IE 8 redirects google search to random sites.

I've tried Malwarebytes, ESET, Ad-Aware, TDSSKiller etc. None of them picked up any infections. Still I get redirected to random sites using IE8.

Attached hijackthis log, ark.txt, dds.txt and attach.txt.

Hopefully you are able to find out.

Many thanks!!

ark.zip

DDS.txt

hijackthis.log

mbam_log_2011_01_31__07_06_53_.txt


Hello nor_way! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something, please ask.
  • Do not install or uninstall any software or hardware while we work on it.
  • Keep me informed about any changes.

  • Launch Malwarebytes' Anti-Malware
  • Go to the "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to the "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

In your next reply, please include these log(s):

  1. Malwarebytes' Anti-Malware log
  2. a new fresh DDS log only


Here is the newest updated Malwarebytes log:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5647

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

31.01.2011 11:15:58

mbam-log-2011-01-31 (11-15-58).txt

Scan type: Quick scan

Objects scanned: 173522

Time elapsed: 6 minute(s), 1 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

And then the newest DDS Log:

DDS (Ver_10-12-12.01) - NTFSx86

Run by Chief-o at 11:18:10,62 on 31.01.2011

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2973.1978 [GMT 1:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

AV: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\Program Files\Acer\Acer Bio Protection\BASVC.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Intel\AMT\LMS.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe

C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe

C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\PROGRA~1\LAUNCH~1\LManager.exe

C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe

C:\Program Files\Acer\Acer Bio Protection\PdtWzd.exe

C:\WINDOWS\PLFSetI.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\DOCUME~1\Marlin\LOCALS~1\Temp\RtkBtMnt.exe

C:\Program Files\Acer\Empowering Technology\Framework.Launcher.exe

C:\Program Files\Acer\Acer VCM\AcerVCM.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\WINDOWS\system32\igfxext.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\Program Files\Opera\opera.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\WINDOWS\system32\mstsc.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Documents and Settings\Marlin\Desktop\dds.pif

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [LaunchApp] Alaunch

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup

mRun: [bkupTray] "c:\program files\newtech infosystems\nti backup now 5\BkupTray.exe"

mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [LManager] c:\progra~1\launch~1\LManager.exe

mRun: [ePower_DMC] c:\program files\acer\empowering technology\epower\ePower_DMC.exe

mRun: [boot] c:\program files\acer\empowering technology\epower\Boot.exe

mRun: [ProductReg] "c:\program files\acer\wr_popup\ProductReg.exe"

mRun: [ZPdtWzdVitaKey MC3000] "c:\program files\acer\acer bio protection\PdtWzd.exe" show

mRun: [PLFSetL] c:\windows\PLFSetL.exe

mRun: [PLFSetI] c:\windows\PLFSetI.exe

mRun: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [AzMixerSel] c:\program files\realtek\audio\installshield\AzMixerSel.exe

mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acerem~1.lnk - c:\program files\acer\empowering technology\Framework.Launcher.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acervc~1.lnk - c:\program files\acer\acer vcm\AcerVCM.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe

IE: {10954C80-4F0F-11d3-B17C-00C0DFE39736} - c:\program files\acer\acer bio protection\PwdBank.exe

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1290308062328

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1290307933921

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab

DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100

Notify: AWinNotifyVitaKey MC3000 - c:\program files\acer\acer bio protection\WinNotify.dll

Notify: igfxcui - igfxdev.dll

Notify: spba - c:\program files\common files\spba\homefus2.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

LSA: Notification Packages = scecli c:\program files\acer\acer bio protection\PwdFilter

============= SERVICES / DRIVERS ===============

R0 AlfaFF;AlfaFF File System mini-filter;c:\windows\system32\drivers\AlfaFF.sys [2009-1-27 42608]

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-1-30 64288]

R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-1-30 218688]

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-4-28 114984]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-10-25 95896]

R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\newtech infosystems\nti backup now 5\client\Agentsvc.exe [2008-3-3 16384]

R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2010-6-24 810144]

R2 IGBASVC;iGroupTec Service;c:\program files\acer\acer bio protection\BASVC.exe [2009-1-27 3566080]

R2 IAANTMON;Intel® Matrix Storage Event Monitor;c:\program files\intel\intel matrix storage manager\IAANTmon.exe [2009-1-27 354840]

R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-4-26 45056]

R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-4-26 131072]

R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2008-6-2 2058776]

R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2008-3-27 244368]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-7-24 41216]

R3 ITEIRDA;ITE Infrared Device Driver;c:\windows\system32\drivers\ITEirda.sys [2007-4-29 24576]

R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-4-15 51160]

R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2008-4-8 43736]

R3 SjtWinIo;SJT I/O Driver;c:\windows\system32\drivers\SjtWinIo.sys [2010-9-23 8704]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-12-3 1402272]

S3 BS2Srv;BeoSound 2;c:\windows\system32\drivers\BS2Drv.sys [2010-12-9 16512]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-12-3 15264]

S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2010-6-21 18432]

S3 OMNUSB;Omnikey AG CardMan 2020 USB Smart Card Reader;c:\windows\system32\drivers\sccmusbm.sys [2010-6-16 23936]

S3 USBAAPL;Apple Mobile USB Driver;c:\windows\system32\drivers\usbaapl.sys [2009-9-24 41984]

=============== File Associations ===============

.scr=AutoCADScriptFile

=============== Created Last 30 ================

2011-01-31 02:18:02 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2011-01-31 02:17:41 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro

2011-01-31 00:51:13 -------- d-----w- c:\docume~1\alluse~1\applic~1\XoftSpySE

2011-01-30 06:55:56 218688 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys

2011-01-30 06:55:42 -------- d-----w- c:\program files\DAEMON Tools Lite

2011-01-30 06:55:17 -------- d-----w- c:\docume~1\marlin\applic~1\DAEMON Tools Lite

2011-01-30 06:55:17 -------- d-----w- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite

2011-01-30 06:52:55 15880 ----a-w- c:\windows\system32\lsdelete.exe

2011-01-30 06:26:38 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2011-01-30 06:26:25 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-01-30 05:49:13 -------- d-----w- c:\docume~1\marlin\locals~1\applic~1\Sunbelt Software

2011-01-30 05:48:44 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}

2011-01-30 05:48:29 -------- d-----w- c:\program files\Lavasoft

2011-01-30 04:29:18 -------- d-----w- c:\windows\pss

2011-01-17 02:23:40 70144 --sha-r- c:\windows\system32\kmddsp7.dll

2011-01-17 02:20:40 -------- d-----w- c:\program files\Rosetta Stone

2011-01-11 22:20:13 83249512 ----a-w- c:\program files\common files\windows live\.cache\wlc5348.tmp

2011-01-11 21:57:58 -------- d-----w- c:\program files\iPod

2011-01-11 21:57:54 -------- d-----w- c:\program files\iTunes

2011-01-11 21:54:38 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll

2011-01-11 21:54:38 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll

2011-01-11 21:54:38 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll

2011-01-11 21:54:38 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll

2011-01-11 21:54:38 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll

2011-01-11 21:54:38 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll

2011-01-11 21:54:38 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll

==================== Find3M ====================

2010-11-29 16:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2010-11-29 16:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-12 17:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-11-12 15:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll

2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll

2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec

============= FINISH: 11:18:44,42 ===============


Maybe I'm stupid, but it seems like the files deny access no matter what I try. The online analysis does not come up with any confirmation and I couldn't send it as an attachment by e-mail either.

Edit: After changing permission it worked.

Attached result from scanning.

AhnLab-V3 2011.01.27.01 2011.01.27 -

AntiVir 7.11.2.37 2011.01.31 -

Antiy-AVL 2.0.3.7 2011.01.28 -

Avast 4.8.1351.0 2011.01.31 -

Avast5 5.0.677.0 2011.01.31 -

AVG 10.0.0.1190 2011.01.31 Cryptic.BTF

BitDefender 7.2 2011.01.31 Gen:Variant.Vundo.6

CAT-QuickHeal 11.00 2011.01.31 -

ClamAV 0.96.4.0 2011.01.30 -

Commtouch 5.2.11.5 2011.01.31 -

Comodo 7552 2011.01.31 -

DrWeb 5.0.2.03300 2011.01.31 -

Emsisoft 5.1.0.1 2011.01.31 Gen.Variant.Vundo!IK

eSafe 7.0.17.0 2011.01.30 -

eTrust-Vet 36.1.8129 2011.01.31 -

F-Prot 4.6.2.117 2011.01.30 -

F-Secure 9.0.16160.0 2011.01.31 Gen:Variant.Vundo.6

Fortinet 4.2.254.0 2011.01.31 -

GData 21 2011.01.31 Gen:Variant.Vundo.6

Ikarus T3.1.1.97.0 2011.01.31 Gen.Variant.Vundo

Jiangmin 13.0.900 2011.01.31 -

K7AntiVirus 9.78.3690 2011.01.31 -

Kaspersky 7.0.0.125 2011.01.31 -

McAfee 5.400.0.1158 2011.01.31 -

McAfee-GW-Edition 2010.1C 2011.01.31 -

Microsoft 1.6502 2011.01.31 -

NOD32 5833 2011.01.31 a variant of Win32/Kryptik.JHE

Norman 6.06.12 2011.01.30 -

nProtect 2011-01-31.01 2011.01.31 Gen:Variant.Vundo.6

Panda 10.0.3.5 2011.01.30 Suspicious file

PCTools 7.0.3.5 2011.01.29 -

Prevx 3.0 2011.01.31 -

Rising 23.43.00.02 2011.01.31 -

Sophos 4.61.0 2011.01.31 -

SUPERAntiSpyware 4.40.0.1006 2011.01.30 -

Symantec 20101.3.0.103 2011.01.31 -

TheHacker 6.7.0.1.122 2011.01.30 -

TrendMicro 9.120.0.1004 2011.01.31 -

TrendMicro-HouseCall 9.120.0.1004 2011.01.31 -

VBA32 3.12.14.3 2011.01.31 -

VIPRE 8260 2011.01.31 -

ViRobot 2011.1.31.4284 2011.01.31 -

VirusBuster 13.6.173.1 2011.01.31 -

Additional information

MD5 : 30e80e02547b63647ff845c6efd371ea

SHA1 : ebc35b362f89a0b3fafaa236b05a062d0aceeae8

SHA256: 638f9c899d0d364afd3b6215e8184961dc6b61fb0e9dfa40005d4deadaa3203a

ssdeep: 1536:A2R5DmLNE+Azk7/yXBSMzCmxJSZPxvx3EAWg:As5yLNE+Azk7/yXBXzcZJJUn

File size : 70144 bytes

First seen: 2011-01-31 12:06:47

Last seen : 2011-01-31 12:06:47

TrID:

Win32 Executable Generic (42.3%)

Win32 Dynamic Link Library (generic) (37.6%)

Generic Win/DOS Executable (9.9%)

DOS Executable Generic (9.9%)

Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

sigcheck:

publisher....: Microsoft Corporation

copyright....: © Microsoft Corporation. All rights reserved.

product......: Microsoft_ Windows_ Operating System

description..: SSDP Service DLL

original name: ssdpsrv.dll

internal name: ssdpsrv.dll

file version.: 6.1.7000.0 (winmain_win7beta.081212-1400)

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

PEInfo: PE structure information

[[ basic data ]]

entrypointaddress: 0x74AA

timedatestamp....: 0x3853EC96 (Sun Dec 12 18:42:30 1999)

machinetype......: 0x14c (I386)

[[ 6 section(s) ]]

name, viradd, virsiz, rawdsiz, ntropy, md5

.text, 0x1000, 0x66B0, 0x6800, 6.44, f8929b9279a4ed1f48941f49b3502924

.rdata, 0x8000, 0x901A, 0x9200, 5.46, e063bc582ff6e038d8f35ec05e65e151

.data, 0x12000, 0x8D58, 0x600, 2.71, cc198028b3f27e18af1c134868ccbbb4

.sxdata, 0x1B000, 0x8, 0x200, 0.04, 3da831fb06c70d68c4475e1385fc29ca

.rsrc, 0x1C000, 0x500, 0x600, 2.92, 1737166ea9c60abf302d71520c6f088d

.reloc, 0x1D000, 0x50E, 0x600, 4.88, c14be5a77e0897cc7197fe1c422c99cb

[[ 5 import(s) ]]

KERNEL32.dll: Sleep, InterlockedCompareExchange, QueryPerformanceCounter, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, DisableThreadLibraryCalls, EnumUILanguagesW, CloseHandle, CreateProcessW, InterlockedExchange, HeapAlloc, GetProcessHeap, SetUnhandledExceptionFilter, lstrlenA, MultiByteToWideChar, GetLastError, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, LeaveCriticalSection, InterlockedDecrement, SetLastError, GetCommandLineA, VirtualProtect, VirtualFree, HeapFree, VirtualAlloc

USER32.dll: LoadStringA, PostMessageA

ADVAPI32.dll: RegQueryInfoKeyW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegOpenKeyExA, RegOpenKeyExW

ole32.dll: CoUninitialize, CoInitializeEx, CoCreateInstance

MSVCR71.dll: __CppXcptFilter, wcschr, wcscmp, wprintf, _wcsicmp, _CxxThrowException, _except_handler3, _adjust_fdiv, _amsg_exit, _initterm, free, _XcptFilter, malloc, _onexit, _lock, __dllonexit, memset

ExifTool:

file metadata

CharacterSet: Unicode

CodeSize: 26624

CompanyName: Microsoft Corporation

EntryPoint: 0x74aa

FileDescription: SSDP Service DLL

FileFlagsMask: 0x003f

FileOS: Windows NT 32-bit

FileSize: 68 kB

FileSubtype: 0

FileType: Win32 DLL

FileVersion: 6.1.7000.0 (winmain_win7beta.081212-1400)

FileVersionNumber: 6.1.7000.0

ImageVersion: 5.0

InitializedDataSize: 79872

InternalName: ssdpsrv.dll

LanguageCode: English (U.S.)

LegalCopyright: Microsoft Corporation. All rights reserved.

LinkerVersion: 5.12

MIMEType: application/octet-stream

MachineType: Intel 386 or later, and compatibles

OSVersion: 4.0

ObjectFileType: Dynamic link library

OriginalFilename: ssdpsrv.dll

PEType: PE32

ProductName: Microsoft Windows Operating System

ProductVersion: 6.1.7000.0

ProductVersionNumber: 6.1.7000.0

Subsystem: Windows GUI

SubsystemVersion: 4.0

TimeStamp: 1999:12:12 19:42:30+01:00

UninitializedDataSize: 0

Symantec reputation:Suspicious.Insight

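The reasoning the report above supports, written out as an added Python example (not part of the thread, nor of the DDS, VirusTotal or ComboFix tools): it parses DDS "Created Last 30" lines and the sigcheck fields, and flags the discrepancies that single out kmddsp7.dll, a system+hidden DLL newly written to system32 whose version resource names a different file (ssdpsrv.dll) from a different Windows build, unsigned. The attribute-column layout and the host version 5.1 are read off this log; the sample inputs are constructed from lines quoted above.

```python
import re

# Constructed sample: three lines copied from the DDS "Created Last 30"
# section above (one suspicious entry, two benign ones).
DDS_CREATED = """\
2011-01-31 02:18:02 16968 ----a-w- c:\\windows\\system32\\drivers\\hitmanpro35.sys
2011-01-17 02:23:40 70144 --sha-r- c:\\windows\\system32\\kmddsp7.dll
2011-01-11 21:54:38 159744 ----a-w- c:\\program files\\internet explorer\\plugins\\npqtplugin7.dll
"""

# Constructed sample: the sigcheck fields from the VirusTotal report above.
SIGCHECK_KMDDSP7 = """\
publisher....: Microsoft Corporation
original name: ssdpsrv.dll
file version.: 6.1.7000.0 (winmain_win7beta.081212-1400)
verified.....: Unsigned
"""

HOST_NT_VERSION = "5.1"  # Windows XP, per the DDS header "Windows 5.1.2600"

# DDS line: date, time, size (digits, or dashes for a directory), an 8-char
# attribute column, then the path (which may contain spaces).
DDS_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S{8}) (.+)$")

def parse_dds(text):
    """Parse DDS 'Created Last 30' lines into dicts with an empty flag list."""
    entries = []
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if m:
            entries.append({"date": m.group(1), "attrs": m.group(4),
                            "path": m.group(5), "flags": []})
    return entries

def flag_attrs(entry):
    """Attribute column as laid out in this log (d c s h a ? r/w ?): '--sha-r-'
    is system, hidden, archive, read-only. Flag such a DLL landing in system32."""
    a, path = entry["attrs"], entry["path"].lower()
    if a[2] == "s" and a[3] == "h" and "\\system32\\" in path and path.endswith(".dll"):
        entry["flags"].append("system+hidden DLL newly written to system32")
    return entry["flags"]

def parse_sigcheck(text):
    """Turn 'key....: value' lines into a dict keyed by the bare field name."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip(". ").lower()] = value.strip()
    return fields

def flag_sigcheck(on_disk_name, fields):
    """Compare the embedded version resource with the file name and host OS."""
    flags = []
    original = fields.get("original name", "").lower()
    if original and original != on_disk_name.lower():
        flags.append(f"embedded original name {original} differs from on-disk name {on_disk_name}")
    m = re.match(r"(\d+\.\d+)", fields.get("file version", ""))
    if m and m.group(1) != HOST_NT_VERSION:
        flags.append(f"version resource claims NT {m.group(1)} on an NT {HOST_NT_VERSION} host")
    if "microsoft" in fields.get("publisher", "").lower() and fields.get("verified", "").lower() == "unsigned":
        flags.append("names Microsoft as publisher but carries no signature")
    return flags

def triage(dds_text, sigchecks):
    """sigchecks maps a lower-case on-disk file name to its sigcheck text.
    Returns {path: [flags]} for every entry that raised at least one flag."""
    report = {}
    for entry in parse_dds(dds_text):
        flag_attrs(entry)
        name = entry["path"].rsplit("\\", 1)[-1]
        if name.lower() in sigchecks:
            entry["flags"].extend(flag_sigcheck(name, parse_sigcheck(sigchecks[name.lower()])))
        if entry["flags"]:
            report[entry["path"]] = entry["flags"]
    return report

if __name__ == "__main__":
    for path, flags in triage(DDS_CREATED, {"kmddsp7.dll": SIGCHECK_KMDDSP7}).items():
        print(path, *("  - " + f for f in flags), sep="\n")
```

Only the kmddsp7.dll entry is reported; the two benign entries raise no flag.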

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
     • Open Tools -> Options -> Main tab
     • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix as follows:
     (two screenshots in the original post: the Firefox download dialog and the rename step)
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

     -----------------------------------------------------------
     • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
     • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
     -----------------------------------------------------------

     • Close any open browsers.
     • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
     • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
     • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Open Notepad and copy and paste the text in the code box below into it:

File::
c:\windows\system32\kmddsp7.dll

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.


This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
