Jump to content

Recommended Posts

q0iq7ga5301.com is somehow involved with in my browser. The browser gets diverted by this website after I select a hit out of my IE8 search engine. Tried it with all my search engines and it did not matter.

AVG and MBAM Updated find nothing.

DDS (Ver_10-03-17.01) - NTFSx86

Run by richard at 16:19:47.40 on Wed 07/14/2010

Internet Explorer: 8.0.7600.16385

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3326.2157 [GMT -5:00]

============== Running Processes ===============

C:\Windows\system32\wininit.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Windows\system32\lsm.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\system32\LogonUI.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Program Files\EPSON\EPSON Advanced Printer Driver 4\EpsonPHLog.exe

C:\Program Files\EPSON\EPSON Advanced Printer Driver 4\EpsonPH.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k apphost

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Windows Home Server\esClient.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\system32\svchost.exe -k iissvcs

C:\Program Files\Windows Home Server\Microsoft.HomeServer.Archive.TransferService.exe

C:\Program Files\Windows Home Server\WHSConnector.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\rdpclip.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\sttray.exe

C:\Program Files\Qurb\QSP-3.0.311.7\QOELoader.exe

C:\Program Files\AVG\AVG9\avgtray.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

C:\Program Files\Microsoft Location Finder\LocationFinder.exe

C:\Program Files\Pop up Blocker Pro\pdie.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

C:\Program Files\Windows Home Server\WHSTrayApp.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\sppsvc.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Users\richard\Downloads\dds.scr

C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.foxnews.com/

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: BrowserHelper Class: {9a065c65-4ee7-4ddd-9918-f129089a894a} - c:\program files\windows home server\WHSDeskBands.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

TB: Home Server Banner: {d73e76a3-f902-45bd-8fc8-95ae8e014671} - c:\program files\windows home server\WHSDeskBands.dll

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden

uRun: [Microsoft Location Finder] "c:\program files\microsoft location finder\LocationFinder.exe"

uRun: [Pop up Blocker Pro] "c:\program files\pop up blocker pro\pdie.exe" Minimize

mRun: [sigmatelSysTrayApp] sttray.exe

mRun: [<NO NAME>]

mRun: [QOELOADER] "c:\program files\qurb\qsp-3.0.311.7\QOELoader.exe"

mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

StartupFolder: c:\users\richard\appdata\roaming\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\window~1.lnk - c:\windows\installer\{21e49794-7c13-4e84-8659-55bd378267d5}\WHSTrayApp.exe

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: {F2FCA757-1250-413D-B20A-D7C3D283DC42} - c:\program files\pop up blocker pro\pdie.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL

Trusted Zone: microsoft.com\*.update

Trusted Zone: windowsupdate.com\download

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {3528A58B-595D-4AFD-A5F6-B914BD306DC3} - hxxp://dishconnectivity.sling.com/dpit/downloads/pc/SlingHealth.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab

TCP: {6BD86BD0-D5BC-4A98-AD5A-343D3BB070BE} = 166.102.165.32,192.168.2.130

Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll

AppInit_DLLs: avgrsstx.dll

mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-12-11 216200]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-12-11 29584]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-12-11 242896]

R2 arXfrSvc;Windows Media Center TV Archive Transfer Service;c:\program files\windows home server\Microsoft.HomeServer.Archive.TransferService.exe [2009-10-7 239464]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-17 308064]

R2 EpsonPOSLog;Epson Point of Service Log Service;c:\program files\epson\epson advanced printer driver 4\EpsonPHLog.exe [2009-5-9 290816]

R2 EpsonPOSPort;Epson Point of Service Port Handler;c:\program files\epson\epson advanced printer driver 4\EpsonPH.exe [2010-1-1 376832]

R2 esClient;Windows Media Center Client Service;c:\program files\windows home server\esClient.exe [2009-10-7 97128]

R2 Esdpdx04;Esdpdx04;c:\windows\system32\drivers\ESDPDX04.SYS [2010-1-1 66560]

R2 WHSConnector;Windows Home Server Connector Service;c:\program files\windows home server\WHSConnector.exe [2009-10-7 376680]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 MsDepSvc;Web Deployment Agent Service;c:\program files\iis\microsoft web deploy\MsDepSvc.exe [2010-1-19 55184]

