mStart Page = hxxp://www.google.com uInternet Connection Wizard,ShellNext = iexplore IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 LSP: c:\windows\system32\VetRedir.dll Trusted Zone: aetna.com\xtranet Trusted Zone: aetna.com\xtranet6 Trusted Zone: aetna.com\xtranetx Trusted Zone: ameritrade.com\research Trusted Zone: ameritrade.com\wwws Trusted Zone: cnn.com\politicalticker.blogs Trusted Zone: cnn.com\sportsillustrated Trusted Zone: cnn.com\www Trusted Zone: equifax.com\www.econsumer Trusted Zone: facebook.com\apps Trusted Zone: facebook.com\www Trusted Zone: fannation.com\www Trusted Zone: garmin.com\www8 Trusted Zone: nawsrc.org\www Trusted Zone: tdameritrade.com\www Trusted Zone: toysrus.com\www Trusted Zone: usana.com\www Trusted Zone: weather.com\www Trusted Zone: youtube.com\www DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-05-14 17:26 Windows 5.1.2600 Service Pack 3 NTFS detected NTDLL code modification: ZwClose scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** "ImagePath"="\??\c:\docume~1\vjmure\LOCALS~1\Temp\Temporary Directory 1 for TDL3%20Razor [1].zip\TDL3 Razor\TizerBruteForceEx.sys" [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\KillTheHooker] "ImagePath"="\??\c:\docume~1\vjmure\LOCALS~1\Temp\Temporary Directory 1 for TDL3%20Razor . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(1748) c:\windows\system32\UmxWnp.Dll - - - - - - - > 'lsass.exe'(1952) c:\windows\system32\VetRedir.dll c:\windows\system32\ISafeIf.dll - - - - - - - > 'explorer.exe'(2792) c:\windows\system32\WININET.dll c:\program files\Spyware Doctor\pctgmhk.dll c:\windows\system32\ieframe.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll c:\windows\system32\WS2_32.dll c:\windows\system32\WS2HELP.dll . Completion time: 2010-05-14 17:32:24 ComboFix-quarantined-files.txt 2010-05-14 21:32 ComboFix2.txt 2010-05-13 10:25 ComboFix3.txt 2010-05-08 13:39 Pre-Run: 44,604,461,056 bytes free Post-Run: 44,578,422,784 bytes free - - End Of File - - 2853959EEC6EAE0E148520CFF1F675D6 Upload was successful -
Rootkit infection (google redirect)
vjmure replied to vjmure's topic in Resolved Malware Removal Logs
-
Rootkit infection (google redirect)
vjmure replied to vjmure's topic in Resolved Malware Removal Logs
From http://www.virustotal.com/ "0 bytes size received / Se ha recibido un archivo vacio " Also, my "Spyware Doctor" ran on its normal schedule and found some things; screen shot it attached. I took no action (the app is still up). Thanks, V -
Rootkit infection (google redirect)
vjmure replied to vjmure's topic in Resolved Malware Removal Logs
BTW, i did reenable the Antivirus / anti malware as well. (i ran no scans though) Thanks, V -
Rootkit infection (google redirect)
vjmure replied to vjmure's topic in Resolved Malware Removal Logs
Thanks again. Here is the result of the combo fix: ComboFix 10-05-12.03 - vjmure 05/13/2010 6:07.3.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.460 [GMT -4:00] Running from: c:\documents and settings\vjmure\Desktop\Combo-Fix.exe AV: CA Anti-Virus *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\SMRTDRIV.DLL c:\windows\system32\ctfmon .exe c:\windows\system32\nwiz .exe c:\windows\system32\regsvr32 .exe c:\windows\system32\rundll32 .exe c:\windows\vvx3000 .exe . ((((((((((((((((((((((((( Files Created from 2010-04-13 to 2010-05-13 ))))))))))))))))))))))))))))))) . 2010-05-09 04:05 . 2010-05-09 04:05 -------- d-----w- c:\program files\Trend Micro 2010-05-09 02:17 . 2010-05-09 02:17 -------- d-----w- C:\RotInHell 2010-05-08 13:57 . 2010-05-10 13:04 -------- d-----w- c:\program files\ESET 2010-05-08 13:54 . 2010-05-08 13:54 -------- d-----w- c:\program files\Common Files\Java 2010-05-08 13:54 . 2010-05-08 13:54 503808 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-75de4ac1-n\msvcp71.dll 2010-05-08 13:54 . 2010-05-08 13:54 499712 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-75de4ac1-n\jmc.dll 2010-05-08 13:54 . 