vjmure
Member, 19 posts
Everything posted by vjmure
Rootkit infection (google redirect)
vjmure replied to vjmure's topic in Resolved Malware Removal Logs
Final question: the defogger did not ask me to reboot (it didn't when I disabled it either). Should I reboot? Any concerns there?
Rootkit infection (google redirect)
vjmure replied to vjmure's topic in Resolved Malware Removal Logs
Thank you very much! A couple of questions: did I have a TDL3 rootkit? My understanding is it usually attaches to atapi.sys or print spool; I don't recall touching those (or did the ComboFix go after that?). Also, one of the ComboFix script commands had what looked like files related to CA Antivirus; should I be concerned there? Again, thanks a ton. I'd like to make a donation, but I don't have PayPal; any other methods? Thanks, V
Rootkit infection (google redirect)
vjmure replied to vjmure's topic in Resolved Malware Removal Logs
ESET Log....

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=7.00.6000.17023 (vista_gdr.100222-0012)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=9ca1ae75e3c8bd47b978bc711879a4f6
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-05-15 04:33:32
# local_time=2010-05-15 12:33:32 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=4866 16775141 100 100 0 76229105 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=135028
# found=0
# cleaned=0
# scan_time=10853
Rootkit infection (google redirect)
vjmure replied to vjmure's topic in Resolved Malware Removal Logs
Other than the IP thing, they seem OK..... But I'm not doing much. Should I try other things? Does it look clean? Are we actually good?
Rootkit infection (google redirect)
vjmure replied to vjmure's topic in Resolved Malware Removal Logs
Something odd that I noticed; maybe nothing..... I launched IE; my home page is now "bing" (instead of the google). IE hung a moment and I saw at the bottom: waiting for connection 96.6.44.50. Did a search for that IP address and found nothing. Did a tracert from CMD; after a few bounces it landed on akamaitechnologies.com..... Not sure why IE would try to connect to it; seems like a legit company. Maybe there is some sort of subdomain of the bing.com page... Not sure; just figured I'd point that out.
Rootkit infection (google redirect)
vjmure replied to vjmure's topic in Resolved Malware Removal Logs
Thanks again. I ran ComboFix. I did disable the Spyware Doctor for 30 min, but it wasn't enough time (my bad). It came up during the ComboFix run. There were a couple of popup errors, but it seemed to continue and run its course. Hopefully not a problem (?). Errors were:
- Pev.exe application error, Instruction at "0x0050005c" referenced memory at "0x0050005c" which could not be read.
- C:\Combo-fix\catchme.cfxxe is not a valid win32 application
- After reboot, ATTRIB {something}; this one went away while I was trying to write it down.
But it did finish.....

ComboFix 10-05-14.06 - vjmure 05/15/2010 6:44.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.441 [GMT -4:00]
Running from: c:\documents and settings\vjmure\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\vjmure\Desktop\CFScript.txt
AV: CA Anti-Virus *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
.
((((((((((((((((((((((((( Files Created from 2010-04-15 to 2010-05-15 )))))))))))))))))))))))))))))))
.
2010-05-14 10:53 . 2010-05-14 10:53 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Threat Expert
2010-05-09 04:05 . 2010-05-09 04:05 -------- d-----w- c:\program files\Trend Micro
2010-05-09 02:17 . 2010-05-14 21:40 -------- d-----w- C:\RotInHell
2010-05-08 13:57 . 2010-05-10 13:04 -------- d-----w- c:\program files\ESET
2010-05-08 13:54 . 2010-05-08 13:54 -------- d-----w- c:\program files\Common Files\Java
2010-05-08 13:54 . 2010-05-08 13:54 503808 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-75de4ac1-n\msvcp71.dll
2010-05-08 13:54 . 2010-05-08 13:54 499712 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-75de4ac1-n\jmc.dll
2010-05-08 13:54 . 2010-05-08 13:54 348160 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-75de4ac1-n\msvcr71.dll
2010-05-08 13:54 . 2010-05-08 13:54 61440 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-51c1f113-n\decora-sse.dll
2010-05-08 13:54 . 2010-05-08 13:54 12800 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-51c1f113-n\decora-d3d.dll
2010-05-08 13:53 . 2010-05-08 13:53 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-08 13:04 . 2008-04-14 05:27 14336 -c--a-w- c:\windows\system32\dllcache\asyncmac.sys
2010-05-08 13:04 . 2008-04-14 05:27 14336 ----a-w- c:\windows\system32\drivers\asyncmac.sys
2010-05-08 02:10 . 2010-05-08 02:10 -------- d-----w- c:\documents and settings\Test\Application Data\Malwarebytes
2010-05-06 01:18 . 2010-05-06 01:18 -------- d-----w- c:\documents and settings\vjmure\Local Settings\Application Data\Downloaded Installations
2010-04-29 01:17 . 2010-04-29 01:17 -------- d-----w- c:\documents and settings\vjmure\Local Settings\Application Data\Threat Expert
2010-04-29 00:54 . 2010-04-29 00:54 -------- d-----w- c:\documents and settings\Test\Local Settings\Application Data\Threat Expert
2010-04-29 00:45 . 2010-01-22 13:55 767952 ----a-w- c:\windows\BDTSupport.dll
2010-04-29 00:45 . 2010-01-22 13:56 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-04-29 00:45 . 2009-10-28 05:36 1152444 ----a-w- c:\windows\UDB.zip
2010-04-29 00:45 . 2008-11-26 16:08 131 ----a-w- c:\windows\IDB.zip
2010-04-29 00:45 . 2010-01-22 13:56 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-04-29 00:45 . 2010-01-22 13:56 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-04-29 00:43 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-04-29 00:42 . 2010-03-29 14:06 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-04-29 00:42 . 2009-11-23 17:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-04-29 00:42 . 2010-04-08 18:29 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-04-29 00:42 . 2010-04-29 00:45 -------- d-----w- c:\program files\Common Files\PC Tools
2010-04-29 00:42 . 2010-05-15 11:02 -------- d-----w- c:\program files\Spyware Doctor
2010-04-29 00:42 . 2010-04-29 00:42 -------- d-----w- c:\documents and settings\Test\Application Data\PC Tools
2010-04-29 00:42 . 2010-04-29 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-04-28 00:45 . 2010-04-28 00:45 -------- d-----w- c:\documents and settings\user\Application Data\Lavasoft
2010-04-27 10:49 . 2008-04-14 04:10 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-04-27 10:49 . 2008-04-14 04:10 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-04-27 10:49 . 2008-04-14 04:11 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-04-27 10:49 . 2008-04-14 04:11 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-04-27 10:48 . 2008-04-14 04:11 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-04-27 10:48 . 2008-04-14 04:11 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-04-27 10:46 . 2008-04-14 05:21 59904 -c--a-w- c:\windows\system32\dllcache\atmarpc.sys
2010-04-27 10:46 . 2008-04-14 05:21 59904 ----a-w- c:\windows\system32\drivers\atmarpc.sys
2010-04-27 10:43 . 2010-04-27 10:43 93184 --sha-r- c:\windows\system32\oledlga.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-15 11:04 . 2007-02-14 16:38 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-15 10:44 . 2006-12-31 18:01 -------- d-----w- c:\program files\Windows Defender
2010-05-15 10:44 . 2009-12-25 01:31 -------- d-----w- c:\program files\Microsoft LifeCam
2010-05-15 10:44 . 2009-09-09 21:08 -------- d-----w- c:\program files\QuickTime
2010-05-11 10:10 . 2005-10-03 18:39 -------- d-----w- c:\program files\MSN Games
2010-05-11 10:09 . 2005-05-24 03:47 -------- d-----w- c:\program files\iWin.com
2010-05-08 13:53 . 2006-08-25 01:49 -------- d-----w- c:\program files\Java
2010-05-08 12:21 . 2009-12-25 01:42 -------- d-----w- c:\documents and settings\vjmure\Application Data\Skype
2010-05-08 12:16 . 2004-10-06 12:01 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-05-08 12:01 . 2009-12-25 01:44 -------- d-----w- c:\documents and settings\vjmure\Application Data\skypePM
2010-05-06 14:36 . 2009-10-03 06:24 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-06 01:53 . 2008-11-09 22:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-06 01:41 . 2009-09-16 02:10 -------- d-----w- c:\documents and settings\vjmure\Application Data\Move Networks
2010-04-29 19:39 . 2008-11-09 22:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2008-11-09 22:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 01:01 . 2005-06-26 17:27 -------- d-----w- c:\documents and settings\vjmure\Application Data\Lavasoft
2010-04-28 01:00 . 2007-04-12 14:17 66368 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-21 15:59 . 2009-04-06 23:35 204 ----a-w- c:\windows\popcinfot.dat
2010-03-29 19:59 . 2010-03-28 14:45 -------- d-----w- c:\documents and settings\vjmure\Application Data\PopCapv1006
2010-03-26 13:28 . 2010-03-26 13:28 -------- d-----w- c:\documents and settings\vjmure\Application Data\PopCapv1003
2010-03-11 12:38 . 2004-10-06 12:01 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-10-06 12:01 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-10-06 12:01 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-10-06 12:01 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2004-10-06 12:01 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2004-10-06 12:01 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2005-06-07 23:47 . 2005-06-07 23:47 774144 ----a-w- c:\program files\RngInterstitial.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CAVRID"="c:\program files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe" [2009-11-28 271600]
"cctray"="c:\program files\CA\CA Internet Security Suite\casc.exe" [2009-11-11 374000]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-29 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-29 81920]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Spyware Doctor.lnk - c:\program files\Spyware Doctor\pctsGui.exe [2010-4-28 3101648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2009-03-27 20:27 79368 ----a-w- c:\windows\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iWin Games\\iWinGames.exe"=
"c:\\Program Files\\iWin Games\\WebUpdater.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [6/8/2009 11:02 AM 108024]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [4/28/2010 8:42 PM 218592]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [4/1/2009 10:45 AM 73720]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [4/28/2010 8:45 PM 112592]
R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\CA\CA Internet Security Suite\ccschedulersvc.exe [9/11/2009 7:49 PM 128240]
R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [4/1/2009 10:45 AM 875000]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [6/15/2009 11:32 AM 760664]
R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [4/1/2009 10:45 AM 207352]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [4/1/2009 10:45 AM 205304]
S2 KillTheHooker;KillTheHooker;\??\c:\docume~1\vjmure\LOCALS~1\Temp\Temporary Directory 1 for TDL3%20Razor[1].zip\TDL3 Razor\TizerBruteForceEx.sys --> c:\docume~1\vjmure\LOCALS~1\Temp\Temporary Directory 1 for TDL3%20Razor[1].zip\TDL3 Razor\TizerBruteForceEx.sys [?]
S3 3dfxvs;3dfxvs;c:\windows\system32\drivers\3dfxvsm.sys [7/20/2008 11:32 AM 148352]
S3 memchek;memchek;\??\c:\windows\system32\memchek.sys --> c:\windows\system32\memchek.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [4/28/2010 8:42 PM 366840]
S4 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [6/4/2009 12:11 PM 78104]

