LewdOod
  1. Heh... yeah, it's a little old, but considering the extent of its use is really just running a couple of Office programs and a couple web browsers at any given time it's served its purpose pretty well. I don't use it for gaming or anything, and as you can see I've used a minimal amount of its HDD space. Its processor speed's pretty good, though (which was why I bought it in the first place), so that's why I was a little worried about the start-up speed and everything. If you're giving the little fella a clean bill of health, I'll get back to using it for work for the next few months and I'll look at getting a new unit towards the end of the year when they all go on holiday sale. Thanks a ton for all your help with this, Chris, and if you have a paypal acct where I could send you a tangible "thank you", let me know. Take care, and have a great summer! -Jared
  2. Here you go -- http://www.pcpitstop.com/betapit/sec.asp?conid=24406340
  3. Ok -- Here you go, Chris. Still no Google redirects, phantom audio or other symptoms. Still a little slow on startup (not too bad, though). "All Programs" menu under Start still has many empty folders, but other than that, everything seems OK (knock on wood). Thanks, and let me know if I should do anything else...

     -----------------------------------------------------------------
     Malwarebytes' Anti-Malware 1.51.0.1200
     www.malwarebytes.org

     Database version: 6788

     Windows 5.1.2600 Service Pack 3
     Internet Explorer 8.0.6001.18702

     6-6-2011 11:03:42 AM
     mbam-log-2011-06-06 (11-03-41).txt

     Scan type: Quick scan
     Objects scanned: 189393
     Time elapsed: 25 minute(s), 50 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected: (No malicious items detected)
     Memory Modules Infected: (No malicious items detected)
     Registry Keys Infected: (No malicious items detected)
     Registry Values Infected: (No malicious items detected)
     Registry Data Items Infected: (No malicious items detected)
     Folders Infected: (No malicious items detected)
     Files Infected: (No malicious items detected)
     -----------------------------------------------------------------

     DDS (Ver_2011-06-03.01) - NTFSx86
     Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_25
     Run by sharpej at 11:07:09 on 2011-06-06
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.218 [GMT -4:00]
  4. OK -- Looks like the thing might actually be working all right now. Kaspersky might just have been the answer. Startup seemed a bit slow in normal mode, but once I logged on everything seems pretty crisp. No Google redirects now, no phantom audio, no IE script error messages. I appear to have lost desktop shortcuts -- my VPN shortcut's missing, as is my Firefox shortcut, for example. Not sure what else might be missing from the desktop. Program folders in the start menu are still coming up empty, not sure how to fix that, so if you have any tips, they'd be much appreciated. Process-wise, I'm seeing two "GoogleUpdate.exe" processes currently running and chrome_updater.exe. The CPU ran heavy for a while, bouncing on the high end between 70-95% usage. Setup.exe kept spiking it, it looks like, and that was about 20 mins after startup. Setup ended, CPU calmed down. Actually, those Google processes ended, as well. Let me know if I should run anything else before I try using it full time again, and thanks again for all your help on this!
  5. OK -- sorry it took me a while to get back to you here, but I was on vacation and was just now able to run Kaspersky Rescue Disk. Updated it to its latest definitions and ran a scan on Disk Boot Sectors, Hidden Startup Objects, "sda1" & "sda2" (I have no idea what sdas are). The thing found a ton of Java exploits, Spy.Win32's, Trojan.Win32.TDSS, trojan-banker.win32 and other stuff. Followed recommended action for each. I realized the "C:" drive wasn't explicitly labeled, so I'm going to scan that now and then restart the system to determine how it's running. I'll post as soon after I restart. If you need/want to see a report, you'll have to let me know how to save it someplace where I can find it, because I don't quite understand the save-to options it offers. Thanks! -J
  6. Only thing that loaded on the desktop were icons for my Outlook, a shortcut to a VPN network-based folder I use for work, a shortcut to a C:-based folder for work, a shortcut to MBAM, and my recycling bin. No task bar, no start button. It took another 10 mins or so after my last post for these to appear. After about 9am ET tomorrow (Thurs.), I'll be away from my computer 'til Monday evening. So, I won't be able to run any scans til then, but in the meantime I'll be able to answer any general questions you might have. Thanks- J
  7. OK -- just got my "Log on to windows" screen, 10 mins after the "Windows is starting up" box first came up and about 20 mins after initial startup. Had to log in as an administrator. 5 mins later, still nothing on my desktop (although my "windows is running in safe mode" explanation box came up, and closed immediately when I clicked "OK"). I'll leave the thing running to see if the desktop ever loads and we can go from there...