2010-05-08 13:54 348160 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-75de4ac1-n\msvcr71.dll 2010-05-08 13:54 . 2010-05-08 13:54 61440 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-51c1f113-n\decora-sse.dll 2010-05-08 13:54 . 2010-05-08 13:54 12800 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-51c1f113-n\decora-d3d.dll 2010-05-08 13:53 . 2010-05-08 13:53 411368 ----a-w- c:\windows\system32\deployJava1.dll 2010-05-08 13:04 . 2008-04-14 05:27 14336 -c--a-w- c:\windows\system32\dllcache\asyncmac.sys 2010-05-08 13:04 . 2008-04-14 05:27 14336 ----a-w- c:\windows\system32\drivers\asyncmac.sys 2010-05-08 02:10 . 2010-05-08 02:10 -------- d-----w- c:\documents and settings\Test\Application Data\Malwarebytes 2010-05-06 01:18 . 2010-05-06 01:18 -------- d-----w- c:\documents and settings\vjmure\Local Settings\Application Data\Downloaded Installations 2010-04-29 01:17 . 2010-04-29 01:17 -------- d-----w- c:\documents and settings\vjmure\Local Settings\Application Data\Threat Expert 2010-04-29 00:54 . 2010-04-29 00:54 -------- d-----w- c:\documents and settings\Test\Local Settings\Application Data\Threat Expert 2010-04-29 00:45 . 2010-01-22 13:55 767952 ----a-w- c:\windows\BDTSupport.dll 2010-04-29 00:45 . 2010-01-22 13:56 149456 ----a-w- c:\windows\SGDetectionTool.dll 2010-04-29 00:45 . 2009-10-28 05:36 1152444 ----a-w- c:\windows\UDB.zip 2010-04-29 00:45 . 2008-11-26 16:08 131 ----a-w- c:\windows\IDB.zip 2010-04-29 00:45 . 2010-01-22 13:56 165840 ----a-w- c:\windows\PCTBDRes.dll 2010-04-29 00:45 . 2010-01-22 13:56 1652688 ----a-w- c:\windows\PCTBDCore.dll 2010-04-29 00:43 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys 2010-04-29 00:42 . 2010-03-29 14:06 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys 2010-04-29 00:42 . 2009-11-23 17:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys 2010-04-29 00:42 . 2010-04-08 18:29 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys 2010-04-29 00:42 . 2010-04-29 00:45 -------- d-----w- c:\program files\Common Files\PC Tools 2010-04-29 00:42 . 2010-05-13 03:26 -------- d-----w- c:\program files\Spyware Doctor 2010-04-29 00:42 . 2010-04-29 00:42 -------- d-----w- c:\documents and settings\Test\Application Data\PC Tools 2010-04-29 00:42 . 2010-04-29 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools 2010-04-28 00:45 . 2010-04-28 00:45 -------- d-----w- c:\documents and settings\user\Application Data\Lavasoft 2010-04-27 10:49 . 2008-04-14 04:10 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys 2010-04-27 10:49 . 2008-04-14 04:10 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys 2010-04-27 10:49 . 2008-04-14 04:11 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys 2010-04-27 10:49 . 2008-04-14 04:11 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys 2010-04-27 10:48 . 2008-04-14 04:11 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys 2010-04-27 10:48 . 2008-04-14 04:11 8192 ----a-w- c:\windows\system32\drivers\changer.sys 2010-04-27 10:46 . 2008-04-14 05:21 59904 -c--a-w- c:\windows\system32\dllcache\atmarpc.sys 2010-04-27 10:46 . 2008-04-14 05:21 59904 ----a-w- c:\windows\system32\drivers\atmarpc.sys 2010-04-27 10:43 . 2010-04-27 10:43 93184 --sha-r- c:\windows\system32\oledlga.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-05-13 10:03 . 2007-02-14 16:38 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP 2010-05-11 10:10 . 2005-10-03 18:39 -------- d-----w- c:\program files\MSN Games 2010-05-11 10:09 . 2005-05-24 03:47 -------- d-----w- c:\program files\iWin.com 2010-05-08 13:53 . 2006-08-25 01:49 -------- d-----w- c:\program files\Java 2010-05-08 12:21 . 2009-12-25 01:42 -------- d-----w- c:\documents and settings\vjmure\Application Data\Skype 2010-05-08 12:16 . 2004-10-06 12:01 96512 ----a-w- c:\windows\system32\drivers\atapi.sys 2010-05-08 12:01 . 