--- Other Services/Drivers In Memory ---

*Deregistered* - PCTSDInjDriver32

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-05-15 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: aetna.com\xtranet
Trusted Zone: aetna.com\xtranet6
Trusted Zone: aetna.com\xtranetx
Trusted Zone: ameritrade.com\research
Trusted Zone: ameritrade.com\wwws
Trusted Zone: cnn.com\politicalticker.blogs
Trusted Zone: cnn.com\sportsillustrated
Trusted Zone: cnn.com\www
Trusted Zone: equifax.com\www.econsumer
Trusted Zone: facebook.com\apps
Trusted Zone: facebook.com\www
Trusted Zone: fannation.com\www
Trusted Zone: garmin.com\www8
Trusted Zone: nawsrc.org\www
Trusted Zone: tdameritrade.com\www
Trusted Zone: toysrus.com\www
Trusted Zone: usana.com\www
Trusted Zone: weather.com\www
Trusted Zone: youtube.com\www
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-15 07:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

"ImagePath"="\??\c:\docume~1\vjmure\LOCALS~1\Temp\Temporary Directory 1 for TDL3%20Razor [1].zip\TDL3 Razor\TizerBruteForceEx.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\KillTheHooker]
"ImagePath"="\??\c:\docume~1\vjmure\LOCALS~1\Temp\Temporary Directory 1 for TDL3%20Razor
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1628)
c:\windows\system32\UmxWnp.Dll

- - - - - - - > 'lsass.exe'(1832)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll

- - - - - - - > 'explorer.exe'(3948)
c:\windows\system32\WININET.dll
c:\program files\Spyware Doctor\pctgmhk.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\CA\CA Internet Security Suite\ccprovsp.exe
.
**************************************************************************
.
Completion time: 2010-05-15 07:10:30 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-15 11:10
ComboFix2.txt 2010-05-14 21:35
ComboFix3.txt 2010-05-13 10:25
ComboFix4.txt 2010-05-08 13:39