  8. "Windows is starting up" dialog box just popped up on my safe mode desktop, about 10 min. after I originally tried starting up the system (in safe mode). It's now been stuck on that for 6 mins...
  9. OK -- Now I seem to have a really serious problem. I had left the desktop up and running after running DDS this morning, and about 20 mins. ago the fan kicked on and wasn't turning off. I thought maybe it was just because it's warm in my office, but when I turned on the monitor I had an alert window saying that "Windows Security detected a threat and needed to perform a system scan". The alert's dialog box said something like "Webpage alert" though, so I was suspicious. I had unplugged my usb mouse to use with the netbook while we clean the desktop, so I plugged it back into my desktop's usb hub to navigate, but it wasn't recognized (tried multiple usb ports). I then tried Ctrl+alt+delete to restart, and it wouldn't let me select any of the choices, though I could tab around. With no other options apparent, I did a hard restart, and now I have the following problem: -- Startup in Normal mode hangs at "Windows is starting up" blue screen -- Startup in either Safe Mode (w/ or w/o Networking) loads but gives me an all-black, blank desktop without a taskbar / Start option. Basically, now I have nothing. Ctrl Alt Del doesn't do anything, right-clicking the desktop does nothing... nothing does anything. I just have a black screen of nothing. I did zilch other than post the logs to this forum earlier today, and left the computer on. I had task manager open, the dialog box from Monday evening's Symantec scan open (because I meant to tell you the scan found no threats and took 2.5 hrs to scan 192k files) and Chrome open to this forum. Since we started trying to clean it I haven't done anything with it other than run the scans you requested and use chrome, FF & IE to either post to this board or check search re-directs (always searching either for "NHL" or "Malwarebytes" and clicking on NHL.com or Malwarebytes.org in the results list). What should I do?????????????????
  10. Yes, ran HostXpert, though it didn't seem to do anything at all. And I don't really know what "custom hosts" are, so I don't think I had any of those entries to replace. Anyway, here's the DDS stuff. "Attach" is attached as a zip file, like in my original post. Please let me know what's next.

      DDS (Ver_11-03-05.01) - NTFSx86
      Run by sharpej at 13:13:00.64 on Wed 05-25-2011
      Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_25
      Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.121 [GMT -4:00]
  11. Yup -- happens in safe mode, too, with both IE & FF. Was able to uninstall Flash in Safe mode, had to switch to Normal to uninstall Java because it wouldn't allow me to remove in Safe. Took about 10 mins to open Add/Remove window and populate list of programs. When I clicked uninstall for Java, it told me my IE browser was open. I never opened it, and only opened the Add/Remove after initial startup. So there's that to mull over, too. Anyways, did everything as instructed. Startup was still ridiculously slow. IE took forever to load, and even Task Manager took a while to load so I could check CPU / Mem usage. Redirect still happening. No sign of IE Script Error messages, although I had four IE processes running after exiting the window I opened to check browser results. Folders under Start > All Programs are still coming up empty, too. Have to go into my C drive to access Firefox. Redirect is pointing my browser to "mvm.us" and "clickattract.org" now, whereas before I believe it was "iclickcity" or something like that. Once it sent me to GroupOn. I dunno. No phantom audio yet, after about 15 mins. Anyway, let me know what's next, and thanks for sticking with me here...