2009-12-25 01:44 -------- d-----w- c:\documents and settings\vjmure\Application Data\skypePM 2010-05-06 14:36 . 2009-10-03 06:24 221568 ------w- c:\windows\system32\MpSigStub.exe 2010-05-06 01:53 . 2008-11-09 22:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-05-06 01:41 . 2009-09-16 02:10 -------- d-----w- c:\documents and settings\vjmure\Application Data\Move Networks 2010-04-29 19:39 . 2008-11-09 22:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-04-29 19:39 . 2008-11-09 22:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-04-29 03:04 . 2009-09-09 21:08 -------- d-----w- c:\program files\QuickTime 2010-04-29 01:01 . 2005-06-26 17:27 -------- d-----w- c:\documents and settings\vjmure\Application Data\Lavasoft 2010-04-29 00:33 . 2009-12-25 01:31 -------- d-----w- c:\program files\Microsoft LifeCam 2010-04-29 00:32 . 2006-12-31 18:01 -------- d-----w- c:\program files\Windows Defender 2010-04-28 01:00 . 2007-04-12 14:17 66368 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2010-04-21 15:59 . 2009-04-06 23:35 204 ----a-w- c:\windows\popcinfot.dat 2010-03-29 19:59 . 2010-03-28 14:45 -------- d-----w- c:\documents and settings\vjmure\Application Data\PopCapv1006 2010-03-26 13:28 . 2010-03-26 13:28 -------- d-----w- c:\documents and settings\vjmure\Application Data\PopCapv1003 2010-03-11 12:38 . 2004-10-06 12:01 832512 ----a-w- c:\windows\system32\wininet.dll 2010-03-11 12:38 . 2004-10-06 12:01 78336 ----a-w- c:\windows\system32\ieencode.dll 2010-03-11 12:38 . 2004-10-06 12:01 17408 ----a-w- c:\windows\system32\corpol.dll 2010-03-09 11:09 . 2004-10-06 12:01 430080 ----a-w- c:\windows\system32\vbscript.dll 2010-02-24 13:11 . 2004-10-06 12:01 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2010-02-16 14:08 . 2004-10-06 12:01 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe 2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe 2005-06-07 23:47 . 2005-06-07 23:47 774144 ----a-w- c:\program files\RngInterstitial.dll . <pre> c:\program files\Analog Devices\SoundMAX\smax4 .exe c:\program files\Analog Devices\SoundMAX\smax4pnp .exe c:\program files\CA\CA Internet Security Suite\casc .exe c:\program files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\cavrid .exe c:\program files\IC\Card Reader Driver v1.9e\disk_monitor .exe c:\program files\Microsoft LifeCam\lifeexp .exe c:\program files\QuickTime\qttask .exe c:\program files\Windows Defender\msascui .exe </pre> ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CAVRID"="c:\program files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe" [N/A] "cctray"="c:\program files\CA\CA Internet Security Suite\casc.exe" [2010-04-28 374000] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-29 8466432] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-29 81920] "ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-03-09 1286608] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Spyware Doctor.lnk - c:\program files\Spyware Doctor\pctsGui.exe [2010-4-28 3101648] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW] 2009-03-27 20:27 79368 ----a-w- c:\windows\system32\UmxWNP.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"= "c:\\WINDOWS\\system32\\dpnsvr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"= "c:\\WINDOWS\\system32\\sessmgr.exe"= "c:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"= "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"= "c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"= "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iWin Games\\iWinGames.exe"= "c:\\Program Files\\iWin Games\\WebUpdater.exe"= "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [6/8/2009 11:02 AM 108024] R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [4/28/2010 8:42 PM 218592] R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [4/1/2009 10:45 AM 73720] R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [4/28/2010 8:45 PM 