Pre-Run: 44,429,148,160 bytes free
Post-Run: 44,577,538,048 bytes free

- - End Of File - - 694E78CE25B4148CE8DFC3A9A17571A2
Rootkit infection (google redirect)
vjmure replied to vjmure's topic in Resolved Malware Removal Logs
Thanks again! Does that mean I am clean? V
Rootkit infection (google redirect)
vjmure replied to vjmure's topic in Resolved Malware Removal Logs
OK, I am trying to C/P the results, but it keeps coming back with a 501 error. So I took screenshots (attached). I hope that works.....
Rootkit infection (google redirect)
vjmure replied to vjmure's topic in Resolved Malware Removal Logs
Antivirus              Version            Last Update   Result
a-squared              4.5.0.50           2010.05.10    -
AhnLab-V3              2010.05.15.00      2010.05.14    -
AntiVir                8.2.1.242          2010.05.14    -
Antiy-AVL              2.0.3.7            2010.05.14    -
Authentium             5.2.0.5            2010.05.14    -
Avast                  4.8.1351.0         2010.05.14    -
Avast5                 5.0.332.0          2010.05.14    -
AVG                    9.0.0.787          2010.05.14    -
BitDefender            7.2                2010.05.14    -
CAT-QuickHeal          10.00              2010.05.14    -
ClamAV                 0.96.0.3-git       2010.05.14    -
Comodo                 4841               2010.05.14    -
DrWeb                  5.0.2.03300        2010.05.14    -
eSafe                  7.0.17.0           2010.05.13    -
eTrust-Vet             35.2.7488          2010.05.14    -
F-Prot                 4.5.1.85           2010.05.14    -
F-Secure               9.0.15370.0        2010.05.14    -
Fortinet               4.1.133.0          2010.05.14    -
GData                  21                 2010.05.14    -
Ikarus                 T3.1.1.84.0        2010.05.14    -
Jiangmin               13.0.900           2010.05.14    -
Kaspersky              7.0.0.125          2010.05.14    -
McAfee                 5.400.0.1158       2010.05.14    -
McAfee-GW-Edition      2010.1             2010.05.14    -
Microsoft              1.5703             2010.05.14    -
NOD32                  5115               2010.05.14    -
Norman                 6.04.12            2010.05.14    -
nProtect               2010-05-14.01      2010.05.14    -
Panda                  10.0.2.7           2010.05.14    -
PCTools                7.0.3.5            2010.05.14    Application.NirCmd
Prevx                  3.0                2010.05.14    -
Rising                 22.47.04.03        2010.05.14    -
Sophos                 4.53.0             2010.05.14    -
Sunbelt                6303               2010.05.14    -
Symantec               20101.1.0.89       2010.05.14    -
TheHacker              6.5.2.0.280        2010.05.14    -
TrendMicro             9.120.0.1004       2010.05.14    -
TrendMicro-HouseCall   9.120.0.1004       2010.05.14    -
VBA32                  3.12.12.5          2010.05.14    -
ViRobot                2010.5.14.2316     2010.05.14    -
VirusBuster            5.0.27.0           2010.05.14    -
Rootkit infection (google redirect)
vjmure replied to vjmure's topic in Resolved Malware Removal Logs
Test
Rootkit infection (google redirect)
vjmure replied to vjmure's topic in Resolved Malware Removal Logs
Script results below. Also, I did have PC Tools "fix" its findings, as it has since found an .exe. Screenshot attached.

ComboFix 10-05-14.06 - vjmure 05/14/2010 17:16:32.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.442 [GMT -4:00]
Running from: c:\documents and settings\vjmure\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\vjmure\Desktop\CFScript.txt
AV: CA Anti-Virus *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

file zipped: c:\windows\system32\oledlga.dll
.
((((((((((((((((((((((((( Files Created from 2010-04-14 to 2010-05-14 )))))))))))))))))))))))))))))))
.
2010-05-14 10:53 . 2010-05-14 10:53 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Threat Expert
2010-05-09 04:05 . 2010-05-09 04:05 -------- d-----w- c:\program files\Trend Micro
2010-05-09 02:17 . 2010-05-09 02:17 -------- d-----w- C:\RotInHell
2010-05-08 13:57 . 2010-05-10 13:04 -------- d-----w- c:\program files\ESET
2010-05-08 13:54 . 2010-05-08 13:54 -------- d-----w- c:\program files\Common Files\Java
2010-05-08 13:53 . 2010-05-08 13:53 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-08 13:04 . 2008-04-14 05:27 14336 -c--a-w- c:\windows\system32\dllcache\asyncmac.sys
2010-05-08 13:04 . 2008-04-14 05:27 14336 ----a-w- c:\windows\system32\drivers\asyncmac.sys
2010-05-08 02:10 . 2010-05-08 02:10 -------- d-----w- c:\documents and settings\Test\Application Data\Malwarebytes
2010-05-06 01:18 . 2010-05-06 01:18 -------- d-----w- c:\documents and settings\vjmure\Local Settings\Application Data\Downloaded Installations
2010-04-29 01:17 . 2010-04-29 01:17 -------- d-----w- c:\documents and settings\vjmure\Local Settings\Application Data\Threat Expert
2010-04-29 00:54 . 2010-04-29 00:54 -------- d-----w- c:\documents and settings\Test\Local Settings\Application Data\Threat Expert
2010-04-29 00:45 . 2010-01-22 13:55 767952 ----a-w- c:\windows\BDTSupport.dll
2010-04-29 00:45 . 2010-01-22 13:56 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-04-29 00:45 . 2009-10-28 05:36 1152444 ----a-w- c:\windows\UDB.zip
2010-04-29 00:45 . 2008-11-26 16:08 131 ----a-w- c:\windows\IDB.zip
2010-04-29 00:45 . 2010-01-22 13:56 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-04-29 00:45 . 2010-01-22 13:56 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-04-29 00:43 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-04-29 00:42 . 2010-03-29 14:06 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-04-29 00:42 . 2009-11-23 17:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-04-29 00:42 . 2010-04-08 18:29 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-04-29 00:42 . 2010-04-29 00:45 -------- d-----w- c:\program files\Common Files\PC Tools
2010-04-29 00:42 . 2010-05-14 21:08 -------- d-----w- c:\program files\Spyware Doctor
2010-04-29 00:42 . 2010-04-29 00:42 -------- d-----w- c:\documents and settings\Test\Application Data\PC Tools
2010-04-29 00:42 . 2010-04-29 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-04-28 00:45 . 2010-04-28 00:45 -------- d-----w- c:\documents and settings\user\Application Data\Lavasoft
2010-04-27 10:49 . 2008-04-14 04:10 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-04-27 10:49 . 2008-04-14 04:10 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-04-27 10:49 . 2008-04-14 04:11 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-04-27 10:49 . 2008-04-14 04:11 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-04-27 10:48 . 2008-04-14 04:11 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-04-27 10:48 . 2008-04-14 04:11 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-04-27 10:46 . 2008-04-14 05:21 59904 -c--a-w- c:\windows\system32\dllcache\atmarpc.sys
2010-04-27 10:46 . 2008-04-14 05:21 59904 ----a-w- c:\windows\system32\drivers\atmarpc.sys
2010-04-27 10:43 . 2010-04-27 10:43 93184 --sha-r- c:\windows\system32\oledlga.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-14 21:12 . 2007-02-14 16:38 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-11 10:10 . 2005-10-03 18:39 -------- d-----w- c:\program files\MSN Games
2010-05-11 10:09 . 2005-05-24 03:47 -------- d-----w- c:\program files\iWin.com
2010-05-08 13:54 . 2010-05-08 13:54 503808 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-75de4ac1-n\msvcp71.dll
2010-05-08 13:54 . 2010-05-08 13:54 499712 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-75de4ac1-n\jmc.dll
2010-05-08 13:54 . 2010-05-08 13:54 348160 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-75de4ac1-n\msvcr71.dll
2010-05-08 13:54 . 2010-05-08 13:54 61440 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-51c1f113-n\decora-sse.dll
2010-05-08 13:54 . 2010-05-08 13:54 12800 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-51c1f113-n\decora-d3d.dll
2010-05-08 13:53 . 2006-08-25 01:49 -------- d-----w- c:\program files\Java
2010-05-08 12:21 . 2009-12-25 01:42 -------- d-----w- c:\documents and settings\vjmure\Application Data\Skype
2010-05-08 12:16 . 2004-10-06 12:01 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-05-08 12:01 . 2009-12-25 01:44 -------- d-----w- c:\documents and settings\vjmure\Application Data\skypePM
2010-05-06 14:36 . 2009-10-03 06:24 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-06 01:53 . 2008-11-09 22:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-06 01:41 . 2009-09-16 02:10 -------- d-----w- c:\documents and settings\vjmure\Application Data\Move Networks
2010-04-29 19:39 . 2008-11-09 22:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2008-11-09 22:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 03:04 . 2009-09-09 21:08 -------- d-----w- c:\program files\QuickTime
2010-04-29 01:01 . 2005-06-26 17:27 -------- d-----w- c:\documents and settings\vjmure\Application Data\Lavasoft
2010-04-29 00:33 . 2009-12-25 01:31 -------- d-----w- c:\program files\Microsoft LifeCam
2010-04-29 00:32 . 2006-12-31 18:01 -------- d-----w- c:\program files\Windows Defender
2010-04-28 01:00 . 2007-04-12 14:17 66368 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-21 15:59 . 2009-04-06 23:35 204 ----a-w- c:\windows\popcinfot.dat
2010-03-29 19:59 . 2010-03-28 14:45 -------- d-----w- c:\documents and settings\vjmure\Application Data\PopCapv1006
2010-03-26 13:28 . 2010-03-26 13:28 -------- d-----w- c:\documents and settings\vjmure\Application Data\PopCapv1003
2010-03-11 12:38 . 2004-10-06 12:01 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-10-06 12:01 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-10-06 12:01 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-10-06 12:01 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2004-10-06 12:01 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2004-10-06 12:01 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2005-06-07 23:47 . 2005-06-07 23:47 774144 ----a-w- c:\program files\RngInterstitial.dll
.
<pre>
c:\program files\Analog Devices\SoundMAX\smax4 .exe
c:\program files\Analog Devices\SoundMAX\smax4pnp .exe
c:\program files\CA\CA Internet Security Suite\casc .exe
c:\program files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\cavrid .exe
c:\program files\IC\Card Reader Driver v1.9e\disk_monitor .exe
c:\program files\Microsoft LifeCam\lifeexp .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Windows Defender\msascui .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CAVRID"="c:\program files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe" [N/A]
"cctray"="c:\program files\CA\CA Internet Security Suite\casc.exe" [2010-04-28 374000]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-29 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-29 81920]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-03-09 1286608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Spyware Doctor.lnk - c:\program files\Spyware Doctor\pctsGui.exe [2010-4-28 3101648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2009-03-27 20:27 79368 ----a-w- c:\windows\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iWin Games\\iWinGames.exe"=
"c:\\Program Files\\iWin Games\\WebUpdater.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [6/8/2009 11:02 AM 108024]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [4/28/2010 8:42 PM 218592]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [4/1/2009 10:45 AM 73720]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [4/28/2010 8:45 PM 112592]
R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\CA\CA Internet Security Suite\ccschedulersvc.exe [9/11/2009 7:49 PM 128240]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [4/28/2010 8:42 PM 366840]
R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [4/1/2009 10:45 AM 875000]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [6/15/2009 11:32 AM 760664]
R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [4/1/2009 10:45 AM 207352]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [4/1/2009 10:45 AM 205304]
S2 KillTheHooker;KillTheHooker;\??\c:\docume~1\vjmure\LOCALS~1\Temp\Temporary Directory 1 for TDL3%20Razor[1].zip\TDL3 Razor\TizerBruteForceEx.sys --> c:\docume~1\vjmure\LOCALS~1\Temp\Temporary Directory 1 for TDL3%20Razor[1].zip\TDL3 Razor\TizerBruteForceEx.sys [?]
S3 3dfxvs;3dfxvs;c:\windows\system32\drivers\3dfxvsm.sys [7/20/2008 11:32 AM 148352]
S3 memchek;memchek;\??\c:\windows\system32\memchek.sys --> c:\windows\system32\memchek.sys [?]
S4 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [6/4/2009 12:11 PM 78104]

