Jump to content

Trying to figure out if I should be concerned here


MG1
 Share

Recommended Posts

Greetings,

 

Three times now on the same website (personalitycafe.com) I've clicked one of their buttons and gotten an attempted redirect.The first two times I immediately closed firefox so didn't see much. I waited a second more the third time and saw outrate.com in the address of the site it began trying to load. I'm running on a 1.5MB DSL  connection and things can normally take a bit of time to load, so I may have gotten out before anything could happen - but I don't know and figure better safe than sorry.

 

I've run malwarebytes quick scan, spybot scan, avg free (though avg scan was before the third attempted outrate redirect from that site) and tdsskiller and all the scans have come up clean. I also have seen zero instances so far of any search engine redirects.

 

However. I'm a better safe than sorry mode as noted. I'm pasting below my DDS results and want to know if someone wiser than I can decide this and see if there seems to be any indication of a problem:

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16720  BrowserJavaVersion: 10.5.1
Run by Golden at 22:31:48 on 2013-10-26
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3967.2807 [GMT -7:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Program Files (x86)\AVG\AVG9\avgchsva.exe
C:\Program Files (x86)\AVG\AVG9\avgrsa.exe
C:\Windows\system32\lsm.exe
C:\Program Files (x86)\AVG\AVG9\avgcsrva.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\taskhost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files (x86)\AVG\AVG9\avgemc.exe
C:\Program Files (x86)\AVG\AVG9\avgnsa.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files (x86)\AVG\AVG9\avgcsrvx.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\notepad.exe
C:\Windows\system32\taskmgr.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uProxyOverride = 127.0.0.1;
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
uRun: [cdloader] "C:\Users\Golden\AppData\Roaming\mjusbsp\cdloader2.exe" MAGICJACK
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{93A32983-2774-473F-A6BB-DD727057C2FC} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{EFD56DE8-E163-4A06-B92E-21CB06BFC2D5} : DHCPNameServer = 10.0.0.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG9\avgpp.dll
SSODL: WebCheck - <orphaned>
x64-BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG9\avgssiea.dll
x64-BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
.
INFO: x64-HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
x64-Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG9\avgppa.dll
x64-SSODL: WebCheck - <orphaned>
Hosts: 127.0.0.1    www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Golden\AppData\Roaming\Mozilla\Firefox\Profiles\sldxbrun.default\

FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
FF - plugin: C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R1 AvgLdx64;AVG Free AVI Loader Driver x64;C:\Windows\System32\drivers\avgldx64.sys [2009-10-30 282976]
R1 AvgMfx64;AVG Free On-access Scanner Minifilter Driver x64;C:\Windows\System32\drivers\avgmfx64.sys [2009-10-30 35664]
R1 AvgTdiA;AVG Free Network Redirector x64;C:\Windows\System32\drivers\avgtdia.sys [2009-10-30 317520]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2009-8-18 203264]
R2 avg9emc;AVG Free E-mail Scanner;C:\Program Files (x86)\AVG\AVG9\avgemc.exe [2010-7-15 921952]
R2 avg9wd;AVG Free WatchDog;C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe [2010-7-15 308136]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-10-30 1153368]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-3-1 187392]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 Linksys_adapter_H;Linksys Adapter Network Driver;C:\Windows\System32\drivers\AE1200w764.sys [2011-3-29 1254464]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-2-25 59392]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2009-8-28 49152]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-2-23 1255736]
.
=============== File Associations ===============
.
FileExt: .reg: regfile=regedit.exe "%1" [userChoice]
.
=============== Created Last 30 ================
.
2013-10-27 05:05:10    --------    d-----w-    C:\registry backup 102613
2013-10-16 18:38:15    99840    ----a-w-    C:\Windows\System32\drivers\usbccgp.sys
2013-10-16 18:38:15    7808    ----a-w-    C:\Windows\System32\drivers\usbd.sys
2013-10-16 18:38:15    52736    ----a-w-    C:\Windows\System32\drivers\usbehci.sys
2013-10-16 18:38:15    343040    ----a-w-    C:\Windows\System32\drivers\usbhub.sys
2013-10-16 18:38:15    325120    ----a-w-    C:\Windows\System32\drivers\usbport.sys
2013-10-16 18:38:15    30720    ----a-w-    C:\Windows\System32\drivers\usbuhci.sys
2013-10-16 18:38:15    25600    ----a-w-    C:\Windows\System32\drivers\usbohci.sys
2013-10-15 23:46:59    2241024    ----a-w-    C:\Windows\System32\wininet.dll
2013-10-15 23:42:29    --------    d-----w-    C:\f6ff593e3df111aeca5d3f7ccf4344
2013-10-15 23:29:52    785624    ----a-w-    C:\Windows\System32\drivers\Wdf01000.sys
2013-10-15 23:29:30    633856    ----a-w-    C:\Windows\System32\comctl32.dll
2013-10-15 23:29:30    530432    ----a-w-    C:\Windows\SysWow64\comctl32.dll
2013-10-08 19:10:24    3155968    ----a-w-    C:\Windows\System32\win32k.sys
.
==================== Find3M  ====================
.
2013-09-22 23:28:06    1767936    ----a-w-    C:\Windows\SysWow64\wininet.dll
2013-09-22 23:27:49    2876928    ----a-w-    C:\Windows\SysWow64\jscript9.dll
2013-09-22 23:27:48    61440    ----a-w-    C:\Windows\SysWow64\iesetup.dll
2013-09-22 23:27:48    109056    ----a-w-    C:\Windows\SysWow64\iesysprep.dll
2013-09-22 22:54:51    3959296    ----a-w-    C:\Windows\System32\jscript9.dll
2013-09-22 22:54:50    67072    ----a-w-    C:\Windows\System32\iesetup.dll
2013-09-22 22:54:50    136704    ----a-w-    C:\Windows\System32\iesysprep.dll
2013-09-21 03:38:39    2706432    ----a-w-    C:\Windows\System32\mshtml.tlb
2013-09-21 03:30:24    2706432    ----a-w-    C:\Windows\SysWow64\mshtml.tlb
2013-09-21 02:48:36    89600    ----a-w-    C:\Windows\System32\RegisterIEPKEYs.exe
2013-09-21 02:39:47    71680    ----a-w-    C:\Windows\SysWow64\RegisterIEPKEYs.exe
2013-09-14 01:10:19    497152    ----a-w-    C:\Windows\System32\drivers\afd.sys
2013-09-08 02:30:37    1903552    ----a-w-    C:\Windows\System32\drivers\tcpip.sys
2013-09-08 02:27:14    327168    ----a-w-    C:\Windows\System32\mswsock.dll
2013-09-08 02:03:58    231424    ----a-w-    C:\Windows\SysWow64\mswsock.dll
2013-08-29 02:17:48    5549504    ----a-w-    C:\Windows\System32\ntoskrnl.exe
2013-08-29 02:16:35    1732032    ----a-w-    C:\Windows\System32\ntdll.dll
2013-08-29 02:16:28    243712    ----a-w-    C:\Windows\System32\wow64.dll
2013-08-29 02:16:14    859648    ----a-w-    C:\Windows\System32\tdh.dll
2013-08-29 02:13:28    878080    ----a-w-    C:\Windows\System32\advapi32.dll
2013-08-29 01:51:45    3969472    ----a-w-    C:\Windows\SysWow64\ntkrnlpa.exe
2013-08-29 01:51:45    3914176    ----a-w-    C:\Windows\SysWow64\ntoskrnl.exe
2013-08-29 01:50:31    5120    ----a-w-    C:\Windows\SysWow64\wow32.dll
2013-08-29 01:50:30    1292192    ----a-w-    C:\Windows\SysWow64\ntdll.dll
2013-08-29 01:50:16    619520    ----a-w-    C:\Windows\SysWow64\tdh.dll
2013-08-29 01:48:17    640512    ----a-w-    C:\Windows\SysWow64\advapi32.dll
2013-08-29 01:48:15    44032    ----a-w-    C:\Windows\apppatch\acwow64.dll
2013-08-29 00:49:53    25600    ----a-w-    C:\Windows\SysWow64\setup16.exe
2013-08-29 00:49:52    7680    ----a-w-    C:\Windows\SysWow64\instnm.exe
2013-08-29 00:49:52    14336    ----a-w-    C:\Windows\SysWow64\ntvdm64.dll
2013-08-29 00:49:49    2048    ----a-w-    C:\Windows\SysWow64\user.exe
2013-08-28 01:12:33    461312    ----a-w-    C:\Windows\System32\scavengeui.dll
2013-08-05 02:25:45    155584    ----a-w-    C:\Windows\System32\drivers\ataport.sys
2013-08-02 02:14:57    215040    ----a-w-    C:\Windows\System32\winsrv.dll
2013-08-02 02:13:34    424448    ----a-w-    C:\Windows\System32\KernelBase.dll
2013-08-02 01:50:42    274944    ----a-w-    C:\Windows\SysWow64\KernelBase.dll
2013-08-02 01:09:17    338432    ----a-w-    C:\Windows\System32\conhost.exe
2013-08-02 00:59:09    112640    ----a-w-    C:\Windows\System32\smss.exe
2013-08-02 00:43:05    6144    ---ha-w-    C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2013-08-02 00:43:05    4608    ---ha-w-    C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2013-08-02 00:43:05    3584    ---ha-w-    C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2013-08-02 00:43:05    3072    ---ha-w-    C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2013-08-01 12:09:36    983488    ----a-w-    C:\Windows\System32\drivers\dxgkrnl.sys
.
============= FINISH: 22:32:06.18 ===============
 

and I understand from the otehr post I'm also supposed to post the attach file?