  12. OK, here's everything but the GMER log. FYI, I ran MBAM in Normal mode, ComboFix & DDS in Safe Mode w/ Networking. ComboFix still will not run in Normal Mode. When GMER was completed I couldn't find the "save" button for the results (the window only listed a handful of cookies discovered in the scan), and then I accidentally closed it before I found anything. I then ran it again so I could get you a log, but the scan was still running when I had to get to bed last night. When I woke up, the computer had restarted at some point overnight and gave me a "Windows has recovered from a serious error" message. Do you want me to run GMER again, and if so, where is the "save" button for the log? Keep in mind that I ran MBAM in Safe Mode, so the screen display size may have caused the "save" button to "fall off" the window or the page... Anyway, after running those scans I still have a browser redirect, and like usual I figure it's just a matter of time til I get an IE Script Error message and hear phantom audio again. Please let me know what's next... 
Thanks- Jared *** MBAM *** Malwarebytes' Anti-Malware 1.50.1.1100 www.malwarebytes.org Database version: 6612 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 5-18-2011 6:59:29 PM mbam-log-2011-05-18 (18-59-29).txt Scan type: Quick scan Objects scanned: 187278 Time elapsed: 27 minute(s), 42 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) *** COMBOFIX *** ComboFix 11-05-17.03 - sharpej 05-18-2011 19:32:32.5.1 - x86 NETWORK Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.346 [GMT -4:00] Running from: c:\documents and settings\sharpej\Desktop\ComboFix.exe . . ((((((((((((((((((((((((( Files Created from 2011-04-18 to 2011-05-18 ))))))))))))))))))))))))))))))) . . 2011-05-04 02:38 . 2011-05-04 20:50 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software 2011-05-04 02:38 . 2011-05-04 02:38 -------- d-----w- c:\program files\AVAST Software 2011-05-03 03:17 . 2011-05-04 22:19 -------- d-----w- c:\program files\PC Tools Security 2011-05-03 03:17 . 2011-05-04 21:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP 2011-05-03 03:15 . 2011-05-04 21:26 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools 2011-05-02 21:27 . 2011-05-02 21:27 -------- d-----w- c:\program files\ESET 2011-05-02 17:09 . 2011-05-02 17:09 -------- d-----w- c:\documents and settings\sharpej\Application Data\Malwarebytes 2011-05-02 17:09 . 
2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-05-02 17:09 . 2011-05-02 17:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2011-05-02 17:09 . 2011-05-02 17:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2011-05-02 16:01 . 2011-05-02 16:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\Steganos 2011-05-02 14:27 . 2011-05-02 14:27 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-11-24 02:28 . 2009-11-24 02:28 6694516 -c----w- c:\program files\ps3-video-converter.exe 2009-11-22 15:56 . 2009-11-22 15:55 15534341 -c----w- c:\program files\sss2006int.exe 2009-11-22 15:27 . 2009-11-22 15:27 426352 -c----w- c:\program files\ds_dm.exe 2009-01-27 01:34 . 2009-01-27 01:34 1044480 -c----w- c:\program files\mozilla firefox\plugins\libdivx.dll 2009-01-27 01:34 . 2009-01-27 01:34 200704 -c----w- c:\program files\mozilla firefox\plugins\ssldivx.dll . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288] "Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400] . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SSS2008 File Redirection Starter"="c:\program files\Steganos Privacy Suite 2008\fredirstarter.exe" [2008-03-05 57344] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288] "HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-01-14 49152] "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664] "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-06-15 180269] "MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-05-01 185640] "Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2009-04-01 95960] "SSS2008 PasswordManagerFFAutoFill"="c:\program files\Steganos Privacy Suite 2008\PasswordManagerFFAutoFill.exe" [2008-03-11 21504] "SSS2008 HotKeys"="c:\program files\Steganos Privacy Suite 2008\SteganosHotKeyService.exe" [2008-03-11 25088] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801] "TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247] "SSS2006"="c:\program files\Steganos Security Suite 2006\SSS2006.exe" [2006-05-24 5279744] . c:\documents and settings\sharpej\Start Menu\Programs\Startup\ Sprint media monitor.lnk - c:\windows\RM.exe [2008-10-29 222552] . 