--- Other Services/Drivers In Memory ---

*Deregistered* - PCTSDInjDriver32

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-05-14 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: aetna.com\xtranet
Trusted Zone: aetna.com\xtranet6
Trusted Zone: aetna.com\xtranetx
Trusted Zone: ameritrade.com\research
Trusted Zone: ameritrade.com\wwws
Trusted Zone: cnn.com\politicalticker.blogs
Trusted Zone: cnn.com\sportsillustrated
Trusted Zone: cnn.com\www
Trusted Zone: equifax.com\www.econsumer
Trusted Zone: facebook.com\apps
Trusted Zone: facebook.com\www
Trusted Zone: fannation.com\www
Trusted Zone: garmin.com\www8
Trusted Zone: nawsrc.org\www
Trusted Zone: tdameritrade.com\www
Trusted Zone: toysrus.com\www
Trusted Zone: usana.com\www
Trusted Zone: weather.com\www
Trusted Zone: youtube.com\www
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-14 17:26
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

"ImagePath"="\??\c:\docume~1\vjmure\LOCALS~1\Temp\Temporary Directory 1 for TDL3%20Razor [1].zip\TDL3 Razor\TizerBruteForceEx.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\KillTheHooker]
"ImagePath"="\??\c:\docume~1\vjmure\LOCALS~1\Temp\Temporary Directory 1 for TDL3%20Razor
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1748)
c:\windows\system32\UmxWnp.Dll

- - - - - - - > 'lsass.exe'(1952)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll

- - - - - - - > 'explorer.exe'(2792)
c:\windows\system32\WININET.dll
c:\program files\Spyware Doctor\pctgmhk.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\WS2_32.dll
c:\windows\system32\WS2HELP.dll
.
Completion time: 2010-05-14 17:32:24
ComboFix-quarantined-files.txt 2010-05-14 21:32
ComboFix2.txt 2010-05-13 10:25
ComboFix3.txt 2010-05-08 13:39

Pre-Run: 44,604,461,056 bytes free
Post-Run: 44,578,422,784 bytes free

- - End Of File - - 2853959EEC6EAE0E148520CFF1F675D6
Rootkit infection (google redirect)
vjmure replied to vjmure's topic in Resolved Malware Removal Logs
-
Rootkit infection (google redirect)
vjmure replied to vjmure's topic in Resolved Malware Removal Logs
From http://www.virustotal.com/ "0 bytes size received / Se ha recibido un archivo vacio " Also, my "Spyware Doctor" ran on its normal schedule and found some things; a screenshot is attached. I took no action (the app is still up). Thanks, V -
Rootkit infection (google redirect)
vjmure replied to vjmure's topic in Resolved Malware Removal Logs
BTW, I did re-enable the antivirus / anti-malware as well (I ran no scans though). Thanks, V -
Rootkit infection (google redirect)
vjmure replied to vjmure's topic in Resolved Malware Removal Logs
Thanks again. Here is the result of the ComboFix:

ComboFix 10-05-12.03 - vjmure 05/13/2010 6:07.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.460 [GMT -4:00]
Running from: c:\documents and settings\vjmure\Desktop\Combo-Fix.exe
AV: CA Anti-Virus *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\SMRTDRIV.DLL
c:\windows\system32\ctfmon .exe
c:\windows\system32\nwiz .exe
c:\windows\system32\regsvr32 .exe
c:\windows\system32\rundll32 .exe
c:\windows\vvx3000 .exe
.
((((((((((((((((((((((((( Files Created from 2010-04-13 to 2010-05-13 )))))))))))))))))))))))))))))))
.
2010-05-09 04:05 . 2010-05-09 04:05 -------- d-----w- c:\program files\Trend Micro
2010-05-09 02:17 . 2010-05-09 02:17 -------- d-----w- C:\RotInHell
2010-05-08 13:57 . 2010-05-10 13:04 -------- d-----w- c:\program files\ESET
2010-05-08 13:54 . 2010-05-08 13:54 -------- d-----w- c:\program files\Common Files\Java
2010-05-08 13:54 . 2010-05-08 13:54 503808 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-75de4ac1-n\msvcp71.dll
2010-05-08 13:54 . 2010-05-08 13:54 499712 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-75de4ac1-n\jmc.dll
2010-05-08 13:54 . 2010-05-08 13:54 348160 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-75de4ac1-n\msvcr71.dll
2010-05-08 13:54 . 2010-05-08 13:54 61440 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-51c1f113-n\decora-sse.dll
2010-05-08 13:54 . 2010-05-08 13:54 12800 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-51c1f113-n\decora-d3d.dll
2010-05-08 13:53 .
2010-05-08 13:53 411368 ----a-w- c:\windows\system32\deployJava1.dll 2010-05-08 13:04 . 2008-04-14 05:27 14336 -c--a-w- c:\windows\system32\dllcache\asyncmac.sys 2010-05-08 13:04 . 2008-04-14 05:27 14336 ----a-w- c:\windows\system32\drivers\asyncmac.sys 2010-05-08 02:10 . 2010-05-08 02:10 -------- d-----w- c:\documents and settings\Test\Application Data\Malwarebytes 2010-05-06 01:18 . 2010-05-06 01:18 -------- d-----w- c:\documents and settings\vjmure\Local Settings\Application Data\Downloaded Installations 2010-04-29 01:17 . 2010-04-29 01:17 -------- d-----w- c:\documents and settings\vjmure\Local Settings\Application Data\Threat Expert 2010-04-29 00:54 . 2010-04-29 00:54 -------- d-----w- c:\documents and settings\Test\Local Settings\Application Data\Threat Expert 2010-04-29 00:45 . 2010-01-22 13:55 767952 ----a-w- c:\windows\BDTSupport.dll 2010-04-29 00:45 . 2010-01-22 13:56 149456 ----a-w- c:\windows\SGDetectionTool.dll 2010-04-29 00:45 . 2009-10-28 05:36 1152444 ----a-w- c:\windows\UDB.zip 2010-04-29 00:45 . 2008-11-26 16:08 131 ----a-w- c:\windows\IDB.zip 2010-04-29 00:45 . 2010-01-22 13:56 165840 ----a-w- c:\windows\PCTBDRes.dll 2010-04-29 00:45 . 2010-01-22 13:56 1652688 ----a-w- c:\windows\PCTBDCore.dll 2010-04-29 00:43 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys 2010-04-29 00:42 . 2010-03-29 14:06 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys 2010-04-29 00:42 . 2009-11-23 17:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys 2010-04-29 00:42 . 2010-04-08 18:29 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys 2010-04-29 00:42 . 2010-04-29 00:45 -------- d-----w- c:\program files\Common Files\PC Tools 2010-04-29 00:42 . 2010-05-13 03:26 -------- d-----w- c:\program files\Spyware Doctor 2010-04-29 00:42 . 2010-04-29 00:42 -------- d-----w- c:\documents and settings\Test\Application Data\PC Tools 2010-04-29 00:42 . 
2010-04-29 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools 2010-04-28 00:45 . 2010-04-28 00:45 -------- d-----w- c:\documents and settings\user\Application Data\Lavasoft 2010-04-27 10:49 . 2008-04-14 04:10 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys 2010-04-27 10:49 . 2008-04-14 04:10 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys 2010-04-27 10:49 . 2008-04-14 04:11 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys 2010-04-27 10:49 . 2008-04-14 04:11 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys 2010-04-27 10:48 . 2008-04-14 04:11 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys 2010-04-27 10:48 . 2008-04-14 04:11 8192 ----a-w- c:\windows\system32\drivers\changer.sys 2010-04-27 10:46 . 2008-04-14 05:21 59904 -c--a-w- c:\windows\system32\dllcache\atmarpc.sys 2010-04-27 10:46 . 2008-04-14 05:21 59904 ----a-w- c:\windows\system32\drivers\atmarpc.sys 2010-04-27 10:43 . 2010-04-27 10:43 93184 --sha-r- c:\windows\system32\oledlga.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-05-13 10:03 . 2007-02-14 16:38 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP 2010-05-11 10:10 . 2005-10-03 18:39 -------- d-----w- c:\program files\MSN Games 2010-05-11 10:09 . 2005-05-24 03:47 -------- d-----w- c:\program files\iWin.com 2010-05-08 13:53 . 2006-08-25 01:49 -------- d-----w- c:\program files\Java 2010-05-08 12:21 . 2009-12-25 01:42 -------- d-----w- c:\documents and settings\vjmure\Application Data\Skype 2010-05-08 12:16 . 2004-10-06 12:01 96512 ----a-w- c:\windows\system32\drivers\atapi.sys 2010-05-08 12:01 . 2009-12-25 01:44 -------- d-----w- c:\documents and settings\vjmure\Application Data\skypePM 2010-05-06 14:36 . 2009-10-03 06:24 221568 ------w- c:\windows\system32\MpSigStub.exe 2010-05-06 01:53 . 2008-11-09 22:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-05-06 01:41 . 
2009-09-16 02:10 -------- d-----w- c:\documents and settings\vjmure\Application Data\Move Networks 2010-04-29 19:39 . 2008-11-09 22:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-04-29 19:39 . 2008-11-09 22:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-04-29 03:04 . 2009-09-09 21:08 -------- d-----w- c:\program files\QuickTime 2010-04-29 01:01 . 2005-06-26 17:27 -------- d-----w- c:\documents and settings\vjmure\Application Data\Lavasoft 2010-04-29 00:33 . 2009-12-25 01:31 -------- d-----w- c:\program files\Microsoft LifeCam 2010-04-29 00:32 . 2006-12-31 18:01 -------- d-----w- c:\program files\Windows Defender 2010-04-28 01:00 . 2007-04-12 14:17 66368 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2010-04-21 15:59 . 2009-04-06 23:35 204 ----a-w- c:\windows\popcinfot.dat 2010-03-29 19:59 . 2010-03-28 14:45 -------- d-----w- c:\documents and settings\vjmure\Application Data\PopCapv1006 2010-03-26 13:28 . 2010-03-26 13:28 -------- d-----w- c:\documents and settings\vjmure\Application Data\PopCapv1003 2010-03-11 12:38 . 2004-10-06 12:01 832512 ----a-w- c:\windows\system32\wininet.dll 2010-03-11 12:38 . 2004-10-06 12:01 78336 ----a-w- c:\windows\system32\ieencode.dll 2010-03-11 12:38 . 2004-10-06 12:01 17408 ----a-w- c:\windows\system32\corpol.dll 2010-03-09 11:09 . 2004-10-06 12:01 430080 ----a-w- c:\windows\system32\vbscript.dll 2010-02-24 13:11 . 2004-10-06 12:01 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2010-02-16 14:08 . 2004-10-06 12:01 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe 2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe 2005-06-07 23:47 . 2005-06-07 23:47 774144 ----a-w- c:\program files\RngInterstitial.dll . 