S3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\drivers\vpcuxd.sys [2009-10-12 12800]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-27 1343400]

=============== Created Last 30 ================

2010-07-14 21:13:14 20 ----a-w- c:\users\richard\defogger_reenable

2010-07-14 19:46:11 0 d-----w- c:\program files\Pop up Blocker Pro

2010-07-14 17:04:32 0 d-----w- C:\EbuDllTmpDir

2010-07-14 16:56:48 0 d-----w- c:\program files\Intel Corporation

2010-07-14 16:19:58 6976 ---ha-w- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2010-07-14 16:19:58 6976 ---ha-w- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2010-07-14 01:26:05 0 d-----w- c:\windows\system32\MpEngineStore

2010-07-09 03:26:52 0 d-----w- c:\users\richard\appdata\roaming\Sling Media

2010-07-09 03:26:51 0 d-----w- c:\programdata\Sling Media

2010-07-07 23:04:19 0 d-----w- c:\program files\Trend Micro

2010-07-05 08:09:20 0 d-----w- c:\programdata\VehicleManager

2010-07-04 20:18:51 29272 ----a-r- c:\windows\system32\AdobePDF.dll

2010-07-02 13:22:11 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll

2010-07-02 13:22:11 49472 ----a-w- c:\windows\system32\netfxperf.dll

2010-07-02 13:22:11 297808 ----a-w- c:\windows\system32\mscoree.dll

2010-07-02 13:22:11 295264 ----a-w- c:\windows\system32\PresentationHost.exe

2010-07-02 13:22:11 1130824 ----a-w- c:\windows\system32\dfshim.dll

2010-06-22 17:50:24 1286456 ----a-w- c:\windows\system32\ntdll.dll

2010-06-22 17:50:22 641536 ----a-w- c:\windows\system32\CPFilters.dll

2010-06-22 17:50:22 417792 ----a-w- c:\windows\system32\msdri.dll

2010-06-22 17:50:22 204288 ----a-w- c:\windows\system32\MSNP.ax

2010-06-22 17:50:22 199680 ----a-w- c:\windows\system32\mpg2splt.ax

2010-06-22 16:48:37 45056 ----a-w- c:\windows\system32\HSSICore.dll

2010-06-22 16:48:37 40960 ----a-w- c:\windows\system32\HS_live.ocx

2010-06-22 16:48:37 184320 ----a-w- c:\windows\system32\OESICore.dll

2010-06-22 16:48:25 0 d-----w- c:\programdata\Homestead

2010-06-22 16:46:55 98136 ----a-w- c:\windows\gzip.exe

==================== Find3M ====================

2010-06-03 07:24:44 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-05-27 07:24:13 34304 ----a-w- c:\windows\system32\atmlib.dll

2010-05-27 03:49:37 293888 ----a-w- c:\windows\system32\atmfd.dll

2010-05-21 05:18:06 977920 ----a-w- c:\windows\system32\wininet.dll

2010-05-01 14:49:25 2326528 ----a-w- c:\windows\system32\win32k.sys

2010-04-23 07:13:36 2048 ----a-w- c:\windows\system32\tzres.dll

2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat

2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat

2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat

2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat

2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini

2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat

2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat

2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat

2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat

2010-03-30 04:05:53 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

2010-02-01 19:09:56 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat

2010-02-01 19:09:56 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat

2010-02-01 19:09:56 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat

2010-02-01 19:09:56 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 16:20:51.18 ===============

Link to post
Share on other sites

Hello ,

And :angry: My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Link to post
Share on other sites

Hi Elise,

I think this took care of the problem. It is no longer redirecting. Here is the Combofix report. I've been needing to install an larger hard drive so I guess I'll go ahead and put it in and reload Windows.

Thanks for your help.

Richard

ComboFix 10-07-14.02 - richard 07/15/2010 7:41.1.4 - x86

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3326.2605 [GMT -5:00]

Running from: c:\users\richard\Downloads\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\users\richard\g2mdlhlpx.exe

c:\windows\system32\SiRPCSrv3.dll

Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected

Restored copy from - Kitty had a snack :)

.