c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-10-27 110592] Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-10-27 110592] Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [N/A] HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [N/A] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-126801549-2095378277-3947723013-6204\Scripts\Logon\0\0] "Script"=PTAPrinterScript.VBS . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-126801549-2095378277-3947723013-6204\Scripts\Logon\1\0] "Script"=PTAMapDrives.VBS . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys] @="Driver" . [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "DisableNotifications"= 1 (0x1) "EnableFirewall"= 0 (0x0) . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\uTorrent\\utorrent.exe"= "c:\\Program Files\\Paltalk Messenger\\paltalk.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= . S1 SLEE_13_DRIVER;Steganos Live Encryption Engine 13 [Driver];c:\windows\system32\drivers\slee13.sys [10-4-2005 11:42 AM 74240] S1 SLEE_16_DRIVER;Steganos Live Encryption Engine 16 [Driver];c:\windows\system32\drivers\sleen16.sys [10-11-2007 7:24 AM 79104] S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\windows\system32\drivers\VCdRom.sys --> c:\windows\system32\drivers\VCdRom.sys [?] 
S2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [5-1-2009 3:35 PM 181544] S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1-7-2010 11:28 AM 135664] S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [7-19-2008 3:58 AM 712048] S2 ioloProductUpdate;iolo Product Update Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [7-19-2008 3:58 AM 712048] S2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [7-19-2008 3:58 AM 712048] S2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\Common Files\Livescribe\PenComm\PenCommService.exe [6-4-2009 2:30 PM 151552] S2 Steganos AntiTheft;Steganos AntiTheft;c:\windows\system32\SatSrv.exe [5-24-2006 6:23 AM 184320] S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1-7-2010 11:28 AM 135664] S3 PulseUsb;Livescribe Pulse Smartpen USB Driver;c:\windows\system32\drivers\PulseUsb.sys [6-4-2009 2:30 PM 19584] S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [3-25-2007 2:15 PM 7548] S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3-12-2004 3:18 PM 169192] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 . Contents of the 'Scheduled Tasks' folder . 2011-05-18 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-11 23:41] . 2011-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 15:28] . 2011-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 15:28] . 
2011-05-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-126801549-2095378277-3947723013-6204Core.job - c:\documents and settings\sharpej\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-30 05:39] . 2011-05-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-126801549-2095378277-3947723013-6204UA.job - c:\documents and settings\sharpej\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-30 05:39] . . ------- Supplementary Scan ------- . uStart Page = hxxp://rf1.ruderfinn.com Trusted Zone: alltel.com\care Trusted Zone: aol.com\free DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab FF - ProfilePath - c:\documents and settings\sharpej\Application Data\Mozilla\Firefox\Profiles\50jrvbn5.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en FF - prefs.js: network.proxy.type - 0 FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a} FF - Ext: Read It Later: isreaditlater@ideashower.com - %profile%\extensions\isreaditlater@ideashower.com . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-05-18 19:43 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . 
scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'explorer.exe'(276) c:\windows\system32\WININET.dll . Completion time: 2011-05-18 19:50:07 ComboFix-quarantined-files.txt 2011-05-18 23:49 ComboFix2.txt 2011-05-12 21:59 ComboFix3.txt 2011-05-07 05:09 ComboFix4.txt 2009-04-02 03:20 . Pre-Run: 127,728,078,848 bytes free Post-Run: 127,729,664,000 bytes free . - - End Of File - - CF44778763BA8EFAC345D8FEDFB5F40D *** DDS *** . 