c:\program files\Analog Devices\SoundMAX\smax4 .exe
c:\program files\Analog Devices\SoundMAX\smax4pnp .exe
c:\program files\CA\CA Internet Security Suite\casc .exe
c:\program files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\cavrid .exe
c:\program files\IC\Card Reader Driver v1.9e\disk_monitor .exe
c:\program files\Microsoft LifeCam\lifeexp .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Windows Defender\msascui .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CAVRID"="c:\program files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe" [N/A]
"cctray"="c:\program files\CA\CA Internet Security Suite\casc.exe" [2010-04-28 374000]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-29 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-29 81920]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-03-09 1286608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Spyware Doctor.lnk - c:\program files\Spyware Doctor\pctsGui.exe [2010-4-28 3101648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2009-03-27 20:27 79368 ----a-w- c:\windows\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program
Files\\Microsoft Games\\Age of Empires III\\age3.exe"= "c:\\WINDOWS\\system32\\sessmgr.exe"= "c:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"= "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"= "c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"= "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iWin Games\\iWinGames.exe"= "c:\\Program Files\\iWin Games\\WebUpdater.exe"= "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [6/8/2009 11:02 AM 108024] R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [4/28/2010 8:42 PM 218592] R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [4/1/2009 10:45 AM 73720] R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [4/28/2010 8:45 PM 112592] R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\CA\CA Internet Security Suite\ccschedulersvc.exe [9/11/2009 7:49 PM 128240] R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [4/28/2010 8:42 PM 366840] R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [4/1/2009 10:45 AM 875000] R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [6/15/2009 11:32 AM 760664] R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [4/1/2009 10:45 AM 207352] R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592] R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [4/1/2009 10:45 
AM 205304] S2 KillTheHooker;KillTheHooker;\??\c:\docume~1\vjmure\LOCALS~1\Temp\Temporary Directory 1 for TDL3%20Razor[1].zip\TDL3 Razor\TizerBruteForceEx.sys --> c:\docume~1\vjmure\LOCALS~1\Temp\Temporary Directory 1 for TDL3%20Razor[1].zip\TDL3 Razor\TizerBruteForceEx.sys [?] S3 3dfxvs;3dfxvs;c:\windows\system32\drivers\3dfxvsm.sys [7/20/2008 11:32 AM 148352] S3 memchek;memchek;\??\c:\windows\system32\memchek.sys --> c:\windows\system32\memchek.sys [?] S4 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [6/4/2009 12:11 PM 78104] --- Other Services/Drivers In Memory --- *Deregistered* - PCTSDInjDriver32 [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc . Contents of the 'Scheduled Tasks' folder 2010-05-13 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.bing.com/ mStart Page = hxxp://www.google.com uInternet Connection Wizard,ShellNext = yes uInternet Connection Wizard,ShellNext = 0a000000 uInternet Connection Wizard,ShellNext = yes uInternet Connection Wizard,ShellNext = 01000000 uInternet Connection Wizard,ShellNext = yes uInternet Connection Wizard,ShellNext = 1a000000 uInternet Connection Wizard,ShellNext = 1a000000 uInternet Connection Wizard,ShellNext = hxxp://www.google.com uInternet Connection Wizard,ShellNext = Microsoft Corporation uInternet Connection Wizard,ShellNext = MICROSO uInternet Connection Wizard,ShellNext = 6.0.2600.0000 uInternet Connection Wizard,ShellNext = no uInternet Connection Wizard,ShellNext = \0 uInternet Connection Wizard,ShellNext = about:NoAdd-ons uInternet Connection Wizard,ShellNext = about:SecurityRisk uInternet Connection Wizard,ShellNext = yes uInternet Connection Wizard,ShellNext = yes IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 LSP: c:\windows\system32\VetRedir.dll Trusted Zone: 
aetna.com\xtranet Trusted Zone: aetna.com\xtranet6 Trusted Zone: aetna.com\xtranetx Trusted Zone: ameritrade.com\research Trusted Zone: ameritrade.com\wwws Trusted Zone: cnn.com\politicalticker.blogs Trusted Zone: cnn.com\sportsillustrated Trusted Zone: cnn.com\www Trusted Zone: equifax.com\www.econsumer Trusted Zone: facebook.com\apps Trusted Zone: facebook.com\www Trusted Zone: fannation.com\www Trusted Zone: garmin.com\www8 Trusted Zone: nawsrc.org\www Trusted Zone: tdameritrade.com\www Trusted Zone: toysrus.com\www Trusted Zone: usana.com\www Trusted Zone: weather.com\www Trusted Zone: youtube.com\www DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-05-13 06:19 Windows 5.1.2600 Service Pack 3 NTFS detected NTDLL code modification: ZwClose scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** "ImagePath"="\??\c:\docume~1\vjmure\LOCALS~1\Temp\Temporary Directory 1 for TDL3%20Razor [1].zip\TDL3 Razor\TizerBruteForceEx.sys" [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\KillTheHooker] "ImagePath"="\??\c:\docume~1\vjmure\LOCALS~1\Temp\Temporary Directory 1 for TDL3%20Razor . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(1748) c:\windows\system32\UmxWnp.Dll - - - - - - - > 'lsass.exe'(1952) c:\windows\system32\VetRedir.dll c:\windows\system32\ISafeIf.dll . Completion time: 2010-05-13 06:25:06 ComboFix-quarantined-files.txt 2010-05-13 10:25 ComboFix2.txt 2010-05-08 13:39 Pre-Run: 44,847,493,120 bytes free Post-Run: 44,995,600,384 bytes free - - End Of File - - 75BDE1F420D64B80D3957D265DA23B36 -
Rootkit infection (google redirect)
vjmure replied to vjmure's topic in Resolved Malware Removal Logs
Borislav, thank you immensely for helping me out on this. I did the following:
1- Uninstalled Adobe Reader 9.1 (through Control Panel)
2- Updated and ran Malwarebytes. It found zero infections. Report below.
3- Ran DDS; log below.
Quick question: what should I do with my machine during this process? Should I leave it on? Shut it off? Could I check email, use the internet, etc.?
Thanks
V