 

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 10/31/2009 2:50:56 AM
System Uptime: 10/26/2013 9:35:48 PM (1 hours ago)
.
Motherboard: ASUSTeK Computer INC. |  | M3A76-CM
Processor: AMD Athlon II X2 240 Processor | AM2 | 2800/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 298 GiB total, 191.805 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable
I: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP305: 9/20/2013 8:16:15 PM - Scheduled Checkpoint
RP306: 9/27/2013 8:42:29 PM - Scheduled Checkpoint
RP307: 10/5/2013 1:09:22 AM - Scheduled Checkpoint
RP308: 10/9/2013 12:14:57 AM - Windows Update
RP309: 10/15/2013 4:39:34 PM - Windows Update
RP310: 10/16/2013 11:38:21 AM - Windows Update
RP311: 10/23/2013 10:06:37 PM - Scheduled Checkpoint
.
==== Installed Programs ======================
.
2007 Microsoft Office Suite Service Pack 2 (SP2)
Acrobat.com
Adobe AIR
Adobe Reader 9.5.3
Adobe Shockwave Player 11.5
Audacity 2.0
Avery Wizard 4.0
Canon iP2700 series Printer Driver
Canon iP2700 series User Registration
Canon Utilities Easy-PhotoPrint EX
Canon Utilities Solution Menu
CCleaner (remove only)
FileZilla Client 3.7.1
GIMP 2.6.10
GoGear Mix Device Manager
GPL Ghostscript 9.01
Gtk+ Runtime Environment 2.10.11-1
Inquisit 3 Web Edition
Java 7 Update 10 (64-bit)
Java Auto Updater
Java 7 Update 5
JavaFX 2.1.1
K-Lite Codec Pack 5.1.0 (Full)
LAME v3.99.3 (for Windows)
magicJack
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft IntelliPoint 7.0
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Office 64-bit Components 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared 64-bit MUI (English) 2007
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218
Mozilla Firefox 24.0 (x86 en-US)
Mozilla Maintenance Service
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 8 Essentials
neroxml
Notepad++
OpenOffice.org 3.3
Pegasus Mail
R for Windows 2.15.0
SA25x5 & SA26x5 Device Manager
SAMSUNG Mobile USB DRIVER(4.40.7.0) v1.6
Scribus 1.3.3.14
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2858302v2)
Spybot - Search & Destroy
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939v3)
Visual C++ 8.0 Runtime Setup Package (x64)
.
==== Event Viewer Messages From Past Week ========
.
10/26/2013 9:36:01 PM, Error: atikmdag [52236]  - CPLIB :: General - Invalid Parameter
10/26/2013 9:36:01 PM, Error: atikmdag [43029]  - Display is not active
10/26/2013 8:51:04 PM, Error: Service Control Manager [7001]  - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:  The dependency service or group failed to start.
10/26/2013 8:51:03 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
10/26/2013 8:51:02 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
10/26/2013 8:50:55 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
10/26/2013 8:50:55 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
10/26/2013 8:50:54 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
10/26/2013 8:50:46 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
10/26/2013 8:50:42 PM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AFD AvgLdx64 AvgMfx64 AvgTdiA DfsC discache NetBIOS NetBT nsiproxy Psched rdbss spldr tdx vwififlt Wanarpv6 WfpLwf
10/26/2013 8:50:40 PM, Error: Service Control Manager [7001]  - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
10/26/2013 8:50:40 PM, Error: Service Control Manager [7001]  - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error:  A device attached to the system is not functioning.
10/26/2013 8:50:40 PM, Error: Service Control Manager [7001]  - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error:  A device attached to the system is not functioning.
10/26/2013 8:50:40 PM, Error: Service Control Manager [7001]  - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error:  The dependency service or group failed to start.
10/26/2013 8:50:40 PM, Error: Service Control Manager [7001]  - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error:  The dependency service or group failed to start.
10/26/2013 8:50:40 PM, Error: Service Control Manager [7001]  - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error:  A device attached to the system is not functioning.
10/26/2013 8:50:40 PM, Error: Service Control Manager [7001]  - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
10/26/2013 8:50:40 PM, Error: Service Control Manager [7001]  - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
10/26/2013 8:50:40 PM, Error: Service Control Manager [7001]  - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
10/26/2013 8:50:40 PM, Error: Service Control Manager [7001]  - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error:  A device attached to the system is not functioning.
10/22/2013 2:49:49 PM, Error: Disk [11]  - The driver detected a controller error on \Device\Harddisk6\DR6.
.
==== End Of File ===========================
 

Help?

 

Link to post
Share on other sites

Welcome to the forum.

Please download and run RogueKiller 32 Bit to your desktop.

RogueKiller 64 Bit <---use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes and use the default font)

General P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

2. If you have illegal/cracked software, cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

MrC

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give to instructions on how to cleanup all the tools and logs

<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)

Link to post
Share on other sites

Hi MrCharlie,

 

Below is the RougeKiller report. Any information you could share with me about what you see and why you suggest specific steps would be really helpful as we go through this process. I like to be educated about what's going on so I can take proper responsibility for my own understanding, if that makes any sense.