DDS (Ver_11-03-05.01) - NTFSx86 NETWORK Run by sharpej at 20:09:04.32 on Wed 05-18-2011 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.255 [GMT -4:00] . . ============== Running Processes =============== . C:\WINDOWS\system32\svchost.exe -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\explorer.exe C:\Documents and Settings\sharpej\Desktop\dds.scr . ============== Pseudo HJT Report =============== . uStart Page = hxxp://rf1.ruderfinn.com uURLSearchHooks: H - No File BHO: Steganos Password Manager AutoFill: {1427a821-7b93-4f08-9a34-9fa03a3d93db} - c:\program files\steganos privacy suite 2008\PasswordManagerBHO.dll BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe uRun: [Creative Detector] c:\program files\creative\mediasource\detector\CTDetect.exe /R mRun: [sSS2008 File Redirection Starter] "c:\program files\steganos privacy suite 2008\fredirstarter.exe" mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe" 
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe" mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe" mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe" mRun: [symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe mRun: [sSS2008 PasswordManagerFFAutoFill] "c:\program files\steganos privacy suite 2008\PasswordManagerFFAutoFill.exe" mRun: [sSS2008 HotKeys] "c:\program files\steganos privacy suite 2008\SteganosHotKeyService.exe" mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat" dRunOnce: [sSS2006] "c:\program files\steganos security suite 2006\SSS2006.exe" -firstboot StartupFolder: c:\docume~1\sharpej\startm~1\programs\startup\sprint~1.lnk - c:\windows\RM.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~2.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1) IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} 
- c:\program files\messenger\msmsgs.exe IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll Trusted Zone: alltel.com\care Trusted Zone: aol.com\free DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - hxxps://activation.alltel.com/wizlet/WINDSTREAM/static/controls/WebflowActiveXInstaller_2-0-0.cab DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - hxxp://rfnywebview1.ruderfinn.com:30157/webview/msxml/msxml4.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll Notify: igfxcui - igfxsrvc.dll Notify: NavLogon - c:\windows\system32\NavLogon.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll . ================= FIREFOX =================== . 
FF - ProfilePath - c:\docume~1\sharpej\applic~1\mozilla\firefox\profiles\50jrvbn5.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en FF - prefs.js: network.proxy.type - 0 FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a} FF - Ext: Read It Later: isreaditlater@ideashower.com - %profile%\extensions\isreaditlater@ideashower.com . ============= SERVICES / DRIVERS =============== . S1 SLEE_13_DRIVER;Steganos Live Encryption Engine 13 [Driver];c:\windows\system32\drivers\slee13.sys [2005-10-4 74240] S1 SLEE_16_DRIVER;Steganos Live Encryption Engine 16 [Driver];c:\windows\system32\drivers\sleen16.sys [2007-10-11 79104] S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\windows\system32\drivers\vcdrom.sys --> c:\windows\system32\drivers\VCdRom.sys [?] 
S2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-2-29 255096] S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-2-29 242808] S2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-5-1 181544] S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-7 135664] S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-7-19 712048] S2 ioloProductUpdate;iolo Product Update Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-7-19 712048] S2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-7-19 712048] S2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\common files\livescribe\pencomm\PenCommService.exe [2009-6-4 151552] S2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008] S2 Steganos AntiTheft;Steganos AntiTheft;c:\windows\system32\SatSrv.exe [2006-5-24 184320] S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-3-12 1221864] S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-2-29 87160] S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-7 135664] S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110502.002\naveng.sys [2011-5-2 86136] S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110502.002\navex15.sys [2011-5-2 1393144] S3 PulseUsb;Livescribe Pulse Smartpen USB Driver;c:\windows\system32\drivers\PulseUsb.sys [2009-6-4 19584] S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [2007-3-25 7548] S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-3-12 169192] S3 SAVRT;SAVRT;c:\program files\symantec 