((((((((((((((((((((((((( Files Created from 2010-06-15 to 2010-07-15 )))))))))))))))))))))))))))))))

.

2010-07-15 12:48 . 2010-07-15 12:48 -------- d-----w- c:\users\richard\AppData\Local\temp

2010-07-15 00:58 . 2010-07-15 00:58 -------- d-----w- c:\program files\SoftInform

2010-07-14 16:56 . 2010-07-14 16:56 -------- d-----w- c:\program files\Intel Corporation

2010-07-14 01:26 . 2010-07-14 17:05 -------- d-----w- c:\windows\system32\MpEngineStore

2010-07-09 03:26 . 2010-07-14 23:20 -------- d-----w- c:\users\richard\AppData\Roaming\Sling Media

2010-07-07 23:04 . 2010-07-07 23:04 -------- d-----w- c:\program files\Trend Micro

2010-07-07 10:40 . 2010-07-07 10:40 -------- d-----w- c:\users\Administrator

2010-07-05 08:09 . 2010-07-05 08:37 -------- d-----w- c:\users\richard\AppData\Local\Kaizen_Software_Solutions

2010-07-04 20:18 . 2007-03-23 09:05 29272 ----a-r- c:\windows\system32\AdobePDF.dll

2010-07-02 13:22 . 2009-11-25 17:47 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll

2010-07-02 13:22 . 2009-11-25 17:47 49472 ----a-w- c:\windows\system32\netfxperf.dll

2010-07-02 13:22 . 2009-11-25 17:47 297808 ----a-w- c:\windows\system32\mscoree.dll

2010-07-02 13:22 . 2009-11-25 17:47 295264 ----a-w- c:\windows\system32\PresentationHost.exe

2010-07-02 13:22 . 2009-11-25 17:47 1130824 ----a-w- c:\windows\system32\dfshim.dll

2010-06-22 17:50 . 2010-03-24 06:37 1286456 ----a-w- c:\windows\system32\ntdll.dll

2010-06-22 17:50 . 2010-05-09 09:14 641536 ----a-w- c:\windows\system32\CPFilters.dll

2010-06-22 17:50 . 2010-05-09 09:14 417792 ----a-w- c:\windows\system32\msdri.dll

2010-06-22 16:48 . 2010-06-22 16:46 45056 ----a-w- c:\windows\system32\HSSICore.dll

2010-06-22 16:48 . 2010-06-22 16:46 184320 ----a-w- c:\windows\system32\OESICore.dll

2010-06-22 16:48 . 2010-06-22 16:48 -------- d-----w- c:\programdata\Homestead

2010-06-22 16:46 . 2010-06-22 16:46 98136 ----a-w- c:\windows\gzip.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-14 17:04 . 2009-10-13 00:32 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-07-14 17:04 . 2009-10-13 09:42 3565 ----a-w- c:\programdata\Intuit\QuickBooks 2008\qbbackup.sys

2010-07-14 17:04 . 2009-10-13 00:32 -------- d-----w- c:\program files\Common Files\InstallShield

2010-07-14 02:24 . 2009-11-28 15:06 -------- d-----w- c:\program files\UnderCoverXP

2010-07-06 18:51 . 2010-01-14 19:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-05 13:38 . 2009-11-17 22:42 -------- d-----w- c:\program files\uTorrent

2010-07-05 13:37 . 2009-11-17 22:41 -------- d-----w- c:\users\richard\AppData\Roaming\uTorrent

2010-07-02 13:38 . 2009-10-13 00:45 -------- d-----w- c:\program files\Microsoft Silverlight

2010-07-02 13:37 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail

2010-07-02 13:33 . 2009-10-13 01:44 -------- d-----w- c:\programdata\Microsoft Help

2010-07-02 13:22 . 2009-10-13 01:46 -------- d-----w- c:\program files\Microsoft.NET

2010-06-22 16:46 . 2009-10-13 09:15 -------- d-----w- c:\program files\Intuit

2010-06-03 07:24 . 2009-12-12 03:58 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-06-03 07:24 . 2009-12-12 03:58 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-05-28 17:28 . 2009-10-28 18:32 -------- d-----w- c:\users\richard\AppData\Roaming\Download Manager