112592] R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\CA\CA Internet Security Suite\ccschedulersvc.exe [9/11/2009 7:49 PM 128240] R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [4/28/2010 8:42 PM 366840] R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [4/1/2009 10:45 AM 875000] R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [6/15/2009 11:32 AM 760664] R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [4/1/2009 10:45 AM 207352] R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592] R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [4/1/2009 10:45 AM 205304] S2 KillTheHooker;KillTheHooker;\??\c:\docume~1\vjmure\LOCALS~1\Temp\Temporary Directory 1 for TDL3%20Razor[1].zip\TDL3 Razor\TizerBruteForceEx.sys --> c:\docume~1\vjmure\LOCALS~1\Temp\Temporary Directory 1 for TDL3%20Razor[1].zip\TDL3 Razor\TizerBruteForceEx.sys [?] S3 3dfxvs;3dfxvs;c:\windows\system32\drivers\3dfxvsm.sys [7/20/2008 11:32 AM 148352] S3 memchek;memchek;\??\c:\windows\system32\memchek.sys --> c:\windows\system32\memchek.sys [?] S4 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [6/4/2009 12:11 PM 78104] --- Other Services/Drivers In Memory --- *Deregistered* - PCTSDInjDriver32 [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc . Contents of the 'Scheduled Tasks' folder 2010-05-13 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.bing.com/ mStart Page = hxxp://www.google.com uInternet Connection Wizard,ShellNext = yes uInternet Connection Wizard,ShellNext = 0a000000 uInternet Connection Wizard,ShellNext = yes uInternet Connection Wizard,ShellNext = 01000000 uInternet Connection Wizard,ShellNext = yes uInternet Connection Wizard,ShellNext = 1a000000 uInternet Connection Wizard,ShellNext = 1a000000 uInternet Connection Wizard,ShellNext = hxxp://www.google.com uInternet Connection Wizard,ShellNext = Microsoft Corporation uInternet Connection Wizard,ShellNext = MICROSO uInternet Connection Wizard,ShellNext = 6.0.2600.0000 uInternet Connection Wizard,ShellNext = no uInternet Connection Wizard,ShellNext = \0 uInternet Connection Wizard,ShellNext = about:NoAdd-ons uInternet Connection Wizard,ShellNext = about:SecurityRisk uInternet Connection Wizard,ShellNext = yes uInternet Connection Wizard,ShellNext = yes IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 LSP: c:\windows\system32\VetRedir.dll Trusted Zone: aetna.com\xtranet Trusted Zone: aetna.com\xtranet6 Trusted Zone: aetna.com\xtranetx Trusted Zone: ameritrade.com\research Trusted Zone: ameritrade.com\wwws Trusted Zone: cnn.com\politicalticker.blogs Trusted Zone: cnn.com\sportsillustrated Trusted Zone: cnn.com\www Trusted Zone: equifax.com\www.econsumer Trusted Zone: facebook.com\apps Trusted Zone: facebook.com\www Trusted Zone: fannation.com\www Trusted Zone: garmin.com\www8 Trusted Zone: nawsrc.org\www Trusted Zone: tdameritrade.com\www Trusted Zone: toysrus.com\www Trusted Zone: usana.com\www Trusted Zone: weather.com\www Trusted Zone: youtube.com\www DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-05-13 06:19 Windows 5.1.2600 Service Pack 3 NTFS detected NTDLL code modification: ZwClose scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** "ImagePath"="\??\c:\docume~1\vjmure\LOCALS~1\Temp\Temporary Directory 1 for TDL3%20Razor [1].zip\TDL3 Razor\TizerBruteForceEx.sys" [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\KillTheHooker] "ImagePath"="\??\c:\docume~1\vjmure\LOCALS~1\Temp\Temporary Directory 1 for TDL3%20Razor . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(1748) c:\windows\system32\UmxWnp.Dll - - - - - - - > 'lsass.exe'(1952) c:\windows\system32\VetRedir.dll c:\windows\system32\ISafeIf.dll . Completion time: 2010-05-13 06:25:06 ComboFix-quarantined-files.txt 2010-05-13 10:25 ComboFix2.txt 2010-05-08 13:39 Pre-Run: 44,847,493,120 bytes free Post-Run: 44,995,600,384 bytes free - - End Of File - - 75BDE1F420D64B80D3957D265DA23B36