antivirus\savrt.sys [2004-2-9 301200] . =============== Created Last 30 ================ . 2011-05-07 04:42:14 -------- d-sha-r- C:\cmdcons 2011-05-07 04:37:10 98816 ----a-w- c:\windows\sed.exe 2011-05-07 04:37:10 89088 ----a-w- c:\windows\MBR.exe 2011-05-07 04:37:10 256512 ----a-w- c:\windows\PEV.exe 2011-05-07 04:37:10 161792 ----a-w- c:\windows\SWREG.exe 2011-05-04 02:38:20 -------- d-----w- c:\program files\AVAST Software 2011-05-04 02:38:20 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVAST Software 2011-05-03 03:17:23 -------- d-----w- c:\program files\PC Tools Security 2011-05-03 03:15:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools 2011-05-02 21:27:18 -------- d-----w- c:\program files\ESET 2011-05-02 17:09:53 -------- d-----w- c:\docume~1\sharpej\applic~1\Malwarebytes 2011-05-02 17:09:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-05-02 17:09:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes 2011-05-02 17:09:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware . ==================== Find3M ==================== . 2009-11-24 02:28:05 6694516 -c----w- c:\program files\ps3-video-converter.exe 2009-11-22 15:56:36 15534341 -c----w- c:\program files\sss2006int.exe 2009-11-22 15:27:45 426352 -c----w- c:\program files\ds_dm.exe . ============= FINISH: 20:09:37.57 ===============
  13. OK -- Here are the logs. Prior to running ESET I still had all of the original symptoms. After running both scans I still have a Google redirect as of this post (I just checked), and I just got the weird audio again. Figure it's just a matter of time til I get more IE Script Error messages, too. Also you'll notice that the ESET scan (which I ran in Normal mode this time) took over 4 hours 15 mins., more than double what it took to run in Safe Mode the first time you had me run it. Ironically, it didn't find anything this time, either. It's been two weeks now, and I don't think we've gotten anywhere with this thing -- I'm still showing the same symptoms as when I first posted. Oh, and there's another IE Script Error message.... Argh -- I'm just lucky I've been able to trick out my little ASUS eee netbook so I can work off of that these last couple of weeks, because I can't use this desktop machine until it's clean (I connect to my office network thru VPN, and I don't want to risk infecting the network). Please let me know what to do next -- this damn thing is killing me... 
Thanks Chris- Jared *** ESET *** ESETSmartInstaller@High as CAB hook log: OnlineScanner.ocx - registred OK # version=7 # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339) # OnlineScanner.ocx=1.0.0.6427 # api_version=3.0.2 # EOSSerial=57b8a1ee4a65034a8cf13c33f14031eb # end=stopped # remove_checked=false # archives_checked=true # unwanted_checked=true # unsafe_checked=true # antistealth_checked=true # utc_time=2011-05-02 09:34:57 # local_time=2011-05-02 05:34:57 (-0500, Eastern Daylight Time) # country="United States" # lang=1033 # osver=5.1.2600 NT Service Pack 3 # compatibility_mode=8192 67108863 100 0 0 0 0 0 # scanned=3380 # found=0 # cleaned=0 # scan_time=248 # version=7 # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339) # OnlineScanner.ocx=1.0.0.6427 # api_version=3.0.2 # EOSSerial=57b8a1ee4a65034a8cf13c33f14031eb # end=stopped # remove_checked=true # archives_checked=false # unwanted_checked=true # unsafe_checked=false # antistealth_checked=true # utc_time=2011-05-09 01:14:35 # local_time=2011-05-09 09:14:35 (-0500, Eastern Daylight Time) # country="United States" # lang=9 # osver=5.1.2600 NT Service Pack 3 # compatibility_mode=8192 67108863 100 0 485851 485851 0 0 # scanned=8563 # found=0 # cleaned=0 # scan_time=2987 # version=7 # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339) # OnlineScanner.ocx=1.0.0.6427 # api_version=3.0.2 # EOSSerial=57b8a1ee4a65034a8cf13c33f14031eb # end=finished # remove_checked=true # archives_checked=false # unwanted_checked=true # unsafe_checked=false # antistealth_checked=true # utc_time=2011-05-09 03:29:10 # local_time=2011-05-09 11:29:10 (-0500, Eastern Daylight Time) # country="United States" # lang=9 # osver=5.1.2600 NT Service Pack 3 # compatibility_mode=8192 67108863 100 0 489308 489308 0 0 # scanned=119728 # found=2 # cleaned=2 # scan_time=7606 H:\I386\Apps\APP12302\src\SpyInstall_HPPre.exe probably a variant of Win32/Agent.HVEUCPZ trojan (deleted - quarantined) 