Malwarebytes Log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4094

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

5/12/2010 5:22:13 PM
mbam-log-2010-05-12 (17-22-13).txt

Scan type: Quick scan
Objects scanned: 140875
Time elapsed: 10 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

DDS Log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by vjmure at 17:23:41.10 on Wed 05/12/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.433 [GMT -4:00]

AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe C:\WINDOWS\system32\svchost.exe -k LocalService C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe C:\WINDOWS\system32\svchost.exe -k hpdevmgmt C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Microsoft LifeCam\MSCamS32.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Spyware Doctor\pctsAuxs.exe C:\Program Files\Spyware Doctor\pctsSvc.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe C:\WINDOWS\System32\alg.exe C:\Program Files\Spyware Doctor\pctsTray.exe C:\WINDOWS\Explorer.EXE C:\Program Files\CA\CA Internet Security Suite\casc.exe C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\internet explorer\iexplore.exe C:\Documents and Settings\vjmure\Desktop\dds.com C:\WINDOWS\system32\wbem\wmiprvse.exe ============== Pseudo HJT Report =============== uStart Page = hxxp://www.bing.com/ mStart Page = hxxp://www.google.com uInternet Connection Wizard,ShellNext = iexplore BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll TB: Yahoo! 
Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [CAVRID] "c:\program files\ca\etrust internet security suite\etrust ez antivirus\CAVRID.exe" mRun: [cctray] c:\program files\ca\ca internet security suite\casc.exe mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit mRun: [iSTray] "c:\program files\spyware doctor\pctsTray.exe" StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\spywar~1.lnk - c:\program files\spyware doctor\pctsGui.exe IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000 IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL LSP: c:\windows\system32\VetRedir.dll Trusted Zone: aetna.com\xtranet Trusted Zone: aetna.com\xtranet6 Trusted Zone: aetna.com\xtranetx Trusted Zone: ameritrade.com\research Trusted Zone: ameritrade.com\wwws Trusted Zone: cnn.com\politicalticker.blogs Trusted Zone: cnn.com\sportsillustrated Trusted Zone: cnn.com\www Trusted Zone: equifax.com\www.econsumer Trusted Zone: facebook.com\apps Trusted Zone: facebook.com\www Trusted Zone: fannation.com\www Trusted Zone: garmin.com\www8 Trusted Zone: nawsrc.org\www Trusted Zone: tdameritrade.com\www Trusted Zone: toysrus.com\www Trusted Zone: usana.com\www Trusted Zone: weather.com\www Trusted Zone: youtube.com\www DPF: Microsoft XML Parser for Java - 
file://c:\windows\java\classes\xmldso.cab DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148152187781 DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL Notify: PFW - UmxWnp.Dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll ============= SERVICES / DRIVERS =============== R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2009-6-8 108024] R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-4-28 218592] R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2009-4-1 73720] R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2009-9-11 26352] R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2009-9-11 21104] R1 VETEFILE;VET File Scan 
Engine;c:\windows\system32\drivers\vetefile.sys [2009-9-11 739696] R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\vetfddnt.sys [2009-9-11 21488] R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2009-9-11 161008] R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-4-28 112592] R2 CAISafe;CAISafe;c:\program files\ca\etrust internet security suite\etrust ez antivirus\isafe.exe [2007-1-7 144696] R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\ca\ca internet security suite\ccschedulersvc.exe [2009-9-11 128240] R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-4-28 366840] R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-4-28 1142224] R2 UmxAgent;HIPS Event Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxAgent.exe [2009-4-1 875000] R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\ca\sharedcomponents\hipsengine\UmxCfg.exe [2009-6-15 760664] R2 UmxPol;HIPS Policy Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxPol.exe [2009-4-1 207352] R2 VETMSGNT;VET Message Service;c:\program files\ca\etrust internet security suite\etrust ez antivirus\vetmsg.exe [2007-1-7 292080] R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592] R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2009-4-1 205304] R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2009-9-11 133520] S2 KillTheHooker;KillTheHooker;\??\c:\docume~1\vjmure\locals~1\temp\temporary directory 1 for tdl3%20razor[1].zip\tdl3 razor\tizerbruteforceex.sys --> c:\docume~1\vjmure\locals~1\temp\temporary directory 1 for tdl3%20razor[1].zip\tdl3 razor\TizerBruteForceEx.sys [?] 
S3 3dfxvs;3dfxvs;c:\windows\system32\drivers\3dfxvsm.sys [2008-7-20 148352] S3 memchek;memchek;\??\c:\windows\system32\memchek.sys --> c:\windows\system32\memchek.sys [?] S4 iWinTrusted;iWinTrusted;c:\program files\iwin games\iWinTrusted.exe [2009-6-4 78104] =============== Created Last 30 ================ 2010-05-10 22:51:18 0 ----a-w- c:\documents and settings\vjmure\defogger_reenable 2010-05-09 04:05:24 0 d-----w- c:\program files\Trend Micro 2010-05-09 02:17:08 0 d-----w- C:\RotInHell 2010-05-08 13:57:41 0 d-----w- c:\program files\ESET 2010-05-08 13:53:55 73728 ----a-w- c:\windows\system32\javacpl.cpl 2010-05-08 13:53:55 411368 ----a-w- c:\windows\system32\deployJava1.dll 2010-05-08 13:04:11 14336 -c--a-w- c:\windows\system32\dllcache\asyncmac.sys 2010-05-08 13:04:11 14336 ----a-w- c:\windows\system32\drivers\asyncmac.sys 2010-05-08 12:30:32 0 d-sha-r- C:\cmdcons 2010-04-29 00:45:05 882 ----a-w- c:\windows\RegSDImport.xml 2010-04-29 00:45:05 879 ----a-w- c:\windows\RegISSImport.xml 2010-04-29 00:45:05 767952 ----a-w- c:\windows\BDTSupport.dll 2010-04-29 00:45:04 149456 ----a-w- c:\windows\SGDetectionTool.dll 2010-04-29 00:45:04 131 ----a-w- c:\windows\IDB.zip 2010-04-29 00:45:04 1152444 ----a-w- c:\windows\UDB.zip 2010-04-29 00:45:03 165840 ----a-w- c:\windows\PCTBDRes.dll 2010-04-29 00:45:03 1652688 ----a-w- c:\windows\PCTBDCore.dll 2010-04-29 00:43:02 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat 2010-04-29 00:43:02 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys 2010-04-29 00:42:57 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys 2010-04-29 00:42:57 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat 2010-04-29 00:42:57 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat 2010-04-29 00:42:57 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys 2010-04-29 00:42:47 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat 2010-04-29 00:42:47 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys 2010-04-29 00:42:32 0 d-----w- 
c:\program files\common files\PC Tools 2010-04-29 00:42:31 0 d-----w- c:\program files\Spyware Doctor 2010-04-29 00:42:31 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools 2010-04-27 10:49:03 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys 2010-04-27 10:49:03 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys 2010-04-27 10:49:00 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys 2010-04-27 10:49:00 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys 2010-04-27 10:48:58 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys 2010-04-27 10:48:58 8192 ----a-w- c:\windows\system32\drivers\changer.sys 2010-04-27 10:46:25 59904 -c--a-w- c:\windows\system32\dllcache\atmarpc.sys 2010-04-27 10:46:25 59904 ----a-w- c:\windows\system32\drivers\atmarpc.sys 2010-04-27 10:43:23 93184 --sha-r- c:\windows\system32\oledlga.dll ==================== Find3M ==================== 2010-05-08 12:16:39 96512 ----a-w- c:\windows\system32\drivers\atapi.sys 2010-05-06 14:36:38 221568 ------w- c:\windows\system32\MpSigStub.exe 2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll 2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll 2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll 2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll 2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe 2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe 2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll 2005-06-07 23:47:39 774144 ----a-w- c:\program files\RngInterstitial.dll 2008-11-09 04:37:09 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008110820081109\index.dat ============= FINISH: 17:24:44.85 =============== -
Rootkit infection (google redirect)
vjmure replied to vjmure's topic in Resolved Malware Removal Logs
Last attachment... (I would have added the attachments to the original, but the machine froze....) defogger_disable.log renamed to defogger_disable.txt
defogger_disable.txt
-
Rootkit infection (google redirect)
vjmure replied to vjmure's topic in Resolved Malware Removal Logs
Here are the attachments....
ark.txt
Attach.txt
mbam_log_2010_05_11__01_09_49_.txt
-
Ran antivirus, Malwarebytes, PC Doctor; found a bunch of stuff, but that did NOT fix the issue. Followed the instructions on this page http://forums.malwarebytes.org/index.php?showtopic=9573 (I'm infected, what do I do now). Here are the logs. Side note: the "Defogger" did NOT ask me to reboot, but I did anyway????? Not sure if that is an issue. Here is the DDS.txt. Also attached are the "attach.txt", "ark.txt" and Malwarebytes log.... ANY HELP IS IMMENSELY APPRECIATED! Thanks - Vjmure