 

Anyway, the report:

 

RogueKiller V8.7.5 _x64_ [Oct 22 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Golden [Admin rights]
Mode : Scan -- Date : 10/27/2013 13:06:44
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1    www.007guard.com
127.0.0.1    007guard.com
127.0.0.1    008i.com
127.0.0.1    www.008k.com
127.0.0.1    008k.com
127.0.0.1    www.00hq.com
127.0.0.1    00hq.com
127.0.0.1    010402.com
127.0.0.1    www.032439.com
127.0.0.1    032439.com
127.0.0.1    www.0scan.com
127.0.0.1    0scan.com
127.0.0.1    1000gratisproben.com
127.0.0.1    www.1000gratisproben.com
127.0.0.1    1001namen.com
127.0.0.1    www.1001namen.com
127.0.0.1    100888290cs.com
127.0.0.1    www.100888290cs.com
127.0.0.1    www.100sexlinks.com
127.0.0.1    100sexlinks.com
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) WDC WD3200AAKS-00V1A0 ATA Device +++++
--- User ---
[MBR] b5aaba646f52737e5f906e1a30a08755
[bSP] 998053bfc207ddea7e2d78fdb2b008c9 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 305143 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_10272013_130644.txt >>
 

Link to post
Share on other sites

All looks OK, are you still having problems??

 

MrC

 

Glad to hear all looks okay.

 

The only problem I had to begin with was a set of three staggered instances of attempted redirect from one particular site to outrate when I clicked the site's buttons (it's a forum). Third time I took an extra second to look in the address bar before quickly exiting firefox (the first couple, I immediately exited firefox when my brain caught that something wasn't right) and my brain registered outrate.com in the address to which it said it was redirecting.

 

I haven't returned to that site since this happened and I'm not sure I ever should (which makes me sad,it's an interesting community and I learn a lot in dialogue there).

 

As for my own machine: I haven't had any problems with google redirects or any other sites or anything else I'm aware of. I came here and posted because I want to be sure that I'm not dealing with some sort of silent infection that would either get ugly later or stay silent over time but do nasty things anyway.

 

Three questions:

 

1. Am I correct in understanding that you don't think there is cause for concern that my computer has been infected/affected by the attempted outrate redirects from that site?

 

2. Assuming you don't think there is cause for concern with my machine - what do you recommend I do about/in relation to that site?

 

3. What next steps should I take from this scanning process (remember I also scanned with tdsskiller before posting here)?

 

Hope the above info and questions make sense. I really really appreciate your help!

Link to post
Share on other sites

1. Am I correct in understanding that you don't think there is cause for concern that my computer has been infected/affected by the attempted outrate redirects from that site?

There's nothing showing in the logs so far but that doesn't mean that you're clean. If you're still having a problem I think we should run some scans.

2. Assuming you don't think there is cause for concern with my machine - what do you recommend I do about/in relation to that site?

Runs some scans

3. What next steps should I take from this scanning process (remember I also scanned with tdsskiller before posting here)?

Run ComboFix to start with:

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please make sure you click download buttons that look like this, not "sponsored ad links":

bleep-crop.jpg

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.
 

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

Link to post
Share on other sites

MrCharlie, your suggestions aren't making any logical sense to me just yet.

 

1. You wrote: "There's nothing showing in the logs so far but that doesn't mean that you're clean. If you're still having a problem I think we should run some scans."

 

How could I determine if there's still a problem if I don't return to that one specific site? That's the only place I have seen anything. And if that site is actually infected, wouldn't returning to that site and using it simply to see if I get more attempted redirects be quite unwise?

 

2 & 3. My understanding is that Combofix is pretty serious stuff and shouldn't ever be used lightly. Given that I can't determine if I'm "still having a problem" unless I return to a possibly infected site for the purpose of seeing if it tries to redirect again, I'm trying to understand the logic of using something (Combofix) that as I understand it could itself mess with my machine ... without any evidence that there is any problem outside of that site and without the action of returning to a site that as far as I can tell, has been infected and I may have avoided infection through a combo of quick action and slow internet speed. Seems like using Combofix would be taking a big risk without being able to answer your question about "if I'm still having a problem" in the first place.

 

Note: the problematic site is legit but has had other malware problems in the past that I know about from rare but memorable firefox alerts and skimming discussion in their support forums after fixes. However, in the past, such problems have been specific to the ads, and Adblock Plus combined with blocking some site images (and possibly not having Flash enabled in general when I browse) has removed me from that part of the site dynamic. This redirect, however, seemed to come directly from some site scripts or something more directly associated with the site and I can't see the wisdom in returning to the site and exposing my machine again just to see if there's still a problem.

Link to post
Share on other sites

Oddly, just after I PMed you I had a redirect - the first from anywhere other than that site - from one of my bookmarks (an old google version). I am scared about Combofix and wish there was something less dangerous to my machine but will do what you ask.

Link to post
Share on other sites

ComboFix isn't dangerous, just about everyone I help runs it.

What browser is being redirected?

Please download Farbar Recovery Scan Tool and save it to a folder. (use correct version for your system.....Which system am I using?)

Please make sure you click download buttons that look like this, not "sponsored ad links":

bleep-crop.jpg

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
MrC
Link to post
Share on other sites

Hi MrCharlie,

 

Quick note for now, more later. You asked what browser - Firefox.

 

I've had a deluge of work and family stuff in the last 24 hours and wasn't able to get to the scan you suggested today but can get to it tomorrow (Wed 10/30). Want to do it while not half-asleep.