00000000000000000000000000000000 C H:\System Volume Information\_restore{E23F125D-7307-4B2A-BF76-7586BCAC24BE}\RP2\A0000098.exe probably a variant of Win32/Agent.HVEUCPZ trojan (deleted - quarantined) 00000000000000000000000000000000 C # version=7 # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339) # OnlineScanner.ocx=1.0.0.6427 # api_version=3.0.2 # EOSSerial=57b8a1ee4a65034a8cf13c33f14031eb # end=finished # remove_checked=true # archives_checked=false # unwanted_checked=true # unsafe_checked=false # antistealth_checked=true # utc_time=2011-05-15 05:37:11 # local_time=2011-05-15 01:37:11 (-0500, Eastern Daylight Time) # country="United States" # lang=9 # osver=5.1.2600 NT Service Pack 3 # compatibility_mode=8192 67108863 100 0 1007687 1007687 0 0 # scanned=120227 # found=0 # cleaned=0 # scan_time=15329 *** Screen317 Security Check *** Results of screen317's Security Check version 0.99.11 Windows XP Service Pack 3 Internet Explorer 8 `````````````````````````````` Antivirus/Firewall Check: Windows Security Center service is not running! This report may not be accurate! Windows Firewall Disabled! ESET Online Scanner v3 Symantec AntiVirus iolo technologies' DriveScrubber 3 WMI entry may not exist for antivirus; attempting automatic update. ``````````````````````````````` Anti-malware/Other Utilities Check: Malwarebytes' Anti-Malware Java 6 Update 18 Out of date Java installed! Adobe Flash Player 10.2.152.32 Adobe Reader X Mozilla Firefox (3.6.17) Firefox Out of Date! ```````````````````````````````` Process Check: objlist.exe by Laurent Symantec AntiVirus DefWatch.exe Symantec AntiVirus Rtvscan.exe iolo common lib ioloServiceManager.exe ``````````End of Log````````````
  14. Startup in normal mode didn't seem too bad. A little slow, but nothing absurd. Can't stick around to see if the weird noises happen or more IE Script Error messages pop up, but I'll let you know later. Meantime, if you see anything in the reports and need me to take action, please let me know. Thanks! -J
  15. Here are the ComboFix & DDS reports. Had to run ComboFix in Safe Mode again, so I ran DDS in it too, just to save time and aggravation. Still getting IE Script Error messages even in Safe Mode as I post this. I'll restart after I post and let you know of any other issues that still remain. Thanks- J *** ComboFix *** ComboFix 11-05-11.04 - sharpej 05-12-2011 17:39:31.4.1 - x86 NETWORK Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.275 [GMT -4:00] Running from: c:\documents and settings\sharpej\Desktop\ComboFix.exe . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . K:\autorun.inf . . ((((((((((((((((((((((((( Files Created from 2011-04-12 to 2011-05-12 ))))))))))))))))))))))))))))))) . . 2011-05-04 02:38 . 2011-05-04 20:50 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software 2011-05-04 02:38 . 2011-05-04 02:38 -------- d-----w- c:\program files\AVAST Software 2011-05-03 03:17 . 2011-05-04 22:19 -------- d-----w- c:\program files\PC Tools Security 2011-05-03 03:17 . 2011-05-04 21:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP 2011-05-03 03:15 . 2011-05-04 21:26 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools 2011-05-02 21:27 . 2011-05-02 21:27 -------- d-----w- c:\program files\ESET 2011-05-02 17:09 . 2011-05-02 17:09 -------- d-----w- c:\documents and settings\sharpej\Application Data\Malwarebytes 2011-05-02 17:09 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-05-02 17:09 . 2011-05-02 17:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2011-05-02 17:09 . 2011-05-02 17:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2011-05-02 16:01 . 2011-05-02 16:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\Steganos 2011-05-02 14:27 . 