DDS (Ver_10-03-17.01) - NTFSx86
Run by vjmure at 18:57:01.28 on Mon 05/10/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.447 [GMT -4:00]

AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\casc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\vjmure\Desktop\dds.com
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [CAVRID] "c:\program files\ca\etrust internet security suite\etrust ez antivirus\CAVRID.exe"
mRun: [cctray] c:\program files\ca\ca internet security suite\casc.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [iSTray] "c:\program files\spyware doctor\pctsTray.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\spywar~1.lnk - c:\program files\spyware doctor\pctsGui.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: aetna.com\xtranet
Trusted Zone: aetna.com\xtranet6
Trusted Zone: aetna.com\xtranetx
Trusted Zone: ameritrade.com\research
Trusted Zone: ameritrade.com\wwws
Trusted Zone: cnn.com\politicalticker.blogs
Trusted Zone: cnn.com\sportsillustrated
Trusted Zone: cnn.com\www
Trusted Zone: equifax.com\www.econsumer
Trusted Zone: facebook.com\apps
Trusted Zone: facebook.com\www
Trusted Zone: fannation.com\www
Trusted Zone: garmin.com\www8
Trusted Zone: nawsrc.org\www
Trusted Zone: tdameritrade.com\www
Trusted Zone: toysrus.com\www
Trusted Zone: usana.com\www
Trusted Zone: weather.com\www
Trusted Zone: youtube.com\www
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148152187781
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: PFW - UmxWnp.Dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

============= SERVICES / DRIVERS ===============

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2009-6-8 108024]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-4-28 218592]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2009-4-1 73720]
R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2009-9-11 26352]
R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2009-9-11 21104]
R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\vetefile.sys [2009-9-11 739696]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\vetfddnt.sys [2009-9-11 21488]
R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2009-9-11 161008]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-4-28 112592]
R2 CAISafe;CAISafe;c:\program files\ca\etrust internet security suite\etrust ez antivirus\isafe.exe [2007-1-7 144696]
R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\ca\ca internet security suite\ccschedulersvc.exe [2009-9-11 128240]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-4-28 366840]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-4-28 1142224]
R2 UmxAgent;HIPS Event Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxAgent.exe [2009-4-1 875000]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\ca\sharedcomponents\hipsengine\UmxCfg.exe [2009-6-15 760664]
R2 UmxPol;HIPS Policy Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxPol.exe [2009-4-1 207352]
R2 VETMSGNT;VET Message Service;c:\program files\ca\etrust internet security suite\etrust ez antivirus\vetmsg.exe [2007-1-7 292080]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2009-4-1 205304]
R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2009-9-11 133520]
S2 KillTheHooker;KillTheHooker;\??\c:\docume~1\vjmure\locals~1\temp\temporary directory 1 for tdl3%20razor[1].zip\tdl3 razor\tizerbruteforceex.sys --> c:\docume~1\vjmure\locals~1\temp\temporary directory 1 for tdl3%20razor[1].zip\tdl3 razor\TizerBruteForceEx.sys [?]
S3 3dfxvs;3dfxvs;c:\windows\system32\drivers\3dfxvsm.sys [2008-7-20 148352]
S3 memchek;memchek;\??\c:\windows\system32\memchek.sys --> c:\windows\system32\memchek.sys [?]
S4 iWinTrusted;iWinTrusted;c:\program files\iwin games\iWinTrusted.exe [2009-6-4 78104]

=============== Created Last 30 ================

2010-05-10 22:51:18 0 ----a-w- c:\documents and settings\vjmure\defogger_reenable
2010-05-09 04:05:24 0 d-----w- c:\program files\Trend Micro
2010-05-09 02:17:08 0 d-----w- C:\RotInHell
2010-05-08 13:57:41 0 d-----w- c:\program files\ESET
2010-05-08 13:53:55 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-05-08 13:53:55 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-08 13:04:11 14336 -c--a-w- c:\windows\system32\dllcache\asyncmac.sys
2010-05-08 13:04:11 14336 ----a-w- c:\windows\system32\drivers\asyncmac.sys
2010-05-08 12:30:32 0 d-sha-r- C:\cmdcons
2010-04-29 00:45:05 882 ----a-w- c:\windows\RegSDImport.xml
2010-04-29 00:45:05 879 ----a-w- c:\windows\RegISSImport.xml
2010-04-29 00:45:05 767952 ----a-w- c:\windows\BDTSupport.dll
2010-04-29 00:45:04 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-04-29 00:45:04 131 ----a-w- c:\windows\IDB.zip
2010-04-29 00:45:04 1152444 ----a-w- c:\windows\UDB.zip
2010-04-29 00:45:03 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-04-29 00:45:03 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-04-29 00:43:02 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-04-29 00:43:02 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-04-29 00:42:57 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-04-29 00:42:57 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-04-29 00:42:57 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-04-29 00:42:57 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-04-29 00:42:47 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-04-29 00:42:47 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-04-29 00:42:32 0 d-----w- c:\program files\common files\PC Tools
2010-04-29 00:42:31 0 d-----w- c:\program files\Spyware Doctor
2010-04-29 00:42:31 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-04-27 10:49:03 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-04-27 10:49:03 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-04-27 10:49:00 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-04-27 10:49:00 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-04-27 10:48:58 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-04-27 10:48:58 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-04-27 10:46:25 59904 -c--a-w- c:\windows\system32\dllcache\atmarpc.sys
2010-04-27 10:46:25 59904 ----a-w- c:\windows\system32\drivers\atmarpc.sys
2010-04-27 10:43:23 93184 --sha-r- c:\windows\system32\oledlga.dll

==================== Find3M ====================

2010-05-08 12:16:39 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2005-06-07 23:47:39 774144 ----a-w- c:\program files\RngInterstitial.dll
2008-11-09 04:37:09 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008110820081109\index.dat

============= FINISH: 18:58:10.64 ===============