 

Just wanted to let you know I'm still on it...

Link to post
Share on other sites

MrCharlie, I want to make sure i understand you about the correct way to download Farbar. You wrote:

ComboFix isn't dangerous, just about everyone I help runs it.

What browser is being redirected?

Please download Farbar Recovery Scan Tool and save it to a folder. (use correct version for your system.....Which system am I using?)

Please make sure you click download buttons that look like this, not "sponsored ad links":

bleep-crop.jpg

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
MrC

 

 

When I go to the page, I see what is in the attached screenshot at the top of the page.

 

Those blue buttons look somewhat like what you say, HOWEVER not 100% (no @BleepingComputer and instead bit version numbers).

 

And they are also directly underneath a header that says Sponsored Links.

 

I don't see any other buttons on the page. Are the blue buttons in the attached screenshot the correct ones for true download per your instructions?

 

Just want to make sure I do everything correctly.

 

 

post-147367-0-25853200-1383176809_thumb.

Link to post
Share on other sites

Okay, ran the Farbar Tool, results are pasted and attached as instructed:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 30-10-2013
Ran by Golden (administrator) on GOLDEN-PC on 30-10-2013 18:43:02
Running from C:\Documents\Scan 103013
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG9\avgchsva.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG9\avgrsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG9\avgcsrva.exe
(AMD) C:\Windows\system32\atiesrxx.exe
(AMD) C:\Windows\system32\atieclxx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe
(Safer Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliPoint\ipoint.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG9\avgemc.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG9\avgnsa.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG9\avgcsrvx.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [intelliPoint] - C:\Program Files\Microsoft IntelliPoint\ipoint.exe [2314120 2009-06-01] (Microsoft Corporation)
HKCU\...\Run: [cdloader] - C:\Users\Golden\AppData\Roaming\mjusbsp\cdloader2.exe [50592 2012-02-01] (magicJack L.P.)
MountPoints2: J - J:\autorun.exe
AppInit_DLLs: avgrssta.dll [13048 2010-07-15] (AVG Technologies CZ, s.r.o.)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xAE3F73539559CA01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG9\avgssiea.dll (AVG Technologies CZ, s.r.o.)
BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
BHO-x32: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
BHO-x32: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll (Oracle Corporation)
BHO-x32: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKCU - No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} -  No File
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG9\avgppa.dll (AVG Technologies CZ, s.r.o.)
Handler-x32: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

FireFox:
========
FF ProfilePath: C:\Users\Golden\AppData\Roaming\Mozilla\Firefox\Profiles\sldxbrun.default

FF NetworkProxy: "type", 0
FF Plugin: @java.com/DTPlugin,version=10.10.2 - C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.10.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @adobe.com/ShockwavePlayer - C:\Windows\system32\Adobe\Director\np32dsw.dll No File
FF Plugin-x32: @canon.com/EPPEX - C:\Program Files (x86)\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
FF Plugin-x32: @java.com/DTPlugin,version=10.5.1 - C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.5.1 - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: firebug - C:\Users\Golden\AppData\Roaming\Mozilla\Firefox\Profiles\sldxbrun.default\Extensions\firebug@software.joehewitt.com.xpi
FF Extension: Adblock Plus - C:\Users\Golden\AppData\Roaming\Mozilla\Firefox\Profiles\sldxbrun.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi

==================== Services (Whitelisted) =================

R2 avg9emc; C:\Program Files (x86)\AVG\AVG9\avgemc.exe [921952 2010-07-20] (AVG Technologies CZ, s.r.o.)
R2 avg9wd; C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe [308136 2010-07-15] (AVG Technologies CZ, s.r.o.)
S3 NMIndexingService; C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe [537896 2008-06-24] (Nero AG)
R2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)

==================== Drivers (Whitelisted) ====================

R1 AvgLdx64; C:\Windows\System32\Drivers\avgldx64.sys [282976 2013-01-15] (AVG Technologies CZ, s.r.o.)
R1 AvgMfx64; C:\Windows\System32\Drivers\avgmfx64.sys [35664 2011-10-07] (AVG Technologies CZ, s.r.o.)
R1 AvgTdiA; C:\Windows\System32\Drivers\avgtdia.sys [317520 2011-05-05] (AVG Technologies CZ, s.r.o.)
S3 Linksys_adapter_H; C:\Windows\System32\DRIVERS\AE1200w764.sys [1254464 2011-03-29] (Broadcom Corporation)
R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [8192 2005-03-29] ()