2010-05-27 07:24 . 2010-06-10 21:57 34304 ----a-w- c:\windows\system32\atmlib.dll

2010-05-27 03:49 . 2010-06-10 21:57 293888 ----a-w- c:\windows\system32\atmfd.dll

2010-05-21 05:18 . 2010-06-10 21:57 977920 ----a-w- c:\windows\system32\wininet.dll

2010-05-01 14:49 . 2010-06-10 21:57 2326528 ----a-w- c:\windows\system32\win32k.sys

2010-04-29 20:39 . 2010-01-14 19:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 20:39 . 2010-01-14 19:17 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-23 07:13 . 2010-05-26 09:27 2048 ----a-w- c:\windows\system32\tzres.dll

2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat

2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2010-04-19 15:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-08-20 2363392]

"Microsoft Location Finder"="c:\program files\Microsoft Location Finder\LocationFinder.exe" [2006-11-06 121640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SigmatelSysTrayApp"="sttray.exe" [2007-06-08 303104]

"QOELOADER"="c:\program files\Qurb\QSP-3.0.311.7\QOELoader.exe" [2009-10-13 6656]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]

"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-03 2065248]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\users\richard\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-9-16 972064]

Windows Home Server.lnk - c:\windows\Installer\{21E49794-7C13-4E84-8659-55BD378267D5}\WHSTrayApp.exe [2009-12-25 604008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"mixer"=wdmaud.drv

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R3 MsDepSvc;Web Deployment Agent Service;c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe [2010-01-19 55184]

R3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\DRIVERS\vpcuxd.sys [2009-07-22 12800]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-27 1343400]

R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-04-01 691696]

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-03-17 216200]

S1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-06-03 242896]

S2 arXfrSvc;Windows Media Center TV Archive Transfer Service;c:\program files\Windows Home Server\Microsoft.HomeServer.Archive.TransferService.exe [2009-10-07 239464]

S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-03-17 308064]

S2 EpsonPOSLog;Epson Point of Service Log Service;c:\program files\EPSON\EPSON Advanced Printer Driver 4\EpsonPHLog.exe [2009-05-09 290816]

S2 EpsonPOSPort;Epson Point of Service Port Handler;c:\program files\EPSON\EPSON Advanced Printer Driver 4\EpsonPH.exe [2009-09-26 376832]

S2 esClient;Windows Media Center Client Service;c:\program files\Windows Home Server\esClient.exe [2009-10-07 97128]

S2 Esdpdx04;Esdpdx04;c:\windows\system32\Drivers\ESDPDX04.SYS [2007-07-17 66560]

S2 WHSConnector;Windows Home Server Connector Service;c:\program files\Windows Home Server\WHSConnector.exe [2009-10-07 376680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

iissvcs REG_MULTI_SZ w3svc was

apphost REG_MULTI_SZ apphostsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2009-08-20 18:24 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.foxnews.com/

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

Trusted Zone: microsoft.com\*.update

Trusted Zone: windowsupdate.com\download

TCP: {6BD86BD0-D5BC-4A98-AD5A-343D3BB070BE} = 166.102.165.32,192.168.2.130

DPF: {3528A58B-595D-4AFD-A5F6-B914BD306DC3} - hxxp://dishconnectivity.sling.com/dpit/downloads/pc/SlingHealth.cab

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MsDepSvc]

"ImagePath"="\"c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe\" -runService:MsDepSvc"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2010-07-15 07:50:02

ComboFix-quarantined-files.txt 2010-07-15 12:50

Pre-Run: 53,686,370,304 bytes free

Post-Run: 53,798,252,544 bytes free

- - End Of File - - DE2CA05C4C4D8C2B66A297EAE387A0DB

Link to post
Share on other sites

Hello again,

That took indeed out the rootkit. :)

UPDATE JAVA

------------------

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 21 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.

-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.

-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

MALWAREBYTES ANTIMALWARE

-------------------------------------------

Please launch MBAM and update the program before performing a scan.

  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Link to post
Share on other sites

  • 3 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.