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-10-30 18:42 - 2013-10-30 18:42 - 00000000 ____D C:\FRST
2013-10-28 17:32 - 2013-10-28 17:32 - 00032013 _____ C:\Users\Golden\.recently-used.xbel
2013-10-28 17:22 - 2013-10-28 17:22 - 00002047 _____ C:\Users\Golden\Desktop\RKreport[0]_S_10282013_172232.txt
2013-10-27 13:15 - 2013-10-27 13:15 - 00000000 ____D C:\Users\Golden\Desktop\mwb instructions
2013-10-27 13:04 - 2013-10-27 13:07 - 00000000 ____D C:\Users\Golden\Desktop\RK_Quarantine
2013-10-27 13:02 - 2013-10-27 13:03 - 03997696 _____ C:\Users\Golden\Desktop\RogueKillerX64.exe
2013-10-26 22:05 - 2013-10-26 22:09 - 00000000 ____D C:\registry backup 102613
2013-10-26 22:05 - 2013-10-26 22:05 - 00000000 ____D C:\Users\Golden\Documents\New folder
2013-10-26 19:49 - 2009-06-10 14:00 - 00000824 _____ C:\Windows\system32\Drivers\etc\hosts.20131026-194908.backup
2013-10-19 14:44 - 2013-10-19 14:44 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-10-16 11:38 - 2013-09-04 05:12 - 00343040 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbhub.sys
2013-10-16 11:38 - 2013-09-04 05:11 - 00325120 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbport.sys
2013-10-16 11:38 - 2013-09-04 05:11 - 00099840 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbccgp.sys
2013-10-16 11:38 - 2013-09-04 05:11 - 00052736 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbehci.sys
2013-10-16 11:38 - 2013-09-04 05:11 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbuhci.sys
2013-10-16 11:38 - 2013-09-04 05:11 - 00025600 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbohci.sys
2013-10-16 11:38 - 2013-09-04 05:11 - 00007808 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbd.sys
2013-10-15 16:47 - 2013-09-22 16:28 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-10-15 16:47 - 2013-09-22 16:28 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-10-15 16:47 - 2013-09-22 16:27 - 02876928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-10-15 16:47 - 2013-09-22 16:27 - 02048512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-10-15 16:47 - 2013-09-22 16:27 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-10-15 16:47 - 2013-09-22 16:27 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-10-15 16:47 - 2013-09-22 16:27 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-10-15 16:47 - 2013-09-22 16:27 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-10-15 16:47 - 2013-09-22 16:27 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-10-15 16:47 - 2013-09-22 16:27 - 00039424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-10-15 16:47 - 2013-09-22 16:27 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-10-15 16:47 - 2013-09-22 15:55 - 01365504 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2013-10-15 16:47 - 2013-09-22 15:55 - 00051712 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2013-10-15 16:47 - 2013-09-22 15:54 - 03959296 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2013-10-15 16:47 - 2013-09-22 15:54 - 02647552 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2013-10-15 16:47 - 2013-09-22 15:54 - 00855552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2013-10-15 16:47 - 2013-09-22 15:54 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2013-10-15 16:47 - 2013-09-22 15:54 - 00526336 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2013-10-15 16:47 - 2013-09-22 15:54 - 00136704 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2013-10-15 16:47 - 2013-09-22 15:54 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2013-10-15 16:47 - 2013-09-22 15:54 - 00053248 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2013-10-15 16:47 - 2013-09-22 15:54 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2013-10-15 16:47 - 2013-09-20 20:38 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2013-10-15 16:47 - 2013-09-20 20:30 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-10-15 16:47 - 2013-09-20 19:48 - 00089600 _____ (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe
2013-10-15 16:47 - 2013-09-20 19:39 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-10-15 16:46 - 2013-09-22 16:27 - 14335488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-10-15 16:46 - 2013-09-22 16:27 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-10-15 16:46 - 2013-09-22 15:55 - 02241024 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2013-10-15 16:46 - 2013-09-22 15:54 - 19252224 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2013-10-15 16:46 - 2013-09-22 15:54 - 15404544 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2013-10-15 16:42 - 2013-10-15 16:44 - 00000000 ____D C:\f6ff593e3df111aeca5d3f7ccf4344
2013-10-15 16:30 - 2013-08-28 19:17 - 05549504 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2013-10-15 16:30 - 2013-08-28 19:16 - 01732032 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2013-10-15 16:30 - 2013-08-28 19:16 - 00859648 _____ (Microsoft Corporation) C:\Windows\system32\tdh.dll
2013-10-15 16:30 - 2013-08-28 19:16 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2013-10-15 16:30 - 2013-08-28 19:13 - 00878080 _____ (Microsoft Corporation) C:\Windows\system32\advapi32.dll
2013-10-15 16:30 - 2013-08-28 18:51 - 03969472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-10-15 16:30 - 2013-08-28 18:51 - 03914176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-10-15 16:30 - 2013-08-28 18:50 - 01292192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2013-10-15 16:30 - 2013-08-28 18:50 - 00619520 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tdh.dll
2013-10-15 16:30 - 2013-08-28 18:50 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2013-10-15 16:30 - 2013-08-28 18:48 - 00640512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\advapi32.dll
2013-10-15 16:30 - 2013-08-28 17:49 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2013-10-15 16:30 - 2013-08-28 17:49 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2013-10-15 16:30 - 2013-08-28 17:49 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2013-10-15 16:30 - 2013-08-28 17:49 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2013-10-15 16:29 - 2013-07-04 05:50 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\comctl32.dll
2013-10-15 16:29 - 2013-07-04 04:50 - 00530432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\comctl32.dll
2013-10-15 16:29 - 2013-06-25 15:55 - 00785624 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\Wdf01000.sys
2013-10-15 16:28 - 2013-09-13 18:10 - 00497152 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\afd.sys
2013-10-15 16:28 - 2013-09-07 19:30 - 01903552 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
2013-10-15 16:28 - 2013-09-07 19:27 - 00327168 _____ (Microsoft Corporation) C:\Windows\system32\mswsock.dll
2013-10-15 16:28 - 2013-09-07 19:03 - 00231424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mswsock.dll
2013-10-15 16:28 - 2013-08-27 18:12 - 00461312 _____ (Microsoft Corporation) C:\Windows\system32\scavengeui.dll
2013-10-15 16:28 - 2013-08-01 05:09 - 00983488 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgkrnl.sys
2013-10-15 16:28 - 2013-07-20 03:33 - 00124112 _____ (Microsoft Corporation) C:\Windows\system32\PresentationCFFRasterizerNative_v0300.dll
2013-10-15 16:28 - 2013-07-20 03:33 - 00102608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\PresentationCFFRasterizerNative_v0300.dll
2013-10-15 16:28 - 2013-07-12 03:41 - 00100864 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbcir.sys
2013-10-15 16:28 - 2013-07-12 03:40 - 00109824 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\USBAUDIO.sys
2013-10-15 16:28 - 2013-07-04 05:57 - 00259584 _____ (Microsoft Corporation) C:\Windows\system32\WebClnt.dll
2013-10-15 16:28 - 2013-07-04 05:50 - 00102400 _____ (Microsoft Corporation) C:\Windows\system32\davclnt.dll
2013-10-15 16:28 - 2013-07-04 04:57 - 00205824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WebClnt.dll
2013-10-15 16:28 - 2013-07-04 04:51 - 00081920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\davclnt.dll
2013-10-15 16:28 - 2013-07-04 03:11 - 00140800 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2013-10-15 16:28 - 2013-07-02 21:40 - 00042496 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbscan.sys
2013-10-15 16:28 - 2013-07-02 21:05 - 00076800 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\hidclass.sys
2013-10-15 16:28 - 2013-07-02 21:05 - 00032896 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\hidparse.sys
2013-10-15 16:28 - 2013-06-05 22:50 - 00041472 _____ (Microsoft Corporation) C:\Windows\system32\lpk.dll
2013-10-15 16:28 - 2013-06-05 22:49 - 00100864 _____ (Microsoft Corporation) C:\Windows\system32\fontsub.dll
2013-10-15 16:28 - 2013-06-05 22:49 - 00014336 _____ (Microsoft Corporation) C:\Windows\system32\dciman32.dll
2013-10-15 16:28 - 2013-06-05 22:47 - 00046080 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2013-10-15 16:28 - 2013-06-05 21:57 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\lpk.dll
2013-10-15 16:28 - 2013-06-05 21:51 - 00070656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\fontsub.dll
2013-10-15 16:28 - 2013-06-05 21:50 - 00010240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dciman32.dll
2013-10-15 16:28 - 2013-06-05 20:30 - 00368128 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2013-10-15 16:28 - 2013-06-05 20:01 - 00295424 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2013-10-15 16:28 - 2013-06-05 20:01 - 00034304 _____ (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2013-10-08 12:10 - 2013-08-27 18:21 - 03155968 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys

==================== One Month Modified Files and Folders =======

2013-10-30 18:42 - 2013-10-30 18:42 - 00000000 ____D C:\FRST
2013-10-30 18:42 - 2009-10-31 02:50 - 01550762 _____ C:\Windows\WindowsUpdate.log
2013-10-30 18:41 - 2009-07-13 21:45 - 00015344 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-10-30 18:41 - 2009-07-13 21:45 - 00015344 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-10-30 18:34 - 2009-10-30 12:22 - 00257931 _____ C:\Windows\setupact.log
2013-10-30 18:34 - 2009-07-13 22:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-10-30 16:33 - 2009-10-30 12:15 - 00003934 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{A4A0C1C1-C0A9-4751-85E5-0D7E43257930}
2013-10-30 16:31 - 2009-07-13 22:13 - 00005180 _____ C:\Windows\system32\PerfStringBackup.INI
2013-10-28 17:33 - 2010-09-26 16:36 - 00000000 ____D C:\Users\Golden\.gimp-2.6
2013-10-28 17:32 - 2013-10-28 17:32 - 00032013 _____ C:\Users\Golden\.recently-used.xbel
2013-10-28 17:32 - 2010-09-26 22:03 - 00000000 ____D C:\Users\Golden\AppData\Roaming\gtk-2.0
2013-10-28 17:32 - 2009-10-31 02:51 - 00000000 ____D C:\Users\Golden
2013-10-28 17:22 - 2013-10-28 17:22 - 00002047 _____ C:\Users\Golden\Desktop\RKreport[0]_S_10282013_172232.txt
2013-10-28 17:03 - 2009-10-30 12:07 - 00000000 ____D C:\Windows\system32\Drivers\Avg
2013-10-28 16:21 - 2011-03-23 13:06 - 00000995 _____ C:\Users\Golden\Desktop\magicJack.lnk
2013-10-28 16:21 - 2011-03-23 13:06 - 00000981 _____ C:\Users\Golden\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\magicJack.lnk
2013-10-28 16:21 - 2011-03-23 13:04 - 00000000 ____D C:\Users\Golden\AppData\Roaming\mjusbsp
2013-10-28 14:28 - 2013-09-02 00:04 - 00000000 _____ C:\Users\Golden\Desktop\temp.txt
2013-10-27 17:40 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\system32\NDF
2013-10-27 14:02 - 2011-03-27 23:55 - 00000000 ____D C:\Users\Golden\Desktop\installation files
2013-10-27 13:15 - 2013-10-27 13:15 - 00000000 ____D C:\Users\Golden\Desktop\mwb instructions
2013-10-27 13:07 - 2013-10-27 13:04 - 00000000 ____D C:\Users\Golden\Desktop\RK_Quarantine
2013-10-27 13:03 - 2013-10-27 13:02 - 03997696 _____ C:\Users\Golden\Desktop\RogueKillerX64.exe
2013-10-26 22:32 - 2012-03-13 19:31 - 00000000 ____D C:\Users\Golden\Desktop\misc
2013-10-26 22:09 - 2013-10-26 22:05 - 00000000 ____D C:\registry backup 102613
2013-10-26 22:05 - 2013-10-26 22:05 - 00000000 ____D C:\Users\Golden\Documents\New folder
2013-10-26 21:00 - 2011-12-28 21:57 - 00001113 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-10-26 21:00 - 2009-10-30 12:04 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-10-25 19:01 - 2009-11-03 20:37 - 00000000 ____D C:\Users\Golden\AppData\Local\Adobe
2013-10-24 14:04 - 2012-05-27 17:45 - 00000000 ____D C:\Users\Golden\AppData\Roaming\Audacity
2013-10-23 18:43 - 2013-09-04 18:53 - 00002601 _____ C:\Users\Golden\Desktop\Aug 2013 electricity estimate.txt
2013-10-22 14:09 - 2011-02-17 19:07 - 00000000 ____D C:\Users\Golden\AppData\Roaming\FileZilla
2013-10-20 08:01 - 2012-05-06 12:59 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-10-19 15:24 - 2009-10-30 12:25 - 00000000 ____D C:\Users\Golden\AppData\Local\Mozilla
2013-10-19 14:44 - 2013-10-19 14:44 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-10-16 11:27 - 2009-11-03 21:22 - 00084138 _____ C:\Windows\PFRO.log
2013-10-16 11:27 - 2009-07-13 21:45 - 00439520 _____ C:\Windows\system32\FNTCACHE.DAT
2013-10-15 19:57 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\rescache
2013-10-15 16:44 - 2013-10-15 16:42 - 00000000 ____D C:\f6ff593e3df111aeca5d3f7ccf4344
2013-10-15 16:44 - 2013-07-12 21:18 - 00000000 ____D C:\Windows\system32\MRT
2013-10-15 16:42 - 2009-10-30 12:27 - 80541720 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2013-09-30 16:45 - 2013-09-16 21:08 - 00000000 ____D C:\Users\Golden\Desktop\tawny frogmouth

Some content of TEMP:
====================
C:\Users\Golden\AppData\Local\Temp\ntdll_dump.dll
C:\Users\Golden\AppData\Local\Temp\ose00000.exe
C:\Users\Golden\AppData\Local\Temp\ose00001.exe


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2013-10-21 00:21

==================== End Of Log ============================

Addition.txt

Link to post
Share on other sites

Nothing showing, please run this scan:

Please run a free online scan with the ESET Online Scanner (it may take a while to run)

Note: You will need to use Internet Explorer for this scan.

First please Disable any Antivirus you have active, as shown in This Topic

Note: Don't forget to re-enable it after the scan.

http://www.eset.eu/online-scanner

Tick the box next to YES, I accept the Terms of Use.

Click Start

When asked, allow the ActiveX control to install

Click Start

Make sure that the options Remove found threats is unchecked and the option Scan unwanted applications is checked

Click Advanced settings and select the following:

  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
Click Start

Wait for the scan to finish

If threats were found:

Click on "list of threats found"

Click on "export to text file" and save it as ESET SCAN and save to the desktop

Click on back

Put a checkmark in "Uninstall application on close"

Click on finish

Post back the log.....MrC

Link to post
Share on other sites

Hi MrCharlie,

 

I'm starting to suspect that the virus infecting my computer may be undetectable in most if not every single scan. I saw an article about a redirect virus that even ComboFix didn't find, and it got me thinking about new viruses versus standard approaches. I do know I need to understand more clearly what's going on and why. I also need to get deliberate about how we're planning to use the currently infected computer (which is our primary one but has been down, of course) in the future. If this virus is so difficult to track now, I wonder if it would hang around silently even after it appeared to be cleaned, assuming we could somehow find some of it through this process.

 

I'm considering various options, including a clean (re)install of the OS on my machine.

 

May I put this discussion on hold until I can figure out whether I feel it's wise for me to continue hunting the virus or if I should take a different approach?

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.